9

I have Avira installed with Hosts file protection enabled.

I've noticed a pattern where Avira warns me of an attempted modification of the Hosts file (but alas doesn't tell me which process did the attempt), and soon afterwards a Windows Update notification pops up.

Is this normal? Does this mean the attempt to modify the Hosts file came from Windows Update (for some security-related reason, etc)?

The closest subject I've seen on SE is this question, where apparently Windows Defender was involved: Something is changing my hosts file without asking

Medinoc
  • 191
  • 4
  • 2
    Have you tried the accepted answer of the question you link? – xvk3 Feb 10 '18 at 11:43
  • Alas no, because I only see one notification. There's no further attempt to modify the hosts file afterwards (perhaps until the next update). So, because I don't have a time machine, I'd need to have Process Monitor running all the time (though I could possibly do something more clever like starting it every Patch Tuesday, but the latest occurrence was today). – Medinoc Feb 10 '18 at 12:39
  • It's probably Microsoft trying to fix what those pesky kids are doing; turning off telemetry and shiny new Windows features. – YetAnotherRandomUser Feb 10 '18 at 14:32

1 Answers1

1

Consider the following scenario:

  • You install Windows 8.
  • You change the Hosts file by specifying custom IP-address-to-host-name mappings to prevent users from browsing to some websites.
  • You run a scan in Microsoft Windows Defender.

In this scenario, the Hosts file is detected as a SettingsModifier:Win32/PossibleHostsFileHijack malware threat by Windows Defender.

Reference

So when the host file is being restored by Windows Defender, Avira's host file protection could be detecting the change.

Daniel Netto
  • 144
  • 7
  • Thanks for the succestion. I have run a few Windows Defender scans, it does not appear to try and change the Hosts file. – Medinoc Feb 21 '18 at 06:23