Microsoft flags using the HOSTS file to block Windows 10 telemetry as a risk

Since the end of July, Microsoft has been detecting HOSTS files that block the Windows 10 telemetry servers as a “Severe” security risk.

The HOSTS file is a text file located at C:\Windows\system32\drivers\etc\HOSTS. Editing it requires administrative privileges. It maps hostnames to IP addresses and works alongside DNS in name resolution. It can be used to block a computer from accessing a remote site by assigning that site's hostname to the 127.0.0.1 or 0.0.0.0 IP address.

By the end of July, Windows 10 users began reporting that Windows Defender had started detecting modified HOSTS files as a ‘SettingsModifier:Win32/HostsFileHijack’ threat. When users click the See details option on the detection, they are shown that a Settings Modifier threat has infected their device, causing potentially unwanted behavior.

This issue was first detected by BornCity. HOSTS file hijacking is not new, so it was strange that many users suddenly started reporting the detection. Such a widespread infection hitting customers had been unheard of until now, so it is quite unusual to see it at present with Windows 10. This raises the question of whether it is a false positive or some other non-malicious issue.

While experimenting with various generic HOSTS file modifications, experts tried adding a blocklist for Microsoft’s telemetry to their HOSTS file. When they saved the file, they received an alert stating that they could not save it because it “contains a virus or potentially unwanted software” and that the computer was infected with ‘SettingsModifier:Win32/HostsFileHijack’.

Thus, it seems that Microsoft recently updated the Microsoft Defender definitions to detect when its servers are added to the HOSTS file.

Users who utilize the HOSTS file to block Windows 10 telemetry suddenly started seeing the HOSTS file hijack detection. If you decide to clean the threat, Microsoft will restore the HOSTS file to its default contents. Users who intentionally modify their HOSTS file can allow the threat, but doing so may allow all HOSTS modifications. You should allow the threat only if you are 100% aware of the risk involved.
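
An added example, not from the original article: a Python sketch that audits HOSTS-format text before a detection is allowed, separating entries pointed at 127.0.0.1, 0.0.0.0 or their IPv6 equivalents (the blocking technique described above) from entries redirected to any other address. The sample content and hostnames are constructed placeholders, not Microsoft's telemetry endpoints, and the function name `audit_hosts` is hypothetical.

```python
import ipaddress

# Constructed sample HOSTS content; the hostnames are placeholders, not
# Microsoft's real telemetry endpoints (the article does not list them).
SAMPLE_HOSTS = """\
# Sample HOSTS file (constructed)
127.0.0.1       localhost
0.0.0.0         telemetry.example.com  stats.example.com   # blocked
127.0.0.1       ads.example.net
203.0.113.10    login.example.org      # points somewhere else
::1             tracker.example.net
not-an-ip       broken.example.com
"""

def audit_hosts(text):
    """Classify every hostname mapping in HOSTS-format text.

    Returns a dict with three lists of (line_number, hostname, address):
      sinkholed  - mapped to a loopback or unspecified address (blocking)
      redirected - mapped to any other address (review these first)
      invalid    - the first field is not a valid IP address
    """
    report = {"sinkholed": [], "redirected": [], "invalid": []}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()   # drop comments, tokenize
        if len(fields) < 2:
            continue                            # blank or address-only line
        address, names = fields[0], fields[1:]
        try:
            ip = ipaddress.ip_address(address)
        except ValueError:
            bucket = "invalid"
        else:
            blocking = ip.is_loopback or ip.is_unspecified
            bucket = "sinkholed" if blocking else "redirected"
        for name in names:
            name = name.lower()
            if bucket == "sinkholed" and name == "localhost":
                continue                        # default entry, not a block
            report[bucket].append((lineno, name, address))
    return report

if __name__ == "__main__":
    for bucket, entries in audit_hosts(SAMPLE_HOSTS).items():
        for lineno, name, address in entries:
            print(f"{bucket:10} line {lineno}: {name} -> {address}")
```

To audit a real machine, pass the contents of the HOSTS file to `audit_hosts` instead of the sample string; entries in the `redirected` list are the ones to examine most closely.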