
Windows 10: HOSTS file blocking telemetry is now flagged as a risk

Korben

Thanks to Diversion (installed in my router), which blocks this at the router (when I'm working from home, since only my work laptop is a Windows machine; I'm a Mac user when using my own computer).


I mean technically the computer might get say... security definition updates for Windows Defender from their servers and it can't if that is stopping it. 

So in that aspect it technically is a risk. 

But yeah, I don't really like this.

"If a Lobster is a fish because it moves by jumping, then a kangaroo is a bird" - Admiral Paulo de Castro Moreira da Silva

"There is nothing more difficult than fixing something that isn't all the way broken yet." - Author Unknown


Intel Core i7-3960X @ 4.6 GHz - Asus P9X79WS/IPMI - 12GB DDR3-1600 quad-channel - EVGA GTX 1080ti SC - Fractal Design Define R5 - 500GB Crucial MX200 - NH-D15 - Logitech G710+ - Mionix Naos 7000 - Sennheiser PC350 w/Topping VX-1


1 hour ago, Korben said:

but still I don't like this kind of manipulations.

I guess you didn't know about Win10 selectively ignoring entries in the hosts file....

 


Is it detecting telemetry blocking entries specifically, or just blanket HOSTS modification detection that gets triggered even if you put something nonsensical in it?


Yeah, um, my hosts file has a big list there..

| Ryzen 7 7800X3D | AM5 B650 Aorus Elite AX | G.Skill Trident Z5 Neo RGB DDR5 32GB 6000MHz C30 | Sapphire PULSE Radeon RX 7900 XTX | Samsung 990 PRO 1TB with heatsink | Arctic Liquid Freezer II 360 | Seasonic Focus GX-850 | Lian Li Lanccool III | Mousepad: Skypad 3.0 XL / Zowie GTF-X | Mouse: Zowie S1-C | Keyboard: Ducky One 3 TKL (Cherry MX-Speed-Silver)Beyerdynamic MMX 300 (2nd Gen) | Acer XV272U | OS: Windows 11 |


And that's why you either disable telemetry in the group policy/registry or block the servers in your router.

CPU: AMD Ryzen 3700x / GPU: Asus Radeon RX 6750XT OC 12GB / RAM: Corsair Vengeance LPX 2x8GB DDR4-3200
MOBO: MSI B450m Gaming Plus / NVME: Corsair MP510 240GB / Case: TT Core v21 / PSU: Seasonic 750W / OS: Win 10 Pro


3 hours ago, HM-2 said:

It takes literally two seconds to add a file exclusion for hosts.txt in the security console.

If you're savvy enough to be fiddling around with the hosts file and actually understand what the changes you're making do, you're able to add an exclusion in an AV application.

I agree with most of what you say though. If you are making changes to the host file then you should probably also know how to make exclusions in Windows Defender.

I think "you can just change it, it only takes X number of minutes" is a weak excuse which is used far too often these days to justify anti-consumer behavior. Same with all the ads that are in Windows where people go "well you can turn them off if you know where to look and spend some time changing it".

 

 

 

3 hours ago, leadeater said:

Then don't put Microsoft domains in there and it won't nag you. Defender is not preventing any modification of the Hosts file, just ones that might be malicious, like other AV also do. The difference is that other AV software is not flagging Microsoft domains even though they could actually be malicious, probably for the reasons exhibited in this topic: user backlash.

Like I said in my first post, legitimate reasons exist for warning about this; personal reasoning will be the difference in how one portrays it.

 

Making changes to your Hosts file is still fully supported, still do that to test things like Load Balancer changes without making the DNS change live on the entire network.

 

Edit:

Also why does it not surprise me that it's turned from specifically Microsoft domains, as mentioned in the source article, to any changes even though that is not the case. The spin here is rather strong.

 

Like I get that this could just be Microsoft wanting to have their cake and eat it too, finding a reason to make a change they have been wanting to do, but it's not like warning about Hosts file changes for Microsoft domains isn't actually a legitimate thing to do.

Agree. I don't think it's a coincidence that Microsoft has made it more difficult to disable telemetry though. Like I said in my original post, I agree that there are legitimate reasons for AVs to check the host file. But it's no secret that Microsoft really wants to collect data on their users, and this makes it a bit harder for people to protect themselves against that.

 

 

 

  

2 hours ago, RejZoR said:

Is it detecting telemetry blocking entries specifically, or just blanket HOSTS modification detection that gets triggered even if you put something nonsensical in it?

According to the article, it lets regular edits of the host file through but blocks and/or flags the ones related to Microsoft/Windows.


8 minutes ago, LAwLz said:

I think "you can just change it, it only takes X number of minutes" is a weak excuse which is used far too often these days to justify anti-consumer behavior.

I fail to see how this is "anticompetitive" in any way. Detection of hosts file modification focusing on MS and major security vendors is something that many AV products already do, and with good reason. I would guesstimate that amongst the Windows user base malicious modification of the hosts file by malware designed to prevent its removal is multiple orders of magnitude more common than instituting hosts file changes to block MS telemetry or services. If you're a power user then you can circumvent this very easily, but for the 99.99% of their user base this is a beneficial thing.

[ P R O J E C T _ M E L L I F E R A ]

[ 5900X @4.7GHz PBO2 | X570S Aorus Pro | 32GB GSkill Trident Z 3600MHz CL16 | EK-Quantum Reflection ]
[ ASUS RTX4080 TUF OC @3000MHz | O11D-XL | HardwareLabs GTS and GTX 360mm | XSPC D5 SATA ]

[ TechN / Phanteks G40 Blocks | Corsair AX750 | ROG Swift PG279Q | Q-Acoustics 2010i | Sabaj A4 ]

 

P R O J E C T | S A N D W A S P

6900K | RTX2080 | 32GB DDR4-3000 | Custom Loop 


4 minutes ago, HM-2 said:

I fail to see how this is "anticompetitive" in any way.

I never said it was anti-competitive though.


Just now, LAwLz said:

I never said it was anti-competitive though.

Sorry, "anti-consumer". It's pro-consumer for the vast majority of the userbase. 


55 minutes ago, TetraSky said:

And that's why you either disable telemetry in the group policy/registry or block the servers in your router.

Only if you are running server AFAIK, for every other version no matter how low you set the GP/registry it will default to basic......


I thought Microsoft telemetry ignores the host file.

I recall a whole discussion here of it not working.

I think this is just malware protection, and nothing to do with telemetry data as it never worked in any case.


49 minutes ago, LAwLz said:

anti-consumer behavior

Are there more power-users using Windows, or non-power-users who don't even know about the hosts-file, let alone who'd modify it? Oh, that's right -- there are FAR more of the latter people, ergo protecting them first IS pro-consumer behaviour.

Hand, n. A singular instrument worn at the end of the human arm and commonly thrust into somebody’s pocket.


14 minutes ago, WereCatf said:

Are there more power-users using Windows, or non-power-users who don't even know about the hosts-file, let alone who'd modify it? Oh, that's right -- there are FAR more of the latter people, ergo protecting them first IS pro-consumer behaviour.

New concept "pro-certain-consumer" behavior.


1 hour ago, LAwLz said:

According to the article, it lets regular edits of the host file through but blocks and/or flags the ones related to Microsoft/Windows.

Question is, are those entries really telemetry only or do they happen to block cloud connections of Windows Defender. Because I've seen "block lists" that go beyond just telemetry and just block too much.


3 minutes ago, RejZoR said:

Question is, are those entries really telemetry only or do they happen to block cloud connections of Windows Defender. Because I've seen "block lists" that go beyond just telemetry and just block too much.

It seems to be anything related to Microsoft.


Called it! :P 

 

 

8 hours ago, WereCatf said:

More capable users can go and exclude the hosts-file and continue using it as they've done this far.

Which is a bad thing? Because, as you said:

8 hours ago, WereCatf said:

There are plenty of malware and other kinds of less-than-honourable actors that mess around with the hosts-file,

which means excluding the file is not a solution. Only white-listing individual entries would be a solution, but that doesn't seem feasible.

 

False positives are a problem, there are no two ways about it, that's why you try to minimize them as much as you can. Workarounds involving excluding files known to be targets for malware is one of the reasons why. False positives create an artificial trade-off between security and usability (there's always a trade-off, false positives make it artificially harsher).

 

 

8 hours ago, HM-2 said:

You can choose whether or not to respond to or ignore the alert raised by Defender, so if you want to block MS IP address ranges cos your tinfoil hat is on too tight then you still can, you'll just get Defender telling you that you have.

As far as I've seen, you can't, it's instant quarantine. You have to exclude it altogether. In fact, notifying so you can check there are no additional changes than the ones you want would be a much better workaround.

 

8 hours ago, HM-2 said:

It takes literally two seconds to add a file exclusion for hosts.txt in the security console. If you're savvy enough to be fiddling around with the hosts file and actually understand what the changes you're making do, you're able to add an exclusion in an AV application.

Which is a problem, see above.

 

 

8 hours ago, porina said:

I've encountered this in the past with some AV package I don't recall. I'd consider this a false positive myself. There are legitimate reasons for editing a host file. As long as you have a way to exclude it, it isn't a major deal.

I agree except for the last bit: false positives and exclusion workarounds are a security concern just like false negatives are (see above).


4 minutes ago, SpaceGhostC2C said:

False positives 

I wouldn't describe this as a false positive; it's a non-malicious true positive. It's not an error in the detection logic caused by too broad or generic a signature, it's doing exactly what it's designed to do.


1 minute ago, HM-2 said:

I wouldn't describe this as a false positive; it's a non-malicious true positive.

Of course it is a false positive; there is no malware involved here. Just people using the hosts file as they would, or third-party programs adding entries to it at the users' request.

1 minute ago, HM-2 said:

It's not an error in the detection logic caused by too broad or generic a signature, it's doing exactly what it's designed to do.

Every positive, false or not, is the outcome of an algorithm flagging as positive what it was designed to flag as such. That's just tautological.

The only way to argue it is not "false" would be to argue that it is flagging what it was intended to flag, meaning that Microsoft wants to detect not only malware messing with MS's addresses, but also individuals and privacy tools that redirect those MS addresses to 127.0.0.1 or 0.0.0.0 on purpose - in which case, terrible move from Microsoft. Either way, the result is reduced security or giving up your current choices about how your computer is to operate. Which is exactly the problem with false positives, but call it what you want.


25 minutes ago, SpaceGhostC2C said:

Of course it is a false positive, there is no malware involved here.

I think you're misunderstanding the definition of a "false positive" in the context of malware detection.

25 minutes ago, SpaceGhostC2C said:

The only way to argue it is not "false" would be to argue that it is flagging what it was intended to flag

Which it is. That much is abundantly clear from the definition it is ascribed. As I previously noted, a static signature used in on-access or routine file scanning cannot tell the difference between a modification to the host file to redirect MS domains to Loopback made voluntarily by a user from one made maliciously to prevent malware removal.

 

Having just tested it in my malware lab VM, direct editing of the hosts file will trigger Defender, but copying the host file elsewhere on the system, editing and copying back won't until an on-access scan is performed; this approach gives you the option to remove, quarantine, or permit.

 

[Attached screenshot: Untitled.png]

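As an added illustration of the static check HM-2 describes (this is example code written for this page, not code from the thread, from Microsoft Defender, or from any poster), the script below parses hosts-file syntax and reports every mapping whose hostname falls under a watched vendor suffix. The suffix list is a constructed assumption, not Defender's real signature, and the sample hosts content is constructed too. Each hit is classed as a "sink" (loopback or null route, the telemetry-block pattern) or an "override" (any other address, the hijack pattern leadeater mentions). Because the check is purely static, it surfaces a voluntary telemetry block and a malicious redirect identically, which is exactly the limitation under discussion.

```python
"""Audit a hosts file for overrides of watched vendor domains.

Added example, not code from this thread or from Microsoft Defender. It is a
defender-side model of a static hosts-file check: parse hosts-file syntax,
then report every mapping whose hostname falls under a watched suffix (a
constructed list of Microsoft suffixes here). Each hit is classed as a "sink"
(loopback or null route, the telemetry-block pattern) or an "override" (any
other address, the hijack pattern). Being static, the check cannot tell a
voluntary edit from a malicious one; it only shows which lines such a
signature would surface.
"""
import ipaddress

# Constructed watch list (an assumption for this demo, not Defender's actual list).
WATCHED_SUFFIXES = ("microsoft.com", "windows.com", "windowsupdate.com", "live.com")


def is_sink(addr: str) -> bool:
    """True for loopback (127.0.0.1, ::1) or the unspecified address (0.0.0.0, ::)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def parse_hosts(text: str):
    """Yield (line_no, address, hostname) for every mapping in hosts-file syntax.

    '#' starts a comment, fields are whitespace separated, and one address may
    be followed by several hostnames; blank and comment-only lines are skipped.
    """
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        addr, *names = fields
        for name in names:
            yield line_no, addr, name.lower().rstrip(".")


def under_watched_suffix(host: str) -> bool:
    """True when host equals a watched suffix or is a subdomain of one."""
    return any(host == s or host.endswith("." + s) for s in WATCHED_SUFFIXES)


def audit_hosts(text: str):
    """Return [(line_no, address, hostname, kind)] for watched-domain mappings.

    kind is "sink" when the address is loopback/unspecified, else "override".
    """
    hits = []
    for line_no, addr, host in parse_hosts(text):
        if not under_watched_suffix(host):
            continue
        kind = "sink" if is_sink(addr) else "override"
        hits.append((line_no, addr, host, kind))
    return hits


# Constructed sample hosts content; the vendor hostnames are illustrative only.
SAMPLE_HOSTS = """\
# constructed sample, not a real machine's hosts file
127.0.0.1       localhost
::1             localhost
10.0.0.25       app-lb-test.internal      # load-balancer test entry, a routine edit
0.0.0.0         ads.example.net           # ad block, not a watched domain
0.0.0.0         vortex.data.microsoft.com  telemetry.microsoft.com
127.0.0.1       settings-win.data.microsoft.com
203.0.113.10    www.microsoft.com         # sent somewhere else entirely: hijack pattern
"""

if __name__ == "__main__":
    for line_no, addr, host, kind in audit_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {host} -> {addr} [{kind}]")
```

Run against the constructed sample, the load-balancer and ad-block lines pass untouched while the three Microsoft sink entries and the one override are all reported; an operator reviewing the output still has to decide which of those were intentional, which is the point SpaceGhostC2C and HM-2 are arguing over.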

I'll leave the argument if it is correct to call it a "false positive" for now. From a user perspective, if I want to do something, I don't want something to stop me. This is the biggest reason I've stopped using 3rd party AV solutions, as they try overly hard to justify their value for existence. They flag a ton of enthusiast (low level hardware accessing) software as PUPs. I don't want to deal with that crap. The MS one I only tolerate as it rarely generates any noise, but I have also run many systems totally AV free because they waste more of my time than saving me from anything. In the broadband era, I've had exactly zero useful detections from AV or malware software.

Main system: i9-7980XE, Asus X299 TUF mark 2, Noctua D15, Corsair Vengeance Pro 3200 3x 16GB 2R, RTX 3070, NZXT E850, GameMax Abyss, Samsung 980 Pro 2TB, Acer Predator XB241YU 24" 1440p 144Hz G-Sync + HP LP2475w 24" 1200p 60Hz wide gamut
Gaming laptop: Lenovo Legion 5, 5800H, RTX 3070, Kingston DDR4 3200C22 2x16GB 2Rx8, Kingston Fury Renegade 1TB + Crucial P1 1TB SSD, 165 Hz IPS 1080p G-Sync Compatible


Weird, my old HOSTS file taken from the StevenBlack repo a year ago got instantly flagged and quarantined, but Defender didn't flag it when I used his latest release. Both have some Microsoft domains in them. 🤔

| Intel i7-3770@4.2Ghz | Asus Z77-V | Zotac 980 Ti Amp! Omega | DDR3 1800mhz 4GB x4 | 300GB Intel DC S3500 SSD | 512GB Plextor M5 Pro | 2x 1TB WD Blue HDD |
 | Enermax NAXN82+ 650W 80Plus Bronze | Fiio E07K | Grado SR80i | Cooler Master XB HAF EVO | Logitech G27 | Logitech G600 | CM Storm Quickfire TK | DualShock 4 |


6 hours ago, xAcid9 said:

Weird, my old HOSTS file taken from the StevenBlack repo a year ago got instantly flagged and quarantined, but Defender didn't flag it when I used his latest release. Both have some Microsoft domains in them. 🤔

Chances are it will get flagged again if you do a manual scan, or if the automatic scan kicks in later.


16 hours ago, LAwLz said:

Chances are it will get flagged again if you do a manual scan, or if the automatic scan kicks in later.

I tried a manual scan yesterday; nothing happened. Forgot to try pasting the old content back in to see if it instantly flags the file again.


On 8/5/2020 at 4:31 AM, leadeater said:

Then it won't affect you, viruses and malware do make changes to the hosts file and put Microsoft domains in there to point to malicious places. You can cut this story basically any way you like depending on your leaning towards or against Microsoft.

 

Other AV software do check the hosts file for known malicious entries yes.

I use Spybot, and it adds literally 15636 entries to the HOSTS file. Just scrolling through the list, it seems like 99% of them are fake-everythings like typosquats for other antivirus products and look-alike domains, due to I and l looking the same in sans-serif fonts.

 

... seriously we've been dealing with I and l looking the same for a really long time, maybe the address bar should use a serif font.

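The "I and l look the same" problem in the post above is what blocklist maintainers handle with a skeleton comparison. The script below is an added example written for this page, not code from the thread, from Spybot, or from any blocklist project: it collapses ASCII characters that render alike in sans-serif fonts (I, 1 and | to l; 0 to o; rn to m; vv to w) into a canonical form for each DNS label and compares that against a constructed list of protected brand labels. The brand list and sample domains are assumptions for the demo; Unicode homoglyphs such as Cyrillic letters are out of scope here.

```python
"""Spot look-alike domains that imitate a known brand label.

Added example, not code from this thread or from Spybot. It implements the
skeleton idea behind the "I and l look the same" problem: map each DNS label
to a canonical form in which ASCII characters that render alike in sans-serif
fonts are collapsed (I, 1, | -> l; 0 -> o; 5 -> s; rn -> m; vv -> w), then
compare against the skeletons of a constructed list of protected brand labels.
"""

# Constructed list of brand labels to protect; the vendors are real but the
# list itself is an assumption for this demo.
PROTECTED_LABELS = ("microsoft", "malwarebytes", "bitdefender", "paypal", "google")

# Single-character confusables, applied before case folding so that 'I' -> 'l'.
_CHAR_MAP = str.maketrans({"I": "l", "1": "l", "|": "l", "0": "o", "5": "s"})
# Multi-character sequences that read as one letter.
_SEQ_MAP = (("rn", "m"), ("vv", "w"))


def skeleton(label: str) -> str:
    """Canonical form of one DNS label with look-alike characters collapsed."""
    s = label.translate(_CHAR_MAP).lower()
    for seq, rep in _SEQ_MAP:
        s = s.replace(seq, rep)
    return s


def lookalike_of(domain: str):
    """Return the protected label a domain imitates, or None.

    The check is applied to the second-level label (e.g. 'rnicrosoft' in
    'rnicrosoft.com'); an exact match of the genuine label is not a look-alike.
    """
    labels = domain.strip().rstrip(".").split(".")
    if len(labels) < 2:
        return None
    candidate = labels[-2]
    if candidate.lower() in PROTECTED_LABELS:
        return None
    sk = skeleton(candidate)
    for brand in PROTECTED_LABELS:
        if sk == skeleton(brand):
            return brand
    return None


def scan(domains):
    """Map each look-alike domain to the brand it imitates; genuine names are omitted."""
    result = {}
    for domain in domains:
        brand = lookalike_of(domain)
        if brand:
            result[domain] = brand
    return result


# Constructed sample input: a mix of genuine and look-alike names.
SAMPLE_DOMAINS = [
    "www.microsoft.com",            # genuine
    "rnicrosoft.com",               # 'rn' read as 'm'
    "paypaI.com",                   # capital I for l
    "ma1warebytes.net",             # digit 1 for l
    "g00gle.com",                   # zeros for o
    "bitdefender-support.example",  # different label, not a skeleton match
]

if __name__ == "__main__":
    for domain, brand in scan(SAMPLE_DOMAINS).items():
        print(f"{domain}: imitates {brand}")
```

Note the deliberate limitation in the last sample entry: a label that merely contains a brand name is not caught by skeleton matching, so a real blocklist combines this with substring and edit-distance checks rather than relying on one signal.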
