Defender hijacks host files now ..

The native antivirus client of the Windows 10 operating system, Microsoft Defender, has started to flag the hosts file on the system as malicious if it contains redirects for certain Microsoft servers.

The hosts file is a simple plain text designed to redirect connections. Users find it under C:\Windows\System32\drivers\etc\hosts on any system and it is easy enough to redirect requests. It has been used for ages to block known malicious sites or advertisement sites.

All you have to do is add redirects in the form of 127.0.0.1 http://www.microsoft.com to the hosts file to redirect requests to the site “www.microsoft.com” in this case to the local computer. The effect is simple: the request is blocked.

With the release of Windows 10 came an increased Telemetry server blocking usage. Privacy tools would add known Telemetry servers to the hosts file to block connections and thus the transmission of Telemetry data to Microsoft.

Antimalware-Clientversion: 4.18.2006.10
Modulversion: 1.1.17300.4
Antiviren-Version: 1.321.144.0
Antispyware-Version: 1.321.144.0

Microsoft Defender Antivirus flags certain hosts file changes as a threat. An attempt to add telemetry.microsoft.com and microsoft.com redirects to 127.0.0.1 to the hosts file resulted in Microsoft Defender flagging the file and restoring the original version.

Attempts to save the file may display the following notification by Microsoft Defender:

Operation did not complete successfully because the file contains a virus or potentially unwanted software.

It is possible that other servers will also be seen as a threat by Microsoft Defender. Windows 10 users may allow the threat in Microsoft Defender, at least for now, to add these redirects to the file again. The problem with the approach is that it will allow all modifications, even those by malicious software. Another option is to turn off Microsoft Defender and to start using a different security solution for Windows.

A false positive seems unlikely considering that the list of servers includes mostly Telemetry servers.

Windows 10 tools that add entries to the hosts file may be affected by this negatively. Most privacy tools that manipulate the hosts file to block Telemetry will certainly fail to add the entries to the hosts file if Microsoft Defender is the resident antivirus solution.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s