{"id":15251,"date":"2020-08-04T08:23:37","date_gmt":"2020-08-04T06:23:37","guid":{"rendered":"http:\/\/159.69.82.204\/win\/?p=15251"},"modified":"2020-08-04T08:27:11","modified_gmt":"2020-08-04T06:27:11","slug":"defender-blocks-redirected-microsoft-hosts-entries-part-3","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2020\/08\/04\/defender-blocks-redirected-microsoft-hosts-entries-part-3\/","title":{"rendered":"Defender blocks redirected Microsoft hosts entries – Part 3"},"content":{"rendered":"

[English<\/a>]Microsoft has begun to block redirects in the Windows native hosts file that affect Microsoft sites in its antivirus products such as Microsoft Defender. The redirects are flagged as malicious (as HostFileHijack). I already mentioned that in part 2 of the article series – but now I get a more complete picture.<\/p>\n

<\/p>\n

The hosts file in Windows<\/h2>\n

\"\"In Windows there is the hosts file, a simple text file located in the following folder.<\/p>\n

C:\\Windows\\System32\\drivers\\etc\\hosts<\/p>\n

Windows allows administrators to easily set up redirections from host names to IP addresses via the hosts file. Some users use entries in the hosts file to redirect Microsoft network addresses to which telemetry data is transmitted to the local IP address 127.0.0.0. The Microsoft server in question can then no longer be reached.<\/p>\n

Microsoft say no, and puts a stop on it<\/h2>\n

This approach is now likely to be stopped by Microsoft on systems running Windows Defender (or any other Microsoft antivirus solution). I had reported in the blog post Windows Defender flags Windows Hosts file as malicious \u2013 Part 2<\/a> that Microsoft Defender suddenly considers a modified native Windows hosts file to be malicious and complains that it is a HostFileHijack. This has been happening since July 28, 2020 with the following components:<\/p>\n

Antimalware-Clientversion: 4.18.2006.10
\nModulversion: 1.1.17300.4
\nAntiviren-Version: 1.321.144.0
\nAntispyware-Version: 1.321.144.0<\/p>\n

The blog reader who observed this and gave a tip wrote: \"Someone has probably only now noticed that statistics, telemetry, Bing… of certain clients no longer arrive reliably<\/em>.\" The last information was not quite comprehensible for me, even though Blog-reader Info has added this comment in part 2. The same applies to the remarks of Mark Heitbrink in his German comment<\/a> yesterday. I only became aware of this afterwards, when the following puzzle pieces fell into the picture.<\/p>\n

Defender blocks redirected Microsoft pages<\/h2>\n

I spent the night on Twitter with Lawrence Abrams of Bleeping Computer in a private communication on the subject. He had become aware of the issue through the English language version of my post. So he took another look at the whole thing, tested it and came across some connections. Lawrence has now published some additional information on Bleeping Computer<\/a>.<\/p>\n

\n

After learning about this today from @etguenni<\/a>, BleepingComputer performed some tests to see if this was a false positive or something else triggering the detections.<\/p>\n

\u2014 BleepingComputer (@BleepinComputer) August 3, 2020<\/a><\/p><\/blockquote>\n