Kaspersky keeps deleting my hosts file [ How to exclude host file ]


Deakus   

Hello,

 

We have Kaspersky installed in the office and since yesterday all users have had the virus alert Trojan.Win32.Hosts2.gen, which subsequently removes the system32/Drivers/Etc/hosts file (or any other hosts file backups).

 

We are a web company so we use the hosts file a lot for test and dev purposes.

 

I've discovered that if the same IP is repeated several times and the domain names are similar, Kaspersky will assume that the file has been infected.

 

Does anyone know how to stop this?

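As a defender-side illustration of the pattern Deakus describes (one IP repeated across several similar hostnames), here is an added example that is not Kaspersky's detection logic and not code from this thread: it parses a hosts file, groups entries by IP, and marks loopback/RFC 1918/ULA addresses as ordinary dev use while anything else with many names is queued for review. The hosts content and the threshold of three names are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: dev vhosts on loopback plus one public IP that
# redirects several similar names (the repetition pattern a heuristic keys on).
SAMPLE_HOSTS = """\
# dev vhosts (constructed sample)
127.0.0.1 localhost
127.0.0.1 app.test
127.0.0.1 api.app.test
127.0.0.1 admin.app.test
::1       localhost
203.0.113.7 update.example.com
203.0.113.7 updates.example.com
203.0.113.7 www.example.com
"""

# Ranges a dev team legitimately points many names at: loopback, RFC 1918, ULA.
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "::1/128",
              "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

def parse_hosts(text):
    """Return {ip: [hostnames]} from hosts-file text, skipping comments/blank lines."""
    mapping = defaultdict(list)
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2:
            mapping[fields[0]].extend(fields[1:])
    return mapping

def second_level(name):
    """Crude 'similar domain' key: the last two labels of the hostname."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def triage(text, threshold=3):
    """Flag IPs mapped to >= threshold names as 'dev' (local range) or 'review'."""
    findings = []
    for ip, names in parse_hosts(text).items():
        if len(names) < threshold:
            continue
        try:
            local = any(ipaddress.ip_address(ip) in net for net in LOCAL_NETS)
        except ValueError:  # malformed address: never treat it as local
            local = False
        similar = len({second_level(n) for n in names}) < len(names)
        findings.append({"ip": ip, "count": len(names), "similar_names": similar,
                         "risk": "dev" if local else "review"})
    return findings
```

Running `triage(SAMPLE_HOSTS)` reports the loopback block as "dev" and the 203.0.113.7 block as "review", which is the split a team could use to decide what belongs in an exclusion and what deserves a look.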

here the same :angry:

and despite the fact that it's plain text, if you just change the name it stops bothering you... what kind of "heuristic" approach is that?!?! I don't like this new version at all and I'm wondering whether it would be better to change after years of KIS...

Edited by lvalnegri

Deakus   

I agree, it's annoying me so much that I too am thinking about uninstalling the software and installing a more sensible application.

richbuff   
I've discovered that if the same IP is repeated several times and the domain names are similar, Kaspersky will assume that the file has been infected.
Please inform the Lab; instructions are located in the third important topic near the top of the Virus section of this forum, and here: http://forum.kaspersky.com/index.php?showtopic=13881

Slavian   

Hello.

 

We won't change the detection logic; if you want to use modified 'hosts' files, add them to the 'white list'.

feno   
We won't change the detection logic; if you want to use modified 'hosts' files, add them to the 'white list'.

Hello,

How, then, do I add the hosts file to the "white list"?

Thanks

Rene-gad   
How, then, do I add the hosts file to the "white list"?

I'm not sure it is a good solution: if the hosts file were really changed by some malware application, then we'd have a real problem.

 

dawgg   
I'm not sure it is a good solution: if the hosts file were really changed by some malware application, then we'd have a real problem.

Hello, you can define the exclusion to exclude only certain detection names, e.g. "Trojan.Win32.Hosts2.gen", so other items detected in that location will still be detected, so no problems.

 

Hello,

I added my hosts file to the exclusions, but it's still being removed by KIS.

Hi, in your first screenshot, delete the Hosts entry you added there. It is not needed.

In your second screenshot, select the Host entry, click "Modifier" and post a screenshot of that window. Also make sure the detection name is exactly "Trojan.Win32.Hosts2.gen" if that is what is detected.

Edited by dawgg

Rene-gad   
In your second screenshot, select the Host entry, click "Modifier" and post a screenshot of that window. Also make sure the detection name is exactly "Trojan.Win32.Hosts2.gen" if that is what is detected.

Possibly I'm a complete idiot, but it does not work...

[screenshot attachment: post-3028-1302799567_thumb.jpg]

[screenshot attachment: post-3028-1302799652_thumb.jpg]

dawgg   

Rene-gad, when you scan the individual file, then the exclusion will not work (by design of Kaspersky).

 

If in the Exclusion setting you've chosen "Protection Components: Any", Kaspersky should not detect it unless you intentionally scan the file via right-click - Scan.

 

feno, the exclusion setting should be as shown in the screenshot below (including Protection component "Any"). Again, as I just said above, when you scan the individual file, it will still be detected. Other than that, it should not be detected.

[screenshot attachment: post-10444-1302807502_thumb.png]

Rene-gad   

What you have explained is clear, thank you.

What is NOT clear:

- if any file IS a virus, it has to be detected ALWAYS and by ANY MODULE of the antivirus program

- if any file IS NOT a virus, it has to be detected NEVER and by NO MODULE of the antivirus program

Otherwise we cannot talk about virus protection AT ALL.

dawgg   
What you have explained is clear, thank you.

What is NOT clear:

- if any file IS a virus, it has to be detected ALWAYS and by ANY MODULE of the antivirus program

- if any file IS NOT a virus, it has to be detected NEVER and by NO MODULE of the antivirus program

Otherwise we cannot talk about virus protection AT ALL.

Sorry, I do not understand what you are not clear about.

If a file is malicious or related to malicious/suspicious behavior, then yes, it should be detected - unless the user wishes it to no longer be detected, whereby they will add it to exclusions.

If a file is not malicious or related to malicious/suspicious behavior, then as you correctly say, it should not be detected.

Rene-gad   
Sorry, I do not understand what you are not clear about.

If Mr. Smith IS a good guy, he IS a good guy in America, Europe and on the Moon.

If Mr. Smith IS NOT a good guy, he IS NOT a good guy in America, Europe and on the Moon, and should be placed in jail ;).

It cannot depend on the METHOD OF CHECKING his travel pass.

feno   

dawgg: thanks for your attention.

Here is my screenshot:

[screenshot attachment: jOrn3.png]

Apart from the language, I don't see any difference between yours and mine.

dawgg   

Rene-gad, I understand now.

 

Sometimes files are 'greyware', where they can be good or bad depending on the purpose they are used for. For example, a Remote Administrator program is useful for administrators, support staff, or anyone else you want to explicitly allow to use your computer over the internet. This type of software can be very useful.

 

On other occasions, it is malicious if it is used as a trojan and someone is on your computer without your permission.

 

Other potentially unwanted programs such as port or network scanners, IRC clients, hard-drive flashing programs etc. can also be classed as malicious or legitimate depending on what they are used for.

 

Take a knife as an analogy - it can be used to cut food (good), cut other things in construction/manufacturing (good), cut people to save their lives in surgery (good) and cut people to hurt or kill them (bad).

So, it can be good or bad depending on what it's being used for.

Edited by dawgg

dawgg   

feno, is it being removed only when you scan it via the right-click or also when you do not scan it?

 

Please open Kaspersky, click Quarantine (at the top) and select All in the drop-down list on the top-left.

Click Save on the top-right and attach that txt file here.

feno   

It is removed:

- every time I boot up the computer, so every morning I have to create the hosts file before working

- sometimes promptly, without any particular reason

 

Here is the content of the file saved from Kaspersky:

 

Détectés (7)    
23/12/2010 10:59:04    Détectés    programme légitime pouvant être exploité par un individu mal intentionné afin de nuire à l'ordinateur ou à vos données PDM.RootShell    Processus en mémoire        C:\USERS\FENO\APPDATA\LOCAL\TEMP\    LBK_20100921150151_MULTILNG.EXE    Elevées    
23/12/2010 10:59:38    Détectés    programme légitime pouvant être exploité par un individu mal intentionné afin de nuire à l'ordinateur ou à vos données PDM.RootShell    Processus en mémoire        C:\USERS\FENO\APPDATA\LOCAL\TEMP\    LBK_20101117150244_MULTILNG.EXE    Elevées    
04/02/2011 16:22:19    Détectés    programme légitime pouvant être exploité par un individu mal intentionné afin de nuire à l'ordinateur ou à vos données PDM.RootShell    Processus en mémoire        C:\PROGRAM FILES\MYSQL\MYSQL WORKBENCH 5.2 CE\    MYSQLWORKBENCH.EXE    Elevées    
18/02/2011 15:54:42    Détectés    programme légitime pouvant être exploité par un individu mal intentionné afin de nuire à l'ordinateur ou à vos données PDM.RootShell    Processus en mémoire        C:\USERS\FENO\DOWNLOADS\    NETBEANS-6.9.1-ML-PHP-WINDOWS.EXE    Elevées    
22/02/2011 11:39:15    Détectés    programme légitime pouvant être exploité par un individu mal intentionné afin de nuire à l'ordinateur ou à vos données PDM.RootShell    Processus en mémoire        C:\XAMPP\PHP\    PHPUNIT.BAT    Elevées    
13/04/2011 09:12:17    Détectés    programme légitime pouvant être exploité par un individu mal intentionné afin de nuire à l'ordinateur ou à vos données PDM.RootShell    Processus en mémoire        C:\PHP\    PHPUNIT.BAT    Elevées    
22/02/2011 15:43:37    Détectés    programme légitime pouvant être exploité par un individu mal intentionné afin de nuire à l'ordinateur ou à vos données PDM.RootShell    Processus en mémoire        C:\PHP\    PHPCS.BAT    Elevées    
Réparés (1)    
07/04/2011 10:56:27    Réparés    cheval de Troie Trojan.Win32.Hosts2.gen    Fichier        c:\Windows\System32\drivers\etc\    hosts    Elevées

dawgg   

Strange, I cannot reproduce what you are seeing - the exclusion works on my computer.

 

What Kaspersky version are you using? Hover your cursor over the red K icon to see. It should be in the format 11.0.#.###.

feno   

Hi dawgg,

I use Kaspersky Internet Security 11.0.1.400 on Windows Vista Home Premium SP1 32-bit.

 

Please, how do you verify whether the exclusion works or not? By performing a scan?

dawgg   
Hi dawgg,

I use Kaspersky Internet Security 11.0.1.400 on Windows Vista Home Premium SP1 32-bit.

 

Please, how do you verify whether the exclusion works or not? By performing a scan?

I restarted the computer (as you stated) and also scanned the folder C:\Windows\System32\drivers\etc\ (by right-clicking the actual folder and clicking Scan, rather than the contents of the folder. As I explained in post #13, if you scan the actual file, it will be detected, as the exclusion rule will be overridden).

 

Try to use the latest version of Kaspersky. Recommended guidance is shown here.


Sorry for my intrusion, I would also recommend updating your Windows Vista with Service Pack 2.

 

Regards.

xadrian   
Sorry for my intrusion, I would also recommend updating your Windows Vista with Service Pack 2.

 

Regards.

 

Running into the same thing here on Win7 and Server 2008 web dev and web DB machines.
