
Custom HOSTS file falsely being quarantined and deleted.


Decided to run a TRIAL version of ESET on a Windows 10 laptop build rather than have the machine use the default Windows Defender.

I have a custom hosts file set up on this machine using "Spybot - Search and Destroy" as well as several other hosts blocklists added.

For some reason the hosts file keeps disappearing. After about an hour of viewing I noticed ESET is removing this custom hosts file.

Under the quarantine tab I can restore the file, but I have no way to exclude it from being quarantined again.

So I'm stuck in a loop of restoring the file from quarantine and then it being re-quarantined over and over and over ...

Error message: "hosts - Win32/Qhost trojan - cleaned by deleting [1]"

I created this hosts file myself; I don't know why ESET is not allowing me to exclude it or keep it from being removed.

Very Annoying ...

Under the Quarantine options the exclude option is greyed out. How can I stop this from happening?

No option to exclude a custom hosts file from auto deletion ("Quarantine").


I tried to Google why this is happening and how to fix it, and only found one article with any reference at all, with no replies.


exclude-gone.png


  • Administrators

It's not a false positive. If you want to use an intentionally modified hosts file, add it to detection exclusions.


So I figured out why it is being flagged and removed, for the record.

At the top of my hosts list, a long long long time ago, I thought I would be cool and add figlet text at the top of my hosts file.

As you can see here in the photo, lines 1-23 have my name as figlet text.

If I remove lines 1-23 the file does not get flagged.

Just food for thought.

Lots of auto hosts file builders do this with custom set rules, so as you scroll through you can see where filters are applied.

As you can guess, blocking stuff out with a custom hosts file can get very lengthy and long, but I digress.

After re-scanning and trying to figure this out I found this error:
      <COLUMN NAME="Log">[1] Object has been deleted as it only contained the virus body.</COLUMN>


virus-body.png


So at first the figlet text was drawn with the * character; I thought maybe replacing the * with a # character would help.

It did not.

So I removed the whole figlet text entirely to correct this.

I guess I could also have done what you suggest, and add it to detection exclusions, but I'm not that familiar with ESET.

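Before excluding the file or sending it in, it helps to look at the file the way a scanner does rather than the way the resolver does. The Python below is an added example, not ESET's code and not the poster's actual file: it classifies each line of a hosts file the way Windows reads one (an address, one or more names, an optional '#' comment; anything else is ignored by the resolver but is still content in the file), so a figlet banner that is not prefixed with '#' shows up as malformed, and it separates blocklist entries (sinkhole addresses such as 0.0.0.0) from mappings that redirect a domain somewhere else, which is the hosts-file hijacking behaviour that detection names like Qhost refer to. The sample file and the list of "sensitive" domain suffixes are constructed assumptions for the example; ESET's actual detection criteria are not given in this thread.

```python
"""Audit a custom hosts file before deciding whether a detection is a false positive.

Added example, not ESET code or the forum poster's file. It reports the two things
a hosts-file hijacker detection is about: (1) lines that are neither valid entries
nor '#' comments, e.g. a figlet banner drawn with '*', which Windows silently
ignores but a scanner still sees; (2) entries that point a sensitive domain somewhere
other than a sinkhole address, i.e. redirection rather than blocking."""
import ipaddress

SINKHOLE_ADDRS = {"0.0.0.0", "127.0.0.1", "::1", "::"}

# Assumed watch-list for this example only; ESET's real criteria are not published here.
SENSITIVE_SUFFIXES = ("microsoft.com", "windowsupdate.com", "eset.com", "safer-networking.org")


def classify_line(raw: str):
    """Return (kind, address, names) for one hosts line.

    kind is 'blank', 'comment', 'malformed' or 'entry'.
    Windows reads "<address> <name> [<name>...] [# comment]" and ignores anything
    else, so a banner line without a leading '#' is reported as 'malformed'.
    """
    stripped = raw.strip()
    if not stripped:
        return "blank", None, []
    if stripped.startswith("#"):
        return "comment", None, []
    fields = stripped.split("#", 1)[0].split()  # drop a trailing comment
    if len(fields) < 2:
        return "malformed", None, fields
    try:
        addr = ipaddress.ip_address(fields[0])
    except ValueError:
        return "malformed", None, fields
    return "entry", str(addr), [n.lower().rstrip(".") for n in fields[1:]]


def is_sensitive(name: str) -> bool:
    return any(name == s or name.endswith("." + s) for s in SENSITIVE_SUFFIXES)


def audit_hosts(text: str) -> dict:
    """Summarise a hosts file. Keys: sinkhole (count), custom, hijack, malformed."""
    report = {"sinkhole": 0, "custom": [], "hijack": [], "malformed": []}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        kind, addr, names = classify_line(raw)
        if kind == "malformed":
            report["malformed"].append((lineno, raw))
        elif kind == "entry":
            if addr in SINKHOLE_ADDRS:
                report["sinkhole"] += 1  # blocklist-style entry (localhost counts too)
            else:
                for name in names:
                    bucket = report["hijack"] if is_sensitive(name) else report["custom"]
                    bucket.append((lineno, addr, name))
    return report


# Constructed sample, not the poster's real file: a figlet-style banner, a
# Spybot-style blocklist, a LAN alias, and one entry that redirects an update host.
SAMPLE_HOSTS = """\
 ____   ___  ____
|  _ \\ / _ \\| __ )
|____/ \\___/|____/
# Start of entries inserted by Spybot - Search & Destroy
0.0.0.0 ad.doubleclick.net
0.0.0.0 tracking.example # trailing comment is fine
127.0.0.1 localhost
192.168.1.20 desktop.local
1.2.3.4 download.windowsupdate.com
"""

if __name__ == "__main__":
    rep = audit_hosts(SAMPLE_HOSTS)
    print(f"{rep['sinkhole']} sinkhole entries, {len(rep['custom'])} custom mappings")
    for lineno, raw in rep["malformed"]:
        print(f"line {lineno}: not a hosts entry or comment: {raw!r}")
    for lineno, addr, name in rep["hijack"]:
        print(f"line {lineno}: {name} redirected to {addr} (hijack pattern)")
```

Run it against a copy of C:\Windows\System32\drivers\etc\hosts (read the file and pass its text to audit_hosts). A file whose only findings are malformed banner lines is the poster's situation; a file with entries in the hijack bucket is the case where the scanner's verdict deserves a second look before an exclusion is added.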

  • Administrators

Please provide the detected file in an archive encrypted with the password "infected".


I've been struggling with this as well. First on my desktop, now on my laptop as well when I booted it up to retrieve my custom hosts file. The only modifications made were ensuring custom names were routed to the correct local IP (e.g. desktop.local)

In my case though, Eset deleted the hosts files without quarantine so it is impossible to retrieve them. Why is this happening and is there any way to get them back?


  • Administrators
46 minutes ago, Tadsz said:

In my case though, Eset deleted the hosts files without quarantine so it is impossible to retrieve them. Why is this happening and is there any way to get them back?

I was unable to reproduce it. The hosts file was quarantined and I was able to restore it. If you are able to reproduce the issue with quarantining the file, please provide step-by-step instructions.


On 1/26/2021 at 11:16 AM, Marcos said:

I was unable to reproduce it. The hosts file was quarantined and I was able to restore it. If you are able to reproduce the issue with quarantining the file, please provide step-by-step instructions.

Apologies for the delay. On my laptop, it does get quarantined and I was able to restore it. Narrowing down the list accumulated over the past 10 years, ESET was triggered on one specific line (made it quite easy, two lines would have been harder to figure out) which still routes to 0.0.0.0. I decided to rerun a scan on my desktop and ESET was triggered on two other hosts files, one in use by git and the other by WSL, but this could be explained by them being automatic copies of my Windows hosts file.

As I've narrowed the list down to the specific line that triggered it; I still cannot explain why Eset would be triggered but as this is a line I've had from the beginning and since then unused for years I've decided to remove it and call it a day. Only thought it was odd that Eset was not triggered by actually visiting that website.

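The narrowing-down described in the post above can be automated as a binary search over the file's lines, as long as a single line is responsible. The Python below is an added example, not ESET's tooling: find_triggering_line takes a detector predicate, halves the candidate set at each step, and returns None when neither half triggers on its own, which is exactly the two-lines-together case the post mentions; find_all_triggering_lines repeats the search for files with several independent triggers. A real predicate would write the candidate lines to a file on a scanned path and run an on-demand scan; that part is assumed and not shown, and the stand-in detector and sample file here are constructed so the example runs offline.

```python
"""Find which line of a flagged hosts file triggers a detection.

Added example, not ESET's code. is_detected(lines) is supplied by the caller; in
real use it would write `lines` to a file on a scanned path and run an on-demand
scan (assumed workflow, not implemented here)."""
from typing import Callable, List, Optional, Sequence, Tuple

Detector = Callable[[Sequence[str]], bool]


def find_triggering_line(lines: Sequence[str], is_detected: Detector) -> Optional[Tuple[int, str]]:
    """Binary-search for the one line whose presence alone makes is_detected True.

    Returns (index, line). Returns None if the whole input is clean, or if at some
    step neither half triggers by itself, i.e. the detection needs lines from both
    halves (two lines that only trigger together cannot be isolated this way).
    Loop invariant: is_detected(lines[lo:hi]) is True.
    """
    if not lines or not is_detected(lines):
        return None
    lo, hi = 0, len(lines)
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if is_detected(lines[lo:mid]):
            hi = mid
        elif is_detected(lines[mid:hi]):
            lo = mid
        else:
            return None
    return lo, lines[lo]


def find_all_triggering_lines(lines: Sequence[str], is_detected: Detector) -> Tuple[List[str], bool]:
    """Repeat the search, dropping each line found, until the remainder is clean.

    Returns (lines_found, remainder_is_clean). remainder_is_clean is False when the
    search stopped on a joint trigger that a single-line search cannot isolate.
    """
    remaining = list(lines)
    found: List[str] = []
    while True:
        hit = find_triggering_line(remaining, is_detected)
        if hit is None:
            return found, not is_detected(remaining)
        index, line = hit
        found.append(line)
        del remaining[index]


# Constructed stand-in for the scanner (not ESET's logic): flags any entry that
# points a windowsupdate.com host at a non-sinkhole address.
def stand_in_detector(lines: Sequence[str]) -> bool:
    for line in lines:
        fields = line.split("#", 1)[0].split()
        if (len(fields) >= 2 and fields[0] not in ("0.0.0.0", "127.0.0.1")
                and fields[1].endswith("windowsupdate.com")):
            return True
    return False


# Constructed sample: a blocklist with one redirecting entry buried in the middle.
SAMPLE_LINES = (
    ["# blocklist header"]
    + [f"0.0.0.0 ad{i}.example" for i in range(40)]
    + ["1.2.3.4 download.windowsupdate.com"]
    + [f"0.0.0.0 track{i}.example" for i in range(20)]
)

if __name__ == "__main__":
    hit = find_triggering_line(SAMPLE_LINES, stand_in_detector)
    print("trigger:", hit)  # (41, '1.2.3.4 download.windowsupdate.com')
```

Each call to the predicate is one scan, so isolating a line costs about log2(n) scans instead of one scan per line; on a ten-year-old blocklist of tens of thousands of entries that is the difference between a dozen scans and thousands. When the function returns None on a file that does trigger, the detection depends on a combination of lines, and the poster's remark that two lines would have been harder applies.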