MS Defender detects "Possible Hosts File Hijack"

[Guest]

Every time I restart my PC, Defender finds "Possible Hosts File Hijack" and
recommends removal.
What is it?
Should I be worried about it?
Why did my previous AntiSpyware not detect it?
I also use Webroot Spy Sweeper which does not detect it.

 

[Tom Emmelot]

Hello Bill,

the problem is that spysweeper is working with your host file!
To stop this add him in the Ignore files or paths in the advanced options.

Regards >*< TOM >*<

Bill schreef:

 

[Guest]

Hi Tom

Many, many thanks for your very quick response to my query. I will attempt
to follow your advice.
Kind regards.
Bill

 

[Richard Urban]

Right!

If you have the "Common Ad Site Shield" in Spy Sweeper enabled, this will
occur. Every time Spy Sweeper makes an entry into the hosts file, MS
Defender will catch it.


--


Regards,

Richard Urban
Microsoft MVP Windows Shell/User

Quote from George Ankner:
If you knew as much as you think you know,
You would realize that you don't know what you thought you knew!

 

[Guest]

HI Richard
Yes I do have the "Common Ad Site Shield" enabled.
Can I safely disable it?
Regards Bill

 

[Guest]

I don't believe that adding Spysweeper to the "don't scan" list in advanced
options is going to stop DEfender from alerting to HOst file changes made by
Spysweeper, It might, but I chose another alternative. I cut off Spysweeprs
common ads sites sheild after making a backup of it with Hoster by Funky
Toad. For some reason, Spysweeper reloads items into the host file with every
reboot. Sbybot S&D can be used to add items to the Host file also, but they
seem to be stable and are not constantly being added back. I just simplye
applied Spysweepsers add shield and added its entries, along with Sybots,
then I back that host file up with Hoster, turnef off Spysweepers ad sites
shield, and then restored the backup host file fromHoster. I had to tell
Defender to allow or ignore at each step, but now Defender has stopped all
the alerts. If I get an alert now, it will have to be from an unknown
program, not spysweeper. Hoster makes it very easy to inspect and manipulate
your host file and when done, you can change the file to read only.
http://www.funkytoad.com/hoster.htm

 

[Guest]

I use mvps hosts file. It is updated regularly. Spybot's is somewhat out of
date, I think.
http://www.mvps.org/winhelp2002/hosts.htm

 

[Guest]

I have been meaning to check that one out, but have been hesitant. Spysweeper
develops problems if the hosts file is too large. Do you happen to know if
the MVPS version works well in conjunction with Spysweeper?

 

[Guest]

I have had the same problem. Instead of disabling the "Common Ad Site Shield"
in Spy Sweeper, couldn't you just have Defender allow the change instead?
Forgive me if that is basically what you have already said but as a "novice
user" I was a little confused with all the backing up & adding through other
programs & such that "Old Rebel" discussed. Would that be safe to do that or
would that lead to unknown programs being able to reconfigure the hosts
files? I hope that I am understanding all of this properly. So, to also be
clear of that & please correct be if I am not: the point of Sweeper doing
that is to redirect you away from all the sites that it puts into the hosts
files? & MS Defender is just trying to make sure that it is the safe thing to
do? & as long as when you open up your hosts file in notepad & there is a #
sign in front of all of those entries then hosts files are safe but if no #
sign in front, that is bad? I hope I haven't been to annoying but I really
want to make sure that I get this right. Thank you in advance for all your
help & advice.

 

[Guest]

Hi! Yes, it would be fine just to have Defender "Allow" the Spysweeper host
file changes each time. What I did not like was the frequent host file alerts
this caused, when nothing had really been changed in the host file. I prefer
not to be notified unless there are real changes from unknown reasons. I was
afraid that routinely clicking "allow" for the Spysweeper changes would get
me in the habit of clicking allow without really checking things out. Plus,
I enjoy the extra benefits of using Hoster as opposed to just opening the
hostfile in notepad. Hoster does that for me and also will mark the host file
as "read only" so changes can't be made, or delete everthing in the host file
and return it to the Mircosoft original host file - with one click. I have
other programs that add entries to the host file for dangerous web sites, and
I just got tired of all the Defender alerts everytime one of them
updated.When they update now, I temporarily turn off Defenders RTP, make my
changes, and then turn Defenders RTP back on. If I get any alerts, it will be
for changes made by malware, not by my security programs.

 

[Tom Emmelot]

Hello Old Rebel,

i installed SPYSWEEPER just to test and i got a red alert "Possible
Hosts File Hijack", but then you can choose for BLOCK/ALLOW/Always ALLOW
!!!!! I choose the last won and no problems anymore! It is than in the
Allow list!!!

Regards >*< TOM >*<

Old Rebel schreef:

 

[Dave M]

Hi Rebel;
No I'm afraid not, the MVPS hosts contain far too many additions to be
compatible with SpySweeper. I've had to disable the Hosts File and Common
Ad Sites Shields within SS, and instead use HostsMan to manage hosts
updates which are a consolidation of past Common ad sites from SS and the
regular updates to the MVPS file. As I recall the cutoff for SS is about
6000 max entries, whereas my current consolidated hosts count is at 11491
using HostsMan.

 

[Guest]

Hi, Tom! Are we using the same program??? When Defender's RTP alerts me to
a host file change (by Spysweeper or anything else) there is NO option to
"Always Allow" , only to "allow". I went back and redid everything, and
cannot find any alway allow option. Are you an advanced member of Spynet, or
does that make the difference?

 

[Tom Emmelot]

Hello Old Rebel,

Yes we are using the same
My settings are indeed Advanced Member of Spynet
The only program that give me the red alert was Spysweeper and that was
the only time i got that choice!!!!

Regards >*< TOM >*<

Old Rebel schreef: