Question Malware in host file?

Apr 29, 2025
A Nessus scan said the below entry in the host file is suspicious:

C:\WINDOWS\system32\drivers\etc\hosts :

0.0.0.1 scinstallcheck.mcafee.com

Does that look malicious to anyone? I'm not sure how to confirm or deny that 0.0.0.1 scinstallcheck.mcafee.com is malicious.
 
It's blocked because the hosts file causes a domain name to be redirected - in this case the traffic is being redirected to the IP address 0.0.0.1. But that particular IP is just a placeholder, so to say, and not a valid IP address.
That is why it's blocked.

Why blocked, you ask? Do you have McAfee installed on your computer?

Ehrr, wait a moment. I may be wrong actually in my last post, because if that entry's purpose is to block McAfee from updating (if that is where McAfee gets its updates from) then I'm inclined to suspect you may have had malware and this has changed the hosts file in order to prevent McAfee from updating.
 
To follow @Grobe a bit....

My hosts file is located in

C:\WINDOWS\system32\drivers\etc

When opened via Notepad (as admin) the file can be viewed and edited.

Here is my file:

# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

# localhost name resolution is handled within DNS itself.
# 127.0.0.1 localhost
# ::1 localhost

= = = =

If I follow correctly you should be able to edit the file and comment out that

0.0.0.1 scinstallcheck.mcafee.com

by preceding it with a #.

Do so only if you are comfortable with doing such things and if you are able to make and save a copy of the original hosts file in the same sub-directory.

Then reboot and determine if McAfee will update.

= = = =

That said, you probably do not need McAfee to begin with.

Windows Defender/Security is very good and you can install Malwarebytes (free) for occasional scans if and as you deem necessary.
 
You in general can just delete the hosts file if you suspect there is an issue. The default file is just an example and all the lines in it are just comments.

Hosts files are old news basically. Used to be you would use HOSTS to provide an easy way to block sites, kinda like your own small DNS server.

Although it is still not the default...I don't think at least...many people are using encrypted DNS. Although in theory the host file could still be used, from what it appears the implementations of encrypted DNS do not check entries in the host file. The whole point of encrypted DNS is both to hide the DNS requests and also be sure that the results you get are actually coming from the DNS server and not being modified. The hosts file is in effect your own private man in the middle attack. Because it prevents bad people on the internet from doing man in the middle attacks, it also prevents you from doing it yourself using a simple hosts file.
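
One way to audit a hosts file for the kind of entry the scan reported, added here as an example and not part of any post in this thread: it parses active (uncommented) mappings and flags names pointed at addresses that can never reach a server, noting when the name belongs to a security vendor. The sink ranges, the watch list and the sample text are assumptions constructed for illustration.

```python
import ipaddress

# Ranges that never reach a real server: "this network" (0.0.0.0/8) and loopback.
SINK_NETS = [ipaddress.ip_network(n) for n in ("0.0.0.0/8", "127.0.0.0/8", "::/127")]

# Hypothetical watch list of security-vendor domain suffixes (assumption; extend as needed).
WATCHED_SUFFIXES = ("mcafee.com", "microsoft.com", "malwarebytes.com")

# Names that are normally mapped to loopback and are not findings.
BENIGN_NAMES = {"localhost", "localhost.localdomain"}


def parse_hosts(text):
    """Yield (line_no, address, hostname) for every active mapping."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first column is not an IP address, so not a mapping
        for name in fields[1:]:  # one line may carry several aliases
            yield line_no, addr, name.lower().rstrip(".")


def audit_hosts(text):
    """Return mappings that sinkhole a name or override a security-vendor name."""
    findings = []
    for line_no, addr, name in parse_hosts(text):
        if name in BENIGN_NAMES:
            continue
        sinkholed = any(addr.version == n.version and addr in n for n in SINK_NETS)
        watched = any(name == s or name.endswith("." + s) for s in WATCHED_SUFFIXES)
        if sinkholed or watched:
            findings.append({"line": line_no, "address": str(addr), "host": name,
                             "sinkholed": sinkholed, "security_vendor": watched})
    return findings


# Constructed sample: default-style comments plus the entry from the question.
SAMPLE = """\
# localhost name resolution is handled within DNS itself.
# 127.0.0.1 localhost
127.0.0.1 localhost
0.0.0.1 scinstallcheck.mcafee.com   # flagged by the scan
192.168.1.20 nas.home.example
"""

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE):
        print(finding)
```

A finding with both `sinkholed` and `security_vendor` set is the pattern discussed above; whether it was written by malware or by the product's own installer or a blocklist tool still has to be established from the file's modification time and the software history of the machine.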