{"id":5,"date":"2009-03-10T02:47:13","date_gmt":"2009-03-10T07:47:13","guid":{"rendered":"https:\/\/www.falatic.com\/?p=5"},"modified":"2010-11-23T08:56:50","modified_gmt":"2010-11-23T13:56:50","slug":"windows-defender-apparent-false-alarm-win32possiblehostsfilehijack","status":"publish","type":"post","link":"https:\/\/www.falatic.com\/index.php\/5\/windows-defender-apparent-false-alarm-win32possiblehostsfilehijack","title":{"rendered":"Windows Defender apparent false alarm (Win32\/PossibleHostsFileHijack)"},"content":{"rendered":"<p>I got an alarming popup from Windows Defender tonight: it had detected <strong>Win32\/PossibleHostsFileHijack<\/strong> in the <em>C:\\Windows\\System32\\drivers\\etc\\hosts<\/em> file.\u00a0 That&#8217;s pretty worrisome and unexpected!\u00a0 I looked at the file but it seemed uninteresting.\u00a0 The only non-comment entries were:<\/p>\n<pre><span style=\"color: #ff0000;\">127.0.0.1\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 localhost<\/span>\r\n::1\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 localhost<\/pre>\n<p><!--more--><\/p>\n<p>I made a backup of the file, then I let Defender &#8220;clean&#8221; it.\u00a0 OK&#8230; it only removed the 127.0.0.1 line (in red above).\u00a0 Weird: that&#8217;s a pretty standard setting and it doesn&#8217;t seem like it should be going anywhere.<\/p>\n<p>I searched around for this and found <a title=\"Thread on the Norton forums\" href=\"http:\/\/community.norton.com\/norton\/board\/message?board.id=nis_feedback&amp;message.id=37891\" target=\"_blank\">this thread on the matter<\/a>.\u00a0 I then used Windows update to get the latest version of the Defender database (it was last checked about 18 hours ago) and reverted the &#8220;fix&#8221; Defender had made (in Vista you must edit the <em>hosts <\/em>file with an editor running in Admin mode&#8230; as always <em>be careful<\/em>!)\u00a0 Sure enough, it found and installed a newer version and a re-scan of the <em>hosts 
<\/em>file showed&#8230; no problems whatsoever.\u00a0 Apparently one of Monday&#8217;s Defender definition updates might have had a bug in it.<\/p>\n<p><em>Note: This is NOT to imply this is always a false alarm!\u00a0 But if the only line that was removed is the standard localhost address as above, update Defender and re-scan.\u00a0 This &#8220;problem&#8221; may not be a problem after all.<\/em><\/p>\n<p>Now, I wonder how many people screwed up their <em>hosts<\/em> file today by letting this rather ubiquitous setting get removed?\u00a0 I can imagine there are some apps that&#8217;ll be unhappy not to find a localhost route.\u00a0 If this post helped you avoid some fun config headaches later please drop a quick comment.<\/p>\n<p><strong>Update: <a title=\"More info\" href=\"http:\/\/www.h-online.com\/security\/Windows-Defender-False-alarm-triggered-by-hosts-file--\/news\/112814\" target=\"_blank\">more info at this site <\/a>about this issue.<\/strong><\/p>\n","protected":false},"excerpt":{"rendered":"<p>I got an alarming popup from Windows Defender tonight: it had detected Win32\/PossibleHostsFileHijack in the C:\\Windows\\System32\\drivers\\etc\\hosts file.\u00a0 That&#8217;s pretty worrisome and unexpected!\u00a0 I looked at the file but it seemed <a href=\"https:\/\/www.falatic.com\/index.php\/5\/windows-defender-apparent-false-alarm-win32possiblehostsfilehijack\" 
class=\"more-link\">[&hellip;]<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"Layout":"","footnotes":"","_links_to":"","_links_to_target":""},"categories":[3],"tags":[10,11,9],"class_list":["entry","author-marty","has-more-link","post-5","post","type-post","status-publish","format-standard","category-general","tag-defender","tag-false-positive","tag-win32possiblehostsfilehijack"],"_links":{"self":[{"href":"https:\/\/www.falatic.com\/index.php\/wp-json\/wp\/v2\/posts\/5","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.falatic.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.falatic.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.falatic.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.falatic.com\/index.php\/wp-json\/wp\/v2\/comments?post=5"}],"version-history":[{"count":0,"href":"https:\/\/www.falatic.com\/index.php\/wp-json\/wp\/v2\/posts\/5\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.falatic.com\/index.php\/wp-json\/wp\/v2\/media?parent=5"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.falatic.com\/index.php\/wp-json\/wp\/v2\/categories?post=5"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.falatic.com\/index.php\/wp-json\/wp\/v2\/tags?post=5"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}