Protomartyr

Level 6
Verified
Microsoft now detects HOSTS files that block Windows telemetry

Since the end of July, Windows 10 users began reporting that Windows Defender had started detecting modified HOSTS files as a 'SettingsModifier:Win32/HostsFileHijack' threat.

When detected, if a user clicks on the 'See details' option, they will simply be shown that they are affected by a 'Settings Modifier' threat that has 'potentially unwanted behavior,' as shown below.

SettingsModifier:Win32/HostsFileHijack detection

BleepingComputer first learned about this issue from BornCity, and while Microsoft Defender detecting HOSTS hijacks is not new, it was strange to see so many people suddenly reporting the detection [1, 2, 3, 4, 5].

While a widespread infection hitting many consumers simultaneously in the past is not unheard of, it is quite unusual with the security built into Windows 10 today.

This led me to believe it was a false positive or some other non-malicious issue.

After playing with generic HOSTS file modifications such as blocking BleepingComputer and other sites, I tried adding a blocklist for Microsoft's telemetry to my HOSTS file.

This list adds many Microsoft servers used by the Windows operating system and Microsoft software to send telemetry and user data back to Microsoft.

As soon as I saved the HOSTS file, I received the following alert stating that I could not save the file as it "contains a virus or potentially unwanted software." I also received alerts that my computer was infected with 'SettingsModifier:Win32/HostsFileHijack.'

HOSTS file blocked from being saved

So it seems that Microsoft had recently updated their Microsoft Defender definitions to detect when their servers were added to the HOSTS file.

This caused users who utilize HOSTS files to block Windows 10 telemetry to suddenly see the HOSTS file hijack detection.

In our tests, some of the Microsoft hosts detected in the Windows 10 HOSTS file include the following:

www.microsoft.com
microsoft.com
telemetry.microsoft.com
wns.notify.windows.com.akadns.net
v10-win.vortex.data.microsoft.com.akadns.net
us.vortex-win.data.microsoft.com
us-v10.events.data.microsoft.com
urs.microsoft.com.nsatc.net
watson.telemetry.microsoft.com
watson.ppe.telemetry.microsoft.com
vsgallery.com
watson.live.com
watson.microsoft.com
telemetry.remoteapp.windowsazure.com
telemetry.urs.microsoft.com

If you decide to clean this threat, Microsoft will restore the HOSTS file back to its default contents.

Default Windows 10 HOSTS file

Users who intentionally modify their HOSTS file can allow this 'threat,' but it may enable all HOSTS modifications, even malicious ones, going forward.

So only allow the threat if you 100% understand the risks involved in doing so.

BleepingComputer has reached out to Microsoft with questions regarding this new detection.
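As an added example (not part of the BleepingComputer article, and not Microsoft's detection logic), the PowerShell below audits a hosts file for entries that name the Microsoft domains listed in the post, which is roughly what the new definition keys on, and shows the narrower alternative to clicking "Allow" on the threat: a Defender path exclusion scoped to the hosts file, as Microsoft's own guidance quoted later in the thread suggests. The domain list is copied from the post; the sample hosts content is constructed for the demo and includes non-Microsoft entries to show what such a list does not cover; `Add-MpPreference -ExclusionPath` and `Get-MpPreference` are real Defender cmdlets.

```powershell
# Added example: flag hosts-file entries naming the Microsoft domains the
# article lists as triggering SettingsModifier:Win32/HostsFileHijack.
# An approximation built from the post, not Microsoft's signature.

# Domains taken from the article's list.
$FlaggedDomains = @(
    'www.microsoft.com', 'microsoft.com', 'telemetry.microsoft.com',
    'wns.notify.windows.com.akadns.net',
    'v10-win.vortex.data.microsoft.com.akadns.net',
    'us.vortex-win.data.microsoft.com', 'us-v10.events.data.microsoft.com',
    'urs.microsoft.com.nsatc.net', 'watson.telemetry.microsoft.com',
    'watson.ppe.telemetry.microsoft.com', 'vsgallery.com',
    'watson.live.com', 'watson.microsoft.com',
    'telemetry.remoteapp.windowsazure.com', 'telemetry.urs.microsoft.com'
)

function Get-HostsEntries {
    # Parse hosts-file lines into (Address, Hostname) objects.
    # Comments after '#' and blank lines are skipped; one line may map
    # several hostnames to the same address.
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        $body = ($line -split '#', 2)[0].Trim()
        if (-not $body) { continue }
        $fields = $body -split '\s+'
        if ($fields.Count -lt 2) { continue }
        foreach ($name in $fields[1..($fields.Count - 1)]) {
            [pscustomobject]@{ Address = $fields[0]; Hostname = $name.ToLower() }
        }
    }
}

function Find-FlaggedHostsEntries {
    # Return only the entries whose hostname is in the flagged list
    # (-contains is case-insensitive; matching is exact, not suffix-based).
    param([string[]]$Lines, [string[]]$Flagged = $FlaggedDomains)
    Get-HostsEntries -Lines $Lines | Where-Object { $Flagged -contains $_.Hostname }
}

# Constructed sample: a telemetry blocklist plus two unrelated entries.
$SampleHosts = @'
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0 telemetry.microsoft.com watson.telemetry.microsoft.com
0.0.0.0 www.bleepingcomputer.com    # unrelated block, not on the list
0.0.0.0 store.steampowered.com
'@ -split "`r?`n"

$hits = @(Find-FlaggedHostsEntries -Lines $SampleHosts)
"Entries on the flagged list: $($hits.Count)"   # 2 for the sample above
$hits | Format-Table -AutoSize

# Audit the live file instead (run from an elevated prompt):
#   Find-FlaggedHostsEntries -Lines (Get-Content "$env:SystemRoot\System32\drivers\etc\hosts")
#
# If the edits are intentional, exclude only the hosts file from scanning
# rather than allowing the detection wholesale, then confirm the exclusion:
#   Add-MpPreference -ExclusionPath "$env:SystemRoot\System32\drivers\etc\hosts"
#   (Get-MpPreference).ExclusionPath
```

The exclusion carries the same trade-off the article warns about: once the hosts file is excluded, Defender will not flag a malicious edit to it either, so the audit function above is worth re-running after anything touches the file.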

Stopspying

Level 10
This detection of the HOSTS file as a threat was discovered by the same person who broke the news about CCleaner being regarded as a PUP by WD.


I'm more inclined to be suspicious as to the reasons for Microsoft doing this. I can see the reasoning behind keeping things in-house for reasons like restricting the attack surface, but it could lead to a more closed shop/walled garden approach like Apple's. I've long thought that it's good to have outside innovation, helping to avoid things getting stale.
 

SeriousHoax

Level 29
Verified
Malware Tester
This is something Kaspersky and Bitdefender have been doing for a long time now, and maybe even some other AVs, including probably F-Secure.
For Kaspersky, changing the hosts file's permission to "Read-only" after making changes makes Kaspersky stop detecting it, but in the case of Bitdefender, even after setting it to "Read-only" mode, Bitdefender still detects it and changes the hosts file back to its default value.
I just checked WD. If the hosts file is modified after disabling real-time protection, then after re-enabling it, WD doesn't detect any hosts file modifications.
Edit: It did when I tried to open the hosts file again after a system restart. I also put Microsoft telemetry-related hosts in for the test. Btw, I have 3 entries in the hosts file related to Steam which are not detected by WD.

TairikuOkami

Level 28
Verified
Content Creator
About time. Besides, MS support has grown tired of fixing problems with broken connections, Windows updates, Cortana, etc. Merely blocking Location might render the Weather app useless. Not to mention that people who block MS will surely disable WD ASAP. So not an issue at all, at least not for privacy folk.
 

redsworn

Level 4
Verified
Well, even back in the days of 7 and below, the HOSTS file was kind of a double-edged sword. It was frequently abused by malware or dodgy software. AV vendors often put a HOSTS protection feature or something like it in their software because of this.
There are so many options for network filtering/blocking nowadays. Modifying the HOSTS file should be your last option, if you don't just avoid it completely.
 

upnorth

Moderator
Verified
Staff member
Malware Hunter
Modifying and redirecting hosts file entries is a common tactic used by malware to silently send users to an unwanted website. Often, this is used to expose the user's machine to web-based attacks, as well as exposing the user to unsolicited and/or malicious content.

In other cases, the modification is made to prevent the user from accessing certain sites, such as operating system or security software vendors.

Intentionally modified hosts file
Under certain circumstances, hosts files may be manually modified by system administrators or developers in the course of their work.

Such intentional modifications will still trigger the 'redirected hosts file' detection. In such cases, to preserve the modification, the user should exclude the hosts file from scanning once the product detects the change.
 

SeriousHoax

Level 29
Verified
Malware Tester
Looks like only Microsoft-related domains are detected. Whatever else you put there, and however many domains, doesn't matter. Not a peep from WD. So it's a half-baked implementation from Microsoft, not even half tbh. Malware would still be able to party on the hosts file as long as it doesn't put in anything but Microsoft-related domains. This is nothing to be impressed about.