[Bug] Hosts file leftovers



Tarun
2007-08-19, 01:52
When you remove the Spybot Hosts file, these leftovers are present:

# Start of entries inserted by Spybot - Search & Destroy
# End of entries inserted by Spybot - Search & Destroy

It also keeps the read-only attribute, whereas the default is not to have the Hosts file with read-only.

PepiMK
2007-08-19, 16:26
Well, these entries do no harm, right? And they may speed up an immunization in the future ;)

The read-only attribute is to prevent simple malware from writing to it. Since it's a file not written to by the system by default, I don't see any harm in that as well.

Tarun
2007-08-19, 17:45
Malware can still alter and even replace your Hosts file. Malware is an executable file, just like everything else you use. It sends a command line parameter to change the state of the Hosts file from a read-only state to writable. After that it replaces it with whatever it wants. All it does is send the ATTRIB command along with -R.

That's not very secure if it's that simple to disable the read-only attribute, is it?

wk357mag
2007-08-19, 20:41
so when does "SpyBot-Tarun" get released???

Tarun
2007-08-20, 05:04
Just saying that if someone wants to remove the Hosts file protection, everything should be removed. Leftovers are considered sloppy.

PepiMK
2007-08-20, 10:38
Well, if we're about being smart-ass, I'm pretty sure absolutely NO malware would ever send the ATTRIB command :laugh: What malware would do would be to use kernel32.dll:SetFileAttributes (http://msdn2.microsoft.com/en-us/library/aa365535.aspx).

But then, you're going into the general direction of "every protection is useless, because it can be circumvented". The important point is that some silly malware can be stopped there, and an additional layer, however small it is, cannot really harm ;)

Tarun
2007-08-20, 18:52
Just saying that if someone wants to remove the Hosts file protection, everything should be removed. Leftovers are considered sloppy.

What I meant by this statement is:
If a person opts to remove the Spybot S&D Hosts file additions, it should remove all the code, including
# Start of entries inserted by Spybot - Search & Destroy
# End of entries inserted by Spybot - Search & Destroy
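
Added example, not part of the thread and not Spybot's own code: one way to do the complete removal the post above asks for, dropping the two marker lines along with any entries between them and clearing the read-only attribute. The function names are hypothetical and the hosts file path is supplied by the caller.

```python
import os
import stat

# Marker lines exactly as quoted in the thread.
START = "# Start of entries inserted by Spybot - Search & Destroy"
END = "# End of entries inserted by Spybot - Search & Destroy"


def strip_spybot_block(hosts_text):
    """Return (cleaned_text, removed_line_count).

    Drops each START..END block together with both marker lines, so an
    empty block (the leftover reported above) is removed too. A START with
    no matching END is left alone rather than deleting to end of file.
    """
    lines = hosts_text.splitlines(keepends=True)
    kept, removed, i = [], 0, 0
    while i < len(lines):
        if lines[i].strip() == START:
            end = next((j for j in range(i + 1, len(lines))
                        if lines[j].strip() == END), None)
            if end is not None:
                removed += end - i + 1
                i = end + 1
                continue
        kept.append(lines[i])
        i += 1
    return "".join(kept), removed


def is_read_only(path):
    """True when the owner-write bit is clear (the read-only attribute on Windows)."""
    return not os.stat(path).st_mode & stat.S_IWRITE


def clean_hosts_file(path):
    """Strip the block from a hosts file (path is caller-supplied) and leave it writable.

    Returns (removed_line_count, was_read_only).
    """
    was_read_only = is_read_only(path)
    if was_read_only:
        os.chmod(path, os.stat(path).st_mode | stat.S_IWRITE)
    # latin-1 round-trips every byte; newline="" preserves CRLF endings.
    with open(path, "r", encoding="latin-1", newline="") as fh:
        cleaned, removed = strip_spybot_block(fh.read())
    if removed:
        with open(path, "w", encoding="latin-1", newline="") as fh:
            fh.write(cleaned)
    return removed, was_read_only
```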

Tarun
2007-09-03, 22:22
So were the remnants removed when you remove the Hosts file Immunizations/"protections"?