F-Secure modifies hosts file and states that it can be restored but it's not possible

hibi
hibi Posts: 3 Observer
edited November 2023 in Device Protection

I'm on windows and after installing f-secure just found that the hosts file in


C:\Windows\System32\drivers\etc\hosts


got replaced by F-Secure. There's this message at the top of the file now:

#

# Copyright (c) 2007 F-Secure Corporation 

# This is a HOSTS file created during malware removal. 

#

# Your original HOSTS file was infected and it was replaced 

# by this file containing only clean default entries. 

# The original HOSTS file may be restored from the product's

# quarantine feature.




As the file states, the original HOSTS file may be restored from the product's quarantine feature.

Opening the quarantine feature dialog (App and file control->tab "Quarantined"), there is no entry of hosts.


I also checked the full timeline of events for F-secure with admin rights and can see the first entry (F-Secure was installed) to the last entry; nowhere is a entry for hosts.


Is the hosts gone forever or is there a possibility to restore it like it's stated in the new file?

Accepted Answer

  • Ukko
    Ukko Posts: 3,733 Superuser
    edited May 2023 Answer ✓

    Hello,

    I am only an F-Secure user. So, sorry for my suggestions. And if you want to get a certified assistance - it is better to contact their Official Support channel, for example, web-chat widget there: Contact support | F-Secure

    where Support Agents with an ability to provide technical investigation.

    However, some points about your situation:

    • your "hosts" file was extensively modified by you? and you did not have any backup/copy of these changes? I mean, is it impossible to re-create entries which you want to put in hosts?
    • you can try to use Quarantine Dumper - How do I collect quarantined files? - F-Secure Community (and then if failed: Collecting quarantined files manually when the Quarantine Dumper tool fails - F-Secure Community);
    • did you use F-Secure solutions before on that system? Or Online Scanner, for example? Just to understanding - why something 'quarantined' - but no notes about it in UI. Although it is possible that during installation there is a brief security check - but if so.. it is something unexpected, when 'restoring'-feature is missed after (and no report about detections).
    • // one addition - if any malware was detected/removed on your system from a critical place - then some important parts of system will be restored to default set up (as a routine of 'cleaning' system). For example, it can be an explanation that your hosts was not detected as such (something in there or 'maliciously' modified hosts file) - but restored to default state after cleaning another malware in system. As part of other actions to ensure that system with 'safe' state (in case if there any undetected malicious editions).
    • // and one more: you checked "Quarantined" tab of App and file control - I think "yes", but did you check "Blocked" tab (next to Quarantined)?

    Similar situation was discussed there:

    Thanks!

Answers

  • hibi
    hibi Posts: 3 Observer

    Hi Ukko

    Thanks a lot for your help.

    >if you want to get a certified assistance - it is better to contact their Official Support channel, for example, web-chat widget there

    I did that immediately after i found out that the hosts file was deleted but the support guy didn't know what a hosts file is. But he promised to write me an email with more info. If he does, i'll update here.


    >your "hosts" file was extensively modified by you? and you did not have any backup/copy of these changes?

    No, and this is the honestly first time in more than 20 years i'd need one.

    >you can try to use Quarantine Dumper

    Ok, the manual approach worked, but it seems like the files in there are either encrypted or don't contain the hosts file. There is a file named "00000001" though which contains the path to the hosts file in unicode. Maybe the next one ("00000002") is the old hosts file in encrypted form? Do you know if they're encrypted and how to decrypt them?

    >did you use F-Secure solutions before on that system? Or Online Scanner, for example? 

    No, neither. This is the first time i'm using this product because i got it for free and it's been recommended to me.

    > [...]it can be an explanation that your hosts was not detected as such [...] but restored to default state after cleaning another malware in system

    I see your point but this would be a very bad implementation because the file header clearly says "Your original HOSTS file was infected" and "The original HOSTS file may be restored from the product's quarantine feature" and both is wrong.

