• All Community
    • All Community
    • Forums
    • Ideas
    • Blogs
Advanced

Not what you are looking for? Ask the experts!

This forum thread needs a solution.
Kudos4 Stats

Has Norton Security blocked my svchost.exe?

Today I received the following notification from Norton Security: “We have identified a program that does not work as expected on your computer. This program has been blocked.”

The threat level is High and the name of the threat is SONAR.SuspPE!gen8. However, the problem is that the file mentioned is svchost.exe, a Windows system file without which I don’t think my computer will work very well. I can still see svchost.exe in C:\Windows\System32 so at least that file hasn’t been put in quarantine.

Can anyone tell me what ramifications the above message actually has? Has NS just blocked the activity caused by the SuspPE!gen8 threat, or has it blocked svchost.exe altogether? For now I'm almost afraid to shut off my computer, not knowing if it will boot up again.

Replies

Kudos0

Re: Has Norton Security blocked my svchost.exe?

Will Norton care to comment or email those affected?
This is not good PR whatsoever.
I do my online banking on my windows 8 PC and i am not happy :-(

Kudos0

Re: Has Norton Security blocked my svchost.exe?

Because of Norton's blocking my svchost.exe (there is no such process at all in the process list of Task Manager) I am not able to look for Windows Updates.  I even tried to manually start the Windows Service (as administrator from the services dialog and the commandline - it refuses to start!).

I am expecting a statement by Norton: can I ignore the purported threat and unblock svchost.exe or what am I supposed to do? This program seems to be an integral part of Windows, so blocking it is a pretty severe intervention!

Kudos0

Re: Has Norton Security blocked my svchost.exe?

peterweb:
greendio:

I think it's not false positive. 3 secs after SONAR block there is norton statistical submission "application name google/update/googleupdate.exe Offending URL (a lot of text) chrome_updater.exe?cms_redirect=yes (more text)

I have the same notation about the googleupdate.exe in my Norton History. 

Same here.  IPS statistical submission relating to googleupdate.exe 12 secs after the SONAR block.

Kudos0

Re: Has Norton Security blocked my svchost.exe?

As I noted above in this post, if this is in fact a valid detection of an intrusion attempt, Norton blocked it and no further action is necessary. You are safe to continue your usual operation of your systems.

If you chose to block svchost.exe when you saw this message, you need to unblock it so your system can run properly again. If some other process tries to use it again, Norton will block that process, again.

Things happen. Export/Backup your Identity Safe data.
Kudos0

Re: Has Norton Security blocked my svchost.exe?

A word from Norton will be greatly appreciated. BTW, as from yesteday, I have received no further notification, 

Kudos0

Re: Has Norton Security blocked my svchost.exe?

Hi I´m Dan!

I had this sonarwarning on SONAR.suspPE!gen8. It came after installing Google Chrome. I needed that to use Chromecast. I uninstalled Google Chrome and the warning and effects of the virus has not come back. It even disappeared in the Sonar warning window in Norton Security. It´s like magic. I don´t know for sure if its gone for good, but hope so. Before uninstalling Google Chrome the computer stopped working a couple of times and I had to reset to an earlier  date. Maybe this can be of any help. The download of Google Chrome was not done by me. It could have been fetched not from Google. Thank you. A good place this, to share thoughts. /Dan

Kudos0

Re: Has Norton Security blocked my svchost.exe?

I didn't do anything additional to svchost when I got this message. I checked my options, because I was concerned, but the most I did was tell Norton to "continue blocking the behavior".

I assume you have to do something more to block svchost entirely, and it will be allowed to do other things so long as Sonar doesn't find it suspicious?

Kudos1 Stats

Re: Has Norton Security blocked my svchost.exe?

If I had to guess, Sonar's attempts to predict threats found something off about the latest version of Chrome, or more specifically, its latest updater. This doesn't necessarily mean there is something malicious about it. The latest stable build of Chrome was released on the 4th, however, which means it fits the timeline.

Basically, I think the latest updater for Chrome tried to do something Sonar found odd.

I doubt it was something actually malicious, given the number of people who seem to have gotten this message at seemingly random moments. I have Norton, individually select which websites to allow javascript, don't allow flash, make browsers always ask where to save things, tenaciously keep my OS up to date, and very, very rarely add new programs or browser add-ons.

