Microsoft has begun to block redirects in the Windows native hosts file that affect Microsoft sites in its antivirus products such as Microsoft Defender. The redirects are flagged as malicious (as HostFileHijack). I already mentioned that in part 2 of the article series – but now I get a more complete picture.
The hosts file in Windows
In Windows there is the hosts file, a simple text file stored at the following path.
C:\Windows\System32\drivers\etc\hosts
Windows allows administrators to easily set up redirections from host names to IP addresses via the hosts file. Some users use entries in the hosts file to redirect the Microsoft host names to which telemetry data is transmitted to the local IP address 127.0.0.0. The Microsoft server in question can then no longer be reached.
Microsoft says no, and puts a stop to it
This approach is now likely to be stopped by Microsoft on systems running Windows Defender (or any other Microsoft antivirus solution). I had reported in the blog post Windows Defender flags Windows Hosts file as malicious – Part 2 that Microsoft Defender suddenly considers a modified native Windows hosts file to be malicious and complains that it is a HostFileHijack. This has been happening since July 28, 2020 with the following components:
Antimalware client version: 4.18.2006.10
Engine version: 1.1.17300.4
Antivirus version: 1.321.144.0
Antispyware version: 1.321.144.0
The blog reader who observed this and gave the tip wrote: "Someone has probably only now noticed that statistics, telemetry, Bing… of certain clients no longer arrive reliably." I did not fully understand this last remark at the time, even though blog reader Info had added this comment to part 2. The same applies to the remarks of Mark Heitbrink in his German comment yesterday. I only became aware of the connection afterwards, when the following puzzle pieces fell into place.
Defender blocks redirected Microsoft pages
I spent the night on Twitter with Lawrence Abrams of Bleeping Computer in a private communication on the subject. He had become aware of the issue through the English language version of my post. So he took another look at the whole thing, tested it and came across some connections. Lawrence has now published some additional information on Bleeping Computer.
After learning about this today from @etguenni, BleepingComputer performed some tests to see if this was a false positive or something else triggering the detections.
— BleepingComputer (@BleepinComputer) August 3, 2020
The above tweet already summarizes the situation. If the Microsoft virus scanner detects a manipulation of the hosts file and you allow Microsoft Defender to delete the file, its content is reset to the default settings. Lawrence Abrams then tested my hint that some users use the hosts file to block Microsoft URLs.
Now when you try to add a Microsoft privacy HOSTS file, Windows Defender will not allow you to save the file as it "contains a virus or potentially unwanted software." pic.twitter.com/RWrjjBSWEY
— BleepingComputer (@BleepinComputer) August 3, 2020
The above tweet then provides the decisive insight. If an administrator attempts to block Microsoft websites via the hosts file, Defender blocks the change and reports a security risk. Saving the changes is rejected in the editor with an error message.
(Error message when saving the hosts file, source: Bleeping Computer)
The message indicates that the file contains a virus or potentially unwanted software – even though hosts is a plain text file. In any case, the changes cannot be saved. Lawrence Abrams has found the following Microsoft sites, among others, which are not allowed to be entered into the hosts file.
www.microsoft.com
microsoft.com
telemetry.microsoft.com
wns.notify.windows.com.akadns.net
v10-win.vortex.data.microsoft.com.akadns.net
us.vortex-win.data.microsoft.com
us-v10.events.data.microsoft.com
urs.microsoft.com.nsatc.net
watson.telemetry.microsoft.com
watson.ppe.telemetry.microsoft.com
vsgallery.com
watson.live.com
watson.microsoft.com
telemetry.remoteapp.windowsazure.com
telemetry.urs.microsoft.com
Adding any of these causes Defender to sound the alarm and prevent the file from being saved. Users who wish to keep these URLs in the hosts file must then define the file in Defender as an exception and exclude it from scanning (see also Part 2). In that case, however, Defender no longer monitors the hosts file for malware manipulation at all. And that's the missing piece of the puzzle from the user note above. Microsoft is taking targeted action against blocking certain URLs via the hosts file.
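As an added example (not part of the original post, and not Microsoft's own detection logic), the following Python script parses a hosts file the way an administrator might audit their own system: it reports every entry that sends one of the host names listed above to a loopback or unspecified address, which is exactly the kind of entry Defender now flags as HostFileHijack. The sample hosts content is constructed for the demonstration; the script also matches subdomains of a listed name by suffix, which is an assumption of this script and not a documented Defender rule.

```python
import ipaddress
from typing import List, NamedTuple

# Host names the article reports as triggering Defender's HostFileHijack
# detection when they are redirected via the hosts file.
WATCHED_HOSTS = {
    "www.microsoft.com", "microsoft.com", "telemetry.microsoft.com",
    "wns.notify.windows.com.akadns.net",
    "v10-win.vortex.data.microsoft.com.akadns.net",
    "us.vortex-win.data.microsoft.com", "us-v10.events.data.microsoft.com",
    "urs.microsoft.com.nsatc.net", "watson.telemetry.microsoft.com",
    "watson.ppe.telemetry.microsoft.com", "vsgallery.com", "watson.live.com",
    "watson.microsoft.com", "telemetry.remoteapp.windowsazure.com",
    "telemetry.urs.microsoft.com",
}


class HostsEntry(NamedTuple):
    line_no: int
    ip: str
    hostname: str


class Finding(NamedTuple):
    entry: HostsEntry
    reason: str


def parse_hosts(text: str) -> List[HostsEntry]:
    """Parse hosts-file text into (line, ip, hostname) entries.

    Handles blank lines, full-line and inline '#' comments, tabs, and
    several host names on one line. Lines whose first field is not an
    IP address are skipped rather than raising.
    """
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                            # malformed line, ignore it
        for name in fields[1:]:
            entries.append(HostsEntry(line_no, str(ip), name.lower().rstrip(".")))
    return entries


def is_sinkhole(ip_text: str) -> bool:
    """True when the target cannot reach a real server: loopback
    (127.0.0.0/8 or ::1) or the unspecified address (0.0.0.0 or ::)."""
    ip = ipaddress.ip_address(ip_text)
    return ip.is_loopback or ip.is_unspecified


def audit_hosts(text: str) -> List[Finding]:
    """Flag entries that send a watched Microsoft host name to a sinkhole.

    A name matches if it is in WATCHED_HOSTS or is a subdomain of one
    (suffix matching is this script's assumption, not Defender's rule).
    """
    findings = []
    for entry in parse_hosts(text):
        watched = entry.hostname in WATCHED_HOSTS or any(
            entry.hostname.endswith("." + w) for w in WATCHED_HOSTS)
        if watched and is_sinkhole(entry.ip):
            findings.append(Finding(entry, f"{entry.hostname} -> {entry.ip}"))
    return findings


# Constructed sample hosts content for the demonstration, not from a real system.
SAMPLE_HOSTS = """\
# sample hosts file (constructed)
127.0.0.1       localhost
::1             localhost
0.0.0.0         telemetry.microsoft.com   # telemetry block
127.0.0.1   watson.telemetry.microsoft.com watson.microsoft.com
192.168.1.10    intranet.example.test
127.0.0.1       ads.example.test
"""

if __name__ == "__main__":
    # On a real Windows box, read C:\Windows\System32\drivers\etc\hosts instead.
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(f"line {finding.entry.line_no}: {finding.reason}")
```

Run against the sample, the script reports three findings (lines 4 and 5) and stays silent about the intranet and ad-blocking entries, because only the combination of a watched Microsoft name and a sinkhole address counts. A check like this is a reasonable compensating control once the hosts file has been excluded from Defender scanning as described above: the exclusion removes Defender's monitoring entirely, so an administrator should verify themselves that the file contains only the redirects they intended.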
Similar articles:
Windows Defender flags CCleaner as PUP – Part 1
Windows Defender flags Windows Hosts file as malicious – Part 2
Defender blocks redirected Microsoft hosts entries – Part 3
Had same Hosts file issues with July updates from MS. After scanning with many antimalware programs (offline also) did not find anything. Win 10 / MS Defender did not like changes to hosts file by either Spybot SD or Safer-Networking anti telemetry tool.
Sooo…switched back to Avira Free after many years. When I lock down the hosts file with Avira, it appears Win 10 (Defender?) still tries to rewrite the hosts file (I get a vaguely worded warning about the hosts file from Avira).
At least with Avira I can control when the hosts file can be revised. Can't do that with MS Defender.
[Prefer this to an unsatisfactory MS solution even though I had to do a custom install of Avira to limit unnecessary components and manually remove extensions in all my browsers and uninstall various Avira components.]