hosts files block/unblock/remove

tobe

In Advanced tools/system Explorers/Networking there is a
Windows Hosts file, which shows a long list of sites
which are apparently looped back to the local host
address 127.0.0.1. There are options to 'block
host', 'unblock host', and 'permanently remove host' for
each individual host. It appears that each host
is 'unblocked' by default.

What does it mean to block, unblock, or remove any
particular host on this screen? Which option provides
protection from the host (i.e. redirects it to the looped
back site instead of the actual host site)? The Help
section on this is useless.
 
Guest

-----Original Message-----
Hello Tobe

See the messages from 2/20/2005, for a message/thread
started by M8RIX with a solution to this issue.

Thanks. How do I access the discussion on that date?
The search function does not work, and the current list
(89 pages) only goes back to about May 05.
 
Bill Sanderson

tobe said:
In Advanced tools/system Explorers/Networking there is a
Windows Hosts file, which shows a long list of sites
which are apparently looped back to the local host
address 127.0.0.1. There are options to 'block
host', 'unblock host', and 'permanently remove host' for
each individual host. It appears that each host
is 'unblocked' by default.

What does it mean to block, unblock, or remove any
particular host on this screen? Which option provides
protection from the host (i.e. redirects it to the looped
back site instead of the actual host site)? The Help
section on this is useless.

I agree--this help is not helpful.

By default, the hosts file has only a single active entry--127.0.0.1
localhost.

Your hosts file has been modified by one (or more!) third-party programs,
viruses, or spyware, to include lines which will cause various listed
domains to resolve to localhost (i.e. fail to be reached.)

As long as all those domains are ones you don't want to reach, you can leave
that alone--I know this begs the question of the meaning of the choices in
Microsoft Antispyware---I'll test that in a minute.

The problem with such a long list of hosts is that both the bad guys and the
good guys use this list--for opposing purposes. A number of viruses and
trojans add popular commercial antivirus vendors sites to the hosts file.
So--to be sure of what is happening, you need to examine every entry in that
file and satisfy yourself that they are all ones you wish to avoid visiting.

That's why my hosts file has only the default single entry.

The hosts file is a simple text file located in
\windows\system32\drivers\etc

Its name is hosts with no suffix. It can be edited in notepad.

OK - I've added an entry 127.0.0.1 www.largeuniversitynearme.edu

Blue alert: A Windows hosts file change requires your approval
The hosts file can set which Web site your browser visits when you type a
URL in the address bar. This change occurs in limited circumstances. You
should block this change if you have not made the change or run a program to
do so.

Host: www.microsoft.com

IP Address: oft.com|127.0.0.1



Now, when I do ping www.largeuniversitynearme.edu, it goes to 127.0.0.1

If I try to open that URL in a browser, I get a 401.1 error.



So--host blocking is working, now what about Microsoft Antispyware?



The only valid (i.e. ungreyed out) choice is Block Host. So I "block host"
for www.largeuniversitynearme.edu.

And, at this point, pings and web access proceed to the correct public IP
address, and it all works.



So--the meaning of BLOCK HOST appears to be "remove this entry from the
hosts file."

In fact, when I look at the hosts file, the entries I have blocked are
commented out, with a # sign at the start of the line.

For extra credit--I'd be interested in hearing from someone who can explain
why putting www.microsoft.com or microsoft.com in such a line fails to have
the same effect--I'm intrigued--I don't know whether it is something
intentionally built into Windows DNS resolution, or a side-effect of the
load balancing mechanisms.

So--my preference, and that of a good many others, is to keep this file
near empty--just the default entry and anything necessary for work or
testing I'm engaged in. Opinions differ on this, and I concede that these
entries in a hosts file have probably saved much grief in families with
teenagers, say, over the years.



Does that help--or did I say too much?
 
Bill Sanderson

You're quite right about the HTML version of these groups.

If you go to the groups anew from the Help entry in Microsoft Antispyware,
and click in the top right pane, and scroll down, it'll give you information
about access to these groups via NNTP, using Microsoft Outlook Express, or
the newsreader of your choice.

I haven't checked, but I suspect that the NNTP version of these groups has a
longer retention period, so if you were on broadband, and had lots of
patience, or interest, you could download headers and messages, and do full
text searches, and learn all of what we've posted about hosts over the
history of this beta.

Or, you could read the other reply.

I don't believe Engel meant to mislead--I'm not certain exactly how he
accesses these groups, but I'm sure he was unaware that that message
wouldn't be easily accessible.


--
 
Bill Sanderson

Well, I missed a little editing on the real-life example. I started out
using www.microsoft.com, and was startled when the hosts file entry appeared
to have no effect whatsoever.

So I switched to www.upenn.edu, but didn't want to name them directly.

But then the print as copy/pasted from the app was so tiny, that I failed to
be consistent in my editing.

and why DOES www.microsoft.com get through, when www.upenn.edu does not?


--
 
JRosenfeld

I agree that examining a hosts file with many entries to
find any unwanted entries put there by malware is more
difficult than when it is empty (though find works in
Notepad OK).

However, I think that consideration is outweighed by the
convenience and pleasure of blocking unwanted third party
ads and ensuring that I don't accidentally go to a 'bad'
site. I therefore do use a readymade HOSTS file from
mvps.org. I trust their definition of 'bad' sites. They
update their HOSTS file regularly, their entries are
briefly annotated and separated from any others that might
be there, thus easing the search for unwanted entries.

So in my opinion the two schools of thought about the use
of HOSTS are both defensible. It depends on one's
priorities.

-----Original Message-----
Well, I missed a little editing on the real-life example. I started out
using www.microsoft.com, and was startled when the hosts file entry appeared
to have no effect whatsoever.

So I switched to www.upenn.edu, but didn't want to name them directly.

But then the print as copy/pasted from the app was so tiny, that I failed to
be consistent in my editing.

and why DOES www.microsoft.com get through, when
www.upenn.edu does not?
 
Bill Sanderson

JRosenfeld said:
I agree that examining a hosts file with many entries to
find any unwanted entries put there by malware is more
difficult than when it is empty (though find works in
Notepad OK).

However, I think that consideration is outweighed by the
convenience and pleasure of blocking unwanted third party
ads and ensuring that I don't accidentally go to a 'bad'
site. I therefore do use a readymade HOSTS file from
mvps.org. I trust their definition of 'bad' sites. They
update their HOSTS file regularly, their entries are
briefly annotated and separated from any others that might
be there, thus easing the search for unwanted entries.

So in my opinion the two schools of thought about the use
of HOSTS are both defensible. It depends on one's
priorities.

I agree that this one is a matter of opinion and experience.

I have seen regular messages here from novices who use the system explorer
and are astounded to find "sewage" in their hosts file--and can't imagine
how all that bad stuff got there or what they are supposed to do about it.

OTOH, I'm quite sure there are many kids out there who've been saved some
experiences by the presence of those lines in the hosts file. They are
there on other machines in my household--I've never bothered to remove them.
 
tobe

From: "Bill Sanderson"
You're quite right about [search not currently working within] the HTML
version of these groups.

If you go to the groups anew from the Help entry in Microsoft Antispyware,
and click in the top right pane, and scroll down, it'll give you
information about access to these groups via NNTP, using Microsoft Outlook
Express, or the newsreader of your choice.

I did, indeed access this newsgroup from Outlook Express, ended up
downloading all 26000+ entries and did a search on HOSTS.

What I found is that Spybot Search & Destroy adds a gazillion hosts to the
HOSTS file, all directed to the loopback 127.0.0.1 site.

By default, MSAS shows all of these as 'active', meaning any attempt by an
accessed URL to direct the browser to the sites contained in the HOSTS file
will end up to the dead end loopback address.

However, that also means that the MSAS 'Block' option within the HOSTS file
means that, if you 'block' a host, a request for that URL will now no longer
loopback to 127.0.0.1, but will progress to the actual site! This is a very
strange use of the word "block"! Logic would indicate that to 'block'
something using an anti-spyware program would be a good thing!

Just a little note of explanation within that part of MSAS or within the
Help file would really be...well....helpful!!

I would also suggest using different terminology, other than 'block' and
'unblock'. Perhaps something such as: "Enable host redirection" and
"Disable host redirection". That actually explains what one would be
doing!!

Yours,

Tobe
 
Bill Sanderson

tobe said:
Just a little note of explanation within that part of MSAS or within the
Help file would really be...well....helpful!!

I would also suggest using different terminology, other than 'block' and
'unblock'. Perhaps something such as: "Enable host redirection" and
"Disable host redirection". That actually explains what one would be
doing!!

I agree completely--I'll make sure this is passed on. I've seen a number of
messages from confused novices (why do I have 211 hosts files?) and looking
at the feature closely I can see just why they are confused. Partly because
mine is empty, I never really paid attention to how the UI reads.
 
Bill Sanderson

tobe said:
I did, indeed access this newsgroup from Outlook Express, ended up
downloading all 26000+ entries and did a search on HOSTS.

I want to go back and say how impressed I am that you actually did this. I
wish more people here would, because that full text search capability is
pretty valuable, although you run the risk of seeing a lot of old
information, or workarounds that have changed in the course of this
unusually lengthy beta.

Thanks for posting that count of posts, too. One use of that metric is to
compare it with the number of downloads of the program (more than 20
million, I believe) and consider that even in its current imperfect state,
it must be doing quite a bit right, or we'd be hearing more from the unhappy
users.

Actually, if I add the counts in my own browser, I think I get more like
35000, but that is still a drop in the bucket. There probably are not 20
million installed machines, but there are in excess of 10 million for sure.

Do you see posts going back to early January?
 
tobe

"Bill Sanderson" wrote
Do you see posts going back to early January?
Sometime in January. Since the posts I was directed to were about February
20th, I didn't actually look at the posts dated earlier than that (although I
did download them). I downloaded them in batches of 300 at a time (I have a
cable connection - it didn't take very long - perhaps under 2 seconds per
300). By February 20th I was somewhere near 20,000 I think.

Tobe
 
Bill Sanderson

Thanks--it sounds like there is no age cap on the post in the NNTP store.
There's a lot of complexity behind the scenes--separate stores for the HTML
and the NNTP, and mechanisms to (try) to keep both in synch. Microsoft and
much of the rest of the online world see the future growth as HTML oriented,
I believe, but they are committed to maintaining NNTP, and even making some
of the more advanced features of the newer HTML interfaces available via
NNTP.

These groups use an older version of the HTML interface which has a number
of serious drawbacks even with the search feature functional. If you want
to see an example of a newer interface with added functionality, try this
one:

http://www.microsoft.com/athome/sec...osoft.public.security.homeusers&lang=en&cr=US

The beauty of the HTML interface is its accessibility--from anywhere, and
from within the product you are using. NNTP users tend to find it slow,
awkward, and inefficient to use, though.

Whoops--more than you wanted to know--Thanks!
--
 
tobe

Just an FYI for users of both Spybot Search & Destroy and MSAS:

I decided to look at my HOSTS file more closely. It is at
Windows/System32/Drivers/Etc, as a read-only file. I opened it with WordPad
and found that it was 260 pages long! It turns out that Spybot Search &
Destroy had duplicated its entries in there something like seven times. I
think it may have added the entire file again each time I updated S&D. I
have edited it down to one copy of each entry, saved it as HOSTS.txt then
renamed it HOSTS (after saving a copy of the original HOSTS file for
backup). Everything seems to work fine and the list in MSAS HOSTS file is
now manageable.

Yours

Tobe
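
The manual review discussed in this thread (examining every entry, and trimming repeated copies of a blocklist) can be scripted. The following is an added example, not code from any poster or from Microsoft Antispyware or Spybot; the sample file contents, the `watchlist` parameter and all domain names are constructed for illustration.

```python
import ipaddress
from collections import Counter

# Constructed sample hosts file (not from any real machine or from the thread).
SAMPLE_HOSTS = """\
# Sample hosts file
127.0.0.1       localhost
127.0.0.1       ads.example.com        # blocklist entry
127.0.0.1       Ads.Example.com
#127.0.0.1      tracker.example.net    # commented out = inactive
127.0.0.1       update.av-vendor.example
203.0.113.7     www.bank.example
0.0.0.0         metrics.example.org
"""

def parse_hosts(text):
    """Return (active, disabled) lists of (ip, hostname) pairs."""
    active, disabled = [], []
    for raw in text.splitlines():
        line, target = raw.strip(), active
        if line.startswith("#"):          # a commented-out entry is inactive
            line, target = line.lstrip("#").strip(), disabled
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                      # ordinary comment text, not an entry
        target.extend((ip, name.lower()) for name in fields[1:])
    return active, disabled

def audit(text, watchlist=()):
    """Flag what a reviewer should look at; watchlist = domains you must reach."""
    active, disabled = parse_hosts(text)
    counts = Counter(name for _, name in active)
    watched = lambda n: any(n == w or n.endswith("." + w) for w in watchlist)
    return {
        "duplicates": sorted(n for n, c in counts.items() if c > 1),
        "redirected": sorted({n for ip, n in active
                              if not (ip.is_loopback or ip.is_unspecified)}),
        "watchlist_overridden": sorted({n for _, n in active if watched(n)}),
        "disabled": sorted({n for _, n in disabled}),
    }

def dedupe(text):
    """Drop lines whose active entries were all seen earlier; keep comments."""
    seen, kept = set(), []
    for raw in text.splitlines():
        entries = parse_hosts(raw)[0]
        if entries and all(e in seen for e in entries):
            continue
        seen.update(entries)
        kept.append(raw)
    return "\n".join(kept) + "\n"
```

To use it on a real machine, read the hosts file from the location given in the thread and pass its text to `audit()`, listing in `watchlist` the domains (for example, your antivirus vendor's) that should never appear as active entries.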
 
