SSM & Host

Hi Guys,

Is it possible to write a rule using SSM to protect the 'host' file? If possible exactly how would this be done?


Thanks & Take Care
Rico

 

Rules->Applications, then under "Object Name", choose the group folder you want to place the hosts file in, right-click and choose: Edit Rules->Add Rule for file, in "Files of type" choose "All Files [*.*]" then next to "Look in" drill down to the hosts file, select it, then hit "Open". That should do it. Once you have it in place, you may want to tailor the security on it by right-clicking it, choose "Special Permissions". You will probably want to choose "Protect from remote data modification", at least.

 

That will not work. SSM can prevent a process from being modified by another process but the hosts file is NOT a process. It's a text file that cannot be executed, so even if the checksum changes SSM will never alert about that.

 

Hi Guys,

I remember winpatrol, & microsoft antispyware, would alert if the 'hosts' file is/was modified. I was hoping that one of my resident apps (SSM, RD, AVG/as, or NOD32) could protect or notify. Currently the file is read only, does it need anything other than that?

Take Care
Rico

 

I know it's not a process so that is why I suggested to select "Protect from remote data modification", since this is probably - maybe?? - the only useful option for only a text or similar file. I have not tried this but why wouldn't SSM at least protect that type of file from data modification?

 

Actually there is something you can do with RD. Make sure it is protecting the data on this Reg value:-

HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Services\Tcpip\Parameters || DataBasePath

That gives the file path for your Hosts File and if it got changed it could result in a spurious file being used instead.

As to the Hosts File itself, you can lock it with ZA Pro if you happen to use that; also SpywareBlaster enables you to keep a backup copy in case of emergency.

I have been using CounterSpy to protect my non-Registry locations, including the Hosts File, though the recent version is not entirely to my liking!

File protection is being mooted for a future release of SSM, but for the moment it does not protect non-running objects. (aside from special cases, such as .ini startup files etc)

 

Too bad, though I guess anything trying to modify the hosts file should be picked up by SSM anyways, since it is likely to be an executable?

 

The simplest way to protect the Hosts file is via Windows' NTFS permissions - set Write and Modify to Deny for all users aside from the Administrator, and don't use the Administrator account for day-to-day use. If you then do need to modify the hosts file, use the Run As option to start up a copy of Explorer with Admin privilege to access the file.

 

This very issue that is been brought up is exactly why i been crowing for so long and loud that someone, anyone who is expert at programming development to invent a simple Folder/File Monitor as a standalone or else incorporate a folder monitor into their security products.

It's extremely important even after a rule is applied (if possible), or after applying M$ Group Policy to have areas, chiefly specific directory folders of importance constantly monitored for any forced changes IMO.

In this case the gentleman seeks only to protect a single text file that is been a notorious target of malware redirectors the world over, namely his HOSTS file.

I been relying on an old abandoned project named FileChangeAlarm which only monitors folders but does a fair enough job of it. LoL

btw, it was my understanding that SSM was to incorporate some type of Folder monitoring. Never heard if they got around to implimenting it in one of their many latest releases yet or not.

I can only find it Google cache'd now.
FileChangeAlarm...cache'd

 

It has been raised regularly and is on the ToDo list (see here, here and here). However NTFS permissions will do the job just as effectively for those sensible enough to limit their use of the Admin account.