Windows 10: Microsoft Defender flags hosts files with Microsoft server redirects as malicious

Discussion in 'Windows 10 News' started by GHacks, Aug 4, 2020.

  1. GHacks
    GHacks New Member

    Microsoft Defender flags hosts files with Microsoft server redirects as malicious


    The native antivirus client of the Windows 10 operating system, Microsoft Defender, has started to flag the hosts file on the system as malicious if it contains redirects for certain Microsoft servers.

    The hosts file is a simple plain text file designed to redirect connections. Users find it under C:\Windows\System32\drivers\etc\hosts on any system and it is easy enough to redirect requests. It has been used for ages to block known malicious sites or advertisement sites.

    All you have to do is add redirects in the form of 127.0.0.1 www.microsoft.com to the hosts file to redirect requests to the site "www.microsoft.com" in this case to the local computer. The effect is simple: the request is blocked.

    With the release of Windows 10 came an increased Telemetry server blocking usage. Privacy tools would add known Telemetry servers to the hosts file to block connections and thus the transmission of Telemetry data to Microsoft.

    As of July 28, 2020, it appears that Microsoft Defender is flagging hosts files as malicious if they contain certain redirects. According to Günter Born, the following versions introduced the new behavior:

    • Antimalware client version: 4.18.2006.10
    • Engine version: 1.1.17300.4
    • Antivirus version: 1.321.144.0
    • Antispyware version: 1.321.144.0

    Microsoft Defender Antivirus flags certain hosts file changes as a threat. An attempt to add telemetry.microsoft.com and microsoft.com redirects to 127.0.0.1 to the hosts file resulted in Microsoft Defender flagging the file and restoring the original version.

    [Screenshot: hosts-file-microsoft-defender.png]

    Attempts to save the file may display the following notification by Microsoft Defender:


    Operation did not complete successfully because the file contains a virus or potentially unwanted software.

    Restoring of the file did not restore the listing. Bleeping Computer's Lawrence Abrahams ran a few tests and discovered the following servers that Microsoft Defender flags when they are added to the hosts file on Windows 10 devices.

    • www.microsoft.com
    • microsoft.com
    • telemetry.microsoft.com
    • wns.notify.windows.com.akadns.net
    • v10-win.vortex.data.microsoft.com.akadns.net
    • us.vortex-win.data.microsoft.com
    • us-v10.events.data.microsoft.com
    • urs.microsoft.com.nsatc.net
    • watson.telemetry.microsoft.com
    • watson.ppe.telemetry.microsoft.com
    • vsgallery.com
    • watson.live.com
    • watson.microsoft.com
    • telemetry.remoteapp.windowsazure.com
    • telemetry.urs.microsoft.com

    It is possible that other servers will also be seen as a threat by Microsoft Defender. Windows 10 users may allow the threat in Microsoft Defender, at least for now, to add these redirects to the file again. The problem with the approach is that it will allow all modifications, even those by malicious software. Another option is to turn off Microsoft Defender and to start using a different security solution for Windows.

    A false positive seems unlikely considering that the list of servers includes mostly Telemetry servers.

    Windows 10 tools that add entries to the hosts file may be affected by this negatively. Most privacy tools that manipulate the hosts file to block Telemetry will certainly fail to add the entries to the hosts file if Microsoft Defender is the resident antivirus solution.

    Now You: do you use Microsoft Defender or another security solution on Windows?

    Thank you for being a Ghacks reader. The post Microsoft Defender flags hosts files with Microsoft server redirects as malicious appeared first on gHacks Technology News.

    GHacks, Aug 4, 2020
    #1
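As an added illustration (not part of the GHacks post and not code from any privacy tool): a small Python audit that parses a hosts file the way the post describes it (an address followed by one or more host names, `#` comments) and reports which entries would redirect the listed Microsoft servers to 127.0.0.1 or 0.0.0.0, so an administrator can see what Defender will object to before it restores the file. The sample hosts content is constructed.

```python
import ipaddress

# Names the post above reports Microsoft Defender flagging when redirected in the hosts file.
FLAGGED_HOSTS = {
    "www.microsoft.com", "microsoft.com", "telemetry.microsoft.com", "vsgallery.com",
    "wns.notify.windows.com.akadns.net", "v10-win.vortex.data.microsoft.com.akadns.net",
    "us.vortex-win.data.microsoft.com", "us-v10.events.data.microsoft.com",
    "urs.microsoft.com.nsatc.net", "watson.telemetry.microsoft.com", "watson.live.com",
    "watson.ppe.telemetry.microsoft.com", "watson.microsoft.com",
    "telemetry.remoteapp.windowsazure.com", "telemetry.urs.microsoft.com",
}

def parse_hosts(text: str) -> dict:
    """Parse hosts-file text into {hostname: address}. '#' starts a comment (whole line
    or trailing); the remaining whitespace-separated fields are one address followed by
    one or more host names. The first mapping seen for a name is kept, as a resolver does."""
    mapping = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed address: the resolver skips such a line as well
        for name in fields[1:]:
            mapping.setdefault(name.lower(), str(addr))
    return mapping

def is_sinkhole(address: str) -> bool:
    """A redirect blocks the host when it points at loopback or the unspecified address."""
    addr = ipaddress.ip_address(address)
    return addr.is_loopback or addr.is_unspecified

def find_flagged_redirects(text: str) -> list:
    """(hostname, address) pairs that sinkhole one of the flagged names."""
    return sorted((name, addr) for name, addr in parse_hosts(text).items()
                  if name in FLAGGED_HOSTS and is_sinkhole(addr))

SAMPLE_HOSTS = """\
# constructed sample hosts file, not a capture from a real machine
::1             localhost
192.0.2.10      intranet.example.test   # local name, not a block
127.0.0.1       telemetry.microsoft.com watson.telemetry.microsoft.com
0.0.0.0         vsgallery.com           # blackhole-style block
127.0.0.1       ads.example.test        # ad-block entry, not on the list
"""

print(find_flagged_redirects(SAMPLE_HOSTS))
```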
  2. malware Win User

    Microsoft Windows Home Server Corrupts Files

    Microsoft has warned Windows Home Server users not to edit files stored on their backup systems with several of its programs, including Vista Photo Gallery and Office's OneNote and Outlook, as well as files generated by popular finance software such as Quicken and QuickBooks. "When you use certain programs to edit files on a home computer that uses Windows Home Server, the files may become corrupted when you save them to the home server," Microsoft said in a support document posted last week. The document went on to list the software, which includes Windows Vista Photo Gallery, Windows Live Photo Gallery, OneNote 2003, OneNote 2007, Outlook 2007, Microsoft Money 2007 and SyncToy 2.0 Beta. Other programs, however, may also corrupt files stored on a home server powered by Microsoft's operating system. "Additionally, there have been customer reports of issues with Torrent applications, with Intuit Quicken and with QuickBooks program files," the document said. "Until an update for Windows Home Server is available, we recommend that [you] do not use the programs that are listed to save or to edit program-specific files that are stored on a Windows Home Server-based system."

    Source: Computerworld
     
    malware, Aug 4, 2020
    #2
  3. crionsynx Win User
    Microsoft Defender Smartscreen

    Hi COLINGILBERT1,

    Sorry to hear you're experiencing this issue. I'm an Independent Advisor and consumer of Microsoft products just like you. Let me help you with your concern.

    Microsoft Defender SmartScreen checks downloaded files against a list of reported malicious software sites and known unsafe programs and against a list of files that are well known and downloaded by many Windows users. If the file you downloaded is on the malicious list or is not commonly downloaded it will show a warning, advising caution. If you believe that the file is not malicious and you trust the source then you can ignore the warning by clicking "Run anyway".

    Refer to the below link for the benefits of Microsoft Defender SmartScreen.

    https://docs.microsoft.com/en-us/windows/securi...
     
    crionsynx, Aug 4, 2020
    #3
  4. a CVn Win User

    Host file not redirecting

    I believe you are misunderstanding the purpose of the hosts.txt file.

    If all you care about is the TL;DR (too long; didn't read), then scroll down to the bottom of the answer. What follows is an explanation of what's going on, to help you understand why you are getting the results you are getting.

    hosts.txt (typically /etc/hosts on Unix-like systems) provides a mapping between a host name and an IP address. The system name resolver is then typically configured to prefer hosts.txt entries over DNS, such that hosts.txt can be used as a DNS override. This is useful particularly in cases where local names don't exist in DNS, but you simply don't have enough hosts on your network to warrant setting up a local all-out authoritative DNS server with all of what that entails.

    However, modern web browsing relies on far more than just the name to IP address mapping.

    The typical process goes something like this:

    1. User enters a URL into the browser's address field, or otherwise triggers a web request
    2. Browser looks up the host name from the URL, to an IP address, and connects to that IP address
    3. Browser sets up an HTTPS session, if the URL is an https:// URL
      • Browser aborts if the certificate presented does not match the host name in the URL
    4. Browser tells the remote web server to give it path /something/whatever from the host name from the URL
    5. Remote web server responds with the requested resource, or typically an error if the request cannot be fulfilled for some reason
    6. Browser interprets and displays or acts on the data received from the remote web server
      • If the data received is a redirection, then the process starts over on step 1 with that URL instead

    By editing hosts.txt you change only what happens in step 2 above. Web browsing is a lot more complex than just a name lookup!

    Also note that web browsers sometimes implement their own name lookup functionality, instead of offloading to the resolver provided by the operating system. In such a case, even step 2 won't necessarily get you the result you are after, because it might very well follow the normal name delegation path from the DNS root, so you get the same response as you otherwise would; in that case, hosts.txt never gets consulted!

    Notably, the browser will still be expecting a certificate for the specific host name in the URL in step 3; and it will tell the remote web server the host name you gave it in step 4.

    Since Google's web servers are unlikely to be set up to serve www.yahoo.com, whether over HTTP or HTTPS, this fails no later than between steps 4 and 5 (the remote web server cannot provide the requested resource).

    I have no good explanation for why you are getting a timeout rather than a web server error response, but the means of failure is largely up to the remote server, so I suspect it is well within its rights to not respond at all when asked about a host it simply doesn't know about.

    And of course, if you are just experimenting, there is no need to use Yahoo or Google. Rather, there are Internet IP addresses and host names specifically set aside for example and documentation purposes which are good for this. For example, you could use 192.0.2.100 for the IP address and test.example.com for the host name, as neither of these belongs to anyone in particular. That, or RFC 1918 space (10.0.0.0 through 10.255.255.255, 172.16.0.0 through 172.31.255.255 or 192.168.0.0 through 192.168.255.255), but you'd still want a corresponding domain name, for which those reserved are good.

    TL;DR:

    If you want to see that your hosts.txt entry is doing what it should, then open a command prompt and issue the command ping -n 1 www.yahoo.com (in your case). It should respond with the IP address you configured. The -n 1 causes only a single echo request to be sent, because all we are really interested in is the results of the name lookup.

    I would prefer nslookup www.yahoo.com, but apparently on Windows nslookup doesn't look at hosts.txt either. (On Linux, it typically does, because it asks the system resolver and the system resolver is normally configured to consult the hosts file; if you want a pure DNS lookup on Linux, you'd typically use host or dig instead.)
     
    a CVn, Aug 4, 2020
    #4