I agree with David - the hosts file on Windows only manages DNS lookups and can
often be used by a malware infection to redirect your DNS lookups, will not
stop direct IP address connects, and as David says, would have to be huge to be
of any effect, which Windows is not really set up to handle well. In fact it could
probably be giving you all sorts of other problems with your browsers that would
be hard to figure out. localhost is all you need there. A real firewall blocks
IP addresses, not hostnames. Another solution is to use uBlock Origin, Ghostery,
NoScript, Privacy Badger ... which will do the hosts blocking for you, and if
you do use these, some sites are not going to work well.
I have a separate firewall and periodically download bad IP addresses into an
ipset on Linux. ipsets are designed for efficient IP lookup. Mostly I use the
lists from abuse.ch malware trackers and dshield.com. That is also good for
preventing outgoing connections in case I have been infected, to prevent
further malware payload downloads. I would give it overall a 60% advantage in
preventing malware. It is only a piece, and only for malware that has known IP
addresses. But blocking IP addresses only works 100% if you block the entire
internet.
Chris, I don't get your obsession with deliberately doing things very
insecurely and then complaining when that causes problems. If you are going to
connect to some public Wi-Fi that has a high probability of being compromised,
and don't use a VPN, use IE, don't have a patched OS, and then expect to get
around problems with some hosts file entries, IMO, that is magical thinking.
Why not just run Linux in a VM if you are not going to use a VPN, or Tor, or
get Tails and boot from a USB stick?
Now if you are a malware researcher, I would say you have a good honeypot.
WayneS
At 5/1/2019 05:19 AM, David wrote:
>On Tue, Apr 30, 2019 at 08:16:56AM -0700, Chris Trask wrote:
>> If you're not familiar with that, the hosts file is your first and foremost
>> firewall when using a Microsoft OS.
>
>Definitely NOT a "firewall" :)
>
>Great if it's working for controlling your unwanted bandwidth-wasting
>adverts/webtrackers in your particularly unique set of circumstances,
>Chris, but I'd definitely not recommend reliance upon it for prevention
>of malware infection.
>
>Note that surreptitious modification of the hosts file is the way quite
>a number of different malware variants work. It is pretty common for
>applications to run their own internal DNS forwarders and completely
>ignore the hosts file for exactly this reason.
>
>The hosts file is a local domain name query override. Basically the only
>thing that should be in there is "localhost" 127.0.0.1 (and ::1 if you
>have an ipv6 stack) and maybe, just maybe, the local machine name.
>
>It CAN be used to override DNS lookups for undesirable destination names
>for many applications, but unless the file can be made system-immutable
>- which I'm not sure is even possible in Windows - it can be overwritten
>or appended to by anything with administrator privileges in an instant.
>This includes just about any bit of random javascript unwittingly run
>by a normal windows user running a browser or an e-mail client,
>rendering it useless while the user thinks they are protected. Further,
>if it's a big file (which it will be, if used in this manner), it can't
>be easily inspected for external modifications. If I HAD to do
>something like this, I'd keep a separate file, make changes to that, and
>copy it over the main file.
>
>davidt
>
--
_________________________________________________________________
Options: http://lists.thomasclausen.net/mailman/listinfo/olympus
Archives: http://lists.thomasclausen.net/mailman/private/olympus/
Themed Olympus Photo Exhibition: http://www.tope.nl/
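The ipset approach WayneS describes (periodically pulling a list of bad IP addresses into an ipset and letting the firewall match on it) is easy to get subtly wrong: feeds contain comments and junk lines that ipset will choke on, and the naive "flush the set, then add everything" leaves a window with no blocking at all. The following script is an added example written for this thread, not code from either poster. It parses a feed in the common one-entry-per-line shape, validates each entry before it reaches ipset, and emits an "ipset restore" script that fills a temporary set and swaps it in atomically, plus the iptables rules for both directions. The sample feed is constructed here for illustration; the set name "badips" is an arbitrary choice, and the real abuse.ch and dshield feeds may need small adjustments to the parser for their exact formats.

```shell
#!/bin/sh
# Added example for this thread (not the original poster's setup).
# Build an ipset from an IP blocklist feed and wire it into iptables.
set -u

SET_NAME="badips"   # arbitrary name for the live set (assumption)

# Constructed sample feed: comments, blank lines, a CIDR, a duplicate,
# a trailing comment and two entries that must be rejected.
SAMPLE_FEED='# constructed sample blocklist, not a real feed
192.0.2.10
198.51.100.0/24
192.0.2.10
not-an-ip
203.0.113.7 # trailing comment
999.1.1.1
'

# Read a feed on stdin; print one validated IPv4 address or CIDR per line,
# comments, blanks and duplicates removed. Anything that is not a dotted
# quad of 0-255 octets (optionally /0-32) is dropped instead of being fed
# to ipset, where a single bad line would abort the whole restore.
parse_blocklist() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
    | grep -v '^$' \
    | awk -F'[./]' '
        NF == 4 || NF == 5 {
            ok = 1
            for (i = 1; i <= 4; i++)
                if ($i !~ /^[0-9]+$/ || $i > 255) ok = 0
            if (NF == 5 && ($5 !~ /^[0-9]+$/ || $5 > 32)) ok = 0
            if (ok && !seen[$0]++) print
        }'
}

# Turn validated entries (stdin) into an "ipset restore" script. A scratch
# set is filled, swapped with the live one and destroyed, so the firewall
# never sees a half-loaded list. Apply as root with: ... | ipset -exist restore
build_ipset_restore() {
    set_name="$1"
    echo "create ${set_name} hash:net family inet"
    echo "create ${set_name}.tmp hash:net family inet"
    echo "flush ${set_name}.tmp"
    while IFS= read -r entry; do
        echo "add ${set_name}.tmp ${entry}"
    done
    echo "swap ${set_name}.tmp ${set_name}"
    echo "destroy ${set_name}.tmp"
}

# iptables rules consulting the set in both directions. The OUTPUT rule is
# the one that stops an already-infected host from fetching a second-stage
# payload from a listed address, which is the point WayneS makes above.
iptables_rules() {
    set_name="$1"
    echo "iptables -I INPUT  -m set --match-set ${set_name} src -j DROP"
    echo "iptables -I OUTPUT -m set --match-set ${set_name} dst -j REJECT"
}

# Number of entries from the sample feed that survive validation.
sample_entry_count() {
    printf '%s' "$SAMPLE_FEED" | parse_blocklist | wc -l | tr -d ' '
}

# Dry run: print the restore script and the rules instead of applying them.
# For a real feed replace the printf with e.g. curl -fsS "$FEED_URL".
printf '%s' "$SAMPLE_FEED" | parse_blocklist | build_ipset_restore "$SET_NAME"
iptables_rules "$SET_NAME"
```

Run it from cron as root with the printf replaced by a download of the feed, and pipe the restore script into `ipset -exist restore` (the `-exist` flag keeps the `create` lines from failing once the sets already exist). The swap keeps the old list active until the new one is fully loaded, so a failed download or a broken feed leaves yesterday's list in place rather than an empty set.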