{"id":17759,"date":"2020-08-05T13:38:11","date_gmt":"2020-08-05T08:08:11","guid":{"rendered":"http:\/\/198.58.113.91\/blog\/?p=17759"},"modified":"2023-08-02T20:40:13","modified_gmt":"2023-08-02T15:10:13","slug":"windows-defender-hostsfilehijack-alert-telemetry-block","status":"publish","type":"post","link":"https:\/\/www.winhelponline.com\/blog\/windows-defender-hostsfilehijack-alert-telemetry-block\/","title":{"rendered":"Windows Defender “HostsFileHijack” alert appears if Telemetry is blocked"},"content":{"rendered":"

Since July last week, Windows Defender started issuing Win32\/HostsFileHijack<\/code> “potentially unwanted behavior” alerts if you had blocked Microsoft’s Telemetry servers using the HOSTS file.<\/p>\n

\"defender<\/p>\n

Out of the SettingsModifier:Win32\/HostsFileHijack<\/code> cases reported online, the earliest one was reported at the Microsoft Answers forums<\/a> where the user stated:<\/p>\n

I’m getting a serious “potentially unwanted” message. I have the current Windows 10 2004 (1904.388) and only Defender as permanent protection.
\nHow is that to evaluate, since nothing has changed at my hosts, I know that. Or is this a false positive message? A second check with AdwCleaner or Malwarebytes or SUPERAntiSpyware shows no infection.<\/p><\/blockquote>\n

“HostsFileHijack” alert if Telemetry is blocked<\/h2>\n

After inspecting the HOSTS<\/code> file from that system, it was observed that the user had added Microsoft Telemetry servers to the HOSTS file and routed it to 0.0.0.0 (known as “null-routing”) to block those addresses. Here is the list of telemetry addresses null-routed by that user.<\/p>\n

