Advice Request svchost process is blocking a non-Microsoft-signed binary: fsamsi64.dll

Please provide comments and solutions that are helpful to the author of this topic.

Zartarra

Zartarra

Level 7
Thread author
Verified
Well-known
May 9, 2019
313
Hello all

I am using F-Secure Safe 18.2. In the Security-Mitigrations logs I found many warning with all the same message:

Process '\Device\HarddiskVolume4\Windows\System32\svchost.exe' (PID 2520) was blocked from loading the non-Microsoft-signed binary '\Program Files (x86)\F-Secure\SAFE\Ultralight\ulcore\1642777614\fsamsi64.dll'. The PID points to Windows management Instrumentation service.

I found on the F-secure community the following: Win 10 Event Log - fsamsi64.dll - image hash of a file is not valid. On the Avast community I found a similar message (Avast and Security-Mitigations warning events).

I tried to turn off the code integrity for svchost.exe in the Exploit protection setting but that did not resolve the issue.

Does anyone have an idea to solve this issue?
 
  • Like
  • +Reputation
Reactions: show-Zi, Venustus, oldschool and 4 others
upnorth

upnorth

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 27, 2015
5,459
  • Like
Reactions: show-Zi, Zartarra, Venustus and 4 others
Zartarra

Zartarra

Level 7
Thread author
Verified
Well-known
May 9, 2019
313
I turned off the memory protection but the issue is still there :cry:. I even used the regkey in Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios.
 
  • Sad
Reactions: Venustus and Gandalf_The_Grey
Zartarra

Zartarra

Level 7
Thread author
Verified
Well-known
May 9, 2019
313
I tested a bit further. I disabled the exploit protection, still the same issue.

I have a policy enabled to protect svchost.exe. Maybe that can be an issue. I disabled it on a test machine but still the same. Going to search further on an fresh installed VM.
 
  • Like
Reactions: Venustus, upnorth and Gandalf_The_Grey
Zartarra

Zartarra

Level 7
Thread author
Verified
Well-known
May 9, 2019
313
I maybe found the issue. I have a policy enabled to enable svchost.exe mitigrations. When I set the policy back to "not configured" and delete manually the regkey, the event is not registered again in the eventviewer.

Policy - Mitigratie svchost.png
 
  • Like
Reactions: Gandalf_The_Grey and upnorth

Similar threads

Bot
    • Like
Releasing Windows 11 Build 22621.1631 to the Release Preview Channel
Replies
0
Views
426
Windows 11
Bot
Bot
Bot
    • Like
Releasing Windows 11 Build 22000.1879 to the Release Preview Channel
Replies
0
Views
418
Windows 11
Bot
Bot
Sandbox Breaker
    • Like
    • Applause
AWS SSM Agent can be used as a RAT
Replies
0
Views
1,028
News Archive
Sandbox Breaker
Sandbox Breaker

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top