PDA

View Full Version : Spybot and the HOSTS file



Soultrain
2008-08-26, 15:35
Hello there

After trying to customize my Hosts file to be like this:

0.0.0.0 badsite1 badsite2 badsite3 badsite4 badsite5 badsite6 badsite7 badsite 8 badsite 9
0.0.0.0 badsite 10 ... (always with 9 entries per line)

I ran Spybot and it went crazy. It kept saying that the scan was cancelled by user. It clearly hasn't been.

The reason for that is the way how the hosts file is customized. There is nothing wrong with the hosts file, though.

Perhaps you guys could update Spybot to solve that problem?

Greyfox
2008-08-26, 17:15
Hello there

After trying to customize my Hosts file to be like this:

0.0.0.0 badsite1 badsite2 badsite3 badsite4 badsite5 badsite6 badsite7 badsite 8 badsite 9
0.0.0.0 badsite 10 ... (always with 9 entries per line)

Now why would you do that?

The Microsoft host file contains the following
"This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.

Soultrain
2008-08-26, 17:20
Now why would you do that?

The Microsoft host file contains the following
"This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.

That's what they say. Now does that entirely correspond to the reality?

The point is that it is possible to do what I mentioned (not my discovery, though).
So, I am guessing that it would be appropriate for Spybot team to fix it? I mean, let's suppose that someone creates malware to put the hosts file, just like I did. Then Spybot won't even be able to do a damn thing against it, as it won't even be able to scan the system.

Quite simple the reason why they should update Spybot, don't you agree?

Greyfox
2008-08-26, 17:48
Soultrain,

No I don't agree!

What possible gain would there be for any sofware producer to try to make their product work with "one off" customised installations. SpybotSD is not the only antispyware product that uses the hosts file, and to me this is a good reason for keeping it standard.

Assuming for whatever reason you want to continue with your non standard format, have you tried unticking the host file in the immunisation page so Spybot doesn't try to add entries to it.

You said
.. let's suppose that someone creates malware to put the hosts file, just like I did. Then Spybot won't even be able to do a damn thing against it, as it won't even be able to scan the system.

Spybot provides the means to lock the hosts file against alteration, but that aside the Spybot entries in the hosts file are part of the immunisation procedure. They are not relevant to the on demand scanning procedure.

So that's my 5 cents worth - it's not up to me anyhow, but I will be interested to see what others think

blues
2008-08-26, 18:06
I mean, let's suppose that someone creates malware to put the hosts file, just like I did. Then Spybot won't even be able to do a damn thing against it, as it won't even be able to scan the system.

is this a new discovery? maybe the malware writers starts doing this to avoid spybot detect that security sites or other sites is blocked by the hostsfile.

i can notice that the spybot scan takes longer to finish when using "mvps hosts" and hphosts hostsfiles together with the spybot hostsfile.

Soultrain
2008-08-26, 21:33
Soultrain,

No I don't agree!

What possible gain would there be for any sofware producer to try to make their product work with "one off" customised installations. SpybotSD is not the only antispyware product that uses the hosts file, and to me this is a good reason for keeping it standard.

Assuming for whatever reason you want to continue with your non standard format, have you tried unticking the host file in the immunisation page so Spybot doesn't try to add entries to it.

You said

Spybot provides the means to lock the hosts file against alteration, but that aside the Spybot entries in the hosts file are part of the immunisation procedure. They are not relevant to the on demand scanning procedure.

So that's my 5 cents worth - it's not up to me anyhow, but I will be interested to see what others think

Spybot protects nothing against Hosts file modification.

Not when I update it with my entries, not when I use third party applications to update it, etc. Never.

Should it not block those attempts? It never asked me a damn thing...

My HIPS does, though.

If malware wants to change entries, it will, unless you keep your Hosts file under your eyes and protect it properly with other tools, such as HIPS.

Besides, the point is that:

- there is nothing wrong with the way I have my HOSTS file.
- Spybot dies if the HOSTS file's entries are ordered the way I mentioned.

This is something that should be fixed and not just because I use my hosts file that way and use Spybot.

If Spybot team doesn't change their product to be able to handle with such HOSTS file, then they will be one step behind providing what they provide - protection. Simple

blues
2008-08-26, 21:40
the "read only" that spybot sets on the hostsfile doesnt block all malware from changing the hostsfile. i just remove the "read only" that spybot sets to avoid it to stop hostsman from changing the hostsfile, but i dont know if that is necessary.

Soultrain
2008-08-26, 21:43
the "read only" that spybot sets on the hostsfile doesnt block all malware from changing the hostsfile. i just remove the "read only" that spybot sets to avoid it to stop hostsman from changing the hostsfile, but i dont know if that is necessary.

Even if Spybot is blocking the HOSTS file to remain "read only", you still can unblock using Hostsman without any sort of problem.

Now wonder malware ;)

blues
2008-08-26, 21:47
the "read only" that spybot sets on the hostsfile is useless.

Soultrain
2008-08-28, 17:21
the "read only" that spybot sets on the hostsfile is useless.

I haven't tested it yet, but I think Hostsman does a better job at protecting the Hosts file and keeping good hosts out of the hosts file. Something used by malware creators to prevent users from accessing antivirus/antispyware web site or even update their antivirus and antispyware.

And Hostsman isn't even a security tool!

And for those wanting to monitor the Hosts file, among other things, Winpatrol 2008 would be a good asset.

But, I do hope that Spybot team does fix this. It is not something that I want done for me, but that should be done for all users who rely their spyware and some other malware protection on Spybot.

The question is: Don't supporters of Spybot deserve the best protection possible? I believe they do. Am I wrong?

I also find it quite surprising that no Spybot staff commented this thread. Is this thread so trivial, that developers don't give a damn about this flaw?

Soultrain
2009-01-10, 23:40
I'm reawakening this thread to say, that, I believe Spybot team should make Spybot S&D support such type of HOSTS file.

That way, to a certain point, will also be possible to have DNS Client enabled, if we use other hosts file as well, and make user of tools to maintain the HOSTS file.

I make use of Hostsman, and version 4 will already support such. It will convert normal HOSTS file to an optimized HOSTS file. It is possible to do it, already, with a tool that the same creator of Hostman, offers - http://forum.abelhadigital.com/index.php?showtopic=637

hpHosts already offers an optimized version of their HOSTS file, converted by Hostsman 4.

Spybot should support such format, otherwise it will just crash.