I don't think myself invulnerable, but for me, everyone here, and presumably more who don't post to have gotten this seems like it would have to be something major that can attack without any unsafe behavior on the part of the user. I think it more likely the latest Chrome updater, or Sonar definitions, or both had an error.

Kudos0

Re: Has Norton Security blocked my svchost.exe?

Archie12:

If I had to guess, Sonar's attempts to predict threats found something off about the latest version of Chrome, or more specifically, its latest updater. This doesn't necessarily mean there is something malicious about it. The latest stable build of Chrome was released on the 4th, however, which means it fits the timeline.

Basically, I think the latest updater for Chrome tried to do something Sonar found odd.

I doubt it was something actually malicious, given the number of people who seem to have gotten this message at seemingly random moments. I have Norton, individually select which websites to allow javascript, don't allow flash, make browsers always ask where to save things, tenaciously keep my OS up to date, and very, very rarely add new programs or browser add-ons.

I don't think myself invulnerable, but for me, everyone here, and presumably more who don't post to have gotten this seems like it would have to be something major that can attack without any unsafe behavior on the part of the user. I think it more likely the latest Chrome updater, or Sonar definitions, or both had an error.

Again, further checking of my PC supports this suggestion.   As per my previous post, my logs show the IPS statistical submission relating to googleupdate.exe 12 secs after the SONAR detection, and I've now found, looking in C:\ Program Files (x86), that the folder for the latest build of Chrome was created just over a minute later.

It would be interesting to know if any of those who have reported this problem are not Chrome users. 

Kudos1 Stats

Re: Has Norton Security blocked my svchost.exe?

win764bit, ns22.11.2.7, all programs up to date. this sonar detection occurred while i was manually updating chrome. my ips log shows chrome ddl instead of update.exe. also,after getting microsoft notification that update available for download (kb4056894  231.4mb) the checkbox was unticked. i looked at optional updates and all of those boxes were were unticked.. one other poster stated he was having trouble getting windows update to work. i don't know if i have that problem, i was thinking microsoft just pulled the update. also, does 231.4 mb seem large for this update? thanks

Kudos0

Re: Has Norton Security blocked my svchost.exe?

amdamonte:

A word from Norton will be greatly appreciated. BTW, as from yesteday, I have received no further notification, 

Employee Sunil_GA did reply to this thread.  https://community.norton.com/en/comment/7774731#comment-7774731

He will be back to work after the weekend, and hopefully we can get an update.

Things happen. Export/Backup your Identity Safe data.
Kudos0

Re: Has Norton Security blocked my svchost.exe?

Having same issue.  Log File zip included for review.

Kudos0

Re: Has Norton Security blocked my svchost.exe?

peterweb: I don't think it's that simple. When I got the alert from Norton I looked for the file in system 32 and found it there unaltered from the day the OS was installed. Because it was a Windows file of long standing I left it alone; I closed the Norton alert window without telling it to do anything. If it did anything it did so of its own volition. However since then there has not been a single instance of an svchost service running; normally there are one to several instances at any one time.
G
Kudos0

Re: Has Norton Security blocked my svchost.exe?

In my case, the SONAR.suspPE!gen8 alert I received (on Jan 4, 2018) was NOT RELATED to either windows update or Chrome (googleupdate). I have only received one alert ... it has not repeated since Jan 4.

The last set of Windows Updates I performed was on December 24, 2017 (the December Windows 7 Updates). I have my Windows 7 Update set to Never Install ... so I can rule out Windows 7 doing an auto update in the background.

I do use the Chrome browser. But it was closed when I received the SONAR.suspPE!gen8 alert.

However, just prior to receiving the SONAR.suspPE!gen8 alert, I had installed and updated TurboTax.

I have attached a screen shot of my log (a JPG within a ZIP) showing log events of the installation and update of TurboTax just prior to the SONAR.suspPE!gen8 alert ... and no mention of googleupdate in the log events immediately after the SONAR.suspPE!gen8 alert.

I suspect that Symantec may have recently adjusted the heuristics for SONAR.suspPE!gen8, making its suspicious behavior pattern a bit too broad and prone to false positives. Now, various other users are receiving alerts (when svchost is running).

