Wilders Security Forums  

#26
May 23rd, 2012, 03:52 PM
funkydude (Incredibly Massive Poster; Join Date: Apr 2004; Posts: 6,003)
Re: [Thread split] Hosts file et al

Quote:
Originally Posted by safeguy
To be fair, however, using a hosts file to pseudo-block certain ads also has its own advantages. Since it is included in the system, it requires no upgrades (unlike 3rd-party software)

You're choosing to completely ignore that it IS updated frequently, even monthly. Not only that, but updating a HOSTS file yourself is far more hassle than say, having a dedicated program do it for you.

Quote:
Originally Posted by safeguy
and that it is free of costs compared to a 3rd-party commercial ad-blocker

Which conveniently ignores the free ones.

Quote:
Originally Posted by safeguy
The pseudo-blocking implemented is also system-wide and works across multiple web browsers(not counting AdMuncher, AdFender, Privoxy, Proxomitron, etc).

Nice, you brought up an invalid point and countered it all by yourself in brackets. Every real ad blocker is system wide, you just have browser plugins stuck in your mind. An ad blocker isn't defined as a browser plugin, it's just a "reduced" form of one.

Quote:
Originally Posted by safeguy
If security programs scan the HOSTS file and they only accept the IP address "127.0.0.1", it means the security program does not understand the hosts file's intended purpose. It's time for them to change and learn to accept other IP addresses.

Easy to say from someone who has no perspective of the code involved in the software itself. Maybe they do need to add it, or, for all we know it simply isn't that easy and adding every invalid IP address might be more effort/overhead than it's worth.
__________________
OpenDNS with DNSCrypt

SSD: Windows 8 Pro x64 | IE10 (Enhanced Protected Mode) & Fanboy's TPLs
HDD: Xubuntu 12.04 LTS (x64) | Firefox: ABP(Fanboy's list) & HTTPS Everywhere
#27
May 23rd, 2012, 05:17 PM
Espresso (Frequent Poster; Join Date: Aug 2006; Posts: 974)
Re: MSE 4

Quote:
Originally Posted by funkydude
programs like ABP can easily block 100%, they have the potential to do that,

Yes, potential, but nothing blocks 100% of ads.


Quote:
Oh, right, you count for the entire world now yeah? You're trying to disprove fact based solely on your own tiny experience? LOL.

I'm not advocating the use of HOSTS - I'm just defending my own successful usage. I don't give a damn whether anyone else uses it or not.


Quote:
Doesn't matter how benign they are, they aren't supposed to be used in a HOSTS file, that isn't the purpose of a HOSTS file.

A HOSTS file is used for whatever you want to use it for. It's been used for ad/malware blocking for years and MS is well aware of it. MSE should be able to distinguish between a localhost redirect vs an internet redirect.

Quote:
I'm sorry? Why is it on me to prove yet you have a free ride with your claims which are nothing other than blind faith?

You're the one making all the claims. I'm just defending against them. Again, the onus is on you to prove that an ad blocked by an ad blocker is faster than the same ad blocked by a HOSTS file.

Quote:
it's a fact that your system will become slower and slower the bigger the file is

Sure, but mine is 50k with 2700 entries. Tiny by comparison to standard ad blocking HOSTS file. I could use a Hostsserver log to prune it down to a tenth of that size and get rid of most ads.

Quote:
Real ad blockers can use lists in a way that reduces the impact of the size of said list. They can also use freely available system resources specifically designed for preventing connections, such as WFP, which work at a higher level and are therefore faster than waiting for the HOSTS file. I'm not sure where the difficulty in understanding this lies.

I'd like to know just how much "faster" it is. The HOSTS data is kept in memory and 2700 entries can be parsed pretty quickly on a modern computer. Methinks the difference is practically nil.
#28
May 23rd, 2012, 05:35 PM
funkydude (Incredibly Massive Poster; Join Date: Apr 2004; Posts: 6,003)
Re: MSE 4

Quote:
Originally Posted by Espresso
I'm not advocating the use of HOSTS - I'm just defending my own successful usage. I don't give a damn whether anyone else uses it or not.

Really? Then I'm done here as I couldn't care less what you use. I'm not here to personally convince you as that's obviously impossible even with the presented facts.
__________________
OpenDNS with DNSCrypt

SSD: Windows 8 Pro x64 | IE10 (Enhanced Protected Mode) & Fanboy's TPLs
HDD: Xubuntu 12.04 LTS (x64) | Firefox: ABP(Fanboy's list) & HTTPS Everywhere
#29
May 23rd, 2012, 06:10 PM
noone_particular (Very Frequent Poster; Join Date: Aug 2008; Posts: 1,877)
Re: MSE 4

Amazing how the simplest things can provoke such heated debates in this place. Like so many other things, using a hosts file to block ads has both good and bad points.
Good points:
Does not require a separate process to perform the task.
Works with all internet apps that use DNS, not just a browser.

Bad points:
Can be altered by malware if the user allows the machine to be infected and doesn't have other measures in place.
Not complete coverage, but then nothing is.
Large hosts files can slow DNS service on 2K and XP units. Not sure if this was fixed on Vista and newer. Never was a problem on 9X.
Blocks resolved names, not IP addresses or ranges.

The hosts file isn't for blocking access to malicious sites. They come and go so fast, nothing can keep up with the changes. It's OK for blocking known ad servers, "call home" locations, and others that you don't want tracking you (Google, Facebook, etc). It's good for bypassing the DNS blocking of sites when you know the site's IP. The hosts file is quite useful as long as you keep your expectations sensible. Trying to use the hosts file to block access to malicious sites is pointless. If your PC is so vulnerable that it can't be allowed near a malicious site, you've got much bigger problems.

For those worried about malicious additions and changes to their hosts files, why not use a hash checker to verify it at startup or as a scheduled task? If it changes, you'll know.
__________________
Sitting in a bunker, here behind my wall, waiting for the worms to come.
#30
May 23rd, 2012, 06:41 PM
jynx (Infrequent Poster; Join Date: Mar 2012; Location: Right here; Posts: 15)
Re: MSE 4

Quote:
Originally Posted by noone_particular
.....
For those worried about malicious additions and changes to their hosts files, why not use a hash checker to verify it at startup or as a scheduled task? If it changes, you'll know.

Or use WinPatrol Free/Plus; it can check if there is a change to the hosts file, and you can decide to accept or reject the change when something changes it.
#31
May 26th, 2012, 05:12 PM
Cudni (Global Moderator; Join Date: May 2009; Location: Somethingshire; Posts: 6,944)
Re: [Thread split] Hosts file et al

OT posts removed
__________________
once we only had ideals, today they are the only things we are missing
Microsoft MVP, 2006 - 2013/14
#32
June 3rd, 2012, 03:51 AM
Tomwa (Regular Poster; Join Date: Feb 2010; Posts: 158)
Re: [Thread split] Hosts file et al

I use the hosts file for blocking ads/trackers (as my signature dictates) as I have other web based programs on my computer which contain ads, and since Kaspersky's ad blocker is literally worthless I rely on my hosts file to block those ads (and it works for me without fail as it always has). HostsMan serves as a quick little utility for managing it.

I stick to the default 127.0.0.1 as I notice no issues with it (If it ain't broke don't fix it).
__________________
KIS 2013 + LUA + SRP + SpywareBlaster + UAC Max + EMET Max + (Removed) Keyscrambler + Sandboxie + WinPatrol + PeerBlock + TrueCrypt (FDE 63 Char random ASCII key) + Tor (Privoxy + Polipo chain) + OpenDNS + HostsMan (MVPS + hpHosts (Ads/trackers)).
#33
June 11th, 2012, 08:05 AM
nodbaga (Infrequent Poster; Join Date: Jun 2012; Location: US; Posts: 8)
Back to Security

Discussion seems to have drifted to 127.0.0.1 vs 0, quality of methods of ad blocking, etc.

All this is completely irrelevant to security. Original security issue: hosts file is modified without user permission. I have the same problem. In my case two lines disappear from my hosts file on a regular basis:

127.0.0.1 ad.doubleclick.net
127.0.0.1 www.google-analytics.com

Again, what was on those lines is absolutely irrelevant, please don't even start. Real question is - what is the source of this malicious activity?
#34
June 11th, 2012, 08:38 AM
m00nbl00d (Incredibly Massive Poster; Join Date: Jan 2009; Posts: 6,470)
Re: Back to Security

Interesting... I've never heard of any piece of malware* that removes Doubleclick, an advertising company owned by Google, and Google Analytics. I may be wrong, though.
Anyway, before jumping to that conclusion, it is important to know if you have some application that handles the hosts file, such as HostsMan. If you have, is it possible that you may have exclusion entries, which will remove those two entries if found?

Another possible scenario is that some other application you may be using removed those two entries. It would have to be some dubious application, I must add. Anything running with administrator privileges or more could have changed any of those entries.

I just don't see any malware* removing those two entries.

Another thing we should know is whether or not you use an administrator account for your daily tasks.

-edit-

* Maybe that's not what you meant with malicious. lol

Last edited by m00nbl00d : June 11th, 2012 at 08:46 AM.
#35
June 11th, 2012, 08:44 AM
m00nbl00d (Incredibly Massive Poster; Join Date: Jan 2009; Posts: 6,470)
Re: MSE 4

Quote:
Originally Posted by funkydude
How is that suspicious? It would be smart for malware to modify the HOSTS file and divert a popular advertising site to a malicious one, that way they have a higher chance of infecting you further. So it could easily be a FP.

Yet another reason not to use a HOSTS file for something like ad blocking and use a real tool designed to do just that.

I doubt it was a FP, otherwise it would have happened to anyone having that entry in their hosts file, and MSE. I didn't see it happening here. Some other odd event had to be the cause of it all.
#36
June 11th, 2012, 04:38 PM
nodbaga (Infrequent Poster; Join Date: Jun 2012; Location: US; Posts: 8)
Re: Back to Security

OK, here is my problem again:

I discovered that some valid lines disappear from my 'hosts' file from time to time. It's a couple of months since I discovered it.

I don't have any program (like HostsMan) managing my hosts file. I edit it by hand using Notepad. As far as I know, NOD32, which I use for runtime protection, is not managing this file either.

I do work on this machine daily from an administrative account, but such is the nature of what I do, no choice here.

Both NOD32 and manual weekly scan using Malwarebytes report my system as clean all this time.

Whatever entity is messing with my 'hosts' file is doing this without my permission, and against my will. Therefore, regardless of its intentions, I call it malware.

Does anybody have any clue what it is and/or how I make it stop?
#37
June 11th, 2012, 05:49 PM
m00nbl00d (Incredibly Massive Poster; Join Date: Jan 2009; Posts: 6,470)
Re: Back to Security

You could run a monitoring application to monitor your system for any changes, specifically if something tries to change the hosts file. If the application behind those actions is "legit", then it shouldn't conceal its actions, and the monitoring application should have no problems flagging it.

Considering that you run with full administrator privileges, maybe you could consider some security application that will protect important system areas?
#38
June 11th, 2012, 07:27 PM
noone_particular (Very Frequent Poster; Join Date: Aug 2008; Posts: 1,877)
Re: Back to Security

Quote:
You could run a monitoring application to monitor your system for any changes, specifically if something tries to change the hosts file. If the application behind those action is "legit", then it shouldn't conceal its actions, and the monitor application should have no problems flagging it.

That's probably the only way you'll find out what is changing it. There are monitoring apps that either poll on intervals or watch in real time. On short intervals, the polling apps can cause lag. You might be able to narrow down your search by determining which apps (including their updating components) have administrative rights.
__________________
Sitting in a bunker, here behind my wall, waiting for the worms to come.
#39
June 11th, 2012, 08:52 PM
FanJ (Updates Team; Join Date: Feb 2002; Posts: 1,805)
Re: Back to Security

Quote:
Originally Posted by nodbaga
Discussion seems to have drifted to 127.0.0.1 vs 0, quality of methods of ad blocking, etc.

All this is completely irrelevant to security. Original security issue: hosts file is modified without user permission. I have the same problem. In my case two lines disappear from my hosts file on a regular basis:

127.0.0.1 ad.doubleclick.net
127.0.0.1 www.google-analytics.com

Again, what was on those lines is absolutely irrelevant, please don't even start. Real question is - what is the source of this malicious activity?

Hi nodbaga,

For now I'm not going into the "why" and "what has changed it" question. Dear members m00nbl00d and noone_particular have slightly pointed to that.

If you would allow me, may I point to (maybe) another possibility to block the two URLs. I did read that you are using NOD32. I don't know which version of NOD32 and which Windows OS version you are using. Version 4.2.71.2 of NOD32 (on XP) gives you the possibility to block URLs (and you can even use the "masks" * and ?) in some way. From the Help-file of 4.2.71.2:

"HTTP address management
In this section you can define lists of addresses that will be blocked, allowed, or excluded from scanning.
These three lists are by default available in the Lists drop-down menu."


In version 4.2.71.2 (advanced setup):
Antivirus and antispyware > Web access protection > HTTP, HTTPS > Address management.
You can choose there what you want to do. I use it.
How to do it on NOD32 version 5 (if possible), I don't know. Ask about it on the ESET forum.

Last edited by FanJ : June 13th, 2012 at 01:01 AM.
#40
June 14th, 2012, 07:36 PM
nodbaga (Infrequent Poster; Join Date: Jun 2012; Location: US; Posts: 8)
Re: Back to Security

Quote:
Originally Posted by noone_particular
That's probably the only way you'll find out what is changing it...
Quote:
Originally Posted by m00nbl00d
You could run a monitoring application...

Thank you for the advice! As a matter of fact I started monitoring the hosts file some time ago. So far the only write to the file which was not me was by svchost.exe with mpengine.dll from Microsoft\Windows Defender on the stack. Unfortunately, I can't confirm that it actually modified the file, because I didn't check the contents before this write access. I can only say that after that write, the lines in question were not present in the file. Since that time the hosts file was not modified. I left the monitor running, will let you know if it catches anything.

Theoretically 'they' can detect if the file is monitored, and not touch it in that case. I doubt it though.
#41
June 14th, 2012, 08:24 PM
nodbaga (Infrequent Poster; Join Date: Jun 2012; Location: US; Posts: 8)
Re: Back to Security

Quote:
Originally Posted by FanJ
... NOD32 ...
In version 4.2.71.2 (advanced setup):
Antivirus and antispyware > Web access protection > HTTP, HTTPS > Address management.

Hi FanJ,
thank you for the advice. I have NOD32 4.2.71.2 on Win7 and use Chrome (latest). Unfortunately, it did not work for me. I blocked access to ad.doubleclick.net, but when I browse to, say, http://www.accuweather.com/, scripts from ad.doubleclick.net are downloaded OK.
Maybe NOD32 is only blocking HTML? Anyway, I will try it again, after reboot.
#42
June 17th, 2012, 09:44 AM
nodbaga (Infrequent Poster; Join Date: Jun 2012; Location: US; Posts: 8)
It is Windows Defender!

At 5:42 am the file C:\Windows\System32\drivers\etc\hosts was modified by the process C:\Windows\System32\svchost.exe -k secsvcs. The first non-kernel module on the stack is C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{C81B2031-BF61-4014-8979-31D26BCE102A}\mpengine.dll. The following two lines were replaced with blank lines:

0.0.0.0 ad.doubleclick.net
0.0.0.0 www.google-analytics.com

I'll try to get more details...
#43
June 17th, 2012, 09:47 AM
funkydude (Incredibly Massive Poster; Join Date: Apr 2004; Posts: 6,003)
Re: [Thread split] Hosts file et al

Have you tried using 127.0.0.1 instead and seeing if the issue goes away? I bet it does.
__________________
OpenDNS with DNSCrypt

SSD: Windows 8 Pro x64 | IE10 (Enhanced Protected Mode) & Fanboy's TPLs
HDD: Xubuntu 12.04 LTS (x64) | Firefox: ABP(Fanboy's list) & HTTPS Everywhere
#44
June 17th, 2012, 11:26 AM
Escalader (Massive Poster; Join Date: Dec 2005; Location: Land of the Mooses; Posts: 3,637)
Re: [Thread split] Hosts file et al

Hate to break into the thread late BUT I have a simple question:

How do I EASILY edit the contents of my Host file in windows 7 64 bit?

I need a tool?
__________________
Escalader
i7 8 GB RAM Notebook, 1TB External Drive
Sandboxie, Nod32, OP FW Pro, KeyScrambler, MVPS HOSTS File
IE 9 Hardened Active X,SmartScreen,Tracking Protection
Paragon Backup and Imaging
#45
June 17th, 2012, 11:38 AM
Cudni (Global Moderator; Join Date: May 2009; Location: Somethingshire; Posts: 6,944)
Re: [Thread split] Hosts file et al

Quote:
Originally Posted by Escalader
How do I EASILY edit the contents of my Host file in windows 7 64 bit?

I need a tool?

As easy as running Notepad as administrator and then editing the file.
__________________
once we only had ideals, today they are the only things we are missing
Microsoft MVP, 2006 - 2013/14
#46
June 17th, 2012, 01:04 PM
noone_particular (Very Frequent Poster; Join Date: Aug 2008; Posts: 1,877)
Re: It is Windows Defender!

Quote:
Originally Posted by nodbaga
At 5:42 am the file C:\Windows\System32\drivers\etc\hosts was modified by the process C:\Windows\System32\svchost.exe -k secsvcs. The first non-kernel module on the stack is C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{C81B2031-BF61-4014-8979-31D26BCE102A}\mpengine.dll. The following two lines were replaced with blank lines:

0.0.0.0 ad.doubleclick.net
0.0.0.0 www.google-analytics.com

I'll try to get more details...

Forum software seems determined that google-analytics needs to be a link. Putting lines like that in a code box prevents it.
Code:
0.0.0.0 ad.doubleclick.net
0.0.0.0 www.google-analytics.com

Just to clarify, you're using 0.0.0.0 on all the items you block, but only those 2 were singled out? These are typical of the other entries? I'm wondering if WD is singling out those 2 entries specifically or if it's not parsing the file correctly. Just for a test, try moving those 2 lines farther down the file and see if WD singles them out again or if it focuses on the next pair of 0.0.0.0 entries. If it still does, maybe adding an extra space after the last "0" or changing just those 2 to use 127.0.0.1 could stop that particular problem, but it points out a few others.

Regarding the "proper format" for what many call an improper use of the hosts file, both 127.0.0.1 and 0.0.0.0 have been used for some time, something MS is very aware of. If WD can't properly parse the file because it contains 0.0.0.0, what will it do with one that contains "normal" IPs? Unless for some reason WD is deliberately removing blocks to those 2 links, it's definitely not reading the file properly. Maybe it's mistaking them for similar names that are malicious (think in terms of typo squatting). I also question WD altering a file that can contain user specified IPs without the user being asked or told. If that were my system, I'd throw WD out on the spot for that alone.
__________________
Sitting in a bunker, here behind my wall, waiting for the worms to come.
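An added example, not code posted in this thread: it puts noone_particular's two suggestions together, the hash check at startup or as a scheduled task (post #29) and the question in post #46 of whether only those two entries were singled out or the file was misparsed. It compares a saved baseline copy of the hosts file with the current one: the SHA-256 hash answers "did it change at all?", and a small hosts-file parser then reports which hostnames were removed, added, or pointed at a different address, treating 0.0.0.0 and 127.0.0.1 alike as blocking sinks. The sample hosts contents are constructed to mirror the thread (two entries replaced by blank lines); ads.example.test and the baseline path are placeholders, and keeping a baseline copy of the file somewhere the user controls is an assumption of the example.

```python
"""Hosts-file integrity and change report (added example, not code from
the thread).  A saved baseline copy of the hosts file is assumed to
exist; the file paths below are placeholders."""
import hashlib
from pathlib import Path

# Sink addresses used in blocking hosts files; the thread uses both
# IPv4 forms, ::1 is included for IPv6-aware lists.
BLOCK_SINKS = {"0.0.0.0", "127.0.0.1", "::1"}


def parse_hosts(text):
    """Return {hostname: ip} for every active mapping in hosts-file text.

    Comments (#), blank lines, tabs and several hostnames per line are
    handled, so a line that was replaced by a blank line simply yields
    no entry.  Hostnames are lower-cased because DNS names are
    case-insensitive.
    """
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # malformed: an address with no hostname
        ip, *names = fields
        for name in names:
            mapping[name.lower()] = ip
    return mapping


def sha256_text(text):
    """Hash the raw contents; a cheap 'did anything change?' check."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def diff_hosts(baseline_text, current_text):
    """Explain the difference between a baseline and the current file.

    Returns a dict with:
      changed    - raw contents differ (hash mismatch)
      removed    - hostnames present in the baseline but missing now
      added      - hostnames present now that were not in the baseline
      retargeted - {hostname: (old_ip, new_ip)} for changed mappings
      unblocked  - hostnames moved from a sink to a routable address,
                   the case where a blocked name could be pointed at a
                   server the user never chose
    """
    changed = sha256_text(baseline_text) != sha256_text(current_text)
    base = parse_hosts(baseline_text)
    cur = parse_hosts(current_text)
    removed = sorted(h for h in base if h not in cur)
    added = sorted(h for h in cur if h not in base)
    retargeted = {h: (base[h], cur[h]) for h in base
                  if h in cur and base[h] != cur[h]}
    unblocked = sorted(h for h, (old, new) in retargeted.items()
                       if old in BLOCK_SINKS and new not in BLOCK_SINKS)
    return {"changed": changed, "removed": removed, "added": added,
            "retargeted": retargeted, "unblocked": unblocked}


def check_hosts_file(hosts_path, baseline_path):
    """Run the comparison against files on disk (paths are placeholders).

    Windows writes the file in a single-byte code page; errors='replace'
    keeps the check from crashing on a stray byte.
    """
    cur = Path(hosts_path).read_text(encoding="utf-8", errors="replace")
    base = Path(baseline_path).read_text(encoding="utf-8", errors="replace")
    return diff_hosts(base, cur)


# Constructed sample modelled on the thread: the baseline holds two
# blocking entries, the current file has them replaced by blank lines.
# ads.example.test is a placeholder hostname.
BASELINE = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0 ad.doubleclick.net
0.0.0.0 www.google-analytics.com
0.0.0.0 ads.example.test
"""

CURRENT = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost


0.0.0.0 ads.example.test
"""

if __name__ == "__main__":
    # On a live system use check_hosts_file() with the real hosts path
    # (C:\Windows\System32\drivers\etc\hosts) and your own baseline copy.
    for key, value in diff_hosts(BASELINE, CURRENT).items():
        print(f"{key}: {value}")
```

Run as a scheduled task, a non-empty `removed` or `unblocked` list is the thing to alert on: the first is what this thread saw, the second is the diversion funkydude describes in post #35. Refresh the baseline copy only after a change you made yourself.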
#47
June 17th, 2012, 01:45 PM
nodbaga (Infrequent Poster; Join Date: Jun 2012; Location: US; Posts: 8)
Re: [Thread split] Hosts file et al

Quote:
Originally Posted by funkydude
Have you tried using 127.0.0.1 instead and seeing if the issue goes away? I bet it does

Tried both 0.0.0.0 and 127.0.0.1. No difference.
#48
June 17th, 2012, 02:20 PM
Escalader (Massive Poster; Join Date: Dec 2005; Location: Land of the Mooses; Posts: 3,637)
Re: [Thread split] Hosts file et al

Quote:
Originally Posted by Cudni
As easy as running a notepad as administrator and then editing the file


Wow! Thanks, that was easy. Now all I have to do is figure out where Gates hid it!
__________________
Escalader
i7 8 GB RAM Notebook, 1TB External Drive
Sandboxie, Nod32, OP FW Pro, KeyScrambler, MVPS HOSTS File
IE 9 Hardened Active X,SmartScreen,Tracking Protection
Paragon Backup and Imaging
#49
June 17th, 2012, 02:48 PM
funkydude (Incredibly Massive Poster; Join Date: Apr 2004; Posts: 6,003)
Re: [Thread split] Hosts file et al

Quote:
Originally Posted by nodbaga
Tried both 0.0.0.0 and 127.0.0.1. No difference.

Then I'm afraid it's time to report the issue on the MSE forums.
__________________
OpenDNS with DNSCrypt

SSD: Windows 8 Pro x64 | IE10 (Enhanced Protected Mode) & Fanboy's TPLs
HDD: Xubuntu 12.04 LTS (x64) | Firefox: ABP(Fanboy's list) & HTTPS Everywhere
#50
June 17th, 2012, 08:44 PM
nodbaga (Infrequent Poster; Join Date: Jun 2012; Location: US; Posts: 8)
Re: [Thread split] Hosts file et al

Quote:
Originally Posted by Escalader
Wow! Thanks, that was easy. Now all I have to do is figure out where Gates hid it!

%SystemRoot%\System32\drivers\etc\hosts, on most systems it is C:\Windows\System32\drivers\etc\hosts
 
