Hosts file is detected as malware in Windows Defender

Discussion in 'other security issues & news' started by siljaline, Oct 5, 2012.

Thread Status:
Not open for further replies.
  1. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    http://support.microsoft.com/kb/2764944/en-us
    In this scenario, the Hosts file is detected as a SettingsModifier:Win32/PossibleHostsFileHijack malware threat by Windows Defender.

    For those that run a custom Hosts file, please see the MS KB to exclude this file from detection.
     
  2. ComputerSaysNo

    ComputerSaysNo Registered Member

    Joined:
    Aug 9, 2012
    Posts:
    1,413
    Honestly, you should not be able to modify the host file. I can understand why WD picks it up as malware.
     
  3. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    You should not be able to modify the Hosts file, but, many run non-native Hosts files. It's fair that WD flags a non-native file as an intrusion. Question is, how many going to W8 with a user defined file will have it trashed by WD. Many elsewhere are finding this action by MS rather confounding.
     
  4. PJC

    PJC Very Frequent Poster

    Joined:
    Feb 17, 2010
    Posts:
    2,959
    Location:
    Internet
    Confusing, indeed...:doubt:
     
  5. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    So, you're saying that whenever a DNS issue prevents a domain name from resolving to its IP address, then I can't temporarily solve that issue by mapping that domain to its IP address in the hosts file, until the issue is solved? o_O Wouldn't that be stupid?
     
  6. ComputerSaysNo

    ComputerSaysNo Registered Member

    Joined:
    Aug 9, 2012
    Posts:
    1,413
    Since when does that happen?
     
  7. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Since when what? DNS issues? Not so long ago some users of this forum were having issues accessing it, due to DNS issues. I was one such user, and the solution was to map www.wilderssecurity.com to its IP address. Problem solved.

    That's just one tiny example.
     
  8. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
  9. ComputerSaysNo

    ComputerSaysNo Registered Member

    Joined:
    Aug 9, 2012
    Posts:
    1,413
    Well you really don't need to modify the HOST file. That's a bit silly. Anyway it will be picked up as malware by every AV scanner on earth so what's the point?
     
  10. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Why is it silly? Care to explain? I mentioned a valid scenario where one would want to use the hosts file, so one can access a given domain. So, how is it silly?

    Regarding the detection... one doesn't really need to use an antivirus either... so... ;)
     
  11. ComputerSaysNo

    ComputerSaysNo Registered Member

    Joined:
    Aug 9, 2012
    Posts:
    1,413

    Well if you can't live without a website being down for 2 hours then :p But I don't think it's best practice to modify the HOST file, malware does that good enough already.

    And yes, very true.. You really don't need an AV either. Most are utter junk.
     
  12. The Red Moon

    The Red Moon Registered Member

    Joined:
    May 17, 2012
    Posts:
    3,871
    What AV would you recommend then, considering most are junk in your opinion?
    Strange comment. o_O
     
  13. Eagle Creek

    Eagle Creek Global Moderator

    Joined:
    Jul 27, 2004
    Posts:
    734
    Location:
    The Netherlands
    I've noticed the same issue 2 days ago. However, I noticed it on a Windows 7 Professional system, not Windows 8!

    I ignored the warning because deleting the host file didn't seem very wise. I thought it was caused by an update from WinDef, and because I did have some custom entries in my host file I didn't pay much attention to it.

    I've noticed MS has put out the advice to add the host file to the exclusion zone, which doesn't sound like a solid solution. I doubt the exclusion will be automatically removed once the problem has been solved.
     
  14. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Well, whether or not someone can't wait 2 hours for a website to be up, it will depend on whether or not it will be problematic for more than 2 hours, and whether or not we're dealing with an important website.

    Also, with the exception of malware, modifying a hosts file bears no harm to the system. And, under certain scenarios it actually brings benefits. :)
     
  15. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    @m00nbl00d

    I agree 100% with you and think the hosts file is great. There are other files as well, but hosts is most popular.

    If this thread is any indication of reality, maybe the whining of the ignorant to M$ has caused this.

    Sul.
     
  16. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    MS have decided on several new scenarios with Windows Defender; the main change is detecting non-native Hosts files as malicious.

    They are giving you these choices:

    A- Set "WD" not to detect a foreign Hosts file, this has been riding on my sig in case no one noticed. :cautious:

    B- Don't use a non-native Hosts file, most choose to, others don't.
    I'm not political and don't run Polls, you need to decide for yourself if the benefits a Hosts file offers outweigh the issues of running one.
    I would sooner (opinion) rely on my anti-virus | anti-malware app for protection with WD disabled, but that's me. This thread is not about disabling apps.

    @MODS
    C- Those that are here to berate others that don't quite get the concept of these should pack up and take their business elsewhere as this is a Moderated Computer discussion Forum.
     
  17. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    The Microsoft entry is slightly misleading. As far as is known, it isn't ANY or ALL entries in a hosts file that will be flagged by Defender and alerted on, but only many entries pointing to 127.0.0.1 and to certain well-known websites like Microsoft, Google, Facebook, Adobe & DoubleClick etc. that malware routinely attempts to divert, when an unknown IP address is listed in it.

    This all came up in testing a few weeks or months ago when Defender automatically blocked adding many sites to the hosts file.
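    The heuristic dvk01 describes (many well-known domains pointed at 127.0.0.1, or a well-known domain pointed at some unknown non-loopback address) can be checked offline. The script below is an added example, not Microsoft's or Windows Defender's actual detection logic; it runs over a constructed hosts file, and the watched-domain list and the threshold of three loopback entries are assumptions.

```python
import ipaddress
# Constructed sample hosts file (not taken from any real system).
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost
127.0.0.1       ads.tracker.example      # ordinary ad-blocking entry
127.0.0.1       www.microsoft.com
127.0.0.1       update.microsoft.com
127.0.0.1       www.google.com
127.0.0.1       www.facebook.com
203.0.113.7     www.adobe.com            # well-known site sent elsewhere
203.0.113.7     doubleclick.net
"""

# Domains the post names as routine hijack targets (assumed list).
WATCHED_SUFFIXES = ("microsoft.com", "google.com", "facebook.com",
                    "adobe.com", "doubleclick.net")

def parse_hosts(text):
    """Yield (ip, hostname) pairs; comments and blank lines are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        for host in fields[1:]:          # one IP may carry several names
            yield fields[0], host.lower()

def is_watched(host):
    """True if host is a watched domain or a subdomain of one."""
    return any(host == s or host.endswith("." + s) for s in WATCHED_SUFFIXES)

def analyze_hosts(text, loopback_threshold=3):
    """Flag many watched domains pointed at loopback, or any watched domain
    pointed at a non-loopback address (the behaviour the post describes)."""
    loopback_hits, redirected = [], []
    for ip, host in parse_hosts(text):
        if not is_watched(host):
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:               # malformed field, not an IP at all
            continue
        if addr.is_loopback:
            loopback_hits.append(host)
        else:
            redirected.append((host, ip))
    suspicious = len(loopback_hits) >= loopback_threshold or bool(redirected)
    return {"loopback": loopback_hits, "redirected": redirected, "suspicious": suspicious}
```

    A single custom mapping such as the www.wilderssecurity.com workaround mentioned earlier in the thread is not touched by this check, because that domain is not on the watched list.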
     
  18. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Who was berated?

    Sul.
     
  19. AlexC

    AlexC Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    1,280
    Will Windows Defender apply actions automatically -in default settings- when that detection occurs? :doubt:
     
  20. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
  21. ComputerSaysNo

    ComputerSaysNo Registered Member

    Joined:
    Aug 9, 2012
    Posts:
    1,413
    Yeah, I don't think it's best practice to modify the HOST file... For whatever reason..
     
  22. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I also don't believe in modifying Windows/other default installations (that includes third-party software), but we all do it, don't we? ;) So, we're going to have to agree to disagree on this one. :)
     
  23. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,723
    Location:
    localhost
    Yes, but it is not officially supported.
     
  24. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    What isn't? Installing, say, Adobe Reader X? By installing any application we're altering the system. It's not any different from the hosts file, really. A change is a change, regardless of its nature. Any antivirus will have false positives/flag potential unwanted applications. Are we going to stop using such applications because of that? I don't think so. :)

    Heck, even a system "hack" is welcome, provided that it benefits our use of the system, even if some "crazy" AV flags it. Who cares if it isn't officially supported by Microsoft. :D

    In this specific case, Microsoft has Windows Defender flag a hosts file modification as PossibleHostsFileHijack. It fits in the potentially unwanted modification (in the image of a potentially unwanted application :D) category.
     
  25. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,851
    So basically this detection is actually a bug fix: whereas before it would invisibly "clean" the HOSTS file, it now properly tags that action.
     