siliconman01

Windows\System32\drivers\etc\HOST file reported as Hijack.Host


Greetings,

Please execute the following command from a command prompt (START and type cmd then press Enter) by copying and pasting the following text into the command prompt:

copy "%windir%\system32\drivers\etc\HOSTS" "%userprofile%\desktop\hosts.txt"

Once it completes you'll find a text file on your desktop called hosts.txt, right-click on it and hover your mouse over Send to and select Compressed (zipped) folder then attach the resulting hosts.zip file to your next reply for analysis.

I'm guessing that you're using a HOSTS file for blocking ads, malware, telemetry etc. and that's what Malwarebytes is detecting for whatever reason, likely due to an issue with a new signature.

Edited by exile360


As avast shouldn't normally be blocked in the hosts file, you are running a non-standard hosts file, so you will have to add this to the ignore list.

Thanks.


I use the Steven Black Unified Hosts file as shown in the attached pic.  If I remove the following AVAST entries from this HOSTS file, Malwarebytes scans clean.

avast-downloads.com
get-avast.com
www.avast-downloads.com
www.get-avast.com
ipm-provider.ff.avast.com

Note that MB does detect www.avast-downloads.com and avast-downloads.com as fraudulent websites.  If I attempt to open the other 3, they appear as inaccessible.  I suggest that finding the word AVAST in a HOSTS file entry does not constitute Malwarebytes calling the HOSTS file hijacked.  There are entries showing the words Norton, Symantec, Bitdefender, and even Malwarebytes in my HOSTS file and they pass the MB scanner okay.


StevenBlackHost.png


We are not looking for avast. We are looking for this


.avast.com


If you remove the last one it should scan clean.

Which should not normally be in a host file.

Edited by shadowwar


Just FYI, I've got this in my HOSTS file and Malwarebytes does not detect it:

ipm-provider.ff.avast.com

You can verify with Steven, but just because a domain ends with <website>.com does not mean that it's actually part of the actual <website>.com domain.  The leading parts before the other dots are just as meaningful as the rest of the URL.

Now, with that said, this particular URL does actually belong to Avast!, but it's used as a mechanism for delivering ads through CCleaner so I'd argue that it's a legitimate block for privacy/anti-adware reasons.  You may refer to this thread from the Piriform forums for more info.


@exile360 sounds like you have a different issue. I just tested the following line and it gets flagged for me. Are you sure your HOSTS file isn't excluded?

127.0.0.1 ipm-provider.ff.avast.com


It may have to do with the formatting of my HOSTS file.  For one thing, I use HostsMan which has an option to place 9 URLs on each line rather than just 1.  It functions normally but makes use of the space more efficiently (and can also speed up lookups/blocks when using a large HOSTS file).  I also block using 0.0.0.0 rather than 127.0.0.1 because it tends to be faster, redirecting to a null address rather than the system's loopback adapter (no waiting for the timeout).  My HOSTS file is also very large with over 1 million entries and clocks in at around 28MB in size.

Here's the line where that address appears:

0.0.0.0 www.adremover.org v8.analytics.pinsightmedia.com v8engine.pinsightmedia.com v8push.pinsightmedia.com www.findalgorithm.com www.upgradeexplorer.com ipm-provider.ff.avast.com 100.mtcdevsite.com 15255577722.com

19 hours ago, shadowwar said:

We are not looking for avast. We are looking for this


.avast.com


If you remove the last one it should scan clean.

Which should not normally be in a host file.


Yes, removing ipm-provider.ff.avast.com does permit Malwarebytes to scan clean and not flag the HOSTS file.  HOWEVER, I agree with exile360 that this entry is a valid block entry for the HOSTS file.  I also use CCleaner and do not want it to add anything associated with Avast Security to my systems...now or ever.


This is where exclusions come in. If you feel it should be blocked in your hosts file then you are welcome to add it to the exclusions. We see too much malware blocking the avast update by blocking the avast domain in the hosts file. For that reason we have to leave it in.


Fair enough, but can that individual entry be excluded from detection without excluding the entire HOSTS file?  I understand if it cannot, however I'd suggest looking into it as a future feature if it can't for cases like this because malware could still hijack a user's HOSTS file when using a custom HOSTS file like this so it's important to be able to delineate undesired malicious entries from those that are deliberately being blocked by the user to protect their privacy etc. (this server is used for telemetry/cookies only as I understand it, and is not actually used by Avast! AV proper for updating or anything).

Eventually I'd also like to see real-time monitoring of the HOSTS file along with certain key registry values/keys (PUMs mostly) as a means of extending the protection to more closely coincide with the remediation capabilities of the scanner for the sake of more proactive protection against such attacks, but that's a separate issue.


This is a per line detection. However ganging up urls on the same line will cause the whole line to be deleted. This is a non standard format to have multiple urls per line.

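A worked illustration of the two points discussed above (several hostnames per line, and detection per entry rather than per line), as an added example that is not code from this thread or from Malwarebytes: a small Python audit that parses a HOSTS file in HostsMan's several-hosts-per-line layout, matches the `.avast.com` suffix per hostname (a suffix match, so get-avast.com is not flagged), and removes only the matching hostname instead of dropping the whole line. The HOSTS sample and the watch list are constructed.

```python
WATCH_SUFFIXES = (".avast.com",)   # the one suffix the thread says Malwarebytes matches

SAMPLE_HOSTS = """\
# constructed HOSTS sample in HostsMan's several-hosts-per-line layout
127.0.0.1 localhost
0.0.0.0 www.adremover.org v8engine.pinsightmedia.com ipm-provider.ff.avast.com 100.mtcdevsite.com
0.0.0.0 get-avast.com www.get-avast.com
127.0.0.1 tracker.example.test  # inline comment
"""

def parse_hosts(text):
    """Yield (line_no, ip, [hostnames]) for every active mapping line."""
    for no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) >= 2:
            yield no, fields[0], [h.lower() for h in fields[1:]]

def is_watched(host, suffixes=WATCH_SUFFIXES):
    """True if host is a watched domain or a subdomain of one: a suffix match,
    not a substring match, so get-avast.com is not under avast.com."""
    host = host.lower()
    return any(host == s.lstrip(".") or host.endswith(s) for s in suffixes)

def audit(text, suffixes=WATCH_SUFFIXES):
    """Per-hostname findings as [(line_no, ip, hostname)]."""
    return [(no, ip, h) for no, ip, hosts in parse_hosts(text)
            for h in hosts if is_watched(h, suffixes)]

def scrub(text, suffixes=WATCH_SUFFIXES):
    """Drop only watched hostnames; other hosts on the same line survive.
    Mapping lines are re-joined with single spaces and keep their trailing
    comment; comment-only and blank lines are copied through unchanged."""
    out = []
    for raw in text.splitlines():
        body, hash_, comment = raw.partition("#")
        fields = body.split()
        if len(fields) < 2:
            out.append(raw)                      # blank, comment or malformed line
            continue
        keep = [h for h in fields[1:] if not is_watched(h, suffixes)]
        if not keep:
            continue                             # every hostname on the line was watched
        line = " ".join([fields[0], *keep])
        out.append(line + ("  " + hash_ + comment if hash_ else ""))
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    for no, ip, host in audit(SAMPLE_HOSTS):
        print(f"line {no}: {ip} -> {host}")
```

Run against a real file with `audit(open(r"C:\Windows\System32\drivers\etc\hosts").read())`; a hit whose address is not a sinkhole such as 0.0.0.0 or 127.0.0.1 deserves a closer look than a deliberate block.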

No worries, I wasn't concerned about my HOSTS file as MB3 isn't even detecting the entry (likely due to my non-standard, though fully functional, formatting).  I was simply concerned for the user and others like them who may encounter this issue now that Avast! has done what they've done to CCleaner.


Next time MBAM detects that line, you *should* be able to tell MBAM to ignore always and it should no longer detect it.
Can you confirm?
If that works as expected, then you shouldn't need to exclude the entire HOSTS file and if something malicious modifies it, the bad modifications will still be detected.

58 minutes ago, blender said:

Next time MBAM detects that line, you *should* be able to tell MBAM to ignore always and it should no longer detect it.
Can you confirm?
If that works as expected, then you shouldn't need to exclude the entire HOSTS file and if something malicious modifies it, the bad modifications will still be detected.

Nope, that's not the way it works.  To test this, I did the following:

1.  I arranged the HOSTS file in single line entries....1 entry per line.

2.  I ran a Normal Scan.  It detected 80 entries as Hijack.Hosts because of ipm-provider.ff.avast.com.  See the attached .txt named NormalScan.  I unchecked these entries and told Malwarebytes to "ignore once".

3.  I then ran a Custom Scan on my C/D drive with "check for rootkits" selected. It detected 1 entry as Hijack.Hosts because of ipm-provider.ff.avast.com.  See the attached .txt named CustomScanCDwithRootkits.  I unchecked this one entry and told Malwarebytes to "exclude always".

4.  Malwarebytes appears to have excluded the entire HOSTS file.  See the pic "Exclusions".

Therefore, there is no way to exclude a single entry in the HOSTS file.  In addition, Malwarebytes has a bug in how it scans the HOSTS file during a Normal Scan.

CustomScanCDwithRootkits.txt

Exclusions.png

NormalScan.txt


Yep - I see that now & just tested myself by adding another line in my hosts file that is in our db (but is not normally in the hosts file (and should not be) )
You can leave the hosts file out of exclusions & just cancel or ignore each time. You can be pretty sure every time you scan & only that entry comes up that is the one you want to keep.
If for some reason you get infected, you can uncheck that one entry pointing to hosts & let MBAM clean up the rest.

1 hour ago, blender said:

Yep - I see that now & just tested myself by adding another line in my hosts file that is in our db (but is not normally in the hosts file (and should not be) )
You can leave the hosts file out of exclusions & just cancel or ignore each time. You can be pretty sure every time you scan & only that entry comes up that is the one you want to keep.
If for some reason you get infected, you can uncheck that one entry pointing to hosts & let MBAM clean up the rest.

There's one BIG problem with that, however.  Malwarebytes does NOT just remove the one item that was flagged.  It quarantines the entire HOSTS file.  UGH!

EntireHOSTSFileQuarantined..png

HOSTSRestored.png

QuarantineHOSTS.png


Yep, Malwarebytes doesn't generally do any file editing, just straight quarantine so unless that is changed, it isn't going to be able to edit the HOSTS file to just remove the individual entries it has detected.

Honestly, if you use a custom managed HOSTS file, I wouldn't rely on Malwarebytes to deal with it and would just monitor it myself.  In fact, if you use a tool like HostsMan then every time you update (at least by default, though it can be changed) it will replace the entire HOSTS file, rebuilding it out of the lists of sites from the most recent copies from the update sources you've chosen (it stores each in a backup location as separate files so it may merge new ones from those with updates available with existing ones from sources that may not have a new version published yet so that it doesn't have to re-download copies of HOSTS files you already have on disk).

2 hours ago, exile360 said:

Yep, Malwarebytes doesn't generally do any file editing, just straight quarantine so unless that is changed, it isn't going to be able to edit the HOSTS file to just remove the individual entries it has detected.

Honestly, if you use a custom managed HOSTS file, I wouldn't rely on Malwarebytes to deal with it and would just monitor it myself.  In fact, if you use a tool like HostsMan then every time you update (at least by default, though it can be changed) it will replace the entire HOSTS file, rebuilding it out of the lists of sites from the most recent copies from the update sources you've chosen (it stores each in a backup location as separate files so it may merge new ones from those with updates available with existing ones from sources that may not have a new version published yet so that it doesn't have to re-download copies of HOSTS files you already have on disk).

exile360, thanks much for your feedback and guidance.  I do use HostsMan v4.7.105 and have it set to overwrite the entire HOSTS file on update...which I manually control.  I just wanted to let the MB techs know that the HOSTS file seems to be managed by MB differently than how they think it is.


Thanks, I am discussing this with development.

We can edit files actually and remove single lines. This def is that type and should only remove that single line. Let me know if you want to further test and verify.

However, I believe the entire file is supposed to be copied to quarantine to restore the single line in future if need be. Removing a line is simple. Trying to restore a single line in the correct place with correct formatting is another story.

That said, I am following up with dev on why we can't exclude a single line. I wasn't aware of this and am trying to see what is going on.

Thanks for your very thorough report!

