https://www.bleepingcomputer.com/news/microsoft/windows-10-hosts-file-blocking-telemetry-is-now-flagged-as-a-risk/
Starting at the end of July, Microsoft has begun detecting HOSTS files
that block Windows 10 telemetry servers as a 'Severe' security risk.
The HOSTS file is a text file located at
C:\Windows\system32\drivers\etc\HOSTS and can only be edited by a program
with Administrator privileges.
This file is used to resolve hostnames to IP addresses without using the
Domain Name System (DNS).
This file is commonly used to block a computer from accessing a remote
site by assigning the host to the 127.0.0.1 or 0.0.0.0 IP address.
For example, if you add the following line to the Windows HOSTS file, it
will block users from accessing www.google.com, as your browsers will
think you are trying to connect to 127.0.0.1, which is the local computer.
127.0.0.1 www.google.com
Microsoft now detects HOSTS files that block Windows telemetry
Since the end of July, Windows 10 users began reporting that Windows
Defender had started detecting modified HOSTS files as a
'SettingsModifier:Win32/HostsFileHijack' threat.
When detected, if a user clicks on the 'See details' option, they will
simply be shown that they are affected by a 'Settings Modifier' threat
that has 'potentially unwanted behavior,' as shown below.
*SettingsModifier:Win32/HostsFileHijack detection*
BleepingComputer first learned about this issue from BornCity
<https://borncity.com/win/2020/08/03/windows-defender-lscht-windows-hosts-datei-teil-2/>,
and while Microsoft Defender detecting HOSTS hijacks is not new
<https://support.microsoft.com/en-us/help/2764944/hosts-file-is-detected-as-malware-in-windows-defender>,
it was strange to see so many people suddenly reporting the detection
[1 <https://www.tenforums.com/antivirus-firewalls-system-security/161347-cant-get-rid-settingsmodifier-win32-hostsfilehijack.html>,
2 <https://www.tenforums.com/antivirus-firewalls-system-security/161347-cant-get-rid-settingsmodifier-win32-hostsfilehijack.html>,
3 <https://steamcommunity.com/discussions/forum/0/2798376550596602341/>,
4 <https://www.reddit.com/r/TronScript/comments/hzr0ce/great_program_breathed_new_life_into_an_old/>,
5 <https://answers.microsoft.com/en-us/protect/forum/all/settingsmodifierwin32hostsfilehijack/822cdbad-f81f-4714-a629-61f7b76b7009>].
While widespread infections hitting many consumers simultaneously were
not unheard of in the past, they are quite unusual with the security
built into Windows 10 today.
This led me to believe it was a false positive or some other
non-malicious issue.
After playing with generic HOSTS file modifications such as blocking
BleepingComputer and other sites, I tried adding a blocklist for
Microsoft's telemetry
<http://encrypt-the-planet.com/windows-10-anti-spy-host-file/> to my
HOSTS file.
This list adds many Microsoft servers used by the Windows operating
system and Microsoft software to send telemetry and user data back to
Microsoft.
As soon as I saved the HOSTS file, I received the following alert
stating that I could not save the file as it "contains a virus or
potentially unwanted software." I also received alerts that my computer
was infected with 'SettingsModifier:Win32/HostsFileHijack.'
--
Pity the fool who followed his GPS over the cliff
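
An added example, not part of the article and not Microsoft Defender's
detection logic (which the article does not describe): a small auditor
that parses HOSTS-file text as explained above and reports which names
are blocked (mapped to loopback or 0.0.0.0) or redirected to another
address. The watchlist suffixes and the sample file are constructed
placeholders.

```python
import ipaddress

# Assumed watchlist of domain suffixes to report on. Placeholder names: the
# article does not list the telemetry hostnames.
WATCHED_SUFFIXES = ("telemetry.example.com", "data.example.net")

# Constructed sample HOSTS content (not taken from a real machine).
SAMPLE = """\
# comment line
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.google.com
0.0.0.0         v10.telemetry.example.com   # blocklist entry
0.0.0.0         settings.data.example.net cdn.example.org
203.0.113.7     login.example.org
not-an-ip       broken.example.org
"""

def parse_hosts(text):
    """Yield (line_no, address, hostname) for every mapping in HOSTS text."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()   # strip comment, split on whitespace
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                            # first field is not an IP address
        for host in fields[1:]:                 # one line may name several hosts
            yield line_no, addr, host.lower().rstrip(".")

def audit(text, watched=WATCHED_SUFFIXES):
    """Return (line_no, host, address, action, on_watchlist) per non-default entry."""
    findings = []
    for line_no, addr, host in parse_hosts(text):
        if host == "localhost":
            continue                            # default loopback entries
        # Loopback or 0.0.0.0 points the name at the local computer or at no
        # usable address; any other address sends that name's traffic elsewhere.
        sinkholed = addr.is_loopback or addr.is_unspecified
        action = "blocked" if sinkholed else "redirected"
        on_list = any(host == s or host.endswith("." + s) for s in watched)
        findings.append((line_no, host, str(addr), action, on_list))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

A "redirected" finding is the case that warrants investigation first,
since it quietly points a name at a different machine.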