I’ve just come across the website A TroubleShooting Guide to Windows XP which contains a useful trick entitled Blocking unwanted spyware and parasites with a HOSTS file (which is relevant to this forum)!
John
Great tip. I combine mvps’s host file with hpguru’s one. I look for updates on security software (including several hosts list definitions) at the calendar of security updates
Joe
That’s just the usual maintenance you need with any application, surely, though 30,000 entries is certainly non-trivial! I feel a BATch file coming on, to sort and deduplicate lists. Alternatively, some way of making such a list specific to the things you look at might be a better idea…
What a pity there couldn’t be a generalised entry saying “no spyware, popups or anything nasty”!
John
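An added example, not code from anyone in this thread: one way to do the merge, sort and deduplicate step discussed above for several downloaded HOSTS lists. The sample lists and hostnames are constructed, and the choice to keep only entries that point at a loopback/null address is an assumption made here so that a downloaded list cannot import a redirect of a real site to some other IP.

```python
import re

# A hostname is dot-separated labels of letters, digits and hyphens.
_LABEL = r"(?!-)[a-z0-9-]{1,63}(?<!-)"
_HOST_RE = re.compile(rf"^{_LABEL}(\.{_LABEL})*$")
# Sink addresses that blocking lists use; anything else is a real mapping.
_SINKS = {"127.0.0.1", "0.0.0.0"}
# Names that must keep their normal resolution and never be treated as blocked.
_PROTECTED = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_blocked_hosts(text):
    """Return the set of hostnames a HOSTS-format text maps to a sink address."""
    hosts = set()
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) < 2 or fields[0] not in _SINKS:
            continue                              # blank line or non-blocking mapping
        for name in fields[1:]:                   # one line may carry several names
            name = name.lower().rstrip(".")
            if name not in _PROTECTED and _HOST_RE.match(name):
                hosts.add(name)
    return hosts


def merge_hosts(*texts, sink="127.0.0.1"):
    """Merge several lists into one sorted, deduplicated HOSTS body."""
    merged = set()
    for text in texts:
        merged |= parse_blocked_hosts(text)
    # Sort by reversed labels so that hosts of the same domain sit together.
    ordered = sorted(merged, key=lambda h: h.split(".")[::-1])
    lines = ["127.0.0.1 localhost"] + [f"{sink} {h}" for h in ordered]
    return "\n".join(lines) + "\n"


# Constructed sample lists (not real blocklist content).
LIST_A = """# list A
127.0.0.1  localhost
127.0.0.1  ads.example.com   # banner server
127.0.0.1  Tracker.Example.NET
203.0.113.7  login.example.org   # a redirect, must not be imported
"""
LIST_B = "0.0.0.0 ads.example.com popups.example.com\n0.0.0.0 bad_host!.example.org\n"

if __name__ == "__main__":
    print(merge_hosts(LIST_A, LIST_B), end="")
```

Reviewing the lines the parser drops (non-sink addresses, malformed names) before installing a merged file is a cheap check on what a third-party list is really asking the resolver to do.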
John
Just FYI, I was involved with assessing the performance implications of the Hosts file quite a few years back, before it was being used to any extent to block DNS addresses by looping back to localhost. This was on Win98. We were comparing performance against JunkBuster, which has been around for a long time, as you see on the site. To our surprise, it appeared that the Hosts file was (re)loaded into memory each and every time it was accessed i.e. with each DNS lookup! Worse still, the whole file is searched sequentially, top to bottom, for a match. Needless to say, JunkBuster came up on top for efficiency – it stays resident, uses wildcards/ pattern matching rather than single entries, and uses fast/ smart searching.
I don’t know if Hosts operation has changed (as I said, in those days it was only designed to hold a handful of entries) or whether the performance hit is noticeable on today’s more powerful machines. All said & done though, have you considered using something like Proxomitron? It’s JunkBuster + Hosts + a whole lot more.
Alan
Alan
Interesting that you’ve actually done some work on the subject, rather than my guesswork! I am asking my XP networking guru about the vagaries of the HOST file loading, and, given sufficient enthusiasm, I may get round to using SysInternal’s FILEMON to determine the loading (but not the sequential reading) characteristics.
Proxomitron looks interesting, but (as is not uncommon), it is difficult to get into because the information given assumes you know all about it already! It ought to be compulsory for software authors to provide a one-paragraph explanation of what problem the program was written to solve, and how it solves it! Also, it seems to me that a) development has ceased by the author, and it hasn’t been taken over by someone else, and he seems to have written some of the documentation while on mind-altering substances!
John
Well, taking up those points with the author isn’t possible because, sadly, he died aged 36 on 1st May 2004. The best short description I can concoct is that it’s a local proxy that sits between your browser and the big, bad internet – a link in the chain if you like, between browser and ISP.
As such, it has the potential to vet everything that reaches your browser, or is sent from it, via http or https protocols. The potential here is wide-ranging, but the most easily understood application is its ability to actually rewrite the web pages that reach your browser, in such a way as to remove unwanted content within the HTML. For instance, things like browser window resizing commands, popups, popunders, banners can be removed from the HTML code. This makes for faster browsing (removed content is never downloaded), filtered to the desire of the user. For a better sampling of what just this one feature can do, have a look at Hitch-Hikers Guide to the Default Web Filters.
Its possibilities are complex and wide-ranging, but it works very nicely “straight out of the box”. Trying to compare its native ad-blocking ability directly with the hosts file, I can see a few dozen entries in Prox, that use its own regular expression language, compared to however many thousand were quoted for the hosts file. And I can’t recall Prox letting through any that hosts would have blocked.
Alan
It’s actually dead easy to give it a whirl. It just resides in its own folder (no “installing” as such) and, despite the inadequacy of the help files, there are really only two other things to do:
1. Be sure to set up IE so that it “talks” through Proxomitron, by following the instructions in the “Installation and Eradication” section. Use two browser windows for this – one for reading the instructions, one for fiddling the settings. At the heart of it, you should end up with Proxy Settings as shown below.
2. Ensure that Prox is running when your browser is in use. Easiest to make a startup shortcut, so that it runs in the tray all the time (uses 360KB memory on my machine).
That’s it. I’d suggest just using it “as is” at first, comparing “annoying” sites you know with & without the filters turned on. This should give you the idea. As I said, there’s a lot in it and it’s probably best to pick it up bit by bit if you feel inclined to customize. For instance, after some learning I wrote a filter to insert the date, title and hyperlinked URL at the top or bottom of web pages. I sometimes turn this on when I want to save a page, so that I have its details embedded. The list goes on.
Hope you like it.
Alan