Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Windows IT

Windows 10: HOSTS File Blocking Telemetry Is Now Flagged As a Risk (bleepingcomputer.com) 159

AmiMoJo writes: Starting at the end of July, Microsoft has begun detecting HOSTS files that block Windows 10 telemetry servers as a 'Severe' security risk. Windows 10 users are reporting that Windows Defender had started detectingmodified HOSTS files as a 'SettingsModifier:Win32/HostsFileHijack' threat. So it seems that Microsoft had recently updated their Microsoft Defender definitions to detect when their servers were added to the HOSTS file. Users who utilize HOSTS files to block Windows 10 telemetry suddenly caused them to see the HOSTS file hijack detection. Users who intentionally modify their HOSTS file can allow this 'threat,' but it may enable all HOSTS modifications, even malicious ones, going forward.
This discussion has been archived. No new comments can be posted.

Windows 10: HOSTS File Blocking Telemetry Is Now Flagged As a Risk

Comments Filter:
  • by account_deleted ( 4530225 ) on Tuesday August 04, 2020 @09:08AM (#60364749)
    Comment removed based on user account deletion
  • by xonen ( 774419 ) on Tuesday August 04, 2020 @09:09AM (#60364753) Journal

    `Microsoft Defender` - defends Microsoft's interests.

    Oh, you had the impression that this software was to protect the user? Microsoft apologizes for not being clear enough. It's to protect Microsoft against users.

    • by rtb61 ( 674572 ) on Tuesday August 04, 2020 @09:17AM (#60364781) Homepage

      Do all of the following https://www.techpout.com/how-t... [techpout.com], keep in mind with forced updates, they can undo it all, any time they want to and the EULA you agree to gives them permission to do so. Use windows for games and boot to linux for anything serious and general internet browsing. Just use the toy operating system to play games, that is all that it is good for, just like they play games with their users.

      • Linux is pretty good for games too, these days. It's not great. It's not as good as Windows. But it is much improved over the wasteland it was back before Steam made its big Linux push.

        • Still not nearly enough there.
          • Enough for what?

            • by Calydor ( 739835 )

              In short, if all my friends are playing Borderlands 3 it's not really useful for me if Linux has only just gotten Borderlands 2 running.

              Game name taken at random as the first one that popped into my head for use as an example; I have no idea which if any or all of the Borderlands games work on Linux.

              • Sounds like you need better friends.

                We're doing BL2 Co-Op right now and having a blast.

                The only problem is if you only hang around with people who absolutely must play the latest and greatest, and are willing to shell out any amount of money to do that. If that's your crowd, yeah, you're out of luck. But there are a whole lot of us out there who no longer are about that life, and just want to get together, drink some beers, and screw around in a game.

        • Re:What's in a name (Score:5, Informative)

          by slack_justyb ( 862874 ) on Tuesday August 04, 2020 @11:04AM (#60365165)

          Indeed. Linux is pretty decent. I have several games from Steam and I've gotten a lot working under Lutris. Not to mention emulators and actual open source games as well. Linux gaming has come a long way!

          For those considering dual-booting. Something to also consider is using IOMMU. This is sometimes called PCI pass through, but it's a lot more than just that. In short, it allows you to create hardware pools that VMs can use natively. The catch is that your host OS will not be able to use anything in the pool. I helped a friend setup a Win 10 VM using IOMMU. If you're using Intel, you need to check all your hardware for proper support, your CPU, GPU, and your motherboard need to be able to support IOMMU. AMD, pretty much all their stuff supports this out of the box, except the really low end of those things (especially mobo, don't cheap out on that, get a good name brand). Also doesn't hurt to have a monitor with multiple inputs that can be switched easily.

