Application Modification Detected - SVCHOST

Discussion in 'ESET Smart Security' started by rheumatoid, Apr 3, 2008.

Thread Status:
Not open for further replies.
  1. rheumatoid

    rheumatoid Registered Member

    Joined:
    Jul 9, 2003
    Posts:
    49
    Location:
    Norwich, U.K
    Keep getting this today. Nothing has really changed since the last time I used my PC, although last time I used it I updated to Vista SP1. A full in-depth scan shows nothing. Should I be concerned?

    R.
     
  2. ASpace

    ASpace Guest

    If you use the default options of ESS about application modification detection, ESET will see if svchost.exe has been updated from Microsoft and not bother you about it. Have you modified that option?

    When ESS displays that message again, see where svchost.exe is located on your computer and then upload a copy of it to www.virustotal.com
    If some vendors find it possibly infected (the genuine Microsoft one must be 100% clean), send a copy of it to samples@eset.sk
     
  3. rheumatoid

    rheumatoid Registered Member

    Joined:
    Jul 9, 2003
    Posts:
    49
    Location:
    Norwich, U.K
    Thanks

    Never modified that option.

    Told it to allow because Firefox couldn't access sites. Can't remember the location it gave for svchost but think in /system32. Presume that is where it legitimately resides?

    R.
     
  4. ASpace

    ASpace Guest

    The legitimate place of the legitimate genuine svchost.exe is %windir%\system32\ but since the warning is for that file it means that the first svchost you have had has been modified. ESS detected this during an attempt at communication by the new svchost.exe
    It might be malware that has modified it. That is why it is important for you to double check this file. I think you must eliminate the possibility of infection or respectively false positive alarm from ESS.
     
  5. rheumatoid

    rheumatoid Registered Member

    Joined:
    Jul 9, 2003
    Posts:
    49
    Location:
    Norwich, U.K
    I have again had a warning for svchost.exe residing in:
    C:\Windows\System32

    EC edit: Removed virus total results. Please read our TOS.
    Presumably this means I have nothing to worry about and can allow svchost from that location?

    thanks

    R.
     
    Last edited by a moderator: May 28, 2008
  6. WigglyTheGreat

    WigglyTheGreat Registered Member

    Joined:
    Jul 10, 2006
    Posts:
    137
    I had the same warning from ESS shortly after installing Vista SP1.
     
  7. Zombini

    Zombini Registered Member

    Joined:
    Jul 11, 2006
    Posts:
    469
    Looks like ESS has a design flaw in this feature, somehow it's not able to detect certain kinds of legit modifications to these files.
     
  8. viruscraft

    viruscraft Registered Member

    Joined:
    Sep 22, 2007
    Posts:
    114
    It seems a compatibility issue between Vista SP1 and ESS
     
  9. Eryan

    Eryan Eset Staff Account

    Joined:
    Jan 17, 2008
    Posts:
    181
    As far as I'm aware, the behavior described in this thread is expected. The software is designed to warn in such a situation.
     
  10. ASpace

    ASpace Guest

    It is also designed not to warn about signed applications and I am to believe Microsoft have signed their svchost.exe and related applications :rolleyes: :thumb:
     
  11. agoretsky

    agoretsky Eset Staff Account

    Joined:
    Apr 4, 2006
    Posts:
    4,031
    Location:
    California
    Hello,

    It depends on how the Allow modification of signed (trusted) applications option is set in ESET Smart Security and its associated list of entries.

    Regards,

    Aryeh Goretsky
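
The checks discussed in this thread (where the running svchost.exe is located, and whether the file is signed), written out as an added PowerShell example that is not part of any post or of ESET's product. It assumes an elevated PowerShell 5.1 or later session; the SHA-256 it prints can be looked up on VirusTotal instead of uploading the file.

```powershell
# Added example, not from the thread. Assumes elevated PowerShell 5.1 or later.
# Location the thread gives for the genuine file.
$expected = Join-Path $env:windir 'System32\svchost.exe'

# Distinct image paths of every running svchost.exe process.
# ExecutablePath is empty when the session lacks rights to read it.
$running = Get-CimInstance -ClassName Win32_Process -Filter "Name = 'svchost.exe'" |
    Where-Object { $_.ExecutablePath } |
    Select-Object -ExpandProperty ExecutablePath

# Always inspect the expected file too, even if no process path could be read.
$paths = (@($running) + $expected) | Sort-Object -Unique

$report = foreach ($path in $paths) {
    $sig = Get-AuthenticodeSignature -LiteralPath $path
    [pscustomobject]@{
        Path             = $path
        # False means the process image is not the System32 copy.
        # 64-bit Windows also ships a 32-bit copy under SysWOW64.
        ExpectedLocation = ($path -ieq $expected)
        SHA256           = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        # 'Valid' means the signature verifies against a trusted chain.
        # Older PowerShell versions check embedded signatures only, so a
        # catalog-signed system file can show 'NotSigned' there.
        SignatureStatus  = $sig.Status
        Signer           = $sig.SignerCertificate.Subject
    }
}

$report | Format-List
```

A path outside the expected location, or a status other than `Valid`, is the case where the file should be submitted for analysis as described in the thread.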
     