Korben

Windows 10: HOSTS file blocking telemetry is now flagged as a risk


Posted · Original Poster

Microsoft made some changes in their anti-malware software (Defender) so that entries in the Windows hosts file containing Microsoft servers are marked as a security risk. If the file is not excluded from the scan (which is not recommended), it will be replaced by the default version (which contains no entries).

This behaviour was confirmed for Windows 10 1909 and 2004.

 

Quotes


Since the end of July, Windows 10 users began reporting that Windows Defender had started detecting modified HOSTS files as a 'SettingsModifier:Win32/HostsFileHijack' threat.

When detected, if a user clicks on the 'See details' option, they will simply be shown that they are affected by a 'Settings Modifier' threat and has 'potentially unwanted behavior'.

 

My thoughts

Sounds a little bit like "abuse of power" to me. I don't use the hosts file to block tracking (I use pi-hole), but still I don't like this kind of manipulation.

 

 

Sources

https://www.bleepingcomputer.com/news/microsoft/windows-10-hosts-file-blocking-telemetry-is-now-flagged-as-a-risk/

(German) https://www.heise.de/news/Windows-Defender-zensiert-hosts-Datei-4863355.html

Posted · Original Poster
4 minutes ago, MyName13 said:

Unless you use LTSC (where the latest version is 1809).

Well, only if you disabled Defender and/or Defender updates...


Totally makes sense. I don't get why they haven't done this sooner.

 

To me, it's not about stopping people blocking telemetry, it's more about stopping modifying the Microsoft servers for more nefarious purposes!


Laptop: HP OMEN 15 - Intel Core i7 9750H, 16GB DDR4, 512GB NVMe SSD, Nvidia RTX 2060, 15.6" 1080p 144Hz IPS display

PC: Vacancy - Looking for applicants, please send CV

Mac: 2009 Mac Pro 8 Core - 2 x Xeon E5520, 16GB DDR3 1333 ECC, 120GB SATA SSD, AMD Radeon 7850. Soon to be upgraded to 2 x 6 Core Xeons

Phones: LG G6 - Platinum (The best colour of any phone, period); LG G7 - Moroccan Blue

 


I'm curious if other antivirus programs detect it as malware as well. As far as I know, Windows Defender or any other antivirus uses telemetry to determine if a file is malicious or not.


There is more that meets the eye
I see the soul that is inside

 

Making Windows Defender as good or even better than paid options

3 minutes ago, yolosnail said:

it's more about stopping modifying the Microsoft servers for more nefarious purposes!

The hosts file doesn't modify Microsoft servers. It was a way to block access to certain sites and such. Editing it only affects the computer the hosts file is on. What they are doing is a DICK move, but it's Microsoft and they have pretty much been doing the same crap for the last few years with Windows 10. All they are doing is pissing off long-time Windows users.

18 minutes ago, Korben said:

I don't use the hosts file to block tracking (I use pi-hole)

Then it won't affect you. Viruses and malware do make changes to the hosts file and put Microsoft domains in there to point to malicious places. You can cut this story basically any way you like depending on your leaning towards or against Microsoft.

 

5 minutes ago, captain_to_fire said:

I'm curious if other antivirus programs detect it as malware as well.

Other AV software does check the hosts file for known malicious entries, yes.


To this date I was sceptical about disabling Windows Defender, but now I'm sure I won't regret it :)


If it was useful, give it a like :) BTW, if you're into Linux, pay a visit here, and I will be thankful if you send me an opinion here.

 

19 minutes ago, Korben said:

Sounds a little bit like "abuse of power" to me.

Not to my ears. There are plenty of malware and other kinds of less-than-honourable actors that mess around with the hosts file, so this is a sensible move in protecting the less-capable users. More capable users can go and exclude the hosts file and continue using it as they've done this far.


Hand, n. A singular instrument worn at the end of the human arm and commonly thrust into somebody’s pocket.

1 minute ago, paeschli said:

I use the hosts file to block porn sites, what alternatives do I have?

  1. Add the hosts file to exclusions in Defender's settings.
  2. Use PiHole.
  3. Get a better router that can do blocking at the router level, e.g. one running OpenWRT or pfSense.
  4. Install one of the million different kinds of porn-blocking apps.
  5. So on and so forth.

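Item 1 above, done from PowerShell instead of the Windows Security UI, as an added example that is not part of any post in this thread. It assumes an elevated prompt (the Defender cmdlets require admin rights) and the default hosts location; the file is named hosts with no extension. Add-MpPreference, Get-MpPreference and Remove-MpPreference are the Defender module's own cmdlets. The trade-off the later posts mention applies: once excluded, the file is no longer checked for real hijacks either.

```powershell
# Added example: exclude the hosts file from Defender scanning from an elevated
# PowerShell prompt, then read the setting back to confirm it took effect.
# Trade-off: an excluded hosts file is also no longer checked for real hijacks.
$hostsFile = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

# Add the path exclusion (same effect as "Add an exclusion" in Windows Security).
Add-MpPreference -ExclusionPath $hostsFile

# Verify: Get-MpPreference returns the configured exclusion paths as an array.
$configured = (Get-MpPreference).ExclusionPath
if ($configured -contains $hostsFile) {
    "Exclusion present: $hostsFile"
} else {
    Write-Warning "Exclusion not found; was the prompt elevated?"
}

# To revert once the exclusion is no longer needed:
# Remove-MpPreference -ExclusionPath $hostsFile
```

Scope the exclusion to this one path rather than the whole etc directory; a broad exclusion would also hide anything else dropped next to it.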

2 minutes ago, paeschli said:

I use the hosts file to block porn sites, what alternatives do I have?

Will not affect that at all; it's looking for Microsoft domains listed in there and flagging them as a Hosts file Hijack. No Microsoft domains in the Hosts file, then it won't flag it. Of course it might flag other known malicious entries too, but I don't think you'll be intentionally putting those in there.


On one hand, I can see why anti-virus software would want to make sure the hosts file is unmodified.

But on the other hand, this is clearly Microsoft using their dominance in anti-virus software to try and get an advantage in their data harvesting business.

 

In general, I'd say that anything that removes freedom from the user is bad, and this definitely does just that.

3 minutes ago, LAwLz said:

In general, I'd say that anything that removes freedom from the user is bad, and this definitely does just that.

How does it "remove freedom" from the user?

 

You can choose whether or not to respond to or ignore the alert raised by Defender, so if you want to block MS IP address ranges cos your tinfoil hat is on too tight then you still can, you'll just get Defender telling you that you have.


P R O J E C T | S A N D W A S P
Intel 6900K 4.2GHz (1.260v) | MSI X99A MPOWER | NXZT Kraken X62 | 32GB G-Skill Trident Z RGB 3000MHz CL14
Corsair AX750 | Lian Li PC-O11 Dynamic XL | EVGA GeForce RTX2080 XC | Samsung 970 Evo 500GB PCI-E NVMe
2x Samsung 860 Evo 500GB | Gigabyte WBAX200 | ASUS ROG Swift PG279Q | Q Acoustics 2010i | Sabaj A4

1 minute ago, HM-2 said:

How does it "remove freedom" from the user? You can choose whether or not to respond to or ignore the alert raised by Defender, so if you want to block MS IP address ranges cos your tinfoil hat is on too tight then you still can, you'll just get Defender telling you that you have.

I don't appreciate the condescending tone.

 

Here is a screenshot from the source article:


 

I'd say that labeling it a threat which deletes the user modifications if you click "clear", blocking changes from happening even when it's the user actively doing it through another program, and nagging and scaring the user is a way of removing freedom from the user.

3 minutes ago, LAwLz said:

I don't appreciate the condescending tone.

Here is a screenshot from the source article:

It takes literally two seconds to add a file exclusion for hosts.txt in the security console.

If you're savvy enough to be fiddling around with the hosts file and actually understand what the changes you're making do, you're able to add an exclusion in an AV application.

 

3 minutes ago, LAwLz said:

I'd say that labeling it a threat 

It is a threat. Hosts file modification to block access to MS domains, along with those of common security vendors, is exceptionally common in malware, and a static scanning engine cannot easily determine what has modified a file.



I don't think the StevenBlack HOSTS file blocks any Microsoft telemetry, but Windows Defender flagged mine a few days ago. 🤔

 



| Intel i7-3770@4.2Ghz | Asus Z77-V | Zotac 980 Ti Amp! Omega | DDR3 1800mhz 4GB x4 | 300GB Intel DC S3500 SSD | 512GB Plextor M5 Pro | 2x 1TB WD Blue HDD |
 | Enermax NAXN82+ 650W 80Plus Bronze | Fiio E07K | Grado SR80i | Cooler Master XB HAF EVO | Logitech G27 | Logitech G600 | CM Storm Quickfire TK | DualShock 4 |


I don't block telemetry, but I do have things blocked in the hosts file using Spybot. Never had an alert, and I am running Windows 10 2003. HarrNyquist, Ubuntu has telemetry in it as well. Also macOS has telemetry as well. Just something to get used to.

I've encountered this in the past with some AV package I don't recall. I'd consider this a false positive myself. There are legitimate reasons for editing a hosts file. As long as you have a way to exclude it, it isn't a major deal.


Main system: Asus Maximus VIII Hero, i7-6700k stock, Noctua D14, G.Skill Ripjaws V 3200 2x8GB, Gigabyte GTX 1650, Corsair HX750i, In Win 303 NVIDIA, Samsung SM951 512GB, WD Blue 1TB, HP LP2475W 1200p wide gamut

Desktop Gaming system: Asrock Z370 Pro4, i7-8086k stock, Noctua D15, Corsair Vengeance Pro RGB 3200 4x16GB, Asus Strix 1080Ti, NZXT E850 PSU, Cooler Master MasterBox 5, Optane 900p 280GB, Crucial MX200 1TB, Sandisk 960GB, Acer Predator XB241YU 1440p 144Hz G-sync

TV Gaming system: Asus X299 TUF mark 2, 7920X @ 8c8t, Noctua D15, Corsair Vengeance LPX RGB 3000 8x8GB, Gigabyte RTX 2070, Corsair HX1000i, GameMax Abyss, Samsung 970 Evo 500GB, LG OLED55B9PLA

VR system: Asus Z170I Pro Gaming, i7-6700T stock, Scythe Kozuti, Kingston Hyper-X 2666 2x8GB, Zotac 1070 FE, Corsair CX450M, Silverstone SG13, Samsung PM951 256GB, Crucial BX500 1TB, HTC Vive

Gaming laptop: Asus FX503VD, i5-7300HQ, 2x8GB DDR4, GTX 1050, Sandisk 256GB + 480GB SSD

16 minutes ago, LAwLz said:

I'd say that labeling it a threat which deletes the user modifications if you click "clear", blocking changes from happening even when it's the user actively doing it through another program, and nagging and scaring the user is a way of removing freedom from the user.

Then don't put Microsoft domains in there and it won't nag you. Defender is not preventing any modification of the Hosts file, just ones that might be malicious, like other AV also do. The difference is that other AV software is not flagging Microsoft domains even though they could actually be malicious, probably for the reasons exhibited in this topic: user backlash.

Like I said in my first post, legitimate reasons exist for warning about this; personal reasoning will be the difference in how one portrays it.

 

Making changes to your Hosts file is still fully supported; I still do that to test things like Load Balancer changes without making the DNS change live on the entire network.

 

Edit:

Also why does it not surprise me that it's turned from specifically Microsoft domains, as mentioned in the source article, to any changes even though that is not the case. The spin here is rather strong.

 

Like I get that this could just be Microsoft wanting to have their cake and eat it too, finding a reason to make a change they have been wanting to do, but it's not like warning about Hosts file changes for Microsoft domains isn't actually a legitimate thing to do.
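The check the posts above describe (flag only entries that override Microsoft domains, leave ad-block and test entries alone), written out as an added example from the defender's side; it is not code from any poster and not Microsoft's detection logic. It parses the local hosts file and lists the overriding entries, so an admin can tell a deliberate telemetry block from a hijack before deciding whether to clear the alert or exclude the file. The suffix list is an assumption for illustration, since the thread does not say which domains Defender actually watches, and the sample lines at the bottom are constructed for running the script somewhere the real file is absent.

```powershell
# Added example: triage a hosts file for entries that override Microsoft domains,
# the pattern the SettingsModifier:Win32/HostsFileHijack detection reacts to.
# Not Microsoft's detection logic; the suffix list below is an assumption.
param(
    [string]$HostsPath = (Join-Path $env:SystemRoot 'System32\drivers\etc\hosts')
)

# Illustrative suffixes only; Defender's real list is not published in this thread.
$WatchedSuffixes = @(
    'microsoft.com', 'windowsupdate.com', 'msftncsi.com',
    'msftconnecttest.com', 'live.com', 'windows.com'
)

function Get-HostsEntry {
    # Parse hosts-file lines into (Address, HostName) pairs, one per hostname.
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        $clean = ($line -split '#', 2)[0].Trim()   # drop comments
        if (-not $clean) { continue }               # blank or comment-only line
        $fields = $clean -split '\s+'
        if ($fields.Count -lt 2) { continue }       # malformed: address without names
        foreach ($name in $fields[1..($fields.Count - 1)]) {
            [pscustomobject]@{ Address = $fields[0]; HostName = $name.ToLowerInvariant() }
        }
    }
}

function Find-WatchedHostsEntry {
    # Return entries whose hostname equals, or is a subdomain of, a watched suffix.
    param([string[]]$Lines, [string[]]$Suffixes = $WatchedSuffixes)
    Get-HostsEntry -Lines $Lines | Where-Object {
        $h = $_.HostName
        @($Suffixes | Where-Object { $h -eq $_ -or $h.EndsWith('.' + $_) }).Count -gt 0
    }
}

if (Test-Path $HostsPath) {
    $lines = Get-Content -Path $HostsPath
} else {
    # Constructed sample for running the script off a Windows box.
    $lines = @(
        '# comment line',
        '127.0.0.1   localhost',
        '0.0.0.0     ads.example.net  # typical ad-block entry: not flagged',
        '0.0.0.0     vortex.data.microsoft.com  # telemetry block: flagged',
        '10.0.0.5    download.windowsupdate.com  # redirects updates: flagged'
    )
}

$hits = @(Find-WatchedHostsEntry -Lines $lines)
if ($hits.Count -eq 0) {
    "No watched domains overridden in $HostsPath"
} else {
    "$($hits.Count) entries override watched domains:"
    $hits | Format-Table -AutoSize
}
```

An entry that maps a Microsoft or update domain to a routable address you did not put there (the last sample line) is the case the thread's pro-detection posts have in mind; a 0.0.0.0 or 127.0.0.1 entry you added yourself is the telemetry-block case, and the alert can be resolved with the exclusion rather than by letting Defender restore the default file.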

Honestly, in my opinion this makes sense and is a sensible thing to do. I'd say 99% of Windows users do not even know what the hosts file is, much less how to edit it. As such, any changes in that file, especially when it concerns Microsoft-owned domains, are a huge red flag. A lot of AV programs monitor the hosts file and will block any access to it.

If you are among the 1% that does know what the hosts file does and how to utilize it for your benefit, you should also know how to remove it from being monitored and alter it if you really need to change any Microsoft domains. Sure, you will lose some protection then, but I do understand that it would be a lot of work for the MS team to modify the Defender behavior to allow a safe change of those domains. As I really do think that this is a very small fringe case, I understand that they don't want to invest too much time into it.

If you really want to block your PC from accessing certain domains I would highly suggest to use a PiHole anyways. It's fairly cheap, easy to set up and so much more powerful than anything that you could do with the hosts file anyways. 


When using BitDefender, about 2 years ago... it blocked me from even trying to modify that file.

So, it is not only Microsoft Defender.

 

I mean... That file is like a whitelist for stuff to not just pass through. It is better to not touch it, unless you really know what you are doing.

Marking it as a "risk" is obviously spot on and correct.
