Spybot and the HOSTS file

[Soultrain]

Hello there

After trying to customize my Hosts file to be like this:

0.0.0.0 badsite1 badsite2 badsite3 badsite4 badsite5 badsite6 badsite7 badsite 8 badsite 9
0.0.0.0 badsite 10 ... (always with 9 entries per line)

I ran Spybot and it went crazy. It kept saying that the scan was cancelled by user. It clearly hasn't been.

The reason for that is the way how the hosts file is customized. There is nothing wrong with the hosts file, though.

Perhaps you guys could update Spybot to solve that problem?

[Greyfox]

Hello there

After trying to customize my Hosts file to be like this:

0.0.0.0 badsite1 badsite2 badsite3 badsite4 badsite5 badsite6 badsite7 badsite 8 badsite 9
0.0.0.0 badsite 10 ... (always with 9 entries per line)

Now why would you do that?

The Microsoft host file contains the following
"This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.

[Soultrain]

Now why would you do that?

The Microsoft host file contains the following
"This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.

That's what they say. Now does that entirely correspond to the reality?

The point is that it is possible to do what I mentioned (not my discovery, though).
So, I am guessing that it would be appropriate for Spybot team to fix it? I mean, let's suppose that someone creates malware to put the hosts file, just like I did. Then Spybot won't even be able to do a damn thing against it, as it won't even be able to scan the system.

Quite simple the reason why they should update Spybot, don't you agree?

[Greyfox]

Soultrain,

No I don't agree!

What possible gain would there be for any sofware producer to try to make their product work with "one off" customised installations. SpybotSD is not the only antispyware product that uses the hosts file, and to me this is a good reason for keeping it standard.

Assuming for whatever reason you want to continue with your non standard format, have you tried unticking the host file in the immunisation page so Spybot doesn't try to add entries to it.

You said

.. let's suppose that someone creates malware to put the hosts file, just like I did. Then Spybot won't even be able to do a damn thing against it, as it won't even be able to scan the system.

Spybot provides the means to lock the hosts file against alteration, but that aside the Spybot entries in the hosts file are part of the immunisation procedure. They are not relevant to the on demand scanning procedure.

So that's my 5 cents worth - it's not up to me anyhow, but I will be interested to see what others think

[blues]

I mean, let's suppose that someone creates malware to put the hosts file, just like I did. Then Spybot won't even be able to do a damn thing against it, as it won't even be able to scan the system.

is this a new discovery? maybe the malware writers starts doing this to avoid spybot detect that security sites or other sites is blocked by the hostsfile.

i can notice that the spybot scan takes longer to finish when using "mvps hosts" and hphosts hostsfiles together with the spybot hostsfile.

[Soultrain]

Soultrain,

No I don't agree!

What possible gain would there be for any sofware producer to try to make their product work with "one off" customised installations. SpybotSD is not the only antispyware product that uses the hosts file, and to me this is a good reason for keeping it standard.

Assuming for whatever reason you want to continue with your non standard format, have you tried unticking the host file in the immunisation page so Spybot doesn't try to add entries to it.

You said

Spybot provides the means to lock the hosts file against alteration, but that aside the Spybot entries in the hosts file are part of the immunisation procedure. They are not relevant to the on demand scanning procedure.

So that's my 5 cents worth - it's not up to me anyhow, but I will be interested to see what others think

Spybot protects nothing against Hosts file modification.

Not when I update it with my entries, not when I use third party applications to update it, etc. Never.

Should it not block those attempts? It never asked me a damn thing...

My HIPS does, though.

If malware wants to change entries, it will, unless you keep your Hosts file under your eyes and protect it properly with other tools, such as HIPS.

Besides, the point is that:

- there is nothing wrong with the way I have my HOSTS file.
- Spybot dies if the HOSTS file's entries are ordered the way I mentioned.

This is something that should be fixed and not just because I use my hosts file that way and use Spybot.

If Spybot team doesn't change their product to be able to handle with such HOSTS file, then they will be one step behind providing what they provide - protection. Simple

[blues]

the "read only" that spybot sets on the hostsfile doesnt block all malware from changing the hostsfile. i just remove the "read only" that spybot sets to avoid it to stop hostsman from changing the hostsfile, but i dont know if that is necessary.

[Soultrain]

the "read only" that spybot sets on the hostsfile doesnt block all malware from changing the hostsfile. i just remove the "read only" that spybot sets to avoid it to stop hostsman from changing the hostsfile, but i dont know if that is necessary.

Even if Spybot is blocking the HOSTS file to remain "read only", you still can unblock using Hostsman without any sort of problem.

Now wonder malware

[blues]

the "read only" that spybot sets on the hostsfile is useless.

[Soultrain]

the "read only" that spybot sets on the hostsfile is useless.

I haven't tested it yet, but I think Hostsman does a better job at protecting the Hosts file and keeping good hosts out of the hosts file. Something used by malware creators to prevent users from accessing antivirus/antispyware web site or even update their antivirus and antispyware.

And Hostsman isn't even a security tool!

And for those wanting to monitor the Hosts file, among other things, Winpatrol 2008 would be a good asset.

But, I do hope that Spybot team does fix this. It is not something that I want done for me, but that should be done for all users who rely their spyware and some other malware protection on Spybot.

The question is: Don't supporters of Spybot deserve the best protection possible? I believe they do. Am I wrong?

I also find it quite surprising that no Spybot staff commented this thread. Is this thread so trivial, that developers don't give a damn about this flaw?