The title says it all. How do I distinguish a malicious process from a normal operating system function? Oftentimes HIPS messages just ask me if I want SVHOST to do this or that. What would be considered an action that is initiated by malware? How do you know whether SVHOST is really trusted or has a fake signature? How do you know if SVHOST is safe or not? There are about, what... 12 SVHOSTs that are initiated by services. There is a bunch of malware that pretends to be part of these services. How do you know which one is what?

For example, I read somewhere on this forum that if Java is asking your FW to make an outbound connection then it is probably up to no good. Well, I have software that requires Java to make an outbound connection. Otherwise it doesn't run. These are the problems that I am facing with HIPS and FWs... How to distinguish what is allowed and what is not, and what is a safe action.

UPDATE: Okay guys, thanks for your input. I am looking for more general rules on what to watch out for. 1.