AdAware and Hosts File

For some reason it appears that when I ran a AdAware scan today it listed a bunch of blocked sites that I added a couple of months ago (Using Spybot SD) to my Hosts file. Am I misreading these results, and is this really a security issue, or is this a false alarm. See below. Thanks!

 

As long as the entries are being redirected to 127.0.0.1, you're OK. I would say false alarms.

Nick

 

Thanks, Nick. I thought so, but wanted to make sure. I wonder why the folks at AdAware would not have the app check to see if a 127.0.0.1 address is associated to the entries.

 

Hi Daisy,

Nick is right.
Something similar is mentioned at the MVPS-HOSTS site.

Indeed: just ignore them if they are redirected to 127.0.0.1 like Nick already posted

Cheers, Jan.

 

I use the MVPS hosts file and set Ad-Aware to ignore the hosts file. The MVPS hosts file has about 6000 entries.

Nick

 

As Nick says "Ignore" them... whatever you do, DON'T DELETE.... those are the redirected "bad" sites back to you so you cannot get to them from a hosts file... 127.0.0.1

You will only get an alert once you ignore them, when you update a new lot of hosts files.

In your scan, the next time AdAware will say how many items you've set in Ignore Section.

The reason AdAware 'sees' them, is the 'redirection' aspect of those, as that is what spyware will do to your security apps so they cannot be updated. Each time you try to connect to the update site then, it simply redirects back to your home machine.

Just a little more info.

TAS

 

Nevertheless I wonder exactly the same as Daisy posted:

"I wonder why the folks at AdAware would not have the app check to see if a 127.0.0.1 address is associated to the entries."

Just like I'm wondering for example why PestPatrol sometimes doesn't check the DWORD of a registry-entry (example: a registry-entry put there by IE-SPYAD, to put a site in the Restricted Zone of IE).

 

Same thing happened to me

 

Thanks to everyone for their helpful replies.

When the entries showed in the Ad-Ware scan, I added them (60 entries) to the ignore list. When you say that you "set Ad-Aware to ignore the hosts file", did you do this same thing (just ignore every single entry as it is detected during a scan), or is there a way to simply tell Ad-Aware to always ignore everything in the Hosts file?


Edit: By the way, there are a LOT more entries in my Hosts file. Not sure why Ad-Aware just now decided to start flagging only 60 of them.

 

Here's where I disabled the hosts file scan. I like to manage the hosts file myself.

Nick

 

Aah. Found it. Thanks, Nick. By the way, are you aware there is a new version of Ad-Aware?

 

I know. I bought the Plus version a long time ago. So I'm waiting for my free SE Plus upgrade e-mail.

Nick

 

you lot know more about these things then i do, but isnt it because malware puts 127.0.0.1 enteries into the hosts to stop you DL HJT, online scaners etc?

 

Good point. The hosts file can be a two-edged sword.

Nick

 

Yes, that can be a problem... you really have to check the entries listed.
Must admit I nearly fell off chair first time it happened, as it was near the very end of scan and up pops all these, especially when I saw the words 'CoolwebSearch' at end of lists, until I checked.

TAS

 

Hi All,

Ad-Aware SE New Build 1.02 available upgrade from 1.01

http://www.lavasoft.de/

Download SE 1.02 from Major Geeks - http://www.majorgeeks.com/download506.html

Ad-Aware SE Build 1.02

No Longer picks up F/P's for 127.0.0.1 host enteries - as redirects.

dog -

 

do you know if that is the only update for this new version? because if it is ill keep the one ive got, it seems to make more sense to me.

 

It's all I noticed so far.

As for this ... well ... seeing as you have this knowledge ... you can always check your host for bad enteries if something should go wrong ... but a modified host will help prevent malware from adding enteries to begin with ... you can also set the file to read only for a ~little~ added protection.

But I think not picking up these F/P's is much better for the less advanced user ... as they'll probably are most likely delete the found F/P's and lose their protection afforded them by their modified host file.

dog -

 

thanks, dog . i did a scan then put the results from my hosts file in ignore, so if anything shows up it should be malware. and, after reading your post i set it to read-only , and have it locked with spybot. but i'll have to check and see what was in the update. thanks

 

NEW features in Ad-Aware SE Professional edition

Applicable to both 1.01 & 1.02 - I can't find any details about the version 1.02 update ... other than what I noticed in regards to no longer reporting the F/P host redirects.

