
Buffer overflow in svchost.exe

I am getting this message several times a day:

===========================================
McAfee has automatically blocked a buffer overflow.
About this Buffer Overflow
File: C:\WINDOWS\System32\svchost.exe
===========================================

However, when I run a complete scan with McAfee Security Center nothing is found.

This occurs on both PCs where MSC 9.15 is installed.

I have uploaded C:\WINDOWS\System32\svchost.exe to Virustotal.com and nothing was found.

I had Conficker virus on these machines, but I believe it was successfully removed, as indicated by McAfee and several other virus scanners.

I am not getting any of the usual Conficker symptoms, and scanning my running processes with the University of Bonn Conficker detection tools finds nothing.

I have also run the McAfee Conficker S.t.i.n.g.e.r.exe program, which indicates that svchost.exe is in fact infected, but a scan of my machine using S.t.i.n.g.e.r.exe again finds nothing on any file on my hard drive.

Full scans with other tools such as Windows Defender and Malicious Software Removal Tool also indicate nothing.

Again my PC is showing none of the usual Conficker symptoms. Only McAfee seems to see any sort of problem. This is making me think this is a false alarm and I would like to know what can be done about it.
cws

Same issue

Hello,

I have exactly the same problem. We had many computers that were infected by Conficker, but everything is clean now (according to McAfee Enterprise 8.7.0i and the Microsoft Malicious Software Removal Tool).
Now some computers also show the same message as Gerry's.
Our ePolicy 4.5.0 shows svchost.exe as the thread source and _:kernel32.loadlibraryA as the "Threat target file path".

Thanks for the help.

RE: Same issue

Is it possible that this is a legitimate but buggy program that is causing this? If so, how does one discover the source of the error?

There is a McAfee file called BufferOverflowProtectionLog.txt that I have heard about but do not see on my own PC. What application is supposed to generate this log?

The McAfee applications I am running are:

C:\Program Files\McAfee\MPS
C:\Program Files\McAfee\MQC
C:\Program Files\McAfee\MSC
C:\Program Files\McAfee\MSHR
C:\Program Files\McAfee\MSK
C:\Program Files\McAfee\MSM
C:\Program Files\McAfee\SiteAdvisor
C:\Program Files\McAfee\VirusScan
C:\Program Files\McAfee\MBK
C:\Program Files\McAfee\MHN
C:\Program Files\McAfee\MPF

I have used Process Explorer to look at the various processes running on my running svchost applications but see nothing odd or unusual.
Reliable Contributor exbrit

RE: Same issue

cws, as you are using Enterprise products, most likely in a Corporate environment, you are better served posting in the Corporate area: http://community.mcafee.com/forumdisplay.php?f=122

GerryMarkham, post #2 in this thread should help: http://community.mcafee.com/showthread.php?t=231313&highlight=Buffer+overflow

RE: Same issue

Hi Ex_brit, thanks for your response. The post you pointed out indicates that most crashes and errors dealing with buffer overflows in Windows will come from an outside source aka a Third Party application or plugin.

Some questions that come to mind are:

1. Do you have any suggestions on methods to find the source of the error (i.e. which program or process is causing the buffer overflow)?

2. Can you tell me what McAfee program generates the BufferOverflowProtectionLog.txt log that I have read about?

3. Is there a way to turn off the Buffer Overflow detection specifically while leaving the other virus detection facilities in place?
Reliable Contributor exbrit

RE: Same issue



Not without leaving you open to any infections.

Basically these things shouldn't occur if Windows is kept totally up to date with both critical and non-critical updates plus you keep software, driver etc. up to date, especially Java, Flash and suchlike.

It helps too to have some extra anti-spyware tools handy: http://community.mcafee.com/showthread.php?t=136913

I'm no expert in this field however, so hopefully someone else will spot this and throw their views in.

Did you do the scans mentioned in that post?

RE: Same issue

I am running ESET online scanner as we speak. I will try Malwarebytes later, although I have run it before I had McAfee with no problems detected.

Will Malwarebytes install OK over McAfee, or do you know if I will get the usual "another anti-virus product has been detected..." warning?
Reliable Contributor exbrit

RE: Same issue

I've used it recently with no warnings from VirusScan. I don't usually leave it installed however, preferring to download it afresh each time I need it.

RE: Same issue

OK, thanks XB. I will let you know what ESET online scanner finds, then I will run Malwarebytes.

RE: Same issue

OK, my scans revealed only one unopened "delivery failed" email with Win32\Sober.Y virus (deleted) and a registry flag belonging to McAfee (ignored):

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter)

I will see today if I am still getting the buffer overflows.
