Discussion in 'other security issues & news' started by EncryptedBytes, Aug 19, 2012.
"Update: Tom just pointed out that turning off Windows Defender, which basically is Microsoft Security Essentials, in Windows 8 will resolve the issue. It appears that the program has been designed to protect some hosts from being added to the Windows hosts file."
Gotta love how badly some people jump the gun. It's common for malware to try to hijack popular domains using the hosts file; it's obviously going to be suspicious.
Just because the IP is pointing to the local machine doesn't mean anything; there's been malware that hosts pages locally.
Pretty sure there was another thread here on Wilders (last month?) with someone complaining about blocking doubleclick with MSE. It's a shame journalists don't do more research before hitting the "submit" button in the hopes to be first to post something. I guess it's all about the traffic.
This should prove to be interesting for those that run custom Hosts files such as MVPS.
More as Win 8 goes RTM and the mentioned software comes online.
I agree with funkydude, this isn't a bad thing. If it improves security then it's worthwhile.
Useful to know still. Thanks.
Related from http://www.drwindows.de/content/576-windows-8-defender-setzt-hosts-manipulation-zurueck.html via http://hexus.net/tech/news/software/43937-windows-8-hosts-block-doubleclick-ads-facebook/. Adding 127.0.0.1 entries for various hosts resulted in the following ones being removed:
Attention was also drawn to a comment saying that servedby.advertising.com was another entry that gets removed.
Obviously, 127.0.0.1 entries could be a hijack or protection mechanism. I'm inclined to think that on the test machines there was nothing to corroborate the theory that such entries were a hijack (such as known malware proxy having been detected). IOW, it sounds as though Windows Defender was simply making an assumption, one that was incorrect in the reported cases, and one which would have done harm had those been part of a security/privacy protection mechanism rather than a test case. It also sounds as though such "protection" is enabled by default (user can opt-out the hosts file from that) and the removals are done silently without some kind of obvious alert. It seems the entries are deleted rather than being commented out and I've yet to hear someone say the original hosts file is backed up somewhere.
IOW, it sounds like this feature could use some work.
Commenting your Hosts file is fairly easy, assuming the software mentioned doesn't prevent you from doing so. If I were to have a machine with this software that disallowed my maintaining my custom file as I wanted it, I would not be running said software, although this is just a personal observation and not a suggestion that anyone wanting to test-drive these new emerging technologies to go right ahead.
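Added example, not part of the thread or any poster's code: because the removals discussed above are described as silent and no backup of the original file is reported, a kept copy of the hosts file can be compared with the live one to show which mappings were deleted, commented out, or changed. The `example.test` hostnames and both file contents are constructed samples, and `parse_hosts` and `diff_hosts` are hypothetical helper names.

```python
import ipaddress

# Constructed sample: a baseline copy saved by the user, and the file as found later.
BASELINE = """# custom block list (constructed sample)
127.0.0.1 localhost
127.0.0.1 servedby.advertising.com
127.0.0.1 ads.example.test   # constructed host
127.0.0.1 tracker.example.test
"""
CURRENT = """# custom block list (constructed sample)
127.0.0.1 localhost
10.0.0.5 ads.example.test
# 127.0.0.1 tracker.example.test
"""

def parse_hosts(text):
    """Return (active, commented) dicts mapping hostname -> IP string."""
    active, commented = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        target = active
        if line.startswith("#"):
            # A commented-out mapping still has the shape "# IP host ..."
            line, target = line.lstrip("#").strip(), commented
        fields = line.split("#", 1)[0].split()  # drop any trailing comment
        if len(fields) < 2:
            continue
        try:
            ipaddress.ip_address(fields[0])  # skip ordinary comment text
        except ValueError:
            continue
        for host in fields[1:]:
            target[host.lower()] = fields[0]
    return active, commented

def diff_hosts(baseline_text, current_text):
    """Classify every active baseline mapping against the current file."""
    base_active, _ = parse_hosts(baseline_text)
    cur_active, cur_commented = parse_hosts(current_text)
    report = {}
    for host, ip in base_active.items():
        if cur_active.get(host) == ip:
            report[host] = "present"
        elif host in cur_active:
            report[host] = "changed to " + cur_active[host]
        elif cur_commented.get(host) == ip:
            report[host] = "commented out"
        else:
            report[host] = "deleted"
    return report

if __name__ == "__main__":
    for host, status in diff_hosts(BASELINE, CURRENT).items():
        print(f"{host:30} {status}")
```

On Windows the live file is `%SystemRoot%\System32\drivers\etc\hosts`; read it and the saved copy as text and pass both to `diff_hosts`.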