Wish to block incoming IP addresses with Kerio 2.1.5

Discussion in 'other firewalls' started by ejames82, Aug 10, 2008.

  1. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    What I meant was the exact opposite. Malware would add the heavier used sites that specialize in cleaning malware to the hosts file, but with the localhost address. If a user didn't know to check there, those sites became unreachable. The user can add sites to the hosts file along with their real IP. That's closer to what the hosts file was originally intended to do.
    It's the other way around. With most AVs, the initial update connection is outbound and the installed AV checks with the server to see if there's newer versions of the updatable files. When malware adds the AVs update servers to the hosts file, it'll give them the localhost address, which makes it impossible for the AV to contact the server and it can't update.

    File integrity checkers aren't usually part of the average security package. They're mostly used by people who take security very seriously and have built layered security packages. Some of them are quite simple and check a user defined list whenever it's run. Others poll (check at a predefined interval) a list of monitored files or folders and alert if something is changed.

    Batch files aren't that hard. The hardest part is getting used to the syntax the different commands use. Syntax is to batch files what grammar is to language. A batch file that uses a copy to overwrite an existing file would only need to use one command, "Copy". The rest would be paths and switches. If you call up a command prompt from the start menu and enter "copy /?" you'll see the basic usage instructions for the command. Command line takes a bit of learning and getting used to, but it's powerful and can be used for many tasks, including automating common tasks like regularly overwriting a file. The user's startup folder, which is on the start menu under programs, is an easy way to run an app or batch file at startup. Just make a shortcut in it to the batch file or script you want run.

    It's not really necessary to take such measures to secure the hosts file. For most users, an occasional manual checking is sufficient. If you decide that you want to automate this task, let me know and I'll help you set it up.
     
  2. ejames82

    ejames82 Registered Member

    Joined:
    Mar 23, 2007
    Posts:
    156
    noone_particular,

    One specific thing I remember about producing the BitDefender batch file was the misunderstanding that took place. They thought I knew things I didn't know, and mistakes were made. With a batch file, as with many special features in a computer, there is no margin for error. For example, if checkdisk is attempted to run without putting the space between "chkdsk" and "/f/r", it won't work. A little thing like the space in between is so important, and perfection is the key.

    "If you decide that you want to automate this task, let me know and I'll help you set it up."

    I'm ready when you are.

    "Then make a script or batch file that will overwrite the existing hosts file with the backup copy and add an autostart entry to either the registry or the startup folder to run it automatically. This would replace it with a known good copy at each reboot."

    This actually sounds like 3 separate tasks, but that doesn't bother me because you are a good mentor. Choose which ones or all three. It's fine with me. If I have a question, or get to a place where something is not going according to plan, I will just take a screenshot if need be. Another plus is the website :thumb: screenshots work excellently here. Once again, thanks, and I am looking forward to this.
     
  3. ejames82

    ejames82 Registered Member

    Joined:
    Mar 23, 2007
    Posts:
    156
    noone_particular,

    It looks like you have decided against helping me with the batch file and the startup entries. I don't blame you, it would have been a tough job (in my opinion).
    You have been a saint. There has been so much explained to me about blocking with the firewall, and making entries in the hosts file, and also loads of in-depth technical info, that I feel very grateful.

    Thanks again to everyone for their replies. :)
     
  4. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    I haven't abandoned you. I was away on unexpected personal matters and just got back home.

    The text of this batch file will depend on where you store the backup copy of the hosts file and what name you've given to the backup file. I'm color coding the areas of the batch file that will need editing to match it to your system. Notepad will work fine for doing this.

    I need to mention that I've made this on Windows 2000 SP4. It should work the same on XP, but I don't have access to XP to actually try it. One more thing. I ran into this problem running it on 2000. It may or may not be a problem on XP, nothing to test it on. When I used the batch file to replace the existing 1kb hosts file with the 700kb MVPS hosts file, services.exe began using 100% of the processor, dragging the PC down to a slow crawl. When I disabled the DNS client service, this problem disappeared. The DNS client service isn't usually needed by the average user. A PC will look up addresses normally without it. My PC runs just a bit faster without that service running. You can find more information on XP services here, and the DNS client service itself here. If you want to keep the DNS client service running, it may or may not be a problem. Your choice.

    The batch file:
    Code:
    @echo off
    CD C:\Documents and Settings\Administrator\Desktop
    copy \backup filename C:\WINDOWS\system32\drivers\etc\hosts /v /y
    This isn't as bad as it may look.
    The first line: "@echo off"
    The echo command basically controls what's displayed on the screen. No screen output is needed here. Most batch files start this way. If you're interested, there's plenty of info on the "echo" command here.
    "CD" means change directory. The line following it is the path to the folder that contains the backup copy of the hosts file. In the example, C:\Documents and Settings\Administrator\Desktop is the administrators desktop. Note the space between CD and the beginning of the path of the containing folder. The "CD" line points to the folder where the next command will be executed. In this case, it's the one containing the file to be copied.
    The next line begins with the "Copy" command, then a space, then the name of the backup hosts file. Another space. Then the path to the folder that contains the system's hosts file. The entry C:\WINDOWS\system32\drivers\etc is the normal location of the hosts file in XP. This assumes that XP is installed on the "C" drive in its normal fashion.
    Note that the path in the example code ends in \hosts. The "Copy" command can be used to rename the copied file. If the backup hosts file has a different name than "hosts", then this segment is needed to give the replaced file the correct name. If your backup hosts file is also named "hosts", then the segment \hosts isn't needed.

    At the end of the line is "/v /y". These are switches that add conditions to the command. The "/v" switch has your system verify that new files are written correctly. The "/y" switch suppresses the prompt to confirm you want to overwrite an existing destination file. Without it, you'll be asked "Are you sure..."

    When you've got all the paths and names edited to match your system, save the file using a name of your choice with ".cmd" as the file extension. Any name is fine, but the "cmd" extension is necessary. Anywhere is fine to save it to, besides temp folders and similar locations.
    Example name: hostsprotect.cmd

    The easiest place for a startup entry is your startup folder on the start menu. Click on the start menu, then "programs", and find the "startup" folder. Right click on it. If there's an "Open all users" option in the right click menu, select it. If there's not, choose open. Windows 2000 has the "all users" option in the menu, not sure about XP. This will open the folder in its own window. Once the startup folder is open, right click on an empty spot, choose "New", then shortcut. Browse to the batch file you just saved, select it, click OK, then next. Name it however you want it to appear in the startup folder, then click finish. The batch file will run at bootup and replace the hosts file each time.

    One more thing if you're going to be using a custom hosts file. They do release updates every so often. Make sure you remember to update the backup copy too or it will end up replacing the newly updated copy with your older backup copy.

    If you have problems, let me know.
     
    Last edited: Aug 17, 2008
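    As an added example (not the batch file from the post above, and not anything written by the thread's participants), here is the same restore-at-startup idea in Python, with one thing the plain copy cannot give you: it hashes the live hosts file against the backup first, so it can tell you whether anything actually changed before it overwrites. The paths are constructed in a temporary directory so the script runs anywhere; on the XP layout discussed above the live file would be C:\WINDOWS\system32\drivers\etc\hosts and the backup whatever name you gave it.

```python
"""Check the live hosts file against a known-good backup and restore it
when it differs.  Added example, not code from the thread.  All paths are
constructed in a temp directory; on Windows XP the live file is
C:\\WINDOWS\\system32\\drivers\\etc\\hosts (needs admin rights to write)."""
import hashlib
import os
import shutil
import tempfile


def sha256_file(path):
    """SHA-256 of a file, read in chunks so a 700 KB hosts file is fine."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_and_restore(live, backup, restore=True):
    """Compare the live hosts file to the backup.

    Returns 'ok' when identical; 'missing' or 'tampered' when restore=False
    and the live file is absent or differs; 'restored' after copying the
    backup into place.  A missing backup is an error, not a silent no-op:
    overwriting hosts with nothing would break name resolution."""
    if not os.path.isfile(backup):
        raise FileNotFoundError("known-good backup not found: %s" % backup)
    if not os.path.isfile(live):
        status = "missing"
    elif sha256_file(live) == sha256_file(backup):
        return "ok"
    else:
        status = "tampered"
    if not restore:
        return status
    shutil.copyfile(backup, live)
    # Verify the write the way COPY /V would: re-hash and compare.
    if sha256_file(live) != sha256_file(backup):
        raise IOError("restore of %s did not verify" % live)
    return "restored"


def demo():
    """Walk through the scenarios from the thread on constructed files."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        backup = os.path.join(tmp, "edward")   # the backup name chosen above
        live = os.path.join(tmp, "hosts")
        good = b"127.0.0.1       localhost\r\n"  # constructed known-good content
        with open(backup, "wb") as fh:
            fh.write(good)
        shutil.copyfile(backup, live)
        results["clean"] = check_and_restore(live, backup)

        # The hijack described in the thread: an update host pointed at
        # loopback.  The hostname is a constructed placeholder.
        with open(live, "ab") as fh:
            fh.write(b"127.0.0.1       update.example-av.test\r\n")
        results["detect_only"] = check_and_restore(live, backup, restore=False)
        results["restored"] = check_and_restore(live, backup)
        with open(live, "rb") as fh:
            results["content_matches"] = fh.read() == good

        os.remove(live)
        results["missing_then_restored"] = check_and_restore(live, backup)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-22s %s" % (key, value))
```

    Run it from the same kind of startup entry as the .cmd above. Because the copy is skipped when the hashes match, it doubles as the simple file integrity check mentioned earlier in the thread, and the 'tampered' result is the place to hook a log line or an alert. The caveat from the post still applies: update the backup whenever you update the hosts file, or the script will faithfully roll your new file back to the old one.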
  5. ejames82

    ejames82 Registered Member

    Joined:
    Mar 23, 2007
    Posts:
    156
    noone_particular,

    I hope your personal matter hasn't resulted in any harm or suffering experienced by you. I hope everything is OK with ya.
    I wouldn't call it abandonment, I would have called it "a change in course of action in an attempt to avoid never-ending torture".

    Let me just say briefly, that was another impressive post. Links, code, colors, and a long post with lots of info to boot.


    First thing we'll square away is my decision on the name, location, and other unknowns.


    My operating system and all my general data are in C:\. It's my main drive.

    Name of new file: edward
    Location of new file: My Documents

    DNS client service is already disabled. It has been for a long time.


    Is this the way that my notepad code should now look?

    @echo off
    CD C:\Documents and Settings\Administrator\My Documents
    copy \edward C:\WINDOWS\system32\drivers\etc\hosts /v /y


    I wanted to get that out of the way, so as not to overload the circuitry or put the cart before the horse.

    start>all programs>startup>"open all users"
    does exist in XP.
    "right click on an empty spot, choose "New", then shortcut."
    Where do I right-click? Inside the body of the startup folder window?
    I've included a screenshot.

    "update the backup copy too or it will end up replacing the newly updated copy with your older backup copy."
    How do you deal with this? I definitely am for finding a permanent solution to achieve this end result, otherwise all efforts would be in vain. This can wait on the back burner, but will need to be addressed.

    Once again, I thank you.
     


  6. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Your batch file is good except for the backslash after copy, which was also wrong in my example. Here's a fixed copy. Save it with the name of your choice using ".cmd" as the file extension. With notepad, you can do that by selecting "any" or "all" type(s) of files in the drop box, whichever is used on XP.
    Code:
    @echo off
    CD C:\Documents and Settings\Administrator\My Documents
    copy edward C:\WINDOWS\system32\drivers\etc\hosts /v /y
    Right click anywhere inside the white area of the window, where the icons normally are. Then select "new", then "shortcut", and browse to the saved batch file. Just follow the prompts and either use the name windows gives it or pick your own.
    Whenever you update the actual hosts file, just remember to save an additional copy under the name "edward" and replace the old copy of "edward" with it. Any method is fine.
     
  7. ejames82

    ejames82 Registered Member

    Joined:
    Mar 23, 2007
    Posts:
    156
    noone_particular,

    I have a couple of screenshots to show you. I will split them up in two separate posts. I hope the mods are OK with it. It will keep me from overloading attachments.

    I pasted the code in notepad and saved it as "all files" as "edward.cmd" to my desktop (I thought I was supposed to put it there, as directed by the code). That is what the screenshot is of.

    It's not like me to "wing it" like this, but I figured, what the heck, I can always delete it if it's not right.
     


  8. ejames82

    ejames82 Registered Member

    Joined:
    Mar 23, 2007
    Posts:
    156
    noone_particular,

    Here is a screenshot of the "batch file?" after it was made in the startup folder.
    I didn't know whether I could name all the files "edward", but I thought I would give it a shot and see if it would work. Are both of these files batch files? They both have the extension .cmd; I thought that it was required for a batch file to have an extension of .bat.

    "One more thing if you're going to be using a custom hosts file. They do release updates every so often. Make sure you remember to update the backup copy too or it will end up replacing the newly updated copy with your older backup copy"

    "Whenever you update the actual hosts file, just remember to save an additional copy under the name "edward" and replace the old copy of "edward" with it. Any method is fine"

    I can't realistically foresee entries ever being removed from the hosts file, only added.
    Of course, your suggestions are always regarded highly, and there's always Google, and who knows, maybe even YouTube can help.
    There's more I would like to say, but thunder and lightning have started, so I want to post this and disconnect the computer. Will continue after the storm subsides.

    Thanks again.
     


  9. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    There's no reason you can't use the same name if it helps keep things organized. The icon in your startup folder is a shortcut to the batch file, not the batch file itself. Windows usually gives shortcuts the same name as the file they're linked to. The arrow on the icon is for shortcuts.

    Regarding the .bat extension, that was the standard batch file extension for DOS and 9X systems. They were executed by command.com. NT systems (Win2000, XP, and some older network terminal systems) use cmd.exe in its place. As far as I know, both .cmd and .bat will work on an NT system, but .cmd is the one commonly used. I'm not certain that they're entirely interchangeable. On my Win2000 system, both extensions work fine for this batch file.
    It happens occasionally. A domain can get sold. Sometimes a questionable site will clean up their act and get themselves removed from the blocking hosts files. A hosts file isn't an effective defense against the really nasty sites. They change too fast to keep up with them by name. It's more effective against adware distributors and adservers that don't move nearly as much.
     
  10. ejames82

    ejames82 Registered Member

    Joined:
    Mar 23, 2007
    Posts:
    156
    noone_particular,

    I thought it would be easy to find forum discussions via Google about a hosts file that loads at startup with a batch file. The limited time I had available produced dismal results. There are loads of people that use MVPS and Spybot, but do not have a batch file that loads at startup.
    I think the best way to update the hosts file list is to delete the batch file in the startup folder, use MVPS and Spybot, then make a new batch file. Any other way to achieve this end result would probably be more work, if there is any other way.

    "It happens occasionally. A domain can get sold. Sometimes a questionable site will clean up their act"

    I think this happens more often with rogue antispyware and antivirus sites, gambling sites, peer2peer sites, weather sites, and movie sites than it does to porn sites. ask.com, for example, is a site that may have "turned good".

    If one of these sites turns good and I try to access the site and am unable to because of the entry in the hosts file, will I receive a notification informing me that it's the hosts file entry that is blocking me from making the connection to that site?

    I also wonder about the trusted sites in internet options>privacy. Could that list also be altered by malware, and receive a batch file to restore it at startup?

    There's much more I would like to discuss with you, but I have to go to work.

    Thanks again.
     
  11. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    The batch file doesn't load the hosts file per se. When a hosts file is present, windows automatically uses it. The batch file makes sure that any malicious or unwanted changes to it are gone after each reboot. I doubt that you'll find this idea discussed anywhere as it's more than is normally required. For the hosts file to be altered, some type of malware would have to be on the system. It might also be possible to alter the hosts file via a malicious page. Either way, a malicious modification of the hosts file would only be one part of the malware's payload. Most likely, it would be accompanied by some malicious process or file, and the hosts file alterations would be to prevent the AV or similar app from updating and obtaining signatures that could detect it.
    You'll get the standard "couldn't find page" message your browser normally shows when it can't find the site. It won't say anything about being blocked by the hosts file.
    Oh yes, definitely. Malware does that too. I don't know where Internet Explorer stores the trusted sites list. If it's kept in a single file, it could be done the same way. If it's in the registry, the correct key would have to be located, copied, and remerged at each restart. I don't know what differences there are between IE6 and IE7 and how each handles this. I don't use Internet Explorer unless there's no choice.

    IMO, the entire concept of "trusted sites" needs to be re-examined. There is no such thing anymore as a site that you can trust to be exploit and malware free. Sites that are clean today could be hacked tonight and infecting people tomorrow. It's happening a lot anymore, and in places you'd expect better from. Even banking sites have been hacked and used to infect their customers. More recently, the DNS system itself has been shown to be vulnerable. If DNS is successfully compromised, there's no guarantee that the site you enter in the address bar will be the site you end up at. If that site happens to be one you trusted, you're very vulnerable.
     
  12. ejames82

    ejames82 Registered Member

    Joined:
    Mar 23, 2007
    Posts:
    156
    noone_particular,

    "I doubt that you'll find this idea discussed anywhere as it's more than is normally required."

    Translation: it's work.

    "and the hosts file alterations would be to prevent the AV or similar app from updating and obtaining signatures that could detect it."

    And, of course, removal is out of the question.

    "You'll get the standard "couldn't find page" message your browser normally shows when it can't find the site. It won't say anything about being blocked by the hosts file."

    Oh well, it was wishful thinking.

    "I don't know where Internet Explorer stores the trusted sites list."

    Sounds like the next project for me. :) :thumb:

    "the correct key would have to be located, copied, and remerged at each restart."

    For me, the chore is in putting the proper slash (backslash or forward slash) in the right place, and having spaces in the correct place. One slight mistake and it won't work.

    "I don't know what differences there are between IE6 and IE7"

    I think I should have IE7 myself, but I don't think I do. I thought Microsoft handles this upgrade/update with the automatic update procedure. How could I find out if I have the latest version, and upgrade/update if I don't?

    "There is no such thing anymore as a site that you can trust"
    "Even banking sites have been hacked and used to infect their customers. More recently, the DNS system itself has been shown to be vulnerable. If DNS is successfully compromised, there's no guarantee that the site you enter in the address bar will be the site you end up at."

    It will always be essential to keep malware-free. When it comes to damage control as a result of the banking site, or the DNS, being hacked, the best course of action I can think of is having a credit card. The credit card company will dispute the charges and return your money. This happens so often (credit card companies refunding money) that it's a surprise they stay in business. How do you go after a Nigerian or a Chinese hacker? I would love to see how these institutions go after those guys, or do they, in many cases, take the loss?

    Thanks again.
     
  13. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    There are always options.
    An online AV can be used.
    A rescue CD with an AV installed.
    The hard drive can be installed as a slave drive on another PC and scanned with tools on its OS. Dual and multi-boot systems are great for this.

    IE7 came through Windows Update. You can see which you have by launching IE and clicking on "help", then "about Internet Explorer". It should show a version number. IMO, IE7 isn't that much better than IE6, and still has the same basic problem. It's part of the operating system. Personally, I like SeaMonkey much better. Opera is another option that many like. Other options include Firefox and K-Meleon. I've tried several of them but keep coming back to SeaMonkey, previously known as the Mozilla Suite.

    If you're interested in learning about command line and batch files, this is one of the best sites I've seen for info.
    http://www.computerhope.com/msdos.htm
    http://www.computerhope.com/batch.htm
    The MSDOS page was primarily for 9X and DOS users but it includes all the commands for XP and covers the differences in how they're used.
    A couple of general rules:
    Switches are preceded by either / or -. Most of the command line apps that come with windows use /. Some will recognize either.

    \ is primarily used in paths like C:\windows\system.

    Regarding spaces, they're generally used to separate the different parts on the line, such as the command itself, the switches, and the paths. The commands often have syntax help built into them, usually accessed by following the command with one of these:
    /?
    /help
    -?
    -help
    Most commands expect syntax close to the example below. I'll use an underscore in place of a space to show it better.
    Code:
    command_(source path)_(destination path if used)_switch_switch
    Command line is very powerful, limited only by the user's imagination and limitations imposed by Windows itself, such as "access denied, file in use" or something similar. On the 9X systems, it's even more powerful, being separate from Windows and not limited by it. Almost any kind of task can be made a "one click" option, especially when some 3rd party tools are included.
    That's only one of many kinds of damage malware can do. Malware can use your PC to send spam, participate in DDOS (distributed denial of service) attacks, even hosting child porn.

    Quite often, the credit card companies are limited in what they can do for many reasons.
    Laws that are years behind today's reality.
    The global nature of the problem and the lack of international cooperation.
    Identifying the actual parties responsible. They often use many layers of proxies, networks of hacked PCs, and other methods to protect their identity.
    Don't think for a minute that they're just absorbing the loss. They just pass the costs on to the cardholders as fees, higher interest rates, etc. They're making more than enough to compensate.
     
  14. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Forgot to add this.
    Back on the subject of the hosts file.
    The hosts file can be used to offset the problems found in DNS. Your PC first checks the hosts file for the address. If it isn't there, it then uses the DNS service. A user can add the address of critical financial sites to their hosts file and avoid using a DNS service for those sites entirely.
    Example using this forum.
    Code:
    65.175.38.194  www.wilderssecurity.com
    This works very well as long as the site's IP address doesn't change.
    FYI, this is what the hosts file was originally intended to do.
     
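    The two uses of the hosts file that come up in this thread, blocking (a name mapped to loopback or 0.0.0.0, as in the MVPS file) and pinning (a name mapped to its real address so DNS is bypassed, as in the wilderssecurity line just above), can be told apart mechanically, and so can the hijack described in the first post, where a name you depend on for updates gets mapped to loopback. The script below is an added example, not code from the thread or from MVPS. The PROTECTED set, the sample hosts text and the stub resolver are constructed; only the www.wilderssecurity.com pin is taken from the post above. It also checks the caveat that a pin is only good while the site's address holds.

```python
"""Classify hosts file entries into blocking and pinning, flag blocked
names that belong to hosts you rely on, and detect pins that have gone
stale.  Added example, not code from the thread.  PROTECTED, SAMPLE_HOSTS
and the stub resolver in demo() are constructed."""
import ipaddress

# Names you never want resolving to loopback.  Constructed placeholders;
# a real list would carry your AV vendor's update hosts and the cleanup
# sites you would visit when infected.
PROTECTED = {"update.example-av.test", "download.example-cleaner.test"}

# Constructed sample hosts file mixing every case the thread mentions.
SAMPLE_HOSTS = """\
# constructed sample, not a real hosts file
127.0.0.1       localhost
::1             localhost
127.0.0.1       ads.example-adserver.test    # MVPS-style block entry
0.0.0.0         tracker.example.test         # block entry, 0.0.0.0 form
65.175.38.194   www.wilderssecurity.com      # pin quoted in the thread
127.0.0.1       update.example-av.test       # hijack: update host -> loopback
not-an-ip       junk.example.test            # malformed line
"""


def classify(text):
    """Parse hosts text and return blocked names, pinned name->ip,
    hijacked (name, ip, lineno) triples, and malformed line numbers."""
    blocked, pinned, hijacked, malformed = set(), {}, [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments, skip blanks
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            malformed.append(lineno)
            continue
        for name in (n.lower() for n in fields[1:]):
            if ip.is_loopback or ip.is_unspecified:
                if name == "localhost":
                    continue                  # the normal loopback entry
                blocked.add(name)
                if name in PROTECTED:
                    hijacked.append((name, str(ip), lineno))
            else:
                pinned[name] = str(ip)
    return {"blocked": blocked, "pinned": pinned,
            "hijacked": hijacked, "malformed": malformed}


def stale_pins(pinned, resolve):
    """Return (name, pinned_ip, current_ip) for pins DNS no longer agrees with.

    `resolve` is any callable name -> ip string.  Pass socket.gethostbyname
    for a live check; demo() passes a dict lookup so this runs offline."""
    stale = []
    for name, ip in sorted(pinned.items()):
        try:
            current = resolve(name)
        except Exception:          # name no longer resolves at all
            current = None
        if current != ip:
            stale.append((name, ip, current))
    return stale


def demo():
    report = classify(SAMPLE_HOSTS)
    # Constructed stub standing in for socket.gethostbyname; pretend the
    # site moved to a new (documentation-range) address since it was pinned.
    fake_dns = {"www.wilderssecurity.com": "198.51.100.7"}
    report["stale"] = stale_pins(report["pinned"], fake_dns.__getitem__)
    return report


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

    A non-empty "hijacked" list is the pattern from the first post; a non-empty "stale" list is the pinning caveat from the post above, and a stale pin is worse than no pin, since the hosts file wins over DNS and silently sends you to the old address.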
  15. ejames82

    ejames82 Registered Member

    Joined:
    Mar 23, 2007
    Posts:
    156
    noone_particular,

    You can see which you have by launching IE and clicking on "help", then "about Internet Explorer".

    Yes, I have IE7, and didn't even realize it. It must have been an uneventful upgrade, not that I mind that.

    If you're interested in learning about command line and batch files, this is one of the best sites I've seen for info.
    http://www.computerhope.com/msdos.htm
    http://www.computerhope.com/batch.htm


    In my Google searches I have happened upon this website countless times. The more I learn about it, the more impressed I am. I would consider becoming a member.

    Command line is very powerful, limited only by the users imagination and limitations imposed by Windows itself

    There is going to be a lot of command-line study for me in the immediate future because I just bought "Microsoft WINDOWS command-line" (at a yard sale for $1). I just hope this book isn't too "advanced" for me. I consider my ability intermediate at best.

    That's only one of many kinds of damage malware can do. Malware can use your PC to send spam, participate in DDOS (distributed denial of service) attacks, even hosting child porn.

    Not to mention getting in your email address book and sending infected emails to your friends, and getting in their email address book and infecting their friends, and on and on.
    How about infecting the songs? There are certain infections that have worm-like characteristics: if one song gets infected, they all get infected. If you share any of the infected songs, the new "clean" recipient is now infected, and all their songs are infected, and on and on.

    Quite often, the credit card companies are limited in what they can do for many reasons.
    The global nature of the problem and the lack of international cooperation.


    China and North Korea are not likely to hunt down and punish hackers of United States citizens.

    Identifying the actual parties responsible. They often use many layers of proxies, networks of hacked PCs, and other methods to protect their identity.

    How can proxies protect a perpetrator? A proxy still has to "hold" the incriminating evidence. I have to admit that I don't quite understand the technicalities of a proxy, but I would think that experts can sort through the numbers to find the hackers provided they get cooperation from the ISPs involved. Maybe the cooperation from the ISP is the biggest obstacle.

    Don't think for a minute that they're just absorbing the loss. They just pass the costs on to the cardholders as fees, higher interest rates,

    The good guy takes a beating, and the bad guy gets away with the money.

    The hosts file can be used to offset the problems found in DNS
    This works very well as long as the site's IP address doesn't change


    A knowledgeable user can bypass the DNS and deem it to be unreliable.

    I was unable to reply for a couple of days. My family had their annual get-together. I am going to study the thread again and see if there is anything else that may still be unclear or missed. I hope you continue to keep an eye on the thread, as you have been, and I will let you know about any questions that I may still have, or if I'm finally squared away.

    Thanks again, you have taught me a lot.
     
  16. ejames82

    ejames82 Registered Member

    Joined:
    Mar 23, 2007
    Posts:
    156
    noone_particular,

    I just thought I would give you a heads up about what I am doing. If you want to chime in with advice, it would be most welcome.

    I thought it would be more organized to update my hosts file when Spybot adds the new entries in with their immunize function. Yesterday they had over 450 new entries (I didn't add them yet; they have a function that just notifies you of the potential entries). So this was my plan.

    1. Run the MVPS, it may have new entries to add/remove.
    2. Immunize with Spybot, also may have entries to add/remove.
    3. Delete and create a new batch file @desktop, with the intention of recognizing the new list.

    Either I am not using MVPS properly, or it cannot be used in such a way that Spybot's entries cannot be added. When I add Spybot's entries via immunize, the progress bar doesn't just zoom right across like it normally does. It gets stuck at around 25% for about half a minute, then goes across to about 50% where it gets stuck again for about half a minute, then goes across to about 75% where it gets stuck again for about half a minute, then the progress bar completes.
    I checked the hosts file and when I click on the hosts file I "connect" to somewhere, which was something I didn't expect. I thought MVPS would do the same thing Spybot does, just add entries to the hosts file, not monitor them from a remote location. Is this the typical way that the MVPS programme works, from a remote location? Anyway, I used a comparator and the Spybot entries never got added.
    I have been googling and doing research about hosts file managers, which is what I was doing last night. I don't like the thought of adding another programme, but I like the thought of having both MVPS's and Spybot's entries together in my startup batch file on a permanent basis.

    Hope you can chime in with more expertise.
    Thanks again.
     
  17. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    The MVPS hosts file wouldn't cause your system to connect out unexpectedly. No matter whose version of a hosts file you use, the hosts file is plain text. There's nothing that could be done to it that would cause your PC to connect out unexpectedly. I'm not sure what SpyBot does to the hosts file. If it scans it for malicious entries, the size of the MVPS hosts file would explain the delays. Haven't used SpyBot since version 1.2, don't know how much has changed. Are you using SpyBot's real time protection? If you could capture a copy of the connection alert or the address your system is connecting to, I'll see what I can find out. I don't have XP, but I can set up a Win2000 test unit and check how SpyBot interacts with the hosts file.

    Regarding hosts file managers, I like HostsToggle. It lets you edit, change and save multiple hosts files if you choose to. Doesn't need to run all the time either. Just when you're doing something with the hosts file. It's not an installed program. Just unzip and use it.
     
  18. ejames82

    ejames82 Registered Member

    Joined:
    Mar 23, 2007
    Posts:
    156
    noone_particular,

    The MVPS hosts file wouldn't cause your system to connect out unexpectedly. No matter whose version of a hosts file you use, the hosts file is plain text. There's nothing that could be done to it that would cause your PC to connect out unexpectedly.

    Here is a brief rundown of what happens:

    1. I click on "hosts".
    2. A pop-up appears: "open with".
    3. I highlight "internet explorer".
    4. Click "ok".
    5. Here is the connection taking place. I took a screenshot at the perfect moment when I get the hosts file, yet the connection is still clearly stated.

    so MVPS is not "giving" me the hosts file. they are allowing me to "borrow" it from a remote location, so to speak. unless i am not using the programme properly, which is entirely possible. i can't imagine the average user finding this desirable, much less to highly recommend the programme. obviously, i suspect myself to blame, i think i am not using the programme properly.
    before the cart gets before the horse, i have a question:
    should i be highlighting "notepad" at step #3 instead of "internet explorer" and finding a way to use the captured list?

    I'm not sure what SpyBot does to the hosts file. If it scans it for malicious entries

    it has a list to give you, and looks at the list you already have. it adds entries that you don't have. i don't think it removes any. i haven't seen evidence of removal.
    i don't think it scans for malicious entries. if it could, it probably would. i don't think it can. it wouldn't surprise me if they are working on this. the way they add the hosts file entries is impressive/admirable. i have come to appreciate them for this.

    the size of the MVPS hosts file would explain the delays.

    but the spybot entries are not allowed to be added. MVPS has control over my hosts file from a remote location (it appears) and is rejecting the spybot entries from being added. i used a comparator, and i know there is no difference in the list after immunizing with spybot.

    Haven't used SpyBot since version 1.2, don't know how much has changed

    i have only had computers for 2 years. i don't think the immunize feature is much more than a year old.

    Are you using SpyBot's real-time protection?

    i don't use teatimer. i don't think there is another real-time protection process offered by spybot. i make a point to use no other real-time protection other than kaspersky. they tend to conflict. kaspersky claims in their documentation that they scan for "grayware", which could be classified as spyware as well as virus.

    If you could capture a copy of the connection alert or the address your system is connecting to, I'll see what I can find out.

    i know what needs to be done to accomplish this; i think i can do this with "active ports". i don't know if the kerio GUI can help with this, also there is the possibility of netstat helping, but i am not too good at that. i will definitely venture this endeavour and see what i can come up with.

    I like HostsToggle.

    i'm going to check this out.

    It lets you edit, change and save multiple hosts files

    just what i would want.

    Doesn't need to run all the time either. Just when you're doing something with the hosts file.

    i'm hoping like heck this is exactly what i need. it would be so nice to copy and paste the MVPS hosts file right in there, and with luck, the spybot entries could go in as well.

    thanks again, noone_particular!
     
  19. ejames82

    ejames82 Registered Member

    Joined:
    Mar 23, 2007
    Posts:
    156
    noone_particular,

    for some reason the attachment didn't work. i'll try it again.

    should i add this?
    (attachment: host file connecting.JPG)
     
  20. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    A text editor like Notepad, Wordpad, etc is much better suited for editing the hosts file. Using Internet Explorer to open the hosts file is responsible for a lot of the problems you describe, including the unexpected connection and probably the inability of SpyBot to add to its entries.
     
  21. ejames82

    ejames82 Registered Member

    Joined:
    Mar 23, 2007
    Posts:
    156
    noone_particular,

    you are absolutely correct. selecting internet explorer is what is causing my "connection" and the explanation is so simple that it makes me feel foolish. i tried using active ports, the kerio GUI, and netstat, to no avail. i was not connecting out. you know, the question that begs to be asked is: why is "internet explorer" even on that list? or another one, why the list? i understand where right-clicking and selecting "properties>read only" may have a valid purpose, but that list, at that specific place. i know there is a techy reason for it, and at the present stage of my development i may not understand it anyway. it could have been thought out better, perhaps.

    i downloaded hoststoggle and so far it still looks like i am unable to add the spybot entries when i immunize, however i am not sure. the last immunize had over 8000 items ready for me, but i can't really be sure that any were for the hosts file. they could have been for the internet options>privacy>sites, also there is a list at internet options>security>restricted sites>sites that has entries, probably added by spybot (MVPS doesn't do this, and i didn't do it). there could be other things that spybot does, other lists. maybe spybot didn't have any available entries for the hosts file at all, this time. it's too bad there wasn't a way to find out from the spybot GUI exactly what is being done by the immunize feature.
    how is the "load hosts" option used in hoststoggle? a pop-up similar to the "save as" window comes up with a choice of location, file name, type of file, hosts toggle files (tgl), txt, then "all files", and finally "open"? care to shed some light on this function? is this the function to use to inject the spybot entries? there are many threads about hoststoggle on google, but nothing really substantive. i was hoping for one guy explaining to the other guy how to use it, but i can find nothing close to that.
    i have never used wordpad, but i don't think it could be that difficult. should i just put all the hosts file entries on a wordpad and try to edit them into the hosts file?

    thanks again for your expertise!
     
  22. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Windows offers up that list when there isn't a specific application registered to open the file. Most files have an extension after the name which is associated with an application. Text files for example end in ".txt" which is associated with (registered to be opened by) notepad. Batch files ending in .bat or .cmd are associated with cmd.exe. The hosts file has no extension. Windows doesn't have anything registered to handle it, so it asks you what to use. Most files can be opened by several different applications but only one application can be the default handler of any given file type.
    When the "associate .tgl with HostsToggle" option is selected, HostsToggle will save backup and alternate hosts files with the .tgl extension as well as load the copies saved using that extension. The reason for the different file type loading options is to accommodate the different file extensions. It also makes it easier to find your copies by filtering out all the other file extensions from the listing. Some downloadable hosts files come as hosts.txt while others don't have an extension.

    Regarding SpyBot, I'll try to set up a testbox with it this weekend and see what if anything it does with the hosts file.
     
  23. ejames82

    ejames82 Registered Member

    Joined:
    Mar 23, 2007
    Posts:
    156
    noone_particular,

    i have gone over the thread a few times, done a bunch of investigating, and googling, and thinking, and i pretty much think i have everything squared away, but there are a few items that may need attention.

    Whenever you update the actual hosts file, just remember to save an additional copy under the name "edward" and replace the old copy of "edward" with it.

    this query is in regards to the copy that i keep in my documents.
    1. this file should be a list of entries that both MVPS and spybot have cumulatively assembled.
    2. does this file need to have an extension in the title? according to your earlier explanation, the answer is no.
    3. this copy, kept in my documents, is the only part that needs regular/repeated attention. if i replace it with the updated entries from MVPS and spybot, and change the hosts file itself with the same list, those changes become activated and used. from this point on, malware would love to infect this list, but would have no idea to go after a file by the name of "edward". the malware targets a file named "hosts". is this correct? the more unpredictable the name, the better the disguise, i assume.

    i did also take a stab at learning how to use the "load files" feature in hosts toggle. please let me know if i made any errors, or was inefficient in any way.
    1. i copied and saved my original hosts file in hosts toggle with .txt extension
    2. renamed with a .tgl extension
    3. right-clicked on icon and chose "load file"
    4. clicked on original.tgl and clicked on "open"
    5. pop-up window says "original.tgl has been made the active hosts file"
    6. later replaced that file with a new, updated MVPS/spybot file
    7. replaced "my documents>edward" file with updated file.

    let's hope this all works the way i want it to. the hosts toggle documentation explains about a way to test this. this is my next venture to test it out. i already read it, and it actually sounds very easy in comparison to everything else you have helped me with. i am going to be crushed if my hosts file setup fails the test.

    Regarding SpyBot, I'll try to set up a testbox with it this weekend and see what if anything it does with the hosts file.

    routine work for you, i'm sure.
    the immunize number escalated up to 8080, yet after immunizing, there were only 3 new entries added to the hosts file, and one entry was actually removed. so there is a lot more that is being done by spybot than just the entries in the hosts file. right after posting this, i am going to see what google tells me about it. it will be interesting.

    thanks again.
     
  24. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    I installed SpyBot on a 2K test unit. Using the original sample hosts file, the immunize function added 9118 entries that brought the total file size to 256KB. I removed that hosts file, then added the MVPS hosts file dated 8/6/2008. File size was 702KB as displayed by windows explorer. The SpyBot immunize function showed the MVPS hosts file already contains 1038 of the 9118 entries SpyBot wanted to add. FYI, the MVPS hosts file contains over 18200 entries of its own. When I ran the immunize, SpyBot added the missing 8080 entries to the hosts file after the MVPS entries. Oddly enough, it also removed 3 of the entries from the original MVPS hosts file. Don't know why. After running immunize on top of the MVPS hosts file, it contained a total of 26284 entries and was 927KB in size. SpyBot does check the hosts file contents, both adds and removes entries, and can work with the MVPS hosts file.

    When I used the immunize function, I unchecked everything except the hosts file, immunizing it only. SpyBot did complain about the browser being open and potentially interfering with the immunize process. Having the hosts file open in a text editor could cause the same problem.
    To an extent, that's true, but for malware to alter your hosts file, it has to already be infecting your system, which means your primary defenses have already failed. If your system is kept clean, malware won't be able to touch the hosts file. Either way, it isn't likely to even check for backup copies using other names. A batch file that overwrites the hosts file with a backup copy at startup would undo any damage malware would do to the hosts file, but it would not do anything about the malware itself.
     
    Last edited: Sep 1, 2008
  25. ejames82

    ejames82 Registered Member

    Joined:
    Mar 23, 2007
    Posts:
    156
    noone_particular,

    i got a little crazy with the calculator.

    the immunize function added 9118 entries that brought the total file size to 256KB.

    that's .0280763 KB per entry

    then added the MVPS hosts file dated 8/6/2008. File size was 702KB as displayed by windows explorer. The SpyBot immunize function showed the MVPS hosts file already contains 1038 of the 9118 entries SpyBot wanted to add. FYI, the MVPS hosts file contains over 18200 entries

    .0385714 KB per entry

    After running immunize on top of the MVPS hosts file, it contained a total of 26284 entries and was 927KB in size.

    .0352686 KB per entry

    i wonder why there is a difference in size per entry. also, i think at a quick glance, that the MVPS targets adware-type sites in general, and spybot focuses on a lot of porn. i'm glad i have a mix of the two.


    i have assembled a little collection about spybot's immunize function that i think you would be interested in. i don't know whether the links will work by just clicking on them. there is a little info that is the "beef" of each link.

    http://forum.networktechs.com/archive/topic.php/t-2461.html

    Registry entries get added
    which act as kill bits to known spyware ActiveX controls. Because of
    these registry entries, any AX control that uses that class ID will not
    be allowed to run.

    http://www.htworkshop.com/freeinfo_about_spybot_immunize.htm

    Spybot's "Immunize" feature adds entries to the Windows Registry
    which has the following effects on IE (Internet Explorer browser):

    * Blocks cookies from certain websites.

    * Places certain websites in the IE restricted zone and
    locks down the IE if you visit one of those nasty websites.

    * Blocks the download/execution of selected ActiveX scripts.

    http://www.htworkshop.com/freeinfo_procedure_spybot.htm

    The Immunize feature in Spybot inserts a list of known dangerous websites into IE's (Internet Explorer browser) Restricted Security Zone. After that, if you ever happen to visit one of those websites, IE automatically locks down into a secure mode where things like ActiveX & Scripting are disabled. ActiveX and scripting can be used to install spyware onto your computer.


    so, in brief, spybot does this with the immunize function:

    1. adds entries to the hosts file
    2. adds entries to the internet options>security>restricted sites>sites
    3. adds entries to the internet options>privacy>sites
    4. adds beneficial entries to the registry


    for malware to alter your hosts file, it has to already be infecting your system

    can't an act as innocent as a simple google search cause infection? the infections are actually in the search results occasionally, not even in the sponsored links, which most of us know to be bad news. and like you said earlier, is there such a thing as a trusted site?

    i have to confess that i have been slacking off, i still haven't tested my hosts file. i will do that within the next couple of days and let you know.

    you have been awesome. thank you so much noone_particular!
     