Author Topic: HOSTS File for malware prevention  (Read 8496 times)

techidave

« on: August 21, 2010, 02:35 PM »
I have been reading about the use of the HOSTS file to prevent malware, etc., from getting on your computer. I am having trouble determining if Firefox and Opera use the HOSTS file like IE does. How does the HOSTS file supplied by mvps.org differ from that of Spyware Blaster or Spybot's Search and Destroy Immunize feature?

I am trying to figure out if the HOST file is a good way to prevent malware on computers??

How does this differ from Restricted Sites (probably IE only)?

Dave

sajman99

« Reply #1 on: August 21, 2010, 03:28 PM »
Quote: "I am trying to figure out if the HOST file is a good way to prevent malware on computers??"

Apparently folks aren't using the HOSTS file as a malware blocker as much as they used to. Perhaps many users now more effectively rely on sandboxing and virtualization software for malware protection.

In this Wilders poll "Do you use HOSTS file?", the majority of respondents (60.90%) indicated they no longer use it. Many folks indicated maintaining the HOSTS file is a futile exercise.
« Last Edit: August 21, 2010, 03:32 PM by sajman99 »

Krishean

« Reply #2 on: August 21, 2010, 03:47 PM »
to answer your question, yes firefox and opera are affected by the hosts file. the hosts file is used to alter domain name resolution in windows, and affects anything that uses windows for networking (if a program uses its own network driver then i think it can get around anything in the hosts file anyway)

the problem with using the hosts file for malware protection is that it ONLY affects domain name resolution. so it's good if an entire domain is dedicated to malware, but if a site is infected with malware through an ad (example: http://techcrunch.com/2010/03/23/yahoo-top-ad-malware-distributor-says-its-not-their-problem/) or some other attack, it's not going to block that, and as malware domains are constantly changing on an hour-by-hour basis, keeping an updated hosts file is next to impossible

also if a program does not use dns resolution and uses an ip like 173.194.33.104 (www.google.com) or if malware comes from an ip (http://173.194.33.104/) the hosts file is not going to block it

EDIT: that said, i do use the "immunize" feature of spybot s&d, which does add entries to the hosts file (in some cases i have seen it ignore the hosts file tho), because it doesn't hurt (unless of course one of the sites in the hosts file is legitimate and you are trying to go there, it makes it unpleasant to diagnose why it's not working)

EDIT2: i should probably explain how the hosts file works exactly. when you click on a website, for example www.google.com, "www.google.com" is meaningless to a computer; computers only understand ip addresses (173.194.33.104), so before you are able to get to google, your computer must first contact a domain name server to look up the ip address of the domain name. the domain name server tells your computer the ip address of google and your computer then contacts google and you go on your merry searching way... however, if www.google.com is in your hosts file your computer skips the step where it contacts the domain name server and uses the entry in the hosts file. so if you put "127.0.0.1 www.google.com" (DON'T DO THIS) in your hosts file, instead of going to google your computer would try to contact 127.0.0.1 (which is a local address for your own computer) and this would not work. that's how the hosts file works: it reassigns domain names to some other ip address.
« Last Edit: August 21, 2010, 04:03 PM by Krishean »
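
The coverage limits described in the post above (name lookups only, IP-literal URLs bypass the file), as an added Python example that is not part of the original thread; the hosts entries, URLs and function names are constructed for illustration. It also shows a case the post does not spell out: hosts entries match exact names, so an unlisted subdomain of a blocked name is not covered.

```python
# Added illustration; hosts entries and URLs are constructed samples.
import ipaddress
from urllib.parse import urlsplit

SAMPLE_HOSTS = """\
# constructed sample blocklist
127.0.0.1   localhost
127.0.0.1   ads.example.net tracker.example.net   # two names on one line
0.0.0.0     malware.example.org
"""
SINKHOLES = {"127.0.0.1", "0.0.0.0", "::1"}

def parse_hosts(text):
    """Return {hostname: ip} from hosts-file text, ignoring comments and blanks."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        for name in fields[1:]:
            # keep the first mapping seen for a name (simplification for this sketch)
            table.setdefault(name.lower(), fields[0])
    return table

def verdict(url, table):
    """Classify what a hosts-file lookup does for this URL."""
    host = (urlsplit(url).hostname or "").lower()
    try:
        ipaddress.ip_address(host)
        return "not covered: IP literal, no name lookup happens"
    except ValueError:
        pass
    ip = table.get(host)  # exact match only: no wildcards, no parent domains
    if ip is None:
        return "not covered: name not listed, resolved via DNS"
    if ip in SINKHOLES:
        return "blocked: resolves to " + ip
    return "redirected: resolves to " + ip

def audit(urls, text=SAMPLE_HOSTS):
    """Map each URL to its verdict under the given hosts-file text."""
    table = parse_hosts(text)
    return {u: verdict(u, table) for u in urls}

if __name__ == "__main__":
    urls = ["http://ads.example.net/banner.js",
            "http://cdn.ads.example.net/banner.js",
            "http://192.0.2.10/payload"]
    for url, result in audit(urls).items():
        print(url, "->", result)
```

The "redirected" verdict flags any entry that points a name at a non-loopback address, which is worth reviewing when auditing a hosts file someone else wrote.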

Stoic Joker

« Reply #3 on: August 21, 2010, 06:53 PM »
OpenDNS would be a better way of effecting the same thing as it can be configured in a single location (the network border) and can be used to block many other network nuisances (FaceBook).

techidave

« Reply #4 on: August 21, 2010, 08:20 PM »
Good idea sj. I keep forgetting about this program.

Renegade

« Reply #5 on: August 22, 2010, 03:03 AM »
+1 for Krishean -- Excellent explanations. :)

sajman99

« Reply #6 on: August 25, 2010, 03:33 PM »
The security company Sunbelt Software is establishing a DNS Server named ClearCloud DNS which can be used to block malware sites.

This is a free service (currently in beta) which is designed to add an additional layer of security.

Details can be found here:  http://www.clearclouddns.com/

Russ V

« Reply #7 on: August 25, 2010, 05:14 PM »
Cool; you can also use google dns at: http://code.google.com/speed/public-dns/
Note: if you use services by your internet provider...like news groups or use local content, they can stop working for days when local network changes occur. in that case, i recommend keeping your secondary dns search ip to something your provider provides.

Lastly, i've stopped using spybot immunization on my slow machine at work. i find myself removing a lot of programs i once thought would help.

f0dder

« Reply #8 on: August 26, 2010, 10:33 AM »
Using the hosts file for anything but specialized purposes (like blocking a few call-home servers, or *very* limited LAN computer naming) is pretty bad, imho. It takes a bit of time to process large hosts files, and it's futile trying to keep a hosts file up to date wrt. malware and ads.

What you need is an ad-blocker for your browser combined with anti-malware software.

app103

« Reply #9 on: August 26, 2010, 10:44 AM »
Quote: "What you need is an ad-blocker for your browser combined with anti-malware software."

I recommend Ad Muncher (munches more than just ads, in more than just browsers) along with whatever hosts file entries your anti-malware may want to add. (remember that neither are a substitute for a good antivirus, and nothing is a good substitute for common sense...you need all of it!)

And please, please, please, run noscript and turn off Java in your browser unless you are about to use a site you know you can trust that needs it.

sajman99

« Reply #10 on: September 21, 2010, 12:50 AM »
Comodo has now gone live with the "malware site blocking" feature of Comodo SecureDNS.

Announcement and site.

Perhaps it's all part of their attempt to rule the world. ;D  Just kidding--but it seems they have software and services for darn near everything.

Bamse

« Reply #11 on: September 24, 2010, 07:59 AM »
Malwarebytes' and Emsisoft's site-blocking is based on hphosts which can be implemented as good old hosts file with daily updates, so not exactly futile. Hosts files are not better than content of course, so most suck in a security context.

Please, please give me a valid non-paranoid reason to turn off javascript per default - or java :) Go YesScript https://addons.mozil.../firefox/addon/4922/