I got an alarming popup from Windows Defender tonight: it had detected Win32/PossibleHostsFileHijack in C:\Windows\System32\drivers\etc\hosts. That’s pretty worrisome and unexpected! I looked at the file, but it seemed uninteresting. The only non-comment entries were:
127.0.0.1 localhost
::1 localhost
I made a backup of the file, then I let Defender “clean” it. OK… it only removed the 127.0.0.1 localhost line. Weird: that’s a pretty standard setting and it doesn’t seem like it should be going anywhere.
I searched around for this and found this thread on the matter. I then used Windows Update to get the latest version of the Defender definitions (they had last been checked about 18 hours ago) and reverted the “fix” Defender had made (in Vista you must edit the hosts file with an editor running in Admin mode… as always, be careful!). Sure enough, it found and installed a newer definition version, and a re-scan of the hosts file showed… no problems whatsoever. Apparently one of Monday’s Defender definition updates might have had a bug in it.
Note: This is NOT to imply this is always a false alarm! But if the only line that was removed is the standard localhost entry above, update Defender and re-scan before assuming anything worse. This “problem” may not be a problem after all.
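For anyone who wants to run the same check without hand-editing the file, here is the back-up / inspect / update / re-scan sequence as a script. This is an added example, not something from the original post. It assumes the Defender PowerShell module (Update-MpSignature, Start-MpScan, Get-MpThreat), which ships with Windows 8.1 and later, not Vista; on older systems do the update through Windows Update as described above and keep the backup step. Run it from an elevated PowerShell session.

```powershell
# Added example (not from the original post). Assumes the Windows Defender
# PowerShell module (Windows 8.1/10/11). Run elevated.

$hosts  = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$backup = "$hosts.bak-$(Get-Date -Format yyyyMMdd-HHmmss)"

# 1. Back up the file before letting anything "clean" it.
Copy-Item -Path $hosts -Destination $backup
Write-Host "Backup written to $backup"

# 2. Show the active entries: strip comments and blank lines, collapse whitespace.
$entries = Get-Content $hosts |
    ForEach-Object { (($_ -split '#')[0].Trim() -split '\s+') -join ' ' } |
    Where-Object { $_ -ne '' }
Write-Host "Active hosts entries:"
$entries | ForEach-Object { Write-Host "  $_" }

# 3. Anything other than the two loopback mappings deserves a closer look
#    before you treat the detection as a false positive.
$standard   = @('127.0.0.1 localhost', '::1 localhost')
$unexpected = $entries | Where-Object { $standard -notcontains $_.ToLower() }

if ($unexpected) {
    Write-Warning "Non-standard hosts entries found; do NOT assume a false alarm:"
    $unexpected | ForEach-Object { Write-Warning "  $_" }
} else {
    Write-Host "Only the standard localhost entries are present."
}

# 4. Refresh definitions, then re-scan just the hosts file.
Update-MpSignature
Start-MpScan -ScanType CustomScan -ScanPath $hosts

# 5. List what Defender currently reports so you can compare with the earlier popup.
Get-MpThreat | Select-Object ThreatName, Resources | Format-Table -AutoSize

# If a bad definition already removed the localhost line, restore the backup:
#   Copy-Item -Path $backup -Destination $hosts -Force
```

The whitespace-collapsing in step 2 matters: hosts entries are commonly tab-separated, so comparing raw lines against '127.0.0.1 localhost' would flag a perfectly normal file as suspicious.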
Now, I wonder how many people screwed up their hosts file today by letting this rather ubiquitous setting get removed? I can imagine there are some apps that’ll be unhappy not to find a localhost entry. If this post helped you avoid some fun config headaches later, please drop a quick comment.
Update: more info at this site about this issue.