  • ESET Insiders
Posted

Have HIPS set to Smart mode. Suddenly seeing alerts for "host process for windows is trying to access registry consecutive switch count" Any suggestions?


Posted

Have you created any user HIPS rules?

  • ESET Insiders
Posted (edited)

Just the Ransomware prevention rules.

Actually, no. That's on my daughter's laptop. So no, I haven't created any

Edited by NewbyUser
Posted
Just now, NewbyUser said:

Just the Ransomware prevention rules.

Suspect you may have borked the creation of those.

Temporarily disable all the rules you created. If the HIPS alerts disappear, then your source of the alerts is one or more of those rules. One by one enable each rule till the alerts reappear. At this point, you have found the source of your HIPS alerts.

  • ESET Insiders
Posted
Just now, itman said:

Suspect you may have borked the creation of those.

Temporarily disable all the rules you created. If the HIPS alerts disappear, then your source of the alerts is one or more of those rules. One by one enable each rule till the alerts reappear. At this point, you have found the source of your HIPS alerts.

This alert is on my daughter's laptop. I didn't put any rules on hers. Just default rules and set to Smart mode.

Posted
1 minute ago, NewbyUser said:

This alert is on my daughter's laptop. I didn't put any rules on hers.

I can't read the screen shot you posted.

  • ESET Insiders
Posted

Yea, sorry she took a crappy pic lol.

  • ESET Insiders
Posted
10 minutes ago, itman said:

I can't read the screen shot you posted.

The wording in the alert is what I posted. "host process for windows is trying to access registry (consecutive switch count)"

Posted (edited)

I can't find any reference to ConsecutiveSwitchCount in reference to the Win registry. As such, it can be assumed some Win service is trying to add it. Why, I have no clue.

Also a mystery is why Eset HIPS would be triggering on any activity from svchost.exe, a critical Win legit process. That is unless what we have here is a rogue service that has been installed and is running.

What you can do is click on Advanced options and create a rule but ensure you only specify for the reg. key attempting to be updated. You will then have to use Process Explorer with the VirusTotal scan option enabled and see if that flags any of the running svchost.exe processes as malware. Note this will be a vendor detection count; i.e. 5/71 for example.

Note if additional svchost.exe HIPS alerts start appearing afterwards, this would be confirmation that a rogue Win service has been installed.

Edited by itman
Posted

Another possibility here is malware has injected a running svchost.exe with malicious code. Entirely possible if the service happens to be one not PPL protected.

  • ESET Insiders
Posted

If it helps, she gets this alert every time she opens her laptop. For now I told her to deny until I can actually get to her laptop. Also suggested she run a scan, which she'll do after an online class she's in the midst of.

Posted

Given that Eset HIPS alerts are virtually non-existent in Auto or Smart mode, the best I can theorize is some service is attempting to write to a registry area that Eset is protecting. Most of those relate to Eset itself.

One of the infuriating things about Eset HIPS alerts in regards to svchost.exe is it does not specify the service being used. Enabling logging on the Deny rule won't help either since not only is the service not specified, neither is the process id; something I requested long ago.
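Since the alert names only "Host Process for Windows" and a value name, the two questions a defender can answer locally are where that value actually lives (so any rule is scoped to that exact key) and which services each svchost.exe PID is hosting. The following PowerShell is an added example, not code from the thread or from ESET; the value name comes from the thread, while the hive roots searched and the output layout are my own assumptions.

```powershell
# Added triage helper for an ESET HIPS alert that names only svchost.exe and a
# registry value. Run from an elevated PowerShell prompt on the affected machine.

# 1. Locate every key under the chosen roots that holds a value with this name.
#    Roots are an assumption; widen them if nothing is found.
function Find-RegistryValueName {
    param(
        [Parameter(Mandatory)] [string] $ValueName,
        [string[]] $Roots = @('HKCU:\', 'HKLM:\SOFTWARE')
    )
    foreach ($root in $Roots) {
        Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue |
            Where-Object { $_.GetValueNames() -contains $ValueName } |
            ForEach-Object {
                [pscustomobject]@{
                    Key   = $_.Name                  # full key path
                    Value = $_.GetValue($ValueName)  # current data
                }
            }
    }
}

# 2. Map each running svchost.exe PID to the services it hosts, since the HIPS
#    alert reports neither the service name nor the process id. A service whose
#    PathName points anywhere other than the Windows svchost.exe stands out here.
function Get-SvchostServiceMap {
    Get-CimInstance Win32_Service |
        Where-Object { $_.ProcessId -ne 0 -and $_.PathName -match 'svchost\.exe' } |
        Group-Object ProcessId |
        ForEach-Object {
            [pscustomobject]@{
                ProcessId = [int] $_.Name
                Services  = ($_.Group.Name | Sort-Object) -join ', '
                Paths     = ($_.Group.PathName | Select-Object -Unique) -join ' | '
            }
        } | Sort-Object ProcessId
}

Find-RegistryValueName -ValueName 'ConsecutiveSwitchCount' | Format-Table -AutoSize
Get-SvchostServiceMap | Format-Table -AutoSize
```

Compare the key path from the first table against what the HIPS dialog shows before scoping a rule to it, and check the PID of the process named in the alert (visible in Process Explorer) against the second table to narrow down the hosting service.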

  • ESET Insiders
Posted

Yea, I'm not thrilled with their implementation of HIPS either. It's basically useless from my standpoint. As for this alert, I'm not liking that it's a registry key that, like you, I can't find any mention of existing anywhere, which makes me think this is some type of malware. But then I had Emsisoft on her laptop until a month ago and Eset since then, so I lean towards it not being malware related lol. Confusing

Posted

Found ConsecutiveSwitchCount by searching my registry. And where it is located doesn't bode well with what's going on. It's in the Credentials area of the registry:

[attached screenshot: Eset_HIPS.png]

  • ESET Insiders
Posted

Hmmm, didn't think of that. My daughter has an HP and I have a Dell, so I figured they'd naturally be different. Plus she has a lot for school whereas I don't have nearly the software on this one. Let me search this registry too.

Posted

Looks like this registry area is Microsoft Account related.

  • ESET Insiders
Posted
12 minutes ago, itman said:

Found ConsecutiveSwitchCount by searching my registry. And where it is located doesn't bode well with what's going on. It's in the Credentials area of the registry:

[attached screenshot: Eset_HIPS.png]

Whatever it is, seems there is an opt-out option.

  • ESET Insiders
Posted

I don't seem to have the opt out entry you do though.

[attached screenshot: 2020-05-13.png]

Posted
3 minutes ago, NewbyUser said:

I don't seem to have the opt out entry you do though.

I don't log on using the Microsoft Account option.

  • ESET Insiders
Posted

Ahh, so that could be it. But in that regard both my daughter and I do log on with PINs, and I'm not getting this alert. But it is every time she logs on from what she said earlier.

Posted

My assumption at this point is she might have been hit with some credential stealing malware. Appears Eset has default HIPS rules to lock down access to this area.

  • ESET Insiders
Posted

Great. Doesn't sound good. I did have her check LiveGrid, everything was green. Not sure if a hijacked legitimate process would show up that way though.