But of course I can only guess.

We need a DEFINITIVE statement from Symantec as to whether or not the recent SONAR.suspPE!gen8 alerts being reported here are false positives or real attacks ... and what to do if the user has inadvertently blocked svchost.exe

File Attachment: 
Kudos1 Stats

Re: Has Norton Security blocked my svchost.exe?

I believe what some may be missing here is that it is not the actual file svchost.exe that is the problem. Some program or process that uses that Windows file did something that Norton's behavior detection feature flagged as suspicious/malicious. svchost.exe is just a tool that is used by many programs and processes. Here is some information from HowtoGeeks on svchost.exe that might help users understand what it is and does. 

The bottom line here seems to be that some process, possibly a Google Chrome update as reported a few times here, was using svchost and did something that Norton detected as suspicious behavior. That particular process was blocked, so Norton did its job and protected us. 

Things happen. Export/Backup your Identity Safe data.
Kudos0

Re: Has Norton Security blocked my svchost.exe?

I am new to Norton and I am wondering if I have gone the wrong way?... My computer has slowed and is glitching and now this with no response from Norton?.... Hmmmm... I had concerns when speaking to a Norton Customer service person in Mumbai?.... I ran Avast pro for yerars with no issues like this... One week and my frustration levels have risen

Kudos0

Re: Has Norton Security blocked my svchost.exe?

Thank you peterweb, for some useful information on what to do about this. I appreciate the step-by-step instructions!

Kudos0

Re: Has Norton Security blocked my svchost.exe?

Same problem for me today- but only on one of two PCs- Norton on both updated.

Is it related to Jan 2018 Windows update Multiple reports of blue screens (BSODs) 0X000000C4 when installing the January Win7 Monthly Rollup KB 4056894 and issues with A/V prorams as documented at -

https://www.askwoody.com/2018/multiple-reports-of-blue-screens-bsods-0x0...

What if my system needs this scvhost.exe that Norton is blocking?

SONAR.SuspPE!gen8 very low risk from August 2017- why suddenly blocking now scvhost.exe file installed in 2014.

Kudos0

Re: Has Norton Security blocked my svchost.exe?

I suspect Norton is preventing Windows Update from checking for new updates by blocking svchost.exe,

could also have been triggered by Firefox update minutes before alert blocking svchost.exe.

Kudos0

Re: Has Norton Security blocked my svchost.exe?

Hello 

Same issue. Occurred 1/8/18 7.51

Fájlnév: svchost.exe
Fenyegetés neve: SONAR.SuspPE!gen8Teljes útvonal: c:\windows\system32\svchost.exe

____________________________

____________________________


Számítógépek a következő dátum szerint: 
2018. 01. 07. – 14:13:33

Utoljára használt 
2018. 01. 08. – 7:51:01

Indítási elem 
Igen

Indítva 
Igen

A SONAR védelem figyeli a gyanús programtevékenységet a számítógépen.

____________________________


svchost.exe Fenyegetés neve: SONAR.SuspPE!gen8
Hely


Sok felhasználó
A Norton Community több millió felhasználója használta ezt a fájlt.

Régi
Ez a fájl 3 hónapja jelent meg.

Magas
Ennek a fájlnak a kockázata magas.


____________________________


Forrás: Külső média


____________________________


Fájl ujjlenyomata – SHA:
Nem érhető el
Fájl ujjlenyomata – MD5:
Nem érhető el
 

Kudos0

Re: Has Norton Security blocked my svchost.exe?

This is a reply to https://community.norton.com/en/comment/7777981#comment-7777981 I'm seeing reports that KB4056894 causes BSOD's on systems with an AMD-processor. On https://www.askwoody.com/forums/topic/multiple-reports-of-blue-screens-b.... This contributor (https://www.askwoody.com/forums/topic/multiple-reports-of-blue-screens-b...) says he sees the update unchecked on his AMD-system, checked on his Intel-system. Usually best practice is: if Microsoft serves an unchecked item, do not install. It usually is fixed in a few days and the update will be offered as checked again.
Kudos0

Re: Has Norton Security blocked my svchost.exe?

