Windows Defender: False alarm triggered by hosts file
Since Monday evening, Microsoft's Windows Defender spyware detection software has mistakenly raised the Win32/PossibleHostsFileHijack alarm on some clean PCs. According to Microsoft, the error is caused by a flawed signature deployed via automatic update on Monday. Another signature update has now been issued to solve the problem.
In our German partners' editorial offices, the erroneous behaviour has so far only affected a few Windows Vista systems. The exact conditions that trigger the false alarm are still unclear. According to Microsoft, the problem is caused by the hosts file. Windows uses this file for static name resolution between computer names and IP addresses, and many malware samples target it to manipulate network traffic.
Users are advised to ignore the warning and update the signature database of Windows Defender via the Windows Update feature. Those who have put the alleged intruder into quarantine, or even deleted it, should use the Notepad text editor to at least create a minimal hosts file consisting of the following two lines:
This file needs to be saved as C:\Windows\system32\drivers\etc\hosts (Windows XP and Vista) or C:\WINNT\system32\drivers\etc\hosts (Windows 2000) to ensure uninterrupted network traffic.
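To judge whether a hosts file alarm points at a real change, the file's entries can be reviewed directly. The following is an added example, not code from this article or from Microsoft, and it does not reproduce Windows Defender's detection logic: the finding categories (`redirect`, `blocked`, `localhost-remapped`, `malformed`) and the sample file content are assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample hosts content (reserved test names and addresses only).
SAMPLE_HOSTS = """\
# Sample hosts file (constructed)
127.0.0.1       localhost
::1             localhost
203.0.113.10    www.example-bank.test login.example-bank.test  # redirect
0.0.0.0         update.example-av.test
not-an-ip       broken.example.test
"""

def parse_hosts(text):
    """Yield (line_no, address_field, [names]) for every non-comment line."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if line:
            fields = line.split()
            yield line_no, fields[0], fields[1:]

def audit_hosts(text):
    """Return (line_no, kind, subject) for every entry that is not the plain
    localhost-to-loopback mapping (categories are this example's own)."""
    findings = []
    for line_no, addr_field, names in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(addr_field)
        except ValueError:
            findings.append((line_no, "malformed", addr_field))
            continue
        local = addr.is_loopback or addr.is_unspecified
        for name in names:
            if name.lower() == "localhost":
                if not addr.is_loopback:
                    findings.append((line_no, "localhost-remapped", name))
            elif local:
                # Name pinned to loopback/0.0.0.0: traffic to it is blocked.
                findings.append((line_no, "blocked", name))
            else:
                # Name pinned to another address: traffic is sent elsewhere.
                findings.append((line_no, "redirect", name))
    return findings

if __name__ == "__main__":
    for line_no, kind, subject in audit_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {kind}: {subject}")
```

An empty result means the file contains nothing beyond localhost mappings; any `redirect` or `blocked` entry should be traceable to a deliberate administrative change.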