taskhostw.exe trying to connect through Windows Firewall - Is it Malware?
<blockquote data-quote="DDE_Server" data-source="post: 862721" data-attributes="member: 65727"><p>There was talk on one of the Microsoft threads that it may differ in the footprint of registry entries created.</p>
<p>Here is the quote:</p>
<p>[SPOILER="Taskhostw.exe"]</p>
<p>I have now looked around more, and I do see many saying that malware does use the very same name, with the w. But it also gave sizes of the correct file and the malware one, and the malware is much larger than the correct file.</p>
<p>It listed three varying sizes for the correct file:</p>
<p>•71,792 bytes</p>
<p>•71,280 bytes</p>
<p>•71,848 bytes.</p>
<p>And it said the malware by the same name in a subfolder in Program Files is 1,113,088 bytes. And the malware file by the same name in a subfolder in the user profile folder is 1,3792,328 bytes.</p>
<p>Mine doesn't match any of those numbers! Mine comes in at:</p>
<p>•Size: 87,904 bytes</p>
<p>•Size on disk: 90,112 bytes</p>
<p>So, since there are so many subfolders on my computer in the specified locations for the malware, I decided to just take the advice and run Malwarebytes -- I got the free, 14-day trial and ran it.</p>
<p>Malwarebytes did not produce any notice about taskhostw.exe. So, I guess mine cleared that hurdle and is probably the correct one.</p>
<p>So, I now have what I think is a better approach to stop this notice than fully turning off that function, which is supposed to be designed to avoid ransomware. You do not have to turn it off, you can selectively protect a folder or file, in this case a file. I have done that on my computer now.</p>
<p>To do that:</p>
<p>•Open Windows Defender</p>
<p>•Go to the "Virus & threat protection" page</p>
<p>•At bottom of that page, click into "Ransomware protection"</p>
<p>•On the "Ransomware protection" page, toward the bottom, under "Controlled folder access," select the second option: "Allow an app through controlled folder access"</p>
<p>•Now navigate to and select the correct taskhostw.exe file at:</p>
<p>C:\Windows\System32\taskhostw.exe</p>
<p>Once selected, it will be added to a list of protected files and you should not get that message any more -- and I presume if you do start getting it again, that would be because you then have gotten the real malware file, so good thing you stopped this selectively instead of turning the entire function off!</p>
<p>(Malwarebytes did find a number of things it questioned and left it to me to decide -- I hate that, how am I supposed to know! Anyway, I did know one was fine, but the others I could not tell, but the names left me wondering if yes, they are a problem, even though Windows Defender has not identified them as a problem. So, I quarantined them. I restarted, tested a couple applications to see if they would still open after that, but I will just have to await the test of time, I suppose -- but better delete them or restore them before the 14-day trial ends.)</p>
<p>[/SPOILER]</p>
<p>The link: <a href="https://answers.microsoft.com/en-us/windows/forum/windows_10-windows_install/taskhostwexe-on-windows-10/db876c06-0329-465a-bab0-35997a575d17" target="_blank">taskhostw.exe on windows 10</a></p>
<p>[USER=85179]@security123[/USER] from where you inserted this quote</p></blockquote>
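Added example, not part of the post above or of the quoted Microsoft thread: because the sizes listed in the quote differ from one another and from the poster's own file, this PowerShell script identifies every taskhostw.exe by location and Authenticode signature rather than by size, checking running instances and the Program Files and user profile locations the quote names. It assumes Windows PowerShell 5.1 or later on Windows 10; `Test-TaskHostFile` is a hypothetical helper name.

```powershell
# Added example. Test-TaskHostFile is a hypothetical helper name.
# Assumes Windows PowerShell 5.1+ on Windows 10 or later.
$expected = Join-Path $env:SystemRoot 'System32\taskhostw.exe'

function Test-TaskHostFile {
    param([Parameter(Mandatory)][string]$Path)
    $file = Get-Item -LiteralPath $Path -Force
    $sig  = Get-AuthenticodeSignature -LiteralPath $Path
    [pscustomobject]@{
        Path           = $file.FullName
        SizeBytes      = $file.Length
        InSystem32     = $file.FullName -ieq $expected
        SignatureValid = $sig.Status -eq 'Valid'
        IsOSBinary     = $sig.IsOSBinary
        Signer         = $sig.SignerCertificate.Subject
        SHA256         = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    }
}

# Image paths of running instances. ExecutablePath can be empty for
# processes in other sessions unless the prompt is elevated.
$running = Get-CimInstance Win32_Process -Filter "Name = 'taskhostw.exe'" |
    Where-Object ExecutablePath |
    Select-Object -ExpandProperty ExecutablePath

# Copies on disk under the locations the quoted post names.
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:USERPROFILE) |
    Where-Object { $_ -and (Test-Path -LiteralPath $_) }
$onDisk = Get-ChildItem -LiteralPath $roots -Filter 'taskhostw.exe' -Recurse -File -Force -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty FullName

$results = @($expected) + @($running) + @($onDisk) |
    Where-Object { $_ -and (Test-Path -LiteralPath $_) } |
    Sort-Object -Unique |
    ForEach-Object { Test-TaskHostFile -Path $_ }

$results | Format-List

# Anything outside System32, or without a valid signature, needs a closer look.
$suspect = @($results | Where-Object { -not ($_.InSystem32 -and $_.SignatureValid) })
if ($suspect.Count) {
    Write-Warning "Unexpected taskhostw.exe: $($suspect.Path -join '; ')"
} else {
    Write-Output 'Only the signed System32 copy was found.'
    # Command-line equivalent of the GUI steps in the quote (elevated prompt):
    # Add-MpPreference -ControlledFolderAccessAllowedApplications $expected
}
```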