Windows 10: HOSTS File Blocking Telemetry Is Now Flagged As a Risk (bleepingcomputer.com)

AmiMoJo writes: Starting at the end of July, Microsoft has begun detecting HOSTS files that block Windows 10 telemetry servers as a 'Severe' security risk. Windows 10 users are reporting that Windows Defender had started detecting modified HOSTS files as a 'SettingsModifier:Win32/HostsFileHijack' threat. So it seems that Microsoft had recently updated their Microsoft Defender definitions to detect when their servers were added to the HOSTS file. Users who utilize HOSTS files to block Windows 10 telemetry suddenly saw the HOSTS file hijack detection. Users who intentionally modify their HOSTS file can allow this 'threat,' but it may enable all HOSTS modifications, even malicious ones, going forward.
  • by account_deleted ( 4530225 ) on Tuesday August 04, 2020 @10:08AM (#60364749)
    Comment removed based on user account deletion
  • by xonen ( 774419 ) on Tuesday August 04, 2020 @10:09AM (#60364753) Journal

    `Microsoft Defender` - defends Microsoft's interests.

    Oh, you had the impression that this software was to protect the user? Microsoft apologizes for not being clear enough. It's to protect Microsoft against users.

    • by rtb61 ( 674572 ) on Tuesday August 04, 2020 @10:17AM (#60364781) Homepage

      Do all of the following https://www.techpout.com/how-t... [techpout.com], keep in mind with forced updates, they can undo it all, any time they want to and the EULA you agree to gives them permission to do so. Use windows for games and boot to linux for anything serious and general internet browsing. Just use the toy operating system to play games, that is all that it is good for, just like they play games with their users.

      • Linux is pretty good for games too, these days. It's not great. It's not as good as Windows. But it is much improved over the wasteland it was back before Steam made its big Linux push.

        • Still not nearly enough there.
          • Enough for what?

            • by Calydor ( 739835 )

              In short, if all my friends are playing Borderlands 3 it's not really useful for me if Linux has only just gotten Borderlands 2 running.

              Game name taken at random as the first one that popped into my head for use as an example; I have no idea which if any or all of the Borderlands games work on Linux.

              • Sounds like you need better friends.

                We're doing BL2 Co-Op right now and having a blast.

                The only problem is if you only hang around with people who absolutely must play the latest and greatest, and are willing to shell out any amount of money to do that. If that's your crowd, yeah, you're out of luck. But there are a whole lot of us out there who no longer are about that life, and just want to get together, drink some beers, and screw around in a game.

        • Re:What's in a name (Score:5, Informative)

          by slack_justyb ( 862874 ) on Tuesday August 04, 2020 @12:04PM (#60365165)

          Indeed. Linux is pretty decent. I have several games from Steam and I've gotten a lot working under Lutris. Not to mention emulators and actual open source games as well. Linux gaming has come a long way!

          For those considering dual-booting. Something to also consider is using IOMMU. This is sometimes called PCI pass through, but it's a lot more than just that. In short, it allows you to create hardware pools that VMs can use natively. The catch is that your host OS will not be able to use anything in the pool. I helped a friend setup a Win 10 VM using IOMMU. If you're using Intel, you need to check all your hardware for proper support, your CPU, GPU, and your motherboard need to be able to support IOMMU. AMD, pretty much all their stuff supports this out of the box, except the really low end of those things (especially mobo, don't cheap out on that, get a good name brand). Also doesn't hurt to have a monitor with multiple inputs that can be switched easily.

          For my friend we made a Linux host and a Linux VM and Win 10 VM. The two VMs used the one GPU in the pool so that meant that you'd have to save state for one VM before jumping into the other VM, but that was a lot faster than shutting down and booting up OSes between partitions. However, getting your host OS to create the pool and manage it, isn't some walk in the park. It's a lot of configuring that's involved and it's not something I'd recommend to someone who isn't completely comfortable with the command line. Also, there's all kinds of gotchas along the way (think USB and your keyboard and mouse. All the hardware you want to bring has to be in the pool beforehand, ALL of it.). But when you getting it working, it works flawlessly. Windows 10 will run games at native speeds within the VM because the VM has dedicated access to the bare metal. Also, when it's working perfectly, it's pretty slick swapping from OS to OS without a reboot and getting native speeds.

      • Just run Windows in a VM, and skip the booting.

        https://www.reddit.com/r/VFIO/ [reddit.com]

      • by swilver ( 617741 )

        Use proxifier. Do not set the Explorer/Edge/Windows proxy settings. Windows will think there is no internet. Allow the programs you do want to use the proxy. Whitelist IP addresses for things that cannot go through a proxy (games).

      • by jenningsthecat ( 1525947 ) on Tuesday August 04, 2020 @12:40PM (#60365351)

        ... Just use the toy operating system to play games, that is all that it is good for, just like they play games with their users.

        To call Windows a 'toy operating system' is to praise it with faint damns. Call it what it is - a collection of spyware, adware, rentware, and shovelware masquerading as an OS.

      • Use windows for games and boot to linux for anything serious and general internet browsing.

        Exactly.

        Windows has become an unmanageable nightmare of interconnected crap, telemetry, tracking, and forced insistence on doing it "their way".

    • Re:What's in a name (Score:4, Interesting)

      by jenningsthecat ( 1525947 ) on Tuesday August 04, 2020 @12:37PM (#60365333)

      It's to protect Microsoft against users.

      No, it's to protect Microsoft against the used. Microsoft no longer has users as we knew them - they simply have the modern tech equivalent of feudal serfs.

  • Blockage. (Score:5, Informative)

    by Ostracus ( 1354233 ) on Tuesday August 04, 2020 @10:11AM (#60364761) Journal

    So block at the router then.

    • So block at the router then.

      This.

      At first I was going to cite laziness or a lack of knowledge, but those who are coding hosts files should have the skills to put a filter in a router.

      And what's up with this "HOSTS" nonsense? Making this an acronym now? What, HOse System Telemetry Shit?

      • Wikipedia says it's a reference to the ARPANET days, when a HOSTS.txt file was shared manually. Windows 3.1 maintained the capitals in its HOSTS file. But when they adopted the BSD TCP/IP, Windows reverted to a lowercase etc\hosts file.

        • I doubt it was ever called ".txt". This extension == file type concept is a very DOS/Windows-y thing. So much so, that OS/2, which as you might know, was the IBM fork of what NT was the MS fork of, actually supported file type info in the file system itself, independently of the file name.

          • It predated DOS also. This particular usage seems to have been from TOPS-20, and other mainframe systems. The extension didn't always mean file type, it was mostly a convention, it let the user know what this was a text file and could be viewed or printed out without showing gibberish.

            Remember, when MS-DOS came out, the computer world had already matured quite a lot, Unix was already a few years old, Emacs was five years old, the Mother of All Demos was over ten years old, GUIs existed, complex command lin

        • Wikipedia says HOSTS.TXT, which makes a lot more sense than the mixed case version does.

        • ...Windows 3.1 maintained the capitals in its HOSTS file. But when they adopted the BSD TCP/IP, Windows reverted to a lowercase etc\hosts file.

          Makes sense. I mean, this just happened last week, right? So naturally we'll see some residual "HOSTS.txt" typos...

          Next week's title: "MICROS~1 TELEME~1.TXT AND YOU"

  • Alarmist much? (Score:5, Insightful)

    by Actually, I do RTFA ( 1058596 ) on Tuesday August 04, 2020 @10:12AM (#60364765)

    Most times the hosts file is fucked with, it's for nefarious purposes. Double checking that's what the user wanted (and allowing it, and from the sound of it being able to turn off that alert going forward) seems reasonable.

    Meanwhile, of course saying "don't scan my hosts file" because you changed it means that if your hosts file is compromised by another actor it won't detect it. Duh. If you had the ability to make computers do exactly what you wanted even if you told them otherwise you'd be retired on a beach somewhere, not working on Windows Defender.

    • Most times the hosts file is fucked with, it's for nefarious purposes.

      Every time telemetry is defended, it's for nefarious purposes.

      • Re:Alarmist much? (Score:4, Informative)

        by Actually, I do RTFA ( 1058596 ) on Tuesday August 04, 2020 @12:30PM (#60365305)

        It's not defending telemetry. It's detecting changes to the hosts file that weren't made by whitelisted apps. Don't let the fact that the example they used involved telemetry to generate a more clickbait headline confuse you.

        This, by the way, is why turning off the warning allows any changes to the hosts file without the warning in the future. It's not a strange punishment.

    • by pjt33 ( 739471 )

      Having hosts file modifications might be a symptom of some hijacking software, but is it a "risk" as claimed by Defender? Assuming that the telemetry upload uses TLS and requires the server to have a valid cert, it's not going to send the telemetry to a third party.

        WTF does it have to do with telemetry being TLS? The fact that the telemetry is turned off in the hosts means the hosts file is changed. Nothing in the article even implies that blocking Google Analytics in the hosts file doesn't cause the same popup warning. Which, since the warning is "hosts file fucked with", makes sense.

        They just chose an example of a legitimate use that seems like its specifically opposed by Microsoft. When it just detects any changes to the hosts file not via MS's whitelisted apps.

        S

        • by pjt33 ( 739471 )

          I block Google Analytics in the hosts file and haven't had any warnings. And I edit it with Notepad, which probably isn't in any such whitelist.

          • Add/modify a Google Analytic or similar record. Save. Confirm it doesn't alert. Then add an MS domain the same way and see if it alerts. Because I haven't seen anyone isolate that change as the cause. And while it's technically doable, nothing in the article suggests that's the cause.

            It's entirely possible that they are on a different Windows Defender version or with different options.

        • by GuB-42 ( 2483988 )

          Hosts files are not a block list, they are a name resolver. They can be used to have a name resolve to an invalid address but that's not their primary purpose.

          Often the address 127.0.0.1 (loopback) is used, and since most consumer PCs don't run servers, it effectively blocks the domain. But if you run a server, you are going to see "blocked" services connect to your own machine.
          But you don't have to use 127.0.0.1, for example, an attacker can use his own server and steal telemetry data. Or have a server r

      • For most users who are unaware of what is a hosts file, yes. For advanced users modifying their own hosts file? No.

        • by pjt33 ( 739471 )

          In what way is it a risk? What harm can result from the modification?

          • I've seen malware run a local proxy and direct antivirus sites, google, mail services, bank services, etc. through it vis 'hosts', probably to avoid modifying system proxy settings (which are fairly easy to revert, even for average users). Then they either deliver alternate forms of the sites, or inject nonsense (e.g. all antivirus get redirected to some bogus antivirus 'solution' that wants to charge you exorbitant sums to fix stuff that isn't broken, or simply more malware). I've also seen the redirect th
    • Re:Alarmist much? (Score:4, Insightful)

      by DRJlaw ( 946416 ) on Tuesday August 04, 2020 @11:06AM (#60364983)

      Meanwhile, of course saying "don't scan my hosts file" because you changed it means that if your hosts file is compromised by another actor it won't detect it. Duh.

      So Windows Defender is smart enough to:
      1. Parse the hosts file to see if Microsoft's telemetry servers are blocked (e.g., routed to localhost)
      2. Ignore that other servers are blocked (again, routed to localhost), which I know because I do that.
      3. Not smart enough to parse the hosts file to see if other particular servers are blocked that may be associated with "nefarious purposes"
      4. Not smart enough to allow particular hosts file entries to be excluded from warnings while continuing to scan for others

      Bull. This is a fit of pique. "Allow our telemetry servers or screw you." Next they'll refuse to allow file-level exceptions if you block telemetry from applications using the Windows Defender Firewall.

      • Windows Defender is smart enough to tell that the hosts file got changed. It's not clear at all that this new detection specifically finds MS entries in the hosts file. The article implies it just finds changes in the hosts file made from sources other than whitelisted apps. That's why turning off the detection leaves yourself open to other hosts hijacking.

        If you have other information, you should write it up. Because that's not what the article says.

        • by DRJlaw ( 946416 )

          Windows Defender is smart enough to tell that the hosts file got changed. It's not clear at all that this new detection specifically finds MS entries in the hosts file.

          Read my initial post, item 2. It is clear, because I've done it and it doesn't get flagged.

          You may read RTFA, but you don't actually RTFC, do you?

            I do. That's why instead of just dismissing your claim out of hand (like I did to other responders who based their statements on the headlines) I asked you to write it up. A single detailless assertion isn't a write up. Have you never done bug-fixing? I have no idea when you last updated Windows Defender or even if it runs. It's not an always-on update and a lot of people on this site would turn it off and use another security tool.

            If you want to demonstrate it, I recommend checking there's no detecti

            • by DRJlaw ( 946416 )

              I do. That's why instead of just dismissing your claim out of hand (like I did to other responders who based their statements on the headlines) I asked you to write it up. A single detailless assertion isn't a write up.

              I did write it up. That you don't think it's a write up is your problem. You can get firsthand experience yourself, trivially, and write it up in whatever format you prefer.

              I have no idea when you last updated Windows Defender or even if it runs. It's not an always-on update and a lot of p

    • by swilver ( 617741 )

      Or perhaps only alert if the host file signature changed. But that would be too difficult. Creating a signature of a file is much harder than scanning it specifically looking for blocking telemetry hosts.

      Only positive thing that can come from this bullshit is that we might be able to extract from Windows Defender the full list of telemetry hosts... and block those at the router.

      • Nothing in the article says it looks for specific changes in the host file. It implies that it detects and blocks any changes to the hosts file that comes from non-approved applications. Which makes sense for most users. The average user is more likely to be hijacked by the hosts file than block telemetry.

        Now, I think blocking telemetry is objectively good. In fact, I need to set up a new computer with windows telemetry blocking... any good link would be appreciated.

    • by jythie ( 914043 )
      I had a similar thought. It really can not tell if you or malware changed the file, and it is unusual for a user to try to bypass things that way, so it makes sense that the 'find common intrusion signs' tool would flag it and ask the user what to do.
    • Or you know, you could see that the *only* entries in the hosts file are the ones that block Microsoft telemetry and decide the changes are benign. Sure that's more work and MSFT is unlikely to do it (since it's not in their interest) but it's not like parsing a hosts file to see what the changes are is a particularly difficult task.
    • Re:Alarmist much? (Score:4, Informative)

      by Solandri ( 704621 ) on Tuesday August 04, 2020 @04:06PM (#60366199)
      Malware won't modify your hosts file to redirect traffic to 127.0.0.1 (localhost). To do so would be pointless (unless the malware's intent is to break your computer's access to the Internet). Most malware which modifies the hosts file will redirect common secure sites like citibank.com to the IP address of servers under their control.

      OTOH, when you use the hosts file to block sites from being accessed, you do so by redirecting sites to 127.0.0.1.

      So it's trivial to implement a check to see whether the hosts file has been modified in a non-malicious manner. For the purpose of malware detection, just ignore all entries which redirect to 127.0.0.1. That Microsoft isn't implementing this simple exclusion is evidence that they're doing this explicitly to try to thwart blocking of undesired telemetry and services.
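The distinction Solandri draws above (a block points a name at loopback, a hijack points it at a server the attacker controls) is easy to turn into a check, and the same parse yields the list of names to push to a router resolver, as Ostracus and swilver suggest further up. What follows is an added example written for this page, not code from the article, from Microsoft Defender or from any poster. The host names and addresses in it are constructed placeholders, and `LAN_NETS`, `classify`, `triage` and `dnsmasq_rules` are this example's own names. It generalizes the thread's 127.0.0.1 case to any loopback or unspecified address (0.0.0.0, ::1, ::), and separates out entries that point at RFC 1918 space, which are usually a local NAS or proxy rather than either a block or an internet hijack.

```python
"""Triage a Windows hosts file and turn its block entries into router-side DNS rules.

Added example for this discussion (not code from the article or from Microsoft).
Host names and addresses below are constructed placeholders, not a real telemetry
list. Assumption: the only signal examined is where each name points.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# RFC 1918, IPv6 ULA and link-local: a name pointed here is most likely a LAN box
# (NAS, local proxy), which is neither a block nor an internet hijack.
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7", "fe80::/10")]


@dataclass
class HostsEntry:
    line_no: int
    address: IPAddr
    names: List[str]
    category: str


def classify(addr: Union[str, IPAddr]) -> str:
    """sinkhole: the name goes nowhere (127.x, ::1, 0.0.0.0, ::), the blocking idiom.
    lan: points at the local network. remote: redirected to an internet host, which
    is what hijacking malware does (fake bank, fake AV vendor, attacker-run sink)."""
    ip = ipaddress.ip_address(addr) if isinstance(addr, str) else addr
    if ip.is_loopback or ip.is_unspecified:
        return "sinkhole"
    if any(ip in net for net in LAN_NETS):   # v4/v6 mismatch simply yields False
        return "lan"
    return "remote"


def parse_hosts(text: str) -> List[HostsEntry]:
    entries: List[HostsEntry] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = line.split()                    # tabs or spaces, hosts accepts both
        if len(fields) < 2:
            continue                             # an address with no names is inert
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                             # malformed address, skipped
        names = [n.lower() for n in fields[1:]]  # one address may carry several names
        entries.append(HostsEntry(line_no, ip, names, classify(ip)))
    return entries


def triage(text: str) -> Dict[str, List[HostsEntry]]:
    """Bucket every entry so a reviewer sees blocks, LAN pointers and redirects apart."""
    buckets: Dict[str, List[HostsEntry]] = {"sinkhole": [], "lan": [], "remote": []}
    for entry in parse_hosts(text):
        buckets[entry.category].append(entry)
    return buckets


def dnsmasq_rules(entries: List[HostsEntry]) -> List[str]:
    """One dnsmasq 'address=' line per sinkholed name so the router answers 0.0.0.0
    itself instead of forwarding. Caveat: address=/x/ also matches subdomains of x,
    which a hosts entry does not, and clients using DoH bypass the router resolver."""
    names = sorted({n for e in entries if e.category == "sinkhole" for n in e.names})
    return [f"address=/{name}/0.0.0.0" for name in names]


# Constructed sample; a fresh Windows 10 hosts file contains only comment lines.
SAMPLE_HOSTS = """\
# constructed sample, not a real system file
0.0.0.0        telemetry.example.com    # user block via the unspecified address
127.0.0.1      stats.example.net        # user block via loopback
192.168.1.20   nas.home.arpa            # LAN host, legitimate
198.51.100.7   www.examplebank.com      # name redirected to a remote address
not-an-address broken.example.org       # malformed line, ignored
"""

if __name__ == "__main__":
    for category, found in triage(SAMPLE_HOSTS).items():
        for e in found:
            print(f"{category:8} line {e.line_no}: {e.address} -> {', '.join(e.names)}")
    print("\n".join(dnsmasq_rules(parse_hosts(SAMPLE_HOSTS))))
```

Run as-is, the sample yields two sinkhole entries, one LAN entry and one remote redirect (the bank name on line 5), and two `address=` lines for the router. What this cannot do is the thing several posters are arguing about: it does not know who wrote an entry. A loopback entry for a security vendor's update host is a malware pattern too, as others in this thread point out, so "ignore everything that points at 127.0.0.1" is a triage aid, not a clean bill of health; an allow-list of names you put there yourself is the missing piece.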
  • by jacks smirking reven ( 909048 ) on Tuesday August 04, 2020 @10:15AM (#60364773)

    For real Microsoft, if you want Win10 to be this big data collection machine then just make it free and let power users pay to "unlock" the system and eliminate dumb nonsense like this. At least Google has the sense to give services for free to individuals in exchange for our sweet succulent data.

    • I'm sure Microsoft would have gotten this message if power users didn't disable telemetry in the first place.

    • "Make it free" won't work when they can make people pay by bundling. What else are they going to do, buy Apple? ... Maybe if Apple ever came out with a low-cost model of anything. ChromeOS and Linux are non-starters for the majority, since they need specific applications to work. They think repo is something that happens to their truck. What's a config file?

      I could maybe see them doing a Super Pro Ultimate version that lets you turn off the tracking, though. Unless any of the threeletter boys have an object

    • Comment removed based on user account deletion
      • by An Ominous Cow Erred ( 28892 ) on Tuesday August 04, 2020 @01:14PM (#60365507)

        It's worse than that, they won't even SELL you the corporate edition unless you meet their requirements. They refuse to sell it to individuals, and they won't sell it to you if you're just some person who self-incorporated. You need to be a big enough outfit that you fall under their corporate customer service department.

        (This also goes for the education edition, which also lets you turn off telemetry.)

        • I just stole my copy of the corporate edition. Oddly enough it didn't cause me to lose any sleep.

          I only use Windows to run some security camera software; everything else is on Linux, including the NAS.

    • Yep. With Windows 10 I feel like they're making me pay twice. Give me spying for free or a nice, clean system for money.
  • by DarkRookie2 ( 5551422 ) on Tuesday August 04, 2020 @10:31AM (#60364827)
    It is not like they are using telemetry to fix or improve anything
    Win 10 still runs poorly if on a mech drive. You still cannot search file extensions in Settings. Start Menu is still a mess.
    • It is not like they are using telemetry to fix or improve anything

      Based on your single use case from search? MS has shown that telemetry drives absolutely every decision they make in the damn OS. This is also why "experts" keep complaining that Windows is getting dumbed down. No shit, MS doesn't know how "experts" use the OS because they block telemetry.

      • Goddamn, man. Have you NEVER had to try and change the settings on an extension in that turd? Why the fuck is there not a search box?

        Or setup a network printer on a network with lots of users? It forces you to wait while every device is displayed, then you have to scroll all the way to the bottom of this gargantuan list and click the "device isn't listed" link so you can enter the address manually. Why not look in the list? Oh yeah, NO SEARCH BOX. And yes, they're talking gleefully about fully sunsetting th

    • Not just on a mech drive
  • by VeryFluffyBunny ( 5037285 ) on Tuesday August 04, 2020 @10:42AM (#60364869)
    Right, that does it! I'm indignantly outraged. I'm sticking with Windows 9 from now on.
  • Comment removed (Score:5, Insightful)

    by account_deleted ( 4530225 ) on Tuesday August 04, 2020 @11:00AM (#60364955)
    Comment removed based on user account deletion
  • That soylent green you want to eat? That's actually people...

    • That soylent green you want to eat? That's actually people...

      Shhhh! Don't tell them that you fool!! You'll make them want it even more!!!

  • by BAReFO0t ( 6240524 ) on Tuesday August 04, 2020 @11:50AM (#60365117)

    That does its own resolution. (No forwarding. But caching.)
    And have your home server's DNS announce it, so Windows automatically grabs it.
    And block passing through DNS packets in your home server's firewall.
    It is really not that hard.

    The only asshole on the block (apart from MS) is DoH-using software, like browsers, which circumvent your DNS server and firewall AFAIK. (Though isn't that a nightmare for every business intranet?)
    I guess you need to do deep packet inspection to block those in your firewall, in case the browser "forgets" your changed name resolution settings yet again.

  • I mean basically the first thing nearly every malware does is disable updates and block all MS servers in the HOSTS file. Why the hell hasn't defender done this for years?

    Oh sure plenty of people will frame this as not blocking telemetry, but the reality is this change blocks any change that blocks any Microsoft servers, no kidding, that's what malware does.

  • While telemetry is the focus of the article, it looks like the actual threat detection is if the hosts file has been modified to block any of Microsoft's servers INCLUDING telemetry related ones. While people are assuming the worst, I suspect the telemetry bit was more of a side effect of lazy list making, and the actual objective was looking for hijacks that redirect the user to fake Microsoft sites in general.

    Just because a change affects something does not mean the thing was the intended target, esp w
  • What telemetry? I never gave them permission to look at my web sites or watch what I type, and don't use their browser.

  • by NotInKansas ( 5367383 ) on Tuesday August 04, 2020 @12:30PM (#60365303)
    HOSTS file entries for Windows telemetry servers have always been quietly ignored, i.e. it didn't work. The only difference here is that Defender is now specifically calling it out.

    If you thought your HOSTS file entries were blocking all of the Microsoft "phone home" information, you were sadly mistaken!
    • by Flurg ( 7107107 )
      Not true. Windows ignores the HOSTS file for a few services like Update but the telemetry servers are not among them. You can find this confirmed by users if you search.

      I think people are crazy to use Windows as laxly as they do and almost all my use of it is done via air-gapped PCs, but this has been a long running urban legend since Microsoft announced the use of hard coded IPs. All of the services they put that way were dangerously susceptible to hijack and it was actually one of the rare things they
  • Never mind HOSTS. It's trivial for Microsoft (or any other virus author) to roll their own name resolution and then deliver an IP address to set up a connection. Anything from DoH to hard-coded IPs in an app can get around HOSTS blocks. And if you think you can set up a firewall rule on your system, the people who actually administrate your machine (Microsoft) can easily un-set it.

    Block communications using dedicated network gateway hardware. Something that Microsoft can't reset or in any way get inside of

    • by Bert64 ( 520050 )

      Unless you use the windows system to administer your dedicated network gateway hardware, and then there's nothing really stopping them from hijacking that too aside from the complexity of handling multiple different ways of doing so for different types of hardware.

  • OMG, the hapless screamer known as "APK" is going to freak the fuck out. How will he ever survive?

    BTW, I've noticed almost none of his drivel polluting slashdot lately, so whatever the mods are doing, keep it up.

    • So far as I understand it, though, they don't allow AC posts from posters not already signed in. Frankly, at this point, they should just get rid of AC posts completely, but at least this modest change sent APK into a kind of purgatory, and since it seems likely that sooner or later the hosts file is likely to be ignored, at least where it tries to alter Windows telemetry, I'd say his Windows NT 4-era app is even less interesting than it was before.

  • Just out of curiosity: has anyone discovered where Windows 10 is caching all this 'telemetry' data?
  • User: What does my telemetry data tell you?

    Microsoft #1: It's telling us that our software is broken.

    Microsoft #2: Uh, that's not true at all. Telemetry works.
  • I guess it's time everyone started nipping this shit at the network entrance. Those who don't have control of their router should purchase a good Tomato compatible router or give a Raspberry Pi router a go. This corporate control over how/what we do with our own systems, spying on us, tracking us, etc.. all needs to stop.

    Or, you know, run a better OS...

  • Someone needs to launch a DNS service that sends telemetry hosts to nowhere. Or run your own nameserver and answer for the hosts you want to BL. Then you just set your DNS to match these new nameservers and Windows doesn't know.

  • If it can detect modified dubious entries in the HOSTS file, it should be able to clean the ones you deem dubious, and keep the ones you deem ok. It's not like it's flagging it if you just modify your HOSTS file, so it does know which ones it doesn't like.