          For my friend we made a Linux host and a Linux VM and Win 10 VM. The two VMs used the one GPU in the pool so that meant that you'd have to save state for one VM before jumping into the other VM, but that was a lot faster than shutting down and booting up OSes between partitions. However, getting your host OS to create the pool and manage it, isn't some walk in the park. It's a lot of configuring that's involved and it's not something I'd recommend to someone who isn't completely comfortable with the command line. Also, there's all kinds of gotchas along the way (think USB and your keyboard and mouse. All the hardware you want to bring has to be in the pool beforehand, ALL of it.). But when you getting it working, it works flawlessly. Windows 10 will run games at native speeds within the VM because the VM has dedicated access to the bare metal. Also, when it's working perfectly, it's pretty slick swapping from OS to OS without a reboot and getting native speeds.

      • Just run Windows in a VM, and skip the booting.

        https://www.reddit.com/r/VFIO/ [reddit.com]

      • by swilver ( 617741 )

        Use proxifier. Donot set the Explorer/Edge/Windows proxy settings. Windows will think there is no internet. Allow the programs you do want to use the proxy. Whitelist ip addresses for things that cannot go through a proxy (games).

      • by jenningsthecat ( 1525947 ) on Tuesday August 04, 2020 @11:40AM (#60365351)

        ... Just use the toy operating system to play games, that is all that it is good for, just like they play games with their users.

        To call Windows a 'toy operating system' is to praise it with faint damns. Call it what it is - a collection of spyware, adware, rentware, and shovelware masquerading as an OS.

      • Use windows for games and boot to linux for anything serious and general internet browsing.

        Exactly.

        Windows has become an unmanageable nightmare of interconnected crap, telemetry, tracking, and forced insistence on doing it "their way".

    • Re:What's in a name (Score:4, Interesting)

      by jenningsthecat ( 1525947 ) on Tuesday August 04, 2020 @11:37AM (#60365333)

      It's to protect Microsoft against users.

      No, it's to protect Microsoft against the used. Microsoft no longer has users as we knew them - they simply have the modern tech equivalent of feudal serfs.

  • Blockage. (Score:5, Informative)

    by Ostracus ( 1354233 ) on Tuesday August 04, 2020 @09:11AM (#60364761) Journal

    So block at the router then.

    • So block at the router then.

      This.

      At first I was going to cite laziness or a lack of knowledge, but those who are coding hosts files should have the skills to put a filter in a router.

      And what's up with this "HOSTS" nonsense? Making this an acronym now? What, HOse System Telemetry Shit?

      • Wikipedia says it's a reference to the ARPANET days, when a HOSTS.txt file was shared manually. Windows 3.1 maintained the capitals in its HOSTS file. But when they adopted the BSD TCP/IP, Windows reverted to a lowercase etc\hosts file.

        • I doubt it was ever called ".txt". This extension == file type concept is a very DOS/Windows-y thing. So much so, that OS/2, which as you might know, was the IBM fork of what NT was the MS fork of, actually supported file type info in the file system itself, independently of the file name.

          • It predated DOS also. This particular usage seems to have been from TOPS-20, and other mainframe systems. The extension didn't always mean file type, it was mostly a convention, it let the user know what this was a text file and could be viewed or printed out without showing gibberish.

            Remember, when MS-DOS came out, the computer world had already matured quite a lot, Unix was already a few years old, Emacs was five years old, the Mother of All Demos was over ten years old, GUIs existed, complex command lin

        • Wikipedia says HOSTS.TXT, which makes a lot more sense than the mixed case version does.

        • ...Windows 3.1 maintained the capitals in its HOSTS file. But when they adopted the BSD TCP/IP, Windows reverted to a lowercase etc\hosts file.

          Makes sense. I mean, this just happened last week, right? So naturally we'll see some residual "HOSTS.txt" typos...

          Next week's title: "MICROS~1 TELEME~1.TXT AND YOU"

  • Alarmist much? (Score:5, Insightful)

    by Actually, I do RTFA ( 1058596 ) on Tuesday August 04, 2020 @09:12AM (#60364765)

    Most times the hosts file is fucked with, it's for nefarious purposes. Double checking that's what the user wanted (and allowing it, and from the sound of it being able to turn off that alert going forward) seems reasonable.

