Windows 10 blocks changes to the hosts file that involve Microsoft URLs

The operation of the hosts file is quite simple. This file, which requires administrator permissions to edit, is used to resolve domains to IP addresses without using the DNS system. Thanks to this, we can assign an IP address such as 127.0.0.1 or 0.0.0.0 to a web address to prevent our computer from making a connection to it.

For example, if we add the line 127.0.0.1 www.google.es to the hosts file, we will not be able to access Google because our browser will be trying to connect to the address 127.0.0.1, which is the local IP of our computer.

Windows Defender blocks any address with the word “microsoft”

Since the end of July, many users have started to see Windows Defender detect modified hosts files as a threat called "SettingsModifier:Win32/HostsFileHijack". The threat details show only the alert level, the date, and the fact that settings have been modified.

The problem is that this is only detected when certain addresses are entered. When we add an entry as innocuous as Google.com or similar, there is no problem. However, if we add 0.0.0.0 www.microsoft.com, that is when Windows Defender raises the alert.

Thus, it appears that Microsoft has updated Windows Defender to detect when a user has made changes to block addresses that contain the word Microsoft or that are related to Microsoft. Bleeping Computer reports that entering the following URLs triggers the Windows Defender detection:

  • www.microsoft.com
  • microsoft.com
  • telemetry.microsoft.com
  • wns.notify.windows.com.akadns.net
  • v10-win.vortex.data.microsoft.com.akadns.net
  • us.vortex-win.data.microsoft.com
  • us-v10.events.data.microsoft.com
  • urs.microsoft.com.nsatc.net
  • watson.telemetry.microsoft.com
  • watson.ppe.telemetry.microsoft.com
  • vsgallery.com
  • watson.live.com
  • watson.microsoft.com
  • telemetry.remoteapp.windowsazure.com
  • telemetry.urs.microsoft.com

If you tell Windows Defender to remove the threat, it restores the default hosts file, without the modifications we added. If we want to keep the modifications we have made, we can choose to "allow" this threat, although by doing so we would be allowing any modification to the file, even malicious ones.

Use a better antivirus

Microsoft seems to be doing this to counter programs like O&O ShutUp10, which modify the hosts file to block Microsoft telemetry addresses. Blocking this type of modification makes sense against malware, since, for example, an attacker can replace the IP address of our bank with one under their control so that, when we visit the website, we reach the site they control and not the real one. However, having the antivirus trigger only when we enter Microsoft addresses is a pretty messy move on the part of the company.

Therefore, although Windows Defender has been improving its protection in recent years, it is recommended that you use another, better antivirus that does not apply this type of arbitrary blocking when you try to prevent the company from spying on you.
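The article distinguishes two kinds of hosts entry: a block, which points a name at 127.0.0.1 or 0.0.0.0, and a redirect, which points a name at some other server, as in the bank example. The following script is an added example, not code from the article or from Microsoft, and it does not reproduce Windows Defender's detection logic; it audits a hosts file and labels each entry as one or the other. The sample file, the name www.bank.example and the address 203.0.113.10 are constructed for illustration.

```python
import ipaddress

# Constructed sample hosts content (not taken from a real machine).
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
0.0.0.0         www.microsoft.com telemetry.microsoft.com  # blocked by the user
127.0.0.1       www.google.es
203.0.113.10    www.bank.example    # name pointed at a non-local server
not-an-ip       broken.example
"""

def parse_hosts(text):
    """Yield (line_no, ip, hostnames) for each valid entry; skip comments and junk."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()  # drop trailing comment, split on whitespace
        if len(fields) < 2:
            continue  # blank line, comment-only line, or an IP with no hostname
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an IP address
        yield line_no, ip, [h.lower() for h in fields[1:]]

def classify(ip):
    """'sinkhole' if the entry only blocks the name, 'redirect' if it points elsewhere."""
    return "sinkhole" if ip.is_loopback or ip.is_unspecified else "redirect"

def audit(text, ignore=("localhost",)):
    """Return a list of (line_no, hostname, ip, kind), one item per mapped hostname."""
    findings = []
    for line_no, ip, names in parse_hosts(text):
        for name in names:
            if name not in ignore:
                findings.append((line_no, name, str(ip), classify(ip)))
    return findings

if __name__ == "__main__":
    for line_no, name, ip, kind in audit(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {ip} [{kind}]")
```

Entries labelled "redirect" are the ones worth reviewing first, since a block can only make a site unreachable while a redirect sends traffic to another machine.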
