Defender flags Windows Hosts file as malicious – Part 2

[German]It looks like the Windows Defender has run amok again and considers the Windows hosts file as malicious and complains about it as HostFileHijack. I've had now a few confirmation from other users.

I had only published the blog post Windows Defender flags CCleaner as PUP – Part 1 a few days ago – and I've planned the 2nd article for the next day – but it has been delayed.

A reader comment

It was a reader's comment from Blog Reader Info here in the comments section that gave me the idea for this article – maybe there are other people who have noticed this. The reader wrote somewhat cryptically:

[WINDOWS SECURITY]
What took you so long?

Since 28.07.2020 the W10 Defender(quick check) only recognizes the "C:\Windows\System32\drivers\etc\hosts" as "HostFileHijack".

Very old hat with other av programs

Antimalware-Clientversion: 4.18.2006.10
Modulversion: 1.1.17300.4
Antiviren-Version: 1.321.144.0
Antispyware-Version: 1.321.144.0

and added the following as a supplement.

Someone has probably only now noticed that

Statistik
Telemetrie
Bing…

of certain clients is no longer arriving reliably…

I con't have an idea what the last remark means- but I published the translated text into the post here as I sporadically delete old comments in the discussion area of the German blog.

Findings in the Internet

At this place I searched the internet a few days ago and found this few days old thread on reddit.com.  A user noticed the same thing – because he writes:

Wtf am I going to do…

For the first time since building this computer 7 years ago, I somehow got a virus. It was called HostFileHijack or something, Windows defense picked it up but was unable to remove it. I installed Zamena and it detected the virus and was able to remove it, but about 20 minutes later windows detected it again but Zamena didn't detect anything. It's seemingly disappeared from my computer for now but I don't trust it. Should I just go about my business or bite the bullet, back up 400GB of data and format?

So the affected user seems to have a similar problem (although he probably really did have a virus), the Defender reports a HostFileHijack infection, but cannot remove it. After removing it with other AV software a message came up again (although in this case I consider the system as compromised anyway, this would have to be rebuilt, since you never know if all the malware was detected and removed). In the course of the thread, however, ESET security specialist Aryeh Goretsky points out that

C:\Windows\System32\drivers\etc\hosts

is simply a text file. If there is nothing bad in it, it should be a false alarm. It is strange, however, that the Defender is only now complaining about the file – which would be consistent with the reader observations above. But the story is a bit strange.

What is HostFileHijack

With this term you can find it at Microsoft in this article (and here). The Defender detects the malware SettingsModifier:Win32/PossibleHostsFileHijack, a program that makes changes to the hosts file on a Windows system. Microsoft writes:

The Hosts file is used by your web browser to find out where to redirect certain IP address calls. Malicious or unwanted software can modify this file to prevent users and applications from accessing certain websites. Or the malware may force you to visit other websites instead.

Microsoft's advice: If you changed the Hosts file yourself, you must exclude it from detection by your antivirus software. Well, and this is now a problem: If I have made changes, with this exception, I disable Defender with regard to monitoring the hosts file. If malware strikes and manipulates this file, Defender is blind. In this case it would be better if there was a hash in Defender that excludes a certain version of the hosts from a check. If the hash value changes, the hosts have been changed, so the alert should be raised again.

There is this article from 2016, which also addresses this and recommends to define the hosts from exception in Defender, if you have made changes yourself. Otherwise you would get the Defender alerts.  But even there it is not recognized that with the definition of the exceptions the Defender is blind and does not recognize a malicious manipulation.

Feedback of a user

Addendum: By e-mail, blog reader Rolf (thanks for that) sent me the following information:

the problem with the Defender and the host file SettingsModifier:Win32/PossibleHostsFileHijack
exists since 28.7.2020.

I have helped myself in the following way: Disabled detection by Defender and made the host file read-only.

Anyone of you who affected? I hadn't heard of this behavior before. Addendum: After a discussion with me Lawrence Abrams took also a look at that topic and published some additional information on Bleeping Computer.

Similar article:
Windows Defender flags CCleaner as PUP – Part 1
Defender flags Windows Hosts file as malicious – Part 2
Defender blocks redirected Microsoft hosts entries – Part 3
Microsoft Defender Antimalware Platform: June 2020 Update KB4052623 drops Error 0x8024200B
SCEP/MSE/Defender: Broken Signatureupdate kills Microsoft Antivirus (04/16/2020)
Defender mis-classified Winaero Tweaker as a hacker tool