Wilders Security Forums  

  #26  
Old October 7th, 2012, 05:00 PM
m00nbl00d m00nbl00d is offline
Incredibly Massive Poster
 
Join Date: Jan 2009
Posts: 6,450
Default Re: Hosts file is detected as malware in Windows Defender

Quote:
Originally Posted by funkydude
So basically this detection is actually a bug fix, whereas before it would invisibly "clean" the HOSTS file, it now properly tags that action.

By the way, I remember some older thread where some users also reported MSE cleaning their hosts file for those same entries? If I recall correctly, when I tested it, MSE seemed to ignore the entries using 0.0.0.0 instead of 127.0.0.1. Unless Microsoft changes its behavior (to detect the modifications), then 0.0.0.0 might be a workaround for those not wanting to exclude the hosts file from MSE's detection. But, I'm not sure if anything has changed in the meantime...
  #27  
Old October 7th, 2012, 05:46 PM
siljaline siljaline is offline
Security Expert
 
Join Date: Jun 2003
Location: Montréal, Canada
Posts: 4,126
Post Re: Hosts file is detected as malware in Windows Defender

MS is stating that unless you set the exclusion - Defender will eat your non-native Hosts file. So, yes, MS is coming clean by saying Defender's default action is to examine and render your Hosts file to default if it's been altered.
Quote:
Originally Posted by funkydude
So basically this detection is actually a bug fix, whereas before it would invisibly "clean" the HOSTS file, it now properly tags that action.
  #28  
Old October 7th, 2012, 11:27 PM
fax fax is offline
Very Frequent Poster
 
Join Date: May 2005
Posts: 2,546
Default Re: Hosts file is detected as malware in Windows Defender

Quote:
Originally Posted by m00nbl00d
What isn't? Installing, say, Adobe Reader X? By installing any application we're altering the system. It's not any different from the hosts file, really. A change is a change, regardless of its nature. Any antivirus will have false positives/flag potential unwanted applications. Are we going to stop using such applications because of that? I don't think so.

Heck, even a system "hack" is welcome, provided that it benefits our use of the system, even if some "crazy" AV flags it. Who cares if it isn't officially supported by Microsoft.

In this specific case, Microsoft has Windows Defender flag a hosts file modification as PossibleHostsFileHijack. It fits in the potentially unwanted modification (in the image of potentially unwanted application) category.

This is what Microsoft suggests the hosts file is for: http://technet.microsoft.com/en-us/l.../cc751132.aspx not a 127.0.0.0 cemetery
  #29  
Old October 8th, 2012, 07:48 AM
m00nbl00d m00nbl00d is offline
Incredibly Massive Poster
 
Join Date: Jan 2009
Posts: 6,450
Default Re: Hosts file is detected as malware in Windows Defender

Quote:
Originally Posted by fax
This is what Microsoft suggests the hosts file is for: http://technet.microsoft.com/en-us/l.../cc751132.aspx not a 127.0.0.0 cemetery

So, it seems that I'm following Microsoft's suggestion. http://www.wilderssecurity.com/showp...77&postcount=7

But, others are against even this, which has been precisely the focus of my posts. The hosts file has its benefits, and it is to be used when we need those benefits. Not simply refute them, just because someone thinks these changes are evil...

Then again, Microsoft also recommends excluding certain operating system areas from antivirus scanning engines. Whether or not this is a good practice for those needing an antivirus is to be seen... -http://support.microsoft.com/kb/822158

So, it seems that with everything we do there are benefits and risks involved. It's up to us to decide if we should accept the benefits and go for it; or, if we'll be afraid of the risk and bend over.
  #30  
Old October 8th, 2012, 07:55 AM
m00nbl00d m00nbl00d is offline
Incredibly Massive Poster
 
Join Date: Jan 2009
Posts: 6,450
Default Re: Hosts file is detected as malware in Windows Defender

By the way, this whole discussion got me thinking.

If the user is to be screwed by malware, then the user will be screwed anyway. Example: What would prevent an attacker from mapping some domain name, even one of those ad domains, to an IP address other than the localhost address (127.0.0.1)?

In that scenario, it won't flag anything. There's no way for Microsoft to know which IP address a given domain resolves to, unless it's a static IP address.

And, what exactly would be the problem of a malicious program mapping some ad domain name to 127.0.0.1? They would be doing the user a favor, actually, and it would be the least of the user's concern. lol
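An added illustration of the distinction raised in post #30 (not part of the thread, and not how Windows Defender or MSE decides anything): a small audit that separates hosts entries pointing at 127.0.0.1 or 0.0.0.0 from entries that point a name at some other address, which are the ones that actually redirect traffic and deserve manual review. The sample file, hostnames and addresses are constructed placeholders.

```python
import ipaddress

# Constructed sample hosts file; names and addresses are placeholders.
SAMPLE_HOSTS = """\
# sample hosts file
127.0.0.1       localhost
::1             localhost
127.0.0.1       ads.example.com       # loopback-style block entry
0.0.0.0         tracker.example.net   # 0.0.0.0-style block entry
203.0.113.10    login.example.org www.example.org
not-an-ip       broken.example.com
"""

def classify(addr):
    """Return the kind of mapping an address in a hosts line represents."""
    ip = ipaddress.ip_address(addr)   # raises ValueError on junk
    if ip.is_unspecified:             # 0.0.0.0 or ::
        return "null-sinkhole"
    if ip.is_loopback:                # 127.0.0.0/8 or ::1
        return "loopback-sinkhole"
    return "redirect"                 # name is pointed at a real address

def audit_hosts(text):
    """Return (line number, hostname, address, kind) for every mapping."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop comments, tokenize
        if not fields:
            continue
        addr, names = fields[0], fields[1:]
        try:
            kind = classify(addr)
        except ValueError:
            kind = "malformed"
        # One address may carry several hostnames; report each separately.
        for name in names or ["<none>"]:
            findings.append((lineno, name.lower(), addr, kind))
    return findings

def needs_review(findings):
    """Mappings that send a name somewhere other than a sinkhole."""
    return [f for f in findings if f[3] in ("redirect", "malformed")]

if __name__ == "__main__":
    for lineno, name, addr, kind in audit_hosts(SAMPLE_HOSTS):
        print(f"line {lineno}: {name} -> {addr} [{kind}]")
```

On a real system the text would be read from `%SystemRoot%\System32\drivers\etc\hosts` and passed to `audit_hosts`.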
  #31  
Old October 8th, 2012, 08:29 AM
funkydude funkydude is offline
Massive Poster
 
Join Date: Apr 2004
Posts: 5,992
Default Re: Hosts file is detected as malware in Windows Defender

Quote:
Originally Posted by m00nbl00d
And, what exactly would be the problem of a malicious program mapping some ad domain name to 127.0.0.1? They would be doing the user a favor, actually, and it would be the least of the user's concern. lol

As far as I'm aware even 127.0.0.1 can be marked as suspicious by MSE.
__________________
OpenDNS with DNSCrypt

SSD: Windows 8 Pro x64 | IE10 (Enhanced Protected Mode) & Fanboy's TPLs
HDD: Xubuntu 12.04 LTS (x64) | Firefox: ABP(Fanboy's list) & HTTPS Everywhere
  #32  
Old October 19th, 2012, 07:14 PM
siljaline siljaline is offline
Security Expert
 
Join Date: Jun 2003
Location: Montréal, Canada
Posts: 4,126
Post Re: Hosts file is detected as malware in Windows Defender

For those of you that updated to and run MVPS Hosts, ensure that you have set the Hosts file exclusion.
  #33  
Old October 21st, 2012, 11:56 PM
siljaline siljaline is offline
Security Expert
 
Join Date: Jun 2003
Location: Montréal, Canada
Posts: 4,126
Post Re: Hosts file is detected as malware in Windows Defender

See: This post. It took ages for MS to disclose that Windows Defender under Windows 8 will shred your custom Hosts file unless it is set at exclude. If WinDef under Win 7 is shredding your Hosts file, PM me and we'll look at the situation as I can escalate this to MS.

Quote:
Originally Posted by Eagle Creek
I've noticed the same issue 2 days ago. However, I noticed it on a Windows 7 Professional system, not Windows 8!

I ignored the warning because deleting the host file didn't seem very wise. I thought it was caused by an update from WinDef, and because I did have some custom entries in my host file I didn't pay much attention to it.

I've noticed MS has put out the advice to add the host file to the exclusion zone, which doesn't sound like a solid solution. I doubt the exclusion will be automatically removed once the problem has been solved.
  #34  
Old October 22nd, 2012, 03:00 AM
gerardwil gerardwil is offline
Massive Poster
 
Join Date: Jan 2004
Posts: 4,507
Default Re: Hosts file is detected as malware in Windows Defender

Quote:
Originally Posted by siljaline
If WinDef under Win 7 is shredding your Hosts file, PM me and we'll look at the situation as I can escalate this to MS.

May I ask who you mean by "we"?
__________________
25 forum posting etiquette tips
  #35  
Old October 22nd, 2012, 12:54 PM
siljaline siljaline is offline
Security Expert
 
Join Date: Jun 2003
Location: Montréal, Canada
Posts: 4,126
Lightbulb Re: Hosts file is detected as malware in Windows Defender

You - me, anyone willing to investigate.
Quote:
Originally Posted by gerardwil
May I ask who you mean by "we"?
  #36  
Old October 24th, 2012, 09:38 PM
siljaline siljaline is offline
Security Expert
 
Join Date: Jun 2003
Location: Montréal, Canada
Posts: 4,126
Post Re: Hosts file is detected as malware in Windows Defender

Some have asked elsewhere if this applies to a custom Hosts file under Windows 8. As already discussed but as a reminder, Windows Defender does require exclusion from detection. If anyone determines that action is happening under Windows 7, please let us know.

Thanks !
 

All times are GMT -4. The time now is 06:55 PM.

