
Starting at the end of July, Microsoft has begun detecting HOSTS files that block Windows 10 telemetry servers as a 'Severe' security risk.
The HOSTS file is a text file located at C:\Windows\System32\drivers\etc\hosts and can only be edited by a program with Administrator privileges.
This file is used to resolve hostnames to IP addresses without using the Domain Name System (DNS).
This file is commonly used to block a computer from accessing a remote site by assigning the hostname to the 127.0.0.1 or 0.0.0.0 IP address.
For example, if you add the following line to the Windows HOSTS file, it will block users from accessing www.google.com as your browsers will think you are trying to connect to 127.0.0.1, which is the local computer.
127.0.0.1 www.google.com
Microsoft now detects HOSTS files that block Windows telemetry
Since the end of July, Windows 10 users began reporting that Windows Defender had started detecting modified HOSTS files as a 'SettingsModifier:Win32/HostsFileHijack' threat.
When detected, if a user clicks on the 'See details' option, they will simply be shown that they are affected by a 'Settings Modifier' threat and that it has 'potentially unwanted behavior,' as shown below.

BleepingComputer first learned about this issue from BornCity, and while Microsoft Defender detecting HOSTS hijacks is not new, it was strange to see so many people suddenly reporting the detection [1, 2, 3, 4, 5].
While a widespread infection hitting many consumers simultaneously in the past is not unheard of, it is quite unusual with the security built into Windows 10 today.
This led me to believe it was a false positive or some other non-malicious issue.
After playing with generic HOSTS file modifications such as blocking BleepingComputer and other sites, I tried adding a blocklist for Microsoft's telemetry to my HOSTS file.
This list adds many Microsoft servers used by the Windows operating system and Microsoft software to send telemetry and user data back to Microsoft.
As soon as I saved the HOSTS file, I received the following alert stating that I could not save the file as it "contains a virus or potentially unwanted software." I also received alerts that my computer was infected with 'SettingsModifier:Win32/HostsFileHijack.'

So it seems that Microsoft had recently updated their Microsoft Defender definitions to detect when their servers were added to the HOSTS file.
As a result, users who use HOSTS files to block Windows 10 telemetry suddenly started seeing the HOSTS file hijack detection.
In our tests, some of the Microsoft hosts detected in the Windows 10 HOSTS file include the following:
www.microsoft.com
microsoft.com
telemetry.microsoft.com
wns.notify.windows.com.akadns.net
v10-win.vortex.data.microsoft.com.akadns.net
us.vortex-win.data.microsoft.com
us-v10.events.data.microsoft.com
urs.microsoft.com.nsatc.net
watson.telemetry.microsoft.com
watson.ppe.telemetry.microsoft.com
vsgallery.com
watson.live.com
watson.microsoft.com
telemetry.remoteapp.windowsazure.com
telemetry.urs.microsoft.com
If you decide to clean this threat, Microsoft will restore the HOSTS file back to its default contents.
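As an added illustration (not code from the original article), a small Python audit that parses a hosts file the way the article describes it and flags entries for a watchlist built from the Microsoft domains listed above. It separates loopback/null-route "sinkhole" entries (the telemetry-blocking case) from entries that point a watched domain at an outside address (the hijack case the detection exists for); the watchlist subset and the sample hosts content are constructed for the example.

```python
import ipaddress
from typing import NamedTuple

# Watchlist from domains the article reports as detected (a subset); matched by
# exact name or parent-domain suffix, which is a deliberate broadening.
WATCHED_DOMAINS = ("microsoft.com", "watson.live.com", "wns.notify.windows.com.akadns.net")
class HostsEntry(NamedTuple):
    line_no: int
    ip: str
    hostname: str
    kind: str  # "sinkhole" = loopback/unspecified address, "redirect" = anything else

def is_watched(hostname: str) -> bool:
    h = hostname.lower()
    return any(h == d or h.endswith("." + d) for d in WATCHED_DOMAINS)

def parse_hosts(text: str) -> list:
    """Parse hosts text: '<ip> <host> [<alias>...]'; '#' starts a comment."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # unparsable address: the resolver skips the line, so do we
        kind = "sinkhole" if addr.is_loopback or addr.is_unspecified else "redirect"
        entries.extend(HostsEntry(n, str(addr), h.lower(), kind) for h in fields[1:])
    return entries

def audit_hosts(text: str) -> dict:
    """Watched-domain entries by kind: sinkholes block telemetry as in the article;
    redirects divert a watched domain to an outside address (the hijack case)."""
    report = {"sinkhole": [], "redirect": []}
    for e in parse_hosts(text):
        if is_watched(e.hostname):
            report[e.kind].append(e)
    return report
# Constructed sample input, not a real hosts file.
SAMPLE_HOSTS = """\
127.0.0.1     localhost
0.0.0.0       telemetry.microsoft.com
0.0.0.0       watson.telemetry.microsoft.com   # typical blocklist entry
127.0.0.1     www.bleepingcomputer.com
203.0.113.5   www.microsoft.com                # points to a non-local address
::1           us-v10.events.data.microsoft.com
not-an-ip     microsoft.com
"""
```

Running audit_hosts(SAMPLE_HOSTS) reports three sinkhole entries and one redirect (line 5), while the malformed last line is skipped exactly as the resolver would skip it.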

Users who intentionally modify their HOSTS file can allow this 'threat,' but it may enable all HOSTS modifications, even malicious ones, going forward.
So only allow the threat if you 100% understand the risks involved in doing so.
BleepingComputer has reached out to Microsoft with questions regarding this new detection.

Comments
doncoyote - 1 year ago
O&O ShutUp10 FTW.
JohnC_21 - 1 year ago
"O&O ShutUp10 FTW."
This is what I use. Welcome to Windows as a service.
KimBaker - 1 year ago
Welcome to possible Windows 10 breakage.
JohnC_21 - 1 year ago
I've used Shut Up for months without an issue. If there is breakage, I've got a disk image backup. :-)
d-reaper - 1 year ago
Doing all that stuff just doesn't seem worth it to make 10 work the way I want it to. This is why I went to Linux.
DoNotLeachOffMe - 1 year ago
Thanks for this
I have added most of those links to my Hosts file & using a proper Antivirus.
Let's see what happens.
MolassesMan - 1 year ago
Telemetry cannot be blocked in the host file, you need to just disable the service or use the firewall. Also, not sure what you mean by "proper": Windows Defender has a higher detection rate than most AVs out there, doesn't consume as many resources and is recommended by all the people on the security forum of this site.
KimBaker - 1 year ago
https://www.zdnet.com/article/when-it-comes-to-windows-10-privacy-dont-trust-amateur-analysts/
I don't think their reason is about telemetry. They can easily bypass hosts for their own addresses.
I think enforcing integrity of hosts file is a legitimate security concern. Malware can insert malicious diversions, imagine most important banking IP addresses getting directed towards phishing addresses because of a compromised hosts file.
Though in fairness, Microsoft could have just ignored 0.0.0.0 and 127.0.0.1 and only blocked outside IP addresses
Lawrence Abrams - 1 year ago
Not sure what the article reference is meant for, but as I stated in the article, HOSTS file modification detection is not new and is an important security feature.
What is new is the detection of their servers.
d-reaper - 1 year ago
That's really something... That they are going to those extremes just to mine for people's data. For me, that would be too much to take if I couldn't mod the hosts file to re-route the requested domains I want to block.
I think I now count my lucky stars that I moved over to Linux (Specifically KDE Neon) back in 2016 when Windows 8 was being pushed onto people. I have no regrets on that decision. If I ever need Windows 7, as I won't use 10 if I don't need to, I'll just run 7 in a VM with PCI passthrough and a second GPU; with a separate virtual network so that the VM can only communicate with my host and have no access to the internet. And that's about it. But I basically never use Windows now.
Microsoft seems to have adopted a Nazi-like behavior with their end users. They've literally locked down everything from re-installing unwanted crapware and changing default applications on people after every update. And people are supposed to work with this? It's like as if Microsoft is in the business of writing malware themselves...
It's just mind boggling to me.
iamdoubz - 1 year ago
I like to use PiHole using this GitHub list: https://github.com/crazy-max/WindowsSpyBlocker/blob/master/data/hosts/spy.txt
d-reaper - 1 year ago
Me too. It works great to filter out all the crap on the internet. I'll add this since my bro uses Win 10.
redwolfe_98 - 1 year ago
I think bleepingcomputer made a mistake in their testing in this case by blocking access to "microsoft.com." It's not surprising that such a HOSTS file would be flagged.
WD does not flag my HOSTS file though it is flagged by kaspersky's and eset's av-programs.
Lawrence Abrams - 1 year ago
Mistake? Was just checking to see what domains were being detected.
d-reaper - 1 year ago
So, Lawrence. Do you think that M$ is in the business of writing malware for their end users? Seeing as they are trying so hard to make sure you don't block their telemetry domains? With what M$ is doing these days, it's almost like a malware approach to me.
Lawrence Abrams - 1 year ago
No, I think there are good reasons for not wanting certain domains to be blocked. Ones that may prevent security updates or are required by the OS to properly work.
The telemetry ones are a bit more gray.
d-reaper - 1 year ago
Hmm... I don't know about that one. That just seems all too convenient for M$ to do more spying if you ask me. Otherwise, people wouldn't take such strides (make scripts, 3rd party applications etc.) to block those domains; along with de-bloating their system of all the crapware M$ pre-installs.
MolassesMan - 1 year ago
Blocking telemetry in the hosts files doesn't do anything. It is ignored. You need to block it using the firewall, ie the actual service itself.
Jeybee - 1 year ago
I always disable Windows defender. I delete the folders. I disable windows security by deleting the registry entries. I disable Windows firewall and base filter engine by deleting the services and disable windows update, windows search and events log by disabling the service in services. Never get a virus and have no other security software installed. Win10 runs much faster, files don't go missing and nothing starts randomly canning my hard drives when I don't want them to. Nothing is broken. I code in visual studio.
gueneal - 1 year ago
This is outrageous. Microsoft should realize that there are better alternatives out there to their OS and the more they pull crap like this the more likely people will switch to those alternatives. I got sick of their crap when they stopped explaining and labeling the updates. Now I run Arch.
d-reaper - 1 year ago
But M$ doesn't care because they are in a bubble. They most likely believe that they only matter as a software company, and that no other software company is relevant or could replace them. So they think people will just put up with it. Boy, I think they are going to fall on their face one of these days.
I started on Linux Mint KDE. But then when that got discontinued, I moved on to KDE Neon. And do I love it! I've used Arch before. The closest I get to using Arch these days is Manjaro just because I prefer not to build my desktop and everything basic from scratch.
JohnC_21 - 1 year ago
So in other words it took Microsoft about 19 years since the intro of XP to determine the HOSTS file was a security concern.
d-reaper - 1 year ago
Isn't that funny? I mean, with Linux, you needed root privileges just to modify the hosts file.
ColinMitchell - 1 year ago
I love Windows and I wish people didn't trash or compromise windows 10 telemetry. The more microsoft collects from bloat-ridden W10 installations the more likely they are to leave Server 2016/19 pristine for people like me to enjoy. With 200 or so more threads (doing f knows what) at any given time compared to WS2016, I sure sympathise with W10 users.
MolassesMan - 1 year ago
The reason for doing this cannot be so that it can still collect telemetry, as telemetry cannot be blocked by editing the host file. Therefore this seems more likely to be a general check to see if malware has changed the host file to block any domains which would be required for MS services.
AdvancedSetup - 1 year ago
Not exactly NEW except that some of those URLs for Windows 10 are probably new and not in the original URL bypasses via DomainLists
Microsoft HOSTS file bypass issue - Apr 15, 2006 12:05 pm PST
https://www.csoonline.com/article/2641599/microsoft-hosts-file-bypass-issue.html
Discussion even goes back to 2006
https://www.securityfocus.com/archive/1/431032/30/0/threaded
hardcoded domains in dnsapi that skips hosts file
https://ywjheart.wordpress.com/2018/04/03/hardcoded-domains-in-dnsapi-that-skips-hosts-file/
Microsoft DNS resolver: deliberately sabotaged hosts-file lookup
https://bugtraq.securityfocus.narkive.com/a2fZWlAb/microsoft-dns-resolver-deliberately-sabotaged-hosts-file-lookup
Detect and block potentially unwanted applications
https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus
SettingsModifier:Win32/HostsFileHijack (as it relates to Windows Defender detecting and resetting your hosts file)
https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=SettingsModifier:Win32/HostsFileHijack&threatId=265754
This detection flags suspicious modifications to the Windows hosts file, specifically entries for certain domains used by the operating system and critical services. Windows uses the hosts file to resolve domains to IP addresses during network communication, so malicious modifications can prevent legitimate network connections, such as updates and certificate checks, or result in insecure and potentially harmful connections.
Hosts file tampering is a common malware or attacker technique used to prevent or redirect network connections. An attacker might modify the file to block legitimate connections or to divert network traffic to a destination controlled by the attacker, resulting in the download of additional malware or other malicious activity.
Manage connections from Windows 10 operating system components to Microsoft services
https://docs.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services
Required diagnostic data for Office
https://docs.microsoft.com/en-us/deployoffice/privacy/required-diagnostic-data