Channel: Symantec Connect - Endpoint Protection - Discussions

Incorrect answer/reply in forum could cause risk exposure for customers

I do not need a solution (just sharing information)

In the forum thread at:

https://www-secure.symantec.com/connect/forums/sep-hardening-policy-protect-symantec-files-and-registry

the person responding to the original question or query gives incorrect information. The responder indicates that the file in question is a SEP file; it is not.
It is my opinion that others, lurkers or people seeking an answer to the same question, could end up whitelisting something for the wrong reasons or drop their guard.

svchost is not the process used by Symantec/SEP as the answer or post in that thread states. That file is the Windows service "host" and if it is the proper file and not compromised in any way - it is the process by which services are launched. Check your "task manager" and you will see svchost is responsible for multiple services and processes, local and network, and it's not SEP doing it.

SEP has its own version (the use of which I'm not certain, but it's a different host). SEP's file is ccSvcHst.exe - not svchost.exe

A person should whitelist only the svchost.exe that runs from %windir%\system32 and no other location.

They can whitelist ccSvcHst.exe as long as it's running from the proper SEP folder structure.

Note that svchost can launch not only good Windows services or processes, it could well launch malware disguised as good files or services, so beware.

Just wanted to indicate that lurkers or viewers should be wary: the info given as fact in that linked thread above is not factual and needs to be taken very carefully, as it could otherwise lead to complications if used "as a matter of fact" to "trust" svchost.exe as a Symantec file - it's not.
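
The location rule from the post above, written as a check over full process image paths. This is an added example, not part of the original post and not Symantec code. `WINDIR`, the `SEP_ROOT` placeholder and the sample paths are assumptions made for illustration; substitute the values from your own systems.

```python
import ntpath

# Assumed values, not from the post: replace with your own system's paths.
WINDIR = r"C:\Windows"
SEP_ROOT = r"C:\Program Files\SEP-INSTALL-FOLDER"  # placeholder for the SEP install folder

def _norm(path):
    # Resolve "..", unify slashes, fold case (Windows paths are case-insensitive).
    return ntpath.normcase(ntpath.normpath(path))

# image name -> (required folder, whether subfolders of it are also accepted)
RULES = {
    "svchost.exe": (_norm(ntpath.join(WINDIR, "System32")), False),
    "ccsvchst.exe": (_norm(SEP_ROOT), True),
}

def classify(image_path):
    """Return 'allow', 'suspicious' or 'unlisted' for a full process image path."""
    folder, name = ntpath.split(_norm(image_path))
    if name not in RULES:
        return "unlisted"          # this allow-list says nothing about the file
    root, subfolders_ok = RULES[name]
    if folder == root:
        return "allow"
    # Compare with a trailing separator so "...\SEP-INSTALL-FOLDER-x" does not match.
    if subfolders_ok and folder.startswith(root + "\\"):
        return "allow"
    return "suspicious"            # trusted name, wrong location

# Constructed sample image paths (not real telemetry).
SAMPLE = [
    r"C:\Windows\System32\svchost.exe",
    r"c:\windows\system32\SVCHOST.EXE",
    r"C:\Windows\System32\..\Temp\svchost.exe",
    r"C:\Users\Public\svchost.exe",
    r"C:\Program Files\SEP-INSTALL-FOLDER\Bin\ccSvcHst.exe",
    r"C:\ProgramData\ccSvcHst.exe",
    r"C:\Windows\System32\notepad.exe",
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(f"{classify(p):10} {p}")
```

The path is normalized before the comparison, so a `..` segment or a change of letter case cannot make a file outside the expected folder pass the check.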

