Hosts file protection, what apps do it?

Apropos of the recent DNS outages at register.com and some problem that affected some Wilders user access (links below), this blog by Mike Nash of Online Armor is good non-techie description of how the hosts file works and how malware likes to mangle it for their own benefit:

http://onlinearmorpersonalfirewall.blogspot.com/2009/03/host-of-problems.html

So my question: are firewalls the only apps that protect the hosts file? Do HIPS apps? Any others?

Seems like at the very least one could use some sort of a scheduled app to backup the file every hour or whatever; anybody know of any "hosts guard" little apps?

It seems like the hosts file functionality is transparently ripe for mayhem.

Wilders access problem threads:
Was the forum down?
Why wasn't I able to connect?

 

Hello,
kaspersky HIPS alerts of anything trying to modify the hosts file.

 

Arovax does. Cyberhawk and Threatfire do. I used to use Arovax, but it and Sandboxie don't play well together. I use cyberhawk a lot as it is a quiet hips, although not near as robust as threatfire or others. It watches the hosts file, and most importantly, has the much sought after allow/deny feature.

Sul.

 

Spy Sweeper, Spyware Doctor, WinPatrol, MJ Registry Watcher and many more I can't think of at the moment...

 

Thank you -- it sounds like several types of apps protect the hosts file, it's not just firewalls or just spyware apps.

And, I guess even more important, am I correct that it's NOT anti-virus apps that do it, at least not directly. An AV might stop a virus that could harm the hosts file, if the AV database already had the virus signature, but not proactively protect the hosts file.

From reading Mike's blog I was thinking how disruptive a relatively easy-to-do hosts file nastiness could be to diagnose, even for users who were reasonably tech-savvy. I don't mean to dramatize here, but couldn't a jiggered hosts file have some of the same effect as confiker, i.e. that the user could potentially not be able to get security updates and even worse, potentially be re-routed to drive-by infected websites.

 

my friend got infected with malware last year. his host file was changed to block all antivirus websites.
norton couldnt update.
of course not knowing firstly i went to the symantec website trying to get the removol tool but the website wouldnt load correctly.
so i got the tool from another site.
then i remembered about one of my fav tools hosts expert from funkytoad.
i simply pressed the button "restore ms default hosts file" and it was sorted.

dont forget that you could do this with any OS if the user has enough rights to.

 

Found some other Hosts file maintenance utils, here:
http://lists.thedatalist.com/pages/Hosts_File.php

I see it includes a link to the HostsXpert that you mentioned, lodore, thank you.

Does anybody know the meaning of the green checkmark beside some of the apps listed? I don't see a legend anywhere on the page or on the index page:
http://thedatalist.com/index.html

 

It does mean that the checkmarked entry is in use by Abbot and/or Costello, the 2 wise guys responsable of those pages

 

Damn, you're right JRViejo, I always intermix those four together!

--
«Je suis né très jeune.»

 

Good question. Thanks for asking.
WindowsDefender, when run as a HIPS, will alert to attempts to alter the Hosts file. A user can then permit or deny. And SpywareBlaster offers a Hosts Safe backup feature.