Our system just got the following alerts:
When we searched the hash on Virustotal, we got the information that this hash belongs to the original svchost.exe :
Could you enlighten us about this alert and how and where the intelligence about the file was obtained? We really panicked.
This alert is from a community threat. So it’s not from a built-in IDR alert.
These threats are most of the time built by other companies and offered as an opt-in detection.
So in this case someone opted into this ‘Ransomware/Malware/others-Ez’ threat feed that had this svchost.exe hash in its detection.
These detections are not enabled by default; you can find your currently subscribed feeds within Detection Rules > Community Threats.
You also have a button Threat Community to view threat feeds from other companies.
If I look at the description of the ‘Ransomware/Malware/others-Ez’ threatfeed I don’t see any information on how this intelligence was obtained, other than that it’s gathered through an API.
I do see that the owner of this feed added this svchost.exe hash on Apr 19, 2022 6:00:17 PM through the audit history. But I don’t see any clues in the description on how to contact the owner of this threat feed.
Seems that the owner has removed this svchost hash.
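The false positive above comes from a community feed carrying the hash of a legitimate OS binary. One defensive habit this thread suggests is to vet a feed's hash indicators against the hashes of files you know to be good before (or after) subscribing. The script below is an added example and is not code from this thread, from Rapid7, or from the feed owner; the "feed" and the "known-good" file bytes are constructed inline stand-ins, and `Ransomware/Malware/others-Ez` is used only as a source label taken from the posts above.

```python
import hashlib
from typing import Dict, List, Tuple

# A feed entry is (hash_as_published, feed_name). Feeds are inconsistent about
# case and whitespace, so every hash is normalised before comparison.
FeedEntry = Tuple[str, str]
# A collision is (normalised_hash, known_good_filename, feed_name).
Collision = Tuple[str, str, str]


def sha256_hex(data: bytes) -> str:
    """SHA-256 of an in-memory byte string as lowercase hex."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str) -> str:
    """SHA-256 of a file on disk, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def normalize(h: str) -> str:
    """Strip whitespace and lowercase so 'ABCD..' and ' abcd.. ' compare equal."""
    return h.strip().lower()


def vet_feed(feed: List[FeedEntry], known_good: Dict[str, str]) -> List[Collision]:
    """Return feed indicators that are actually hashes of known-good files.

    known_good maps a filename to its SHA-256; in practice you would build it
    from a clean reference host with sha256_file() rather than from constants.
    """
    by_hash = {normalize(h): name for name, h in known_good.items()}
    collisions: List[Collision] = []
    for published, feed_name in feed:
        h = normalize(published)
        if h in by_hash:
            collisions.append((h, by_hash[h], feed_name))
    return collisions


# --- constructed sample data (NOT real binaries or real feed content) ---
GOOD_FILE_BYTES = {
    "svchost.exe": b"constructed stand-in for C:\\Windows\\System32\\svchost.exe",
    "explorer.exe": b"constructed stand-in for C:\\Windows\\explorer.exe",
}
KNOWN_GOOD: Dict[str, str] = {name: sha256_hex(b) for name, b in GOOD_FILE_BYTES.items()}

SAMPLE_FEED: List[FeedEntry] = [
    # Published in upper case with a trailing space, as feeds sometimes do.
    (KNOWN_GOOD["svchost.exe"].upper() + " ", "Ransomware/Malware/others-Ez"),
    # Constructed placeholder indicator that matches nothing we know.
    ("0" * 64, "Ransomware/Malware/others-Ez"),
]


def report(feed: List[FeedEntry] = SAMPLE_FEED, known_good: Dict[str, str] = KNOWN_GOOD) -> int:
    """Print each collision and return how many were found."""
    collisions = vet_feed(feed, known_good)
    for h, name, feed_name in collisions:
        print(f"feed '{feed_name}' would alert on known-good file {name} ({h})")
    if not collisions:
        print("no feed indicator matches a known-good file")
    return len(collisions)


if __name__ == "__main__":
    report()
```

Run this against the hashes exported from a subscribed feed and a known-good set built with `sha256_file()` on a clean reference machine; any collision is a feed entry that will page you on every host that runs that file.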
Thank you very much for your information sharing and support, Ilyaaz. I guess you have to be selective in community feeds.