    Meanwhile, of course saying "don't scan my hosts file" because you changed it means that if your hosts file is compromised by another actor it won't detect it. Duh. If you had the ability to make computers do exactly what you wanted even if you told them otherwise you'd be retired on a beach somewhere, not working on Windows Defender.

    • Most times the hosts file is fucked with, it's for nefarious purposes.

      Every time telemetry is defended, it's for nefarious purposes.

      • Re:Alarmist much? (Score:4, Informative)

        by Actually, I do RTFA ( 1058596 ) on Tuesday August 04, 2020 @11:30AM (#60365305)

        It's not defending telemetry. It's detecting changes to the hosts file that weren't made by whitelisted apps. Don't let the fact that the example they used involved telemetry to generate a more clickbait headline confuse you.

        This, by the way, is why turning off the warning allows any changes to the hosts file without the warning in the future. It's not a strange punishment.

    • by pjt33 ( 739471 )

      Having hosts file modifications might be a symptom of some hijacking software, but is it a "risk" as claimed by Defender? Assuming that the telemetry upload uses TLS and requires the server to have a valid cert, it's not going to send the telemetry to a third party.

      • WTF does it have to do with telemetry being TLS? The fact that the telemetry is turned off in the hosts means the hosts file is changed. Nothing in the article even implies that blocking Google Analytics in the host file doesn't cause the same popup warning. Which, since the warning is "host file fucked with" makes sense..

        They just chose an example of a legitimate use that seems like its specifically opposed by Microsoft. When it just detects any changes to the hosts file not via MS's whitelisted apps.

        S

        • by pjt33 ( 739471 )

          I block Google Analytics in the hosts file and haven't had any warnings. And I edit it with Notepad, which probably isn't in any such whitelist.

          • Add/modify a Google Analytic or similar record. Save. Confirm it doesn't alert. Then add an MS domain the same way and see if it alerts. Because I haven't seen anyone isolate that change as the cause. And while it's technically doable, nothing in the article suggests that's the cause.

            It's entirely possible that they are on a different Windows Defender version or with different options.

        • by GuB-42 ( 2483988 )

          Hosts files are not a block list, they are an name resolver. They can be used to have an name resolve to an invalid address but that's not their primary purpose.

          Often the address 127.0.0.1 (loopback) is used, and since most consumer PCs don't run servers, it effectively blocks the domain. But if you run a server, you are going to see "blocked" services connect to your own machine.
          But you don't have to use 127.0.0.1, for example, an attacker can use his own server and steal telemetry data. Or have a server r

      • For most users who are unaware of what is a hosts file, yes. For advanced users modifying their own hosts file? No.

        • by pjt33 ( 739471 )

          In what way is it a risk? What harm can result from the modification?

          • I've seen malware run a local proxy and direct antivirus sites, google, mail services, bank services, etc. through it vis 'hosts', probably to avoid modifying system proxy settings (which are fairly easy to revert, even for average users). Then they either deliver alternate forms of the sites, or inject nonsense (e.g. all antivirus get redirected to some bogus antivirus 'solution' that wants to charge you exorbitant sums to fix stuff that isn't broken, or simply more malware). I've also seen the redirect th
    • Re:Alarmist much? (Score:4, Insightful)

      by DRJlaw ( 946416 ) on Tuesday August 04, 2020 @10:06AM (#60364983)

      Meanwhile, of course saying "don't scan my hosts file" because you changed it means that if your hosts file is compromised by another actor it won't detect it. Duh.

