Host resolution priority -> vulnerable to malware tampering?

Virus Guy

Dec 13, 2009, 9:17:21 AM
I wasn't aware that you could set the priority for host resolution.

http://www.speedguide.net/read_articles.php?id=1130

Could this mean that with the right settings, that the hosts file could
be essentially deactivated by setting it to a very low priority and
setting DnsPriority to a high priority?

If so, does any anti-malware software examine those registry settings
and look for malicious tampering?

David H. Lipman

Dec 13, 2009, 9:30:15 AM
From: "Virus Guy" <Vi...@Guy.com>

| http://www.speedguide.net/read_articles.php?id=1130

No, it wouldn't deactivate the resolution via the etc/hosts file.

The information cited is really for changing the resolution sequence depending on your
situation. For example, if you are in a workgroup or Domain and how the OS reacts to such
named hosts as...

\\machinename

http://hostname

With this one may choose the etc/hosts to have a lower number than the other resolution
methods but I don't think it will disable it altogether.

If one wants to do that, it is much better to just redirect the location of the etc/hosts
file via the "DataBasePath" key in..
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters


--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp


Virus Guy

Dec 13, 2009, 9:42:43 AM
"David H. Lipman" wrote:

> | Could this mean that with the right settings, that the hosts
> | file could be essentially deactivated
>

> No, it wouldn't deactivate the resolution via the etc/hosts file.
>
> The information cited is really for changing the resolution sequence
> depending on your situation.

Seems to me that these settings are for setting the priority of those
services with respect to other services running on the machine.

If they also set the sequence or order of which method is used to
perform a host resolution, then setting the local hosts value to the
highest numerical value out of the 4 of them would mean that the hosts
file would always be the last to be queried - which would effectively
deactivate it as resolution method. No?

David H. Lipman

Dec 13, 2009, 1:14:46 PM
From: "Virus Guy" <Vi...@Guy.com>

| "David H. Lipman" wrote:

OK, rethinking this...

It would "deactivate" it. However if a DNS resolution to a malicious site is first and you
are effectively getting that address then the etc/hosts file redirection to the IP
responder address would be a moot point.

Deactivated - no.

Ineffectual - yes.
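
An added example, not part of the thread and not taken from any anti-malware product, of the check asked about in the first post: it parses `reg query` output for the `Tcpip\ServiceProvider` and `Tcpip\Parameters` keys and flags changed resolution priorities or a redirected `DataBasePath`. The `ServiceProvider` key path and the default values are assumptions based on stock Windows installs, and the sample output is constructed.

```python
import re

# Assumption: stock Windows values (lower number = consulted earlier).
DEFAULT_PRIORITIES = {"LocalPriority": 499, "HostsPriority": 500,
                      "DnsPriority": 2000, "NetbtPriority": 2001}
DEFAULT_DB_PATH = r"%SystemRoot%\System32\drivers\etc"
VALUE_LINE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*)$")

def parse_reg_query(text):
    """Return {value_name: data} from `reg query` output; DWORDs become ints."""
    values = {}
    for line in text.splitlines():
        m = VALUE_LINE.match(line)
        if not m:
            continue  # key header or blank line
        name, kind, data = m.groups()
        values[name] = int(data, 16) if kind == "REG_DWORD" else data.strip()
    return values

def audit(values):
    """Return a list of findings for the resolver settings discussed above."""
    findings = []
    for name, default in DEFAULT_PRIORITIES.items():
        current = values.get(name)
        if current is not None and current != default:
            findings.append(f"{name}: {current} (default {default})")
    hosts, dns = values.get("HostsPriority"), values.get("DnsPriority")
    if hosts is not None and dns is not None and hosts >= dns:
        findings.append("hosts file is ordered after DNS")
    path = values.get("DataBasePath")
    if path is not None and path.rstrip("\\").lower() != DEFAULT_DB_PATH.lower():
        findings.append(f"DataBasePath redirected: {path}")
    return findings

# Constructed sample: combined `reg query` output from a tampered host.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\ServiceProvider
    DnsPriority    REG_DWORD    0x1f4
    HostsPriority    REG_DWORD    0x7d0
    LocalPriority    REG_DWORD    0x1f3
    NetbtPriority    REG_DWORD    0x7d1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    DataBasePath    REG_EXPAND_SZ    C:\Users\Public\etc
"""

if __name__ == "__main__":
    for finding in audit(parse_reg_query(SAMPLE)):
        print(finding)
```
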
