
Windows 10: HOSTS file blocking telemetry is now flagged as a risk

Korben

Microsoft made some changes in their anti-malware software (Defender) so that entries in the Windows hosts file containing Microsoft servers are marked as a security risk. If the file is not excluded from the scan (which is not recommended), it will be replaced by the default version (which contains no entries).

This behaviour was confirmed for Windows 10 1909 and 2004.

Quotes

Since the end of July, Windows 10 users began reporting that Windows Defender had started detecting modified HOSTS files as a 'SettingsModifier:Win32/HostsFileHijack' threat.

When detected, if a user clicks on the 'See details' option, they will simply be shown that they are affected by a 'Settings Modifier' threat and has 'potentially unwanted behavior

 

My thoughts

Sounds a little bit like "abuse of power" to me. I don't use the hosts file to block tracking (I use Pi-hole), but I still don't like this kind of manipulation.


Sources

https://www.bleepingcomputer.com/news/microsoft/windows-10-hosts-file-blocking-telemetry-is-now-flagged-as-a-risk/

(German) https://www.heise.de/news/Windows-Defender-zensiert-hosts-Datei-4863355.html


This is why I use my windows machine for gaming and porn. So Microsoft is getting some interesting data from me. To be honest I haven't turned my desktop on in a while. I use my MacBook as my main machine currently. 

I just want to sit back and watch the world burn. 


4 minutes ago, MyName13 said:

Unless you use LTSC (where the latest version is 1809).

Well, only if you disabled Defender and/or Defender updates...


Totally makes sense. I don't get why they haven't done this sooner.

 

To me, it's not about stopping people blocking telemetry, it's more about stopping modifying the Microsoft servers for more nefarious purposes!


I’m curious if other antivirus programs detect it as malware as well. As far as I know, Windows Defender or any other antivirus uses telemetry to determine if a file is malicious or not. 


3 minutes ago, yolosnail said:

it's more about stopping modifying the Microsoft servers for more nefarious purposes!

The hosts file doesn't modify Microsoft servers. It was a way to block access to certain sites and such. Editing it only affects the computer the hosts file is on. What they are doing is a DICK move, but it's Microsoft, and they have pretty much been doing the same crap for the last few years with Windows 10. All they are doing is pissing off long-time Windows users.


18 minutes ago, Korben said:

I don't use the hosts file to block tracking (I use pi-hole)

Then it won't affect you, viruses and malware do make changes to the hosts file and put Microsoft domains in there to point to malicious places. You can cut this story basically any way you like depending on your leaning towards or against Microsoft.

 

5 minutes ago, captain_to_fire said:

I’m curious if other antivirus programs detect it as malware as well. 

Other AV software does check the hosts file for known malicious entries, yes.


To this date I was sceptical about disabling Windows Defender, but now I'm sure I won't regret it :)


19 minutes ago, Korben said:

Sounds a little bit like "abuse of power" to me.

Not to my ears. There are plenty of malware and other kinds of less-than-honourable actors that mess around with the hosts file, so this is a sensible move in protecting the less capable users. More capable users can go and exclude the hosts file and continue using it as they've done thus far.


I use the hosts file to block porn sites, what alternatives do I have?


1 minute ago, paeschli said:

I use the hosts file to block porn sites, what alternatives do I have?

  1. Add the hosts-file to exclusions in Defender's settings.
  2. Use PiHole.
  3. Get a better router that can do blocking at the router level, e.g. one running OpenWrt or pfSense.
  4. Install one of the million different kinds of porn-blocking apps.
  5. So on and so forth.


2 minutes ago, paeschli said:

I use the hosts file to block porn sites, what alternatives do I have?

Will not affect that at all; it's looking for Microsoft domains listed in there and flagging them as a Hosts File Hijack. No Microsoft domains in the hosts file, then it won't flag it. Of course it might flag other known malicious entries too, but I don't think you'll be intentionally putting those in there.
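To make the distinction in this post concrete, here is a small checker, added as an example and not code from the thread or from Defender, that reads a hosts file and reports only entries that remap hostnames under an assumed list of Microsoft domain suffixes. It separates blanket blocks (loopback or null route, the telemetry-blocking case) from redirects to some other address (the pattern the thread associates with malware). The suffix list, the sample hosts text and the classification are assumptions; Defender's actual signature is not public on this page.

```python
"""Flag hosts-file entries that remap Microsoft hostnames.

The suffix list and the blocked/redirected classification are assumptions
for this example; they are not Defender's real 'HostsFileHijack' logic."""
import ipaddress

# Assumed Microsoft-owned suffixes (constructed, not an official list).
MICROSOFT_SUFFIXES = ("microsoft.com", "windowsupdate.com", "live.com")
# Addresses that just black-hole a name rather than redirect it.
BLACKHOLE_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1", "::"}


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, skipping comments,
    blank lines and lines whose first field is not a valid IP address."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # malformed entry; Windows ignores it as well
        for name in fields[1:]:  # one line may list several aliases
            yield ip, name.lower()


def is_microsoft_host(name):
    return any(name == s or name.endswith("." + s) for s in MICROSOFT_SUFFIXES)


def flag_hijacks(text):
    """Return [(hostname, ip, kind)] for Microsoft hostnames only; kind is
    'blocked' for a black-hole address and 'redirected' otherwise."""
    findings = []
    for ip, name in parse_hosts(text):
        if is_microsoft_host(name):
            kind = "blocked" if ip in BLACKHOLE_ADDRESSES else "redirected"
            findings.append((name, ip, kind))
    return findings


# Constructed sample; not a real hosts file from any machine.
SAMPLE_HOSTS = """# hosts (constructed sample)
127.0.0.1     localhost
0.0.0.0       ads.example.net           # generic ad block: not reported
0.0.0.0       telemetry.microsoft.com   # telemetry block: 'blocked'
198.51.100.7  update.microsoft.com      # third-party address: 'redirected'
"""

if __name__ == "__main__":
    for name, ip, kind in flag_hijacks(SAMPLE_HOSTS):
        print(f"{kind:10s} {name} -> {ip}")
```

Running it on the sample reports only the two Microsoft entries; the ad-block line passes untouched, which is the behaviour the post above describes for non-Microsoft domains.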


On one hand, I can see why an anti-virus software would want to make sure the host file is unmodified.

But on the other hand, this is clearly Microsoft using their dominance in anti-virus software to try and get an advantage in their data harvesting business.

 

In general, I'd say that anything that removes freedom from the user is bad, and this definitely does just that.


3 minutes ago, LAwLz said:

In general, I'd say that anything that removes freedom from the user is bad, and this definitely does just that.

How does it "remove freedom" from the user?

 

You can choose whether or not to respond to or ignore the alert raised by Defender, so if you want to block MS IP address ranges cos your tinfoil hat is on too tight then you still can, you'll just get Defender telling you that you have.


This has to be one of the biggest non-stories I’ve seen blasting Microsoft. People can really twist anything to suit their agenda.


1 minute ago, HM-2 said:

How does it "remove freedom" from the user? You can choose whether or not to respond to or ignore the alert raised by Defender, so if you want to block MS IP address ranges cos your tinfoil hat is on too tight then you still can, you'll just get Defender telling you that you have.

I don't appreciate the condescending tone.

 

Here is a screenshot from the source article:

[screenshot from the source article, not reproduced here]

 

I'd say that labeling it a threat which deletes the user modifications if you click "clear", blocking changes from happening even when it's the user actively doing it through another program, and nagging and scaring the user is a way of removing freedom from the user.


Man, Microsoft, every day you really push me more into trying to install Ubuntu as my daily driver.

 

Fuck that shit.


3 minutes ago, LAwLz said:

I don't appreciate the condescending tone.

Here is a screenshot from the source article:

It takes literally two seconds to add a file exclusion for hosts.txt in the security console.

If you're savvy enough to be fiddling around with the hosts file and actually understand what the changes you're making do, you're able to add an exclusion in an AV application.

 

3 minutes ago, LAwLz said:

I'd say that labeling it a threat 

It is a threat. Host file modification to block access to MS domains along with those of common security vendors is exceptionally common in malware, and a static scanning engine cannot easily determine what has modified a file.


I don't think the StevenBlack HOSTS file blocks any of Microsoft's telemetry, but Windows Defender flagged mine a few days ago. 🤔

I don't block telemetry but do have things blocked in the hosts file using Spybot. Never had an alert, and I am running Windows 10 2003. HarrNyquist, Ubuntu has telemetry in as well. Also, Mac OS has telemetry as well. Just something to get used to.


I've encountered this in the past with some AV package I don't recall. I'd consider this a false positive myself. There are legitimate reasons for editing a host file. As long as you have a way to exclude it, it isn't a major deal.


16 minutes ago, LAwLz said:

I'd say that labeling it a threat which deletes the user modifications if you click "clear", blocking changes from happening even when it's the user actively doing it through another program, and nagging and scaring the user is a way of removing freedom from the user.

Then don't put Microsoft domains in there and it won't nag you. Defender is not preventing any modification of the hosts file, just ones that might be malicious, like other AV also does. The difference is that other AV software is not flagging Microsoft domains even though they could actually be malicious, probably for the reasons exhibited in this topic: user backlash.

Like I said in my first post, legitimate reasons exist for warning about this; personal reasoning will be the difference in how one portrays it.

 

Making changes to your hosts file is still fully supported; I still do that to test things like load balancer changes without making the DNS change live on the entire network.

 

Edit:

Also, why does it not surprise me that it's turned from specifically Microsoft domains, as mentioned in the source article, to any changes, even though that is not the case. The spin here is rather strong.

 

Like I get that this could just be Microsoft wanting to have their cake and eat it too, finding a reason to make a change they have been wanting to make, but it's not like warning about hosts file changes for Microsoft domains isn't actually a legitimate thing to do.


Honestly, in my opinion this makes sense and is a sensible thing to do. I'd say 99% of Windows users do not even know what the hosts file is, much less how to edit it. As such, any changes in that file, especially when they concern Microsoft-owned domains, are a huge red flag. A lot of AV programs monitor the hosts file and will block any access to it.

If you are among the 1% that does know what the hosts file does and how to utilize it for your benefit, you should also know how to remove it from being monitored and alter it if you really need to change any Microsoft domains. Sure, you will lose some protection then, but I do understand that it would be a lot of work for the MS team to modify the Defender behavior to allow a safe change of those domains. As I really do think that this is a very small fringe case, I understand that they don't want to invest too much time into it.

If you really want to block your PC from accessing certain domains, I would highly suggest using a Pi-hole anyway. It's fairly cheap, easy to set up and so much more powerful than anything that you could do with the hosts file anyway.


When using BitDefender, about 2 years ago... it blocked me from even trying to modify that file.

So, it is not only Microsoft Defender.

 

I mean, that file is like a whitelist for stuff to not just pass through. It is better to not touch it, unless you really know what you are doing.

Marking it as a "risk", is obviously spot on and correct.
