Malware in host file?
The Nessus scan highlighted this line in the hosts file as potentially suspicious:
C:\WINDOWS\system32\drivers\etc\hosts:
0.0.0.1 scinstallcheck.mcafee.com
Is that concerning? I'm uncertain about its legitimacy and how to verify it.
There are no unusual activities detected. The observed behavior indicates the domain is currently restricted.
Certainly, I can clarify. The system is likely blocking access due to security policies or misconfigurations. It may interpret the presence of a McAfee installation on the host as a potential threat, even though the software is actually running on the server. This could trigger restrictions based on detection rules or policy enforcement.
It's blocked due to the hosts file redirecting a domain name, sending traffic to the IP address 0.0.0.1—which is just a placeholder and not a real IP. That’s why it gets blocked.
Why were you asked? Do you have McAfee installed on your computer?
To follow up, @Grobe, a brief update....
My hosts file is situated at
C:\WINDOWS\system32\drivers\etc
It can be accessed and modified using Notepad with administrative privileges.
Here is the content:
# Copyright © 1993-2009 Microsoft Corp.
#
# This sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# Each entry must remain on its own line. The IP address should come first, followed by the host name.
# A space should separate the IP from the host name.
#
# Comments like these can be placed on separate lines or after a '#' symbol.
# For instance:
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
# localhost name resolution is managed by DNS.
# 127.0.0.1 localhost
# ::1 localhost
If you follow this properly, you should be able to edit the file and comment out
0.0.0.1 scinstallcheck.mcafee.com
by adding a '#' before it.
Proceed only if you feel confident and have a backup of the original hosts file.
Reboot and check if McAfee updates automatically.
That said, you likely don’t need McAfee initially.
Windows Defender is excellent, and Malwarebytes (free) can be used for occasional scans as needed.
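The steps above (back up, comment out the entry, check whether the name resolves again) can be done from an elevated PowerShell prompt instead of Notepad, and the same session can first list every active hosts entry that points a name at a non-routable address, which is the pattern the scanner flagged. The script below is an added example and is not from this thread or from any of the tools mentioned in it. It assumes an elevated session, takes the domain name from the original question, and treats the list of "sinkhole" addresses and the backup file name as illustrative choices.

```powershell
# Added example (not from the thread): audit the Windows hosts file for entries that
# sinkhole a name, back the file up, comment out one entry, and verify resolution.
# Run from an elevated PowerShell session. $Target comes from the question; the
# $SinkholeAddresses list and the backup naming are assumptions for illustration.

$HostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$Target    = 'scinstallcheck.mcafee.com'

# Addresses that never reach a real server. A vendor's update/check-in domain mapped
# to one of these is silently blocked, which is what the scanner reported.
$SinkholeAddresses = @('0.0.0.0', '0.0.0.1', '127.0.0.1', '::1')

# 1. Parse active entries: "<address> <host> [<host> ...] [# comment]"
$Entries = foreach ($line in Get-Content -Path $HostsPath) {
    $code = ($line -split '#', 2)[0].Trim()      # strip trailing comment
    if ($code -eq '') { continue }                # blank or comment-only line
    $fields = $code -split '\s+'
    if ($fields.Count -lt 2) { continue }         # address with no host name
    foreach ($name in $fields[1..($fields.Count - 1)]) {
        [pscustomobject]@{ Address = $fields[0]; Host = $name; Raw = $line }
    }
}

# 2. Report every name that is being sinkholed, apart from localhost itself
$Suspicious = $Entries | Where-Object {
    ($SinkholeAddresses -contains $_.Address) -and ($_.Host -ne 'localhost')
}
"Sinkholed names found: $($Suspicious.Count)"
$Suspicious | Format-Table Address, Host -AutoSize

# 3. Show what the resolver currently returns for the target. Resolve-DnsName
#    consults the hosts file by default, so this should echo the 0.0.0.1 entry.
Resolve-DnsName -Name $Target -ErrorAction SilentlyContinue |
    Select-Object Name, IPAddress

# 4. Back up before changing anything (assumed naming scheme)
$Backup = "$HostsPath.bak-$(Get-Date -Format 'yyyyMMdd-HHmmss')"
Copy-Item -Path $HostsPath -Destination $Backup
"Backup written to $Backup"

# 5. The file is sometimes marked read-only; clear the flag and restore it afterwards
$WasReadOnly = (Get-Item -Path $HostsPath).IsReadOnly
if ($WasReadOnly) { Set-ItemProperty -Path $HostsPath -Name IsReadOnly -Value $false }

# 6. Comment out only the uncommented line(s) naming the target; leave everything else
$Pattern = "(^|\s)$([regex]::Escape($Target))(\s|$)"
$Updated = Get-Content -Path $HostsPath | ForEach-Object {
    if ($_ -notmatch '^\s*#' -and $_ -match $Pattern) {
        "# $_   # disabled $(Get-Date -Format s)"
    } else {
        $_
    }
}
# Write without a byte-order mark: the DNS client does not expect one at the top of
# the file. (The non-ASCII copyright sign in Microsoft's header comment is harmless.)
[System.IO.File]::WriteAllLines($HostsPath, [string[]]$Updated,
    (New-Object System.Text.UTF8Encoding $false))

if ($WasReadOnly) { Set-ItemProperty -Path $HostsPath -Name IsReadOnly -Value $true }

# 7. Verify: with the entry gone, the name should now come from real DNS (needs network)
Clear-DnsClientCache
Resolve-DnsName -Name $Target -ErrorAction SilentlyContinue |
    Select-Object Name, IPAddress
```

Step 3 is the quick check the question asks for: if Resolve-DnsName returns 0.0.0.1 for the name, the hosts file is the reason the domain is unreachable, regardless of what upstream DNS says. After step 6 the same command should return the vendor's real address (or a DNS error if the machine is offline), and the timestamped backup from step 4 lets you put the original file back with a single Copy-Item if McAfee behaves differently than expected.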
First remove the "Write Protect" flag from the file. Once done, set it back to its original state.
In general, you can simply remove the hosts file if you suspect a problem. The default file is just an example and contains only comments.
The hosts file was once considered useful, allowing easy blocking of websites like a small DNS server.
Even though it isn't the standard anymore, many people still use encrypted DNS.
However, in practice, encrypted DNS implementations often ignore entries in the host file.
Encrypted DNS serves two main purposes: hiding your DNS requests and ensuring the data comes from a trusted source.
The hosts file essentially acts as a private man-in-the-middle, protecting against man-in-the-middle attacks by blocking malicious actors online.