Rule for SVCHOST

Discussion in 'ProcessGuard' started by A884126, Nov 12, 2005.

Thread Status:
Not open for further replies.
  1. A884126

    A884126 Registered Member

    Joined:
    May 16, 2004
    Posts:
    191
    I have already got 2 alerts saying that SVCHOST was trying to terminate "gcasserv.exe", which is the MS Antispyware program.

    Is it normal? Should I allow it?

    Thanks for your help.
     
  2. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi A884126, svchost is a trusted program and, provided it has not changed recently, should be no problem. It may not actually be terminating your other but ascertaining that it can if needs be. :)

    Pilli
     
  3. steverio

    steverio Registered Member

    Joined:
    Jun 25, 2004
    Posts:
    161
    I have had an alert like this before and there has been no termination of "gcasserv.exe". "gcasserv.exe" is on my protection list along with svchost.exe which has no authorization to terminate.
     
  4. A884126

    A884126 Registered Member

    Joined:
    May 16, 2004
    Posts:
    191
    Same again, but this time PG blocked svchost.exe from terminating gcasdtserv.exe, which also belongs to MS Antispyware Beta.

    It seems there is a serious concern between MS Windows (svchost) and MS Antispyware relationship... I really do not understand why they are trying to kill each other :D
     
  5. SpikeyB

    SpikeyB Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    478
    On my protection list svchost has the ability to Modify+Read and Access Physical Memory.

    When I click Reset to Default those are the settings that svchost gets.
     
  6. A884126

    A884126 Registered Member

    Joined:
    May 16, 2004
    Posts:
    191
    I know that; the concern is that svchost does not want to leave MS Antispyware in peace, for a reason I cannot understand. The issue is the termination process.
     
  7. NoHolyGrail

    NoHolyGrail Registered Member

    Joined:
    Nov 14, 2005
    Posts:
    46
    Not sure if this is relevant, but might be worth mentioning: when my computer was swamped in malware I noticed many more copies of svchost running in task manager. Normally I see about 6. Back then I would see 8-12. I assumed it meant svchost could be abused. Then again, some malware could have just been using the name to look inconspicuous.

    Out of curiosity, what does svchost actually do?
     
  8. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    "The Svchost.exe file is located in the %SystemRoot%\System32 folder. At startup, Svchost.exe checks the services part of the registry to construct a list of services that it must load. Multiple instances of Svchost.exe can run at the same time. Each Svchost.exe session can contain a grouping of services. Therefore, separate services can run, depending on how and where Svchost.exe is started. This grouping of services permits better control and easier debugging."

    http://support.microsoft.com/default.aspx?scid=kb;en-us;314056

    As that article also describes, if you enter "tasklist /svc" in the command prompt, you can see what services are running under each instance of svchost.exe.

    Regards,

    CrazyM
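
    An added example, not part of the original posts: a parser for the table that "tasklist /svc" prints, mapping each svchost.exe PID to the services it hosts. The sample output is constructed, the function names are hypothetical, and treating a svchost.exe row that lists no services as worth a closer look is this example's assumption, following the name-reuse point raised earlier in the thread.

```python
import re

# Constructed sample of `tasklist /svc` output (not captured from a real host).
SAMPLE = """\
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
System                           4 N/A
svchost.exe                    856 DcomLaunch, TermService
svchost.exe                   1024 AudioSrv, BITS, Browser, CryptSvc, Dhcp,
                                   dmserver, ERSvc, EventSystem
gcasServ.exe                  1500 N/A
svchost.exe                   2044 N/A
"""

def parse_tasklist_svc(text):
    """Return [(image, pid, [services])] from `tasklist /svc` table output."""
    lines = text.splitlines()
    # The ===== ruler under the header defines the fixed column spans.
    ruler = next(i for i, l in enumerate(lines) if l.startswith("====="))
    spans = [m.span() for m in re.finditer(r"=+", lines[ruler])]
    (n0, n1), (p0, p1), (s0, _) = spans
    rows = []
    for line in lines[ruler + 1:]:
        if not line.strip():
            continue
        name, pid = line[n0:n1].strip(), line[p0:p1].strip()
        svcs = [s.strip() for s in line[s0:].split(",")]
        svcs = [s for s in svcs if s and s != "N/A"]
        if not name and rows:      # wrapped continuation of the previous row
            rows[-1][2].extend(svcs)
        else:
            rows.append((name, int(pid), svcs))
    return rows

def svchost_report(rows):
    """Map each svchost.exe PID to its services; list PIDs hosting none."""
    hosts = {pid: svcs for name, pid, svcs in rows
             if name.lower() == "svchost.exe"}
    empty = sorted(pid for pid, svcs in hosts.items() if not svcs)
    return hosts, empty

if __name__ == "__main__":
    hosts, empty = svchost_report(parse_tasklist_svc(SAMPLE))
    for pid, svcs in sorted(hosts.items()):
        print(pid, ", ".join(svcs) or "(no services)")
    print("svchost.exe instances hosting no services:", empty)
```

    On a live system, save the command's output to a file and pass its contents to parse_tasklist_svc in place of SAMPLE.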
     