[Thread split] Hosts file et al

Discussion in 'other security issues & news' started by Espresso, May 15, 2012.

Thread Status:
Not open for further replies.
  1. Espresso

    Espresso Registered Member

    Joined:
    Aug 1, 2006
    Posts:
    976
    Re: MSE 4

    I use my HOSTS file for ad blocking and I noticed today that MSE had quarantined the HOSTS file because of possible hijacks. After allowing it, I check the etc folder and noticed there was a copy of HOSTS made by MSE , so I compared the two and the restored version had ad.doubleclick.net removed. :shifty:
     
  2. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    Re: MSE 4

    How is that suspicious? It would be smart for malware to modify the HOSTS file and divert a popular advertising site to a malicious one; that way they have a higher chance of infecting you further. So it could easily be a FP.

    Yet another reason not to use a HOSTS file for something like ad blocking and use a real tool designed to do just that.
     
  3. Espresso

    Espresso Registered Member

    Joined:
    Aug 1, 2006
    Posts:
    976
    Re: MSE 4

    Considering that I have ~2700 entries all linked to 0.0.0.0, I wouldn't consider the focus on one linked to 0.0.0.0 to be smart at all, and mildly suspicious at least.
     
  4. marc57

    marc57 Registered Member

    Joined:
    Aug 15, 2006
    Posts:
    83
    Location:
    St Marys,WV. U.S.A.
    Re: MSE 4

    I don't know if this works, ( I haven't had a virus in a long time) but a "Malware Expert" told me to set the HOSTS file to read only to keep malware from changing it.
     
  5. kupo

    kupo Registered Member

    Joined:
    Jan 25, 2011
    Posts:
    1,121
    Re: MSE 4

    Nah, there's no harm in doing this but it's barely a protection.
     
  6. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Re: MSE 4

    An attacker would need admin rights to write to the host file. If they have those rights they can already change the permissions I think.
     
  7. marc57

    marc57 Registered Member

    Joined:
    Aug 15, 2006
    Posts:
    83
    Location:
    St Marys,WV. U.S.A.
    Re: MSE 4

    Thanks for the info.
     
  8. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,625
    Location:
    USA
    Re: MSE 4

    Yep, once you get to this point you have bigger problems.
     
  9. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    Re: MSE 4

    Suspicious? Right, because Microsoft has an interest in unblocking Google-owned advertising services from your machine, right...?

    What does the amount of entries have to do with anything? Malware modifies/adds specific entries. Like I've already told you, it's quite possible that malware exists that hijacks that specific entry, which set off MSE. Of course MSE finds it suspicious; like I've already stated, using a HOSTS file as an ad blocker is silly.

    Also, using 0.0.0.0 has already been proven flawed and can cause more issues than it solves based on what programs you're using.

    http://winhelp2002.mvps.org/hostsfaq.htm

    Looks like there's your explanation of why MSE was set off.
     
  10. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Re: MSE 4

    The only thing it breaks is the assumption that 127.0.0.1 is being used. If you use 0 it saves space.
     
  11. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    Re: MSE 4

    Being the standard loopback interface it's a pretty safe assumption, going against the standards is what breaks it.

    That adds no benefit whatsoever, especially not for saving 2 digits... cmon. What you want is to reduce line count, not line length. That's why optimizers will make lines longer to reduce line count.
     
  12. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Re: MSE 4

    I'm just saying it's not like the OS cares; the problem is that products like Spybot can't handle it.

    I don't think it works on earlier Windows but you can use just "0" and over 2700 lines you save a bit of space. It's all held in RAM so access time/ read won't be an issue it's more about saving yourself however much RAM that saves.
     
  13. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,625
    Location:
    USA
    Re: MSE 4

    Yes, it is also faster. 127.0.0.1 is a valid address on ANY machine, web server or no. 0.0.0.0 will always be faster as something checking 127.0.0.1 will wait for a response. I have been using 0.0.0.0 for 10 years and have never had an issue because of it.
     
  14. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    Re: MSE 4

    Please try your best to read previous posts before posting false information, it will save you from unnecessary embarrassment.
     
  15. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,963
    Location:
    Somethingshire
  16. Espresso

    Espresso Registered Member

    Joined:
    Aug 1, 2006
    Posts:
    976
    Re: MSE 4

    Because I have quite a few "popular" ad sites there, all of which were left alone.

    Specious reasoning. A link to 0.0.0.0 should be considered benign.

    Not silly at all. No extra processes, no local proxies required. It works.

    Hardly. It missed another ~2700 entries linked to 0.0.0.0.
     
  17. Espresso

    Espresso Registered Member

    Joined:
    Aug 1, 2006
    Posts:
    976
    Re: MSE 4

    False? Quoting a FAQ entry by a guy who claims he can "see no noticeable difference" hardly qualifies as proof.

    Here's a small test by someone who at least did repeated, timed tests:

    YMMV.
     
  18. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    Re: MSE 4

    Not when it's completely against standards.

    It is extremely silly, it's a flawed way of blocking because not only can it not block 100%, there is also no way to fix the high amount of false positives that comes with blanket banning thousands of domains.


    Here I thought I wouldn't need to explain something so basic, I guess not. It's not the entry that sets it off, it's the combination of the entry and the unusual IP address. For the third (can we make this the last?) time, it's possible that specific malware hijacks that entry which sets it off as suspicious.

    LOL! "A guy who claims"? This "guy" was probably the first ever person to publish a publicly available HOSTS file. He's literally been doing it for a decade.

    But I guess you'd rather take that 3 year old blog.... with ancient browsers as reference, right? The fact will always remain, programs designed with the specific goal of blocking ads will always be superior, and faster.
     
  19. kupo

    kupo Registered Member

    Joined:
    Jan 25, 2011
    Posts:
    1,121
    Re: MSE 4

    While I believe that hosts file as adblocker is not a good idea (there are much better tools for this) and as malware blocklist as a really stupid idea (websites with exploits come and go, and you could have a lot of dead entries in your hosts file), there are good reasons to use an invalid address instead of the loopback address in hosts file. (0.0.0.0 or 255.255.255.0 instead of 127.0.0.1).
    -http://hackademix.net/2009/07/01/abe-warnings-everywhere-omg/
     
  20. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    Did you read your own link in comparison to the link I posted?

    Your link:
    My link:
     
  21. Espresso

    Espresso Registered Member

    Joined:
    Aug 1, 2006
    Posts:
    976
    Re: MSE 4

    I don't know anything that blocks 100%, nor do I care. There are probably ~50 sites that serve most of the annoying ads and as long as I get those I'm happy. It's not that big a deal. There are hardly any "false positives" from blocking an advertising domain, only if a company links content delivery with an ad server which is rare and an easy fix. In my experience it was more common to get false positives from ad blockers that block by parsing urls and image sizes.

    :rolleyes: Using 0.0.0.0 in a HOSTS file is not that unusual (the practice has been around since the 90s) and the link is removed if I use 127.0.0.1 as well (certainly not unusual). Yes, malware has been known to redirect a number of ad sites, doubleclick included, but it's still mildly suspicious that MSE is removing only the doubleclick (a MS advertising partner in Silverlight) redirect to a localhost address. MSE is being dumb or devious.


    Appeal to authority. He's done no timed tests so it's merely anecdotal.

    Show me how/why new browsers would be different.

    I don't see how they're faster. I assume you have some properly designed tests to back up your assertion. :argh:
     
  22. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    Re: MSE 4

    Every single program including ABP that's designed to block ads can block them 100%, easily. That's what they are designed to do.

    You need only look for a second at the amount of specific allow rules that are needed in EasyList to see what kind of breakage outright blocking can do.

    http://easylist-msie.adblockplus.org/easyprivacy easylist.tpl

    I bet your "great" HOSTS file blocks doubleclick, right? Look at the amount of allow rules needed to prevent breakage there.

    It is very unusual when you consider what the HOSTS file is for, and how you're abusing it to accomplish a goal it was never intended for.

    Calling MSE dumb because you can't see the simple truth of this is hilarious at best. Though I haven't quite laughed as hard as I did to your comment of it being suspicious, damn Microsoft trying to make Google more money by unblocking ad sites!! :argh: :argh: That really takes some imagination.

    Feel free to provide evidence since you can clearly read this persons mind, amazing skills.

    That's like saying show me how/why new browsers would be faster at all, maybe it's magic! :ninja:

    They should be faster because they shouldn't be waiting for a timeout anymore. You can test this in IE9 for example, it most certainly does not take a second to reach a diverted host.

    They are designed with that specific goal in mind, and in some cases, even take advantage of Windows APIs such as the Filtering Platform (afaik TPLs do). Not only are they factually faster, they are logically faster.

    Feel free to disprove otherwise...

    At the end of the day using a HOSTS file will always be sub-par to using a dedicated ad blocker, that's a fact that cannot be denied by any knowledgeable person.
     
    Last edited: May 23, 2012
  23. Espresso

    Espresso Registered Member

    Joined:
    Aug 1, 2006
    Posts:
    976
    Re: MSE 4

    I've used them and they don't block 100% of ads. That's why their lists are constantly being upgraded.

    Isn't it amazing that I block it outright and I have no doubleclick related problems at all ?

    It's dumb because it doesn't consider the linked IPs 0.0.0.0 and 127.0.0.1 which are benign, period.


    The success of the struggling Silverlight will depend on ad links from major ad services being functional. The idea that MS would like to facilitate their success isn't far-fetched at all. Like I said, it's mildly suspicious.

    He probably would've posted them. In any case, you can search around and find tests like the one I linked that contradict his "findings".


    The onus is on you to prove your assertion. Considering that a link to 0.0.0.0 is terminated almost instantly, I can't see any way an ad blocker could be appreciably faster.
     
  24. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    Re: MSE 4

    Their lists are more often than not "constantly" updated to add allow rules, but programs like ABP can easily block 100%; they have the potential to do that, HOSTS files do not. That should be pretty easy to see.

    Oh, right, you count for the entire world now yeah? You're trying to disprove fact based solely on your own tiny experience? LOL.

    Doesn't matter how benign they are, they aren't supposed to be used in a HOSTS file, that isn't the purpose of a HOSTS file.


    Wait, what!? That's one hell of a stretch from ad blocking to Silverlight, which has pretty much been more or less killed off by MS anyway. I fail to see what Silverlight has to do with Google advertising, at all. Other than your desperation to justify your flawed responses, of course.

    You can search around to find tests that contradict the findings contradicting the findings.

    I'm sorry? Why is it on me to prove yet you have a free ride with your claims which are nothing other than blind faith? :blink: They aren't even logically sound. It doesn't matter what it points to, it's a fact that your system will become slower and slower the bigger the file is, why? Again, it's not designed for ad blocking.

    Real ad blockers can use lists in a way that reduces the impact of the size of said list. They can also use freely available system resources specifically designed for preventing connections, such as WFP, which work at a higher level and are therefore faster than waiting for the HOSTS file. I'm not sure where the difficulty in understanding this lies.

    edit: Also on another note, you cannot block IP addresses with a HOSTS file, advertising and tracking using IP addresses will pass right through.
     
    Last edited: May 23, 2012
  25. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,797
    Blocking ads always involves the possibility of causing some sites to 'break'.
    When there are too many entries involved, using a dedicated ad-blocker (which is specifically 'designed' for the task) has advantages over using a hosts file, seeing that it may have the flexibility of a white-list system allowing entries to counter the initial block rule(s), and for most, the lists are automatically updated. This means less work for you and the chances of 'false positives' are lower. This is good enough a reason to recommend a dedicated ad-blocker over a hosts file to pseudo-block ads.

    To be fair, however, using a hosts file to pseudo-block certain ads also has its own advantages. Since it is included in the system, it requires no upgrades (unlike 3rd-party software) and it is free of cost compared to a 3rd-party commercial ad-blocker (not counting IE's TPL and ad pseudo-block extensions for other browsers). The pseudo-blocking implemented is also system-wide and works across multiple web browsers (not counting AdMuncher, AdFender, Privoxy, Proxomitron, etc).

    While it is arguably less effective on a web browser compared to dedicated tools, using a hosts file to pseudo-block ads is not that bad an idea if one uses it to mainly pseudo-block the major advertising delivery sites (and does not mind the possible resulting breakage of certain sites). My personal suggestion is to not dump in too many entries, to reduce the likelihood of site breakage.

    Now, as to whether one should use 127.0.0.1 (localhost loopback address) or 0.0.0.0 or even 0 (invalid address/destination), that is a debate not worth going for. It is pretty much a personal choice.

    Using the former in conjunction with eDexter (a local-only personal image web server) prevents browser errors (HTTP 404 error messages) and replaces annoying ads from filtered sites with GIF images.

    Using the latter helps to reduce the size of the hosts file (and probably memory usage by a small margin) and speeds up the browsing speed as the system/browser immediately rejects the endpoint rather than to wait for a timeout (this depends on which OS and browser are in use although modern browsers may be better at this). 0.0.0.0 is also recommended if you're running web server software.

    Note: If you use 0.0.0.0, you may want to add this entry just before your first 0.0.0.0 "blocking" entry:

    # Special Entries
    0.0.0.0 0.0.0.0 # fix for traceroute and netstat display anomaly

    Without that entry, some network status and diagnostic apps will use the hostname associated with your first 0.0.0.0 "blocking" entry as the name of the default IP address.

    I got that from here: http://www.dslreports.com/forum/r24622031-

    Just take note that the use of 0 in the host file may not be supported on certain OS.

    I personally find the argument of going with "industry standards", as quoted in the FAQ from the MVPS HOSTS site, not that convincing. If we were to go by that argument, then the "industry" itself has contradicted the "standards", as the Hosts file was never initially intended for malware sites or ad blocking in the first place. It has a different purpose, as stated here:
    -http://en.wikipedia.org/wiki/Hosts_(file)#Purpose-
    In short, it provides host name to IP address translation.

    If security programs scan the HOSTS file and they only accept the IP address "127.0.0.1", it means the security program does not understand the hosts file's intended purpose. It's time for them to change and learn to accept other IP addresses.

    P.S. Personally, I do not encourage the Hosts file to be used as a mean to pseudo-block malware sites (that's another topic) and while I do find using a dedicated ad-blocker more suitable for the task of blocking ads, I am not against using hosts file to do so.
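Editor's added example, not code posted by anyone in this thread and not Microsoft's or MVPS's own logic. It puts the two practical points argued above into a runnable check: which HOSTS lines point somewhere other than a sinkhole address (the general shape an antivirus "HOSTS hijack" check looks for; the real MSE heuristic is not public, so this is only the obvious rule), whether the "0.0.0.0 0.0.0.0" display-fix line sits before the first 0.0.0.0 blocking line, and a rewrite of 127.0.0.1 blocking lines to 0.0.0.0. The sample hosts file, its hostnames and its addresses are constructed for the example.

```python
"""Audit a Windows-style HOSTS file that is being used as an ad blocker.

Added example for this thread; not code from the thread or from any product.
Runs offline on a constructed sample; point it at a real HOSTS file by
passing the file's text to audit() or convert_to_unspecified().
"""
import ipaddress
from collections import Counter

# Targets that discard traffic rather than redirect it. "0" is the short form
# mentioned in the thread; ipaddress cannot parse it, so it is matched as text.
SINKHOLE_TARGETS = {"0.0.0.0", "0", "127.0.0.1", "::1"}


def parse_hosts(text):
    """Return (lineno, ip, hostnames) for every non-blank, non-comment line."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.partition("#")[0]          # drop trailing comment
        fields = line.split()
        if fields:
            entries.append((lineno, fields[0], fields[1:]))
    return entries


def classify(ip, hostnames):
    """sinkhole: traffic goes nowhere; redirect: name resolves to a real host."""
    if not hostnames:
        return "malformed"
    if ip in SINKHOLE_TARGETS:
        return "sinkhole"
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "malformed"
    if addr.is_loopback or addr.is_unspecified:
        return "sinkhole"
    return "redirect"   # any other target deserves a look, whatever the hostname


def audit(text):
    """Count entries by kind, list redirects, and check the 0.0.0.0 display fix."""
    counts = Counter()
    redirects, malformed = [], []
    first_zero_hosts = None
    for lineno, ip, hostnames in parse_hosts(text):
        kind = classify(ip, hostnames)
        counts[kind] += 1
        if kind == "redirect":
            redirects.append((lineno, ip, hostnames))
        elif kind == "malformed":
            malformed.append(lineno)
        if ip == "0.0.0.0" and first_zero_hosts is None:
            first_zero_hosts = hostnames
    # The dslreports advice quoted in the thread: the first 0.0.0.0 line should
    # map 0.0.0.0 to itself, or some tools show that line's hostname for 0.0.0.0.
    missing_fix = first_zero_hosts is not None and first_zero_hosts != ["0.0.0.0"]
    return {
        "counts": counts,
        "redirects": redirects,
        "malformed": malformed,
        "missing_display_fix": missing_fix,
    }


def convert_to_unspecified(text):
    """Rewrite 127.0.0.1 blocking lines to 0.0.0.0; leave the localhost mapping."""
    out = []
    for raw in text.splitlines():
        line, hash_, comment = raw.partition("#")
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "127.0.0.1" and "localhost" not in fields:
            new = " ".join(["0.0.0.0", *fields[1:]])
            out.append(new + (" " + hash_ + comment if hash_ else ""))
        else:
            out.append(raw)
    return "\n".join(out) + "\n"


# Constructed sample; the hostnames and addresses are not from any real list.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1 localhost
0.0.0.0 ad.doubleclick.net
0.0.0.0 ads.example.net static.example.net
127.0.0.1 tracker.example.org
198.51.100.7 update.example-vendor.com   # not a sinkhole: hijack-style entry
0.0.0.0 0.0.0.0 # fix for traceroute and netstat display anomaly (too late here)
not-an-ip something
"""

if __name__ == "__main__":
    report = audit(SAMPLE_HOSTS)
    print(dict(report["counts"]))               # {'sinkhole': 5, 'redirect': 1, 'malformed': 1}
    for lineno, ip, hosts in report["redirects"]:
        print(f"line {lineno}: {ip} -> {' '.join(hosts)}")
    print("display fix missing:", report["missing_display_fix"])   # True
    print(convert_to_unspecified(SAMPLE_HOSTS))
```

The audit deliberately treats every target other than a loopback or unspecified address as worth reviewing, regardless of which hostname it is attached to; a single routable entry among thousands of 0.0.0.0 lines is exactly the case that is easy to miss by eye. Setting the file read-only does not change any of this, since whoever can write the file can clear the attribute.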
     