Hyperwolf122, posted November 13, 2021 (ID:1488195, edited)
Hello! Firstly long time no see on here! So I got a random alert from Windows Defender that it prevented “Svchost.exe” from making changes to a file, is this a false positive or is this genuinely a threat? Windows Defender definitely has the most false positives out of any anti-virus I have used so I’m definitely curious.
Edited November 13, 2021 by Hyperwolf122: Misread

Hyperwolf122 (Author), posted November 13, 2021 (ID:1488197)
Here’s what I mean!

Hyperwolf122 (Author), posted November 13, 2021 (ID:1488198)
Svchost not sychost, my bad lol

kevinf80, posted November 13, 2021 (ID:1488208)
Hiya Hyperwolf122,
Have you recently enabled "Controlled Folder Access"?
Thank you,
Kevin

Hyperwolf122 (Author), posted November 13, 2021 (ID:1488210)
Hello Kevinf80! I haven’t recently enabled “controlled folder access” on my PC.

kevinf80, posted November 13, 2021 (ID:1488211)
Hiya Hyperwolf122,

Your screenshot indicates Controlled Folder Access triggered the block to Svchost.exe from making changes to memory. Svchost.exe is also known as the Service Host process; it is responsible for hosting various service processes. There are many Windows services running in the background, also possibly some 3rd party service processes. If your PC is definitely infected it would probably be a 3rd party process causing the problem.

I have just upgraded to Windows 11, Controlled Folder Access is currently disabled; I assume by default. I do not believe it was enabled in Windows 10 either.

As for why you are seeing these messages, it is because your Controlled Folder Access setting is enabled. This is possibly happening because one of the svchost processes may be host to a 3rd party service, which Windows Security is suspicious of.

Let's run a diagnostic scan to check your system further.

Download Farbar Recovery Scan Tool and save it to your desktop.
Alternative download option: http://www.techspot.com/downloads/6731-farbar-recovery-scan-tool.html

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

If your security alerts to FRST, either accept the alert or turn your security off to allow FRST to run. It is not malicious or infected in any way...
Be aware FRST must be run from an account with Administrator status...
If English is not your primary language, right click on FRST/FRST64 and rename it FRSTEnglish/FRST64English.

Double-click to run it. When the tool opens click Yes to disclaimer. (Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run.)
Make sure Addition.txt is checkmarked under "Optional scans".
Press the Scan button to run the tool.
It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
The tool will also make a log named (Addition.txt). Please also attach that log to your reply.

Thank you,
Kevin

Hyperwolf122 (Author), posted November 13, 2021 (ID:1488214)
Hello! Thanks for the reply! I’ll run FRST soon! (In a day or so as I’m away from my PC.) In the meantime does this mean my PC is infected in any way? Thanks!

kevinf80, posted November 13, 2021 (ID:1488216)
I do not believe your system is infected, but the only way to be sure is to run a diagnostic scan...

Hyperwolf122 (Author), posted November 13, 2021 (ID:1488225)
That’s relieving to hear! :) I’ll post my FRST txt file here soon once I run it! Will Windows Defender however prevent it from running? (It’s the AV I use.)

kevinf80, posted November 14, 2021 (ID:1488250)
I use Windows Defender and Malwarebytes combined, neither flags FRST if I use it...

Hyperwolf122 (Author), posted November 14, 2021 (ID:1488270, edited)
Here you go!
Attachment: FRST_14-11-2021 09.36.00.txt
Edited November 14, 2021 by Hyperwolf122: Added a wrong file

Hyperwolf122 (Author), posted November 14, 2021 (ID:1488306)
Whoops, ignore the last one, that was from a few years ago.

kevinf80, posted November 14, 2021 (ID:1488311)
Also need to see the secondary log, addition.txt. Logs are saved here: C:\FRST\Logs

Hyperwolf122 (Author), posted November 14, 2021 (ID:1488315)
Here you go!
Attachment: Addition_14-11-2021 09.36.00.txt

kevinf80, posted November 14, 2021 (ID:1488328), marked as Solution
Hello Hyperwolf122,

Your logs are clean, no signs of Malware or Infection. Your current problem is because Controlled Folder Access is enabled, hence the alerts you are seeing...

The default setting for Controlled Folder Access is OFF; having it on will make your system more secure but can also cause a lot of ambiguity. My setting is currently set to OFF. I did not change that setting, it came that way when I upgraded to Windows 11. I can also confirm it was also that way when I upgraded from Windows 7 to Windows 10...

My advice would be to disable Controlled Folder Access, obviously that choice is yours to make. Have a read at the following links:

https://support.microsoft.com/en-us/windows/allow-an-app-to-access-controlled-folders-b5b6627a-b008-2ca2-7931-7e51e912b034
https://www.tenforums.com/tutorials/113380-how-enable-disable-controlled-folder-access-windows-10-a.html
https://www.howtogeek.com/329532/how-to-protect-your-files-from-ransomware-with-windows-defenders-controlled-folder-access/

Let me know your thoughts...

Regards,
Kevin.

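Added example, not part of kevinf80's post or of the thread: a PowerShell check of the Controlled Folder Access state and of the block/audit events behind alerts like the one discussed above, using the Defender cmdlets and the Defender operational event log. The "Process Name:" and "Path:" fields parsed from the event message are an assumption about the message layout, and the allow-list path in the comments is a placeholder.

```powershell
# Added example: inspect Controlled Folder Access (CFA) and recent CFA events.
# Run from an elevated PowerShell session on a machine using Microsoft Defender.

# Numeric values returned by Get-MpPreference for EnableControlledFolderAccess
$modes = @{
    0 = 'Disabled'
    1 = 'Enabled (block)'
    2 = 'Audit mode'
    3 = 'Block disk modification only'
    4 = 'Audit disk modification only'
}

$pref = Get-MpPreference
$mode = [int]$pref.EnableControlledFolderAccess
'CFA mode: {0} ({1})' -f $mode, $modes[$mode]

'Allowed applications:'
$pref.ControlledFolderAccessAllowedApplications
'Additional protected folders:'
$pref.ControlledFolderAccessProtectedFolders

# Event 1123 = CFA blocked a change, 1124 = CFA audited a change (last 7 days)
$filter = @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1123, 1124
    StartTime = (Get-Date).AddDays(-7)
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$events | ForEach-Object {
    # Assumed message layout: lines of the form "Process Name: ..." and "Path: ..."
    $proc   = if ($_.Message -match 'Process Name:\s*(.+)') { $Matches[1].Trim() } else { '(not parsed)' }
    $target = if ($_.Message -match '(?m)^\s*Path:\s*(.+)$') { $Matches[1].Trim() } else { '(not parsed)' }
    [pscustomobject]@{
        Time    = $_.TimeCreated
        Id      = $_.Id
        Process = $proc
        Target  = $target
    }
} | Sort-Object Time -Descending | Format-Table -AutoSize

# Options short of switching CFA off (uncomment to apply):
#   Log instead of block while investigating:
# Set-MpPreference -EnableControlledFolderAccess AuditMode
#   Allow one trusted program (placeholder path):
# Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Path\To\TrustedApp.exe'
```

The Process and Target columns show which program was stopped and what it tried to change, which is the information needed to decide between allowing the program, moving to audit mode, or leaving the block in place.
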
Hyperwolf122 (Author), posted November 14, 2021 (ID:1488331)
Thank you very much Kevinf80 for helping me out with this all!!! :)

kevinf80, posted November 15, 2021 (ID:1488366)
Glad we could help. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.
Please review the following to help you better protect your computer and privacy: Tips to help protect from infection
Thank you