Code:

[B][SIZE=4]NEW features in Ad-Aware SE Professional edition[/SIZE][/B]

- New command line parameters that allow for silent and automated operation of Ad-Aware

- UNC support for remote storage of Preferences, definitions, and log files

- New results screens and detailed statistics

- Improved logging and reporting

- Hardened against third party uninstall with encrypted preference files

- Links to more information on detected content from our website

- New safety option that allows you to write protect sensitive system files such as the Hosts file

[B]Scanning engine improvements[/B]
   	Extended Memory scanning
   	Now scans all modules loaded by a process
   	Uses our all new CSI (Code Sequence Identification) technology to identify new and unknown variants of known targets
   	Extended protection against DLL-injection, SE can unload process modules on the fly

[B]Extended Registry scanning[/B]
   	Now scans registry branches of multiple user accounts
   	Performs additional smart checks to detect dynamically created references
   	Scanning speed noticeably faster
   	Extended Scanning for known and unknown/possible Browser-Hijackers

[B]Extended Disk scanning[/B]
   	Now scans and lists alternate Data-streams on NTFS volumes
   	Now Ad-Aware supports scanning of Cabinet files, (including spanned archives)
   	Scanning speed increased

   	Improved Hosts-file scan
   	Now Ad-Aware and Ad-Watch use much smaller reference files

[B]Several User Interface improvements[/B]
   	Improved Graphical UI
   	Ad-Aware now supports custom graphical Skins
   	More user friendly Plug-in/Extension GUI (Plug-ins and Extensions now shown on separate screens)
   	New Scan Result view, includes a scan summary and detailed view
   	Ad-Aware now linked to the online TAC database

[B]Multiple New Tweak options[/B]
   	Unloading of process modules during a scan
   	Obtaining command line of scanned processes
   	Ignoring spanned cab files
   	Scan registry for all users instead of current user only
   	Permanent archive caching
   	Always try to unload modules before deletion
   	Disable manual quarantine if auto quarantine is selected
   	Block pop-ups aggressively
   	Load Ad-Watch minimized
   	Hide Ad-Watch tray icon
   	Write protect system files after repair
   	Limit drive selection to fixed drives
   	Use gridlines in item lists
   	Log file detail section condensed

[B]Process-Watch[/B]
   	Improved Process-Watch scanning capabilities and scanning speed (Using the new CSI technology)
   	Several Process-Watch Interface improvements
   	Option to create a Hexdump of the process memory or dump the process memory to disk

[B]Several logfile improvements[/B]
   	Includes support for separate removal logfiles
   	Allows adding a Reference summary/index to logfiles
   	Logfile contains overall more detailed information

[B]Ad-Watch[/B] *Plus Version
   	Several GUI improvements
   	Ad-Watch now supports Cookie Blocking
   	Site-manager to edit the popup-blacklist included
   	Ad-Watch now uses the new CSI technology to detect new and unknown variants of known targets
   	New Ad-Watch configuration screen
   	New rules editor for pre-defined blocking exclusions
   	Support for hiding the Ad-Watch tray icon for unattended operation

dog -

 

Thanks for the info, Dog!

 

Actually, it still picks up some: (1.02 SE (free version), latest update flagged this in big red letters:

Warning!
Bad Hosts file entry:127.0.0.1nly-virgins.com


Win32.Delf.Trojan.A Object Recognized!
Type : Hosts file
Data : 127.0.0.1
Category : Malware
Comment :
Bad Hostfile entry : 127.0.0.1nly-virgins.com

That entry in the hosts file is perfectly correct and to flag it in red on the critical list will only cause unnecessary scare to the less experienced. Letting AdAware fix it (assuming that they have thought about the possibility that my hosts file is read only) would actually put me at greater risk, should I ever be tempted to pay the virgins a visit .

As for the point made higher up in this thread (sorry, forgot by whom) that malware can redirect 'good' sites to 127.0.0.1, true, but AdAware would not flag those anyway, unless somehow it built up a database of 'good' sites.

What I would like it to flag are entries redirecting to other than localhost (usually 127.0.0.1), which malware often does too (redirecting to their own sites, for example). It could also check that the hosts file has been set to read only, which is a good first line of defence against malware writing into it (not foolproof, of course, it's not difficult to bypass if the malware programmer wants to, just one extra little hurdle).

I made the point on the Lavasoft boards, calling the above example a false positive, but they claim it is a 'feature'. Still, they have passed on the comments to their development team, so maybe things will change in some future update.

PS No idea where those emoticons have sprung from...underneath it says only-virgins.com.

 

From the Lavasoft Product Updates page:
Ad-Aware SE 1.03 Now Available, New definition file included

Note
Re-ran Adaware 1.02 and the....127.0.0.1 only-virgins.com Hosts entry....was still being flagged. I then installed the new 1.03 defs.ref file....and it no longer flags the above mentioned Hosts entry.

 

Yes, 1.03 has fixed it! So now I have nothing more to grumble about

 

Hi,

It is the board-software that "translates" the characters immediately after each other to that emoticon

If such a thing happens and you don't want it to happen, then (when you are making your posting) put a checkmark in the box "Disable smilies in text" in the "Additional Options" at the bottom.