NewbyUser (ESET Insiders) - Posted May 13, 2020
Have HIPS set to Smart mode. Suddenly seeing alerts for "host process for windows is trying to access registry consecutive switch count". Any suggestions?

NewbyUser (ESET Insiders) - Posted May 13, 2020 (edited May 13, 2020 by NewbyUser)
Just the Ransomware prevention rules. Actually, no. That's on my daughter's laptop. So no, I haven't created any.

itman - Posted May 13, 2020
NewbyUser said: "Just the Ransomware prevention rules."
Suspect you may have borked the creation of those. Temporarily disable all the rules you created. If the HIPS alerts disappear, then your source of the alerts is one or more of those rules. One by one enable each rule till the alerts reappear. At this point, you have found the source of your HIPS alerts.

NewbyUser (ESET Insiders) - Posted May 13, 2020
itman said: "Suspect you may have borked the creation of those. [...]"
This alert is on my daughter's laptop. I didn't put any rules on hers. Just default rules and set to Smart mode.
itman - Posted May 13, 2020
NewbyUser said: "This alert is on my daughter's laptop. I didn't put any rules on hers."
I can't read the screenshot you posted.

NewbyUser (ESET Insiders) - Posted May 13, 2020
Yea, sorry, she took a crappy pic lol.

NewbyUser (ESET Insiders) - Posted May 13, 2020
itman said: "I can't read the screenshot you posted."
The wording in the alert is what I posted: "host process for windows is trying to access registry (consecutive switch count)".
itman - Posted May 13, 2020 (edited May 13, 2020 by itman)
I can't find any reference to ConsecutiveSwitchCount in relation to the Win registry. As such, it can be assumed some Win service is trying to add it. Why, I have no clue. Also a mystery is why Eset HIPS would be triggering on any activity from svchost.exe, a critical Win legit process. That is, unless what we have here is a rogue service that has been installed and is running. What you can do is click on Advanced options and create a rule, but ensure you only specify the reg. key attempting to be updated. You will then have to use Process Explorer with the VirusTotal scan option enabled and see if that flags any of the running svchost.exe processes as malware. Note this will be a vendor detection count; i.e. 5/71, for example. Note if additional svchost.exe HIPS alerts start appearing afterwards, this would be confirmation that a rogue Win service has been installed.

itman - Posted May 13, 2020
Another possibility here is malware has injected a running svchost.exe with malicious code. Entirely possible if the service happens to be one not PPL protected.
NewbyUser (ESET Insiders) - Posted May 13, 2020
If it helps, she gets this alert every time she opens her laptop. For now I told her to deny until I can actually get to her laptop. Also suggested she run a scan, which she'll do after an online class she's in the midst of.

itman - Posted May 13, 2020
Given that Eset HIPS alerts are virtually non-existent in Auto or Smart mode, the best I can theorize is some service is attempting to write to a registry area that Eset is protecting. Most of those relate to Eset itself. One of the infuriating things about Eset HIPS alerts in regards to svchost.exe is it does not specify the service being used. Enabling logging on the Deny rule won't help either, since not only is the service not specified, neither is the process id; something I requested long ago.
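The two itman posts above leave the practical gap: the HIPS alert names only svchost.exe, with no service name or PID, and the suggested follow-up is a Process Explorer / VirusTotal check of the svchost instances. The PowerShell below is an added example (not code from the thread, from ESET or from Microsoft) that narrows "svchost.exe" down to something actionable: it maps every running svchost.exe PID to the services it hosts, reads each service's ServiceDll from HKLM\SYSTEM\CurrentControlSet\Services\<name>\Parameters, reports the DLL's Authenticode status, flags any hosted DLL that lives outside %SystemRoot%\System32, and prints the SHA-256 of svchost.exe for a manual VirusTotal hash search. It assumes an elevated PowerShell 5.1 or later prompt on the affected machine.

```powershell
# Added example (not from the thread or from ESET): map running svchost.exe PIDs to the
# services they host and to each service's ServiceDll, and hash svchost.exe for a
# manual VirusTotal lookup. Run from an elevated PowerShell (5.1 or later) prompt.

$svchostIds = @(Get-Process -Name svchost -ErrorAction SilentlyContinue |
                Select-Object -ExpandProperty Id)

$rows = foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    if ($svc.State -ne 'Running' -or $svc.ProcessId -notin $svchostIds) { continue }

    # svchost-hosted services load their code from Parameters\ServiceDll under the
    # service's own key; a service with its own executable has no such value.
    $paramKey   = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)\Parameters"
    $serviceDll = (Get-ItemProperty -Path $paramKey -Name ServiceDll `
                       -ErrorAction SilentlyContinue).ServiceDll
    if ($serviceDll) {
        $serviceDll = [Environment]::ExpandEnvironmentVariables($serviceDll)
    }

    # A hosted DLL outside %SystemRoot%\System32 is a prompt for closer inspection,
    # not a verdict; the signature status is reported alongside for the same reason.
    $flag      = ''
    $sigStatus = ''
    if ($serviceDll -and (Test-Path -LiteralPath $serviceDll)) {
        $sigStatus = (Get-AuthenticodeSignature -FilePath $serviceDll).Status
        if ($serviceDll -notlike "$env:SystemRoot\System32\*") { $flag = 'CHECK PATH' }
    }

    [pscustomobject]@{
        PID        = $svc.ProcessId
        Service    = $svc.Name
        ServiceDll = $serviceDll
        Signature  = $sigStatus
        Flag       = $flag
    }
}

$rows | Sort-Object PID, Service | Format-Table -AutoSize

# Hash of the svchost.exe image itself, to paste into VirusTotal's hash search
# instead of relying on the vendor count shown in Process Explorer.
Get-FileHash -Algorithm SHA256 -LiteralPath "$env:SystemRoot\System32\svchost.exe" |
    Select-Object Algorithm, Hash
```

The table tells you which services share each svchost PID, so once Process Monitor (filter: Operation is RegSetValue, Path contains ConsecutiveSwitchCount) shows the PID that performs the write, the candidate services are the rows with that PID. A 'CHECK PATH' flag or a non-Valid signature on a hosted DLL is where to look first for the "rogue service" itman describes; it does not by itself confirm one.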
NewbyUser (ESET Insiders) - Posted May 13, 2020
Yea, I'm not thrilled with their implementation of HIPS either. It's basically useless from my standpoint. As for this alert, I'm not liking that it's a registry key that, like you, I can't find any mention of existing anywhere, which makes me think this is some type of malware. But then I had Emsisoft on her laptop until a month ago and Eset since then, so I lean towards it not being malware related lol. Confusing.

itman - Posted May 13, 2020
Found ConsecutiveSwitchCount by searching my registry. And where it is located doesn't bode well with what's going on. It's in the Credentials area of the registry:
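itman found the value by searching his own registry; a regedit search is slow and finds one hit at a time. The PowerShell below is an added example (not code from the thread or from ESET) that does the same search in one pass: it walks HKLM\SOFTWARE, HKLM\SYSTEM and HKCU, lists every key holding a value named ConsecutiveSwitchCount, and shows its data, type and the key owner, so the same key can be compared between the two laptops (one logs on with a Microsoft account and one does not, per the posts that follow). The thread does not give the key path, so none is hard-coded. It assumes an elevated PowerShell 5.1 or later prompt.

```powershell
# Added example (not from the thread or from ESET): locate every registry value named
# ConsecutiveSwitchCount under HKLM and HKCU, with its data, type and the owner of the
# key that holds it. No key path is assumed; the hives are walked recursively.
# Run from an elevated prompt so HKLM is fully readable; PowerShell 5.1 or later.

$valueName = 'ConsecutiveSwitchCount'
$roots     = @('HKLM:\SOFTWARE', 'HKLM:\SYSTEM', 'HKCU:\')

$hits = foreach ($root in $roots) {
    # Recursive key walk; access-denied subkeys are skipped instead of aborting the search.
    Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.GetValueNames() -contains $valueName } |
        ForEach-Object {
            [pscustomobject]@{
                Key   = $_.Name
                Data  = $_.GetValue($valueName)
                Type  = $_.GetValueKind($valueName)
                Owner = (Get-Acl -Path $_.PSPath -ErrorAction SilentlyContinue).Owner
            }
        }
}

if ($hits) {
    $hits | Format-List
} else {
    "No value named $valueName found under $($roots -join ', ')"
}
```

Run it on both machines and diff the Key and Data columns. A hit only under HKCU is per-account, which is worth knowing before reading anything into one laptop having an entry the other lacks; `Get-Acl` on the reported key path (piped to `Format-List`) then shows which principals can write it, which is the access a HIPS rule protecting that area would be mediating.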
NewbyUser (ESET Insiders) - Posted May 13, 2020
Hmmm, didn't think of that. My daughter has an HP and I have a Dell, so I figured they'd naturally be different. Plus she has a lot of software for school, whereas I don't have nearly the software on this one. Let me search this registry too.

itman - Posted May 13, 2020
Looks like this registry area is Microsoft Account related.

NewbyUser (ESET Insiders) - Posted May 13, 2020
itman said: "Found ConsecutiveSwitchCount by searching my registry. And where it is located doesn't bode well with what's going on. It's in the Credentials area of the registry:"
Whatever it is, seems there is an opt out option.

NewbyUser (ESET Insiders) - Posted May 13, 2020
I don't seem to have the opt out entry you do though.

NewbyUser (ESET Insiders) - Posted May 13, 2020
Do you use a PIN to log on? Seems related to that from what I read here: https://stackoverflow.com/questions/57181616/how-does-windows-10-manage-and-use-pin-credential-data-for-windows-logon

itman - Posted May 13, 2020
NewbyUser said: "I don't seem to have the opt out entry you do though."
I don't log on using the Microsoft Account option.

NewbyUser (ESET Insiders) - Posted May 13, 2020
Ahh, so that could be it. But in that regard both my daughter and I do log on with PINs, and I'm not getting this alert. But it is every time she logs on, from what she said earlier.

itman - Posted May 13, 2020
My assumption at this point is she might have been hit with some credential stealing malware. Appears Eset has default HIPS rules to lock down access to this area.

NewbyUser (ESET Insiders) - Posted May 13, 2020
Great. Doesn't sound good. I did have her check LiveGrid, everything was green. Not sure if a hijacked legitimate process would show up that way though.