White-Lists, Black-Lists, Hosts File, etc.

Discussion in 'other anti-malware software' started by gud4u, Dec 21, 2007.

Thread Status:
Not open for further replies.
  1. gud4u

    gud4u Registered Member

    Joined:
    Nov 9, 2004
    Posts:
    206
    I'm interested in how many use a Hosts File, and if so, what you're using.

    I notice many are using SpywareBlaster innoculation, as I do.

    The Comodo firewall/HIPS emphasizes white-listing as a basis for trusted apps, as does Online Armor. Online Armor includes a short Hosts File. I didn't check to see if Comodo also uses a resident Hosts file.

    Opinions seem to vary as to using a large comprehensive Hosts file or a smaller Hosts file with emphasis on the most-dangerous threats - or none at all.

    How many use a smaller Hosts file created solely from your own entries?

    I have the current large MVPS Hosts File resident, with a few additions and a few edits to allow site-loading (DrudgeReport, etc.). This is in addition to the black-lists of SuperAntiSpyware, SpywareBlaster, NOD32 and Online Armor native Hosts File and black list. The MVPS Hosts File goes well beyond adware to include known malware sites - but is it overkill?

    So, what are you using and what's your philosophy on this aspect of malware prevention?
     
  2. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Regarding Comodo and OA, how effectively they can implement whitelisting remains to be seen; especially in Comodo's case, where prompts are still given even though a program is whitelisted. The blacklisting guys (i.e. antivirus software) are already fighting a losing battle as it is, and there are easily fifty times more clean files out there than there are bad ones. Whitelisting admittedly does help reduce useless noise from "dumb" HIPS, but personally I doubt they'll make enough difference to matter.

    As for hosts files, that's a horribly useless technology.
     
  3. gud4u

    gud4u Registered Member

    Joined:
    Nov 9, 2004
    Posts:
    206
    I understand the statement, but why? What makes hosts files a hopeless technology?

    For example, I'm not alone in considering the Online Armor as one of the better firewall/HIPS programs available - and they include a smaller hosts file. Why would they enroll 'hopeless' technology?

    I'm not trying to be contentious, just looking for education.
     
  4. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    https://www.wilderssecurity.com/showthread.php?t=188934

    Also, take a look at mass-spammed Storm worms lately. The IPs of the malicious websites change in a matter of hours; that's the kind of tactics bad guys are using these days. A hosts file is going to do diddly squat to protect you.
     
  5. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I use nothing but whitelists, because all blacklists are incomplete. I have two whitelists:

    1. A whitelist of all executable objects in my system partition, which acts immediately.

    2. A whitelist of all objects in my system partition, which acts during reboot.
    If this whitelist would act immediately, I wouldn't need any security software anymore.

    Hosts files and IE-SPYAD are also blacklists, just like any scanner.
     
    Last edited: Dec 21, 2007
  6. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    FWIW, I use OA 2 FW and their HIPS. I load the host file with 127.0.0.1's from Spybot Search & Destroy's long list of bad sites.

    Updates every 2 weeks or so and I would never be able to duplicate what they do in ferreting out bad sites. Works well for me.

    In OA 2, you have to remember they don't have a host file per se. What they do have is a set of rules about the host file entries. In other words it allows you to control if the entries in your host file can be there or not. It's a bit tricky but it works. So all of the bad SpyBot S&D sites appear as "allowed" but they are 127.0.0.1. With OA 2 I can delete an entry if needed but I've never needed to.

    The Host file is part of Windows XP and is simple and can be used for effective site control if understood and maintained by the user.
     
  7. gud4u

    gud4u Registered Member

    Joined:
    Nov 9, 2004
    Posts:
    206
    Erik Albert:
    That makes good sense. Like you, I keep my Windows partition strictly for the Windows OS and critical security apps, and back it up frequently.

    This sounds like a custom white-list of your own creation. May I ask how you created this list?

    Thanks!
     
  8. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    The first whitelist is created with Faronics Anti-Executable.

    The second whitelist is created with FirstDefense-ISR by using a frozen snapshot, that restores my system partition automatically in the original installation state during each reboot.
    Unfortunately, this software is terminated and you can't buy it anymore, but I still can use it during the next 5 years and if I'm lucky with winVISTA, another 5 years. After that I'm quite sure there will be another and better software than FDISR.

    In principle any ISR-software can do this, but FDISR is the most powerful one in possibilities. The other ISR-softwares are too simple, except Rollback Rx. :)

    Separating your system from personal data (= 2 partitions) is a good preparation, even necessary IMO, if you decide to use an ISR-software. You probably have done this already.
     
    Last edited: Dec 21, 2007
  9. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    HOSTS file is useful for more than blacklisting. HOSTS was not originally intended as a security program, but for other uses. HOSTS can do several useful jobs, depending on how the user sets it up.

    For instance-- HOSTS can do a good job of shortcuts to urls -- especially handy for those not-yet-fully-propagated.

    As a security device, HOSTS is mostly (NOT solely) blacklist. I use MVPS, supplemented by my own schtuff, to kill lots of annoying ads & banners & such. I neither use nor need any other ad blocker.

    Bottom Line- HOSTS is a tool, like a hammer is a tool. Used properly, HOSTS can be very helpful. To categorize it as exclusively a blacklist is simply misleading. Neither does HOSTS scan, per se, so it is NOT at all "like any scanner."
     
  10. MikeNash

    MikeNash Security Expert

    Joined:
    Jun 9, 2005
    Posts:
    1,654
    Location:
    Sydney, Australia
    Hi,

    We don't use HOSTS as a protection in any way like a blacklist, and personally I do not like this approach (although, it can't hurt).

    The idea of hosts in Online Armor is to protect the system from malicious acts by malware.

    For example, we have seen malware which will write 127.0.0.1 entries for security software - neutering the updates.

    In 2005 when we released the first OA release, we were concerned that banking trojans could use the hosts file or DNS poisoning to redirect users to fake banking sites.

    Hope this helps.


    Mike
     
  11. HAN

    HAN Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    2,080
    Location:
    USA
    While I agree that using a blacklist is fated to always lag behind the latest round of malware, I agree with Mike that it can't hurt either.

    I run the MVPS HOSTS file and manage it with hostsXpert. (MJ Registry Watcher and ThreatFire help to protect it for me.)
     
  12. Shunted

    Shunted Registered Member

    Joined:
    Dec 21, 2007
    Posts:
    11
    I use Opera and turn off Java, Flash, animated GIFs and referer-sending for almost all sites. Unless required, JavaScript and cookies are off too. This gets rid of almost all web annoyances I think. To get rid of web bugs and the likes, I use Privoxy, but I'm sure Proxomitron is fine too.

    Concerned about software phoning home and uploading your passwords and files? I think a firewall with outbound filtering is better than a hosts file...

    Shortcuts to URLs? Modern browsers have features for this, and not only to certain IPs but to any URL. However, I've put an IP for Google there, so that if DNS is dead I could at least find something through their cache. (I have a list of alternate DNSes in a text file to prevent this problem however).

    Also, very large hosts files require DNS caching to be turned off in XP. This means more DNS requests which is slower, and is not very nice to whoever runs your DNS. However, I think it makes sense to turn off caching of failed DNS lookups; this is done in the registry.

    So if I'm not on a computer from the stone age, I'd probably not see that much use for hosts files, really a poor man's tool, I think.
     
  13. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    Over & above the examples of HOSTS file uses given in my prior post, here are just a few additional examples...

    * Most ad-blockers will only intercept IP calls going to the HTTP port. The Hosts file, however, can block IP calls on any port, whether it is HTTP, FTP, or whatever.

    * HOSTS will intercept IP calls before they ever leave your computer. Ergo, Hosts can prevent trackers from knowing you are even viewing their web page. This prevents them from profiling you.

    * Rather than relying solely on others to decide what sites to block, you can add sites of your OWN choosing to the Hosts file. You get to decide what you want to block (or NOT block), without the need to depend on someone else's judgement!

    * Another way of using the HOSTS is if you want to *whitelist* & access computers that are not listed by any DNS servers. For example if you have a local network, you wouldn't list your local computers in DNS servers. So you could just enter them into your HOSTS file.

    As always, your mileage may vary.

    Aloha & Happy Christmas Season to all... bellgamin

     
    Last edited: Dec 22, 2007
  14. Shunted

    Shunted Registered Member

    Joined:
    Dec 21, 2007
    Posts:
    11
    I certainly don't mind your use of hosts files, but I can't resist commenting.

    * Most ad-blockers will only intercept IP calls going to the HTTP port. The Hosts file, however, can block IP calls on any port, whether it is HTTP, FTP, or whatever.

    I tried blocking FTP content with Opera's built in content blocker, and that worked fine. Also, Privoxy doesn't care about the port, only the protocol. So I think this claim is not true (anymore).

    * HOSTS will intercept IP calls before they ever leave your computer. Ergo, Hosts can prevent trackers from knowing you are even viewing their web page. This prevents them from profiling you.

    It seems Adblock Plus for Firefox does request content and just hide it, at least by default. However, neither Opera nor Privoxy does this.

    * Rather than relying solely on others to decide what sites to block, you can add sites of your OWN choosing to the Hosts file. You get to decide what you want to block (or NOT block), without the need to depend on someone else's judgement!

    Well, Opera's filter is empty when you install the browser and the same goes for Privoxy. However, the latter comes with many smart filters you can activate if you like (filtering of webbugs, javascript and html annoyances, fast-redirects, and so on, or you can basically regexp replace whatever you like). Otherwise, you just block domains you don't like (same as hosts) or wildcard domains (*counter.*/) or parts of domains (www.somedomain.com/tracker?*), things you can't do with hosts.

    * Another way of using the HOSTS is if you want to *whitelist* & access computers that are not listed by any DNS servers.

    Now that's what hosts were actually intended for (this is so old it predates the domain registries..). Not that I complain about using hosts for blocking, it's certainly light-weight and straight forward.
     
  15. LUSHER

    LUSHER Registered Member

    Joined:
    Feb 28, 2007
    Posts:
    440
    So the consensus of this thread is the hosts file is useless for security (Bellgamin is just arguing for the sake of arguing). The best anyone can say is "it doesn't hurt".

    I would think that in security one should keep things simple. If something doesn't work, using it just creates additional complexity which is not a good thing.

    For example if you have no hosts file, it is easy to check to see if some malicious entry has been added.

    But I guess the whole "kitchen-sink" approach to security is very popular here...
     
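Two points in this thread lend themselves to a concrete check: Mike's note (post 10) that malware has written 127.0.0.1 entries for security-software update hosts and could redirect banking sites, and LUSHER's point (post 15) that a hosts file is only easy to audit when you know what should be in it. The script below is an added example, not code from any product or poster in this thread. It parses a hosts file the way the resolver reads it, sorts each entry into blocking (MVPS-style sinkhole lines), local (LAN names not published in DNS, as in bellgamin's whitelisting use) or redirect (a name sent to a public address), and flags any entry that overrides a name on an operator-maintained protected list or that maps one name to several addresses. The protected names, the sample hosts text and the address ranges counted as "LAN" are assumptions constructed for the example.

```python
"""Hosts-file auditor (added example): classify entries and flag overrides of
names that should never appear in a hosts file (e.g. AV update hosts, banks)."""
import ipaddress
from collections import defaultdict
from typing import Dict, List, NamedTuple


class HostsEntry(NamedTuple):
    line_no: int
    address: str
    hostname: str


# Addresses conventionally used to sinkhole (block) a name instead of reaching it.
SINKHOLE_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1", "::"}
# Names that legitimately map to loopback on every machine.
LOCALHOST_NAMES = {"localhost", "localhost.localdomain"}
# Assumption: RFC 1918, link-local and ULA ranges count as "LAN whitelisting".
LAN_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "fc00::/7", "fe80::/10")]
# Hypothetical operator-maintained list of names a hosts file must never override.
PROTECTED_NAMES = ("update.example-av.test", "bank.example.test")

# Constructed sample input, not a real hosts file.
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1       localhost
192.168.1.10    nas.lan printer.lan        # LAN names not in any DNS
127.0.0.1       ads.example.test           # MVPS-style blocking entry
0.0.0.0         tracker.example.test
127.0.0.1       update.example-av.test     # update host neutered
203.0.113.7     bank.example.test          # bank sent to another host
127.0.0.1       ads.example.test           # harmless duplicate
10.0.0.5        printer.lan                # conflicting second mapping
"""


def parse_hosts(text: str) -> List[HostsEntry]:
    """One HostsEntry per (address, name) pair; comments, blank lines,
    single-field lines and unparsable addresses are skipped, as the resolver does."""
    entries: List[HostsEntry] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()   # drop trailing comment
        if len(fields) < 2:
            continue
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            entries.append(HostsEntry(line_no, fields[0], name.lower()))
    return entries


def is_protected(name: str) -> bool:
    """True for a protected name or any subdomain of one."""
    return any(name == p or name.endswith("." + p) for p in PROTECTED_NAMES)


def audit(text: str) -> Dict[str, object]:
    """Classify entries and report hijacked protected names and conflicting
    mappings (the resolver uses only the first address it finds for a name)."""
    blocking, local, redirect, hijacked = [], [], [], []
    seen: Dict[str, List[str]] = defaultdict(list)
    for e in parse_hosts(text):
        if e.address not in seen[e.hostname]:
            seen[e.hostname].append(e.address)
        addr = ipaddress.ip_address(e.address)
        if e.hostname in LOCALHOST_NAMES:
            local.append(e)
        elif e.address in SINKHOLE_ADDRESSES:
            blocking.append(e)                       # "127.0.0.1 badsite" line
        elif any(addr in net for net in LAN_NETWORKS):
            local.append(e)                          # LAN name, DNS-less
        else:
            redirect.append(e)                       # public name -> public IP
        if is_protected(e.hostname):
            hijacked.append(e)                       # any override is suspect
    conflicts = {n: a for n, a in seen.items() if len(a) > 1}
    return {"blocking": blocking, "local": local, "redirect": redirect,
            "hijacked": hijacked, "conflicts": conflicts}


if __name__ == "__main__":
    report = audit(SAMPLE_HOSTS)
    for kind in ("blocking", "local", "redirect", "hijacked"):
        for e in report[kind]:
            print(f"{kind:9} line {e.line_no}: {e.address} {e.hostname}")
    for name, addrs in report["conflicts"].items():
        print(f"conflict  {name} -> {addrs} (only {addrs[0]} is used)")
```

Run against the real file (`%SystemRoot%\System32\drivers\etc\hosts` on Windows, `/etc/hosts` elsewhere) by reading it into `audit()`; anything in `hijacked`, `redirect` or `conflicts` is what the thread's "is it still clean?" check is looking for, and a large MVPS-style list shows up only as a long `blocking` section.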
  16. herbalist

    herbalist Guest

    I use a hosts file on the PCs I service for clients but don't consider it to be a security tool as such. I treat it more as an ad blocker, Google blocker, etc. A hosts file works well for cleaning a lot of the garbage off of web pages for those who don't use specific ad blocking software or extensions. More of an annoyance remover than a security aid.
    On my own PC, this is the primary use of the hosts file. Proxomitron takes care of the rest.
    Rick
     
  17. Empath

    Empath Registered Member

    Joined:
    Nov 13, 2002
    Posts:
    178
    Actually, I appreciate Bellgamin's viewpoint in most matters you call 'arguing'. He's usually logical and free of such nonsense as adapting his opinion as the "consensus of the thread".

    The hosts file does what it was designed to do. It overrides DNS problems, redirects, and defines and/or re-defines. If one finds a way of incorporating a greater level of privacy or security in making use of those features, they've found a way of doing something without adding the overhead of third party software.
     
  18. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,632
    Location:
    U.S.A. (South)
    Important note, and thanks for pointing it out.

    As little security as Microsoft deemed to offer us with each of their O/S releases, the Hosts file is at least one (avenue) of those readily available for enhancing without third party additionals.

    I always set mine to READ-ONLY attributes after entering potential disrupting routes. Malware writers have tampered endlessly with nearly every conceivable point of exploitation and the Hosts file has been in the past an easy target for them to abuse.
     
  19. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    Nice that you do mind-reading. Is there no end to your godlike talents? :cautious:

    Did I mention that HOSTS also cures the heart-break of psoriasis?

    But seriously, folx -- those who want a good HOSTS can get it Hither, or even Thither.
     
  20. LUSHER

    LUSHER Registered Member

    Joined:
    Feb 28, 2007
    Posts:
    440
    You know there isn't. That is why you quote what I write like a disciple of mine, whenever you get a chance to lecture on "behavior blockers"... :D
     
  21. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,632
    Location:
    U.S.A. (South)
    You guys just lecture on. ;)

    Many of us draw a great deal of better understanding the more subjects like these are discussed and product results compared, as well as the occasional luck-of-the-draw when someone posts a link to a useful tool or two. :thumb:
     