Defender - Requests for Enhancement

Guest

Defender reports "Possible Hosts File Hijack" and the following details.
Notice the Description. Notice that "this program" is not specified, assuming
that the HOSTS file is not in any sense, a "program." Saving out HOSTS file
periodically indicates that if it does change, the changes do not persist.

"Category:
Configuration Change

Description:
This program has potentially unwanted behavior.

Advice:
Allow this configuration change only if you trust its origin. It is
recommended that you run a quick scan if you choose to block this change.

Resources:
file:
C:\WINDOWS\system32\drivers\etc\HOSTS

Summary:
System Configuration change occurred.

This agent monitors security related configuration changes made to Windows.

Checkpoint:
Hosts File

View more information about this item online."

It would be an improvement if we could tell what was trying to access the
HOSTS file.

Didrik Thede
 
dthede;
Are you also using Webroot's SpySweeper, and do you have the Common Ads Site
Shield of SpySweeper enabled? That could be a possible explanation for
recurring HOSTS file changes...
 
Thanks for your prompt response on this.

Yes. I believe you're exactly correct. And Spysweeper no doubt touches
this file, presumably triggering Defender's response. But as reported, the
HOSTS file does not reflect any changes -- although I acknowledge that the
file _might_ temporarily be changed and then changed back to its former
content.

What needs to be reported by Defender is an attempt to alter the HOSTS
file, not simply report an attempt to read it. And, as mentioned it would be
important to have the information that it's Spysweeper which is touching the
file, especially since the dialog boxes pretend to report the program
accessing it.

Regards,
Didrik
 
I would like to see an option in the History to reclassify already classified
programs and settings, next I would like to see an option to classify
programs as a whole "OK" or "Block" etc. For example media player (Your own
product) likes to use multiple ports for MMS, HTTP, etc streaming and each of
these make defender want to have you classify the program over and over and
over again if it uses a different port. Thanks,
 
I would like to see an option in the History to reclassify already classified
programs and settings, next I would like to see an option to classify
programs as a whole "OK" or "Block" etc.

I would like capabilities such as those suggested by Michael. Unlike Mr
Cat, I use Spy Sweeper's real-time protection, so I do not use WD's real-time
protection. However, when I run a WD scan, it reports suspected hijacks in
the HOSTS file. So far, all of the suspect entries in the HOSTS file had a
suffix of "#SpySweeperCASS" & I'm pretty sure these are valid entries. For
example, by doing a comparison of HOSTS files, I see that WD cleaned the
HOSTS file entry

127.0.0.1 media.fastclick.net #SpySweeperCASS

An alternative would be to let the user see each suspect entry and select
those that the user wants WD to clean.

-- FrowningBob
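
The HOSTS comparison described above can be scripted so that each changed entry is shown with its target address and trailing tag. This is an added example, not part of the thread or of Windows Defender; the function names and the two snapshots (including `login.example.test` and `203.0.113.7`) are constructed for illustration.

```python
import ipaddress

def parse_hosts(text):
    """Return {hostname: (address, trailing_comment)} for each mapping line."""
    entries = {}
    for line in text.splitlines():
        body, _, comment = line.partition("#")
        fields = body.split()
        if len(fields) < 2:
            continue  # blank line, comment-only line, or malformed entry
        for name in fields[1:]:
            entries[name.lower()] = (fields[0], comment.strip())
    return entries

def classify(address):
    """'sinkhole' for loopback/unspecified targets, otherwise 'redirect'."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return "invalid"
    return "sinkhole" if ip.is_loopback or ip.is_unspecified else "redirect"

def diff_hosts(before, after):
    """List (change, hostname, address, kind, tag) between two snapshots."""
    old, new = parse_hosts(before), parse_hosts(after)
    changes = []
    for name in sorted(old.keys() | new.keys()):
        if old.get(name) == new.get(name):
            continue
        if name in old:
            addr, tag = old[name]
            changes.append(("removed", name, addr, classify(addr), tag))
        if name in new:
            addr, tag = new[name]
            changes.append(("added", name, addr, classify(addr), tag))
    return changes

# Constructed snapshots: one tagged block entry removed, one redirect added.
BEFORE = """127.0.0.1 localhost
127.0.0.1 media.fastclick.net #SpySweeperCASS
"""
AFTER = """127.0.0.1 localhost
203.0.113.7 login.example.test
"""

if __name__ == "__main__":
    for change in diff_hosts(BEFORE, AFTER):
        print(*change, sep="\t")
```

Entries classified as `sinkhole` only block a name by pointing it at the local machine, while `redirect` entries send a name to another address and are the ones worth reviewing individually.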
 