AdAware and Hosts File

Discussion in 'other anti-malware software' started by Dazed_and_Confused, Aug 9, 2004.

Thread Status:
Not open for further replies.
  1. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    For some reason it appears that when I ran an AdAware scan today it listed a bunch of blocked sites that I added a couple of months ago (using Spybot S&D) to my Hosts file. Am I misreading these results, and is this really a security issue, or is this a false alarm? o_O See below. Thanks!
     

    Attached file: AA.gif (32.4 KB, screenshot of the scan results)
  2. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    As long as the entries are being redirected to 127.0.0.1, you're OK. I would say false alarms.

    Nick
     
  3. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    Thanks, Nick. I thought so, but wanted to make sure. I wonder why the folks at AdAware would not have the app check to see if a 127.0.0.1 address is associated with the entries. o_O o_O
     
  4. FanJ

    FanJ Guest

    Hi Daisy,

    Nick is right.
    Something similar is mentioned at the MVPS-HOSTS site.

    Indeed: just ignore them if they are redirected to 127.0.0.1 like Nick already posted :)

    Cheers, Jan.
     
  5. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    I use the MVPS hosts file and set Ad-Aware to ignore the hosts file. The MVPS hosts file has about 6000 entries.

    Nick
     
  6. Tassie_Devils

    Tassie_Devils Global Moderator

    Joined:
    May 8, 2002
    Posts:
    2,514
    Location:
    State Queensland, Australia
    As Nick says "Ignore" them... whatever you do, DON'T DELETE.... those are the redirected "bad" sites back to you so you cannot get to them from a hosts file... 127.0.0.1

    You will only get an alert once you ignore them, when you update a new lot of hosts files.

    In your scan, the next time AdAware will say how many items you've set in Ignore Section.

    The reason AdAware 'sees' them, is the 'redirection' aspect of those, as that is what spyware will do to your security apps so they cannot be updated. Each time you try to connect to the update site then, it simply redirects back to your home machine.

    Just a little more info. :)

    TAS
     
  7. FanJ

    FanJ Guest

    Nevertheless I wonder exactly the same as Daisy posted:

    "I wonder why the folks at AdAware would not have the app check to see if a 127.0.0.1 address is associated to the entries."

    Just like I'm wondering for example why PestPatrol sometimes doesn't check the DWORD of a registry-entry (example: a registry-entry put there by IE-SPYAD, to put a site in the Restricted Zone of IE).
     
  8. Brent

    Brent Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    71
    Same thing happened to me
     
  9. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    Thanks to everyone for their helpful replies. :)

    When the entries showed in the Ad-Aware scan, I added them (60 entries) to the ignore list. When you say that you "set Ad-Aware to ignore the hosts file", did you do this same thing (just ignore every single entry as it is detected during a scan), or is there a way to simply tell Ad-Aware to always ignore everything in the Hosts file?


    Edit: By the way, there are a LOT more entries in my Hosts file. Not sure why Ad-Aware just now decided to start flagging only 60 of them. o_O
     
  10. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Here's where I disabled the hosts file scan. I like to manage the hosts file myself.

    Nick
     

    Attached file: (screenshot of the scan settings, not preserved)
  11. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    Aah. Found it. Thanks, Nick. By the way, are you aware there is a new version of Ad-Aware?
     
  12. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    I know. I bought the Plus version a long time ago. So I'm waiting for my free SE Plus upgrade e-mail.

    Nick
     
  13. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
    You lot know more about these things than I do, but isn't it because malware puts 127.0.0.1 entries into the hosts file to stop you DL'ing HJT, online scanners etc?
     
  14. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Good point. The hosts file can be a two-edged sword.

    Nick
     
  15. Tassie_Devils

    Tassie_Devils Global Moderator

    Joined:
    May 8, 2002
    Posts:
    2,514
    Location:
    State Queensland, Australia
    Yes, that can be a problem... you really have to check the entries listed.
    Must admit I nearly fell off chair first time it happened, as it was near the very end of scan and up pops all these, especially when I saw the words 'CoolwebSearch' at end of lists, until I checked. :)

    TAS
     
  16. dog

    dog Guest

  17. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
    Do you know if that is the only update for this new version? Because if it is I'll keep the one I've got, it seems to make more sense to me. o_O
     
  18. dog

    dog Guest

    It's all I noticed so far. ;)

    As for this ... well ... seeing as you have this knowledge ... you can always check your hosts file for bad entries if something should go wrong ... but a modified hosts file will help prevent malware from adding entries to begin with ... you can also set the file to read-only for a ~little~ added protection.

    But I think not picking up these F/P's is much better for the less advanced user ... as they'll most likely delete the found F/P's and lose the protection afforded them by their modified hosts file.

    dog - *puppy*
     
  19. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
    Thanks, dog *puppy*. I did a scan then put the results from my hosts file in ignore, so if anything shows up it should be malware. And, after reading your post I set it to read-only ;) , and have it locked with Spybot. But I'll have to check and see what was in the update. Thanks *puppy* :D *puppy*
     
  20. dog

    dog Guest

    NEW features in Ad-Aware SE Professional edition

    Applicable to both 1.01 & 1.02 - I can't find any details about the version 1.02 update ... other than what I noticed in regards to no longer reporting the F/P host redirects.

    Code:
    NEW features in Ad-Aware SE Professional edition

    - New command line parameters that allow for silent and automated operation of Ad-Aware

    - UNC support for remote storage of Preferences, definitions, and log files

    - New results screens and detailed statistics

    - Improved logging and reporting

    - Hardened against third party uninstall with encrypted preference files

    - Links to more information on detected content from our website

    - New safety option that allows you to write protect sensitive system files such as the Hosts file

    Scanning engine improvements
        Extended Memory scanning
        Now scans all modules loaded by a process
        Uses our all new CSI (Code Sequence Identification) technology to identify new and unknown variants of known targets
        Extended protection against DLL-injection, SE can unload process modules on the fly

    Extended Registry scanning
        Now scans registry branches of multiple user accounts
        Performs additional smart checks to detect dynamically created references
        Scanning speed noticeably faster
        Extended Scanning for known and unknown/possible Browser-Hijackers

    Extended Disk scanning
        Now scans and lists alternate Data-streams on NTFS volumes
        Now Ad-Aware supports scanning of Cabinet files (including spanned archives)
        Scanning speed increased

        Improved Hosts-file scan
        Now Ad-Aware and Ad-Watch use much smaller reference files

    Several User Interface improvements
        Improved Graphical UI
        Ad-Aware now supports custom graphical Skins
        More user friendly Plug-in/Extension GUI (Plug-ins and Extensions now shown on separate screens)
        New Scan Result view, includes a scan summary and detailed view
        Ad-Aware now linked to the online TAC database

    Multiple New Tweak options
        Unloading of process modules during a scan
        Obtaining command line of scanned processes
        Ignoring spanned cab files
        Scan registry for all users instead of current user only
        Permanent archive caching
        Always try to unload modules before deletion
        Disable manual quarantine if auto quarantine is selected
        Block pop-ups aggressively
        Load Ad-Watch minimized
        Hide Ad-Watch tray icon
        Write protect system files after repair
        Limit drive selection to fixed drives
        Use gridlines in item lists
        Log file detail section condensed

    Process-Watch
        Improved Process-Watch scanning capabilities and scanning speed (using the new CSI technology)
        Several Process-Watch Interface improvements
        Option to create a Hexdump of the process memory or dump the process memory to disk

    Several logfile improvements
        Includes support for separate removal logfiles
        Allows adding a Reference summary/index to logfiles
        Logfile contains overall more detailed information

    Ad-Watch (*Plus version)
        Several GUI improvements
        Ad-Watch now supports Cookie Blocking
        Site-manager to edit the popup-blacklist included
        Ad-Watch now uses the new CSI technology to detect new and unknown variants of known targets
        New Ad-Watch configuration screen
        New rules editor for pre-defined blocking exclusions
        Support for hiding the Ad-Watch tray icon for unattended operation
    dog - *puppy*
     
  21. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
  22. JRosenfeld

    JRosenfeld Registered Member

    Joined:
    Jul 26, 2004
    Posts:
    117
    Actually, it still picks up some: 1.02 SE (free version), latest update, flagged this in big red letters:

    Warning!
    Bad Hosts file entry: 127.0.0.1:only-virgins.com


    Win32.Delf.Trojan.A Object Recognized!
    Type : Hosts file
    Data : 127.0.0.1
    Category : Malware
    Comment :
    Bad Hostfile entry : 127.0.0.1:only-virgins.com

    That entry in the hosts file is perfectly correct and to flag it in red on the critical list will only cause unnecessary scare to the less experienced. Letting AdAware fix it (assuming that they have thought about the possibility that my hosts file is read only) would actually put me at greater risk, should I ever be tempted to pay the virgins a visit :).

    As for the point made higher up in this thread (sorry, forgot by whom) that malware can redirect 'good' sites to 127.0.0.1, true, but AdAware would not flag those anyway, unless somehow it built up a database of 'good' sites.

    What I would like it to flag are entries redirecting to other than localhost (usually 127.0.0.1), which malware often does too (redirecting to their own sites, for example). It could also check that the hosts file has been set to read only, which is a good first line of defence against malware writing into it (not foolproof, of course, it's not difficult to bypass if the malware programmer wants to, just one extra little hurdle).

    I made the point on the Lavasoft boards, calling the above example a false positive, but they claim it is a 'feature'. Still, they have passed on the comments to their development team, so maybe things will change in some future update.

    PS No idea where those emoticons have sprung from...underneath it says only-virgins.com.
     
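    The distinction the thread keeps coming back to (posts 6, 13, 18 and 22) is between a hosts entry that sinks a name to 127.0.0.1 (a block-list entry, harmless) and one that sinks a security vendor's update site or redirects a name to a routable address (the malware pattern). Below is an added example of an audit that makes exactly that split and also reports whether the file is read-only, as suggested in post 18. It is not Ad-Aware's, Spybot's or MVPS's code; the sample hosts text, the `PROTECTED_HOSTS` list and the hostnames in it are constructed placeholders for illustration.

```python
"""Audit a hosts file: block entries versus malicious lockouts and redirections.

Added example for this thread, not code from Lavasoft, Spybot or the MVPS list.
The sample hosts text and PROTECTED_HOSTS are constructed assumptions.
"""
import ipaddress
import os
import stat
from typing import Dict, List, Tuple

# Constructed: hostnames whose blocking would cut you off from security
# updates. A real audit would load a vendor-maintained list here.
PROTECTED_HOSTS = {
    "update.example-av.com",
    "www.example-antispyware.net",
}

# Constructed sample, not a real hosts file. 203.0.113.7 is a documentation
# address (TEST-NET-3) standing in for an attacker-controlled host.
SAMPLE_HOSTS = """\
# MVPS/Spybot-style block entries plus two malicious ones
127.0.0.1       localhost
127.0.0.1       only-virgins.com              # harmless: sinks the name
0.0.0.0         ads.example.net tracker.example.net
127.0.0.1       update.example-av.com         # lockout: sinks an update site
203.0.113.7     www.example-antispyware.net   # hijack: real redirection
::1             localhost
"""

Entry = Tuple[int, str, str]  # (line number, address, hostname)


def parse_hosts(text: str) -> List[Entry]:
    """Parse hosts-file text, tolerating comments, tabs and several names per line."""
    entries: List[Entry] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        body = raw.split("#", 1)[0].strip()
        if not body:
            continue
        addr, *names = body.split()
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            continue  # first token is not an IP address: skip malformed line
        for name in names:
            entries.append((lineno, addr, name.lower()))
    return entries


def classify(entries: List[Entry]) -> Dict[str, List[Entry]]:
    """Split entries into three buckets.

    sink:     name mapped to loopback/unspecified (the legitimate block form)
    lockout:  a protected update site mapped to loopback (malware style)
    redirect: name mapped to a routable address (malware style)
    """
    report: Dict[str, List[Entry]] = {"sink": [], "lockout": [], "redirect": []}
    for entry in entries:
        _, addr, name = entry
        ip = ipaddress.ip_address(addr)
        if ip.is_loopback or ip.is_unspecified:
            report["lockout" if name in PROTECTED_HOSTS else "sink"].append(entry)
        else:
            report["redirect"].append(entry)
    return report


def mode_is_read_only(mode: int) -> bool:
    """True when the owner write bit is clear in an st_mode value.

    On Windows, os.stat() derives this bit from the file's read-only attribute.
    """
    return not (mode & stat.S_IWRITE)


def audit_file(path: str) -> Dict[str, object]:
    """Run the checks against a hosts file on disk (e.g. the Windows hosts file)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        report: Dict[str, object] = dict(classify(parse_hosts(fh.read())))
    report["read_only"] = mode_is_read_only(os.stat(path).st_mode)
    return report


if __name__ == "__main__":
    result = classify(parse_hosts(SAMPLE_HOSTS))
    print(f'{len(result["sink"])} harmless block entries')
    for bucket in ("lockout", "redirect"):
        for lineno, addr, name in result[bucket]:
            print(f"{bucket.upper():8} line {lineno}: {addr} -> {name}")
```

    Only the "lockout" and "redirect" buckets deserve a red warning; the "sink" bucket is what a scanner that keys purely on 127.0.0.1 flags as a false positive. The read-only check is, as post 22 says, a hurdle rather than a defence: anything running with write access to the file can clear the attribute first.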
  23. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    From the Lavasoft Product Updates page:
    Ad-Aware SE 1.03 Now Available, New definition file included

    Note
    Re-ran Adaware 1.02 and the....127.0.0.1 only-virgins.com Hosts entry....was still being flagged. I then installed the new 1.03 defs.ref file....and it no longer flags the above mentioned Hosts entry.
     
  24. JRosenfeld

    JRosenfeld Registered Member

    Joined:
    Jul 26, 2004
    Posts:
    117
    Yes, 1.03 has fixed it! So now I have nothing more to grumble about :)
     
  25. FanJ

    FanJ Guest

    Hi,

    It is the board software that "translates" the characters ":" and "o" immediately after each other into that emoticon.

    If such a thing happens and you don't want it to happen, then (when you are making your posting) put a checkmark in the box "Disable smilies in text" in the "Additional Options" at the bottom.
     