Updates and updates... Some people here or probably most of them didn't install or update anything and having this issue aswell. So I'm pretty sure it's not a problem with update. 

Kudos0

Re: Has Norton Security blocked my svchost.exe?

The last few posts here referring to the MS KB articles about BSOD have nothing to do with the issue in this thread. The svchost.exe being blocked did not cause a BSOD.

Things happen. Export/Backup your Identity Safe data.
Kudos0

Re: Has Norton Security blocked my svchost.exe?

Hello

First apologize,I'm Japanish so my English is not good.

In Japan this topic has not received much attention, so I thought that this is better.

My  parents PC has same things happend.

After the warning, the Outlook Asked for mail server and password when reseive mail.

But I can't receive it even if I input it. (my  parents are using Yahoo mail)

And this is inprove after signin to Yahoo by Internet browther ,but Norton's Warning is repeat after a while.

I think the Outlook use the scvhost.exe when connent to mailserver, and this action is blocked by Norton.

(It is a guess.)

Since there was nothing related to e-mail in the report of others, I wrote.

If you do not understand the meaning due to translation mistake, please give me a question by replying.

I wish this repot is will help solve the problem.

(My  parents call me SOS when every time Norton is warnig....)

Kudos0

Re: Has Norton Security blocked my svchost.exe?

Sorry Peter, you are right. I tried to reply to someone in this thread who asked about the Windows update not being checked ( https://community.norton.com/en/comment/7777981#comment-7777981 ) - the BSOD-issue might be why the updates are unchecked - but my reply did not get attached to that post, but was placed as a general reply. Which it wasn't, it was specifically for the comment 7777981. I cannot remove my earlier post. If you can, please do.

Kudos0

Re: Has Norton Security blocked my svchost.exe?

I had this message only once on January 6 (1 hour after windows updates, if it mattes) and I run Win 7 x64.

But it is a shame we are waiting for a feedback from Norton so many days. A weekend is not an excuse - an antivirus company must work 24/7 and they have to inform the customers - do we have a false positive alarm or our systems were (or even is) in trouble or give us another explanation.

Kudos0

Re: Has Norton Security blocked my svchost.exe?

Hi this happened to me as well. On Jan 4th, I started up my laptop and that Norton warning message popped up. The only thing I did differently that day, was update itunes. On Fri. Jan 5, that message came up again upon starting up my laptop. But then Microsoft had an update, so I updated my computer and since then, that Norton warning has not popped up again. BTW, I am also on Chrome and I run Windows 7

Kudos0

Re: Has Norton Security blocked my svchost.exe?

Wrote yesterday that the problem with SONAR.SuspPE!gen8 dissapeared when I uninstalled Google Chrome. That was overoptimistic. The block returned late recent night. In all three cases it appears to come up when i take a longer rest from the computer. Like it comes when the computer go into ”rest” or hibernation mode. Each time I have to make a reset back to an earlier date. Then it works again but of course the Google Chrome also comes back when I reset. Så I uninstalls it again. But now Nortons Sonar do not react at all. It´s all ”green” there. If I shut down the PC before it blocks the PC, it starts normally again and the ”block” does not come back.

 Now I have stopped the PC to go into hibernation or ”rest”. It has not come back this far and the PC has been on for the whole day. Well I can not be sure if it´s gone. Maybe it just can use one way to start.

Kudos0

Re: Has Norton Security blocked my svchost.exe?

The silence from Norton is deafening. You'd think by now, with this many posts, someone from Norton would at least give some kind of update besides the one made on Jan 5 by Sunil. 

Kudos0

Re: Has Norton Security blocked my svchost.exe?

Spleenie, I am suspecting that it may be related to the Windows 10 update. I updated my PC today with the latest version, which took forever, and at the end, I was instructed to restart. A few hours later, when I got back on the computer, I saw Norton had an urgent message about SONAR.SuspPE!gen8 and it had it marked as High risk. I followed it's prompt (Norton) to see details and it located to the svchost.exe in 32. 

Kudos0

Re: Has Norton Security blocked my svchost.exe?

I just got this error too, and this thread was the first thing that popped up. I haven't noticed any marked difference in performance as yet, but will update changes. Windows 10. I don't use Chrome; Firefox doesn't seem to have any issues, though the error may have been triggered by Firefox's suggested update.