0.0.0.0 alpha.telemetry.microsoft.com\r\n0.0.0.0 alpha.telemetry.microsoft.com\r\n0.0.0.0 asimov-win.settings.data.microsoft.com.akadns.net\r\n0.0.0.0 candycrushsoda.king.com\r\n0.0.0.0 ceuswatcab01.blob.core.windows.net\r\n0.0.0.0 ceuswatcab02.blob.core.windows.net\r\n0.0.0.0 choice.microsoft.com\r\n0.0.0.0 choice.microsoft.com.nsatc.net\r\n0.0.0.0 co4.telecommand.telemetry.microsoft.com\r\n0.0.0.0 cs11.wpc.v0cdn.net\r\n0.0.0.0 cs1137.wpc.gammacdn.net\r\n0.0.0.0 cy2.settings.data.microsoft.com.akadns.net\r\n0.0.0.0 cy2.vortex.data.microsoft.com.akadns.net\r\n0.0.0.0 db5.settings-win.data.microsoft.com.akadns.net\r\n0.0.0.0 db5.vortex.data.microsoft.com.akadns.net\r\n0.0.0.0 db5-eap.settings-win.data.microsoft.com.akadns.net\r\n0.0.0.0 df.telemetry.microsoft.com\r\n0.0.0.0 diagnostics.support.microsoft.com\r\n0.0.0.0 eaus2watcab01.blob.core.windows.net\r\n0.0.0.0 eaus2watcab02.blob.core.windows.net\r\n0.0.0.0 eu.vortex-win.data.microsoft.com\r\n0.0.0.0 eu.vortex-win.data.microsoft.com\r\n0.0.0.0 feedback.microsoft-hohm.com\r\n0.0.0.0 feedback.search.microsoft.com\r\n0.0.0.0 feedback.windows.com\r\n0.0.0.0 geo.settings-win.data.microsoft.com.akadns.net\r\n0.0.0.0 geo.vortex.data.microsoft.com.akadns.net\r\n0.0.0.0 modern.watson.data.microsoft.com\r\n0.0.0.0 modern.watson.data.microsoft.com.akadns.net\r\n0.0.0.0 oca.telemetry.microsoft.com\r\n0.0.0.0 oca.telemetry.microsoft.com\r\n0.0.0.0 oca.telemetry.microsoft.com.nsatc.net\r\n0.0.0.0 onecollector.cloudapp.aria.akadns.net\r\n0.0.0.0 onesettings-bn2.metron.live.com.nsatc.net\r\n0.0.0.0 onesettings-cy2.metron.live.com.nsatc.net\r\n0.0.0.0 onesettings-db5.metron.live.com.nsatc.net\r\n0.0.0.0 onesettings-hk2.metron.live.com.nsatc.net\r\n0.0.0.0 reports.wes.df.telemetry.microsoft.com\r\n0.0.0.0 self.events.data.microsoft.com\r\n0.0.0.0 settings.data.microsoft.com\r\n0.0.0.0 services.wes.df.telemetry.microsoft.com\r\n0.0.0.0 settings.data.glbdns2.microsoft.com\r\n0.0.0.0 settings-sandbox.data.microsoft.com\r\n0.0.0.0 settings-win.data.microsoft.com\r\n0.0.0.0 sqm.df.telemetry.microsoft.com\r\n0.0.0.0 sqm.telemetry.microsoft.com\r\n0.0.0.0 sqm.telemetry.microsoft.com.nsatc.net\r\n0.0.0.0 statsfe1.ws.microsoft.com\r\n0.0.0.0 statsfe2.update.microsoft.com.akadns.net\r\n0.0.0.0 statsfe2.ws.microsoft.com\r\n0.0.0.0 survey.watson.microsoft.com\r\n0.0.0.0 tele.trafficmanager.net\r\n0.0.0.0 telecommand.telemetry.microsoft.com\r\n0.0.0.0 telecommand.telemetry.microsoft.com.nsat\u00adc.net\r\n0.0.0.0 telecommand.telemetry.microsoft.com.nsatc.net\r\n0.0.0.0 telemetry.appex.bing.net\r\n0.0.0.0 telemetry.microsoft.com\r\n0.0.0.0 telemetry.remoteapp.windowsazure.com\r\n0.0.0.0 telemetry.urs.microsoft.com\r\n0.0.0.0 tsfe.trafficshaping.dsp.mp.microsoft.com\r\n0.0.0.0 us.vortex-win.data.microsoft.com\r\n0.0.0.0 us.vortex-win.data.microsoft.com\r\n0.0.0.0 v10.events.data.microsoft.com\r\n0.0.0.0 v10.vortex-win.data.microsoft.com\r\n0.0.0.0 v10.vortex-win.data.microsoft.com\r\n0.0.0.0 v10-win.vortex.data.microsoft.com.akadns.net\r\n0.0.0.0 v10-win.vortex.data.microsoft.com.akadns.net\r\n0.0.0.0 v10.vortex-win.data.metron.live.com.nsatc.net\r\n0.0.0.0 v10c.events.data.microsoft.com\r\n0.0.0.0 v10c.vortex-win.data.microsoft.com\r\n0.0.0.0 v20.events.data.microsoft.com\r\n0.0.0.0 v20.vortex-win.data.microsoft.com\r\n0.0.0.0 vortex.data.glbdns2.microsoft.com\r\n0.0.0.0 vortex.data.microsoft.com\r\n0.0.0.0 vortex.data.metron.live.com.nsatc.net\r\n0.0.0.0 vortex-bn2.metron.live.com.nsatc.net\r\n0.0.0.0 vortex-cy2.metron.live.com.nsatc.net\r\n0.0.0.0 vortex-db5.metron.live.com.nsatc.net\r\n0.0.0.0 vortex-hk2.metron.live.com.nsatc.net\r\n0.0.0.0 vortex-sandbox.data.microsoft.com\r\n0.0.0.0 vortex-win-sandbox.data.microsoft.com\r\n0.0.0.0 vortex-win.data.microsoft.com\r\n0.0.0.0 vortex-win.data.metron.live.com.nsatc.net\r\n0.0.0.0 watson.live.com\r\n0.0.0.0 watson.microsoft.com\r\n0.0.0.0 watson.ppe.telemetry.microsoft.com\r\n0.0.0.0 watson.telemetry.microsoft.com\r\n0.0.0.0 watson.telemetry.microsoft.com.nsatc.net\r\n0.0.0.0 wes.df.telemetry.microsoft.com\r\n0.0.0.0 weus2watcab01.blob.core.windows.net\r\n0.0.0.0 weus2watcab02.blob.core.windows.net<\/pre>\n
And the expert Rob Koch responded saying:<\/p>\n
Since you’re null routing Microsoft.com and other reputable websites into a black hole, Microsoft would obviously see this as potentially unwanted activity, so of course they detect these as PUA (not necessarily malicious, but undesired) activity, related to a Hosts File Hijack.<\/p>\n
That you’ve decided it’s something you wish to do is basically irrelevant.<\/p>\n
As I clearly explained in my first post, the change to perform the PUA detections was enabled by default with the release of Windows 10 Version 2004, so that’s the entire reason for your sudden issue. Nothing is wrong except that you don’t prefer to operate Windows in the manner that the developer Microsoft intended.<\/p>\n
However, since your wish is to retain these unsupported modifications in the Hosts file, despite the fact they’ll clearly break many of the Windows functions those sites are designed to support, you’d likely be better off to revert the PUA detection portion of Windows Defender to disabled as it used to be in previous versions of Windows.<\/p><\/blockquote>\n
\n
It was G\u00fcnter Born<\/strong> who blogged about this issue first. Check out his excellent post Defender flags Windows Hosts file as malicious<\/a> and his subsequent post on this topic. G\u00fcnter was also the first to write about the Windows Defender\/CCleaner PUP detection.<\/em><\/p>\n
In his blog, G\u00fcnter notes this has been happening since July 28, 2020. However, the Microsoft Answers post discussed above, was created on July 23, 2020, though. So, we don’t know which Windows Defender Engine\/client version introduced the Win32\/HostsFileHijack<\/code> telemetry block detection exactly.<\/em><\/p>\n<\/div>\n
The recent Windows Defender definitions (issued from July 3rd week onwards) consider those ‘tampered’ entries in the HOSTS file as undesirable and warns the user of “potentially unwanted behavior” — with the threat level denoted as “severe”.<\/p>\n
Any HOSTS file entry containing a Microsoft domain (e.g. microsoft.com) such as the one below, would trigger an alert:<\/p>\n
0.0.0.0 www.microsoft.com\r\n\r\n\r\n(or)\r\n\r\n127.0.0.1 www.microsoft.com<\/pre>\n
Windows Defender would then provide three options to the user:<\/p>\n