Page 1 of 2
Results 1 to 10 of 14

Thread: ZA Security Alert - SvcHost

  1. #1
    paul_chicago Guest

    Default ZA Security Alert - SvcHost

    Hello from a long time ZA user,

    I've searched these forums for SvcHost discussions and haven't found the answer to my exact question.

    I am running a paid version of Internet Security Suite (V8.0.059). Recently, ZA's "Security Alert" window started popping up from my system tray every time I turn on the PC, asking permission for SvcHost.exe. The "Identification" field reads "none" and there is no process ID displayed, so I can't see who is calling SvcHost.

    Someone told me that SvcHost might be getting called by a rogue app (spyware/virus), which explains the lack of identification in the ZA "Security Alert" window.

    Any tips?

    Thanks!!

    Paul

    Operating System:Windows XP Home Edition
    Software Version:8.0
    Product Name:ZoneAlarm Internet Security Suite

  2. #2
    zaswing Guest

    Default Re: ZA Security Alert - SvcHost

    Post details from the log
    windows\internet logs\zalog.txt
    Post at least the line(s) which include svchost in them. Someone might help with a bit more information from you

  3. #3
    naivemelody Guest

    Default Re: ZA Security Alert - SvcHost

    You need this process. You should put:
    Trust Level - three green bars,
    Access - two green checks,
    Server - Trust - one green check, Internet - red X,
    Mail - red X.

    Click here > http://forum.zonelabs.org/zonelabs/b...message.id=145

    NOTE: Make sure all of the following Programs have Trusted and Internet access (2 Green Check Marks):
    a.) All Microsoft and Windows Programs have Green Check marks for Trusted and Internet Access.
    b.) Generic Host Process for win32 Services (svchost.exe) - also allow Trusted Server Rights
    c.) IE Crash Detection
    d.) Internet Explorer or FireFox
    e.) Malicious Software Removal Tool
    f.) True Vector Service (If it is listed)
    g.) Zone Alarm Client
    h.) Zone Alarm Updating Client
    i.) Your Email Client needs Trusted, Internet access and Send Mail - all need Green check Marks.

    What is generic host process - click here > http://www.computing.net/answers/sec...vices/272.html

    and here > http://www.spywareinfoforum.com/lofi...hp/t70581.html

    here > http://support.microsoft.com/default...;en-us;Q314056

    svchost.exe is a program that would have arrived on your computer the day you purchased it. Always verify the exact disk location as shown below, since many spyware and virus writers attempt to fool you by using similar or the same names but locate the file in other folders. Svchost.exe is a critical Windows program which monitors programs, manages DLLs, and controls loading of system processes. You will find multiple occurrences of this running. This will always be running and you cannot kill this task. This svchost.exe file is considered safe and is not spyware or virus related; however, make sure the file is not located at c:\svchost.exe, as many viruses and spyware programs have used this name to confuse you, and several viruses put this svchost name in your root directory, which is not the proper location for this file. Also pay close attention that svchost is not spelled scvhost, as these are not the same but look so close it's hard to notice!

    What is the svchost.exe location, where is it stored on my computer?
    This program is located in your Windows\system32 folder, as in %SystemRoot%\System32\svchost.exe

    svchost.exe should not be disabled; it is required for essential applications to work properly.

    "In general....
    svchost.exe will connect in and out of the 127.0.0.1 (loopback address) and the 0.0.0.0 (non-route or zero octet address) by TCP (and UDP), connect to the remote port 67 of the DHCP server and accept connections from the DHCP server's port 67 to the computer's own port 68, connect to the remote port 53 of the DNS server and accept connections from that DNS server's port 53, connect to the remote port 123 of the time server and accept incoming connections from that port.
    Svchost.exe can be seen in many outgoing connections in Windows going to the remote ports 80 (HTTP), 443 (HTTPS) and other things such as RTSP, POP3, etc.
    Also used in the tracert, ping, nslookups, etc.
    But not limited to just these, as these are some of the generally seen items for the average home user.
    Usually the other Windows processes such as winlogon.exe, userinit.exe, csrss.exe, services.exe, explorer.exe, rundll32.exe and a few others are associated with these svchost.exe connections too.

    Oldsod."

  4. #4
    paul_chicago Guest

    Default Re: ZA Security Alert - SvcHost

    Thanks for your response.

    I didn't want to clutter up my original post with log data because few of the logs reference SvcHost (which seems unusual, because ZA flags it on each power-up (~twice/day)). The most recent log reference to SvcHost was from last week (ZALog2009.01.29.txt) and here are a few lines around the ref:

    OSFW,2009/01/29,09:45:16 -6:00 GMT,BLOCKED,Windows Explorer,C:\WINDOWS\explorer.exe,FILE,WRITE,SRC,ZL DIR*

    PE,2009/01/29,09:45:16 -6:00 GMT,Generic Host Process for Win32 Services,C:\WINDOWS\system32\svchost.exe,0.0.0.0:135,N/A

    OSFW,2009/01/29,09:45:18 -6:00 GMT,BLOCKED,Spam Filter,C:\Program Files\ZoneAlarm\MailFrontier\mantispm.exe,REGISTRY,SETVALUE,SRC,HKLM\SOFTWARE\ZONE LABS\ZONEALARM,EmailSpamTotal

    OSFW,2009/01/29,09:45:18 -6:00 GMT,BLOCKED,Spam Filter,C:\Program Files\ZoneAlarm\MailFrontier\mantispm.exe,REGISTRY,SETVALUE,SRC,HKLM\SOFTWARE\ZONE LABS\ZONEALARM,EmailFraudTotal


    Thank you!!

    Paul

  5. #5
    paul_chicago Guest

    Default Re: ZA Security Alert - SvcHost

    Thanks NaiveMelody. I saw that post, but I am hesitant to set permissions for a service that might be getting called by a rogue app.

  6. #6
    zaswing Guest

    Default Re: ZA Security Alert - SvcHost

    0.0.0.0:135 in the log - normal, has to be there. Each version of ZA treats it slightly differently, and the recent v8 is more alert to that communication.

    As NaiveMelody and Oldsod said, allow it to the trusted zone.
    0.0.0.0 is your computer with no IP assigned (yet).
    port 135 is for svchost to listen for things like windows explorer to look at files on your computer. That's why you can and must allow it to be a server but only in the trusted zone. Trusted zone is your computer, router, local host and whatever else (DHCP) you've got on the zones tab.

  7. #7
    oldsod (Join Date Dec 2005, Posts 9,057)

    Default Re: ZA Security Alert - SvcHost

    "Thanks NaiveMelody. I saw that post, but I am hesitant to set permissions for a service that might be getting called by a rogue app."

    If or when a rogue application pOwn3d (owns) the svchost.exe, it is not even going to bother with something as trivial or meaningless as the 0.0.0.0 address.
    It is much more likely the rogue will use the svchost.exe to do some rogue DNS or Domain Name Lookups to infect your computer or even use rogue DHCP connections to steal your information by reading the packets.
    Or instead of the port 135 being normally used at the 0.0.0.0, it will be port 135 attempting to connect or allow incoming to malwareRus.com or giveMEyourbankaccountNUmber.net, not the innocent 0.0.0.0 address.


    Or it will be encrypted packets using port 80 but it will not be regular http traffic and it is not encrypted like https.
    Or it will be remote connections to some IRC server using the regular IRC ports.
    Or it will be your computer sending out spam to the regular email ports (and sometimes even http/https ports).

    Not by the 0.0.0.0 address.

    Oldsod.
    Best regards.
    oldsod

  8. #8
    oldsod (Join Date Dec 2005, Posts 9,057)

    Default Re: ZA Security Alert - SvcHost


    Paul_Chicago wrote: [post #4, quoted in full above]
    These are all normal and should be allowed.
    Try a reset of the ZA database to reset the setting and start fresh.
    Oldsod.
    Best regards.
    oldsod

  9. #9
    paul_chicago Guest

    Default Re: ZA Security Alert - SvcHost

    NaiveMelody, zasuiteuser, Oldsod -- !thanks! for all of your inputs. Couldn't have done it without you (and my ELO greatest hits CD).

    I took the path of least resistance and reset the ZA database, and so-far so-good.

    Just curious...after performing the recommended cleanup of *.RDB & *.LDB files, I rebooted (with no network cable) and immediately checked the ZA "Log Viewer" and found these two entries, which to my untrained eye look like rogue Internet Explorer activity:

    -----------------------------------------------------------------------
    Description Windows Explorer was prevented from changing the behavior of ZoneAlarm Security Suite by modifying the file: ZLDIR*
    Rating High
    Date / Time 2009-02-10 10:18:32-6:00
    Type File
    Subtype File Write
    Data ZLDIR*
    Program C:\WINDOWS\explorer.exe
    Action Taken Blocked (once)
    Count 1
    Policy Personal Policy
    -----------------------------------------------------------------------
    Description Windows Explorer was trying to launch C:\PROGRAM FILES\ZONEALARM\zlclient.exe, or use another program to gain access to privileged resources
    Rating High
    Date / Time 2009-02-10 10:17:58-6:00
    Type Process
    Subtype Spawn Process
    Data C:\PROGRAM FILES\ZONEALARM\zlclient.exe,
    Program C:\WINDOWS\explorer.exe
    Action Taken
    Count 1
    Policy Personal Policy


    Thanks,

    Paul

  10. #10
    oldsod (Join Date Dec 2005, Posts 9,057)

    Default Re: ZA Security Alert - SvcHost


    Paul_Chicago wrote: [post #9, quoted in full above]


    Actually these events are normal - not unusual.
    All part of the ZoneAlarm's self defense from other files.
    Basically, in the normal use of Windows, various other files, including the legitimate explorer.exe, will attempt to open the ZoneAlarm files.
    ZoneAlarm does not allow this because of its self-protection.
    The resulting alerts and logs show the blocked event.
    The only time you should be concerned about the opening of the ZoneAlarm files by other files is if they are malware or new files (from the Temp folder or from new and unusual places, etc) as this could be a sign of malware attempting to attack the ZoneAlarm.

    Best advice for this - right click the explorer.exe listed in the ZA Program listing, open the Options and check the first two items listed - one item is for allowing more component rights and the other item is for allowing more network connection rights. Apply and OK.
    It is really only necessary to allow more component rights, but often including the extra network rights seems to solve some issues.
    Then set the Trust rating for the explorer.exe to the three green bars or the "Super".

    Oldsod.
    Best regards.
    oldsod
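As an added example (not code from this thread, from ZoneAlarm or from any of the posters), the following Python script applies the checks the thread spells out to lines in the zalog.txt format Paul posted: naivemelody's post #3 (svchost.exe must live in %SystemRoot%\System32, never in the drive root, and scvhost-style look-alike names are a red flag), zaswing's post #6 and Oldsod's post #7 (0.0.0.0:135 is svchost listening locally and is normal; port 135, IRC or SMTP to a remote host from svchost is not), and Oldsod's post #10 (a self-protection alert only matters when the program involved runs from a Temp folder or an unusual place). The field layout is inferred from Paul's four log lines and is an assumption; the sample log mixes his two real lines with constructed malicious ones, and the port baseline, the C:\WINDOWS system root and the documentation address 198.51.100.7 are assumptions.

```python
"""Triage ZoneAlarm zalog.txt lines for the svchost.exe checks discussed in this thread.

Field layout inferred from the four log lines Paul posted (an assumption):
  PE,<date>,<time>,<description>,<program path>,<addr:port>,N/A
  OSFW,<date>,<time>,<action>,<description>,<program path>,<category>,<op>,SRC,<target>
"""
import re
from typing import List, Tuple

SYSTEM_ROOT = r"C:\WINDOWS"                                   # assumption: default XP install
LEGIT_SVCHOST = (SYSTEM_ROOT + r"\system32\svchost.exe").lower()
LOCAL_ADDRS = {"0.0.0.0", "127.0.0.1"}
# Remote ports Oldsod lists as normal for svchost on a home machine (DHCP, DNS, NTP, HTTP/HTTPS).
EXPECTED_REMOTE_PORTS = {53, 67, 68, 80, 123, 443}
# Remote ports the thread associates with a hijacked svchost (assumed port numbers).
SUSPECT_REMOTE_PORTS = {25: "SMTP (spam relay)", 135: "RPC to a remote host",
                        6667: "IRC", 6697: "IRC"}
PATH_RE = re.compile(r"^[A-Za-z]:\\")
ENDPOINT_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}:\d{1,5}$")


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: 1 for scvhost (swap) or svch0st (substitution)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def check_program_path(path: str) -> List[str]:
    """Location and spelling checks from post #3, plus the Temp-folder caveat from post #10."""
    findings = []
    p = path.lower()
    name = p.rsplit("\\", 1)[-1]
    if name == "svchost.exe":
        if p != LEGIT_SVCHOST:
            findings.append(f"svchost.exe outside {SYSTEM_ROOT}\\system32: {path}")
    elif osa_distance(name, "svchost.exe") <= 1:
        findings.append(f"lookalike of svchost.exe: {path}")
    if re.fullmatch(r"[a-z]:\\[^\\]+", p):
        findings.append(f"executable in the drive root: {path}")
    if re.search(r"\\(temp|tmp|temporary internet files)\\", p):
        findings.append(f"executable running from a temp folder: {path}")
    return findings


def classify_endpoint(endpoint: str) -> Tuple[str, str]:
    """Rate an addr:port seen for svchost against the baseline from posts #3, #6 and #7."""
    addr, _, port_text = endpoint.rpartition(":")
    port = int(port_text)
    if addr in LOCAL_ADDRS:
        return ("normal", "local or not-yet-assigned address; 0.0.0.0:135 is svchost listening for RPC")
    if port in SUSPECT_REMOTE_PORTS:
        return ("suspicious", f"{SUSPECT_REMOTE_PORTS[port]} from svchost")
    if port in EXPECTED_REMOTE_PORTS:
        return ("normal", f"remote port {port} is on the expected list")
    return ("review", f"remote port {port} is not in the baseline; check the destination")


def triage(log_text: str) -> List[Tuple[str, str, str, List[str]]]:
    """Return (record type, timestamp, program path, findings) for every record naming a program."""
    rows = []
    for line in log_text.splitlines():
        fields = [f.strip() for f in line.split(",")]
        if len(fields) < 6:
            continue
        path = next((f for f in fields if PATH_RE.match(f)), None)
        if path is None:
            continue
        findings = check_program_path(path)
        name = path.lower().rsplit("\\", 1)[-1]
        endpoint = next((f for f in fields if ENDPOINT_RE.match(f)), None)
        # The port baseline is svchost-specific (port 25 is normal for a mail client), so apply it
        # only to svchost and its look-alikes.
        if endpoint and osa_distance(name, "svchost.exe") <= 1:
            verdict, why = classify_endpoint(endpoint)
            if verdict != "normal":
                findings.append(f"{verdict}: {endpoint} ({why})")
        rows.append((fields[0], f"{fields[1]} {fields[2]}", path, findings))
    return rows


# Constructed sample: Paul's first two real lines, then invented ones (198.51.100.7 is a documentation address).
SAMPLE_LOG = r"""
OSFW,2009/01/29,09:45:16 -6:00 GMT,BLOCKED,Windows Explorer,C:\WINDOWS\explorer.exe,FILE,WRITE,SRC,ZL DIR*
PE,2009/01/29,09:45:16 -6:00 GMT,Generic Host Process for Win32 Services,C:\WINDOWS\system32\svchost.exe,0.0.0.0:135,N/A
PE,2009/01/29,09:46:02 -6:00 GMT,Generic Host Process for Win32 Services,C:\WINDOWS\system32\svchost.exe,192.168.1.1:53,N/A
PE,2009/01/29,09:47:10 -6:00 GMT,Generic Host Process for Win32 Services,C:\svchost.exe,198.51.100.7:6667,N/A
PE,2009/01/29,09:47:11 -6:00 GMT,Generic Host Process for Win32 Services,C:\WINDOWS\system32\scvhost.exe,198.51.100.7:25,N/A
OSFW,2009/01/29,09:48:00 -6:00 GMT,BLOCKED,Updater,C:\DOCUME~1\PAUL\LOCALS~1\Temp\update.exe,PROCESS,SPAWN,SRC,C:\PROGRAM FILES\ZONEALARM\zlclient.exe
"""

if __name__ == "__main__":
    for rtype, stamp, path, findings in triage(SAMPLE_LOG):
        status = "OK " if not findings else "!! "
        print(f"{status}{rtype:<5}{stamp}  {path}")
        for finding in findings:
            print(f"      - {finding}")
```

Run it against a real zalog.txt by passing the file's contents to triage(); on the sample, Paul's two real lines and the DNS line come back clean, while the root-directory svchost.exe talking IRC, the scvhost.exe look-alike on port 25, and the updater spawned from the Temp folder are each flagged. A name that matches svchost.exe exactly but sits outside System32 triggers the same path finding that post #3 warns about, and 0.0.0.0:135 is treated as normal only because the address is local; the same port toward a remote host is reported as suspicious, as Oldsod describes.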
