  • Microsoft: Blocking Telemetry in HOSTS file a security risk

      • #2286151 Reply
        Alex5723
        AskWoody Plus

        From Lawrence Abrams at BleepingComputer:

        Starting at the end of July, Microsoft has begun detecting HOSTS files that block Windows 10 telemetry servers as a ‘Severe’ security risk.

        Microsoft now detects HOSTS files that block Windows telemetry
        Since the end of July, Windows 10 users began reporting that Windows Defender had started detecting modified HOSTS files as a ‘SettingsModifier:Win32/HostsFileHijack’ threat.

        When detected, if a user clicks on the ‘See details’ option, they will simply be shown that they are affected by a ‘Settings Modifier’ threat and has ‘potentially unwanted behavior,’ as shown below.

        What next? Microsoft’s defender will block 3rd party apps that block Telemetry, block updates, remove Microsoft store apps…?

        • This topic was modified 1 month, 2 weeks ago by Alex5723.
        • This topic was modified 1 month, 2 weeks ago by woody.
        7 users thanked author for this post.
      • #2286178 Reply
        anonymous
        Guest

        One more reason not to use Windows Defender but some more advanced AV product.

        2 users thanked author for this post.
      • #2286195 Reply
        Fred
        AskWoody Plus

        What next? Microsoft’s defender will block 3rd party apps that block Telemetry, block updates, remove Microsoft store apps…?

        The real privacy dashboard for Windows [ https://wpd.app/ ] seems to do a good job in blocking telemetry and unwanted msstuff

        ~ ~ ~
        4 users thanked author for this post.
        • #2286206 Reply
          Coldheart9020
          AskWoody Lounger

          Will take a look at WPD. I’ve been using O&O ShutUp10 and used Windows 10 Debloater (which uses PowerShell) in the past to remove some of the bloatware that comes pre-installed in Windows 10.

          For HOSTS, I use the custom MVPS file with additional hosts appended by Spybot – Search and Destroy’s Immunization component. I use Avast as my main antivirus, but keep Windows Defender definitions up to date and run a full scan with it every so often.

          So far, no detections about a HOSTS “Hijack” but that may well change in the future.

      • #2286197 Reply
        doriel
        AskWoody Lounger

        I really appreciate Windows Defender, since one does not need to buy a separate product for this.
        And I can remember AV programs that sell data (Avast) and programs that are more adware than antivirus (AVG and others as well).

        I understand this desire, because if the HOSTS file blocks telemetry/update, it’s simple to identify the issue (missing/edited record in HOSTS).

        But what if I modify HOSTS in the way I need? Adding a file server address, for example. Is this going to be evaluated as a security risk?

        Dell Latitude E6530, Intel Core i5 @ 2.6 GHz, 4GB RAM, W10 1809 Enterprise

        HAL3000, AMD Athlon 200GE @ 3,4 GHz, 8GB RAM, Fedora 29

      • #2286201 Reply
        woody
        Da Boss

        Lawrence Abrams has a detailed article about this on BleepingComputer.

        Günter Born posted the initial alarm on Borncity.

        Yep, MS is whittling away our control, bit by bit.

        6 users thanked author for this post.
        • #2286760 Reply
          Norio
          AskWoody Plus

          Yep, MS is whittling away our control, bit by bit.

          As noted by Günter Born in the link above, a user can “… define the [HOSTS] file in Defender as an exception and exclude it from the check (see also Part 2). In this case, Defender does not monitor any malware manipulation of the hosts file.”

          So we still have (but for how long) the ability to stop Defender from flagging the presence of MS telemetry URLs as “malware”-induced.  The sad thing is that monitoring the HOSTS file for unwanted changes is at base a valid security mechanism that should have been included in the Defender and the OS a long time ago; MS finally gets around to it, NOT to defend users, but to defend MS’s access to telemetry information (that must be why they call it “Defender”).

      • #2286207 Reply
        Carl D
        AskWoody Lounger

        Is it just Windows 10 telemetry blocking via the HOSTS file that’s triggering the Windows Defender detection?

        I’m using Windows 10 Professional 2004 64bit  here – clean install 31st May 2020. ‘Extra Privacy’ handled by O&O’s ShutUp10 (if it makes any difference to the following).

        I have extra entries in my Hosts file blocking 9 Avast and Piriform addresses to prevent CCleaner taking about 10 seconds to open as I have both CCleaner executables in Program Files blocked from accessing the Internet with OneClickFirewall and have for the past 2 or 3 years.

        The 10 second delay if CCleaner is blocked with a firewall is something new that started happening about 2 or 3 releases back – it is obviously trying to access the Internet for something every time you launch the program now.

        Anyway, back to the subject at hand – I’ve just done a quick scan with Windows Defender (fully up to date) and it hasn’t detected any changes to my Hosts file (or any other issues).

         

        Gigabyte GA-B250M-D3H Motherboard, Intel i5-7600 CPU, 32GB RAM, NVIDIA GeForce GTX 1050 Graphics Card, 1x Samsung 860 EVO 250GB SSD, 1x Samsung 850 EVO 250GB SSD, Windows 10 Professional 2004 64bit.

        3 users thanked author for this post.
      • #2286225 Reply
        bbearren
        AskWoody MVP

        I use O&O Shutup10 to control telemetry for Version 2004 (OS Build 19041.388), and it does not in any way modify the HOSTS file.  My HOSTS file has only two entries that are not commented out:

        127.0.0.1 localhost
        ::1 localhost

        O&O Shutup10 uses the registry to control telemetry.  My Windows Defender (Windows Security) has green check-marks everywhere.

        Create a fresh drive image before making system changes/Windows updates, in case you need to start over!
        "When you're troubleshooting, start with the simple and proceed to the complex."—M.O. Johns
        "Experience is what you get when you're looking for something else."—Sir Thomas Robert Deware

        1 user thanked author for this post.
      • #2286764 Reply
        Alex5723
        AskWoody Plus

        Is it just Windows 10 telemetry blocking via the HOSTS file that’s triggering the Windows Defender detection?

        It is Microsoft’s URLs including Telemetry that are blocked.

        http://www.microsoft.com
        microsoft.com
        telemetry.microsoft.com
        wns.notify.windows.com.akadns.net
        v10-win.vortex.data.microsoft.com.akadns.net
        us.vortex-win.data.microsoft.com
        us-v10.events.data.microsoft.com
        urs.microsoft.com.nsatc.net
        watson.telemetry.microsoft.com
        watson.ppe.telemetry.microsoft.com
        vsgallery.com
        watson.live.com
        watson.microsoft.com
        telemetry.remoteapp.windowsazure.com
        telemetry.urs.microsoft.com
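
Added example, not part of any post in this thread and not Microsoft's detection logic (which the thread does not describe): a small Python parser that reports which active HOSTS mappings name a host from the list posted above, so unrelated entries such as a file server or a third-party block can be told apart from them. The function names and the sample file content are constructed for illustration, and reading the list's `http://www.microsoft.com` as `www.microsoft.com` is an assumption.

```python
import ipaddress

# Hostnames copied from the list in the post above. The page shows the first
# entry as "http://www.microsoft.com"; it is assumed here to mean www.microsoft.com.
LISTED_HOSTS = {
    "www.microsoft.com", "microsoft.com", "telemetry.microsoft.com",
    "wns.notify.windows.com.akadns.net",
    "v10-win.vortex.data.microsoft.com.akadns.net",
    "us.vortex-win.data.microsoft.com", "us-v10.events.data.microsoft.com",
    "urs.microsoft.com.nsatc.net", "watson.telemetry.microsoft.com",
    "watson.ppe.telemetry.microsoft.com", "vsgallery.com", "watson.live.com",
    "watson.microsoft.com", "telemetry.remoteapp.windowsazure.com",
    "telemetry.urs.microsoft.com",
}

def parse_hosts(text):
    """Yield (line_no, address, hostname) for every active HOSTS mapping."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) < 2:
            continue                            # blank, comment-only or malformed
        try:
            ipaddress.ip_address(fields[0])     # first field must be IPv4 or IPv6
        except ValueError:
            continue
        for name in fields[1:]:                 # one line may map several names
            yield line_no, fields[0], name.lower().rstrip(".")

def listed_entries(text):
    """Return active mappings whose hostname is on the list from the thread."""
    return [e for e in parse_hosts(text) if e[2] in LISTED_HOSTS]

# Constructed sample (not a real system's file).
SAMPLE = """\
# Copyright (c) Microsoft Corp.
127.0.0.1 localhost
::1 localhost
192.168.1.20 fileserver.example.lan   # internal file server
0.0.0.0 blocked-vendor.example        # third-party blocklist entry
0.0.0.0 telemetry.microsoft.com watson.telemetry.microsoft.com
# 0.0.0.0 vsgallery.com
127.0.0.1 WWW.MICROSOFT.COM.
"""

if __name__ == "__main__":
    for line_no, addr, name in listed_entries(SAMPLE):
        print(f"line {line_no}: {addr} -> {name}")
```

To check a real machine, pass the text of `%SystemRoot%\System32\drivers\etc\hosts` to `listed_entries` instead of `SAMPLE`.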