For those of you whose performance is slow upon installing Norton: have you turned off all other internet security? I know that might be basic, but it's good to check. If you run Avast and Norton at the same time, for example, it will reeeeally slow your processing down.

Kudos0

Re: Has Norton Security blocked my svchost.exe?

I received this same error message today. I would like to know if I need to do something with this. The reply from Sunil on the 5th was vague. Any further news or words from Norton would be appreciated. 

Filename: svchost.exe
Threat name: SONAR.SuspPE!gen8Full Path: c:\windows\system32\svchost.exe

____________________________

____________________________


On computers as of 
10/24/17 at 8:23:28 PM

Last Used 
1/8/18 at 7:34:47 PM

Startup Item 
Yes

Launched 
Yes

SONAR Protection monitors for suspicious program activity on your computer.


____________________________


svchost.exe Threat name: SONAR.SuspPE!gen8
Locate


Many Users
Hundreds of thousands of users in the Norton Community have used this file.

Mature
This file was released 3 months ago.

High
This file risk is high.


____________________________


Source: External Media


____________________________


File Thumbprint - SHA:
Not available
File Thumbprint - MD5:
Not available
 

Kudos0

Re: Has Norton Security blocked my svchost.exe?

so i got this exact same thing today. located the file and took me to svchost.exe. From what ive seen in the comments, dont block it and just leave it alone? 

Kudos0

Re: Has Norton Security blocked my svchost.exe?

Prese, Norton, WAKE UP!
Kudos0

Re: Has Norton Security blocked my svchost.exe?

Got this same warning tonight. I was opening MS WORD. MS will not start now...and I need it.

Filename: svchost.exe
Threat name: SONAR.SuspPE!gen8Full Path: c:\windows\system32\svchost.exe

____________________________

On computers as of 
5/11/2014 at 1:02:13 PM

Last Used 
9/01/2018 at 8:36:46 PM

Startup Item 
Yes

Launched 
Yes

SONAR Protection monitors for suspicious program activity on your computer.


____________________________


svchost.exe Threat name: SONAR.SuspPE!gen8
Locate


Many Users
Millions of users in the Norton Community have used this file.

Mature
This file was released 8 years 5 months ago.

High
This file risk is high.


____________________________


Source: External Media


____________________________


File Thumbprint - SHA:
Not available
File Thumbprint - MD5:
Not available
 

Kudos0

Re: Has Norton Security blocked my svchost.exe?

It was "Please (not prese) Norton, WAKE UP! 

BTW, no traces of svchost.exe found in Process / Services when accessed as user. Svchost.exe was present when logged as administrator. Everything seems working with no problem. Last Windows update is KB4056894 (Win7). There are more recent updates not downloaded because svchost.exe block?

Kudos0

Re: Has Norton Security blocked my svchost.exe?

Last Windows update is KB4056894 (Win7)

 That is the only "important" update I received so far 

Windows 7 HP SP1 32-bit | Chrome 63.0.3239.132 | NS 22.11.2.7
Kudos0

Re: Has Norton Security blocked my svchost.exe?

Same problem here, I received it today without doing or launching anything. Just opened my laptop and 2 seconds later it gave me the svchost blocked notification.
Really hope we can expect an update about this soon! :)

Kudos0

Re: Has Norton Security blocked my svchost.exe?

Hi Sunil, any news on this issue yet?

Kudos0

Re: Has Norton Security blocked my svchost.exe?

UK here - 9th Jan - no idea how SONAR SuspPEgen8 ended up on my machine - recently updated windows and also ran Intel Management Consul test to see if machine was affected by Intel bug identified in November - apparently machine not vulnerable so no idea where it came from and how it installed itself on my machine 

Kudos0

Re: Has Norton Security blocked my svchost.exe?

Hi! I found out that in Win update, the big januari update kb4056892 was waiting for a restart. Even though i had started my PC a couple of times before. So in Win update I clicked for a restart. Everything seem to work well. When the download ”meter” showed 30 % it suddenly restarted. But before it should open the startwindow a black window with a small blue Windows flag came up. Then it was blocked or ”frozen” and did not react at all. Not even ctrl+alt+delete worked. The only thing I could do was to do a reset. So I did, and it worked again. Now I downloaded the update as a standalone file and began to install it. Thought that maybe there is some difference from the one I had in Win update. No – same thing happened. Now I begin to think the problem with the virus in the svchost-file and the ”freeze” on my PC may be two different things. The virus may have come with Google Chrome and the ”freeze” is caused by something in the update. Thank You!

