File description |
Wscntfy.exe with description Windows Security Center Notification App is a process file from company Microsoft Corporation belonging to product Microsoft® Windows® Operating System.
The file is
digitally signed from Microsoft Windows Component Publisher - Microsoft Timestamping Service
We do not recommend removing digitally signed files from Microsoft Windows Component Publisher
What is wscntfy.exe?
Wscntfy.exe is the Windows Security Center (from Windows XP Service Pack 2 on). Its purpose is to display an icon in the system tray indicating whether the firewall is enabled, automatic updates are on, and whether virus protection is installed. The following is a screenshot of the Windows Security Center in Windows XP:
This is a system executable but it does not need to be running and can safely be disabled. If you choose to disable Security Center, be aware that your system will no longer warn you when your virus protection is out-of-date, your firewall is turned off, or automatic updates are disabled. The screenshot below illustrates how this process should appear in the task manager:
In the above screenshot, wscntfy.exe is running as the current user (Mike); however, it can also run as SYSTEM.
Dangers of wscntfy
As this is a legitimate process that runs on most systems with Windows XP Service Pack 2 or later, it is common for virus writers and spyware vendors to disguise their malware as the genuine one.
Some malicious files will have the same name but will be stored somewhere other than in %SystemRoot%\System32. Other malware will use a name that appears similar to that of the legitimate one but with slight differences in spelling or with appended digits. The following malware is known to disguise itself as wscntfy.exe:
- Troj/Banker-FZ (%SystemRoot%)
- This is a password-stealing Trojan that logs keystrokes and takes periodic screenshots.
- Troj/Tanto-H (%SystemRoot%)
- This is a backdoor Trojan that allows a remote attacker to gain access to the infected computer.
- W32/Spelit-A (%SystemRoot%\System32\wsçntfy.exe)
- This is a mass-mailing IRC backdoor Trojan. Note that the filename contains a c with a cedilla under it ("a French soft c").
- W32/Agobot-AHT (%SystemRoot%\System32\wcsntfy.exe)
- This is an IRC backdoor Trojan. Note that the c and the s are transposed in the filename.
There is typically only one instance of this process running at a given time. The presence of multiple instances may be an indicator of a malware infection. Note that this executable should not exist if you are using Windows XP before Service Pack 2 or any version of Windows prior to XP. If it does, your system is likely infected with malware.
Common problems
- This process causes the system to slow down significantly
- This is a known problem with no certain fix. Try installing the latest updates. If the problem persists, disable the Security Center service.
- Wscntfy.exe wants access to port 3752
- This is a symptom of a malware infection. Run a virus scan immediately.
|
Automatic startup locations |
 |
001 Running Processes |
 |
002 Autorun registry entries local machine |
|
003 Autorun registry entries Current User |
 |
004 All users startup startmenu |
|
005 Current user startup startmenu |
|
006 Start Menu\Programs\Startup |
|
065 Image File Execution Options (debugger) |
|
136 Local Machine Runonce (+subkeys) |
|
Digital signatures found for this file |
| |
Signer of certificate |
Issuer of certificate |
 |
Microsoft Windows Component Publisher |
Microsoft Timestamping Service |
|
Microsoft Windows Publisher |
VeriSign Time Stamping Services Signer |
|
|
MD5 security rating in our database |
 |
 |
|
90 |
files (Not yet rated
and
not
signed) |
 |
|
73 |
files (Safe
and
digitally
signed) |
|
|
|
Some versions of this filename have not yet been checked for safety.
|
| Warning: Some malware might rename itself to wscntfy.exe. Always make sure that your file is from a verified publisher. |
|
Application errors |
|
| User comments. |
There are no comments yet.
|
|
Database statistics
Top process list
