
My anti-spyware tool is reporting errors in my hosts file. What is that, and why?

Question:

I tried a different anti-spyware program which reported a stream of
different trojans all related to my HOSTS file. This list (1677 in all) is
listed in my hosts file as inserted by Spybot. The program I was testing told
me to delete them immediately. I am very confused; should I remove all these
entries? I understood that they were placed there by Spybot so that these
sites could not be accessed. Each entry follows the loopback address
127.0.0.1.

You’re bumping into a classic problem that results from running more than
one anti-spyware program at the same time: one program sees the changes the
other one made and mistakes them for the work of spyware.

Who do you believe?

In this case, if we understand why the hosts file is so important and how it
can be used and misused, we’ll have our answer.


Machines on the internet are located by their IP address. The server that hosts Ask Leo!, for example, is (today) at 72.32.63.173. To avoid needing to remember numbers like that, and to let one IP address serve more than one site, the Domain Name System, or DNS, provides a way to associate names with IP addresses. So when you visit http://ask-leo.com your browser “looks up” ask-leo.com, gets back an IP address, and then establishes a connection to the machine at that address.


That “looking up” is typically itself an internet-based request. There are DNS servers whose job it is to respond to questions like “what’s the IP address of ask-leo.com?”.

The hosts file is a simple text file on your system that can also contain name/IP mappings. The resolver checks it first, before asking any DNS server, so anything present in the hosts file overrides whatever the DNS server would have said had it been asked; for a name listed there, no DNS query is made at all. The file doesn’t care who put an entry there or why; whatever address sits next to a name is the address your computer will use.

There are two major ways that the hosts file can be used with respect to malware:

  • By the bad guys: spyware can place fake entries into the hosts file. For example, the spyware might add an entry for “paypal.com” pointing at a server it controls. If you then attempt to visit PayPal, the fake IP address from the hosts file overrides the real address from DNS, and you’re sent to the bad guys’ server, all the while thinking you’re connecting to paypal.com. (If the real site uses HTTPS, the browser should at least warn that the certificate doesn’t match, since the impostor can’t present a valid certificate for paypal.com, but plenty of people click through such warnings.)

  • By the good guys: anti-spyware programs can place entries into the hosts file that prevent you from even accidentally visiting bad sites. For example, if “somerandomservice.com” were a known malicious site, then mapping it to 127.0.0.1 (the “loopback” address, which always means “this computer”) sends any attempt to reach that domain to your own machine, where nothing is listening for it, so the page simply never loads.

Same technique – adding entries to the hosts file – with completely different objectives, good and evil.

So knowing this, we can deduce what’s happening to you.

Spybot added information to your hosts file to block sites that it knows are malicious in order to prevent you from even accidentally visiting them. That’s actually a pretty nifty approach, in my opinion, particularly if you’ve got a machine being used by someone who’s not perhaps as careful as they should be about web surfing. Because the hosts file has no wildcards, every hostname to be blocked has to be listed individually, which is why these lists get so long: my test copy of Spybot added over 11,000 different domains to my hosts file.

If you look at the hosts file (it’s just a text file, typically in C:\WINDOWS\system32\drivers\etc\hosts; anyone can read it, but on recent versions of Windows you need administrator rights to change it), you’ll even see Spybot’s list:

# Start of entries inserted by Spybot – Search & Destroy
127.0.0.1 (domain name)
127.0.0.1 (domain name)

127.0.0.1 (domain name)
127.0.0.1 (domain name)
# This list is Copyright 2000-2008 Safer Networking Limited
# End of entries inserted by Spybot – Search & Destroy

The other software you’re testing doesn’t know this. It doesn’t know that you’re running Spybot, or that Spybot does this to the hosts file.

But it does check to see whether the hosts file has been modified from its default (which normally contains little more than a line mapping “localhost” to 127.0.0.1). And if it has, it simply assumes that the file was modified by spyware.

Hence the warning; the “false positive” warning. In fact, since you point out that the domains are all redirected to the loopback address of 127.0.0.1, that further confirms the likelihood of it being a false positive: an entry pointing at 127.0.0.1 can only block a site, it can’t send you anywhere else. Had the domains been redirected to a live IP address on the internet, particularly domains you’d expect to resolve normally, such as your bank, an e-mail provider, or a security vendor’s update site, then it would be worth further investigation (though Spybot’s already watching this for you).
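The distinction just described, names sinkholed to the loopback address versus names redirected to a live address, is easy to check mechanically. The script below is an added example, not code from this article or from Spybot. It parses a hosts file in the standard format, treats the loopback and unspecified addresses (127.0.0.1, ::1, 0.0.0.0) as harmless blocks, and reports everything else as a redirection worth a look. The embedded sample file is constructed for the example; the 203.0.113.x address in it is a documentation range, not a real server.

```python
import ipaddress
import os
from typing import Dict, List, Tuple

# Path quoted in the article; used only when the script is run directly.
WINDOWS_HOSTS_PATH = r"C:\WINDOWS\system32\drivers\etc\hosts"

# Constructed sample: the Windows default line, a Spybot-style block list,
# and three lines of the kind a hijack would add. Not a real file.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
::1             localhost

# Start of entries inserted by Spybot - Search & Destroy
127.0.0.1 somerandomservice.com
127.0.0.1 www.somerandomservice.com
0.0.0.0   ads.example-tracker.net
# End of entries inserted by Spybot - Search & Destroy

203.0.113.10  paypal.com
203.0.113.10  www.paypal.com
203.0.113.10  update.example-security-vendor.com
"""


def is_sinkhole(addr: str) -> bool:
    """True for addresses that cannot lead anywhere: 127.0.0.0/8, ::1,
    0.0.0.0 and ::. A name mapped to one of these is blocked, not redirected."""
    ip = ipaddress.ip_address(addr)
    return ip.is_loopback or ip.is_unspecified


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (address, hostname) pairs, one per hostname on each line.
    '#' starts a comment; blank and unparseable lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ipaddress.ip_address(parts[0])  # validate the address column
        except ValueError:
            continue
        for name in parts[1:]:
            entries.append((parts[0], name.lower()))
    return entries


def classify(text: str) -> Dict[str, List[str]]:
    """Split entries into 'blocked' (sinkholed names, the anti-spyware
    pattern) and 'redirected' (names sent to a live address, the hijack
    pattern). The OS's own 'localhost' mapping is ignored."""
    result: Dict[str, List[str]] = {"blocked": [], "redirected": []}
    for addr, name in parse_hosts(text):
        if name == "localhost":
            continue
        if is_sinkhole(addr):
            result["blocked"].append(name)
        else:
            result["redirected"].append(f"{name} -> {addr}")
    return result


def report(text: str) -> str:
    """Human-readable summary: counts plus the full list of redirections."""
    r = classify(text)
    lines = [f"{len(r['blocked'])} name(s) sinkholed (blocking entries)",
             f"{len(r['redirected'])} name(s) redirected to a live address"]
    lines += ["  SUSPICIOUS: " + entry for entry in r["redirected"]]
    return "\n".join(lines)


if __name__ == "__main__":
    # Read the real Windows file when present, otherwise use the sample.
    if os.path.exists(WINDOWS_HOSTS_PATH):
        with open(WINDOWS_HOSTS_PATH, encoding="ascii", errors="replace") as f:
            print(report(f.read()))
    else:
        print(report(SAMPLE_HOSTS))
```

On the sample, the three Spybot-style lines land in the “blocked” bucket, while the three lines pointing paypal.com and a security vendor’s update site at 203.0.113.10 are reported as suspicious. Thousands of “blocked” entries and zero “redirected” ones is exactly what a hosts file maintained by an anti-spyware tool looks like.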

My recommendation works out to be this:

  • Run only one anti-spyware tool regularly. Spybot’s good, and there are others.

  • Leave the hosts file entries placed by Spybot.

  • Only run a second anti-spyware tool if you suspect or are specifically battling an infection that the first did not get. In this case, you’ll need to carefully understand the reports, as false positives like this are quite possible.


3 comments on “My anti-spyware tool is reporting errors in my hosts file. What is that, and why?”

  1. Also Leo, you forgot to mention that there are many “bogus” anti-spyware programs out there that would not like Spybot’s Hosts file at all. There are hundreds of antispy programs that are nothing but spyware in disguise. This may be what the person is using, unless you purposefully left out the name of the offending program, and it is in fact a real antispy program. I run several (Spybot, Adaware, Super Antispyware, Malwarebytes), and none have ever said anything about Spybot’s Hosts file.

  2. Can one anti-spyware program delete the additions to the Hosts file made by another?

    Can they? Sure. Do they? Don’t know. Depends on the programs in question.

    Leo
    24-May-2011

