MSAS Detects HOSTS file Redirection - How do I accept this one?

[Alan Alan]

Hi All,

MSAS is currently set to protect my HOSTS file, and it duly asks
whether a change I make should be allowed - that works fine.


However, upon a scan, MSAS is detecting a single entry (one of
thousands) in my HOSTS file
that directs as follows:

216.109.127.60 mail.yahoo.com

I have about a dozen frequently used redirections that I use to save
time (no need to go to an external DNS), plus thousands of
redirections to 127.0.0.1 (localhost) as security precautions such as
the following example in case I mistype:

127.0.0.1 ourceforge.net

Obviously I do not wish to remove these and reduce my security.


Two questions:


1) Why is MSAS picking up just one entry in the HOSTS file? There
are others in there such as:

206.24.190.25 www.hotmail.com

which it is not detecting / reporting as a potential threat.


2) How can I tell MSAS that a given redirection is correct?

Obviously I can tell MSAS to ignore this type of threat altogether
(the 'Always Ignore' option), and it *is* already protecting the HOSTS
file so that should be okay in theory, but I would prefer that it
identifies potential problems such as the one above and lets me
explicitly choose that it is okay.


Thanks in advance,

Alan.

 

[Bill Sanderson]

Does it suggest that this particular hosts file line is some particular
threat?

 

[Alan Alan]

Does it suggest that this particular hosts file line is some
particular threat?

Hi Bill,

The full message reads (in the spyware scan results):

Threat Name: Possible hosts file hijack (spyware).

Threat Level: High (coloured bars are red)


Under that, there is a plus button to 'view all detected locations'.

If I click on that plus button, the only line that shows reads:

Host file redirection of 216.109.127.60 mail.yahoo.com


So therefore, I interpret the scan results to mean that the particular
line is a threat (as opposed to any other / all lines in the HOSTS
file).


Thanks for your advice,

Alan.

 

[Bill Sanderson]

I'm experimenting. My own hosts file is bog-standard default--i.e. the
single localhost line is all that isn't a comment.

I cut and pasted your line in, replacing the space between the terms with a
tab to make it all look need.

Microsoft Antispyware came up with a blue flag allowing me to choose to
accept or reject the change. I accepted.

I'm now doing a scan, but I think it'll be ok.

So--my thought is you should chop it out, put it back in again, and see
whether that does the trick. As to the why----I've no idea!

 

[Bill Sanderson]

Hmm - I give up.

I was mistaken, and the scan of the hosts file did indeed flag your
redirection, even though I had ok'd it when I made the change.

So, I chose always ignore.

I then made another change to the hosts file:
216.109.127.61 mail2.yahoo.com
(gotta remember to take this stuff out again)

Again the blue flag, which I accepted. This time when I did a scan, nothing
found.

So--looks like the always ignore on the first one "took"--and that the
second one wasn't taken as a threat--so perhaps there is something specific
about either the name or the IP on that redirection that is seen as bad.

That IP isn't hard to find in Google, but I didn't immediately spot it as
implicated somehow in something "bad."

OK - did some more. I deleted those two entries, exited from Notepad, went
back in, and re-added the original entry. This time, I got a Green flag
stating that the change was being allowed based on my earlier expressed
choice. It also gave me a link to edit allowed hosts entries--this link
showed the two entries I had made. I wiped them out, went back and cleaned
up the hosts file, and decide to quit.

Bottom line: I think you are safe choosing always ignore. The instruction
seems to relate to specific individual lines in the hosts file, and not to
something broader.

 

[Alan Alan]

Hmm - I give up.

I was mistaken, and the scan of the hosts file did indeed flag your
redirection, even though I had ok'd it when I made the change.

So, I chose always ignore.

I then made another change to the hosts file:
216.109.127.61 mail2.yahoo.com
(gotta remember to take this stuff out again)

Again the blue flag, which I accepted. This time when I did a scan,
nothing found.

So--looks like the always ignore on the first one "took"--and that
the second one wasn't taken as a threat--so perhaps there is
something specific about either the name or the IP on that
redirection that is seen as bad.

That IP isn't hard to find in Google, but I didn't immediately spot
it as implicated somehow in something "bad."

OK - did some more. I deleted those two entries, exited from
Notepad, went back in, and re-added the original entry. This time,
I got a Green flag stating that the change was being allowed based
on my earlier expressed choice. It also gave me a link to edit
allowed hosts entries--this link showed the two entries I had made.
I wiped them out, went back and cleaned up the hosts file, and
decide to quit.

Bottom line: I think you are safe choosing always ignore. The
instruction seems to relate to specific individual lines in the
hosts file, and not to something broader.

Hi Bill,

Thanks for your assistance on this.

I concur that it is reasonably safe to choose 'always ignore'.

The only risk is that, somehow, a rogue entry makes it into my HOSTS
file and is not then picked up by MSAS.

However, for that to actually happen, it would have to get past the
fact that the HOSTS file it protected by MSAS from *any* changes being
made in the first place.

I think I can live with that and certainly a hell of a lot safer than
removing the 127.0.0.1 entries that block access to dubious sites!

Thanks again,

Alan.

 

[Jacques]

Hi,

I found something like that in my first time on MSAS. It was the last line
of my host file with no blank line after.
Could help ?

 

[Alan Alan]

Hi,

I found something like that in my first time on MSAS. It was the last
line of my host file with no blank line after.
Could help ?

Hi Jacques,

Not in this case. The line in question (mail.yahoo.com) was in the
middle of a block, and nowhere near the bottom.

There were entries immediately above and below it.

Really quite odd all round!

Alan.