about the Hosts file

[Marcus]

A thought on this...

Instead of putting in lists of redirected malevolent sites in Hosts why not insert a list of sites that you want to go to (ie.. Google, Amazon, Malwarebytes etc).

Would that not make access to these sites quicker? One less server to query?

And if the Hosts file is read-only how does malware manage to insert entries in there anyway in the first place?

I know I'm missing something here somewhere but I cannot fault my own logic !!

No doubt some expert or other will stroll round here and pick holes in this!

[YoKenny1]

The real reason for the HOSTS file was that in the begining of the Internet there was no such thing as DNS:

How Domain Name Servers Work

http://www.howstuffworks.com/dns.htm

Computers like IP addresses but people like easily understandable names called URLs:

http://www.webopedia.com/term/u/url.html

With Vista and Windows 7 the HOSTS file is set to read-only.

I like to use a HOSTS file manager like HostsMan with the hpHosts and MVPS HOSTS files:

http://www.abelhadigital.com <== I use HostsMan 3.2.71 Beta7

The browser speedup proxy HostsServer is good as it can be set to run automatically and can log the effectivness of the HOSTS file.

HostsMan has to be Run as administrator on Vista and Windows 7 systems for it to be able to update the HOSTS files.

Its not a good idea to put Google or Amazon into the HOSTS file as their IP addresses can change and you will not be able to reach the sites.

[Marcus]

Thanks for those informative links, YoKenny. I will bookmark them, read them, and learn about this.

It's not a good idea to put Google or Amazon into the HOSTS file as their IP addresses can change and you will not be able to reach the sites.

Still, I wonder what would happen if you listed, say, for example, Amazon.com in the Hosts and then listed all Amazon's IP addresses incuding any other TLDs they use?

I supose one would have to check regularly for changes to a given site's IP address(es) and then manually change it in Hosts.

I'm tempted to give this an experimental try with one of my regularly-visited sites like, Oh, I dunno, http://www.theregister.co.uk for a month or two and see what happens. I might even do this with the malwarebytes site instead of (or even as well as) and watch what happens.

I'm in experimental mood this week! :)

[exile360]

It can't do any harm to try it out and see, because if you end up not being able to connect to the site you can always use notepad and remove the entry in question, or just make a backup of your HOSTS file before you make the alterations.

Let us know your findings .

[Marcus]

SO far...preliminary findings - Part 1(!)

Here is the bit of my Hosts file that matters. As you can see there's not a lot in it...bear in mind this is from a Vista system hence the second localhost line.

127.0.0.1 localhost

::1 localhost

69.162.79.74 malwarebytes.org

212.100.234.54 theregister.co.uk

209.85.229.99 google.co.uk

Obtained these IPs from http://ip-lookup.net/domain.php

below that lot is a lot of white space; ie nothing. Do not take that to mean that the same applies between my ears!! This has a brain which doesn't turn at the same speed or even think in the same way as everybody else.

It's in a league all by itself!

An independent sort of semi-eejit just about sums me up!

My impression (totally subjective and without any form of data-documented, timed testing) is that those sites are found and displayed noticeably quicker on my system, if only by a couple of seconds, if that. There is a definite sense (at least in my mind) of "no hanging about" and no delay with those sites now that they're listed in Hosts.

Put it this way: it just feels quicker

Interestingly if you do a domain search on malwarebytes' IP up there on ip-lookup.net you get this:

alpha.malwarebytes.org

Anyway, no matter. The IP's correct because you get to the Malwarebytes' homepage in the blink of an eye!

..hmm..Is it possible you could mix the above with any number of hosts lists so you'd have a combined redirection and a faster search in one?

@exile - took your advice and have several copies of my default Hosts file, including one right on my desktop where this eejit can see it and not lose it!

Isn't life good when things go right for a change.

I have the whole of next year to mess about in the registry and bugger it up again in the name of learning; I have full confidence in the ability of MBAM's experts et al here to..ah..erm..haul my * out of the * and send me on my way with a flea in my ear!

This post has been edited following some strong coffee with brandy added having just been drunk. ("No, not me sir" - "it's just the coffee talking"). No doubt I'll be re-editing when a semblance of rationality and err..sobriety (God how I loathe that word!) and english coolness have returned from the planet to which they've temporarily escaped. Jeez was that a mouthfull of typing!

[Marcus]

48 hrs later...

Computer working normally; logging on and off into Windows normal; no error messages; informative (or bossy, depending on your point of view) message / dialog boxes have appeared at all during this period. No blue / black or any other colour of screen appearing (hahah ). Logging on and off the internet is normal and fast. Can access all the sites I've put in Hosts without any difficulty, quickly, and with no perceptible hesitation.

Access time = a couple of eyeblinks . Seriously, it is perceptibly quicker both when you click on its bookmarked url and when you go back to it from another site compared with not having the sites in Hosts.

Thinking about YoKenny's remarks I'm inclined to take Google.com out of Hosts just in case although I can't imagine them changing their IP adresses without good reason; on the other hand you could always use another search engine (not in Hosts) to find Google if they ever did change them.

At present I'm undecided about this. More thinking and caffeine required!

[YoKenny1]

More thinking and caffeine required!

Its Egg Nog and rum time now.

[Marcus]

Decision made...

Gonna take Google out of Hosts; playing safe here. Difference in access time is, so far as Google is concerned, frankly negligible.

"See, YoKenny, I do listen to you,. Now I have to go and check my rum supplies in the fridge to add to my premium-grade filter coffee...now, do, please, excuse me".

[swagger]

Hate to rehash but you're original thinking in your first post was flawed... Removing the malicious sites and adding the good sites would defeat the purpose of HOSTS file such as MVP and hpHosts. Without those sites included in your HOSTS file as redirected to localhost (127.0.0.1), you would be able to access them, even if it was by accident. I hope you see that clearly now

Regards,

Keith

[exile360]

@swagger: he never said he wanted to remove the blocked localhost entries for malicious sites, simply to add legitimate sites along with their actual IP's. I've been testing this myself with malwarebytes.org for the past few days but I can't say I've noticed any difference in speed at all, but I also have the DNS Service disabled which may have something to do with it.

@Marcus: I just noticed one of your initial questions and I'll offer an answer for you: Malware is able to alter the HOSTS file even though it may be set to Read Only because most malware runs with either administrative privelages or system level privelages, both of which allow for altering read-only files and folders. That's why running as a Standard or Limited user in Windows can do much to prevent malware from wreaking havoc on a system, although most modern infections have ways around that as well .

[YoKenny1]

Marcus why don't you update your signature by going to My Controls then > Edit Signature and add your system information like my signature.

WinPatrol can monitor HOSTS file changes on XP but not on Vista nor Windows 7

[exile360]

WinPatrol can monitor HOSTS file changes on XP but not on Vista nor Windows 7

True, but Windows Defender can, at least if you have it set to do so (alert to changes by unknown or unclassified software).

[YoKenny1]

True, but Windows Defender can, at least if you have it set to do so (alert to changes by unknown or unclassified software).

Where do I set that?

[exile360]

Where do I set that?

• Open Windows Defender
  
• Click on Tools at the top
  
• Click on Options
  
• Scroll down to Real-time protection options
  
• Check the box next to Software that has not yet been classified for risks under Choose if Windows Defender should notify you about:
  
• You may also optionally check the box next to Changes made to your computer by software that is permitted to run, but be aware that this may make it conflict with the removal procedures of software such as MBAM
  

[YoKenny1]

I do not see Software that has not yet been classified for risks

About Windows Defender

Client Version: 6.1.7600.16385

Engine Version: 1.1.5302.0

Antispyware definitions: 1.71.1143.0

[exile360]

It may not exist in Windows 7, I know they took a LOT of stuff out of the Windows 7 version of Windows Defender. It might be under the Advanced or Administrator settings though, but I doubt it . You could also look through the Default actions tab as they may have moved it there, but again, I doubt it.

[Marcus]

Marcus why don't you update your signature by going to My Controls then > Edit Signature and add your system information like my signature.

WinPatrol can monitor HOSTS file changes on XP but not on Vista nor Windows 7

I'll do that, YoKenny, when I get home. At the moment I'm at work in the middle of the night in a hospital intensive care unit. And in case you're wondering I am at my "lunchbreak" right now.

Hmm... I understood that WinPatrol does monitor the Hosts file in Vista; at least it does on my system! I actually have WinPatrol Plus.

[Or am I confusing that with Windows itself asking me to accept changes in the Hosts file?] Thinking about it I think your right, YoKenny, as the unmistakable grey screen of WinPatrol doesn't appear with this as it does with permission-requests that arise with other WinPatrol-monitored areas.

Slowly but surely learning with a brain that's as slow as Aristotle's slow and dimwitted horse!

@ exile - It's obvious now that you've mentioned it that the very last thing any malware wants to do is to abide by / follow permission restrictions with regard to access or actions set by Windows or perhaps customized by a given user - otherwise it wouldn't be malware at all! Now that is called stating the bleedin' obvious and yet it takes an Expert to get this into my head!

[YoKenny1]

Marcus your brain is not as slow as Aristotle's slow and dimwitted horse! but it is learning.

How was all that snow you recently had?

We Cannucks take that stuff in our stride

[swagger]

A thought on this...

Instead of putting in lists of redirected malevolent sites in Hosts why not insert a list of sites that you want to go to (ie.. Google, Amazon, Malwarebytes etc).

@exile, I must have misinterpreted this line then. It sounds like Marcus wanted to reverse what was included in the HOSTS file. Disregard then I suppose.

Regards,

Keith

[Marcus]

Marcus your brain is not as slow as Aristotle's slow and dimwitted horse! but it is learning.

How was all that snow you recently had?

We Cannucks take that stuff in our stride

Trains running..sort of..occasionally..depending if the driver feels like taking it out and how cold he is and whatever else. Airlines:...Ryannair grounded all flights yesterday..Virgin didn't cancel any. Half the population didn't turn up for work and yesterday 20 to 30 min journeys were taking round about a couple of hours. A general moan / whinge /carp / discussion / all day on the radio about a maximum of 6 inches of snow anywhere in the country.

As you know our lovely little country can just about cope with half an inch of snow; we descend into a huge pile of muddled chaos if there's anymore than that! I just love my mad little country - it's the same with any amount of rain beyond that which would make a couple of puddles; absolutely hopeless.

[YoKenny1]

As you know our lovely little country can just about cope with half an inch of snow; we descend into a huge muddled chaos if there's anymore than that! I just love my mad little country - it's the same with any amount of rain beyond that which would make a couple of puddles; absolutely hopeless.

You have the best Fish and Chips though

[Marcus]

Yep! Especially when wrapped up in newspaper with loads of salt 'n vinegar.

Reminds me of my childhood - many a friday night did my dad nip round to the local chippie and treat me to cod and chips wrapped in newspaper as a friday night treat after school. Sheer heaven!

Happy days, those., having fish 'n chips in the old-fashioned way.

Hang on a bit! I think I've hijacked my own thread here! "haha "

I'll steer it back to Hosts an' things as and when I make discoveries :)

[exile360]

These are the additional sources I use with HostsMan as requested. I decided to post them here so everyone could have access. Note that these are used in addition to all of the HOSTS files that are updated with the latest version of HostsMan, which thankfully deletes duplicates (as you could imagine, some of these sources will have many entries in common with other sources on the default lists):

HostsMan Update Sources:

• Bluetack
  
  • http://www.bluetack.co.uk/config/HOSTS.zip
    

  [*]MalwareDomainsList

  • http://www.malwaredomainlist.com/hostslist/hosts.txt
    

  [*]Cameleon Ad's

  • http://sysctl.org/cameleon/hosts.win
    

Enjoy

[Marcus]

I'll check those lists out, Exile; thank you for providing them. You may have guessed that the only Hosts' entries I have are Vista's defaults and IP addresses of my most frequently-accessed favourites. Currently not using any hosts' lists at all.

..thinking about something here..."[be prepared! ; hope you guys have had your morning's worth of srong filter coffees or perhaps a stiff drink with your morning toast]:

1. why do we have 127.0.0.1 as the local address? That address just looks odd. There doesn't seem to me to be any mathematical logic to IP address allocation or perhaps there is and I cannot see it. Why the "1" at the end or indeed why have "127" at all? I could understand an address of, say, 1.0.0.0 or 0.0.0.1 or even 1.1.1.1. But "127"?

2. Vista doesn't have 0.0.0.0 as a local host. It's not listed in the default Vista Hosts file although it's present in XP's. Why is this?

3. Could the Hosts file be password-protected up to and including, say, Administrator-level of privilege so that, for example write-access (without entering a password) would only be available at Trusted Installers' level of privilege (or the one just below it which I think is SYSTEM). Would that not help in mitigating a Hosts' file > browser hijack?

I'm afraid I tend to look at things somewhat differently to everybody else. I like to "walk round the back", turn them upside down and look at them from behind, from above looking down, from underneath looking up; any way you like as well as head on!!

I've had too much strong black coffee this morning hence the brain is way too active and Aristotle's slow and dimwitted horse is positively galloping along

And I hope you're not too hung over, guys. Just don't strain the brain this morning coz' that'll make your headache worse!

[noknojon]

Here you go sunshine -

Some good reading from YoKenny1 - Only a 5 min scan for you -

Regards -

How Domain Name Servers Work

http://www.howstuffworks.com/dns.htm

From Google - Type the numbers into the search box -

127.0.0.1 - Localhost IP Address127.0.0.1 is an reserved IPv4 address.

127.0.0.1 is a special purpose address conventionally used as a computer's loopback address.

compnetworking.about.com/od/.../g/127_0_0_1_def.htm - Cached - Similar