HIPS Alert for Host process



  • ESET Insiders

Have HIPS set to Smart mode. Suddenly seeing alerts for "host process for windows is trying to access registry consecutive switch count" Any suggestions?

 


  • ESET Insiders

Just the Ransomware prevention rules.

Actually, no. That's on my daughter's laptop. So no, I haven't created any.


Just now, NewbyUser said:

Just the Ransomware prevention rules.

Suspect you may have borked the creation of those.

Temporarily disable all the rules you created. If the HIPS alerts disappear, then your source of the alerts is one or more of those rules. One by one enable each rule till the alerts reappear. At this point, you have found the source of your HIPS alerts.


  • ESET Insiders
Just now, itman said:

Suspect you may have borked the creation of those.

Temporarily disable all the rules you created. If the HIPS alerts disappear, then your source of the alerts is one or more of those rules. One by one enable each rule till the alerts reappear. At this point, you have found the source of your HIPS alerts.

This alert is on my daughter's laptop. I didn't put any rules on hers. Just default rules and set to Smart mode


1 minute ago, NewbyUser said:

This alert is on my daughter's laptop. I didn't put any rules on hers.

I can't read the screen shot you posted.


  • ESET Insiders
10 minutes ago, itman said:

I can't read the screen shot you posted.

The wording in the alert is what I posted. "host process for windows is trying to access registry (consecutive switch count)"


I can't find any reference to ConsecutiveSwitchCount in relation to the Win registry. As such, it can be assumed some Win service is trying to add it. Why, I have no clue.

Also a mystery is why Eset HIPS would be triggering on any activity from svchost.exe, a critical and legitimate Win process. That is, unless what we have here is a rogue service that has been installed and is running.

What you can do is click on Advanced options and create a rule but ensure you only specify for the reg. key attempting to be updated. You will then have to use Process Explorer with the VirusTotal scan option enabled and see if that flags any of the running svchost.exe processes as malware. Note this will be a vendor detection count; i.e. 5/71 for example.

Note if additional svchost.exe HIPS alerts start appearing afterwards, this would be confirmation that a rogue Win service has been installed.


Another possibility here is that malware has injected a running svchost.exe with malicious code. Entirely possible if the service happens to be one that is not PPL protected.


  • ESET Insiders

If it helps, she gets this alert every time she opens her laptop. For now I told her to deny until I can actually get to her laptop. Also suggested she run a scan, which she'll do after an online class she's in the midst of.


Given that Eset HIPS alerts are virtually non-existent in Auto or Smart mode, the best I can theorize is some service is attempting to write to a registry area that Eset is protecting. Most of those relate to Eset itself.

One of the infuriating things about Eset HIPS alerts in regard to svchost.exe is it does not specify the service being used. Enabling logging on the Deny rule won't help either since not only is the service not specified, neither is the process ID; something I requested long ago.


  • ESET Insiders

Yea, I'm not thrilled with their implementation of HIPS either. It's basically useless from my standpoint. As for this alert, I'm not liking that it's a registry key that, like you, I can't find any mention of existing anywhere, which makes me think this is some type of malware. But then I had Emsisoft on her laptop until a month ago and Eset since then, so I lean towards it not being malware related lol. Confusing.


Found ConsecutiveSwitchCount by searching my registry. And where it is located doesn't bode well with what's going on. It's in the Credentials area of the registry:

[Screenshot: Eset_HIPS.png]

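The two legwork steps in the posts above, searching the registry for the value named in the alert and working out which service sits behind a given svchost.exe (the detail the HIPS alert and its Deny-rule logging leave out), can both be scripted. The following is an added example written for this thread; it is not ESET's code and not something either poster ran. It assumes Windows 10/11 with Windows PowerShell 5.1 or later and an elevated prompt (without it, HKLM is only partly readable and the image path of svchost.exe instances in other sessions comes back empty). The value name is the one from the alert; the registry roots searched are an assumption, since the alert does not give the key path.

```powershell
# Added example for the HIPS alert discussed in this thread (not ESET's or a poster's code).
# Assumes Windows PowerShell 5.1+, run elevated. Roots to search are an assumption.

$ValueName   = 'ConsecutiveSwitchCount'
$SearchRoots = @('HKLM:\SOFTWARE', 'HKLM:\SYSTEM\CurrentControlSet', 'HKCU:\SOFTWARE')

# 1. Locate every key that holds a value with the name from the alert. The HIPS popup
#    names the value but not the key, so this walks the hives like a manual regedit search.
function Find-RegistryValue {
    param([string]$Name, [string[]]$Roots)
    foreach ($root in $Roots) {
        Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            try {
                if ($_.GetValueNames() -contains $Name) {
                    [pscustomobject]@{
                        Key   = $_.Name
                        Kind  = $_.GetValueKind($Name)
                        Value = $_.GetValue($Name)
                    }
                }
            } catch { }   # keys that open but refuse enumeration are skipped
        }
    }
}

# 2. Map each svchost.exe PID to the services it hosts. The alert only says
#    "Host Process for Windows", so this is the step that narrows it to a service.
#    Red flags: an svchost.exe image outside System32 (ImageOk = False) or a
#    hosted service whose ServiceDll does not carry a valid signature.
function Get-SvchostServiceMap {
    $realSvchost = Join-Path $env:SystemRoot 'System32\svchost.exe'
    $services    = Get-CimInstance -ClassName Win32_Service | Where-Object { $_.ProcessId -ne 0 }

    foreach ($proc in (Get-Process -Name svchost -ErrorAction SilentlyContinue)) {
        $imageOk = ($null -ne $proc.Path) -and ($proc.Path -ieq $realSvchost)
        $hosted  = $services | Where-Object { $_.ProcessId -eq $proc.Id }

        foreach ($svc in $hosted) {
            # svchost-hosted services load their code from Parameters\ServiceDll.
            $params = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)\Parameters"
            $dll    = (Get-ItemProperty -Path $params -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
            $sig    = if ($dll -and (Test-Path -LiteralPath $dll)) {
                          (Get-AuthenticodeSignature -FilePath $dll).Status
                      } else { 'NoServiceDll' }
            [pscustomobject]@{
                PID = $proc.Id; ImageOk = $imageOk; Service = $svc.Name
                DisplayName = $svc.DisplayName; StartMode = $svc.StartMode
                ServiceDll = $dll; DllSig = $sig
            }
        }
        # An svchost.exe hosting no registered service at all is itself worth a look.
        if (-not $hosted) {
            [pscustomobject]@{
                PID = $proc.Id; ImageOk = $imageOk; Service = '(none)'
                DisplayName = ''; StartMode = ''; ServiceDll = $proc.Path; DllSig = 'n/a'
            }
        }
    }
}

Find-RegistryValue -Name $ValueName -Roots $SearchRoots | Format-Table -AutoSize
# Show only the instances that deserve attention; drop the Where-Object to see everything.
Get-SvchostServiceMap | Where-Object { -not $_.ImageOk -or $_.DllSig -ne 'Valid' } |
    Sort-Object PID | Format-Table -AutoSize
```

Recursing HKLM:\SOFTWARE takes a minute or two on a typical machine. A DllSig of `Valid` covers Microsoft's catalog-signed system DLLs as well as embedded Authenticode signatures; `NoServiceDll` simply means the service does not use the ServiceDll mechanism and is not by itself suspicious. Once the PID of the svchost.exe raising the alert is known (Process Explorer shows it), the matching rows are the short list of services to check against VirusTotal, as suggested earlier in the thread.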

  • ESET Insiders

Hmmm, didn't think of that. My daughter has an HP and I have a Dell, so I figured they'd naturally be different. Plus she has a lot of software for school, whereas I don't have nearly the software on this one. Let me search this registry too.


  • ESET Insiders
12 minutes ago, itman said:

Found ConsecutiveSwitchCount by searching my registry. And where it is located doesn't bode well with what's going on. It's in the Credentials area of the registry:

[Screenshot: Eset_HIPS.png]

Whatever it is, seems there is an opt-out option.


3 minutes ago, NewbyUser said:

I don't seem to have the opt-out entry you do though.

I don't log on using the Microsoft Account option.


  • ESET Insiders

Ahh, so that could be it. But in that regard both my daughter and I log on with PINs, and I'm not getting this alert. But it is every time she logs on, from what she said earlier.


My assumption at this point is she might have been hit with some credential stealing malware. Appears Eset has default HIPS rules to lock down access to this area.


  • ESET Insiders

Great. Doesn't sound good. I did have her check LiveGrid, everything was green. Not sure if a hijacked legitimate process would show up that way though.


This topic is now closed to further replies.