In association with heise online

21 August 2012, 09:57

Microsoft's security software modifies HOSTS file

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

Windows 8 icon Windows 8, set for release on 26 October, automatically deletes entries in the HOSTS file for specific domains. Try, for example, to prevent attempts to access, or ad servers such as by rerouting them to by adding entries to the HOSTS file and the relevant entries will soon disappear from the HOSTS file as if by magic, leaving nothing but an empty line. The effect does not occur for other domains, such as The H's sister site, however.

The agent behind this phenomenon turns out to be the Windows Defender security program, which is preinstalled and enabled by default on new installations of Windows. The cause quickly becomes clear on inspecting Defender's history, accessed from the start menu by entering "Defender" and clicking on the history tab. Defender is convinced it's uncovered a potentially malicious modification of the HOSTS file and thus records 'SettingsModifier:Win32/PossibleHostsFileHijack'. Microsoft Security Essentials (MSE) in older versions of Windows also takes care to reset entries for these domains. This is not particularly surprising, since Windows Defender in Windows 8 is essentially just a rebranded version of MSE.

w8 hosts cropped
Zoom Windows 8 will soon delete HOSTS entries for Doubleclick, Facebook and Twitter;, on the other hand, will be allowed to remain
Malware will in fact often create such erroneous entries in the HOSTS file in order to divert users to alternative servers when they attempt to access sites such as These servers may play host to phishing sites that send user data entered on them to internet fraudsters. The removal of entries for ad servers, which many users utilise as a simple but effective ad blocker, may be down to the fact that malware also makes use of the HOSTS file to divert queries from legitimate advertising servers to their own servers. This enables fraudsters to display their own malicious ads on third-party web sites.

Users who resent being wrapped in cotton-wool like this and wish to continue to use the HOSTS file for the affected domains can add their HOSTS file (c:\windows\system32\drivers\etc\hosts) to MSE's or Windows Defender's exceptions list. The relevant setting can be found under "Settings, Excluded files and locations". Of course this also mean that the anti-virus program will no longer detect any malicious modifications to the HOSTS file.


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit