12 Replies Latest reply: Sep 12, 2009 1:45 AM by GerryMarkham

    Buffer overflow in svchost.exe

      I am getting this message several times a day:

      ===========================================
      McAfee has automatically blocked a buffer overflow.
      About this Buffer Overflow
      File: C:\WINDOWS\System32\svchost.exe
      ===========================================

      However, when I run a complete scan with McAfee Security Center nothing is found.

      This occurs on both PCs where MSC 9.15 is installed.

      I have uploaded C:\WINDOWS\System32\svchost.exe to Virustotal.com and nothing was found.

      I had Conficker virus on these machines, but I believe it was successfully removed, as indicated by McAfee and several other virus scanners.

      I am not getting any of the usual Conficker symptoms, and scanning my running processes with the University of Bonn Conficker detection tools finds nothing.

      I have also run the McAfee Conficker S.t.i.n.g.e.r.exe program, which indicates that svchost.exe is in fact infected, but a scan of my machine using S.t.i.n.g.e.r.exe again finds nothing on any file on my hard drive.

      Full scans with other tools such as Windows defender and Malicious Software Removal Tool also indicate nothing.

      Again my PC is showing none of the usual Conficker symptoms. Only McAfee seems to see any sort of problem. This is making me think this is a false alarm and I would like to know what can be done about it.
        • 1. Same issue
          Hello,

          I have exactly the same problem. We had many computers that were infected by Conficker, but everything is clean now (according to McAfee Enterprise 8.7.0i and the Microsoft Malicious software removal tool).
          Now some computers also show the same message as Gerry's.
          Our ePolicy 4.5.0 shows svchost.exe as the thread source and _:kernel32.loadlibraryA as the "Threat target file path".

          Thanks for the help.
          • 2. RE: Same issue
            Is it possible that this is a legitimate but buggy program that is causing this? If so, how does one discover the source of the error?

            There is a McAfee file called BufferOverflowProtectionLog.txt that I have heard about but do not see on my own PC. What application is supposed to generate this log?

            The McAfee applications I am running are:

            C:\Program Files\McAfee\MPS
            C:\Program Files\McAfee\MQC
            C:\Program Files\McAfee\MSC
            C:\Program Files\McAfee\MSHR
            C:\Program Files\McAfee\MSK
            C:\Program Files\McAfee\MSM
            C:\Program Files\McAfee\SiteAdvisor
            C:\Program Files\McAfee\VirusScan
            C:\Program Files\McAfee\MBK
            C:\Program Files\McAfee\MHN
            C:\Program Files\McAfee\MPF

            I have used Process Explorer to look at the various processes running on my running svchost applications but see nothing odd or unusual.
            • 3. RE: Same issue
              Ex_Brit
              cws, as you are using Enterprise products, most likely in a Corporate environment, you are better served posting in the Corporate area: http://community.mcafee.com/forumdisplay.php?f=122

              GerryMarkham post #2 in this thread should help: http://community.mcafee.com/showthread.php?t=231313&highlight=Buffer+overflow
              • 4. RE: Same issue
                Hi Ex_brit, thanks for your response. The post you pointed out indicates that most crashes and errors dealing with buffer overflows in Windows will come from an outside source aka a Third Party application or plugin.

                Some questions that come to mind are:

                1. Do you have any suggestions on methods to find the source of the error (i.e. which program or process is causing the buffer overflow)?

                2. Can you tell me what McAfee program generates the BufferOverflowProtectionLog.txt log that I have read about?

                3. Is there a way to turn off the Buffer Overflow detection specifically while leaving the other virus detection facilities in place?
                • 5. RE: Same issue
                  Ex_Brit


                  Not without leaving you open to any infections.

                  Basically these things shouldn't occur if Windows is kept totally up to date with both critical and non-critical updates plus you keep software, driver etc. up to date, especially Java, Flash and suchlike.

                  It helps too to have some extra anti-spyware tools handy: http://community.mcafee.com/showthread.php?t=136913

                  I'm no expert in this field however, so hopefully someone else will spot this and throw their views in.

                  Did you do the scans mentioned in that post?
                  • 6. RE: Same issue
                    I am running ESET online scanner as we speak. I will try malwarebytes later, although I have run it before I had McAfee with no problems detected.

                    Will Malwarebytes install OK over McAfee, or do you know if I will get the usual "another anti-virus product has been detected..." warning?
                    • 7. RE: Same issue
                      Ex_Brit
                      I've used it recently with no warnings from VirusScan. I don't usually leave it installed however, preferring to download it afresh each time I need it.
                      • 8. RE: Same issue
                        OK thanks XB. I will let you know what ESET online scanner finds, then I will run malwarebytes.
                        • 9. RE: Same issue
                          OK my scans revealed only one unopened "delivery failed" email with Win32\Sober.Y virus (deleted) and a registry flag belonging to McAfee (ignored):

                          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter)

                          I will see today if I am still getting the buffer overflows.