"svchost.exe (LocalServiceAndNoImpersonation)" - это вирус / троян?

12161
newguy

Looking at the screenshot, you will see that there are two svchost.exe processes.

One is svchost.exe (NetworkService) and the other is svchost.exe (LocalServiceAndNoImpersonation).

svchost.exe (LocalServiceAndNoImpersonation) is active and uses the network only when firefox.exe is active.

0
Have you done any research yourself? schroeder 8 years ago 0

2 answers

4
ner0x652

Some malware often uses a process name of svchost.exe to disguise itself. The original system file svchost.exe is located in C:\Windows\System32. Are those services located somewhere else? If they are, then they are malware.

What is svchost.exe?

svchost.exe is a system process that hosts multiple Windows services or as Microsoft describes: "svchost.exe is a generic host process name for services that run from dynamic-link libraries".

Why are there multiple svchost.exes?

There are multiple instances of this service, because if every single service ran under a single svchost.exe instance, a failure in one might bring down all of Windows, thus they are separated.

You can analyze the services using a tool like Process Explorer and gain more information about their activity.

References: howtogeek

0
Daniel Ruf

No, it is not a virus / malware.

You say it only appears when you open Firefox, there is possibly no malware behind this.

I also have this svchost process running LocalServiceAndNoImpersonation and this PC is clean.

So far LocalServiceAndNoImpersonation is a legit process and is used by Windows AppLocker.

Windows AppLocker is a security feature of Windows.

https://technet.microsoft.com/en-us/library/dd759117.aspx

AppLocker is a new feature in Windows 7 and Windows Server 2008 R2 that allows you to specify which users or groups can run particular applications in your organization based on unique identities of files. If you use AppLocker, you can create rules to allow or deny applications from running.

You can inspect it with ProcessExplorer. https://technet.microsoft.com/sysinternals/bb896653

There should be also the loaded DLL mentioned.

http://www.bleepingcomputer.com/startups/appidsvc.dll-25613.html

A Microsoft Service that is used by AppLocker to determine and verify the identity of an application. Please note that this service is launched by svchost.exe, but the actual application is what is listed as the filename.

This is correct **if** this particular instance is not malware imitating a legitimate service. Checking its location, as ner0x652 suggests, can't hurt. fixer1234 8 years ago 0
Sure, but I am confident that this AppLocker process is legitimate ;-) Daniel Ruf 8 years ago 0
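
An added example, not part of either answer or of the original thread: the location check from the first answer and the hosted-service / loaded-DLL lookup from the second, done from PowerShell instead of Process Explorer. The output column names are this example's own; it assumes an elevated prompt so that the path and command line of every svchost.exe instance are readable.

```powershell
# Added example. Lists every running svchost.exe with its image path,
# its "-k" service group, the services it hosts and their registered ServiceDll.
$expected = Join-Path $env:SystemRoot 'System32\svchost.exe'

Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'" | ForEach-Object {
    $proc = $_

    # Service group from the command line, e.g. "-k LocalServiceAndNoImpersonation"
    $group = if ($proc.CommandLine -match '-k\s+(\S+)') { $Matches[1] } else { '(unknown)' }

    # Location check from the first answer. ExecutablePath is empty when the
    # prompt is not elevated, so report that separately instead of as a mismatch.
    $inSystem32 = if (-not $proc.ExecutablePath) { 'unreadable' }
                  else { $proc.ExecutablePath -eq $expected }   # -eq ignores case

    # Services hosted inside this particular svchost.exe instance
    $services = @(Get-CimInstance Win32_Service -Filter "ProcessId = $($proc.ProcessId)")

    # DLL registered for each hosted service (AppIDSvc -> appidsvc.dll in the
    # second answer); Get-ItemProperty expands %SystemRoot% in the value.
    $dlls = foreach ($svc in $services) {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)\Parameters"
        (Get-ItemProperty -Path $key -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
    }

    [pscustomobject]@{
        ProcessId  = $proc.ProcessId
        Group      = $group
        Path       = $proc.ExecutablePath
        InSystem32 = $inSystem32
        Services   = $services.Name -join ', '
        ServiceDll = ($dlls | Where-Object { $_ }) -join ', '
    }
} | Sort-Object Group, ProcessId | Format-Table -AutoSize -Wrap
```

A row whose `InSystem32` value is `False`, or whose `Services` column is empty, is the one to look at more closely in Process Explorer.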