Kudos0

Re: Has Norton Security blocked my svchost.exe?

Can you run power eraser with rootkit scan checked?  Norton security immediately quarantined SONARSuspPE!gen8 so machine not compromised thankfully - full system scan revealed nothing amiss - maybe reboot in safe mode and run power eraser specifically to eliminate this bug?

Kudos1 Stats

Re: Has Norton Security blocked my svchost.exe?

Lets get some tumbleweed onto this thread please - 
because it looks like NORTON are not bothering to get someone over here to answer the many concerned customers who - like me - are not sure what action to take. I am still using windows 8.1 because i work a lot in adobe Photoshop C3 and if i update, the software is busted ( am not updating to their creative cloud based rip-off subscription model).
 I have notices a few glitches since this warning, some software isn't always responding to mouse clicks. It could have nothing to do with this block, but i am not tech savvy enough to know otherwise.

 

Kudos0

Re: Has Norton Security blocked my svchost.exe?

Realized a few days ago that Windows Update not offering me any updates (set to ask me first) - The Fix meant I had to change the date on my machine back to end Nov then update then reset and update again - no probs but suddenly this SONAR bug appears - I asked Norton Rep was it connected to Meltdown or Spectre but the guy said no

Kudos3 Stats

Re: Has Norton Security blocked my svchost.exe?

Hi Everyone,

Thanks for reporting in Norton Community Forums. We are aware about "Norton blocking svchost.exe as threat SONAR.SuspPE!gen8" issue and team looking into it. We will update thread once we have more information. 

Sunil_GA | Norton Forums Administrator | Symantec Corporation
Kudos0

Re: Has Norton Security blocked my svchost.exe?

"From DOS to Windows10 what a journey it has been" Windows 10 Professional x 64 Fall Creators Update version 1709 / build 16299.194 / NSBU 22.11.2.7 Traditional / Norton BETA tester
Kudos0

Re: Has Norton Security blocked my svchost.exe?

Yeah, I saw that when the alert came up and I asked for more information. My question is what the heck does it mean? Should we be trying to remove it? When you ask for a location it directs you to svchost.exe

~ Freelance Web Developer & Photoshop Guru Dual Display - Gateway DX4300, AMD Phenom II x4 820 @ 2.80 GHz, 6.0 GB RAM, ATI Radeon HD 5450Win7 (x64) * Firefox 21* IE 10 * NIS 2013 v. 20.4.0.40
Kudos0

Re: Has Norton Security blocked my svchost.exe?

I have same problem with a kicker.  I started a Full scan, laptop went to sleep, very unstable trying to start Windows, may be running in background, blank screen.  PITA

Kudos0

Re: Has Norton Security blocked my svchost.exe?

Norton Tech guy assured me this has nothing to do with Meltdown or Spectre FYI although tbh he also wasn't aware that this is an issue being faced by many users

Kudos0

Re: Has Norton Security blocked my svchost.exe?

It would not surprise me if this indirectly had to do with Meltdown or Spectre. Both Norton and Microsoft are taking steps to protect our systems, which means significant changes on two fronts at the same time on a multitude of systems with wildly varying configurations, software, and hardware. Add in that Norton tries to predict threats and will take action if it thinks it's found one, and it's a recipe for warnings and bugs.

This does mean there is an issue even if the cause is not malicious, because it means Sonar is reacting to something it shouldn't be. There is something for Norton to correct either way. If that is the case, my hope is updated definitions or a patch will automatically correct matters.

My suspicion at this point, based on this thread, the many various scans others have done, and the time it's taken, is that it is an issue with the service that tries to predict threats, and not something malicious. I include the time it's taken because I think something malicious would raise more red flags and point more quickly to a culprit, while an error can be a needle in a haystack of ever-evolving antiviral code with elusive and difficult to replicate triggers.

Though, obviously, I don't know anything with certainty.