PrevX 3 and hosts file monitoring

Discussion in 'Prevx Releases' started by pling_man, Feb 13, 2010.

Thread Status:
Not open for further replies.
  1. pling_man

    pling_man Registered Member

    Joined:
    Feb 11, 2010
    Posts:
    463
    Location:
    UK
    I have entries in my hosts file to prevent access to a number of rogue sites (I am using the MVPS hosts file).

    Each in the hosts entry looks like:

    127.0.0.1 xxx.etracker.de

    (note xxx means www as I don't want to link to it inadvertantly here)

    This means if I type xxx.etracker.de into my browser I do not get the website but a harmless "null" point.

    With SafeOnline installed, I get a popup window saying:

    "High Risk: Web site access is blocked by hosts file (hxxp://xxx.etracker.de/)

    The request to visit this web site has been blocked by a localhost 127.0.0.1 entry in your hosts file. To visit this site you need to remove the 127.0.0.1 entry for it from your hosts file."

    It gives me three buttons to Close, Ignore, or Fix.

    Fix removes the entry from the hosts file, which I don't want.
    Close closes the browser which is inconvenient.
    Ignore adds the file to the list of protected sites (but with security set to none) so that it is ignored subsequently.

    Should the Ignore option be doing this?

    Forgive me if this is obvious to the experts here. I'm just trying to understand this for the first time.
     
    Last edited: Feb 13, 2010
  2. MaxEntropy

    MaxEntropy Registered Member

    Joined:
    May 21, 2009
    Posts:
    101
    Location:
    UK
    I also use the MVPS Hosts file. Some malware tries to prevent users from accessing security websites by modifying the Hosts file. If Prevx missed this modification (or maybe the Hosts file was modified before installing Prevx) then it seems reasonable to offer the user the option of unblocking a site that they believe to be good.

    If you chose "Ignore" and then decided that the site was indeed bad, then you could just delete it from SafeOnline. What more can Prevx do? They've warned you that this site was blocked by your Hosts file. But it could be www.prevx.com or symantec.com, or whatever.

    Without Prevx, you could be a user with a Hosts file that prevents you from visiting a site to fix your malware-infected computer. And you wouldn't know why.
     
  3. pling_man

    pling_man Registered Member

    Joined:
    Feb 11, 2010
    Posts:
    463
    Location:
    UK
    I can see what you mean.

    I think the main issue though is that SafeOnline does not maintain a separate list for website over-rides. Any sites which it thinks are suspicious but the user wishes to allow to visit, are just added to the list of protected sites. It would be better to use a separate list (or have the ability to hide/show them in the protected sites list). If a separate list is maintained, it should be managed from the main gui (not the tab) as these are not protected sites at all.

    In the case of a re-direction to 127.0.0.1 in the hosts file, I cannot see any reason to add the site to the protected list when Ignore is chosen. This doesn't need doing if its a good entry (it doesn't do anything for embedded unwanted adverts for example), and it definitely does not if its a rogue entry put there by some malware. It doesn't achieve anything if the 127.0.0.1 entry is still there (unless "Ignore" means remove hosts entry and add to over-ride list - but I have not checked this).

    The site should only go in the list if Fix is chosen by the user and the site is also considered a rogue site.
     
    Last edited: Feb 14, 2010
  4. MaxEntropy

    MaxEntropy Registered Member

    Joined:
    May 21, 2009
    Posts:
    101
    Location:
    UK
    I just tried this out myself by blocking a non-malicious site (www.118.com) that I added to my Hosts file. SafeOnline cuts in when I try to visit the site, as you describe above. Choosing "Ignore" adds an entry for that site to SafeOnline with security turned off.

    I suppose that looks potentially dangerous if the site was actually malicious. However, I find that SafeOnline cuts in every time I try to visit the site. Moreover, clicking the "Ignore" option doesn't in fact allow me to visit the site, because it's still blocked in the Hosts file. The clip window also flags it as "High-risk HostsFile Block". So, SafeOnline is trying really hard to keep me from visiting this potentially malicious site.

    I have to select "Fix" to get SafeOnline to remove the Hosts-file entry. That leaves the site configured in SafeOnline without any security, which seems a bit odd but is not particularly dangerous when the site is good.

    Like you, I don't really understand why SafeOnline needed to configure the blocked site in response to "Ignore". Maybe it'd be better to put it into a special category of overrides, as you suggest. It would also have been nice to have the option of deleting or modifying the site configuration after fixing the Hosts file.

    However, although the implementation may be a bit odd, SafeOnline does seem to work hard to keep the user safe.
     
  5. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Hello pling_man/MaxEntropy,
    I agree that the website should not be overridden to be allowed here although I do suspect the scope of problems like this is relatively rare (going to a malicious website, receiving a block, clicking Ignore to the block, and then visiting it again).

    Also, on a side note - the HOSTs file check will detect any overridden website via the HOSTs file regardless of if it was added before Prevx was installed or not so you'll remain protected from the instant you install Prevx :)

    We'll be making the change to our website trusting for blocked domains :) Thank you for the testing and input!
     
Thread Status:
Not open for further replies.