Windows Defender considers the HOSTS file to be malicious if it blocks telemetry

Bleeping Computer reporters noticed that Windows 10 and Windows Defender have recently begun treating the hosts file (C:\Windows\System32\drivers\etc\hosts) as malicious if it contains entries that block telemetry collection.

According to the publication, since the end of July a modified hosts file has been flagged as the threat “SettingsModifier:Win32/HostsFileHijack”. If the user clicks “More” after receiving such a warning, no further explanation is given; the user is only told that the file exhibits “potentially unwanted behavior.”

If the user agrees to eliminate the “threat”, the system will clear the hosts file and return it to its default state. It is also possible to ignore the problem, but this will allow any modifications to hosts in the future, including malicious ones.

Lawrence Abrams, Bleeping Computer founder, notes that false positives for the hosts file are not a new problem, but in recent weeks people have suddenly started complaining about such warnings en masse.

Abrams writes that he assumed these were false positives again, but still ran several tests.

“As it turned out, it is enough to block the Microsoft servers collecting telemetry through the hosts file, and then the problems begin,” says Lawrence Abrams.

In particular, problems arise when you try to block the following addresses:

  • www.microsoft.com
  • microsoft.com
  • telemetry.microsoft.com
  • wns.notify.windows.com.akadns.net
  • v10-win.vortex.data.microsoft.com.akadns.net
  • us.vortex-win.data.microsoft.com
  • us-v10.events.data.microsoft.com
  • urs.microsoft.com.nsatc.net
  • watson.telemetry.microsoft.com
  • watson.ppe.telemetry.microsoft.com
  • vsgallery.com
  • watson.live.com
  • watson.microsoft.com
  • telemetry.remoteapp.windowsazure.com
  • telemetry.urs.microsoft.com

Because of this, Abrams concluded that Microsoft apparently updated Defender recently so that it detects when the company’s servers are added to the hosts file, that is, when the user is trying to block telemetry collection.
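An added example, not from the article or from Microsoft: a small Python audit that lists which lines of a hosts file map the hostnames named above, so an administrator can see what is likely behind the alert before letting Defender reset the file. It assumes only the article's list (Defender's actual matching rules are not public), and the sample file is constructed.

```python
# Hostnames the article lists as triggering the detection when blocked.
REPORTED_HOSTS = {
    "www.microsoft.com", "microsoft.com", "telemetry.microsoft.com",
    "wns.notify.windows.com.akadns.net",
    "v10-win.vortex.data.microsoft.com.akadns.net",
    "us.vortex-win.data.microsoft.com", "us-v10.events.data.microsoft.com",
    "urs.microsoft.com.nsatc.net", "watson.telemetry.microsoft.com",
    "watson.ppe.telemetry.microsoft.com", "vsgallery.com", "watson.live.com",
    "watson.microsoft.com", "telemetry.remoteapp.windowsazure.com",
    "telemetry.urs.microsoft.com",
}

def parse_hosts(text):
    """Yield (line_no, address, hostname) for every mapping in hosts-file text."""
    text = text.lstrip("\ufeff")  # tolerate a UTF-8 byte-order mark
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        fields = line.split()
        if len(fields) < 2:
            continue  # blank, comment-only, or an address with no hostname
        address, names = fields[0], fields[1:]
        for name in names:  # one line may map several hostnames
            # Hostnames are case-insensitive; a trailing dot is the same name.
            yield line_no, address, name.lower().rstrip(".")

def find_reported_entries(text, watched=REPORTED_HOSTS):
    """Return the mappings whose hostname is on the article's list."""
    return [(n, addr, host) for n, addr, host in parse_hosts(text)
            if host in watched]

# Constructed sample, not taken from a real machine.
SAMPLE = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0 telemetry.microsoft.com   # added by a privacy tool
0.0.0.0 Watson.Telemetry.Microsoft.com. vsgallery.com
# 0.0.0.0 watson.live.com
192.168.1.10    intranet.example.test
"""

if __name__ == "__main__":
    # On Windows, read the real hosts file's text instead of SAMPLE.
    for line_no, address, host in find_reported_entries(SAMPLE):
        print(f"line {line_no}: {host} -> {address}")
```

Entries it does not report (here `localhost` and the intranet name) are unrelated to the list above and are worth reviewing separately, since a reset to the default file removes them as well.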

Microsoft has not yet commented on the situation.

It looks like Windows Defender (or rather Microsoft’s developers, of course) is behaving more and more aggressively: we recently wrote that Windows Defender recognizes CCleaner as a PUA.

About The Author
Vladimir Krasnogolovy