Is not Prevx supposed to protect the hosts file?

Hello,

my setup:
Prevx: real time protection
Dr.Web & Counterspy: on demand (real time disabled)
Once a month I do an on demand scan with Dr.Web & CS

Yesterday, during an on demand scan Dr.Web notified me that the hosts file had been changed. A closer look at the hosts file indicated that "start of entries inserted by Spybot Search & Destroy".
Dr.Web made it possible to go back to the "original" hosts file which I did.

I remember when making the latest UBCD4Win I included Spybot in UBCD4Win.
This is probably when the hosts file has been altered.

Should not I have gotten a warning from Prevx

 

If you modified the HOST file from a boot cd how can prevx give you a warning (as it was not loaded)?

Anyway I am pretty sure (with safeonline anyway) that you are given an alert when you try to access a website that has a HOSTS file entry for it, not before.

 

As Joe stated in this post:

And yes Spybot adds "start of entries inserted by Spybot Search & Destroy" entry in the hosts file.

 

I did not.

When I wanted to burn UBCD4Win to CD, the program appeared to be too large for CD. I removed a couple of programs, Spybot being 1 of them, to fit the program on CD( before removal of Spybot, I had updated its signatures). Thus Hosts file has not being modified from boot cd (spybot was not on boot cd).

I have just finished doing the same thing again.

*I selected proggies I wanted to have on CD
*I had Spybot in the selection. I updated its signatures.
*After building (before burning to CD) I noticed that the hosts file has been changed. Confirmed
by Dr.Web.

No warning at all of Prevx. All the things mentioned above I do when I am in windows and Prevx is running.

After this I ran a scan and a deep scan with Prevx, but nada, nichts, nothing





# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

# This HOSTS file created by Dr.Web Scanner for Windows

127.0.0.1 localhost
# Start of entries inserted by Spybot - Search & Destroy

~~~ Removed sample websites from post as these are links to bad (spam, malware, porn and phishing) websites ~~~

List is longer: total 351 KB

 

Prevx will detect malicious hosts file entries (i.e. ones that redirect AV websites) and SafeOnline will warn the user and correct the hosts file if they are being redirected while browsing.

Legitimate modifications to it for blocking spam, etc. won't be warned about as the hosts file is a core operating system component which is used legitimately by a number of different services.

Let me know if you have any questions with it