    >you checked "Quarantined" tab of App and file control - I think "yes", but did you check "Blocked" tab (next to Quarantined)?

    Yes, i checked the quarantined tab, the blocked tab (it's empty) and all other tabs and also all other things in the ui i could find but couldn't find any mentions of hosts.

    >Similar situation was discussed there

    They mention a KB article whose link is dead.

    They also say to submit the file to their labs. Do you know if the process is still like this and if yes, how to do that?

  • Ukko
    Ukko Posts: 3,733 Superuser

    Hello,

    Thanks for your feedback and response!

    No, and this is the honestly first time in more than 20 years i'd need one.

    Yes, I do not mean that backup was a necessary thing in your case. I just wanted to understand if there was the hosts file with a lot of additions / editions , and if so, what if somewhere or somehow there might be a backup copy of its contents. But I think that if it were possible - you would have already tried to do it (let's say another system with the same approach, and so on).

    And in other words, to understand the scale of the trouble - is it possible to restore all the edits manually by yourself (in case there is no way to find a proper solution).

    However, it's good that there is already a potential possibility to communicate with Support Agent via the email channel.

    Ok, the manual approach worked, but it seems like the files in there are either encrypted or don't contain the hosts file. There is a file named "00000001" though which contains the path to the hosts file in unicode. Maybe the next one ("00000002") is the old hosts file in encrypted form? Do you know if they're encrypted and how to decrypt them?

    I tried to quarantine two Eicars(test-file). It was generic "eicar.com"

    Then, tried to use fsdumpqrt.exe. My "malware_samples.zip" structure is:

    • Quarantine-folder with two folders "00000001" and "00000002"; each then with another folder that contained Info.xml and then path to the quarantined item (starting from Drive-letter). Both then with 'eicar.com' at the end.

    I don't know if they encrypt, but it would make sense (to be honest). In my testing, nothing appears to be encrypted (except that the .zip file itself was password protected). If you got it not with Quarantine Dumper, but in a really complete manual approach (as described in KB article if Quarantine Dumper does not help) - then there may still be some differences. I did not check it (yet)

    In Info.xml there is a 'binary' (?) description in base32 or base64 or something which looks like that. I did not manage to convert it to file by some online tools (but I think quarantined .com is a bit of 'tricky' - I just puzzled how to do so properly).

    No, neither. This is the first time i'm using this product because i got it for free and it's been recommended to me.

    Too bad, then I would have thought - that with some other tool (as with F-Secure Online Scanner) or version - item would be visible in the quarantine.

    It remains possible that some kind of scan was performed during the installation (it used to be, but as far as I remember, this has not been used for a long time). However, I haven't tried a clean install for a long time, and perhaps such a check happens only in very unique cases, the very-very first installation, or when some conditions arrives (there was no Windows Defender turned on or something like that, for example).

    In any case, of course I think - that there should have been some kind of notification about the detection or information about. Could you also tried to check Windows Event Viewer (Journal) - Windows 7 (Start : Control Panel : System and Security : Administrative Tools --> Event Viewer) and Windows 8, Windows 10 (11?) by opening start menu (or whatever it called) and typing Event Viewer (or your local name of that tool; if Windows is localized).

    For example, "FSecureUltralightSDK" under "Application and Services logs/F-Secure Ultralight SDK" - it may be with a bit more information about blocking/detecting event. Whether something was even logged or not.

    I see your point but this would be a very bad implementation because the file header clearly says "Your original HOSTS file was infected" and "The original HOSTS file may be restored from the product's quarantine feature" and both is wrong.

    Yes, true.

    I can only note that if this was such a reason (that is, the hosts file was restored to the default view due to the detection and fixing of something else) - then it would be difficult for the software to evaluate the changes made to the hosts - are they safe or not (in the case if they are not known to be "dangerous" and when hosts-file itself is detected/quarantined). Therefore, such a rather generic title as ""Your original HOSTS file was infected"" is more like a limitation (and may be ok for most situations).