      So Windows Defender is smart enough to:
      1. Parse the hosts file to see if Microsoft's telemetry servers are blocked (e.g.,routed to localhost)
      2. Ignore that other servers are blocked (again, routed to localhost), which I know because I do that.
      3. Not smart enough to parse the hosts file to see if other particular servers are blocked that may be associated with "nefarious purposes"
      4. Not smart enough to allow particular hosts file entries to be be excluded from warnings while continuing to scan for others

      Bull. This is a fit of pique. "Allow our telemetry servers or screw you." Next they'll refuse to allow file-level exceptions if you block telemetry from applications using the Windows Defender Firewall.

      • Windows Defender is smart enough to that the hosts file got changed. It's not clear at all that this new detection specifically finds MS entries in the hosts file. The article implies it just finds changes in the hosts file made from sources other than whitelisted apps. That's why turning off the detection leaves yourself open to other hosts hijacking.

        If you have other information, you should write it up. Because that's not what the article says.

        • by DRJlaw ( 946416 )

          Windows Defender is smart enough to that the hosts file got changed. It's not clear at all that this new detection specifically finds MS entries in the hosts file.

          Read my initial post, item 2. It is clear, because I've do it and it doesn't get flagged.

          You may read RTFA, but you don't actually RTFC, do you?

          • I do. That 's why instead of just dismissing your claim out of hand (like I did to other responders who based their statements on the headlines) I asked you to write it up. A single detailless assertion isn't a write up. Have you never done bug-fixing? I have no idea when you last updated Windows Defender or even if it runs. It's not an always-on update and a lot of people on this site would turn it off and use another security tool.

            If you want to demonstrate it, I recommend checking there's no detecti

            • by DRJlaw ( 946416 )

              I do. That 's why instead of just dismissing your claim out of hand (like I did to other responders who based their statements on the headlines) I asked you to write it up. A single detailless assertion isn't a write up.

              I did write it up. That you don't think it's a write up is your problem. You can get firsthand experience yourself, trivially, and write it up in whatever format you prefer.

              I have no idea when you last updated Windows Defender or even if it runs. It's not an always-on update and a lot of p

    • by swilver ( 617741 )

      Or perhaps only alert if the host file signature changed. But that would be too difficult. Creating a signature of a file is much harder than scanning it specifically looking for blocking telemetry hosts.

      Only positive thing that can come from this bullshit is that we might be able to extract from Windows Defender the full list of telemetry hosts... and block those at the router.

      • Nothing in the article says it looks for specific changes in the host file. It implies that it detects and blocks any changes to the hosts file that comes from non-approved applications. Which makes sense for most users. The average user is more likely to be hijacked by the hosts file than block telemetry.

        Now, I think blocking telemetry is objectively good. In fact, I need to set up a new computer with windows telemetry blocking... any good link would be appreciated.

    • by jythie ( 914043 )
      I had a similar thought. It really can not tell if you or malware changed the file, and it is unusual for a user to try to bypass things that way, so it makes sense that the 'find common intrusion signs' tool would flag it and ask the user what to do.
    • Or you know, you could see that the *only* entries in the hosts file are the ones that block Microsoft telemetry and decide the changes are benign. Sure that's more work and MSFT is unlikely to do it (since its not in their interest) but it's not like parsing a hosts file to see what the changes are is a particularly difficult task.
    • Re:Alarmist much? (Score:4, Informative)

      by Solandri ( 704621 ) on Tuesday August 04, 2020 @03:06PM (#60366199)
      Malware won't modify your hosts file to redirect traffic to 127.0.0.1 (localhost). To do so would be pointless (unless the malware's intent is to break your computer's access to the Internet). Most malware which modifies the hosts file will redirect common secure sites like citibank.com to the IP address of servers under their control.

      OTOH, when you use the hosts file to block sites from being accessed, you do so by redirecting sites to 127.0.0.1.

