Jump to content

Suggestion

Felburg

By Felburg
in Malwarebytes for Windows

 Share

Recommended Posts

  • Staff
TeMerc

TeMerc

Posted
  • Staff
Posted

Hi.

This is something we've looked into, but not sure if or when we'll get it added to the application. Maybe one of the developers can offer more clarity.

Link to post
Share on other sites
  • Staff
TeMerc

TeMerc

Posted
  • Staff
Posted
Good suggestion, but will it be able to identify changes I did to my host file without it thinking it was a hijack?
Far too soon in planning to even address as yet. I'm not even sure development has commenced or not.
Link to post
Share on other sites
exile360

exile360

Posted
Posted

In my opinion if a HOSTS file has been hijacked by malware it should just be reset to default, which can be done by replacing it (Microsoft also has an automated "Fix-it" tool to do this), even if it's a custom ad/malware blocking HOSTS file because MBAM or any other scanner might miss some malicious entries in a large HOSTS file or might misinterpret some of the legit entries as malicious.

Link to post
Share on other sites
Marcus

Marcus

Posted
Posted

i normally keep a couple of copies of the default Hosts file for my system in separate places just for that purpose.

There are only two entries for Vista which kinda makes it easy to see what's there! No place for bad redirects to hide in amongst that lot of white space!

Link to post
Share on other sites
Felburg

Felburg

Posted
  • Author
Posted

That's what I am thinking as well.

I just want to see a simple one click option within MBAM to reset the hosts file back to default. Also, I think it would be good if MBAM scanned the hosts file during a full scan to check for inconsistencies. Most people don't even think to check their hosts file after cleaning up an infection of malware.

In my opinion if a HOSTS file has been hijacked by malware it should just be reset to default, which can be done by replacing it (Microsoft also has an automated "Fix-it" tool to do this), even if it's a custom ad/malware blocking HOSTS file because MBAM or any other scanner might miss some malicious entries in a large HOSTS file or might misinterpret some of the legit entries as malicious.
Link to post
Share on other sites
YoKenny1

YoKenny1

Posted
Posted

I do not want MBAM tinkering with my HOSTS file as I manage it myself and know if it has been tinkered with as WinPatrol on my XP Pro system warns me it has been changed. B)

If MBAM were to scan my HOSTS file for inconsistencies it would take a very long time. :D

There are several reputable sources for HOSTS file updates so how would MBAM know what sources I use for the HOSTS file and if they are reputable or not? :o

Link to post
Share on other sites
Ibrad

Ibrad

Posted
Posted
There are several reputable sources for HOSTS file updates so how would MBAM know what sources I use for the HOSTS file and if they are reputable or not? :o

Using heuristics, why would malware change your host file to 1mb+ size it would only normally make few changes. If MBAM dev's were to figure out how many sites malware try's to block via host files then figures out how big those changes are they could write a malware pattern file to detect if malware changed the host file. Well that's how I would do it :D

Well most malware I have seen have only make 10-30 changes to your host file.

Link to post
Share on other sites
mountaintree16

mountaintree16

Posted
Posted

Personally, I would not like Mbam to detect my HOSTS file alteration just because I alter it myself with a HOSTS file manager.

Also Kaspersky gives me several pop ups each day alerting me to the fact that my HOSTS file is changed. I appreciate it, and it is useful for the average user who may have no clue, but, I find it annoying. Only reason I find it annoying though is because I made the changes and I want it that way. At least I don't have it auto-fix it anymore :D hehe.

That being said, it could be useful for those whose HOSTS file have been altered by malware to block them from updating their AV & AM software and prevents them from going to AV and security websites.

Link to post
Share on other sites
YoKenny1

YoKenny1

Posted
Posted
The only thing I can think of is checking against the IP Blocker.

Where do you think the IPs come from?

Maybe a clue will help that comes from the source of many of the IP blocks?

@ Ibrad

The key is to monitor when the HOSTS file changes and prevent un-authorised changes and on XP WinPatrol is good:

http://www.winpatrol.com/options.html

Link to post
Share on other sites
DarkSnakeKobra

DarkSnakeKobra

Posted
Posted

@YoKenny1-

I wasn't thinking straight on that. How about this. MBAM should have a list of known safe addresses, then check the hosts file to see if they are blocked/redirected to different/malicious sites. Then have mbam create backups or fix/restore the correct addresses. :D

Link to post
Share on other sites
exile360

exile360

Posted
Posted
MBAM should have a list of known safe addresses, then check the hosts file to see if they are blocked/redirected to different/malicious sites.

Many AV's (Kaspersky and Norton come to mind as examples I'm certain of) already do this. Parsing a large HOSTS file (for example, one where a tool like HostsMan has been used to add entries, or Spybot, Spy Sweeper etc) would require a lot of CPU to check all those entries and dramatically increase scan times.

As for how malware does it, I haven't seen any HOSTS file hijacks in at least a couple of years, most infections that block downloads/sites are doing so through other means, such as DNS hijacks which completely bypass the HOSTS file (MBAM already detects these by the way :D).

Link to post
Share on other sites
DarkSnakeKobra

DarkSnakeKobra

Posted
Posted
As for how malware does it, I haven't seen any HOSTS file hijacks in at least a couple of years, most infections that block downloads/sites are doing so through other means, such as DNS hijacks which completely bypass the HOSTS file (MBAM already detects these by the way )

@exile360-

Well that's good. I use OpenDNS now for extra protection. Seems to block ad's. :D

Link to post
Share on other sites
DarkSnakeKobra

DarkSnakeKobra

Posted
Posted
DNS hijacks can often be shown in HijackThis logs (and other tools). In HijackThis they show up as 017 entries (keep in mind that just because such an entry exists, it does not mean that it's malicious). More info can be found here.

Yep, I know. Definitely gotta know that for my training at geekstogo. :D

Link to post
Share on other sites
DarkSnakeKobra

DarkSnakeKobra

Posted
Posted
If at very least, there should be an option under the "More Tools" tab to reset the hosts file back to default.

I am only thinking about the users that don't know anything about the hosts file.

I'm not sure that's really necessary. Many people here use SpywareBlaster which creates backups of the host file. :D If used correctly, it can restore the original file.

Link to post
Share on other sites
Felburg

Felburg

Posted
  • Author
Posted

What does Spywareblaster do that MBAM won't do?

I'm thinking in the way to ensure everything is clean and the way it should be.

I'm not sure that's really necessary. Many people here use SpywareBlaster which creates backups of the host file. :D If used correctly, it can restore the original file.
Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.