Host is modified although it is excluded

Scholar

Host is modified although it is excluded

I have win7 64 bit and have excluded the c:\Windows\System32\drivers\etc\hosts from scanning in the settings of F-secure antivirus (latest version) Still it cleans the host file and ....it does not show up in the quarantine. (I have some  modifications in my host file as developer of software) Anyone have an idea ?

7 REPLIES 7
Superuser

Re: Host is modified although it is excluded

Hello,

 

Do you mean that there have prompt about hosts-file is modified?! If yes...

 

Do you have experience with Spyware-part of Quarantine (as default opened malicious-part; and can be other two variants of Quarantine-storage for suspicious and spyware). Information about hosts-file can be under Spyware-part. And current kind of "detection" (close to suspicious) should be with option to excluded it by prompt (during detection and warning about this) - such as "trusted thing and ignore it".

 

Sorry if I wrong understand your situation.

Scholar

Re: Host is modified although it is excluded

There is no prompt but the hostfile is silently modified to a barebone config and does not popup in the quarentine virus,spyware or riskware.

This is how fsecure modiefies it

 

#
# Copyright (c) 2007 F-Secure Corporation
#
# This is a HOSTS file created during malware removal.
#
# Your original HOSTS file was infected and it was replaced
# by this file containing only clean default entries.
# The original HOSTS file may be restored from the product's
# quarantine feature.
#
127.0.0.1 localhost
::1 localhost

Superuser

Re: Host is modified although it is excluded

Hello,

 

Yes, I have experience about hosts-file and F-Secure protection.

 

OK, just for understand background with your situation:

 

-> Your exclusions lists have hosts file (if it possible)  or directory... for both of exclusion-lists (for real-time scanning and for manual scanning - it's different things).

 

-> Quarantine with "Spyware" (second part of quarnatine catalog) without information for hosts file (such as cleaning). And History of Removal Viruses/Spyware (Removal History) also without anything around.

 

Situation with that background?

 

It's can be, of course, related with something.. if settings have "automatic handle" or cleaning for (manual scanning) or something else. But maybe need to re-check first ones things (or re-check settings for manual decision and choose "ignore"-option).

 

Sorry again for my reply. It just suggestion before anything else.

Scholar

Re: Host is modified although it is excluded

What I did was adding the exclusion of c:\Windows\System32\drivers\etc\ to the manual scan also. It was not there. Although I hardly ever do a manual scan.....

Superuser

Re: Host is modified although it is excluded

Hello,

 

OK. And sorry again for my reply.

 

Basically.. if there something related with platform or AV-solution (just because my experience about another platform and IS-solution)..... I'm sorry.

 

But with my experience... exclusion list (both) with current directory should be work (or more better to add... with additional "\hosts"). It will be certainly excluded as real-time scanning (during browsing experience as example). And for scanning folders.

But PROBABLY it will be still detected during "context-scan" for certain "hosts"-file. It's probably normal... such as... exclusion list have three kind of (applications/objects as directories-based/extensions as type based).

 

Anyway if you have experience about Scan Wizard prompt (or spyware-protection wizard) - there anyway should be option (if you have settings about "Ask me" when something found) for manual decision.

And there should be option for "ignore it" (whitelisted/excluded).
And already with current step.... probably hosts files goes be under "application" part of both lists (exclusion-lists). And maybe current background should to prevent ANY detections (but need to check it more maybe.. with full scan or real-time background scanning. but it should be with variants for prevent it too maybe).

 

And also... if it's cleaning by F-Secure... maybe it's should be under Quarantine (spyware part) or removal history also. If it's without current information.... maybe there something wrong with design.

But with that.. maybe need to wait... answer by F-Secure team, because all of my words - just as suggestions around.

 

Superuser

Re: Host is modified although it is excluded

Hello,

 

Also... maybe it's known limitation.... which hosts file.

Such as... there was next topic -> https://community.f-secure.com/t5/Security/F-Secure-modifies-hosts-file/m-p/24962#M4543

 

But potentially... it's should be related just with manual scan (or with full scan);

Because.. as example... with my experience real-time "blocking" not happened. Just with full scan / scheduled scan can be detection as "something wrong with system" (during excluded directory and file). Such as.. not really "file" as hosts; But as result of malicious actions.

 

Anyway... I not check it with next settings (some kind of "normal check" and more time):


Add to both exclusion-lists:

 

-> Trigger detection by any variant (scanning or real-time prompt) with manual-decision. Add to exclusion.

It will be under "First part" of exclusion-lists.

 

-> Add directory and file under "Second part" of exclusions-lists. As object, folder, file and etc. There maybe available to add direct-link for file; for file and just as "hosts".

 

-> Add "extension/type" as "hosts" (hosts as extension/type) for "Third part" of exclusions-lists. As type of files extensions.

 

What if it will be work... and detection can to be dropped during manual full / scheduled scanning also.

But if there anyway will be advanced catch for "malicious results with system, which need to fix" (which marked more important, than exclusions-list.. in somewhat reason). Maybe there available to set up manual decision after full scan ... and will see.. if there available to exclude it again. What if it will be different-point around.

 

But commonly.. maybe your situation related (?) with another link.

But basically... it's can be with "not always" detected, but with some of steps. Such as.. it's can be that hosts is modified and it's work without blocking by F-Secure. But with some of specific background... will be detection.

Scholar

Re: Host is modified although it is excluded

Thank you for the link...that is exactly what I'm experiencing.   I see there is no solution given for that post.