    What about restoring from quarantine - still good to keep the potential opportunity.. that it will be possible to do it even if with the help of Support agents.

    They mention a KB article whose link is dead.

    The Communtiy engine was changed and some of these resources (there are many of them, unfortunately) were not automatically available at the new URLs. But I think that mentioned one is which I provided in the first reply (about Quarantine Dumper).

    How do I collect quarantined files? - F-Secure Community

    They also say to submit the file to their labs. Do you know if the process is still like this and if yes, how to do that?

    I think yes. Although I would consider that there is little difference with contacting Support (especially since you may be contacted by email).

    I think it meant there that F-Secure Labs will evaluate if it was a false positive or if there was a reason to quarantine the Hosts file.

    Therefore, assuming that your result with a manual approach was with Quarantine Dumper (if not - could you try to use it?). F-Secure SAS is still there: Submit a sample | F-Secure (KB article about procedure: How can I submit samples to F-Secure? - F-Secure Community). Also, you can try to send already gathered files\folders 00000010 and 00000020.

    But I think they might be empty.. By the way, what is their file size (does it look like an empty file or maybe a modified hosts file)?

    If still not possible to deal with the situation (restore from quarantine). It might have been some kind of bug. And the quarantine process itself was not successfully completed or failed. This should not be, of course, in the best understanding. But, for example, if the system name or path, or username or something else contained / contains some features - the tool with which the attempt was made (at some stage) did not cope with the task. Well, this is just an virtual example (I don't know if this scenario is possible).

    Then or still now (if the Support Agent contacts) - create fsdiag (Using the support tool | Total | Latest | F-Secure User Guides) and send it for analysis.

    It's just not clear to me - when, at what stage and why the hosts file was changed. Especially if, as you say, there were no notifications about this.

    Thanks!

  • hibi
    hibi Posts: 3 Observer

    is it possible to restore all the edits manually by yourself

    It's always hard when this grow over a long time. Also i found that some entries made by various apps like docker are now also gone.

    If you got it not with Quarantine Dumper, but in a really complete manual approach (as described in KB article if Quarantine Dumper does not help) - then there may still be some differences. I did not check it

    Yes, the contents from manual collection are totally different. All those files are binary and maybe partially encrypted or compressed. There might be a known description for the format but i didn't search for it.

    Then, tried to use fsdumpqrt.exe. My "malware_samples.zip" structure is:

    Quarantine-folder with two folders "00000001" and "00000002"; each then with another folder that contained Info.xml and then path to the quarantined item (starting from Drive-letter). Both then with 'eicar.com' at the end.

    I don't know if they encrypt, but it would make sense (to be honest). In my testing, nothing appears to be encrypted (except that the .zip file itself was password protected). 

    I should have tested the dumper first! I tried it now and got the same structure as you got and all the files were in clear text including the missing hosts file which i now successfully restored.

    Interestingly, some app or maybe windows changed it at some time and excluded explicit entries for localhost which i didn't even remember:

    # localhost name resolution is handled within DNS itself.
    #	127.0.0.1    localhost
    #	::1       localhost
    

    F-Secure added those again in their replacement file.

    Apparently during this possibly initial scan and actions F-Secure also removed some registry keys of which i couldn't find any mention in the logs either. It saved these old values

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
    "Hidden"=1
    [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wuauserv]
    "Start"=3
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
    "NoActiveDesktopChanges"=1
    

    and changed them to 0, 2, 0. I've been already wondering why the hidden files didn't get displayed anymore in windows explorer. Strange thing to silently change these settings.

    But I think they might be empty.. By the way, what is their file size?

