Windows Defender apparent false alarm (Win32/PossibleHostsFileHijack)

I got an alarming popup from Windows Defender tonight: it had detected Win32/PossibleHostsFileHijack in the C:\Windows\System32\drivers\etc\hosts file.  That’s pretty worrisome and unexpected!  I looked at the file but it seemed uninteresting.  The only non-comment entries were:

127.0.0.1       localhost
::1             localhost

I made a backup of the file, then I let Defender “clean” it.  OK… it only removed the 127.0.0.1 line (the first of the two lines above).  Weird: that’s a pretty standard setting and it doesn’t seem like it should be going anywhere.

I searched around for this and found this thread on the matter.  I then used Windows Update to get the latest version of the Defender database (it was last checked about 18 hours ago) and reverted the “fix” Defender had made (in Vista you must edit the hosts file with an editor running in Admin mode… as always, be careful!).  Sure enough, it found and installed a newer version, and a re-scan of the hosts file showed… no problems whatsoever.  Apparently one of Monday’s Defender definition updates might have had a bug in it.

Note: This is NOT to imply this is always a false alarm!  But if the only line that was removed is the standard localhost address as above, update Defender and re-scan.  This “problem” may not be a problem after all.
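A small checker, added here as an example (it is not the post’s own code), that reads a hosts file the way this post does: it lists what a “clean” removed relative to your backup and flags any remaining entry that is not the standard loopback line, which is the pattern a real hosts-file hijack would show. The file contents are constructed samples and the function names are my own.

```python
import ipaddress

# The two entries every Windows hosts file is expected to carry (the post's lines).
STANDARD_LOOPBACK = {("127.0.0.1", "localhost"), ("::1", "localhost")}

def parse_hosts(text):
    """Return (ip, hostname) pairs, ignoring comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop trailing comments
        if not line:
            continue
        ip, *names = line.split()               # one IP, one or more names
        for name in names:
            entries.append((ip, name.lower()))
    return entries

def audit_hosts(text):
    """Classify entries: standard loopback, other loopback/blackhole, redirections."""
    report = {"standard": [], "loopback_other": [], "redirect": [], "invalid": []}
    for ip, name in parse_hosts(text):
        if (ip, name) in STANDARD_LOOPBACK:
            report["standard"].append((ip, name))
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            report["invalid"].append((ip, name))
            continue
        if addr.is_loopback or addr.is_unspecified:
            report["loopback_other"].append((ip, name))   # e.g. ad-blocking lists
        else:
            report["redirect"].append((ip, name))         # name sent to a real host
    return report

def removed_entries(backup_text, cleaned_text):
    """Entries present in the backup that the 'clean' took out."""
    return sorted(set(parse_hosts(backup_text)) - set(parse_hosts(cleaned_text)))

def only_standard_removed(backup_text, cleaned_text):
    """The post's rule: only a standard localhost line went, and nothing odd remains."""
    removed = set(removed_entries(backup_text, cleaned_text))
    return removed <= STANDARD_LOOPBACK and not audit_hosts(cleaned_text)["redirect"]

# Constructed samples: the file from the post, before and after Defender's clean.
BACKUP = "# constructed sample hosts file\n127.0.0.1       localhost\n::1             localhost\n"
CLEANED = "# constructed sample hosts file\n::1             localhost\n"

if __name__ == "__main__":
    print("removed by clean:", removed_entries(BACKUP, CLEANED))
    print("looks like the false positive:", only_standard_removed(BACKUP, CLEANED))
```

Run it against a copy of the backup and of the cleaned file; anything in the `redirect` bucket deserves a look before you shrug the alert off.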

Now, I wonder how many people screwed up their hosts file today by letting this rather ubiquitous setting get removed?  I can imagine there are some apps that’ll be unhappy not to find a localhost route.  If this post helped you avoid some fun config headaches later please drop a quick comment.

Update: more info at this site about this issue.

7 Comments


  1. Last night suddenly mysql was not reachable. I wasted 3/4h rebooting and looking in the wrong place until I saw in the system recovery that the son of a bitch Windows Defender (and his Microsoft f*cking mother) had removed the localhost.
    Sorry for my language, but at this time to get calm I only have two options: blame Microsoft or smash Balmer’s face. I think many times about installing Linux, but as it takes time to migrate I never do, and then I waste my time with the Microsoft bugs…

  2. Phew – I’ve not done the techy stuff yet because I’m not sure how (log in as administrator? Is that just my usual log in as it’s my own pc) but didn’t want to remove the ‘threat’ without checking it out first. Thank goodness I found your blog.

    Will it just update automatically with the next automatic update from windows or do I need to go through the admin process as described above and on the link you gave?

  3. I’m working at a software company that sells server/client based RIPs.
    Customers started complaining today about this issue. Good I found this entry. Keep it up!

  4. All I know for sure is that the latest update did NOT fix the hosts file if you already cleaned it, only that Defender didn’t re-detect the localhost entry as a problem once I restored the original version.

    Note that I’ve got v1.53.288 of the definitions right now (last night’s update). I’d expect that one or a later one should be OK.

    If you didn’t clean it yet just run Windows update and see that Defender updates. A quick scan should be clean after that. If NOT then you may have a real issue in the hosts file that requires attention (it’d be wise to make a copy of this text-only file to your desktop before allowing it to be cleaned).

    Mistakes happen. Hopefully the extent of this is just that one line. God knows I’ve had some pretty interesting problems crop up with Linux hotfixes as well so nobody is immune.

  5. I’ve updated the post to add another informational link at the bottom. Nothing really new, just more confirmation that this was a transient false positive and some info on how to fix it. It might have been Vista-only as well.

  6. I let Defender place the file in quarantine. Then I looked in quarantine and found: nothing.
    My PC seems to function still normally. The content of the file is only an instruction. Nothing seems to have been changed, as the date of the file is 04-08-2004.

  7. How come a big company like MS makes this fatal bug? That line 127.0.0.1 is so important that many networking applications depend on it for loopback test/service. MS must reward you with something.