      So it's trivial to implement a check to see whether the hosts file has been modified in a non-malicious manner. For the purpose of malware detection, just ignore all entries which redirect to 127.0.0.1. That Microsoft isn't implementing this simple exclusion, is evidence that they're doing this explicitly to try to thwart blocking of undesired telementry and services.
  • by jacks smirking reven ( 909048 ) on Tuesday August 04, 2020 @09:15AM (#60364773)

    For real Microsoft, if you want Win10 to be this big data collection machine then just make it free and let power users pay to "unlock" the system and eliminate dumb nonsense like this. At least Google has the sense to give services for free to individuals in exchange for our sweet succulent data.

    • I'm sure Microsoft would have gotten this message if power users didn't disable telemetry in the first place.

    • "Make it free" won't work when they can make people pay by bundling. What else are they going to do, buy Apple? ... Maybe if Apple ever came out with a low-cost model of anything. ChromeOS and Linux are non-starters for the majority, since they need specific applications to work. They think repo is something that happens to their truck. What's a config file?

      I could maybe see them doing a Super Pro Ultimate version that lets you turn off the tracking, though. Unless any of the threeletter boys have an object

    • Comment removed based on user account deletion
      • by An Ominous Cow Erred ( 28892 ) on Tuesday August 04, 2020 @12:14PM (#60365507)

        It's worse than that, they won't even SELL you the corporate edition unless you meet their requirements. They refuse to sell it to individuals, and they won't sell it to you if you're just some person who self-incorporated. You need to be a big enough outfit that you fall under their corporate customer service department.

        (This also goes for the education edition, which also lets you turn off telemetry.)

        • I just stole my copy of the corporate edition. Oddly enough it didn't cause me to lose any sleep.

          I only use Windows to run some security camera software; everything else is on Linux, including the NAS.

    • Yep. With Windows 10 I feel like they're making me pay twice. Give me spying for free or a nice, clean system for money.
  • by DarkRookie2 ( 5551422 ) on Tuesday August 04, 2020 @09:31AM (#60364827)
    It is not like they are using telemetry to fix or improve anything
    Win 10 still runs poorly if on a mech drive. You still cannot search file extensions in Settings. Start Menu is still a mess.
    • It is not like they are using telemetry to fix or improve anything

      Based on your single use case from search? MS has shown that telemetry drives absolutely every decision they make in the damn OS. This is also why "experts" keep complaining that Windows is getting dumbed down. No shit, MS doesn't know how "experts" use the OS because they block telemetry.

      • Goddamn, man. Have you NEVER had to try and change the settings on an extension in that turd? Why the fuck is there not a search box?

        Or setup a network printer on a network with lots of users? It forces you to wait while every device is displayed, then you have to scroll all the way to the bottom of this gargantuan list and click the "device isn't listed" link so you can enter the address manually. Why not look in the list? Oh yeah, NO SEARCH BOX. And yes, they're talking gleefully about fully sunsetting th

    • Not just on a mech drive
  • by VeryFluffyBunny ( 5037285 ) on Tuesday August 04, 2020 @09:42AM (#60364869)
    Right, that does it! I'm indignantly outraged. I'm sticking with Windows 9 from now on.
  • Comment removed (Score:5, Insightful)

    by account_deleted ( 4530225 ) on Tuesday August 04, 2020 @10:00AM (#60364955)
    Comment removed based on user account deletion
  • That soylent green you want to eat? That's actually people...

    • That soylent green you want to eat? That's actually people...

      Shhhh! Don't tell them that you fool!! You'll make them want it even more!!!

  • by BAReFO0t ( 6240524 ) on Tuesday August 04, 2020 @10:50AM (#60365117)

    That does its own resolution. (No forwarding. But caching.)
    And have your home server's DNS announce it, so Windows automatically grabs it.
    And block passing through DNS packets in your home server's firewall.
    It is really not that hard.

    The only asshole on the block (apart from MS) is DoH-using software, like browsers, which circumvent your DNS server and firewall AFAIK. (Though isn't that a nightmare for every business intranet?)
    I guess you need to do deep packet inspection to block those in your firewall, in case the browser "forgets" your changed name resolution settings yet again.

