Microsoft Security Essentials

Question

MSE Alters Custom HOSTS Files

I have heard elsewhere that MSE alters and/or shreds custom HOSTS Files.
As this one:
http://www.mvps.org/winhelp2002/hosts.htm 

Can anyone from MS confirm or deny this, please.

siljaline MS MVP Alumni

Hi Randy,

I am not from Microsoft, but I can confirm that MSE "cleans" custom HOSTS files.  Please see this thread:
http://social.answers.microsoft.com/Forums/en-US/msestart/thread/adcc0736-af36-4e4d-a892-bf1950e4b391

When this "threat" warning is displayed, just allow it and you will not be bothered again.

Paul
Trader2100

Hasn't happened here (WinXP SP3) during a Quick Scan or Full Scan.

My hosts file has not been put in the Excluded Files list...but it does have a Read Only attribute. <VBEG>
~Robear Dyer (PA Bear); MS MVP (IE, Mail, Security, Windows & Update Services) since 2002; Disclaimer: I neither represent nor work for Microsoft

PA Bear MS MVP

~Robear Dyer (PA Bear)
MS MVP-Windows Client (IE, Mail, Security & Update Services) since 2002


I stand corrected.  Looks like this problem has been fixed, and my HOSTS file does not have a read only attribute.

Trader2100

The operative here, Trader, is excluded regardless of file attribute. Hiding your HOSTS file doesn't accomplish much.
Real malware will see it all the same.

Should MSE be set to ignore HOSTS file scanning, so be it.   
siljaline MS MVP Alumni

Answer

Just to be clear, my HOSTS file is not hidden or read only.  It is no longer excluded or ignored by MSE, which is a very good thing.  I may run further tests if I can find a really "infected" HOSTS file.

Sure would be nice to know if MSE is still monitoring the HOSTS file or if this feature has been removed completely.

EDIT:  I found an infected HOSTS file in this thread:
http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/421249-suspicious-entries-google-name-hosts-file-google-will-not-load.html

MSE detects and cleans this HOSTS file.  Good job!

Hasn't happened here (WinXP SP3) during a Quick Scan or Full Scan.

My hosts file has not been put in the Excluded Files list...but it does have a Read Only attribute. <VBEG>
~Robear Dyer (PA Bear); MS MVP (IE, Mail, Security, Windows & Update Services) since 2002; Disclaimer: I neither represent nor work for Microsoft

It's BAAAAACK!  MSE with definitions 1.69.357.0 just "cleaned" (removed) the following HOSTS file entries:
127.0.0.1  ad.doubleclick.net
127.0.0.1  dl.360safe.com
127.0.0.1  www.google-analytics.com
127.0.0.1  ad-flow.com
127.0.0.1  adhostcenter.com
127.0.0.1  adtrade.net
127.0.0.1  advertising.com
127.0.0.1  atdmt.com
127.0.0.1  commission-junction.com
127.0.0.1  doubleclick.com
127.0.0.1  doubleclick.net
127.0.0.1  engine.awaps.net
127.0.0.1  fastclick.com
127.0.0.1  fastclick.net
127.0.0.1  js.users.51.la
127.0.0.1  popuptraffic.com

Can anyone else confirm this?

Trader2100

Quick scan run ~4 hours ago didn't touch my hosts file.

WinXP SP3
MSE v1.1611.0
Engine v1.1.5202.0
Defs v1.69.374.0

PA Bear MS MVP

~Robear Dyer (PA Bear)
MS MVP-Windows Client (IE, Mail, Security & Update Services) since 2002


Quick scan run ~4 hours ago didn't touch my hosts file.

WinXP SP3
MSE v1.1611.0
Engine v1.1.5202.0
Defs v1.69.374.0

Hello PA Bear,

Thanks for the quick reply.  It seems that if the HOSTS file is sufficiently large, the problem does not occur.  If you could, please create a HOSTS file in any directory with the following entries and scan it:
127.0.0.1  localhost
127.0.0.1  ad.doubleclick.net
127.0.0.1  dl.360safe.com
127.0.0.1  www.google-analytics.com
127.0.0.1  ad-flow.com
127.0.0.1  adhostcenter.com
127.0.0.1  adtrade.net
127.0.0.1  advertising.com
127.0.0.1  atdmt.com
127.0.0.1  commission-junction.com
127.0.0.1  doubleclick.com
127.0.0.1  doubleclick.net
127.0.0.1  engine.awaps.net
127.0.0.1  fastclick.com
127.0.0.1  fastclick.net
127.0.0.1  js.users.51.la
127.0.0.1  popuptraffic.com

TIA

Trader2100

All of those entries were already in my custom hosts file when I ran my last scan.
~Robear Dyer (PA Bear) ~ MS MVP (IE, Mail, Security, Windows & Update Services) since 2002 ~ Disclaimer: MS MVPs neither represent nor work for Microsoft

PA Bear MS MVP

~Robear Dyer (PA Bear)
MS MVP-Windows Client (IE, Mail, Security & Update Services) since 2002


How large is your custom hosts file?

The SettingsModifier:Win32/PossibleHostsFileHijack was updated on 27 October:
http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=SettingsModifier%3aWin32%2fPossibleHostsFileHijack

I'm guessing that's when the problem returned.

Trader2100