Saturday, 14 March 2015

Svchost.exe *32 Malware Virus?

svchost.exe *32 - legit? I was looking in my task manager when I noticed "svchost.exe *32" listed in the processes. I did some googling, but I'm getting some mixed signals - it is the name of a virus, but it's also the name of a legit file... maybe. I've seen some sources saying that svchost.exe should only be found in the System32 folder, but others saying an svchost.exe can be legitimate if it's found in the SysWOW64 folder, which is where the one I found is (apparently that would account for the "*32"). I've seen some references to a svchost.exe in the SysWOW64 folder on Microsoft's official website, but mostly in question-and-answer things talking about the virus - I haven't found a straight-up "This is legitimate/This is always a virus" there. And there's Wikipedia ("Its executable image, %SystemRoot%\System32\Svchost.exe or %SystemRoot%\SysWOW64\Svchost.exe (for 32-bit services running on 64-bit systems)...") but, you know, Wikipedia...

Can an svchost.exe in SysWOW64 be legitimate, or is it always a virus?

It can be legitimate. If you're still concerned, run the version you found through Jotti's malware scan:

The "%SystemRoot%\System32\svchost.exe" (lower case s) executable is a well known Windows system executable that runs system services, which are background processes that do various things. Some like RPC are needed for Windows to run! In UNIX they're called "daemons". As you can see, I have a little familiarity with them!

In 64-bit Windows there's no "System64" subdirectory, so the native 64-bit service launcher is located in the "System32" subdirectory, and the 32-bit thunking launcher for 32-bit services resides in the "SysWOW64" subdirectory. The 64-bit Windows on Windows subsystem performs the same sort of thunking functions that 32-bit WOW did for 16-bit DOS and Windows executables.

A well run 64-bit Windows system shouldn't have any old 32-bit service DLLs loaded; they should be upgraded to 64-bit versions or replaced with newer 64-bit software that can perform the same function. Since you didn't mention what the 32-bit service host was loading, that's about all I can tell you.

It should be a legitimate version, but since the WOW version usually isn't running, I suppose that a malware installer that you give Administrator privilege to could replace it with malware. The only way to know for sure is to use a known-good, trusted virus scanner while Windows is not running to check for signs of infection. If your system is infected, the bad software running as a system service can easily intercept any antivirus software running within Windows.
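The answer above leaves the asker with two things to check: whether the "*32" host is really the one in SysWOW64, and what services it is loading. The following PowerShell script is an added example, not code from the original question or answer, that does that triage on a live 64-bit Windows host. For every running svchost.exe it reports the image path, whether that path is one of the two expected locations (System32 for the native host, SysWOW64 for the 32-bit host), the Authenticode signature status and signer, the parent process (a legitimate svchost.exe is started by services.exe), and the services hosted in that process. It assumes an elevated session so that the paths of all processes are readable; the property and cmdlet names used (Win32_Process, Win32_Service, Get-AuthenticodeSignature) are standard Windows ones.

```powershell
# Added example (not from the original post): triage every running
# svchost.exe on a 64-bit Windows host. Run from an elevated PowerShell
# session so ExecutablePath is readable for all processes.

# The only two locations the answer describes as legitimate.
$expected = @(
    (Join-Path $env:SystemRoot 'System32\svchost.exe'),
    (Join-Path $env:SystemRoot 'SysWOW64\svchost.exe')
)

# Build a ProcessId -> service-name list, so each host can be matched
# to the services it is actually running (the detail the answer asks for).
$svcByPid = @{}
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.ProcessId -gt 0 } |
    ForEach-Object {
        if (-not $svcByPid.ContainsKey($_.ProcessId)) { $svcByPid[$_.ProcessId] = @() }
        $svcByPid[$_.ProcessId] += $_.Name
    }

Get-CimInstance -ClassName Win32_Process -Filter "Name = 'svchost.exe'" |
    ForEach-Object {
        $path      = $_.ExecutablePath
        $pathOk    = $false
        $sigStatus = 'n/a'
        $signer    = 'n/a'

        if ($path) {
            # -contains compares strings case-insensitively, as Windows paths are.
            $pathOk = $expected -contains $path
            $sig = Get-AuthenticodeSignature -FilePath $path
            $sigStatus = $sig.Status
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        }

        # Parent should normally be services.exe; it may already have exited.
        $parent = Get-Process -Id $_.ParentProcessId -ErrorAction SilentlyContinue
        $parentName = if ($parent) { $parent.ProcessName } else { '(exited)' }

        $hosted = if ($svcByPid.ContainsKey($_.ProcessId)) {
            $svcByPid[$_.ProcessId] -join ', '
        } else {
            '(no services registered to this PID)'
        }

        [pscustomobject]@{
            PID          = $_.ProcessId
            Path         = $path
            ExpectedPath = $pathOk
            Signature    = $sigStatus
            Signer       = $signer
            Parent       = $parentName
            Services     = $hosted
        }
    } | Format-Table -AutoSize
```

Rows worth a second look are those where ExpectedPath is False, Signature is not Valid, the parent is not services.exe, or no service is registered to the PID; the built-in `tasklist /svc` gives the same process-to-service mapping without a script. On some older PowerShell versions Get-AuthenticodeSignature can report NotSigned for catalog-signed system files, so treat that status as "verify further" rather than "malicious". As the answer says, this is a live check from inside Windows and can be fooled by software that already runs with system privileges; an offline scan from trusted media remains the definitive test.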
