Hosts file is detected as malware in Windows Defender

Discussion in 'other security issues & news' started by siljaline, Oct 5, 2012.

Thread Status:
Not open for further replies.
  1. m00nbl00d

    m00nbl00d Registered Member

    By the way, I remember some older thread where some users also reported MSE cleaning their hosts file for those same entries? If I recall correctly, when I tested it, MSE seemed to ignore the entries using 0.0.0.0 instead of 127.0.0.1. Unless Microsoft changes its behavior (to detect the modifications), then 0.0.0.0 might be a workaround for those not wanting to exclude the hosts file from MSE's detection. But, I'm not sure if anything has changed in the meantime... :doubt:
     
  2. siljaline

    siljaline Registered Member

    MS is stating that unless you set the exclusion - Defender will eat your non-native Hosts file. So, yes, MS is coming clean by saying Defender's default action is to examine and render your Hosts file to default if it's been altered.
     
  3. fax

    fax Registered Member

    This is what Microsoft suggests the hosts file is for: http://technet.microsoft.com/en-us/library/cc751132.aspx not a 127.0.0.0 cemetery :)
     
  4. m00nbl00d

    m00nbl00d Registered Member

    So, it seems that I'm following Microsoft's suggestion. https://www.wilderssecurity.com/showpost.php?p=2125977&postcount=7

    But, others are against even this, which has been precisely the focus of my posts. The hosts file has its benefits, and it is to be used when we need those benefits. Not simply refute them, just because someone thinks these changes are evil... :argh:

    Then again, Microsoft also recommends excluding certain operating system areas from antiviruses scanning engines. Whether this is or not a good practice for those needing an antivirus is to be seen... -http://support.microsoft.com/kb/822158

    So, it seems that with everything we do there are benefits and risks involved. It's up to us to decide if we should accept the benefits and go for it; or, if we'll be afraid of the risk and bend over. :D
     
  5. m00nbl00d

    m00nbl00d Registered Member

    By the way, this whole discussion got me thinking.

    If the user is to be screwed by malware, then the user will be screwed anyway. Example: What would prevent an attacker from mapping some domain name, even one of those ad domains, to an IP address other than the localhost address (127.0.0.1)?

    In that scenario, it won't flag anything. There's no way for Microsoft to know which IP address a given domain resolves to, unless it's a static IP address.

    And, what exactly would be the problem of a malicious program mapping some ad domain name to 127.0.0.1? They would be doing the user a favor, actually, and it would be the least of the user's concern. lol
     
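    An added example (not code from any poster in this thread) of the check a defender could run over their own hosts file: it separates MVPS-style blackhole entries (127.0.0.1 / 0.0.0.0 / ::1) from entries that point a name at a routable address, which is the case post 5 says cannot be judged by the address alone. The sample file contents and domain names are constructed.

```python
import ipaddress

# Constructed sample hosts file in the Windows format: address, then one or
# more hostnames, '#' starts a comment. The entries are made up for this example.
SAMPLE_HOSTS = """\
# Sample header comment
127.0.0.1       localhost
::1             localhost
# MVPS-style blocking entries
0.0.0.0         ads.example.net
127.0.0.1       tracker.example.org   # blocked ad domain
# The kind of entry post 5 describes: a name pointed at a routable address
203.0.113.10    login.example-bank.com
"""

def parse_hosts(text):
    """Yield (address, hostname) pairs; comments and blank lines are skipped."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed address field: skip rather than guess
        for host in fields[1:]:
            yield addr, host.lower()

def audit_hosts(text):
    """Classify entries: the default localhost lines, harmless blackholes
    (loopback or unspecified address, i.e. the MVPS blocking case), and
    redirects to any other address, which deserve a manual look."""
    report = {"loopback_names": [], "blackhole": [], "redirect": []}
    for addr, host in parse_hosts(text):
        if addr.is_loopback and host == "localhost":
            report["loopback_names"].append(host)
        elif addr.is_loopback or addr.is_unspecified:
            report["blackhole"].append(host)
        else:
            report["redirect"].append((host, str(addr)))
    return report

if __name__ == "__main__":
    for kind, entries in audit_hosts(SAMPLE_HOSTS).items():
        print(kind, entries)
```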
  6. elapsed

    elapsed Registered Member

    As far as I'm aware even 127.0.0.1 can be marked as suspicious by MSE.
     
  7. siljaline

    siljaline Registered Member

    For those of you that updated to and run MVPS Hosts, ensure that you have set the Hosts file exclusion.
     
  8. siljaline

    siljaline Registered Member

    See: This post. It took ages for MS to disclose that Windows Defender under Windows 8 will shred your custom Hosts file unless it is set at exclude. If WinDef under Win 7 is shredding your Hosts file, PM me and we'll look at the situation as I can escalate this to MS.

     
  9. gerardwil

    gerardwil Registered Member

    May I ask who do you mean with "we"?
     
  10. siljaline

    siljaline Registered Member

    You - me, anyone willing to investigate.
     
  11. siljaline

    siljaline Registered Member

    Some have asked elsewhere if this applies to custom Hosts files under Windows 8. As already discussed, but as a reminder, Windows Defender does require exclusion from detection. If anyone determines that action is happening under Windows 7, please let us know.

    Thanks!
     