Wilders Security Forums  

  #1  
Old October 5th, 2012, 11:36 PM
siljaline siljaline is offline
Security Expert
 
Join Date: Jun 2003
Location: Montréal, Canada
Posts: 4,142
Post Hosts file is detected as malware in Windows Defender

http://support.microsoft.com/kb/2764944/en-us
Quote:
• You install Windows 8.
• You change the Hosts file by specifying custom IP-address-to-host-name mappings to prevent users from browsing to some websites.
• You run a scan in Microsoft Windows Defender.
In this scenario, the Hosts file is detected as a SettingsModifier:Win32/PossibleHostsFileHijack malware threat by Windows Defender.

For those that run a custom Hosts file, please see the MS KB to exclude this file from detection.
  #2  
Old October 6th, 2012, 01:21 AM
ComputerSaysNo ComputerSaysNo is offline
Very Frequent Poster
 
Join Date: Aug 2012
Posts: 1,086
Default Re: Hosts file is detected as malware in Windows Defender

Honestly, you should not be able to modify the host file. I can understand why WD picks it up as malware.
  #3  
Old October 6th, 2012, 01:35 AM
siljaline siljaline is offline
Security Expert
 
Join Date: Jun 2003
Location: Montréal, Canada
Posts: 4,142
Post Re: Hosts file is detected as malware in Windows Defender

You should not be able to modify the Hosts file, but many run non-native Hosts files. It's fair that WD flags a non-native file as an intrusion. Question is, how many going to W8 with a user-defined file will have it trashed by WD? Many elsewhere are finding this action by MS rather confounding.
  #4  
Old October 6th, 2012, 05:47 AM
PJC PJC is offline
Very Frequent Poster
 
Join Date: Feb 2010
Location: Internet
Posts: 2,962
Default Hosts file is detected as malware in Windows Defender

Confusing, indeed...
  #5  
Old October 6th, 2012, 06:06 AM
m00nbl00d m00nbl00d is offline
Incredibly Massive Poster
 
Join Date: Jan 2009
Posts: 6,464
Default Re: Hosts file is detected as malware in Windows Defender

Quote:
Originally Posted by ComputerSaysNo
Honestly, you should not be able to modify the host file. I can understand why WD picks it up as malware.

So, you're saying that whenever a DNS issue prevents a domain name to resolve to the IP address, then I can't temporarily solve that issue by mapping that domain to its IP address, in the hosts file, until the issue is solved? Wouldn't that be stupid?
  #6  
Old October 6th, 2012, 06:09 AM
ComputerSaysNo ComputerSaysNo is offline
Very Frequent Poster
 
Join Date: Aug 2012
Posts: 1,086
Default Re: Hosts file is detected as malware in Windows Defender

Quote:
Originally Posted by m00nbl00d
So, you're saying that whenever a DNS issue prevents a domain name to resolve to the IP address, then I can't temporarily solve that issue by mapping that domain to its IP address, in the hosts file, until the issue is solved? Wouldn't that be stupid?

Since when does that happen?
  #7  
Old October 6th, 2012, 06:11 AM
m00nbl00d m00nbl00d is offline
Incredibly Massive Poster
 
Join Date: Jan 2009
Posts: 6,464
Default Re: Hosts file is detected as malware in Windows Defender

Quote:
Originally Posted by ComputerSaysNo
Since when does that happen?

Since when what? DNS issues? Not so long ago some users of this forum were having issues to access it, due to DNS issues. I was one of such users, and the solution was to map www.wilderssecurity.com to its IP address. Problem solved.

That's just one tiny example.
  #8  
Old October 6th, 2012, 06:13 AM
m00nbl00d m00nbl00d is offline
Incredibly Massive Poster
 
Join Date: Jan 2009
Posts: 6,464
Default Re: Hosts file is detected as malware in Windows Defender

Here: http://www.wilderssecurity.com/showt...&highlight=dns (I actually didn't think it passed two years. lol)
  #9  
Old October 6th, 2012, 06:37 AM
ComputerSaysNo ComputerSaysNo is offline
Very Frequent Poster
 
Join Date: Aug 2012
Posts: 1,086
Default Re: Hosts file is detected as malware in Windows Defender

Well you really don't need to modify the HOST file. That's a bit silly. Anyway it will be picked up as malware by every AV scanner on earth so what's the point?
  #10  
Old October 6th, 2012, 06:45 AM
m00nbl00d m00nbl00d is offline
Incredibly Massive Poster
 
Join Date: Jan 2009
Posts: 6,464
Default Re: Hosts file is detected as malware in Windows Defender

Quote:
Originally Posted by ComputerSaysNo
Well you really don't need to modify the HOST file. That's a bit silly. Anyway it will be picked up as malware by every AV scanner on earth so what's the point?

Why is it silly? Care to explain? I mentioned a valid scenario where one would want to use the hosts file, so one can access a given domain. So, how is it silly?

Regarding the detection... one doesn't really need to use an antivirus either... so...
  #11  
Old October 6th, 2012, 06:47 AM
ComputerSaysNo ComputerSaysNo is offline
Very Frequent Poster
 
Join Date: Aug 2012
Posts: 1,086
Default Re: Hosts file is detected as malware in Windows Defender

Quote:
Originally Posted by m00nbl00d
Why is it silly? Care to explain? I mentioned a valid scenario where one would want to use the hosts file, so one can access a given domain. So, how is it silly?

Regarding the detection... one doesn't really need to use an antivirus either... so...


Well if you can't live without a website being down for 2 hours then But I don't think it's best practice to modify the HOST file, malware does that good enough already.

And yes very true.. You really don't need an AV either. Most are utter junk.
  #12  
Old October 6th, 2012, 06:54 AM
AMIGA500 AMIGA500 is online now
Very Frequent Poster
 
Join Date: May 2012
Location: United Kingdom.
Posts: 2,658
Default Re: Hosts file is detected as malware in Windows Defender

Quote:
Originally Posted by ComputerSaysNo
Well if you can't live without a website being down for 2 hours then But I don't think it's best practice to modify the HOST file, malware does that good enough already.

And yes very true.. You really don't need an AV either. Most are utter junk.

What AV would you recommend then, considering most are junk in your opinion?
Strange comment.
__________________
Avira Free av|Comodo Firewall 5.12|MBAM Free.|Sandboxie.|Firefox Browser.

For we wrestle not against flesh and blood, but against principalities, against powers, and against the worldly governors, the princes of the darkness of this world...
  #13  
Old October 6th, 2012, 07:11 AM
Eagle Creek Eagle Creek is offline
Global Moderator
 
Join Date: Jul 2004
Location: The Netherlands
Posts: 726
Default Re: Hosts file is detected as malware in Windows Defender

I noticed the same issue 2 days ago. However, I noticed it on a Windows 7 Professional system, not Windows 8!

I ignored the warning because deleting the host file didn't seem very wise. I thought it was caused by an update from WinDef, and because I did have some custom entries in my host file I didn't pay much attention to it.

I've noticed MS has put out the advice to add the host file to the exclusion zone, which doesn't sound like a solid solution. I doubt the exclusion will be automatically removed once the problem has been solved.
__________________
Nucia, a safe place in an unsafe world
Because the best way to kill malware, is to kill it together.


When you encounter seemingly good advice that contradicts other seemingly good advice, ignore them both.
  #14  
Old October 6th, 2012, 07:15 AM
m00nbl00d m00nbl00d is offline
Incredibly Massive Poster
 
Join Date: Jan 2009
Posts: 6,464
Default Re: Hosts file is detected as malware in Windows Defender

Quote:
Originally Posted by ComputerSaysNo
Well if you can't live without a website being down for 2 hours then But I don't think it's best practice to modify the HOST file, malware does that good enough already.[...]

Well, whether or not someone can't for 2 hours for a website to be up, it will depend on whether or not it will be problematic for more than 2 hours, and whether or not we're dealing with an important website.

Also, with the exception of malware, modifying a hosts file bears no harm to the system. And, under certain scenarios it actually brings benefits.
  #15  
Old October 6th, 2012, 10:22 AM
Sully Sully is offline
Massive Poster
 
Join Date: Dec 2005
Posts: 3,696
Default Re: Hosts file is detected as malware in Windows Defender

@m00nbl00d

I agree 100% with you and think the hosts file is great. There are other files as well, but hosts is most popular.

If this thread is any indication of reality, maybe the whining of the ignorant to M$ has caused this.

Sul.
__________________
I do things TO my computer, not WITH my computer.. I am a nerd.
  #16  
Old October 6th, 2012, 12:36 PM
siljaline siljaline is offline
Security Expert
 
Join Date: Jun 2003
Location: Montréal, Canada
Posts: 4,142
Post Re: Hosts file is detected as malware in Windows Defender

MS have decided several new scenarios with Windows Defender,
the main change is detecting non-native Hosts files as malicious.

They are giving you these choices:

A- Set "WD" not to detect a foreign Hosts file, this has been riding on my sig in case no one noticed.

B- Don't use a non-native Hosts file, most choose to, others don't.
I'm not political and don't run Polls, you need to decide for yourself if the benefits a Hosts file offers outweigh the issues of running one.
I would sooner (opinion) rely on my anti-virus | anti-malware app for protection with WD disabled, but that's me. This thread is not about disabling apps.

@MODS
C- Those that are here to berate others that don't quite get the concept of these should pack up and take their business elsewhere as this is a Moderated Computer discussion Forum.
  #17  
Old October 6th, 2012, 12:41 PM
dvk01 dvk01 is offline
Global Moderator
 
Join Date: Oct 2003
Location: Loughton, Essex. UK
Posts: 3,129
Default Re: Hosts file is detected as malware in Windows Defender

The Microsoft entry is slightly misleading. As far as is known, it isn't ANY or ALL entries in a hosts file that will be flagged by defender and alerted to but only many entries pointing to 127.0.0.1 and to certain well known websites like Microsoft, google, facebook, adobe & doubleclick etc that routinely get attempted to be diverted by malware when an unknown IP address is listed in it.

That all came up in testing a few weeks or months ago when defender automatically blocked adding many sites to the hosts file.
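
The two signals described in the post above (bulk entries pointing at 127.0.0.1, and well-known sites mapped to an unfamiliar address) can be checked on your own hosts file before deciding to exclude it from scanning. This is an added example, not part of the thread and not Windows Defender's actual detection logic; the watched labels come from the post, while the threshold, function names and sample file are assumptions.

```python
import ipaddress

# Brand labels named in the post above; the threshold is an assumed value.
WATCHED_LABELS = {"microsoft", "google", "facebook", "adobe", "doubleclick"}
BULK_SINKHOLE_THRESHOLD = 10

# Constructed sample hosts file (documentation-range addresses only).
SAMPLE = """\
# custom entries
127.0.0.1 localhost
::1 localhost
127.0.0.1 ad.doubleclick.net   # ad blocking
0.0.0.0 tracker.example
203.0.113.7 www.facebook.com
203.0.113.7 update.microsoft.com login.example
192.0.2.10 intranet.example
not-an-ip broken.example
"""

def parse_hosts(text):
    """Yield (line_number, ip, hostname) for each mapping, skipping comments."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed address, not a usable mapping
        for name in fields[1:]:
            yield lineno, ip, name.lower().rstrip(".")

def audit(text):
    """Classify entries using the two signals described in the post."""
    report = {"sinkholed": 0, "blocked_watched": [], "redirected_watched": []}
    for lineno, ip, host in parse_hosts(text):
        # Match whole DNS labels so "notgoogle.example" is not a hit.
        watched = bool(WATCHED_LABELS & set(host.split(".")))
        if ip.is_loopback or ip.is_unspecified:
            if host == "localhost":
                continue  # stock entry, not a custom mapping
            report["sinkholed"] += 1
            if watched:
                report["blocked_watched"].append((lineno, host))
        elif watched:
            # Well-known site pinned to an arbitrary address: review first.
            report["redirected_watched"].append((lineno, host, str(ip)))
    report["bulk_sinkhole"] = report["sinkholed"] >= BULK_SINKHOLE_THRESHOLD
    return report

if __name__ == "__main__":
    for key, value in audit(SAMPLE).items():
        print(key, value)
```

Entries under `redirected_watched` are the ones to verify by hand; a large `sinkholed` count on its own is what a blocklist-style hosts file normally looks like.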
  #18  
Old October 6th, 2012, 04:42 PM
Sully Sully is offline
Massive Poster
 
Join Date: Dec 2005
Posts: 3,696
Default Re: Hosts file is detected as malware in Windows Defender

Quote:
Originally Posted by siljaline
@MODS
C- Those that are here to berate others that don't quite get the concept of these should pack up and take their business elsewhere as this is a Moderated Computer discussion Forum.

Who was berated?

Sul.
__________________
I do things TO my computer, not WITH my computer.. I am a nerd.
  #19  
Old October 6th, 2012, 10:01 PM
AlexC AlexC is offline
Very Frequent Poster
 
Join Date: Apr 2009
Posts: 1,111
Default Re: Hosts file is detected as malware in Windows Defender

Will Windows Defender apply actions automatically -in default settings- when that detection occurs?
__________________
Linux Mint 13 MATE x64
  #20  
Old October 6th, 2012, 11:17 PM
siljaline siljaline is offline
Security Expert
 
Join Date: Jun 2003
Location: Montréal, Canada
Posts: 4,142
Post Re: Hosts file is detected as malware in Windows Defender

Per the KB you must exclude a non-native Hosts file from detection.
Instructions how to do this are detailed below.
http://support.microsoft.com/kb/2764944/en-us
  #21  
Old October 7th, 2012, 02:17 AM
ComputerSaysNo ComputerSaysNo is offline
Very Frequent Poster
 
Join Date: Aug 2012
Posts: 1,086
Default Re: Hosts file is detected as malware in Windows Defender

Quote:
Originally Posted by m00nbl00d
Well, whether or not someone can't for 2 hours for a website to be up, it will depend on whether or not it will be problematic for more than 2 hours, and whether or not we're dealing with an important website.

Also, with the exception of malware, modifying a hosts file bears no harm to the system. And, under certain scenarios it actually brings benefits.

Yeah I don't think it's best practice to modify the HOST file... For whatever reason..
  #22  
Old October 7th, 2012, 08:29 AM
m00nbl00d m00nbl00d is offline
Incredibly Massive Poster
 
Join Date: Jan 2009
Posts: 6,464
Default Re: Hosts file is detected as malware in Windows Defender

Quote:
Originally Posted by ComputerSaysNo
Yeah I don't think it's best practice to modify the HOST file... For whatever reason..

I also don't believe in modifying Windows/other default installation (that includes third-party software), but we all do it, don't we? So, we're going to have to agree to disagree in this one.
  #23  
Old October 7th, 2012, 11:38 AM
fax fax is offline
Very Frequent Poster
 
Join Date: May 2005
Posts: 2,562
Default Re: Hosts file is detected as malware in Windows Defender

Quote:
Originally Posted by m00nbl00d
but we all do it, don't we?

Yes, but it is not officially supported.
  #24  
Old October 7th, 2012, 04:43 PM
m00nbl00d m00nbl00d is offline
Incredibly Massive Poster
 
Join Date: Jan 2009
Posts: 6,464
Default Re: Hosts file is detected as malware in Windows Defender

Quote:
Originally Posted by fax
Yes, but it is not officially supported.

What isn't? Installing, say, Adobe Reader X? By installing any application we're altering the system. It's not any different from the hosts file, really. A change is a change, regardless of its nature. Any antivirus will have false positives/flag potential unwanted applications. Are we going to stop using such applications because of that? I don't think so.

Heck, even a system "hack" is welcome, provided that it benefits our use of the system, even if some "crazy" AV flags it. Who cares if it isn't officially supported by Microsoft.

In this specific case, Microsoft has Windows Defender flag a hosts file modification as PossibleHostsFileHijack. It fits in the potential unwanted modification (at the image of potential unwanted application) category.
  #25  
Old October 7th, 2012, 04:54 PM
funkydude funkydude is offline
Incredibly Massive Poster
 
Join Date: Apr 2004
Posts: 6,000
Default Re: Hosts file is detected as malware in Windows Defender

So basically this detection is actually a bug fix, whereas before it would invisibly "clean" the HOSTS file, it now properly tags that action.
__________________
OpenDNS with DNSCrypt

SSD: Windows 8 Pro x64 | IE10 (Enhanced Protected Mode) & Fanboy's TPLs
HDD: Xubuntu 12.04 LTS (x64) | Firefox: ABP(Fanboy's list) & HTTPS Everywhere
 

All times are GMT -4.