Microsoft: Blocking Telemetry in HOSTS file a security risk


    • #2286151

    From Lawrence Abrams at BleepingComputer:

    Starting at the end of July, Microsoft has begun detecting HOSTS files that block Windows 10 telemetry servers as a ‘Severe’ security risk.

    Microsoft now detects HOSTS files that block Windows telemetry
    Since the end of July, Windows 10 users began reporting that Windows Defender had started detecting modified HOSTS files as a ‘SettingsModifier:Win32/HostsFileHijack’ threat.

    When detected, if a user clicks on the ‘See details’ option, they will simply be shown that they are affected by a ‘Settings Modifier’ threat and have ‘potentially unwanted behavior,’ as shown below.

    What next ? Microsoft’s defender will block 3rd party apps that block Telemetry, block updates, remove Microsoft store apps….?

    • #2286178

      One more reason not to use Windows Defender but some more advanced AV product.

    • #2286195

      What next ? Microsoft’s defender will block 3rd party apps that block Telemetry, block updates, remove Microsoft store apps….?

      The real privacy dashboard for Windows [ https://wpd.app/ ] seems to do a good job in blocking telemetry and unwanted msstuff

      * _ ... _ *
      • #2286206

        Will take a look at WPD. I’ve been using O&O ShutUp10 and used Windows 10 Debloater (which uses PowerShell) in the past to remove some of the bloatware that comes pre-installed in Windows 10.

        For HOSTS, I use the custom MVPS file with additional hosts appended by Spybot – Search and Destroy’s Immunization component. I use Avast as my main antivirus, but keep Windows Defender definitions up to date and run a full scan with it every so often.

        So far, no detections about a HOSTS “Hijack” but that may well change in the future.

    • #2286197

      I really appreciate Windows Defender, since one does not need to buy a separate product for this.
      And I can remember AV programs that sell data (Avast) and programs that are more adware than antivirus (AVG and others as well).

      I understand this desire, because if the HOSTS file blocks telemetry/updates it’s simple to identify the issue (missing/edited record in HOSTS).

      But what if I modify HOSTS in the way I need? Adding file server address for example. Is this going to be evaluated as security risk?

      Dell Latitude 3420, Intel Core i7 @ 2.8 GHz, 16GB RAM, W10 22H2 Enterprise

      HAL3000, AMD Athlon 200GE @ 3,4 GHz, 8GB RAM, Fedora 29

      PRUSA i3 MK3S+

    • #2286201

      Lawrence Abrams has a detailed article about this on BleepingComputer.

      Günter Born posted the initial alarm on Borncity.

      Yep, MS is whittling away our control, bit by bit.

      • #2286760

        Yep, MS is whittling away our control, bit by bit.

        As noted by Günter Born in the link above, a user can “… define the [HOSTS] file in Defender as an exception and exclude it from the check (see also Part 2). In this case, Defender does not monitor any malware manipulation of the hosts file.”

        So we still have (but for how long) the ability to stop Defender from flagging the presence of MS telemetry URLs as “malware”-induced.  The sad thing is that monitoring the HOSTS file for unwanted changes is at base a valid security mechanism that should have been included in the Defender and the OS a long time ago; MS finally gets around to it, NOT to defend users, but to defend MS’s access to telemetry information (that must be why they call it “Defender”).

    • #2286207

      Is it just Windows 10 telemetry blocking via the HOSTS file that’s triggering the Windows Defender detection?

      I’m using Windows 10 Professional 2004 64-bit here – clean install 31st May 2020. ‘Extra Privacy’ handled by O&O’s ShutUp10 (if it makes any difference to the following).

      I have extra entries in my Hosts file blocking 9 Avast and Piriform addresses to prevent CCleaner taking about 10 seconds to open, as I have both CCleaner executables in Program Files blocked from accessing the Internet with OneClickFirewall and have for the past 2 or 3 years.

      The 10 second delay if CCleaner is blocked with a firewall is something new that started happening about 2 or 3 releases back – it is obviously trying to access the Internet for something every time you launch the program now.

      Anyway, back to the subject at hand – I’ve just done a quick scan with Windows Defender (fully up to date) and it hasn’t detected any changes to my Hosts file (or any other issues).

    • #2286225

      I use O&O Shutup10 to control telemetry for Version 2004 (OS Build 19041.388), and it does not in any way modify the HOSTS file. My HOSTS file has only two entries that are not commented out:

      127.0.0.1 localhost
      ::1 localhost

      O&O Shutup10 uses the registry to control telemetry. My Windows Defender (Windows Security) has green check-marks everywhere.

      Always create a fresh drive image before making system changes/Windows updates; you may need to start over!
      We all have our own reasons for doing the things that we do with our systems; we don't need anyone's approval, and we don't all have to do the same things.
      We were all once "Average Users".

    • #2286764

      Is it just Windows 10 telemetry blocking via the HOSTS file that’s triggering the Windows Defender detection?

      It is Microsoft’s URLs including Telemetry that are blocked.

      http://www.microsoft.com
      microsoft.com
      telemetry.microsoft.com
      wns.notify.windows.com.akadns.net
      v10-win.vortex.data.microsoft.com.akadns.net
      us.vortex-win.data.microsoft.com
      us-v10.events.data.microsoft.com
      urs.microsoft.com.nsatc.net
      watson.telemetry.microsoft.com
      watson.ppe.telemetry.microsoft.com
      vsgallery.com
      watson.live.com
      watson.microsoft.com
      telemetry.remoteapp.windowsazure.com
      telemetry.urs.microsoft.com

      • #2286794

        Huh, interesting. I thought I’d read years ago, not long after Windows 10 first came out, that Microsoft had arranged things so that its telemetry URLs were “hard-coded” into the OS and they would ignore the Hosts file.

        Maybe that’s changed more recently, or maybe I remember it wrong?

        • #2302030

          I also remember reading about that some years ago. Can’t remember whether it was someone at Microsoft or somewhere else that said it though.

          So, I’m now pondering whether this was also one of the many items of misinformation we’ve been hearing about Windows 10 since it was released or, as you say, it’s been changed recently (and perhaps MS hoped that no-one would notice?).

          Anyway, I’ve added all of these entries from here to my Windows 10 Hosts file:

          https://encrypt-the-planet.com/downloads/hosts

          and added an exclusion for the Hosts file to Windows Defender.

          This is in addition to using O&O’s ShutUp10. Don’t know if I’m blocking the telemetry, etc. “twice” now but it hasn’t caused any issues so far.

          I’ve also made the Windows 10 Hosts file Read Only (which it was by default in Windows 7 but isn’t in Windows 10 for some reason?). I’ve read somewhere that it probably doesn’t make much difference but I’ve done it anyway.

          I’ll continue to use Windows Defender in Windows 10 because, for me anyway, it does the job plus it also now has an excellent Anti Ransomware protection feature (which isn’t turned on by default, possibly because it may cause issues with certain programs which save or alter files in one of the ‘protected’ locations – Documents, Pictures, etc.).

          Be interesting to see what happens with the next Windows 10 release due shortly – will MS be taking more steps to defeat attempts at disabling telemetry, etc. I wonder?

    • #2300508

      My laptop runs on win 8.1.

      Every time I have rebooted it recently Windows Defender has flagged multiple entries of “SettingsModifier:Win32/HostsFileHijack”. Each time Defender removes them to quarantine but they are back again after the next reboot.

      Is this the same as discussed above or do I have some malware somewhere?

      Both ESET online scanner and MS’s own online security safety scanner do not pick it up. This latest reboot has 2 instances of this; it used to be only 2.

      • #2300521

        I suggest reading this MSFT Security Intelligence article.
        It’s possibly a trojan; Malwarebytes FREE version would probably be your best bet to scan for it and, if anything is found, remove it.

        Windows - commercial by definition and now function...
      • #2300724

        @den4, similar problems with Windows 8.1 and Defender. Do you use a third-party anti-telemetry program that automatically re-adds the anti-telemetry sites to your host file on reboot? Or did you, as in my case, rerun a program that adds entries to the host file?
        In my case, when testing this issue, Defender flagged (same entry as your post) each time I ran Spybot Anti-Beacon. Defender kept adding instances to the history section of Defender. Once I realized what was causing the issue, I de-selected Anti-telemetry in Spybot Anti-Beacon, and selected “Remove” for all detected items from Defender’s history section.

        • #2300745

          Sueska, there was this thread that went over that last year. Also therein is an alternative 3rd party solution that does not alter your HOST file.

          Windows - commercial by definition and now function...
          • #2300763

            Thank you Microfix, will try the firewall method.

    • #2300655

      Thanks for the reply.

      I do have MBAM premium already and it does not pick up anything either. Slight correction to the above post: I meant it now shows 4 instances where it was showing 2.

      I read the MSSI report but it didn’t really make things clearer.

      My main concern was that it reappears after every reboot despite being quarantined by Defender and then deleted, and the number of instances is increasing.

    • #2300660

      Every time I have rebooted it recently Windows Defender has flagged multiple entries of “SettingsModifier:Win32/HostsFileHijack”. Each time Defender removes them to quarantine but they are back again after the next reboot.

      Is this the same as discussed above or do I have some malware somewhere?

      It is the same as discussed above.

    • #2300670

      Windows Defender has flagged multiple entries of “SettingsModifier:Win32/HostsFileHijack”

      Can you post details of the report?

      cheers, Paul

    • #2300928

      It has now gone up to 5 instances, here’s the report from Defender.

    • #2301122

      Defender is reporting the changes to HOSTS, not the “offending” program.

      Post the text from your HOSTS file and we will advise if any of the changes seem malicious. If not, you can tell Defender to ignore those changes.

      cheers, Paul

    • #2301127

      As requested, the content of the Host file.

      —————————————————————————-

      # AutoGenerated by Microsoft (R) Malware Protection Engine.
      # Copyright (c) 1993-2009 Microsoft Corp.
      #
      # This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
      #
      # This file contains the mappings of IP addresses to host names. Each
      # entry should be kept on an individual line. The IP address should
      # be placed in the first column followed by the corresponding host name.
      # The IP address and the host name should be separated by at least one
      # space.
      #
      # Additionally, comments (such as these) may be inserted on individual
      # lines or following the machine name denoted by a '#' symbol.
      #
      # For example:
      #
      # 102.54.94.97 rhino.acme.com # source server
      # 38.25.63.10 x.acme.com # x client host

      127.0.0.1 localhost
      ::1 localhost

    • #2301130

      That is a standard harmless HOSTS file.

      Do you have a copy of the one Defender complained about? Try restoring one from Defender.

      cheers, Paul

    • #2301138

      That’s what I thought as well, but I didn’t think to restore one for a look.

      Here’s the text from a restored one. It seems to concern Spybot Anti-Beacon entries.

      ————————————————————————————–

      # Start of entries inserted by Spybot – Search & Destroy
      # This list is Copyright 2000-2015 Safer-Networking Ltd.
      # End of entries inserted by Spybot – Search & Destroy

      # Start of entries inserted by Spybot Anti-Beacon for Windows 10
      0.0.0.0 choice.microsoft.com
      0.0.0.0 choice.microsoft.com.nstac.net
      0.0.0.0 df.telemetry.microsoft.com
      0.0.0.0 oca.telemetry.microsoft.com
      0.0.0.0 oca.telemetry.microsoft.com.nsatc.net
      0.0.0.0 redir.metaservices.microsoft.com
      0.0.0.0 reports.wes.df.telemetry.microsoft.com
      0.0.0.0 services.wes.df.telemetry.microsoft.com
      0.0.0.0 settings-sandbox.data.microsoft.com
      0.0.0.0 settings-win.data.microsoft.com
      0.0.0.0 sqm.df.telemetry.microsoft.com
      0.0.0.0 sqm.telemetry.microsoft.com
      0.0.0.0 sqm.telemetry.microsoft.com.nsatc.net
      0.0.0.0 telecommand.telemetry.microsoft.com
      0.0.0.0 telecommand.telemetry.microsoft.com.nsatc.net
      0.0.0.0 telemetry.appex.bing.net
      0.0.0.0 telemetry.microsoft.com
      0.0.0.0 telemetry.urs.microsoft.com
      0.0.0.0 vortex-sandbox.data.microsoft.com
      0.0.0.0 vortex-win.data.microsoft.com
      0.0.0.0 vortex.data.microsoft.com
      0.0.0.0 watson.telemetry.microsoft.com
      0.0.0.0 watson.telemetry.microsoft.com.nsatc.net
      0.0.0.0 watson.ppe.telemetry.microsoft.com
      0.0.0.0 wes.df.telemetry.microsoft.com
      0.0.0.0 vortex-bn2.metron.live.com.nsatc.net
      0.0.0.0 vortex-cy2.metron.live.com.nsatc.net
      0.0.0.0 watson.live.com
      0.0.0.0 watson.microsoft.com
      0.0.0.0 feedback.search.microsoft.com
      0.0.0.0 feedback.windows.com
      0.0.0.0 corp.sts.microsoft.com
      0.0.0.0 diagnostics.support.microsoft.com
      0.0.0.0 i1.services.social.microsoft.com
      0.0.0.0 i1.services.social.microsoft.com.nsatc.net
      0.0.0.0 vortex-bn2.metron.live.com.nsatc.net
      0.0.0.0 vortex-cy2.metron.live.com.nsatc.net
      # End of entries inserted by Spybot Anti-Beacon for Windows 10
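An added example (not code from the thread or from any tool it names) of the check Paul describes above: given a HOSTS file like the restored Spybot one, it separates sinkhole entries (0.0.0.0, 127.0.0.1 and ::1 only blackhole a name) from entries that point a name at a routable address, which is what a genuine hosts-file hijack looks like and what deserves a closer look. The sample file, the hostname login.example-bank.test and the address 203.0.113.7 are constructed.

```python
"""Audit a Windows HOSTS file: separate harmless sinkhole entries from
real redirections of the kind a genuine hosts-file hijack would add.
Added example; not from the thread, Defender, Spybot or any other tool."""
import ipaddress

# Addresses that only "blackhole" a name; they cannot send traffic anywhere.
SINKHOLE_IPS = {"0.0.0.0", "127.0.0.1", "::1"}


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for each active (non-comment) mapping."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                            # malformed line, skip it
        for name in parts[1:]:
            yield str(ip), name.lower(), n


def classify_hosts(text):
    """Return {'sinkholed': [names sent nowhere],
               'redirected': [(name, ip, line_no) pointed at a real address]}."""
    result = {"sinkholed": [], "redirected": []}
    for ip, name, n in parse_hosts(text):
        if ip in SINKHOLE_IPS:
            if name != "localhost":   # the two default entries are not blocks
                result["sinkholed"].append(name)
        else:
            result["redirected"].append((name, ip, n))
    return result


# Constructed sample: default entries, a Spybot-style telemetry block, and one
# entry of the kind an actual hijack contains (a login host sent to a routable
# address, using the TEST-NET-3 documentation range).
SAMPLE = """\
# AutoGenerated by Microsoft (R) Malware Protection Engine.
127.0.0.1 localhost
::1 localhost
# Start of entries inserted by Spybot Anti-Beacon for Windows 10
0.0.0.0 telemetry.microsoft.com
0.0.0.0 watson.telemetry.microsoft.com   # crash reporting
# End of entries inserted by Spybot Anti-Beacon for Windows 10
203.0.113.7 login.example-bank.test
"""

if __name__ == "__main__":
    r = classify_hosts(SAMPLE)
    print("sinkholed (benign blocks):", r["sinkholed"])
    print("redirected (review these):", r["redirected"])
```

Only the last category is what a hosts-file hijack actually consists of; a file made up solely of sinkhole lines for telemetry names, like the restored one above, contains no redirection at all.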

    • #2302012

      Your original file shows that MS is attempting to remove telemetry blocks and calling it malware to justify the behaviour.
      Disingenuous at best.

      Tell Defender to ignore the file (allow).

      cheers, Paul

    • #2302021

      Many thanks Paul. I wasn’t sure so I thought I’d better ask someone who knows better.

    • #2323859

      It’s NOT what MicroSoft “want” to DO,
      It is merely that “MS” looks inside that HOST file, and SEES ALL one’s IP-related ROUTINGS.
      ..
      It is NOT the way for them, conducting SEARCHES on ONE’S PC…
      ..
      I can only say, THAT IS ILLEGAL !!…
      IT IS OUR PC, NOT THEIRS….
