NewbyUser

HIPS Alert for Host process

Have HIPS set to Smart mode. Suddenly seeing alerts for "host process for windows is trying to access registry consecutive switch count". Any suggestions?

Have you created any user HIPS rules?

Just the Ransomware prevention rules.

Actually, no. That's on my daughter's laptop. So no, I haven't created any.

Just now, NewbyUser said:

Just the Ransomware prevention rules.

Suspect you may have borked the creation of those.

Temporarily disable all the rules you created. If the HIPS alerts disappear, then the source of the alerts is one or more of those rules. One by one, enable each rule until the alerts reappear. At this point, you have found the source of your HIPS alerts.

Just now, itman said:

Suspect you may have borked the creation of those.

Temporarily disable all the rules you created. If the HIPS alerts disappear, then the source of the alerts is one or more of those rules. One by one, enable each rule until the alerts reappear. At this point, you have found the source of your HIPS alerts.

This alert is on my daughter's laptop. I didn't put any rules on hers. Just default rules and set to Smart mode.

1 minute ago, NewbyUser said:

This alert is on my daughter's laptop. I didn't put any rules on hers.

I can't read the screen shot you posted.

10 minutes ago, itman said:

I can't read the screen shot you posted.

The wording in the alert is what I posted. "host process for windows is trying to access registry (consecutive switch count)"

I can't find any reference to ConsecutiveSwitchCount in reference to the Win registry. As such, it can be assumed some Win service is trying to add it. Why, I have no clue.

Also a mystery is why Eset HIPS would be triggering on any activity from svchost.exe, a critical Win legit process. That is unless what we have here is a rogue service that has been installed and is running.

What you can do is click on Advanced options and create a rule, but ensure you only specify the reg. key attempting to be updated. You will then have to use Process Explorer with the VirusTotal scan option enabled and see if that flags any of the running svchost.exe processes as malware. Note this will be a vendor detection count; i.e. 5/71, for example.

Note if additional svchost.exe HIPS alerts start appearing afterwards, this would be confirmation that a rogue Win service has been installed.

Another possibility here is malware has injected a running svchost.exe with malicious code. Entirely possible if the service happens to be one that is not PPL protected.

If it helps, she gets this alert every time she opens her laptop. For now I told her to deny until I can actually get to her laptop. Also suggested she run a scan, which she'll do after an online class she's in the midst of.

Given that Eset HIPS alerts are virtually non-existent in Auto or Smart mode, the best I can theorize is some service is attempting to write to a registry area that Eset is protecting. Most of those relate to Eset itself.

One of the infuriating things about Eset HIPS alerts in regard to svchost.exe is it does not specify the service being used. Enabling logging on the Deny rule won't help either, since not only is the service not specified, but neither is the process ID; something I requested long ago.

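The gap the two posts above describe (an alert that names only "Host Process for Windows", with no service name and no process ID) can be closed from the machine itself. The script below is an added example, not from the thread and not part of ESET's tooling: it maps every running svchost.exe to the services it hosts, records the ServiceDll each service loads, and flags instances whose image path, Authenticode signature, parent process or hosted DLLs look off. It assumes an elevated Windows PowerShell 5.1 or later prompt; the function names Get-SvchostReport and Get-ServiceDll are this example's own. The path and signature checks stand in for the Process Explorer/VirusTotal lookup suggested above; they do not replace a hash lookup.

```powershell
# Added example (not from the thread or ESET): map svchost.exe PIDs to the
# services they host and apply basic sanity checks. Run elevated.

function Get-ServiceDll {
    param([Parameter(Mandatory)][string]$ServiceName)
    # A service hosted by svchost.exe loads the DLL named in <service>\Parameters\ServiceDll.
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName\Parameters"
    $dll = (Get-ItemProperty -Path $key -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
    if ($dll) { [Environment]::ExpandEnvironmentVariables($dll) }
}

function Get-SvchostReport {
    # Every genuine svchost.exe is started by services.exe from %SystemRoot%\System32.
    $servicesPid = (Get-Process -Name services).Id
    $system32    = Join-Path $env:SystemRoot 'System32'
    $svchostExe  = Join-Path $system32 'svchost.exe'

    # Win32_Service records the PID hosting each running service; index services by PID.
    $byPid = @{}
    foreach ($svc in Get-CimInstance -ClassName Win32_Service | Where-Object ProcessId -ne 0) {
        $byPid[[int]$svc.ProcessId] += @($svc)
    }

    foreach ($proc in Get-Process -Name svchost -ErrorAction SilentlyContinue) {
        $cim    = Get-CimInstance -ClassName Win32_Process -Filter "ProcessId = $($proc.Id)"
        $path   = $cim.ExecutablePath
        $hosted = @($byPid[[int]$proc.Id])
        $dlls   = @($hosted | ForEach-Object { Get-ServiceDll -ServiceName $_.Name } | Sort-Object -Unique)
        $sig    = if ($path) { Get-AuthenticodeSignature -FilePath $path }

        # Each flag is a reason to look closer, not a verdict. A svchost.exe with no
        # services can be transient (a service just stopped); an unreadable path
        # usually means the prompt is not elevated.
        $flags = @(
            if (-not $path)                             { 'path-unreadable' }
            elseif ($path -ine $svchostExe)             { 'path-not-system32' }
            if ($sig -and $sig.Status -ne 'Valid')      { 'signature-not-valid' }
            if ($cim.ParentProcessId -ne $servicesPid)  { 'parent-not-services.exe' }
            if ($hosted.Count -eq 0)                    { 'hosts-no-service' }
            foreach ($d in $dlls) {
                if ($d -notlike "$system32\*") { "dll-outside-system32:$d" }
            }
        )

        [pscustomobject]@{
            PID        = $proc.Id
            ParentPID  = $cim.ParentProcessId
            Path       = $path
            Services   = ($hosted.Name -join ', ')
            ServiceDll = ($dlls -join ', ')
            Flags      = ($flags -join ' ')
        }
    }
}

Get-SvchostReport | Sort-Object PID | Format-Table PID, ParentPID, Services, Flags -AutoSize
```

Run it right after the alert fires and compare against the PID shown by Process Explorer for the process ESET stopped. A row with an empty Flags column only means the basics check out; for a DLL the script flags, `Get-FileHash -Algorithm SHA256` gives the hash to look up on VirusTotal without uploading the file.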
Yeah, I'm not thrilled with their implementation of HIPS either. It's basically useless from my standpoint. As for this alert, I'm not liking that it's a registry key that, like you, I can't find any mention of existing anywhere, which makes me think this is some type of malware. But then I had Emsisoft on her laptop until a month ago and Eset since then, so I lean towards it not being malware related lol. Confusing.

Found ConsecutiveSwitchCount by searching my registry. And where it is located doesn't bode well with what's going on. It's in the Credentials area of the registry:

[screenshot: Eset_HIPS.png]

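The registry search itman describes above can be done from PowerShell so that the result also shows what the value holds and who is allowed to change the key it sits under. The function below is an added example, not from the thread and not ESET's; it assumes an elevated Windows PowerShell 5.1 or later prompt, and Find-RegistryValue is this example's own name. It walks HKLM and HKU (which covers the HKCU of every signed-in account, so it would see the daughter's hive as well as the parent's), which on a full install takes a few minutes.

```powershell
# Added example (not from the thread or ESET): locate a registry value by name
# across HKLM and all loaded user hives and report data plus write access.

function Find-RegistryValue {
    param(
        [Parameter(Mandatory)][string]$ValueName,
        [string[]]$Hives = @('HKLM:\', 'HKU:\')
    )
    # HKU is not exposed as a PowerShell drive by default.
    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }
    $setValue = [System.Security.AccessControl.RegistryRights]::SetValue

    foreach ($hive in $Hives) {
        Get-ChildItem -Path $hive -Recurse -ErrorAction SilentlyContinue |
            Where-Object { $_.Property -contains $ValueName } |   # Property lists the key's value names
            ForEach-Object {
                $key = $_
                # Principals explicitly allowed to set values under this key
                # (SetValue or FullControl). Keys whose ACL cannot be read show an empty list.
                $acl     = Get-Acl -Path $key.PSPath -ErrorAction SilentlyContinue
                $writers = @($acl.Access |
                    Where-Object { $_.AccessControlType -eq 'Allow' -and ($_.RegistryRights -band $setValue) } |
                    ForEach-Object { $_.IdentityReference.Value } |
                    Sort-Object -Unique)

                [pscustomobject]@{
                    Key     = $key.Name
                    Value   = $ValueName
                    Kind    = $key.GetValueKind($ValueName)
                    Data    = $key.GetValue($ValueName)
                    Writers = ($writers -join ', ')
                }
            }
    }
}

# Usage: the value name the HIPS alert in this thread reports.
Find-RegistryValue -ValueName 'ConsecutiveSwitchCount' | Format-List
```

The Writers column is the part worth reading: a value under a credential-related key that only SYSTEM and Administrators can change is ordinary; one that any authenticated user can set is a different matter. The key path, data type and current data are what to keep for comparison after the next alert.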
Hmmm, didn't think of that. My daughter has an HP and I have a Dell, so I figured they'd naturally be different. Plus she has a lot of software for school, whereas I don't have nearly the software on this one. Let me search this registry too.

Looks like this registry area is Microsoft Account related.

12 minutes ago, itman said:

Found ConsecutiveSwitchCount by searching my registry. And where it is located doesn't bode well with what's going on. It's in the Credentials area of the registry:

[screenshot: Eset_HIPS.png]

Whatever it is, seems there is an opt-out option.

I don't seem to have the opt-out entry you do though.

[screenshot: 2020-05-13.png]

3 minutes ago, NewbyUser said:

I don't seem to have the opt-out entry you do though.

I don't log on using the Microsoft Account option.

Ahh, so that could be it. But in that regard, both my daughter and I log on with PINs, and I'm not getting this alert. But it is every time she logs on, from what she said earlier.

My assumption at this point is she might have been hit with some credential stealing malware. Appears Eset has default HIPS rules to lock down access to this area.

Great. Doesn't sound good. I did have her check LiveGrid, everything was green. Not sure if a hijacked legitimate process would show up that way though.
