Applications no longer signed, and publisher name changes

Ken_GlassWire, I uninstalled, rebooted and then reinstalled. The alerts are still there.

@Servo_GlassWire
So, anyways, I tried to conduct an experiment.
I created a program to monitor svchost.exe’s digital signature in real time using the sigcheck tool and some old-school batch files. I created a logger, which would monitor the digital signatures as the Windows Updates were starting.

I started the logging and the Windows Updates; the alerts in GlassWire popped up at 6:52:01, as shown in the screenshot.

Now, to my surprise, the output of digital signatures logged during that time is as follows:


06:51 PM

Sigcheck v2.1 - File version and signature viewer
Copyright (C) 2004-2014 Mark Russinovich
Sysinternals - www.sysinternals.com

c:\windows\system32\svchost.exe:
Verified: Signed
Signing date: 3:53 AM 02-Mar-11
Publisher: Microsoft Windows
Description: Host Process for Windows Services
Product: Microsoft® Windows® Operating System
Prod version: 6.1.7600.16385
File version: 6.1.7600.16385 (win7_rtm.090713-1255)
MachineType: 32-bit


06:51 PM

Sigcheck v2.1 - File version and signature viewer
Copyright (C) 2004-2014 Mark Russinovich
Sysinternals - www.sysinternals.com

c:\windows\system32\svchost.exe:
Verified: Unsigned
Link date: 10:15 AM 01-Mar-11
Publisher: Microsoft Corporation
Description: Host Process for Windows Services
Product: Microsoft® Windows® Operating System
Prod version: 6.1.7600.16385
File version: 6.1.7600.16385 (win7_rtm.090713-1255)
MachineType: 32-bit


06:51 PM

Sigcheck v2.1 - File version and signature viewer
Copyright (C) 2004-2014 Mark Russinovich
Sysinternals - www.sysinternals.com

c:\windows\system32\svchost.exe:
Verified: Unsigned
Link date: 10:15 AM 01-Mar-11
Publisher: Microsoft Corporation
Description: Host Process for Windows Services
Product: Microsoft® Windows® Operating System
Prod version: 6.1.7600.16385
File version: 6.1.7600.16385 (win7_rtm.090713-1255)
MachineType: 32-bit


06:51 PM

Sigcheck v2.1 - File version and signature viewer
Copyright (C) 2004-2014 Mark Russinovich
Sysinternals - www.sysinternals.com

c:\windows\system32\svchost.exe:
Verified: Signed
Signing date: 3:53 AM 02-Mar-11
Publisher: Microsoft Windows
Description: Host Process for Windows Services
Product: Microsoft® Windows® Operating System
Prod version: 6.1.7600.16385
File version: 6.1.7600.16385 (win7_rtm.090713-1255)
MachineType: 32-bit


06:52 PM

Sigcheck v2.1 - File version and signature viewer
Copyright (C) 2004-2014 Mark Russinovich
Sysinternals - www.sysinternals.com

c:\windows\system32\svchost.exe:
Verified: Signed
Signing date: 3:53 AM 02-Mar-11
Publisher: Microsoft Windows
Description: Host Process for Windows Services
Product: Microsoft® Windows® Operating System
Prod version: 6.1.7600.16385
File version: 6.1.7600.16385 (win7_rtm.090713-1255)
MachineType: 32-bit

I modified the sigcheck tool by SysInternals to monitor this in real-time during the updates. Sigcheck - Sysinternals | Microsoft Learn

So, I hereby conclude that svchost.exe is stripped of its digital signature during Windows Updates. It’s normal behavior and not a bug in GlassWire.

Notice the publisher name change from Microsoft Windows during signed state to Microsoft Corporation during unsigned state (and back to MS Windows when signed again), which explains the publisher name change alert.
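
An added example, not part of the original post: a small parser for a log in the format shown above that lists every change in the Verified and Publisher fields between consecutive samples and checks whether the last sample matches the first. The sample log is constructed from the five records in the post, with the banner and the other fields left out; the function names are this example's own.

```python
import re

TIMESTAMP = re.compile(r"^\d{1,2}:\d{2} [AP]M$")       # e.g. "06:51 PM"
FIELD = re.compile(r"^(Verified|Publisher):\s*(.+)$")  # the two fields tracked

def parse_samples(log_text):
    """Return one dict per timestamped sigcheck record."""
    samples, current = [], None
    for line in log_text.splitlines():
        line = line.strip()
        if TIMESTAMP.match(line):
            current = {"time": line}
            samples.append(current)
        elif current is not None:
            m = FIELD.match(line)  # banner, path and other fields are ignored
            if m:
                current[m.group(1).lower()] = m.group(2).strip()
    return samples

def transitions(samples):
    """Return (time, field, old, new) for each change between consecutive samples."""
    changes = []
    for prev, cur in zip(samples, samples[1:]):
        for field in ("verified", "publisher"):
            if prev.get(field) != cur.get(field):
                changes.append((cur["time"], field, prev.get(field), cur.get(field)))
    return changes

def returned_to_baseline(samples):
    """True if the last sample matches the first in both tracked fields."""
    keys = ("verified", "publisher")
    return bool(samples) and all(samples[0].get(k) == samples[-1].get(k) for k in keys)

def record(time, verified, publisher):
    # Constructed record: same layout as the post's log, reduced to the tracked fields.
    return (f"{time}\n\nc:\\windows\\system32\\svchost.exe:\n"
            f"Verified: {verified}\nPublisher: {publisher}\n\n")

SIGNED = ("Signed", "Microsoft Windows")
UNSIGNED = ("Unsigned", "Microsoft Corporation")
# Constructed sample: the sequence of five states reported in the post.
SAMPLE_LOG = "".join(record(t, *state) for t, state in [
    ("06:51 PM", SIGNED), ("06:51 PM", UNSIGNED), ("06:51 PM", UNSIGNED),
    ("06:51 PM", SIGNED), ("06:52 PM", SIGNED)])

if __name__ == "__main__":
    parsed = parse_samples(SAMPLE_LOG)
    for change in transitions(parsed):
        print(change)
    print("returned to baseline:", returned_to_baseline(parsed))
```
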