  • I mean basically the first thing nearly every malware does is disable updates and block all MS servers in the HOSTS file. Why the hell hasn't defender done this for years?

    Oh sure plenty of people will frame this as not blocking telemetry, but the reality is this change blocks any change that block any Microsoft servers, no kidding, that's what malware does.

  • While telemetry is the focus of the article, it looks like the actual threat detection is if the hosts file has been modified to block any of microsoft's servers INCLUDING telemetry related ones. While people are assuming the worst, I suspect the telemetry bit was more of a side effect of lazy list making, and the actual objective was looking for hijacks that redirect the user to fake microsoft sites in general.

    Just because a change effects something does not mean the thing was the intended target, esp w
  • What telemetry? I never gave them permission to look at my web sites or watch what I type, and don't use their browser.

  • by NotInKansas ( 5367383 ) on Tuesday August 04, 2020 @11:30AM (#60365303)
    HOSTS file entries for Windows telemetry servers has always been quietly ignored, i.e. it didn't work. The only difference here is that Defender is now specifically calling it out.

    If you thought your HOSTS file entries were blocking all of the Microsoft "phone home" information, you were sadly mistaken!
    • by Flurg ( 7107107 )
      Not true. Windows ignores the HOSTS file for a few services like Update but the telemetry servers are not among them. You can find this confirmed by users if you search.

      I think people are crazy to use Windows as laxly as they do and almost all my use of it is done via air-gapped PCs, but this has been a long running urban legend since Microsoft announced the use of hard coded IPs. All of the services they put that way were dangerously susceptible to hijack and it was actually one of the rare things they
  • Never mind HOSTS. It's trivial for Microsoft (or any other virus author) to roll their own name resolution and then deliver an IP address to set up a connection. Anything from DoH to hard-coded IPs in an app can get around HOSTS blocks. And if you think you can set up a firewall rule on your system, the people who actually administrate your machine (Microsoft) can easily un-set it.

    Block communications using dedicated network gateway hardware. Something that Microsoft can't reset or in any way get inside of

    • by Bert64 ( 520050 )

      Unless you use the windows system to administer your dedicated network gateway hardware, and then there's nothing really stopping them from hijacking that too aside from the complexity of handling multiple different ways of doing so for different types of hardware.

  • OMG, the hapless screamer known as "APK" is going to freak the fuck out. How will he ever survive?

    BTW, I've noticed almost none of his drivel polluting slashdot lately, so whatever the mods are doing, keep it up.

    • So far as I understand it, though don't allow AC posts from posters not already signed in. Frankly, at this point, they should just get rid of AC posts completely, but at least this modest change sent APK into a kind of purgatory, and since it seems likely that sooner or later the hosts file is likely to be ignored, at least where it tries to alter Windows telemetry, I'd say his Windows NT 4-era app is even less interesting than it was before.

  • Just out of curiosity: has anyone discovered where Windows 10 is caching all this 'telemetry' data?
  • User: What does my telemetry data tell you?

    Microsoft #1: It's telling us that our software is broken.

    Microsoft #2: Uh, that's not true at all. Telemetry works.
  • I guess it's time everyone started nipping this shit at the network entrance. Those who don't have control of their router should purchase a good Tomato compatable router or give a Raspberry Pi Router a go. This corporate control over how/what we do with our own systems, spying on us, tracking us, etc.. all needs to stop.

    Or, you know, run a better OS...

  • Someone needs to launch a DNS service that sends telemetry hosts to nowhere. Or run your own nameserver and answer for the hosts you want to BL. Then you just set your DNS to match these new nameservers and Windows doesn't know.

  • If it can detect modified dubious entries in the HOSTS file, it should be able to clean the ones you deem dubious, and keep the ones you deem ok. It's not like it's flagging it if you just modify you HOSTS file, so it does know which ones it doesn't like.

Remember, UNIX spelled backwards is XINU. -- Mt.

Working...