Windows svchost.exe tries WRITE to ZoneAlarm

Discussion in 'ProcessGuard' started by integral, Jul 25, 2004.

Thread Status:
Not open for further replies.
  1. integral

    integral Registered Member

    I'm trying out ProcessGuard Free v2.000 and the program I chose to protect was my Zone Alarm firewall. I noticed the following in the log when I started up my computer:

    25 Jul 16:08:29 - [EXECUTION] c:\windows\system32\svchost.exe with commandline c:\windows\system32\svchost.exe -k imgsvc was ALLOWED to run
    25 Jul 16:08:29 - [EXECUTION] c:\windows\system32\zonelabs\vsmon.exe with commandline c:\windows\system32\zonelabs\vsmon.exe -service was ALLOWED to run
    25 Jul 16:08:30 - [P] c:\windows\system32\svchost.exe [1052] tried to gain WRITE access on c:\windows\system32\zonelabs\vsmon.exe [688]
    25 Jul 16:08:30 - [EXECUTION] c:\windows\system32\mspmspsv.exe with commandline c:\windows\system32\mspmspsv.exe was ALLOWED to run
    25 Jul 16:08:34 - [P] c:\windows\system32\lsass.exe [764] tried to gain WRITE access on c:\windows\system32\zonelabs\vsmon.exe [688]
    25 Jul 16:08:34 - [P] c:\windows\system32\lsass.exe [764] tried to gain WRITE access on c:\windows\system32\zonelabs\vsmon.exe [688]

    svchost.exe tries to write to the Zone Alarm monitoring program, as does lsass.exe (2 times). Is this normal behavior for Windows XP, or has some trojan hijacked my svchost.exe and lsass.exe processes to knock out my firewall (or just open up a little hole for itself) as soon as it boots up?

    I've used the firewall without issue today. So I'm not sure what benefit, if any, Windows had in trying to write to it before.
     
  2. Pilli

    Pilli Registered Member

    windows\system32\svchost.exe is a legitimate and important system program.
    The default settings for svchost are:
    First four block flags
    And all six allow flags, but for extra protection you can disable the Allow terminate flag, which just gives occasional log entries on this PC.

    Zone Alarm already has process protection built in, so it probably is not a good program to add to Process Guard.

    Outpost has no process protection except by password and is a good candidate to protect with PG.

    Many programs do calls to other programs; this is quite normal. Process Guard lets you see these in action, which is quite an eye opener, that is for sure ;)

    HTH Pilli
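
One way to triage a log like the one in the first post, as an added example that is not part of either post and is not ProcessGuard's own tooling: it groups the `[P]` access attempts by source process and flags a system-process name that runs from outside the expected directory. The regular expressions are inferred from the six quoted log lines, and the names `parse`, `summarize`, `EXPECTED_DIR` and `SYSTEM_NAMES` are hypothetical.

```python
import re
from collections import Counter

# The six log lines quoted in the first post of this thread.
SAMPLE_LOG = r"""
25 Jul 16:08:29 - [EXECUTION] c:\windows\system32\svchost.exe with commandline c:\windows\system32\svchost.exe -k imgsvc was ALLOWED to run
25 Jul 16:08:29 - [EXECUTION] c:\windows\system32\zonelabs\vsmon.exe with commandline c:\windows\system32\zonelabs\vsmon.exe -service was ALLOWED to run
25 Jul 16:08:30 - [P] c:\windows\system32\svchost.exe [1052] tried to gain WRITE access on c:\windows\system32\zonelabs\vsmon.exe [688]
25 Jul 16:08:30 - [EXECUTION] c:\windows\system32\mspmspsv.exe with commandline c:\windows\system32\mspmspsv.exe was ALLOWED to run
25 Jul 16:08:34 - [P] c:\windows\system32\lsass.exe [764] tried to gain WRITE access on c:\windows\system32\zonelabs\vsmon.exe [688]
25 Jul 16:08:34 - [P] c:\windows\system32\lsass.exe [764] tried to gain WRITE access on c:\windows\system32\zonelabs\vsmon.exe [688]
"""

# Line formats inferred from those six lines only (assumption, not a documented spec).
ACCESS_RE = re.compile(
    r"^(?P<ts>\d{1,2} \w{3} \d{2}:\d{2}:\d{2}) - \[P\] (?P<src>.+?) \[(?P<spid>\d+)\] "
    r"tried to gain (?P<access>\w+) access on (?P<dst>.+?) \[(?P<dpid>\d+)\]$")
EXEC_RE = re.compile(
    r"^\S+ \w{3} [\d:]+ - \[EXECUTION\] (?P<image>.+?) with commandline (?P<cmd>.*) was \w+ to run$")

# Assumption: Windows is installed in c:\windows, as in the log above.
EXPECTED_DIR = "c:\\windows\\system32\\"
SYSTEM_NAMES = {"svchost.exe", "lsass.exe"}

def parse(log):
    execs, accesses = {}, []
    for line in map(str.strip, log.splitlines()):
        if m := EXEC_RE.match(line):
            # EXECUTION lines carry no PID, so this is only the last command line seen per image.
            execs[m["image"].lower()] = m["cmd"]
        elif m := ACCESS_RE.match(line):
            accesses.append(m.groupdict())
    return execs, accesses

def summarize(log):
    execs, accesses = parse(log)
    counts = Counter(
        (a["src"].lower(), int(a["spid"]), a["access"], a["dst"].lower())
        for a in accesses)
    rows = []
    for (src, pid, access, dst), n in counts.items():
        name = src.rsplit("\\", 1)[-1]
        # A system-process name running from another directory suggests masquerading.
        odd_path = name in SYSTEM_NAMES and src != EXPECTED_DIR + name
        rows.append({"source": src, "pid": pid, "access": access, "target": dst,
                     "count": n, "odd_path": odd_path, "commandline": execs.get(src)})
    return rows
```

The path check covers only the image file named in the log; it says nothing about which service DLLs a given svchost.exe instance has loaded.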
     