SettingsModifier:Win32/HostsFileHijack

Hello, I'm getting a serious "potentially unwanted" message. I have the current Windows 10 2004 (1904.388) and only Defender as permanent protection.
How is this to be evaluated, since nothing has changed in my hosts file, I know that.
Or is this a false positive message?

A second check with AdwCleaner, Malwarebytes or SUPERAntiSpyware shows no infection.

Greetings

message:

...

Erkannt: SettingsModifier:Win32/HostsFileHijack

...

Details: Das Verhalten dieses Programms ist potenziell unerwünscht.

file: C:\Windows\System32\drivers\etc\HOSTS

Answer

Since you're null routing Microsoft.com and other reputable websites into a black hole, Microsoft would obviously see this as potentially unwanted activity, so of course they detect these as PUA (not necessarily malicious, but undesired) activity, related to a Hosts File Hijack.

That you've decided it's something you wish to do is basically irrelevant.

As I clearly explained in my first post, the change to perform the PUA detections was enabled by default with the release of Windows 10 Version 2004, so that's the entire reason for your sudden issue.  Nothing is wrong except that you don't prefer to operate Windows in the manner that the developer Microsoft intended.

However, since your wish is to retain these unsupported modifications in the Hosts file, despite the fact they'll clearly break many of the Windows functions those sites are designed to support, you'd likely be better off to revert the PUA detection portion of Windows Defender to disabled as it used to be in previous versions of Windows.

Since GlenProuty is one of the most knowledgeable here regarding those once optional PUA detections and their management, perhaps he can aid you in disabling these in order to allow the abuse of the Hosts file without the typical ramifications this will cause.

Rob

2 people found this reply helpful


Answer

Glen, what he's doing is simple and well known, null routing the domain names of sites he doesn't wish to allow this specific PC to access into one of the commonly known black hole IP addresses of either 0.0.0.0 or the more commonly used loopback IP address of 127.0.0.1 often used by so-called "security" apps of the distant past.

Microsoft hadn't wanted to support these abuses of the Hosts file for some time, but begrudgingly allowed them and fixed a performance issue about a decade ago.  However, I suspect their acceptance of this abuse has diminished over time, as more supportable techniques have been developed and the valid reasons for using these unsupported techniques have waned.

Nothing complex about this at all, just not something most other than a handful of old techies ever knew about or cared to use.

I dropped this along with one of the early anti-spyware products that used it well over a decade ago even before the issues Microsoft had with it at some point after a major update in the Vista to early Windows 7 era as I recall.

Rob

2 people found this reply helpful
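
To evaluate a detection like the one in this thread, it helps to list which hosts entries are null routed to 0.0.0.0 or 127.0.0.1 and which of those touch microsoft.com. The following is an added example, not part of the thread and not Defender's detection logic; the watch list `WATCHED_SUFFIXES`, the `BENIGN` set and the sample file are assumptions constructed for illustration.

```python
import ipaddress

# The two "black hole" targets named in the thread.
SINKHOLES = {ipaddress.ip_address("0.0.0.0"), ipaddress.ip_address("127.0.0.1")}
# Hypothetical watch list; the thread only names microsoft.com. Extend as needed.
WATCHED_SUFFIXES = ("microsoft.com",)
# Names that normally map to loopback and are not blocks (assumption).
BENIGN = {"localhost", "localhost.localdomain"}

def parse_hosts(text):
    """Yield (line_no, address, hostname) for every mapping in a hosts file."""
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # strip comments and whitespace
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an IP address: skip the malformed line
        for name in fields[1:]:  # one address may carry several names
            yield no, addr, name.lower().rstrip(".")

def audit(text):
    """Return null-routed entries, split into watched domains and the rest."""
    report = {"watched": [], "other": []}
    for no, addr, name in parse_hosts(text):
        if addr not in SINKHOLES or name in BENIGN:
            continue
        # Match the domain itself or a true subdomain, not a look-alike suffix.
        hit = any(name == s or name.endswith("." + s) for s in WATCHED_SUFFIXES)
        report["watched" if hit else "other"].append((no, str(addr), name))
    return report

# Constructed sample, not the poster's real hosts file.
SAMPLE = """\
# constructed sample
127.0.0.1       localhost
0.0.0.0 www.microsoft.com telemetry.example.net  # two names on one line
127.0.0.1 ads.example.org
10.0.0.5 fileserver.lan
0.0.0.0 notmicrosoft.com
"""

if __name__ == "__main__":
    for kind, rows in audit(SAMPLE).items():
        for no, addr, name in rows:
            print(f"{kind:8} line {no}: {name} -> {addr}")
```

On a real system, pass the contents of `C:\Windows\System32\drivers\etc\HOSTS` to `audit()` instead of `SAMPLE`.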


 
 

Question Info


Last updated November 28, 2020 Views 5,187 Applies to: