HOSTS File

I'm giving Norton another try, before moving back to ESET, so far NIS is the wrong choice. Interface seems like it's been designed by monkey lemmings. ESET is a cleaner and more advanced piece of software. But... anyways.

How do I keep NIS from scanning the hosts file? Each time I add a line, save, or delete a line, save, NIS decides that it needs to scan it for 5 minutes and cause high system usage.

I've explicitly excluded from scans, Auto-Protect, SONAR, DID, and there are no other options that I can see, unless it's, obviously, obscured (as the NIS interface already is).

Explicitly added directory and file:

C:\Windows\System32\drivers\etc\

C:\Windows\System32\drivers\etc\hosts

Hi bose,

Malicious entries in the Hosts file are identified by the following signature: SecurityRisk.URLRedir.  Try excluding that signature from future detections.  In Norton Settings, open the Computer tab to Antivirus and SONAR Exclusions.  Click Configure [ + ] for Signatures to Exclude from All Detections.  In the Signature Exclusions box, click Add (it may take a short time for the list to populate - be patient).  Once the list is visible use the dropdown box above it and select Security Risk.  Scroll down to SecurityRisk.URLRedir, highlight the entry, click Add, Apply, OK.


Sandro_cm wrote:

I personally love the UI of NIS, simple, modern and suitable for both experts and beginners.
BTW, I don't like the UI of ESET that I've used in the past, it appears to me to be old and obsolete, like a software created 10 years ago, I think it is a matter of taste ... Anyway.


"simple, modern and suitable for both experts and beginners." ? Please, its design looks like a child designed it while smoking crack. It's inefficient. Options are scattered all over the place. Some tools are blatantly hidden below submenu after submenu.

ESET "appears" to be old and obsolete... ok whatever. It's very clean. Options are right there, instead of scattered. Tools are not hidden and no submenu to submenu's. You have a blatant "Advanced" settings which will take you to the cleanest toolsets available to the application and everything is straightforward. Besides who gives a bark if the UI looks like it's 20 years old, is sufficient, advanced and straightforward. However, NIS, looks like this childish "METRO" bs. The ONLY thing going for NIS that I currently see is the very minimal use of memory (40mb less), but kills SYSTEM performance when it's doing a scan, unlike ESET.

Furthermore, to answer your questions:

I doubt you have a mvps hosts file, with custom identifiers added. My hosts file is roughly 1.5mb in size, even with the IP's to URLs set as they ought to be as 0.0.0.0, excluding the loopback, of course. The problem is not an "installation" or "update" issue either, it's NIS's method of scanning and exclusions. If I tell the program to exclude something it ought to exclude it globally, NOT per resource.

- Did you use the proper removal tool to uninstall the previous software?

There is no such thing as a "PROPER" removal tool. There are removal tools provided by the developer to uninstall the product. Besides this is a fresh installation of Windows and I can certainly reproduce the problem on a fresh, or even OLD, version on VMware image.

- Did you have the latest version of NIS and fully updated? The latest is the v. 20.1.1.7

Latest version of NIS shouldn't matter at all. Again, you fail to understand it's a problem with NIS scanning and exclusions. Anyway, I'm using the latest version to whatever NIS provided from the internet download link and from updates. In fact, I just ran another LiveUpdate again on this version, 21.1.0.18, and it requested that I apply the update and close some applications for it to continue, all while writing this, NIS began to shut down applications WITHOUT my approval, NOR stated anything about before applying these updates NIS needs to close applications and restart your computer. It stated NOTHING of the sort, nor warned me (the consumer) that NIS needed to reboot the system in order to apply the patch(es). Luckily I was fast enough to dos pskill.

- Have you run LiveUpdate until NIS says that the product is updated and that there are not updates found.

As above.

- Have you always restarted your computer when prompted?

Really? Don't be naive.

SendOfJive wrote:

Hi bose,

Malicious entries in the Hosts file are identified by the following signature: SecurityRisk.URLRedir.  Try excluding that signature from future detections.  In Norton Settings, open the Computer tab to Antivirus and SONAR Exclusions.  Click Configure [ + ] for Signatures to Exclude from All Detections.  In the Signature Exclusions box, click Add (it may take a short time for the list to populate - be patient).  Once the list is visible use the dropdown box above it and select Security Risk.  Scroll down to SecurityRisk.URLRedir, highlight the entry, click Add, Apply, OK.


Did not solve the problem.

ATTACHED IMAGE: Displaying NIS hogging "SYSTEM" resources and lagging the computer. This is current, LIVE, as per writing this. This happens the minute I add/remove anything to the hosts file and save it, and nothing can be saved during the process until NIS completes the scan and unlocks the file. This is an annoyance.

Another gripe I have is while having to exclude the hosts file from NIS, the drivers/etc/ directory does NOT display within its browser, don't for a minute blame this on Windows, it's a NIS issue. All other AV software I've tried and used don't display this issue, granted some do but not worth the time of day to even gripe about. NIS on the other hand... well, from advanced experience, is no better when it ought to be.

I am aware that NIS slogs through the Hosts file.  When I was using a Hosts file the Quick Scans would take two minutes to scan for SecurityRisk.URLRedir, and the CPU would peg.  You don't say if you have tried excluding that detection from scans - that might solve the problem.


SendOfJive wrote:

You don't say if you have tried excluding that detection from scans - that might solve the problem.


I tried your method, as previously stated, and did not solve the issue. I even rebooted the system after adding SecurityRisk.URLRedir to the excluded security risks/signature exclusions.

Hi bose,

Honestly, I'm not going to argue with what you say.
I understand that you like ESET both for its UI and how it works.

You asked for suggestions about the problem you're having with NIS and I did my best in trying to help you.

Since you are a new user in this forum, it seems logical to ask if you performed all the procedures that may seem obvious to experienced users, but everything changes when the user is a beginner and it is impossible to know this in advance.
All the suggestions I provided, as a rule are given to anyone who needs help.
Often users are saying that their Norton is not working properly and many times the cause is due to a bad installation of the product, etc...

Bottom Line:
If NIS does not suit your needs, no one's stopping you from changing product as well as I have done in the past but in the opposite way by uninstalling ESET and purchasing a license to use NIS.
Since then I have never changed my software with one of a competitor as I'm really pleased with how Norton / Symantec works.

Finally, I would be very happy if your problem will be solved.

Sandro

If the annoyance is that this is happening when you are making modifications to the Hosts file, you could temporarily disable Norton for the time it takes to make your changes.  Right-click the Norton system tray icon and select Disable Antivirus Auto-Protect.

You're missing the point. I, nor anyone for that matter, shouldn't need to disable protection at all... that's the entire purpose to EXCLUDE directories and files from the scans.

Not surprised that a Symantec moderator or developer hasn't responded to this issue, as they always neglect important issues, pure ignorance.

Sorry, wrong place. I had already shared my thoughts about this thread.


bose wrote:

You're missing the point. I, nor anyone for that matter, shouldn't need to disable protection at all... that's the entire purpose to EXCLUDE directories and files from the scans.


I am not missing the point, I was providing you with a workaround.

The hosts file is a file, but it is not treated like a normal file, it is treated like a configuration object.
The hosts file is scanned during a regular quick scan, and a quick scan is triggered whenever the hosts file is changed.

Some malware insert host file entries to disable or redirect traffic for critical services, such as Windows Update or Norton LiveUpdate.


Under normal conditions the hosts file is rarely changed, and the contents of the hosts file are very small.
Some tools frequently change the hosts file, resulting in frequent re-scans being triggered.
Some tools insert very large numbers of items in the hosts file, causing performance problems as each entry is read and evaluated.

Unfortunately there is currently no way to disable scanning of the hosts file.

Pieter
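
The distinction drawn in the post above, between ordinary block-list entries and entries that disable or redirect update services, can be checked in a single pass over the file. This is an added example, not part of the thread and not Norton's code; the watchlist, the verdict names and the sample entries are constructed assumptions.

```python
import ipaddress

# Illustrative watchlist (an assumption, not Norton's list) of update domains.
PROTECTED = ("windowsupdate.com", "update.microsoft.com", "symantecliveupdate.com")

def is_sink(addr):
    """True for the addresses block lists map to: unspecified or loopback."""
    ip = ipaddress.ip_address(addr)  # raises ValueError on a malformed address
    return ip.is_unspecified or ip.is_loopback

def is_protected(host):
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in PROTECTED)

def audit_hosts(text):
    """Return (line_no, address, name, verdict) for entries that need review."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # drop comments, then tokenize
        if len(fields) < 2:
            continue  # blank, comment-only, or an address with no name
        addr, names = fields[0], fields[1:]
        try:
            sink = is_sink(addr)
        except ValueError:
            findings.append((line_no, addr, names[0], "malformed-address"))
            continue
        for name in names:
            if is_protected(name):
                verdict = "update-blocked" if sink else "update-redirected"
            elif not sink and name.lower() != "localhost":
                verdict = "redirect"  # resolves to a real host: confirm intent
            else:
                continue  # ordinary block-list entry such as 0.0.0.0 ads.example.com
            findings.append((line_no, addr, name, verdict))
    return findings

# Constructed sample; 203.0.113.0/24 is a documentation-only address range.
SAMPLE = """\
127.0.0.1 localhost
0.0.0.0 ads.example.com   # block-list entry
203.0.113.7 www.example.org
0.0.0.0 download.windowsupdate.com
203.0.113.7 liveupdate.symantecliveupdate.com
not-an-ip broken.example.com
"""

if __name__ == "__main__":
    print(*audit_hosts(SAMPLE), sep="\n")
```

A large block list made only of `0.0.0.0` entries produces no findings, so the review output stays short however big the file is.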

I am well aware of malicious applications that modify the hosts file.

I also do not rely on Norton to manage my hosts file. I rely solely on MVPS and SBSD updates, which take care of most common threats of HOSTS file, browser redirects, and application hijacking. MVPS and SBSD are better alternatives to anything Symantec provides, or anyone else for that matter. Though they are not Anti-Virus platforms.

Norton, on the other hand, should not be given explicit permissions to lock down the hosts file, period. This issue, in a whole, is a Privacy issue and you are not allowed to do this, despite any statements within a license agreement. The hosts file is the consumers property and they have the inexplicable right to modify and append data to it as they please without hindrance, especially when an administrator and/or user explicitly excludes the file from scans.

I being the administrator ought to have super rights to tell what norton can and cannot do, NOT what "Symantec" believes what they should do to protect the consumer. Your job as a Developer is to provide users a security platform that provides the functionality to protect your consumers, YET provide administrators and users the ability to take control of their own system and exclude files as they deem.

You're basically telling consumers and experienced professionals that we don't attain the knowledge or ability to manage our own system platforms and that we need our hands held and parental guidance. WRONG. Again, administrators, and users, ought to have the EXPLICIT right to EXCLUDE ANY FILE from Norton security methods.


SendOfJive wrote:

bose wrote:

You're missing the point. I, nor anyone for that matter, shouldn't need to disable protection at all... that's the entire purpose to EXCLUDE directories and files from the scans.


I am not missing the point, I was providing you with a workaround.


I also want to add that "disabling" Norton protection does NOT mitigate HOSTS file scans nor does it alleviate high kernel/cpu usage.

People need to wake up... Norton, Symantec, does NOT have any right to lock down the HOSTS file or any file for that matter especially when there is an explicit EXCLUSION to exclude it from scans. Period.

Norton products are developed for home users, and the majority of those would not know a HOST file if they saw it. The products are designed to be as close to set and forget as possible.

Someone with your knowledge and experience in computers may be better off with a product that does not cause the hassles you are seeing. An IT expert may be better off with a business class product that allows more detailed control over the operation of the program.

There is a growing community of people who want to strengthen their Windows security through hosts file blocking, as evidenced by the numerous sites like http://winhelp2002.mvps.org/hostsfaq.htm ...

I see no reason why a person should have to forgo the best rated anti virus, to shore up hosts file blocking.  That would be the equivalent of saying you can have a firewall or antivirus, but not both.

I would think it a good idea to consider in a future patch/version to add a setting in NIS to turn off Hosts file scanning.

Norton does not prevent use of the Hosts file.  The main issue is that the scan of the Hosts file adds several minutes to the scan time and can use a lot of CPU cycles.  If you change the Hosts file frequently, this might be a major annoyance - if you update it only occasionally, then the only noticeable impact will be longer-than-usual Quick Scans.  At least that has been my experience.  I am not sure if bose was having additional issues.

soj:
> Norton does not prevent use of the Hosts file.

You're missing the point.

> The main issue is that the scan of the Hosts file adds several minutes to the scan time and can use a lot of CPU cycles.

But not the sole issue.

> I am not sure if bose was having additional issues.


bose:
> I also want to add that
> "disabling" Norton protection does NOT mitigate HOSTS file scans
> nor does it alleviate high kernel/cpu usage.

Those are problems.

> Norton, Symantec, does NOT have any right to lock down the HOSTS file or any file for that matter
> especially when there is an explicit EXCLUSION to exclude it from scans.

That's the real problem.

Is it true that even if the hosts file is in the NIS _Exclude list_ that NIS still scans it (quick scan and/or full scan)?  (Yes/No)


joen wrote:

> Norton, Symantec, does NOT have any right to lock down the HOSTS file or any file for that matter
> especially when there is an explicit EXCLUSION to exclude it from scans.

That's the real problem.


Norton does not "lock down" the HOSTS file.  You can still add anything you want to the HOSTS file.  It does, apparently, include the file in all scans however, regardless of the exclusion selection.  Remember, Norton is a consumer-grade security product.  Design considerations lean more towards making fundamental protections fool-proof, rather than providing granularity for advanced users.  Malware frequently uses the HOSTS file to prevent users from updating their antivirus or obtaining removal help.  So Norton is configured to always check the HOSTS file for unwanted changes.  Not an unreasonable thing for a consumer product to do. 

[Those should have been >>, not >.
  bose said that.]

> Malware frequently uses the HOSTS file to prevent users from updating their antivirus or obtaining removal help.  
> So Norton is configured to always check the HOSTS file for unwanted changes.

I understand what you're saying, and I agree with it to some extent.  But NIS has _so very many_ settings, virtually all of which affect overall security in some way or the other, that I see little overall difference if the hosts file is excluded from scans.

Case in point, Symantec even allows "Disable Antivirus Auto-Protect."  How does _no_ security compare to excluding the hosts file?

> Not an unreasonable thing for a consumer product to do.

Well, that's a slippery slope.  A year or two ago there was a huge flap when the new year's NIS version limited the number of user generated firewall rules.  Huge uproar.  Some product designer must have figured that no user would ever create more than X firewall rules.  Wrong.  Moral of the story: don't place limitations on the product.  Create a default, but allow configuration.

There are users who have needs that you don't know about.

Regarding this issue:
I use the mvps hosts file.  It's an additional layer of security.  I recommend it.
I do not recommend excluding it from scans.

Somewhere out there is a gamer who's trying to knock a fraction of a second off of some game's reaction time.  Be careful what you ask for.  But as long as you accept responsibility for your actions, ... .