Defense+: mscorsvw.exe and ngenservicelock.dat

Dear All,
I have Comodo Internet Security (free) version 8.2.0.4508. The log of Defense+ shows a continuous sequence of mscorsvw.exe modifying (or trying to, I can’t know) ngenservicelock.dat. It has thousands and thousands of lines like the following:

Date Application Action Target
2015-07-13 18:03:55 G:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Modify File G:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat
2015-07-13 18:03:47 G:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Modify File G:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat
2015-07-13 18:03:47 G:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Modify File G:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat
2015-07-13 18:03:39 G:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Modify File G:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat
2015-07-13 18:03:39 G:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Modify File G:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat
2015-07-13 18:03:22 G:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Modify File G:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat
2015-07-13 18:03:22 G:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Modify File G:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat
2015-07-13 18:03:06 G:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Modify File G:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat
2015-07-13 18:03:06 G:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Modify File G:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat
2015-07-13 18:03:06 G:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Modify File G:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat
2015-07-13 18:02:45 G:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Modify File G:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat
2015-07-13 18:02:32 G:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Modify File G:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat
2015-07-13 18:02:25 G:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Modify File G:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat
2015-07-13 18:02:17 G:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Modify File G:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat
2015-07-13 18:02:10 G:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Modify File G:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat
2015-07-13 18:02:10 G:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Modify File G:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat
2015-07-13 18:02:02 G:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Modify File G:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat
2015-07-13 18:01:47 G:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Modify File G:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat
2015-07-13 18:01:47 G:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Modify File G:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat
2015-07-13 18:01:40 G:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Modify File G:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat
2015-07-13 18:01:32 G:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Modify File G:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat
2015-07-13 18:01:23 G:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Modify File G:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat
2015-07-13 18:01:10 G:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Modify File G:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat
2015-07-13 18:01:02 G:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Modify File G:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat
2015-07-13 18:00:55 G:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Modify File G:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat
2015-07-13 18:00:55 G:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Modify File G:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat

I have already spent a lot of time on Google looking for info on this subject but nothing has led me to a solution.
What is this? It seems to be some serious problem, as it repeats several times per minute, never stopping.
Can anybody shed some light on this matter? Any help will be much appreciated.

Thanks in advance
Roger

P.S.: Windows 7, 64 bit, English
MB: ASUS P6T; CPU: Intel i7-920 socket LGA1366; RAM: 6GB DDR3 1600 MHz HyperX Kingston; HDDs: 1TB + 500MB Samsung;
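
An added example, not part of any post in this thread: a short Python script that groups Defense+ log lines like the ones pasted above by application, action and target, and reports how often each combination repeats and how far apart the events are. The line layout is inferred from the excerpt; the first six sample lines are copied from it and the `updater.exe` line is constructed for contrast.

```python
import re
from collections import defaultdict
from datetime import datetime

# Layout as pasted in the thread: "date time application action target".
# Assumption: the application is a drive-letter path ending in .exe and the
# target starts with a drive letter; the text between them is the action.
LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<app>[A-Za-z]:\\.+?\.exe) (?P<action>.+?) (?P<target>[A-Za-z]:\\.+)$",
    re.IGNORECASE,
)

SAMPLE = r"""Date Application Action Target
2015-07-13 18:03:55 G:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Modify File G:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat
2015-07-13 18:03:47 G:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Modify File G:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat
2015-07-13 18:03:47 G:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Modify File G:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat
2015-07-13 18:03:39 G:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Modify File G:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat
2015-07-13 18:03:39 G:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Modify File G:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat
2015-07-13 18:03:22 G:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Modify File G:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat
2015-07-13 18:03:30 G:\Example\updater.exe Modify File G:\Example\state.bin
"""  # last line is constructed, not from the thread


def summarise(log_text):
    """Return (report, skipped): one row per (app, action, target), busiest first."""
    groups = defaultdict(list)
    skipped = 0
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            skipped += 1 if line.strip() else 0  # header or unparsable line
            continue
        # Windows paths are case-insensitive, so fold case before grouping.
        key = (m["app"].lower(), m["action"], m["target"].lower())
        groups[key].append(datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"))
    report = []
    for (app, action, target), stamps in groups.items():
        stamps.sort()
        span = (stamps[-1] - stamps[0]).total_seconds()
        gap = span / (len(stamps) - 1) if len(stamps) > 1 else None
        report.append({"app": app, "action": action, "target": target,
                       "count": len(stamps), "span_s": span, "mean_gap_s": gap})
    report.sort(key=lambda r: r["count"], reverse=True)
    return report, skipped


if __name__ == "__main__":
    rows, skipped = summarise(SAMPLE)
    for r in rows:
        print(r["count"], r["span_s"], r["mean_gap_s"], r["app"], "->", r["target"])
    print("skipped lines:", skipped)
```

A single application, action and target repeating at a steady interval, as in the excerpt, points at one process retrying the same operation rather than at varied activity across many files.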

Hi RogerLima, run a full scan with Malwarebytes Free and Hitman Pro. There is a chance you may be infected. I’m not saying you are. It very well may be something else, but it looks like it’s a good possibility. mscorsvw.exe is the .NET Runtime Optimization Service, which should be automatically trusted. According to several sources, ngenservicelock.dat is a dropped file from a malware installation. I have several versions of .NET installed, but nowhere on my system is a file with that name. Good luck.

ngenservicelock.dat

Hi sAyer and thanks for the post.
I regularly do full system anti-spyware scans on this PC. Malwarebytes has been run and reported nothing. It seems I don’t have an infection.
I have been reading about ngenservicelock.dat using Google for quite a while, but still have not resolved my case.
Thanks sAyer and others who may contribute to this discussion.

Regards,
Roger

Hello,
https://support.microsoft.com/en-us/kb/2571181

ZorKas, thanks for your input. I’ve read the link you gave. That article mentioned several versions of hotfix files that should apply to the case, but unfortunately none of them matched the one that I had in my system.

Anyway, I gave it a try. I used the WORKAROUND shown in the article. I ran ngen.exe in an elevated Command Prompt and got the message “All compilation targets are up to date.” I rebooted the PC, opened the Comodo log and… those events were still coming up.

Two notes:
1 – Even before these procedures, Windows Task Manager did not display any Mscorsvw.exe process.
2 – There was NOT any file in my system named ngenservicelock.dat

Then I ran MSCONFIG.EXE. I went to the section SERVICES. I found two services which seemed related to this issue:

Microsoft .NET Framework NGEN v4.0.30319_X64 (status: STOPPED)
Microsoft .NET Framework NGEN v4.0.30319_X86 (status: RUNNING)

Both were marked as enabled (V mark on the small square to their left)

I disabled the _X86 line; clicked on APPLY and OK. I rebooted the PC.

After the reboot I opened the Comodo Defense+ events log: there were no more mscorsvw.exe events. Not even a single one. They simply stopped altogether. I don’t know if I am right or not. And I don’t know if this will cause any undesired consequences, but this was the only (apparent) solution I found.

Of course, any comments will be appreciated. Sorry for my English; my native language is Portuguese.

Can you check your HIPS rules to see if a rule exists for the file? If there is, remove the rule. Also check the CIS file list to see if it’s listed as trusted or unknown; if its rating is unknown, you should mark it as trusted.

Futuretech,
Yes. There is a HIPS rule for mscorsvw.exe. I found it in Security Settings > HIPS > HIPS Rules. It is as follows:

Application Treat As
G:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Custom ruleset

Double clicking on it gives:

Access Rights: all lines show Action = Ask and Exclusions = Modify (0\0)
Protection Settings: all lines show State = Inactive.

Then I looked in Security Settings > File Rating > File List. The mscorsvw.exe is NOT listed.

Now I have to decide what is better:
1 - Re-enable the service “Microsoft .NET Framework NGEN v4.0.30319_X86” OR
2 - Remove that HIPS rule.

Thanks a lot for the help, and please help me decide which option is better.

Hello,
Your path or is the application being
G:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
And not as on my PC
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Configuring the directory assessment on my PC
Sorry for my English (I’m French)
ps: http://blogs.msdn.com/b/dotnet/archive/2013/08/06/wondering-why-mscorsvw-exe-has-high-cpu-usage-you-can-speed-it-up.aspx


You should remove the HIPS rule, add the executable to the file list and define it as trusted, and re-enable the service. That way it can operate normally without CIS blocking its actions.

ZorKas
1 - The difference between the location of mscorsvw.exe in our PCs is only because my Windows is installed on drive G.

2 - I’ve read the link you provided. As I said before, mscorsvw.exe is not running as a service or as a process in my system. It’s being called by another service.

Thanks for the help!
Roger

Hi futuretech,
Thanks for the reply. I’ll do that. Thanks a lot for the help!
Roger