It's a good list, for the most part, but I think he's a bit clueless when it comes to blocking malware with a hosts file.
Special AntiSpyware Hosts Files attempt to associate a known safe, numeric address with the names of sites you want to block. When the user or any process on the PC then tries to access a blocked site, it is instead directed to the safe location. This works as long as the site's numeric IP address never changes. But IP addresses do change and they're supposed to be able to. The Web operates via "dynamic" naming, where a human friendly name (www.google.com) is actually an alias for the real address, which is numeric. The numeric address can and will change from time to time as a site or server is moved or reconfigured.
You are supposed to use the localhost IP of 127.0.0.1 as the safe location. I have never known that to change when some other site changes their IP. It doesn't point google.com to Google's IP. It points BadMalwareSite.com to your own pc, where you are not likely to pick up a malware infection from.
The Hosts entry will permanently point them to a dead location!
That's the whole point to it! That's how it works!
People with out-of-date addresses hardwired into their Hosts File will no longer be able to connect to any site whose numeric address has changed.
How can localhost be out-of-date? It doesn't change. And how can pointing the domain name of a bad site to yourself block a good site with a different domain name that wouldn't be in your hosts file to begin with?
It's almost impossible to update a Hosts file frequently enough to guard against all threats and even if you did, you'd probably also run into problems in accidentally blocking good sites that happened to move to new numeric addresses.
He is only partially right there...you can't add entries fast enough to block all malware, nor can you ever know all of the possible ones you should block.
But since you are only redirecting the bad ones to yourself, the good ones are not affected by an IP change....they were never in your hosts file to begin with.
When cleaning Malware/Spyware from a PC, it is much easier to check a clean Hosts File then one filled with thousands of lines of addresses.
How hard is it to open the Hosts file in Word (or a small free proggie like my AlphaSort
) and alphabetize the lines?
All the malware entries will be the lines beginning with a different IP than 127.0.0.1 ...and they will either rise to the top, listed after the #comment lines, or drop to the bottom, when you alphabetize the whole list.
Notes - There is a much better solution for bad site blocking using SpywareBlaster which more intelligently use's Internet Explorer's built-in Zone Security settings and the registry.
That only works for IE and IE based browsers, which even though they are the ones that end up being the cause/victim of spyware most of the time, it is theoretically possible to get an infection while using Firefox, Opera, or something else....and sooner or later you will start hearing of it happening.
ActiveX isn't the only way malware gets onto a PC through a browser...Java & Flash are also exploitable paths to your PC.
Using a hosts file to block the same domains that would be entered into your registry by SpywareBlaster will accomplish the same thing that software does...only it will protect all users of any browser or any software on that pc. The domains will be unreachable with anything you could possibly run...not just IE.
And the InformationWeek article
he references has nothing to do with using the hosts file for prevention of malware. It was referring to using the hosts file for speeding up your connection by including the IP's of sites you visit often.
There is one thing I have to say about a hosts file he didn't mention...and his SpywareBlaster solution would also fail miserably too. And that is in the case of scripts that reference an IP directly and not use a domain name at all.
You can't redirect an IP to yourself with a hosts file...only a domain name and be redirected.
And if you start adding IP's to your security zones, you will eventually end up in a similar hell to one he was warning you about, where websites you want to use end up not working right because their IP's may have changed to ones you added. And finding the IP in your registry that is the cause of a problem is tougher than you could imagine when you have a whole bunch in there. You would have to remove them all and add them back 1 at a time till you discovered the one that breaks the good site.
In a case such as this, I would add IP's to my firewall if I wanted to block them. And if a good site is somehow blocked, it would be easy to figure out which IP to remove from your list by checking the firewall log and see what was just blocked when trying to access the good site...that's the one that needs to be removed.
so in summary...
the hosts file is used for blocking domains you want no contact with, ever
firewall to block ip's you want no contact with, ever
and zones for sites & ip's you want contact with, but you want them to be broken.