Host resolution priority -> vulnerable to malware tampering?

Virus Guy

I wasn't aware that you could set the priority for host resolution.

http://www.speedguide.net/read_articles.php?id=1130

Could this mean that with the right settings, that the hosts file could
be essentially deactivated by setting it to a very low priority and
setting DnsPriority to a high priority?

If so, does any anti-malware software examine those registry settings
and look for malicious tampering?
 
David H. Lipman

From: "Virus Guy" <[email protected]>

| I wasn't aware that you could set the priority for host resolution.

| http://www.speedguide.net/read_articles.php?id=1130

| Could this mean that with the right settings, that the hosts file could
| be essentially deactivated by setting it to a very low priority and
| setting DnsPriority to a high priority?

| If so, does any anti-malware software examine those registry settings
| and look for malicious tampering?

No, it wouldn't deactivate the resolution via the etc/hosts file.

The information cited is really for changing the resolution sequence depending on your
situation. For example if you are in a workgroup or Domain and how the OS reacts to such
named hosts as...

\\machinename

http://hostname

With this one may choose the etc/hosts to have a lower number than the other resolution
methods but I don't think it will disable it altogether.

If one wants to do that, it is much better to just redirect the location of the etc/hosts
file via the "DataBasePath" key in..
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
 
Virus Guy

David H. Lipman said:
| Could this mean that with the right settings, that the hosts
| file could be essentially deactivated

No, it wouldn't deactivate the resolution via the etc/hosts file.

The information cited is really for changing the resolution sequence
depending on your situation.

Seems to me that these settings are for setting the priority of those
services with respect to other services running on the machine.

If they also set the sequence or order of which method is used to
perform a host resolution, then setting the local hosts value to the
highest numerical value out of the 4 of them would mean that the hosts
file would always be the last to be queried - which would effectively
deactivate it as resolution method. No?
 
David H. Lipman

From: "Virus Guy" <[email protected]>


| Seems to me that these settings are for setting the priority of those
| services with respect to other services running on the machine.

| If they also set the sequence or order of which method is used to
| perform a host resolution, then setting the local hosts value to the
| highest numerical value out of the 4 of them would mean that the hosts
| file would always be the last to be queried - which would effectively
| deactivate it as resolution method. No?

OK, rethinking this...

It would "deactivate" it. However if a DNS resolution to a malicious site is first and you
are effectively getting that address then the etc/hosts file redirection to the IP
responder address would be a moot point.

Deactivated - no.

Ineffectual - yes.
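The thread raises two tampering points a defender would want to audit: the resolution-order values under the Tcpip\ServiceProvider key (where a higher number means the method is consulted later) and the DataBasePath value that tells Windows where to look for the hosts file. The script below is an added example, not something posted by either participant; it assumes the usual default values (LocalPriority 499, HostsPriority 500, DnsPriority 2000, NetbtPriority 2001, DataBasePath %SystemRoot%\System32\drivers\etc) as its baseline, which you should replace with your own known-good values if they differ.

```powershell
# Added example: audit Windows name-resolution registry settings for tampering.
# Run from an elevated PowerShell prompt. Baseline values are assumed defaults,
# not values taken from this thread; adjust them to your own known-good state.

$spKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\ServiceProvider'
$tcpKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

# Assumed defaults: a lower number is consulted first, so the hosts file
# (HostsPriority) normally sorts ahead of DNS (DnsPriority).
$expectedPriority = @{
    LocalPriority = 499
    HostsPriority = 500
    DnsPriority   = 2000
    NetbtPriority = 2001
}
# Get-ItemProperty expands REG_EXPAND_SZ values, so compare expanded forms.
$expectedDbPath = [Environment]::ExpandEnvironmentVariables('%SystemRoot%\System32\drivers\etc')

$findings = @()

# 1. Resolution order: report any value that deviates from baseline, and
#    specifically the case discussed above (hosts file pushed behind DNS).
$sp = Get-ItemProperty -Path $spKey -ErrorAction SilentlyContinue
foreach ($name in $expectedPriority.Keys) {
    $actual = $sp.$name
    if ($null -eq $actual) {
        $findings += "ServiceProvider\$name is missing"
    } elseif ($actual -ne $expectedPriority[$name]) {
        $findings += "ServiceProvider\$name = $actual (baseline $($expectedPriority[$name]))"
    }
}
if ($sp.HostsPriority -and $sp.DnsPriority -and ($sp.HostsPriority -gt $sp.DnsPriority)) {
    $findings += 'hosts file is ordered after DNS: local overrides are ineffective'
}

# 2. DataBasePath: if redirected, the hosts file Windows actually reads is not
#    the one administrators and scanners normally inspect.
$params = Get-ItemProperty -Path $tcpKey -ErrorAction SilentlyContinue
$dbPath = $params.DataBasePath
if (-not $dbPath) {
    $findings += 'DataBasePath is missing'
} elseif ($dbPath -ne $expectedDbPath) {
    $findings += "DataBasePath = '$dbPath' (baseline '$expectedDbPath')"
}

# 3. Inspect the hosts file at its effective location for live (non-comment) entries
#    so that entries in a redirected copy are not overlooked.
if ($dbPath) {
    $hostsFile = Join-Path ([Environment]::ExpandEnvironmentVariables($dbPath)) 'hosts'
    if (Test-Path $hostsFile) {
        $live = Get-Content $hostsFile | Where-Object { $_ -match '^\s*[^#\s]' }
        foreach ($line in $live) { $findings += "hosts entry: $line" }
    } else {
        $findings += "hosts file not found at $hostsFile"
    }
}

if ($findings.Count -eq 0) { 'No deviations from baseline.' } else { $findings }
```

Any live hosts entry is listed rather than judged, since legitimate entries are common; the useful signals for an analyst are a redirected DataBasePath, a priority order that puts DNS ahead of the hosts file, and hosts entries that point security-vendor or update hostnames somewhere unexpected.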
 
