This forum thread needs a solution.
Kudos5 Stats

Has Norton Security blocked my svchost.exe?

Today I received the following notification from Norton Security: “We have identified a program that does not work as expected on your computer. This program has been blocked.”

The threat level is High and the name of the threat is SONAR.SuspPE!gen8. However, the problem is that the file mentioned is svchost.exe, a Windows system file without which I don’t think my computer will work very well. I can still see svchost.exe in C:\Windows\System32 so at least that file hasn’t been put in quarantine.

Can anyone tell me what ramifications the above message actually has? Has NS just blocked the activity caused by the SuspPE!gen8 threat, or has it blocked svchost.exe altogether? For now I'm almost afraid to shut off my computer, not knowing if it will boot up again.

Replies

Kudos0

Re: Has Norton Security blocked my svchost.exe?

All: svchost was born into the Windows NT family of OS's as a way for multiple system processes to execute .dll files which natively cannot be executed within Windows in the way .exe files are. Thus not killing system resources. Another process utilizing the "shell" svchost provides could indeed be the culprit of detection. Using the system Event Viewer should tell where the warning came from with better info.

I would run NPE from inside your dashboard and allow it to try and "re-discover" the issue and hopefully catch the process that is the culprit. Another way to discover a possible culprit would be to get the SysInternals Suite from Microsoft (Free), run "procexp.32 / 64" depending on your OS. You can view all running processes from the UI that appears. TCPview within the suite is also a handy tool to view connections as they appear and drop off on the system.

https://docs.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite

Cheers

Retired military (Navy 1980-2002) "From DOS to Windows10 what a journey it has been" / MS Certified Professional / Windows 10 Professional x 64 version 1803 / build 17134.167 / NSBU 22.14.2.13 / Norton Core v.237 / Norton BETA tester
Kudos0

Re: Has Norton Security blocked my svchost.exe?

I have got the same message detection regarding SONAR.SuspPE!gen8  - I am running Windows 7

just thought I'd mention it

Kudos0

Re: Has Norton Security blocked my svchost.exe?

Got this message from Norton on 09/01/2018 around seven in the evening

Kudos0

Re: Has Norton Security blocked my svchost.exe?

When I received the SONAR.SuspPE!gen8 alert, I checked my Norton Security logs, and there was nothing suspicious either immediately before or after the SONAR.SuspPE!gen8 alert.

However, I just checked my system's (Win 7) Event Viewer, and found that 28 seconds before I received the SONAR.SuspPE!gen8 alert, this entry was in the Windows Log > System section:

The Google Update Service (gupdate) service entered the running state.

I clicked on "details" and saw this ...

 EventData

  param1 Google Update Service (gupdate)
  param2 running
   67007500700064006100740065002F0034000000

Given that several other posters in this thread have mentioned Google Update as a possible cause of the SONAR.SuspPE!gen8 alert ... perhaps that is a good place for the developers to start their investigation.

Those who have posted in this thread:   if you are familiar with the Windows Event Viewer, then get the exact date/time of your SONAR.SuspPE!gen8 alert (from the Norton Security Log), and then open the Windows Event Viewer and check the Windows Log > System section to see what event(s) occurred just prior to the SONAR.SuspPE!gen8 alert.
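The check suggested in the post above, as an added example that is not part of the original post: it lists System-log events in the window before an alert time and decodes the hex value shown under EventData, which is UTF-16LE text holding the service's short name and a state code. The timestamps, the other log entries, the function names and the state-code table (taken from the Win32 service state constants) are assumptions; only the gupdate message and the hex value come from the post.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"
GUPDATE_HEX = "67007500700064006100740065002F0034000000"  # hex value from the post

# Constructed sample of exported System-log records:
# (timestamp, source, message, binary data as hex). Times are made up.
SYSTEM_EVENTS = [
    ("2018-01-09 18:55:05", "Service Control Manager",
     "The Windows Update service entered the running state.", ""),
    ("2018-01-09 19:00:00", "Service Control Manager",
     "The Google Update Service (gupdate) service entered the running state.",
     GUPDATE_HEX),
    ("2018-01-09 19:00:45", "Service Control Manager",
     "The Google Update Service (gupdate) service entered the stopped state.", ""),
]

# Assumption: the numeric code follows the Win32 service state constants.
SERVICE_STATES = {1: "stopped", 2: "start pending", 3: "stop pending",
                  4: "running", 5: "continue pending", 6: "pause pending",
                  7: "paused"}

def decode_scm_payload(hex_data):
    """Decode a UTF-16LE 'shortname/state' payload into (name, state)."""
    text = bytes.fromhex(hex_data).decode("utf-16-le").rstrip("\x00")
    name, _, code = text.partition("/")
    state = SERVICE_STATES.get(int(code), "unknown") if code.isdigit() else "unknown"
    return name, state

def events_before(alert_time, events, window_seconds=60):
    """Return events logged within window_seconds before the alert, closest first."""
    alert = datetime.strptime(alert_time, FMT)
    start = alert - timedelta(seconds=window_seconds)
    hits = []
    for stamp, _source, message, hex_data in events:
        when = datetime.strptime(stamp, FMT)
        if start <= when <= alert:  # events after the alert are ignored
            service = decode_scm_payload(hex_data) if hex_data else None
            hits.append(((alert - when).total_seconds(), message, service))
    return sorted(hits, key=lambda hit: hit[0])

if __name__ == "__main__":
    # Constructed alert time, 28 seconds after the gupdate entry.
    for gap, message, service in events_before("2018-01-09 19:00:28", SYSTEM_EVENTS):
        print(f"{gap:>5.0f}s before alert: {message} {service}")
```

Replace the sample records with entries exported from Event Viewer and the alert time with the one from the Norton Security log.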

Kudos0

Re: Has Norton Security blocked my svchost.exe?

Same notice as the others. Windows 10 64bit.  Norton blocked svchost.exe  SONAR.SuspPE!gen8   Seems to have started with Windows update. Notice occurs at start up. Recent history uploaded.

Kudos0

Re: Has Norton Security blocked my svchost.exe?

Greetings All,

Just woke my laptop (09 JAN 18) and received the same notification from Norton Security and Backup (latest version). I was last on the laptop on 07 JAN 18 and have not installed any new software/apps or received any updates. The only activity that would be close is an uninstall of Sony PlayMemories Home that has been on this laptop for 13 months.

I have searched for a reply from a Symantec/Norton employee moderator but did not find any. Does any other poster have additional information, either from this Forum or elsewhere?

In just under two years of use on this laptop, I have only one other notification. I only use my laptop for Bible Study/Research, News, Sports, and Ancestry/Genealogy research. Of course, after 30+ years of personal computing, I am overly cautious of any websites, program downloads, and never open emails from strangers, therefore this notification concerns me.

System Info: OS: Windows 8.1 v.6.3 (Build 9600), Processor: Intel® Core™ i7-4720HQ CPU @ 2.60Hz, RAM: 16.0 GB, System Type: 64-bit

Regards,

Eddy

Filename: svchost.exe
Threat name: SONAR.SuspPE!gen8
Full Path: c:\windows\system32\svchost.exe

____________________________

____________________________

On computers as of 
24-Dec-15 at 22:00:38

Last Used 
09-Jan-18 at 14:46:02

Startup Item 
Yes

Launched 
Yes

SONAR Protection monitors for suspicious program activity on your computer.

____________________________

svchost.exe Threat name: SONAR.SuspPE!gen8
Locate

Many Users
Millions of users in the Norton Community have used this file.

Mature
This file was released 3 years 2 months ago.

High
This file risk is high.

____________________________

Source: External Media
____________________________

File Thumbprint - SHA:
Not available
File Thumbprint - MD5:
Not available
 

Kudos0

Re: Has Norton Security blocked my svchost.exe?

I have searched for a reply from a Symantec/Norton employee moderator but did not find any.

If you look about 10 posts up from yours you will see an update from Employee Sunil_GA from this morning.

Things happen. Export/Backup your Identity Safe data.
Kudos0

Re: Has Norton Security blocked my svchost.exe?

Thank you Peterweb. I am on my laptop now and it is easier to see the small area with the different pages (1 2 3) to navigate to.

Kudos0

Re: Has Norton Security blocked my svchost.exe?

Hello.
Norton blocks svchost, which also blocks my Microsoft Office Starter (2010).
DO SOMETHING please.

Kudos0

Re: Has Norton Security blocked my svchost.exe?

I had the same problem this evening. Running Win 7 Pro 64 bit, fully updated.

Before the error message popped up, I had just opened Chrome.

I agree with others here - it would really be more helpful if the message didn't just identify svchost.exe, but the actual process that triggered the alert.

Filename: svchost.exe
Threat name: SONAR.SuspPE!gen8
Full Path: c:\windows\system32\svchost.exe

____________________________

____________________________


On computers as of 
8/20/2017 at 12:59:13 AM

Last Used 
1/9/2018 at 10:40:59 PM

Startup Item 
Yes

Launched 
Yes

SONAR Protection monitors for suspicious program activity on your computer.


____________________________


svchost.exe Threat name: SONAR.SuspPE!gen8
Locate


Many Users
Millions of users in the Norton Community have used this file.

Mature
This file was released 8 years 5 months ago.

High
This file risk is high.


____________________________


Source: External Media


____________________________


File Thumbprint - SHA:
Not available
File Thumbprint - MD5:
Not available
 

Kudos0

Re: Has Norton Security blocked my svchost.exe?

Hello, I had the same alert on my laptop tonight after I updated January Win10 1709 CU. That file SONAR.SuspPE!gen8 was High Risk and blocked by Norton. Also got a caution alert that Spooler SubSystem App does not have proper digital signature right before Google Chrome updated and right after getting the SONAR alert. I don't know what that means? Default action allowed it because I didn't know it was on a timer for default to kick in. I'm running Win10 1709 Home Edition NSwBU. This is over my head! Maybe related to SONAR block or Chrome updater... I don't know. Scans finding no threats.

Kudos0

Re: Has Norton Security blocked my svchost.exe?

If you believe this really is a case of false positive, it can be submitted to Symantec. https://support.norton.com/sp/en/us/home/current/solutions/kb20100222230... (info); https://submit.symantec.com/false_positive/ (submit-form). I really hope there will be an answer soon; it is almost a week now since first posts emerged.
Kudos0

Re: Has Norton Security blocked my svchost.exe?

I did a full system scan and it only found a handful of tracking cookies. 15 to be exact and No, I did not restrict any folders. Proof in point  being; I tend to do a lot of 3d art with Daz Studio and that involves a lot of content files. Normally I tell it to skip those but I forgot to this time and it even scanned the CD Rom I had in my D drive and an external HD I had on my E drive. It literally scanned everything on, in, and connected to my PC and came up empty handed.

~ Freelance Web Developer & Photoshop Guru Dual Display - Gateway DX4300, AMD Phenom II x4 820 @ 2.80 GHz, 6.0 GB RAM, ATI Radeon HD 5450 * Win7 (x64) * Firefox 21 * IE 10 * NIS 2013 v. 20.4.0.40
Kudos0

Re: Has Norton Security blocked my svchost.exe?

I also encountered this same Sonar alert two nights ago, but it seems to have been a one-off - at the time I had woken the laptop from sleep and it appeared within 2/3 minutes. I have checked Windows logs and there doesn't appear to be any event that triggered it. My machine is Windows 10 with latest updates.

Ran live update, full system scan and Norton Power Eraser - all clear.

Here is the log below: 

Filename: svchost.exe

Threat name: SONAR.SuspPE!gen8

Full Path: c:\windows\system32\svchost.exe

____________________________

____________________________

On computers as of 

06/12/2017 at 23:40:36

Last Used 

09/01/2018 at 22:14:23

Startup Item 

Yes

Launched 

Yes

SONAR Protection monitors for suspicious program activity on your computer.

____________________________

svchost.exe Threat name: SONAR.SuspPE!gen8

Locate

Many Users

Millions of users in the Norton Community have used this file.

Mature

This file was released 3 months ago.

High

This file risk is high.

____________________________

Source: External Media

___________________________

File Thumbprint - SHA:

Not available

File Thumbprint - MD5:

Not available

* I'm not sure this is relevant but it states "external media" as the source - at the time I did not have anything (USB) etc connected

Kudos1 Stats

Re: Has Norton Security blocked my svchost.exe?

This afternoon, I filed a "false positive" report about the SONAR.SuspPE!gen8 alert using this link:

https://submit.symantec.com/false_positive/

Approximately 5 hours later I received the following reply (confirming that the SONAR.SuspPE!gen8 alert we all here have received is a false positive):

=================================

In relation to submission 67551.

Upon further analysis and investigation we have verified your submission and as such this detection will be removed from our products.

The updated detection will be distributed in the next set of virus definitions, available via LiveUpdate or from our website at https://www.symantec.com/security_response/definitions.jsp

Please note that whitelisting can take up to 24 hours to take effect.

Decisions made by Symantec are subject to change if alterations to the Software are made over time or as classification criteria and/or the policy employed by Symantec changes over time to address the evolving landscape.

For more information on best practices to reduce false positives:
https://www.symantec.com/content/en/us/enterprise/white_papers/b-to_increase_downloads-instill_trust_first_WP.en-us.pdf

Sincerely,
Symantec Security Response

============================

This thread has been open for FIVE DAYS and we still have not received a definitive reply from Symantec.  

Why is that??????

Kudos1 Stats

Re: Has Norton Security blocked my svchost.exe?

Hi Everyone,

Thanks for the details and logs provided for the investigation. 

We have checked & corrected the threat signatures causing this false detection. Please run LiveUpdate to have latest definitions and let us know if you encounter this issue again. 

Sunil_GA | Norton Forums Administrator | Symantec Corporation
Kudos0

Re: Has Norton Security blocked my svchost.exe?

Sunil_GA,

Thank you for that information. One more question. What about the entry in History, Resolved Security Risks, that still shows this as being blocked. Does anything have to be done to correct that? If it entails allowing it, then maybe Norton should put out a script that does this for us as many people don't read this forum and would be unaware there is no problem.

Thanks again.

Kudos0

Re: Has Norton Security blocked my svchost.exe?

Your resolved History listing is not going to change. That is just a log entry for something that has already happened.

What the update should do is just stop this particular detection next time the exact same circumstances present themselves on your system.

Things happen. Export/Backup your Identity Safe data.
Kudos0

Re: Has Norton Security blocked my svchost.exe?

@peterweb.... thanks. I thought since there was an option there to continue blocking or to allow it might be where something was needed to fully correct the issue if it still said to continue blocking.

This thread is closed from further comment. Please visit the forum to start a new thread.