SONAR detects svchost.exe as the process causing Hosts File Change Security Risk. Users may see screen prompts and/or a toolbar notification balloon and the event may be logged in the Proactive Threat Protection Logs.
The following error is written to the Windows System Event Log:
"Security Risk Found! Hosts File Change in File: c:\windows\system32\svchost.exe by: SONAR scan"
If enabled the Proactive Threat Protection Logs will show: Risk: Hosts File Change by svchost.exe in c:\windows\system32.
"svchost.exe" is the host process name for services that run from dynamic-link libraries (DLLs) and is an integral part of the Windows Operating System. These services include those locally responsible for domain name resolution.
The Hosts file is a plain text document utilized by all operating systems and is used to resolve domain names to an IP address.
When a domain name requests TCP/IP resolution the service - hosted by svchost.exe - opens the Hosts file as writable regardless of whether changes are being made.
If the SONAR/Proactive Threat Protection option for detecting hosts file changes is set to anything other than the default “Ignore” then each time a domain name is resolved it is detected and logged as a security risk because the hosts file is being opened as writable by svchost.exe.
Note: The High Security Virus and Spyware policy that ships with the product is configured to block both DNS and Host File Changes.
SEP 12.1 Release Update 1 (RU1) Maintenance Patch 1 (MP1) added a new exclusion category: DNS or Host File Change Exception. This exclusion will prevent SONAR from taking any action on applications that have been excluded from these detections.
Use one of the following methods to prevent these messages:
- For 12.1 RU1 MP1 and above clients: Create a DNS or Host File Change Exception for svchost.exe or other applications that are expected to make changes to the Windows host file or DNS.
- Use the default System Change Detection settings (Ignore) in the Virus and Spyware Protection - SONAR Policy.
Note: In Small Business Edition 12.1 RU1 MP1 this setting cannot be modified and is on by default if you are using the "High Security Virus and Spyware Protection Policy". Consider assigning the Balanced Virus and Spyware Protection Policy to disable the detection.
Imported Document Id