Microsoft Defender flags hosts files with Microsoft server redirects as malicious
The native antivirus client of the Windows 10 operating system, Microsoft Defender, has started to flag the hosts file on the system as malicious if it contains redirects for certain Microsoft servers.
The hosts file is a simple plain text file that maps hostnames to IP addresses, which makes it easy to redirect connections. Users find it under C:\Windows\System32\drivers\etc\hosts on any system. It has been used for ages to block known malicious sites or advertisement sites.
All you have to do is add redirects in the form of 127.0.0.1 www.microsoft.com to the hosts file to redirect requests to the site "www.microsoft.com" in this case to the local computer. The effect is simple: the request is blocked.
With the release of Windows 10, blocking Telemetry servers through the hosts file became far more common. Privacy tools would add known Telemetry servers to the hosts file to block connections and thus the transmission of Telemetry data to Microsoft.
As of July 28, 2020, it appears that Microsoft Defender is flagging hosts files as malicious if they contain certain redirects. According to Günter Born, the following versions introduced the new behavior:
- Antimalware client version: 4.18.2006.10
- Engine version: 1.1.17300.4
- Antivirus version: 1.321.144.0
- Antispyware version: 1.321.144.0
Microsoft Defender Antivirus flags certain hosts file changes as a threat. An attempt to add telemetry.microsoft.com and microsoft.com redirects to 127.0.0.1 to the hosts file resulted in Microsoft Defender flagging the file and restoring the original version.
Attempts to save the file may display the following notification by Microsoft Defender:
Operation did not complete successfully because the file contains a virus or potentially unwanted software.
Restoring the file did not restore the entries. Bleeping Computer's Lawrence Abrams ran a few tests and discovered the following servers that Microsoft Defender flags when they are added to the hosts file on Windows 10 devices.
It is possible that other servers will also be seen as a threat by Microsoft Defender. Windows 10 users may allow the threat in Microsoft Defender, at least for now, to add these redirects to the file again. The problem with the approach is that it will allow all modifications, even those by malicious software. Another option is to turn off Microsoft Defender and to start using a different security solution for Windows.
A false positive seems unlikely considering that the list of servers includes mostly Telemetry servers.
Windows 10 tools that add entries to the hosts file may be affected negatively. Most privacy tools that manipulate the hosts file to block Telemetry will certainly fail to add the entries if Microsoft Defender is the resident antivirus solution.
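As an added example (not code from the article or from Microsoft Defender), a small Python audit that parses a hosts file the way the article describes and reports entries that sinkhole Microsoft hostnames, the kind of check an administrator can run before a scanner does; the watched suffix list and the sample file are constructed assumptions built from the two names the article mentions.

```python
import ipaddress
from typing import Dict, List

# Assumption: the article names telemetry.microsoft.com and microsoft.com, but not the
# full flagged list, so this watchlist is a constructed stand-in for the example.
WATCHED_SUFFIXES = ("microsoft.com",)

# Addresses that turn a hosts entry into a block rather than a real redirect.
# 127.0.0.1/::1 still deliver the request to any local listener; 0.0.0.0/:: are unroutable.
SINKHOLE_ADDRS = {"127.0.0.1", "0.0.0.0", "::1", "::"}
LOOPBACK_ADDRS = {"127.0.0.1", "::1"}


def parse_hosts(text: str) -> List[Dict]:
    """Parse hosts-file text into {addr, names, line} records; comments, blanks and
    lines whose first field is not an IP address are skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            addr = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            continue  # malformed entry, not an address
        names = [n.lower() for n in parts[1:]]  # one address may carry several names
        if names:
            entries.append({"addr": addr, "names": names, "line": lineno})
    return entries


def _watched(name: str) -> bool:
    return any(name == s or name.endswith("." + s) for s in WATCHED_SUFFIXES)


def audit_hosts(text: str) -> List[Dict]:
    """Return every watched hostname that is mapped to a sinkhole address."""
    findings = []
    for e in parse_hosts(text):
        for name in e["names"]:
            if _watched(name) and e["addr"] in SINKHOLE_ADDRS:
                findings.append({"line": e["line"], "name": name, "addr": e["addr"],
                                 "loopback": e["addr"] in LOOPBACK_ADDRS})
    return findings


# Constructed sample input, not a real hosts file.
SAMPLE_HOSTS = (
    "# constructed sample\n"
    "127.0.0.1   localhost\n"
    "0.0.0.0     telemetry.microsoft.com   # block telemetry\n"
    "127.0.0.1   www.microsoft.com microsoft.com\n"
    "::1         localhost\n"
    "0.0.0.0     ads.example.net\n"
    "not-an-ip   broken.example\n"
)

if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['name']} -> {f['addr']} (loopback={f['loopback']})")
```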
Now You: do you use Microsoft Defender or another security solution on Windows?
It kind of makes sense. Some malware will try to prevent upgrades and stay persistent.
There are definitely other more sensible avenues for malware creators to block updates, but this is definitely a heavy handed/a mistake, from Microsoft.
Take a look at the servers being flagged, they are all telemetry servers, nothing to do with updates or security. No benefit for users.
Luckily, I don’t run Defender, which itself is malware. Windows 10 Home and Pro can be classified as malware too because it is impossible to fully disable “telemetry” malware on those versions.
Now you’re saying but why don’t governments do anything about this spying even though they shut down Chinese and Russian companies for the SAME THING? The answer is: The 5 Eyes.
So Google, Apple, and all the other data collection agencies must also be malware. Conspiracy theorist supreme!
Thou doth protest too much.
Also, since when have text files been able to contain viruses? A case of Microsoft overstepping perhaps, not that that’s ever stopped them.
I disabled Defender on my LTSC ¯\_(ツ)_/¯
I don’t have Defender on all my Linux boxes.
Wow, if MS does this it means there’s definitely a widespread use of telemetry blocking among W10 users. The entries are all related to spying/telemetry so this isn’t an attempt by MS to help users avoid security risks.
I don’t use the hosts-file because it’s more elegant to block DNS requests with blocking software like pi-hole or NextDNS.
>do you use Microsoft Defender or another security solution on Windows?<
Defender, No; another, Yes. We've never used any MS "security" software.
Beside Defender being a slow ass mess, it does things like this.
Somewhere I read that MS has put so much effort into understanding business users they have fallen far behind in their understanding of consumers.
I guess in their myopic bubble view they'll start slamming ordinary users with one Chredge Hammer after another.
“I guess in their myopic bubble view they’ll start slamming ordinary users with one Chredge Hammer after another.”
Not surprising. The company motto today is “We take your privacy seriously”.
But that line becomes a lot more accurate when you throw a comma in there, as in “We take your privacy, seriously.” In other words, they want to take all the juicy data about you for themselves and monetize it, while preventing their competitors from doing the same thing.
You know, like I ate all of the chocolate chip cookies at the party last night, so that there wouldn’t be any for any of the other guests.
Are you sure you’re not talking about Apple or Google?
Oh, wait a minute, all three do this.
Tim – full strike. You got it.
I will continue to use Windows Defender aka Windows Security because it works reliably and can be updated manually several times per day if desired. It is free because Microsoft also benefits when I use it, and that is OK with me.
Microsoft knows exactly what they are doing with this. Make no mistake they do not have any honorable intentions here.
This is a case of malware defending itself. No signs of Windows Defender flagging nvidia telemetry blocks as malicious… hmm I wonder.
You call it malicious; we all call it something else. The only thing that is malicious is the way you treat your customers. P.S. Windows 10 is not as much of an evolutionary step for its users as you like to make it out to be; it’s purely devised to hand over more control to Microsoft and erode the end user’s privacy.
I am using it and can say it’s not that good. In fact I preferred Windows 8.1 in some ways. You can’t even have a false sense of security with Windows 10, and this is proof of that.
If Microsoft worked as hard as they do to actually make a decent OS not rooted in this subscription model as they do towards effing over their customers then we’d all be in a better place right now.
YOU SUCK MICROSOFT! Give yourself an uppercut!
And so many people always talk about using the “good” Windows Defender…
To be fair compared to other AV solutions it is, last time i used a commercial AV, third party AV, or whatever they were either bloated with extra ‘features’, slowed things down, or where outright buggy.
Windows Defender has added a load of ‘features’ but at least they can be switched off, don’t clutter the GUI, and are pretty unobtrusive.
I regularly roll my eyes at those who cry “EVIL!” every time Microsoft sneezes, but this is one of those situations where I agree that this is a bad move. Taking more control away from users is just a really bad look, and it’s one more thing to add to the list of things that make me concerned for the future of the platform.
I never trusted Microsoft to honor the host file with regard telemetry, so I removed the telemetry services. For anything that still manages to get by (Settings pings Bing a lot), I use Pihole.
I block the Microsoft telemetry servers through my router and there is nothing Microsoft can do about it.
So *this* is why Microsoft wasn’t called before the House Judiciary Subcommittee on Antitrust along with Google, Amazon, Facebook, and Apple to answer questions about monopolistic abuses. They were just *too darn busy* extending control over their customers’ computers. On the bright side, I bet Windows Defender still allows redirects from the *other* GAFAM companies’ servers. But when you think about it, that’s kind of unfair. What we *really* need is one giant tech conglomerate that can put an end to uppity consumers’ obsession with privacy, choice, and control once and for all. “Freedom is slavery. Ignorance is strength.” /s
I could understand blocking or overwriting certain entries in the hosts file if it was related to blocking Defender updates, but not telemetry servers. Their motivation is clear and they just don’t gaf. Makes you wonder what else they are doing. That’s why I disable it and go buy an ESET key off eBay for $10.
Even Eset flags modified hosts file as malicious, but this is due to the web access protection engine (which accepts wildcards like *bing.* or *analytics.js*).
With EIS you can also prevent waas SIH from running (M$ trojan) and useless .etl files creation, you will enjoy the powerful firewall! ;)
P.S.: beware of BITS M$ backdoor service.
Ironically a hosts file, like the one from winhelp2002, with added known microsoft telemetry and google analytics blocking keeps your computer running smoother and SAFER than Windows Defender ever will.. Solution: Block/Disable/Remove/Cripple/Assault Windows Defender in any way possible. Clearly its main purpose is now to uphold microsoft ad revenue streams, not to protect you or your files. I mean the hosts file is a TEXT FILE for F**KS SAKE…GEEEEZ!!!!!! …just you wait, the nr ONE priority in Windows 10 development is now to eliminate the use of a hosts file.
Why? Why don’t you trust Microsoft?
Someone’s going to get your data. Personally I’d rather it was a company owned and based in my own country.
when was the last time you have checked a globe of Terra?
Lots of things in this world to be worried about, this ranks far down the list IMO. People going ape over it aren’t likely to be using Defender anyway. Yawn.
This happened to me, so while I look into a replacement for MS Defender I have added the hosts file to the exclusion list.
Not that I expect MS will honour/abide by the list :(
Thank God I am on Win7 x64.
Pathetic actions of pathetic corp.
I use basic ESET AV to have more control. Not perfect, but better than the built-in spyware scanning your filez.
Imagine thinking you are like a geek smart person and 1. You don’t run your firewall in whitelist mode and 2. You don’t turn off the realtime scan (or turn it off completely). 3. Turn executable and services through GPO or registry and even task schedule to avoid stuff from running. But then, complain about this type of stuff going on.
I know the whitelist mode in Default Windows Firewall can be little annoying since an upgrade and installing updates from some UWP and all, will add new outbound rules to automatically allow connections, but again, if you are smart enough you know how to deal with it, if you want to run only Windows Firewall. But then there are 3rd party firewalls or any type, so no excuse.
It’s like people complaining about CCleaner, and then it’s just interesting how some people trust those tools instead of doing manual cleanup if necessary. But then if something gets too cleanup and deletes something that shouldn’t (Like recent firefox extensions issue), they complain.
Malwarebytes does something like this and I never saw anyone complaining, I even saw someone got support refused because the user sent like a log info in forum and it displayed the person blocking an Adobe address in hosts file, so they refused saying the person was pirating software so they wouldn’t help (even if issue had nothing to do with it).
But yeah, people act like they care so much about this “evil telemetry”, yet they don’t even seem to use whitelist mode in their firewalls, where nothing like hosts and stuff would matter or be needed to stop telemetry. If they care about this “issue”/news, it makes me think they are allowing who knows which apps to connect to the internet and send who knows what anyway, so either way, with a proper firewall setup (and system in general) or not, people should just move on and not make big drama about this.
One more reason not to use this trash Defender. Gotta start blocking them at router level now.
This happens with Windows Defender on Windows 8.1 as well when I removed the exclusion for C:\Windows\System32\drivers\etc directory which I learned to set a long time ago when first started using a custom hosts file as many anti-malware products, not just Defender, would occasionally flag it like this thinking something malicious had changed the file. Like Ghost said above, it’s a bit ironic though because a good custom hosts file is actually a better defense than any anti-malware product although it’s still good to have both for a layered defense.
On Aug 1st, Win/def did flag the hosts file as “This program has potentially unwanted behavior.
Permit this detected item only if you trust the program.
Item: File:C:\Windows\System32\drivers\etc\hosts” is how Windows Defender lists the item.
Windows flagged the file as such, I did allow the file back into my system…we’ll see if that was a mistake, or if M$ will flag it again………..
I thought that In Win 10, the hosts file was ignored in the case of just this sort of attempt to block their telemetry servers. Am I wrong?
Add-MpPreference -ExclusionPath "%systemroot%\System32\drivers\etc\hosts"
and exclude the hosts file.
It must be this (because it only defines the folder, not the file):
Add-MpPreference -ExclusionPath "%systemroot%\System32\drivers\etc"
I stopped using antivirus or anti malware software for years now, and I am never looking back. Most of my work is via browser I have that secure and common sense no need for antivirus.
We are all dealing with private property here, which is also very well protected by the state. It follows that the legal owner of such property can implement rules to whatever liking, i.e. to achieve certain goals in a purely dictatorial, secretive, shareholder-driven (i.e. other mighty interests as well) manner… the wider population has no say in all of this and has in reality few options and certainly no rights at all. There you all go with your privately owned instead of publicly owned infrastructure… the whole internet is full of such privately owned domains.
Windows has been my #1 PUP (not so much “potential” as “actual”) for years due to many reasons, but the attitudes of Microsoft that this reflects are several of those reasons.
Abuse of (market) power if a company decides what’s good or bad for you, esp. if the target is its own product.
Ethics dear MS, try to google it!
NEVER use 127.0.0.1 in the hosts file! That IP is the localhost address and applications may listen to! Instead, use 0.0.0.0!