Microsoft Defender flags hosts files with Microsoft server redirects as malicious

Martin Brinkmann
Aug 4, 2020

The native antivirus client of the Windows 10 operating system, Microsoft Defender, has started to flag the hosts file on the system as malicious if it contains redirects for certain Microsoft servers.

The hosts file is a simple plain text file that maps hostnames to IP addresses before any DNS lookup takes place. It is found under C:\Windows\System32\drivers\etc\hosts on any Windows system, and it is easy enough to redirect requests with it. It has been used for ages to block known malicious sites or advertisement sites.

All you have to do is add redirects in the form of 127.0.0.1 www.microsoft.com to the hosts file to redirect requests to the site "www.microsoft.com" in this case to the local computer. The effect is simple: the request is blocked.

With the release of Windows 10, blocking Telemetry servers via the hosts file became far more common. Privacy tools would add known Telemetry servers to the hosts file to block connections and thus the transmission of Telemetry data to Microsoft.

As of July 28, 2020, it appears that Microsoft Defender is flagging hosts files as malicious if they contain certain redirects. According to Günter Born, the following versions introduced the new behavior:

  • Antimalware client version: 4.18.2006.10
  • Engine version: 1.1.17300.4
  • Antivirus version: 1.321.144.0
  • Antispyware version: 1.321.144.0

Microsoft Defender Antivirus flags certain hosts file changes as a threat. An attempt to add telemetry.microsoft.com and microsoft.com redirects to 127.0.0.1 to the hosts file resulted in Microsoft Defender flagging the file and restoring the original version.


Attempts to save the file may display the following notification by Microsoft Defender:

Operation did not complete successfully because the file contains a virus or potentially unwanted software.

Restoring the file did not bring the entries back. Bleeping Computer's Lawrence Abrams ran a few tests and discovered the following servers that Microsoft Defender flags when they are added to the hosts file on Windows 10 devices:

  • www.microsoft.com
  • microsoft.com
  • telemetry.microsoft.com
  • wns.notify.windows.com.akadns.net
  • v10-win.vortex.data.microsoft.com.akadns.net
  • us.vortex-win.data.microsoft.com
  • us-v10.events.data.microsoft.com
  • urs.microsoft.com.nsatc.net
  • watson.telemetry.microsoft.com
  • watson.ppe.telemetry.microsoft.com
  • vsgallery.com
  • watson.live.com
  • watson.microsoft.com
  • telemetry.remoteapp.windowsazure.com
  • telemetry.urs.microsoft.com

It is possible that other servers will also be seen as a threat by Microsoft Defender. Windows 10 users may allow the threat in Microsoft Defender, at least for now, to add these redirects to the file again. The problem with the approach is that it will allow all modifications, even those by malicious software. Another option is to turn off Microsoft Defender and to start using a different security solution for Windows.

A false positive seems unlikely considering that the list of servers includes mostly Telemetry servers.
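As an added example (not code from the original article or from Microsoft), the following Python script parses a hosts file in the format described above and reports which entries map one of the servers from the Bleeping Computer list, so an administrator can audit a custom hosts file before Defender quarantines it. The sample hosts content is constructed; the server list is the one given above.

```python
"""Audit a hosts file for entries that Microsoft Defender was reported
to flag in the July 2020 definitions described in the article."""
from typing import Dict, List, Tuple

# Servers reported by Bleeping Computer as triggering the detection.
FLAGGED_HOSTS = frozenset({
    "www.microsoft.com", "microsoft.com", "telemetry.microsoft.com",
    "wns.notify.windows.com.akadns.net",
    "v10-win.vortex.data.microsoft.com.akadns.net",
    "us.vortex-win.data.microsoft.com", "us-v10.events.data.microsoft.com",
    "urs.microsoft.com.nsatc.net", "watson.telemetry.microsoft.com",
    "watson.ppe.telemetry.microsoft.com", "vsgallery.com", "watson.live.com",
    "watson.microsoft.com", "telemetry.remoteapp.windowsazure.com",
    "telemetry.urs.microsoft.com",
})


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs from hosts-file text.

    One line may list several hostnames after the IP, '#' starts a
    comment, and blank or comment-only lines are skipped."""
    entries: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            entries.append((ip, name.lower()))
    return entries


def find_flagged(text: str) -> Dict[str, List[str]]:
    """Map each flagged hostname present in the text to the IPs it is
    redirected to, whatever the target (127.0.0.1, 0.0.0.0 or other)."""
    hits: Dict[str, List[str]] = {}
    for ip, name in parse_hosts(text):
        if name in FLAGGED_HOSTS:
            hits.setdefault(name, []).append(ip)
    return hits


# Constructed sample hosts file, not a capture from a real system.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0 telemetry.microsoft.com watson.telemetry.microsoft.com  # telemetry
127.0.0.1 ads.example.invalid   # generic ad blocking, not on the list
127.0.0.1 www.microsoft.com
192.0.2.10 microsoft.com        # redirect to another host, still listed
"""

if __name__ == "__main__":
    for host, ips in sorted(find_flagged(SAMPLE_HOSTS).items()):
        print(f"would be flagged: {host} -> {', '.join(ips)}")
```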

Windows 10 tools that add entries to the hosts file may be negatively affected by this. Most privacy tools that manipulate the hosts file to block Telemetry will certainly fail to add the entries if Microsoft Defender is the resident antivirus solution.

Now You: do you use Microsoft Defender or another security solution on Windows?

Publisher: Ghacks Technology News


Comments

  1. Be Smart said on August 10, 2020 at 5:45 am
    Reply

    NEVER use 127.0.0.1 in the hosts file! That IP is the localhost address and applications may listen to! Instead, use 0.0.0.0!

  2. Anonymous said on August 5, 2020 at 10:37 pm
    Reply

    Abuse of (market) power if a company decides what's good or bad for you, esp. if the target is its own product.
    Ethics, dear MS, try to google it!

  3. allen said on August 5, 2020 at 10:52 am
    Reply

    Windows has been my #1 PUP (not so much “potential” as “actual”) for years due to many reasons, but the attitudes of Microsoft that this reflects are several of those reasons.

  4. Benjamin said on August 5, 2020 at 8:32 am
    Reply

    We are all dealing with private property here which is also very well protected by the state. It follows that the legal owner of such property can implement rules to whatever liking i.e. to achieve certain goals in a purely dictatorial secretive shareholder driven (i.e. other mighty interests as well) manner… the wider population has no say in all of this and has in reality few options and certainly no rights at all. There you all go with your privately owned instead of public owned infrastructure… the whole internet is full of such privately owned domains.

  5. Anonymous said on August 5, 2020 at 8:14 am
    Reply

    I stopped using antivirus or anti-malware software years ago, and I am never looking back. Most of my work is via browser; I have that secured, and with common sense there is no need for antivirus.

  6. Litschi said on August 5, 2020 at 7:57 am
    Reply

    open “admin”-shell

    Add-MpPreference -ExclusionPath "%systemroot%\System32\drivers\etc\hosts"

    and exclude the hosts file.

    1. Anonymous said on August 5, 2020 at 2:50 pm
      Reply

      Thanks

      It must be (because you can only define the folder and not the file)

      Add-MpPreference -ExclusionPath "%systemroot%\System32\drivers\etc"

  7. Jozsef said on August 5, 2020 at 6:05 am
    Reply

    I thought that in Win 10, the hosts file was ignored in the case of just this sort of attempt to block their telemetry servers. Am I wrong?

  8. Rush said on August 5, 2020 at 2:48 am
    Reply

    On Aug 1st, Win/def did flag the host file as “this program has potentially unwanted behavior.

    Permit this detected item only if you trust the program.

    Item: File:C:\Windows\System32\drivers\etc\hosts” is how Windows Defender lists the item.

    Windows flagged the file as such, I did allow the file back into my system…we’ll see if that was a mistake, or if M$ will flag it again………..

  9. Mothy said on August 5, 2020 at 1:34 am
    Reply

    This happens with Windows Defender on Windows 8.1 as well when I removed the exclusion for the C:\Windows\System32\drivers\etc directory, which I learned to set a long time ago when I first started using a custom hosts file, as many anti-malware products, not just Defender, would occasionally flag it like this thinking something malicious had changed the file. Like Ghost said above, it’s a bit ironic though because a good custom hosts file is actually a better defense than any anti-malware product, although it’s still good to have both for a layered defense.

  10. Anonymous said on August 5, 2020 at 12:01 am
    Reply

    One more reason not to use this trash Defender. Gotta start blocking them at router level now.

  11. Anonymous said on August 4, 2020 at 11:27 pm
    Reply

    Imagine thinking you are like a geek smart person and 1. You don’t run your firewall in whitelist mode and 2. You don’t turn off the realtime scan (or turn it off completely). 3. Turn executable and services through GPO or registry and even task schedule to avoid stuff from running. But then, complain about this type of stuff going on.
    I know the whitelist mode in the default Windows Firewall can be a little annoying since an upgrade and installing updates from some UWP and all will add new outbound rules to automatically allow connections, but again, if you are smart enough you know how to deal with it, if you want to run only Windows Firewall. But then there are 3rd party firewalls of any type, so no excuse.

    It’s like people complaining about CCleaner, and then it’s just interesting how some people trust those tools instead of doing manual cleanup if necessary. But then if something gets cleaned up too much and deletes something that shouldn’t be (like the recent Firefox extensions issue), they complain.

    Malwarebytes does something like this and I never saw anyone complaining, I even saw someone got support refused because the user sent like a log info in forum and it displayed the person blocking an Adobe address in hosts file, so they refused saying the person was pirating software so they wouldn’t help (even if issue had nothing to do with it).

    But yeah, people act like they care so much about this “evil telemetry”, yet they don’t even seem to use whitelist mode in their firewalls, where nothing like hosts and stuff would matter or be needed to stop telemetry. If they care about this “issue”/news, it makes me think they are allowing who knows which apps to connect to the internet and send who knows what over anyway, so either way, with proper firewall setup (and system in general) or not, people should just move on and not make big drama about this.

  12. Anonymous said on August 4, 2020 at 9:24 pm
    Reply

    I use basic ESET AV to have more control. Not perfect but better than the built-in spyware scanning your filez.

  13. NeonRobot said on August 4, 2020 at 8:19 pm
    Reply

    Thank God I am on Win7 x64.
    Pathetic actions of pathetic corp.

  14. Keith Baker said on August 4, 2020 at 6:30 pm
    Reply

    This happened to me, so while I look into a replacement for MS Defender I have added the hosts file to the exclusion list.

    Not that I expect MS will honour/abide by the list :(

  15. Kent Brockman said on August 4, 2020 at 5:59 pm
    Reply

    Lots of things in this world to be worried about, this ranks far down the list IMO. People going ape over it aren’t likely to be using Defender anyway. Yawn.

  16. Dave said on August 4, 2020 at 5:30 pm
    Reply

    Why? Why don’t you trust Microsoft?

    Someone’s going to get your data. Personally I’d rather it was a company owned and based in my own country.

    1. Yuliya said on August 4, 2020 at 5:52 pm
      Reply

      when was the last time you have checked a globe of Terra?

  17. Ghost said on August 4, 2020 at 5:26 pm
    Reply

    Ironically a hosts file, like the one from winhelp2002, with added known microsoft telemetry and google analytics blocking keeps your computer running smoother and SAFER than Windows Defender ever will.. Solution: Block/Disable/Remove/Cripple/Assault Windows Defender in any way possible. Clearly its main purpose is now to uphold microsoft ad revenue streams, not to protect you or your files. I mean the hosts file is a TEXT FILE for F**KS SAKE…GEEEEZ!!!!!! …just you wait, the nr ONE priority in Windows 10 development is now to eliminate the use of a hosts file.

  18. Anonymous said on August 4, 2020 at 5:23 pm
    Reply

    I could understand blocking or overwriting certain entries in the host file if it was related to blocking defender updates but not telemetry servers, their motivation is clear and they just dont gaf. Makes you wonder what else they are doing. That’s why I disable it and go buy an eset key off ebay for 10$.

    1. SpywareFan said on August 4, 2020 at 6:44 pm
      Reply

      Even Eset flags modified hosts file as malicious, but this is due to the web access protection engine (which accepts wildcards like *bing.* or *analytics.js*).
      With EIS you can also prevent waas SIH from running (M$ trojan) and useless .etl files creation, you will enjoy the powerful firewall! ;)
      P.S.: beware of BITS M$ backdoor service.

  19. Peterc said on August 4, 2020 at 5:22 pm
    Reply

    So *this* is why Microsoft wasn’t called before the House Judiciary Subcommittee on Antitrust along with Google, Amazon, Facebook, and Apple to answer questions about monopolistic abuses. They were just *too darn busy* extending control over their customers’ computers. On the bright side, I bet Windows Defender still allows redirects from the *other* GAFAM companies’ servers. But when you think about it, that’s kind of unfair. What we *really* need is one giant tech conglomerate that can put an end to uppity consumers’ obsession with privacy, choice, and control once and for all. “Freedom is slavery. Ignorance is strength.” /s

  20. Malte said on August 4, 2020 at 5:17 pm
    Reply

    I block the Microsoft telemetry servers through my router and there is nothing Microsoft can do about it.

  21. Tony said on August 4, 2020 at 4:24 pm
    Reply

    I never trusted Microsoft to honor the host file with regard telemetry, so I removed the telemetry services. For anything that still manages to get by (Settings pings Bing a lot), I use Pihole.

  22. Ryan F said on August 4, 2020 at 4:17 pm
    Reply

    I regularly roll my eyes at those who cry “EVIL!” every time Microsoft sneezes, but this is one of those situations where I agree that this is a bad move. Taking more control away from users is just a really bad look, and it’s one more thing to add to the list of things that make me concerned for the future of the platform.

  23. Tobi said on August 4, 2020 at 3:47 pm
    Reply

    And so many people always talk about using the “good” Windows Defender…

    1. Corky said on August 4, 2020 at 6:13 pm
      Reply

      To be fair, compared to other AV solutions it is. The last time I used a commercial AV, third party AV, or whatever, they were either bloated with extra ‘features’, slowed things down, or were outright buggy.

      Windows Defender has added a load of ‘features’ but at least they can be switched off, don’t clutter the GUI, and are pretty unobtrusive.

  24. Mystique said on August 4, 2020 at 3:37 pm
    Reply

    Microsoft knows exactly what they are doing with this. Make no mistake they do not have any honorable intentions here.
    This is a case of malware defending itself. No signs of Windows Defender flagging nvidia telemetry blocks as malicious… hmm I wonder.

    You call it malicious, we all call it something else. The only thing that is malicious is the way you treat your customers. P.S. Windows 10 is not that much of an evolutionary step for its users as you like to make it out to be; it’s purely devised to hand over more control to Microsoft and erode the end user’s privacy.

    I am using it and can say it’s not that good. In fact I preferred Windows 8.1 in some ways. You can’t even have a false sense of security with Windows 10, and this is proof of that.
    If Microsoft worked as hard at actually making a decent OS not rooted in this subscription model as they do at effing over their customers, then we’d all be in a better place right now.

    YOU SUCK MICROSOFT! Give yourself an uppercut!

  25. chesscanoe said on August 4, 2020 at 3:34 pm
    Reply

    I will continue to use Windows Defender aka Windows Security because it works reliably and can be updated manually several times per day if desired. It is free because Microsoft also benefits when I use it, and that is OK with me.

  26. Tim said on August 4, 2020 at 2:56 pm
    Reply

    Not surprising. The company motto today is “We take your privacy seriously”.

    But that line becomes a lot more accurate when you throw a comma in there, as in “We take your privacy, seriously.” In other words, they want to take all the juicy data about you for themselves and monetize it, while preventing their competitors from doing the same thing.

    You know, like I ate all of the chocolate chip cookies at the party last night, so that there wouldn’t be any for any of the other guests.

    1. MarK said on September 28, 2020 at 10:36 pm
      Reply

      Tim – full strike. You got it.
      Brilliant. Unmasking.

    2. Coriy said on August 4, 2020 at 8:24 pm
      Reply

      Are you sure you’re not talking about Apple or Google?
      Oh, wait a minute, all three do this.

    3. Mystique said on August 4, 2020 at 3:53 pm
      Reply

      ^ EXCELLENT!

  27. ULBoom said on August 4, 2020 at 2:51 pm
    Reply

    >do you use Microsoft Defender or another security solution on Windows?<

    Defender, No; another, Yes. We've never used any MS "security" software.
    Beside Defender being a slow ass mess, it does things like this.

    Somewhere I read that MS has put so much effort into understanding business users they have fallen far behind in their understanding of consumers.

    I guess in their myopic bubble view they'll start slamming ordinary users with one Chredge Hammer after another.

    1. kalmly said on August 4, 2020 at 3:58 pm
      Reply

      “I guess in their myopic bubble view they’ll start slamming ordinary users with one Chredge Hammer after another.”

      Start?

      Start?

  28. Anonymous said on August 4, 2020 at 2:38 pm
    Reply

    Wow, if MS does this it means there’s definitely a widespread use of telemetry blocking among W10 users. The entries are all related to spying/telemetry so this isn’t an attempt by MS to help users avoid security risks.

    I don’t use the hosts-file because it’s more elegant to block DNS requests with blocking software like pi-hole or NextDNS.

  29. Yuliya said on August 4, 2020 at 2:30 pm
    Reply

    I disabled Defender on my LTSC ¯\_(ツ)_/¯

    1. James Sullivan said on August 4, 2020 at 3:09 pm
      Reply

      I don’t have Defender on all my Linux boxes.

  30. Corky said on August 4, 2020 at 2:20 pm
    Reply

    Thou doth protest too much.

    Also, since when have text files been able to contain viruses? A case of Microsoft overstepping perhaps, not that that’s ever stopped them.

  31. asdsa said on August 4, 2020 at 1:53 pm
    Reply

    It kind of makes sense. Some malware will try to prevent upgrades and stay persistent.
    There are definitely other more sensible avenues for malware creators to block updates, but this is definitely a heavy handed/a mistake, from Microsoft.

    1. No Thanks, MSNBCIAGooglesoft said on August 4, 2020 at 6:03 pm
      Reply

      Take a look at the servers being flagged, they are all telemetry servers, nothing to do with updates or security. No benefit for users.

      Luckily, I don’t run Defender, which itself is malware. Windows 10 Home and Pro can be classified as malware too because it is impossible to fully disable “telemetry” malware on those versions.

      Now you’re saying but why don’t governments do anything about this spying even though they shut down Chinese and Russian companies for the SAME THING? The answer is: The 5 Eyes.

      1. brightspark said on August 6, 2020 at 1:20 pm
        Reply

        So Google, Apple, and all the other data collection agencies must also be malware. Conspiracy theorist supreme!
