PG blocked svchost.exe from terminating opscan.exe

Discussion in 'ProcessGuard' started by TonyJ, Nov 17, 2004.

Thread Status:
Not open for further replies.
  1. TonyJ

    TonyJ Registered Member

    Joined:
    Aug 19, 2003
    Posts:
    2
    Just had an alert from PG 3 (full version) that it blocked opscan.exe (part of Norton Antivirus) from terminating. OS is XP pro sp2 and svchost.exe is in windows\system32 folder (14K). TDS scan didn't show any warnings, nor did a scan with Norton.

    Don't think it's a virus\trojan but this seems very odd behaviour. Should I be worried?

    TIA

    Tony
     
  2. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi Tony, Some programs try to see if they have terminate abilities on other programs, especially security apps, without any intention of killing anything.
    If you only had one or two alerts I would not worry about it providing you know you can trust the file.

    HTH Pilli
     
  3. redwolfe_98

    redwolfe_98 Registered Member

    Joined:
    Feb 14, 2002
    Posts:
    581
    Location:
    South Carolina, USA
    Last night, I had an alert pop up to ask me if I wanted to allow svchost.exe to run. I said yes, but now I wish I had paid more attention to what was going on. I removed svchost.exe from "execution protection" so that hopefully it will pop up again.

    (I know that svchost.exe is already showing as running in the Task Manager, but still, it popped up.)
     
  4. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    601
    Location:
    Australia
    Redwolfe,
    If you have a look using tasklist you will see that you most probably have more than one svchost.exe process running. Each process hosts multiple services and you can see what these are by running tasklist /svc

    Below is an example from my PC. You can see that svchost is running more than once and that each svchost process is providing different services.


    C:\>tasklist /svc

    Image Name                   PID Services
    ========================= ====== =============================================
    svchost.exe                  916 DcomLaunch
    svchost.exe                  988 RpcSs
    svchost.exe                 1148 AudioSrv, CryptSvc, Dhcp, EventSystem,
                                     helpsvc, HidServ, lanmanworkstation, Netman,
                                     Nla, RasMan, Schedule, seclogon, SENS,
                                     ShellHWDetection, srservice, TapiSrv,
                                     winmgmt, wuauserv
    svchost.exe                 1160 Dnscache
    (with all the other processes left out...)

    Next time the alert pops up have a look at what service the new svchost is running for you and you will probably be able to google it to get more information
     
    Last edited: Nov 18, 2004
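
Added example, not part of the thread: a Python parser for `tasklist /svc` text output like the listing in the last post. It joins the wrapped service lines to their PID and compares two snapshots to show which services a newly started svchost.exe hosts. The function names are assumptions of this example; the sample is the output from the post.

```python
import re

# Output from the post above (other processes omitted).
SAMPLE = """\
Image Name                   PID Services
========================= ====== =============================================
svchost.exe                  916 DcomLaunch
svchost.exe                  988 RpcSs
svchost.exe                 1148 AudioSrv, CryptSvc, Dhcp, EventSystem,
                                 helpsvc, HidServ, lanmanworkstation, Netman,
                                 Nla, RasMan, Schedule, seclogon, SENS,
                                 ShellHWDetection, srservice, TapiSrv,
                                 winmgmt, wuauserv
svchost.exe                 1160 Dnscache
"""


def parse_tasklist_svc(text):
    """Return {pid: (image_name, [services])} from `tasklist /svc` table output."""
    lines = text.splitlines()
    # The ===== ruler marks the column boundaries, so widths are not hard-coded.
    ruler = next(i for i, l in enumerate(lines) if l.lstrip().startswith("="))
    (n0, n1), (p0, p1), (s0, _) = [m.span() for m in re.finditer(r"=+", lines[ruler])]
    procs, current = {}, None
    for line in lines[ruler + 1:]:
        name, pid = line[n0:n1].strip(), line[p0:p1].strip()
        if pid.isdigit():
            current = int(pid)
            procs[current] = (name, [])
        elif name or current is None:
            continue  # text outside the table, e.g. a trailing note
        # A wrapped row leaves the name and PID columns empty and continues the list.
        services = [s.strip() for s in line[s0:].split(",")]
        procs[current][1].extend(s for s in services if s and s != "N/A")
    return procs


def new_instances(before, after, image="svchost.exe"):
    """PIDs of `image` present in `after` but not in `before`, with their services."""
    return {pid: svcs for pid, (name, svcs) in after.items()
            if name.lower() == image.lower() and pid not in before}


if __name__ == "__main__":
    for pid, (name, svcs) in parse_tasklist_svc(SAMPLE).items():
        print(pid, name, ", ".join(svcs))
```

Saving one `tasklist /svc` listing as a baseline and parsing a second one taken when the alert appears lets `new_instances` name the services behind the new svchost.exe PID.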