PG blocked svchost.exe from rminating opscan.exe

Discussion in 'ProcessGuard' started by TonyJ, Nov 17, 2004.

Thread Status:
Not open for further replies.
  1. TonyJ

    TonyJ Registered Member

    Aug 19, 2003
    Just had an alert from PG 3 (full version) that it blocked opscan.exe (part of Norton Antivirus) from terminating. OS is XP pro sp2 and svchost.exe is in windows\system32 folder (14K). TDS scan didn't show any warnings, nor did a scan with Norton.

    Don't think its a virus\trojan but this seems very odd behaviour. Should I be worried?


  2. Pilli

    Pilli Registered Member

    Feb 13, 2002
    Hampshire UK
    Hi Tony, Some programs try to see if they have terminate abilities on other programs, especially security apps, without any intention of killing anything.
    If you only had one or two alerts I would not worry about it providing you know you can trust the file.

    HTH Pilli
  3. redwolfe_98

    redwolfe_98 Registered Member

    Feb 14, 2002
    South Carolina, USA
    last nite, i had an alert popup to ask me if i wanted to allow svchost.exe to run.. i said yes but now i wish i had paid more attention to what was going on.. i removed svchost.exe from "execution protection" so that hopefully it will popup again..

    (i know that svchost.exe is already showing as running in the taskmanager, but still, it popped up)..
  4. gottadoit

    gottadoit Security Expert

    Jul 12, 2004
    If you have a look using tasklist you will see that you most probably have more than one svchost.exe process running. Each process hosts multiple services and you can see what these are by running tasklist /svc

    Below is an example from my PC, you can see that svchost is running more than once and that each svchost process is providing different services

    C:\>tasklist /svc

    Image Name PID Services
    ========================= ====== =============================================
    svchost.exe 916 DcomLaunch
    svchost.exe 988 RpcSs
    svchost.exe 1148 AudioSrv, CryptSvc, Dhcp, EventSystem,
    helpsvc, HidServ, lanmanworkstation, Netman,
    Nla, RasMan, Schedule, seclogon, SENS,
    ShellHWDetection, srservice, TapiSrv,
    winmgmt, wuauserv
    svchost.exe 1160 Dnscache
    (with all the other processes left out...)

    Next time the alert pops up have a look at what service the new svchost is running for you and you will probably be able to google it to get more information
    Last edited: Nov 18, 2004
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.