[Thread split] Hosts file et al

Discussion in 'other security issues & news' started by Espresso, May 15, 2012.

Thread Status:
Not open for further replies.
  1. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    You're choosing to completely ignore that it IS updated frequently, even monthly. Not only that, but updating a HOSTS file yourself is far more hassle than say, having a dedicated program do it for you.

    Which conveniently ignores the free ones.

    Nice, you brought up an invalid point and countered it all by yourself in brackets :D Every real ad blocker is system wide, you just have browser plugins stuck in your mind. An ad blocker isn't defined as a browser plugin, it's just a "reduced" form of one.

    Easy to say from someone who has no perspective of the code involved in the software itself. Maybe they do need to add it, or, for all we know it simply isn't that easy and adding every invalid IP address might be more effort/overhead than it's worth.
     
  2. Espresso

    Espresso Registered Member

    Joined:
    Aug 1, 2006
    Posts:
    976
    Re: MSE 4

    Yes, potential, but nothing blocks 100% of ads.


    I'm not advocating the use of HOSTS - I'm just defending my own successful usage. I don't give a damn whether anyone else uses it or not. :D


    A HOSTS file is used for whatever you want to use it for. It's been used for ad/malware blocking for years and MS is well aware of it. MSE should be able to distinguish between a localhost redirect vs an internet redirect.

    You're the one making all the claims. I'm just defending against them. Again, the onus is on you to prove that an ad blocked by an ad blocker is faster than the same ad blocked by a HOSTS file.

    Sure, but mine is 50k with 2700 entries. Tiny by comparison to standard ad blocking HOSTS file. I could use a Hostsserver log to prune it down to a tenth of that size and get rid of most ads.

    I'd like to know just how much "faster" it is. The HOSTS data is kept in memory and 2700 entries can be parsed pretty quickly on a modern computer. Methinks the difference is practically nil.
     
  3. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    Re: MSE 4

    Really? Then I'm done here as I couldn't care less what you use. I'm not here to personally convince you as that's obviously impossible even with the presented facts.
     
  4. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Re: MSE 4

    Amazing how the simplest things can provoke such heated debates in this place. Like so many other things, using a hosts file to block ads has both good and bad points.
    Good points:
    Does not require a separate process to perform the task.
    Works with all internet apps that use DNS, not just a browser.

    Bad points:
    Can be altered by malware if the user allows the machine to be infected and doesn't have other measures in place.
    Not complete coverage, but then nothing is.
    Large hosts files can slow DNS service on 2K and XP units. Not sure if this was fixed on Vista and newer. Never was a problem on 9X.
    Blocks resolved names, not IP addresses or ranges.

    The hosts file isn't for blocking access to malicious sites. They come and go so fast, nothing can keep up with the changes. It's OK for blocking known ad servers, "call home" locations, and others that you don't want tracking you (Google, Facebook, etc). It's good for bypassing the DNS blocking of sites when you know the site's IP. The hosts file is quite useful as long as you keep your expectations sensible. Trying to use the hosts file to block access to malicious sites is pointless. If your PC is so vulnerable that it can't be allowed near a malicious site, you've got much bigger problems.

    For those worried about malicious additions and changes to their hosts files, why not use a hash checker to verify it at startup or as a scheduled task? If it changes, you'll know.
     
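The hash check suggested in the post above, written out as an added example (this is editor-supplied code, not something posted in the thread or shipped by any product named in it). It records a SHA-256 baseline of the hosts file and later verifies it; a scheduled task or logon script can call it. The default hosts path (%SystemRoot%\System32\drivers\etc\hosts on Windows, /etc/hosts elsewhere) and the baseline file location are assumptions, and the demo runs on a temporary file so it never touches the real one.

```python
r"""Baseline-and-verify check for the hosts file.

Added example, not code from the thread. Assumptions: the hosts file sits at
%SystemRoot%\System32\drivers\etc\hosts (Windows) or /etc/hosts, and the
operator picks where the baseline record is kept.
"""
import hashlib
import json
import os
import sys
import tempfile
from datetime import datetime, timezone

if os.name == "nt":
    # Assumed default location; pass a path on the command line if yours differs.
    DEFAULT_HOSTS = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                                 "System32", "drivers", "etc", "hosts")
else:
    DEFAULT_HOSTS = "/etc/hosts"


def hosts_digest(path):
    """SHA-256 over the raw bytes, so whitespace or line-ending edits also count."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def write_baseline(hosts_path, baseline_path):
    """Record the current digest; do this right after your own last edit."""
    record = {
        "path": hosts_path,
        "sha256": hosts_digest(hosts_path),
        "size": os.path.getsize(hosts_path),
        "recorded": datetime.now(timezone.utc).isoformat(timespec="seconds"),
    }
    with open(baseline_path, "w", encoding="utf-8") as f:
        json.dump(record, f, indent=2)
    return record


def verify_hosts(hosts_path, baseline_path):
    """Return (ok, message). ok is False when the file differs from the baseline
    or when no baseline exists: a missing baseline is not 'unchanged'."""
    if not os.path.exists(baseline_path):
        return False, "no baseline at %s; record one first" % baseline_path
    with open(baseline_path, "r", encoding="utf-8") as f:
        record = json.load(f)
    current = hosts_digest(hosts_path)
    if current == record["sha256"]:
        return True, "unchanged since baseline of %s" % record["recorded"]
    return False, "CHANGED since %s: sha256 %s... is now %s..." % (
        record["recorded"], record["sha256"][:12], current[:12])


def demo():
    """Constructed walk-through on a temporary file (never the real hosts file)."""
    with tempfile.TemporaryDirectory() as d:
        hosts = os.path.join(d, "hosts")
        baseline = os.path.join(d, "hosts.baseline.json")
        with open(hosts, "w", encoding="ascii", newline="\n") as f:
            f.write("127.0.0.1 localhost\n0.0.0.0 ad.doubleclick.net\n")
        write_baseline(hosts, baseline)
        ok_before, _ = verify_hosts(hosts, baseline)
        # Replace the blocking line with a blank one, the kind of edit the thread reports.
        with open(hosts, "w", encoding="ascii", newline="\n") as f:
            f.write("127.0.0.1 localhost\n\n")
        ok_after, message = verify_hosts(hosts, baseline)
        return ok_before, ok_after, message


if __name__ == "__main__":
    # usage: hostscheck.py baseline|verify [hosts-path] [baseline-path]
    if len(sys.argv) >= 2 and sys.argv[1] in ("baseline", "verify"):
        hosts_path = sys.argv[2] if len(sys.argv) > 2 else DEFAULT_HOSTS
        baseline_path = (sys.argv[3] if len(sys.argv) > 3
                         else os.path.expanduser("~/hosts.baseline.json"))
        if sys.argv[1] == "baseline":
            print(write_baseline(hosts_path, baseline_path))
        else:
            ok, message = verify_hosts(hosts_path, baseline_path)
            print(message)
            sys.exit(0 if ok else 1)
    else:
        print(demo())
```

Two caveats for anyone deploying this: a baseline stored on the same machine can be rewritten by anything that runs as administrator, so keep it somewhere that process cannot reach (or at least off the system drive), and a digest only tells you that the file changed, not what changed or who did it; for that you need a snapshot diff or a real-time monitor.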
  5. jynx

    jynx Registered Member

    Joined:
    Mar 3, 2012
    Posts:
    37
    Location:
    Right here
    Re: MSE 4

    Or use WinPatrol Free/Plus; it can check if there is a change to the hosts file, and you can decide to accept or reject the change when something changes it.
     
  6. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,955
    Location:
    Somethingshire
    OT posts removed
     
  7. Tomwa

    Tomwa Registered Member

    Joined:
    Feb 3, 2010
    Posts:
    165
    I use the hosts file for blocking ads/trackers (As my signature dictates) as I have other web based programs on my computer which contain ADs, and since Kaspersky's Ad blocker is literally worthless I rely on my hosts file to block those ads (And it works for me without fail as it always has). Hostsman serves as a quick little utility for managing it.

    I stick to the default 127.0.0.1 as I notice no issues with it (If it ain't broke don't fix it).
     
  8. nodbaga

    nodbaga Registered Member

    Joined:
    Jun 11, 2012
    Posts:
    8
    Location:
    US
    Back to Security

    Discussion seems to have drifted to 127.0.0.1 vs 0, quality of methods of ad blocking, etc.

    All this is completely irrelevant to security. Original security issue: hosts file is modified without user permission. I have the same problem. In my case two lines disappear from my hosts file on the regular basis:

    127.0.0.1 ad.doubleclick.net
    127.0.0.1 www.google-analytics.com

    Again, what was on those lines is absolutely irrelevant, please don't even start. Real question is - what is the source of this malicious activity?
     
  9. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Re: Back to Security

    Interesting... I've never heard of any piece of malware* that removes Doubleclick, an advertising company owned by Google, and Google Analytics. I may be wrong, though.
    Anyway, before jumping to that conclusion, it is important to know if you have some application that handles the hosts file, such as HostsMan. If you have, is it possible that you may have exclusion entries, which will remove those two entries if found?

    Another possible scenario: some other application you may be using removed those two entries? It would have to be some dubious application, I must add. :ouch: Anything running with administrator privileges or more could have changed any of those entries.

    I just don't see any malware* removing those two entries. o_O

    Another thing we should know is whether or not you use an administrator account for your daily tasks?

    -edit-

    * Maybe that's not what you meant with malicious. lol
     
    Last edited: Jun 11, 2012
  10. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Re: MSE 4

    I doubt it was a FP, otherwise it would have happened to anyone having that entry in their hosts file, and MSE. I didn't see it happening here. Some other odd event had to be the cause of it all. :D
     
  11. nodbaga

    nodbaga Registered Member

    Joined:
    Jun 11, 2012
    Posts:
    8
    Location:
    US
    Re: Back to Security

    OK, here is my problem again:

    I discovered that some valid lines disappear from my 'hosts' file from time to time. It's been a couple of months since I discovered it.

    I don't have any program (like HostsMan) managing my hosts file. I edit it by hand using Notepad. As far as I know, NOD32, which I use for runtime protection, is not managing this file either.

    I do work on this machine daily from an administrative account, but such is the nature of what I do; no choice here.

    Both NOD32 and manual weekly scan using Malwarebytes report my system as clean all this time.

    Whatever entity is messing with my 'hosts' file is doing this without my permission, and against my will. Therefore, regardless of its intentions, I call it malware.

    Does anybody have any clue what it is and/or how I make it stop?
     
  12. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Re: Back to Security

    You could run a monitoring application to monitor your system for any changes, specifically if something tries to change the hosts file. If the application behind those actions is "legit", then it shouldn't conceal its actions, and the monitoring application should have no problems flagging it.

    Considering that you run with full administrator privileges, maybe you could consider some security application that will protect important system areas?
     
  13. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Re: Back to Security

    That's probably the only way you'll find out what is changing it. There are monitoring apps that either poll on intervals or watch in real time. On short intervals, the polling apps can cause lag. You might be able to narrow down your search by determining which apps (including their updating components) have administrative rights.
     
  14. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    3,907
    Re: Back to Security

    Hi nodbaga,

    For now I'm not going into the "why" and "what has changed it" question. Dear members m00nbl00d and noone_particular have slightly pointed to that.

    If you would allow me, may I point to (maybe) another possibility to block the two URLs. I did read that you are using NOD32. I don't know which version of NOD32 and which Windows OS version you are using. Version 4.2.71.2 of NOD32 (on XP) gives you the possibility to block URLs (and you can even use the "masks" * and ?) in some way. From the Help file of 4.2.71.2:

    "HTTP address management
    In this section you can define lists of addresses that will be blocked, allowed, or excluded from scanning.
    These three lists are by default available in the Lists drop-down menu."


    In version 4.2.71.2 (advanced setup):
    Antivirus and antispyware > Web access protection > HTTP, HTTPS > Address management.
    You can choose there what you want to do. I use it ;)
    How to do it on NOD32 version 5 (if possible), I don't know. Ask about it on the ESET forum ;)
     
    Last edited: Jun 13, 2012
  15. nodbaga

    nodbaga Registered Member

    Joined:
    Jun 11, 2012
    Posts:
    8
    Location:
    US
    Re: Back to Security

    Thank you for the advice! As a matter of fact I started monitoring the hosts file some time ago. So far the only write to the file which was not me was by svchost.exe with mpengine.dll from Microsoft\Windows Defender on the stack. Unfortunately, I can't confirm that it actually modified the file, because I didn't check the contents before this write access. I can only say that after that write, the lines in question were not present in the file. Since that time the hosts file has not been modified. I left the monitor running; will let you know if it catches anything.

    Theoretically 'they' can detect if the file is monitored, and not touch it in that case. I doubt it though.
     
  16. nodbaga

    nodbaga Registered Member

    Joined:
    Jun 11, 2012
    Posts:
    8
    Location:
    US
    Re: Back to Security

    Hi FanJ,
    thank you for the advice. I have NOD32 4.2.71.2 on Win7 and use Chrome (latest). Unfortunately, it did not work for me. I blocked access to ad.doubleclick.net, but when I browse to, say, http://www.accuweather.com/, scripts from ad.doubleclick.net are downloaded OK.
    Maybe NOD32 is only blocking HTML? Anyway, I will try it again after reboot.
     
  17. nodbaga

    nodbaga Registered Member

    Joined:
    Jun 11, 2012
    Posts:
    8
    Location:
    US
    It is Windows Defender!

    At 5:42 am the file C:\Windows\System32\drivers\etc\hosts was modified by process C:\Windows\System32\svchost.exe -k secsvcs. The first non-kernel module on the stack is C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{C81B2031-BF61-4014-8979-31D26BCE102A}\mpengine.dll. The following two lines were replaced with blank lines:

    0.0.0.0 ad.doubleclick.net
    0.0.0.0 www.google-analytics.com

    I'll try to get more details...
     
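A hash check or a file monitor, as in the posts above, tells you that the hosts file changed; the natural next step is to compare a snapshot taken before the write with one taken after and see exactly which entries went missing. The following is an added example by the editor, not code from the thread or from any product mentioned in it. The two snapshots are constructed to mirror the edit just reported (two sinkhole lines replaced by blank lines, plus one line moved from 0.0.0.0 to 127.0.0.1 to show that such a swap is reported as retargeted but not as unblocked); the file paths it accepts on the command line are whatever the user supplies. It goes slightly beyond the reported case: the same "retargeted" check also catches the opposite abuse, a legitimate name pointed at a routable address.

```python
"""Entry-level diff of two hosts-file snapshots.

Added example, not code from the thread. The snapshots below are constructed;
command-line arguments, when given, are two files saved before and after a change.
"""
import sys

# Addresses commonly used to sinkhole a name in a hosts file (the thread uses both).
SINK_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::1"}


def parse_hosts(text):
    """Map hostname -> address. Skips blank lines and '#' comments (including
    inline ones) and handles several names per line. The first line naming a
    host wins; later duplicates are ignored."""
    entries = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # an address with no hostname: malformed, ignored
        addr, names = parts[0], parts[1:]
        for name in names:
            entries.setdefault(name.lower(), addr)
    return entries


def diff_hosts(before_text, after_text):
    """Report names removed, added, or pointed at a different address."""
    before, after = parse_hosts(before_text), parse_hosts(after_text)
    common = set(before) & set(after)
    return {
        "removed": sorted(set(before) - set(after)),
        "added": sorted(set(after) - set(before)),
        "retargeted": sorted((n, before[n], after[n]) for n in common
                             if before[n] != after[n]),
    }


def unblocked(before_text, after_text):
    """Names that were sinkholed before and no longer are: the security-relevant
    subset. Moving a name between 0.0.0.0 and 127.0.0.1 is not unblocking;
    deleting the line, or pointing the name at a routable address, is."""
    before = parse_hosts(before_text)
    report = diff_hosts(before_text, after_text)
    names = [n for n in report["removed"] if before[n] in SINK_ADDRESSES]
    names += [n for n, old, new in report["retargeted"]
              if old in SINK_ADDRESSES and new not in SINK_ADDRESSES]
    return sorted(names)


# Constructed snapshots modelled on the edit reported in the thread.
BEFORE = """\
# constructed snapshot, taken before the change
127.0.0.1 localhost
0.0.0.0 ad.doubleclick.net
0.0.0.0 www.google-analytics.com
0.0.0.0 tracker.example   # inline comment stays out of the name
"""

AFTER = """\
# constructed snapshot, taken after the change
127.0.0.1 localhost


127.0.0.1 tracker.example   # inline comment stays out of the name
"""


def demo():
    """Diff of the constructed snapshots: two names removed, one retargeted."""
    return diff_hosts(BEFORE, AFTER), unblocked(BEFORE, AFTER)


if __name__ == "__main__":
    if len(sys.argv) == 3:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as f1, \
             open(sys.argv[2], encoding="utf-8", errors="replace") as f2:
            before_text, after_text = f1.read(), f2.read()
    else:
        before_text, after_text = BEFORE, AFTER
    report = diff_hosts(before_text, after_text)
    for key in ("removed", "added", "retargeted"):
        print("%-11s %s" % (key + ":", report[key]))
    print("unblocked:  %s" % unblocked(before_text, after_text))
```

Keeping a copy of the file after every edit you make yourself (the "before" snapshot) is the only real cost; run the diff whenever the hash check or monitor fires and you get the list of names that are no longer blocked instead of just "file changed".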
  18. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    Have you tried using 127.0.0.1 instead and seeing if the issue goes away? I bet it does ;)
     
  19. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Hate to break into the thread late BUT I have a simple question:

    How do I EASILY edit the contents of my Host file in windows 7 64 bit?

    I need a tool?
     
  20. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,955
    Location:
    Somethingshire
    As easy as running a notepad as administrator and then editing the file
     
  21. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Re: It is Windows Defender!

    Forum software seems determined that google-analytics needs to be a link. Putting lines like that in a code box prevents it.
    Code:
    0.0.0.0 ad.doubleclick.net
    0.0.0.0 www.google-analytics.com
    Just to clarify, you're using 0.0.0.0 on all the items you block, but only those 2 were singled out? These are typical of the other entries? I'm wondering if WD is singling out those 2 entries specifically or if it's not parsing the file correctly. Just for a test, try moving those 2 lines farther down the file and see if WD singles them out again or if it focuses on the next pair of 0.0.0.0 entries. If it still does, maybe adding an extra space after the last "0" or changing just those 2 to use 127.0.0.1 could stop that particular problem, but it points out a few others.

    Regarding the "proper format" for what many call an improper use of the hosts file, both 127.0.0.1 and 0.0.0.0 have been used for some time, something MS is very aware of. If WD can't properly parse the file because it contains 0.0.0.0, what will it do with one that contains "normal" IPs? Unless for some reason WD is deliberately removing blocks to those 2 links, it's definitely not reading the file properly. Maybe it's mistaking them for similar names that are malicious (think in terms of typo squatting). I also question WD altering a file that can contain user specified IPs without the user being asked or told. If that were my system, I'd throw WD out on the spot for that alone.
     
  22. nodbaga

    nodbaga Registered Member

    Joined:
    Jun 11, 2012
    Posts:
    8
    Location:
    US
    Tried both 0.0.0.0 and 127.0.0.1. No difference.
     
  23. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses

    Wow! Thanks, that was easy. Now all I have to do is figure out where Gates hid it!:D
     
  24. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    Then I'm afraid it's time to report the issue on the MSE forums.
     
  25. nodbaga

    nodbaga Registered Member

    Joined:
    Jun 11, 2012
    Posts:
    8
    Location:
    US
    %SystemRoot%\System32\drivers\etc\hosts, on most systems it is C:\Windows\System32\drivers\etc\hosts
     