    There are 11 files in the tar from manual collection, 00000000 to 00000010, where all but one are between 1 and 2kb. Number 10 is 25kb. Here's the one which likely is used to "index" the changed hosts file:

    22 04 00 00 00 00 00 00 00 00 00 00 25 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 43 00 3A 00 5C 00 57 00 49 00 4E 00 44 00 4F 00 57 00 53 00 5C 00 53 00 79 00 73 00 74 00 65 00 6D 00 33 00 32 00 5C 00 64 00 72 00 69 00 76 00 65 00 72 00 73 00 5C 00 65 00 74 00 63 00 5C 00 68 00 6F 00 73 00 74 00 73 00 00 00 00 00
    

    It's some sort of header and then the unicode path to the replaced hosts file.

    Three similar files contained a header and unicode paths to the three changed registry keys.

    My old hosts file has a length of hex 430 and the size of the file 00000000 almost matches that. The first few bytes are

    19 49 19 49 01 00 01 00 05 00 00 00 00 00 00 00 93 A9 78 7E E5 6F 71 DB 73 61 B5 A1 98 3D EB 79 3C AD BA 6C A0 7F E9 4F 80 F8 C4 F2 5C 17 C2 79 50 93 66 6B 3C 64 7A 2F E2 30 4F 86 78 E4 C9 C8
    

    It's just not clear to me - when, at what stage and why the hosts file was changed. Especially if, as you say, there were no notifications about this.

    Yes, this is really strange. Also that not only hosts but also some registry keys got silently changed. But i'd go with your first guess that this is part of some initial scan right after installation. F-Secure never was installed on this or any other of my PCs before. But there was always some Virusscanner active; last was Windows Defender.


    Thanks for all your help!🙏 Now that i was able to restore the things manually from the files dumped by fsdumpqrt.exe everything seems to be back to normal. I will keep monitoring for such issues by dumping from time to time and comparing the contents with the logs.

  • Ukko
    Ukko Posts: 3,733 Superuser

    Hello,

    Good to hear that all is fine now!

    and changed them to 0, 2, 0. I've been already wondering why the hidden files didn't get displayed anymore in windows explorer. Strange thing to silently change these settings.

    Yes, mentioned thing is also part of 'post-removal' routine. I never experienced this by only installing F-Secure. Also, not every detection or 'cleaning up' will ended with those changes.

    My understanding - if a malicious file (or something) found in critical area of system (let's say, even 'Desktop' folder) or many of them at once - situation can be treated as 'infection'. So, to disinfect: items are quarantined (or deleted); some settings are reverted to default state (which considered to be safe or secure).

    Apparently during this possibly initial scan and actions F-Secure also removed some registry keys of which i couldn't find any mention in the logs either. It saved these old values

    So, to uncheck "show hidden files" is surely one of them (which I experienced a lot). And it is likely that "Windows Updates" (manual or disabled) can be reverted to be active (auto). In my Windows 10 it is 'on and active', but based on my past experience - probably that was a case indeed (as 'system updates' are recommended and malware will try to disable this component or 'replace' it sometimes).

    So, these changes are not a detection of something suspicious - but was part of 'removal operation'. I think, it may be described somewhere in KB articles or Online Guides. I mean, I feel that you can use these settings - it can be 'restored' to default only after removing something (from critical area or a certain type of threat). If not - well, need to find a reason.

    Thanks for all your help!🙏 Now that i was able to restore the things manually from the files dumped by fsdumpqrt.exe everything seems to be back to normal. I will keep monitoring for such issues by dumping from time to time and comparing the contents with the logs.

    A good idea. :) But if it will be so - I mean, no prompts about any actions, but still something quarantined / changed - good to create a Support ticket. With fsdiag (F-Secure User Guides) - it may be easy to find out why such situations there.

    Because it should not be like that (I think). Like if F-Secure failed to show popup or prompt/toast in very certain system's background.. or something malfunctioning.

    You, also, can to exclude things to prevent any unwanted detections. For example, 'hosts' file was possible to exclude before. However, manual (context) scan will still detect it if something 'malicious' in there.

    But I am not sure that excluding 'hosts'-file will prevent reverting back to default view in case of 'virus removal operation' (as other changes like 'showing hidden files'..) ... but I never tried to check this.

    Thanks!

This discussion has been closed.