Wednesday, 5 August 2020

Blocking MS Telemetry in HOSTS File Now Triggers Windows Defender Virus Warning

A recent change to Microsoft Windows’ built-in anti-virus scanner, Windows Defender, has left the OS throwing false positives related to the HOSTS file. The hosts file can be used to translate URL names like “www.google.com” to a specific IP address and originated in the very early internet, at a time when maintaining an individually-curated list of valid host addresses wasn’t difficult to do on a per-node basis.

The hosts file can be used to block malware and spyware sites but it does so globally and it makes no attempt to meaningfully assess if a web address is actually serving malware or unwanted content. It’s a go / no go filter, and websites on the “no go” side of things aren’t getting accessed.

I’ve used hosts file blocking before as part of my own AV protections and I can confirm that while you can download any number of modified hosts files from the internet, you typically have to customize it further to avoid blocking content that you want to see. Blocking certain sites will prevent auto-play videos from activating, but it will also prevent you from seeing video you genuinely want to watch delivered over the same services. Although the hosts file is not a common malware target, it has been used as part of malware attacks in the past, typically to deny the end user the ability to visit security sites. While there are no recent examples of hosts files being abused in this fashion of which I’m aware, it has happened in the past.

Multiple online sources state Microsoft has modified Windows Defender so that it specifically checks to see if a hosts file has been updated to block Microsoft’s telemetry servers. What’s a little strange about this is that the OS has apparently performed some level of checking for quite some time, as evidenced by this Windows 8 story recommending that users exclude the hosts file from virus scans if they are going to modify it. The problem appears to have gotten worse or resurfaced only recently, but it was a known issue from four years ago.

According to BleepingComputer, they edited their own hosts file in multiple ways without provoking an outcry from Windows Defender before attempting to block MS’ telemetry servers. When they did, the hosts file actually refused to save, claiming they were infected with SettingsModifier:Win32/HostsFileHijack:

File by BleepingComputer. Hosts files are .TXT files and cannot contain a virus as these are traditionally defined.

While you can exclude the hosts file from being scanned, this would seem to confirm that Microsoft now specifically checks to see if you’re trying to block its telemetry servers — even though it also bypasses the hosts file and communicates directly with IP addresses for telemetry purposes. The fact that Windows data collection doesn’t depend exclusively on the telemetry servers you can block in the hosts file means that MS might have tuned Windows Defender in an attempt to prevent malware from infecting a system in this manner as opposed to deliberately attempting to prevent end-users from manually blocking telemetry collection.

Unfortunately, telling a system simply not to scan the hosts file isn’t a foolproof solution, either. In this instance, you can stop MS from yelling at you — but in exchange, you won’t know if another application has modified your hosts file, either. Ideally, the OS would note that the hosts file had changed and ask the end-user if the change was intentional rather than force the end-user to choose between protecting themselves from malware in this fashion or not.

The reason I’m not sure this is a move intended to boost Microsoft’s data collection is simple: Microsoft’s telemetry collection isn’t blocked by hosts file alterations, so it’s not clear they’d modify how they treat the hosts file to make data collection easier. Most antivirus / antimalware guides don’t specifically recommend a hosts-file based approach, because endless lists of websites are a poor way to try to block malware and because it’s downright common to end up customizing your list to avoid blocking sites you want to be able to access.

Either way, you should be aware that you may see malware detections in days ahead that don’t actually signify a malware infection. If you have manually modified your hosts file on-purpose, you should check to make certain the data hasn’t changed. If it has, tell Windows Defender to exclude scanning the hosts file in the future. Instructions on blocking telemetry collection entirely can be found here. It requires more than just modifying the hosts file.

Now Read:



No comments:

Post a Comment