A Little Embarrassed to Even Ask This......RE: Hosts File / Windows 7



  • As I just said, I'm really embarrassed to even have to ask about this but I'm out of knowledge and I have a extremely irritated user who's not buying my technical insight regarding hosts files.

    Yes. hosts files.

    I have an applications engineer who does demos of software off site quite often, and they rely on our current VPN to access licensing for CAD Apps. The host file apparently has changed on it's own, and they had a license failure during a demo. I was told that all entries were commented out, and they hadn't changed it and they are also convinced that I did this through some GPO or AV application, which I have not. I'm almost afraid to touch the machine at times because they can get a little twerked and basically discount whatever it is I say. I was told today to fix it for good or basically they were going to get really upset next time it happens.

    So, besides malware changing this, has anyone ever witnessed such a thing and knows what can cause the hosts file to change without interaction?

    BTW, they conveniently deleted the file, so I can't even check time stamps on it. facepalm.



  • @Bill-Kindle Are you talking about the C:\Windows\System32\drivers\etc\hosts file? They deleted it? By default, I believe it's set to read-only for normal users. So unless you explicitly open it as admin to edit it you can't. So I suppose a rogue app (or just a poorly written one) could change it if running as administrator. I have seen that, but I don't remember what "legit" app it was. If I recall correctly, it was just the programmer being lazy.



  • @ITcrackerjack said:

    @Bill-Kindle Are you talking about the C:\Windows\System32\drivers\etc\hosts file? They deleted it? By default, I believe it's set to read-only for normal users. So unless you explicitly open it as admin to edit it you can't. So I suppose a rogue app (or just a poorly written one) could change it if running as administrator. I have seen that, but I don't remember what "legit" app it was. If I recall correctly, it was just the programmer being lazy.

    Yes, they are a local admin by demand. I have no say because they are my boss. If I explain that it's because they disabled UAC, run as an admin they will probably lose it. (I've already hinted that to them, but for now I'm blaming Symantec because I'm only using them for another week before I cut over to Webroot).

    But yes, it's that hosts file.



  • @Bill-Kindle said:

    @ITcrackerjack said:

    @Bill-Kindle Are you talking about the C:\Windows\System32\drivers\etc\hosts file? They deleted it? By default, I believe it's set to read-only for normal users. So unless you explicitly open it as admin to edit it you can't. So I suppose a rogue app (or just a poorly written one) could change it if running as administrator. I have seen that, but I don't remember what "legit" app it was. If I recall correctly, it was just the programmer being lazy.

    Yes, they are a local admin by demand. I have no say because they are my boss. If I explain that it's because they disabled UAC, run as an admin they will probably lose it. (I've already hinted that to them, but for now I'm blaming Symantec because I'm only using them for another week before I cut over to Webroot).

    But yes, it's that hosts file.

    That may actually be a legit response. Anti-virus often monitor the hosts file, so maybe it quarantined the changed one and reverted to an older one?



  • @Bill-Kindle said:

    I was told today to fix it for good or basically they were going to get really upset next time it happens.

    Let them. If they have their own admin rights, that's upon them to fix the problem. We have people who do this kind of [moderated] all the time in their environments and blame us for their shortcomings. Stick to your support bounds, they are outside of it therefore they are on their own.

    Yes, you can modify stuff via GPO, but it's not as simple or as likely as them going in there and modifying the file themselves. And considering it was # out and not deleted wholesale, that says to me someone went in there and did it manually.



  • @PSX_Defector said:

    @Bill-Kindle said:

    Yes, you can modify stuff via GPO, but it's not as simple or as likely as them going in there and modifying the file themselves. And considering it was # out and not deleted wholesale, that says to me someone went in there and did it manually.

    ^^which happens all the damn time, and I actually advise against it. I also hate the current VPN config because if this were a Pertino VPN, I wouldn't be having this problem. I've already verified it.



  • So right now we have:

    • list item Antivirus

    • list item UAC / Admin rights

    • list item Malware



  • Sounds like you're in a rough spot. Not sure there is anything much you can do since you can't remove local admin rights, therefore you can't lock it down. I suppose you could find and install a file monitoring softaware that sends its logs to the server.

    Do you report to these sales people? or do you report to the owner who is the sales person?



  • @Dashrender said:

    Sounds like you're in a rough spot. Not sure there is anything much you can do since you can't remove local admin rights, therefore you can't lock it down. I suppose you could find and install a file monitoring softaware that sends its logs to the server.

    Do you report to these sales people? or do you report to the owner who is the sales person?

    Actually this is the Sr. Applications Engineer for our US Office, he's my direct report before it goes to the owner over in the UK. This is because my main job duties are support. IT for our US operations is the other half.



  • Sounds like you have a malicious, rogue user. The are local admins, they are likely making the changes and lying. I would escalate this over them. They are setting you up.



  • @scottalanmiller said:

    Sounds like you have a malicious, rogue user. The are local admins, they are likely making the changes and lying. I would escalate this over them. They are setting you up.

    I would like to think that's not the case, but the last couple of 'issues' have really made my meter go off the scale........

    Bull_Shit_Detector_2.jpg

    Same user was saying my Meraki AP was garbage because their Samsung S4 constantly dropped wifi.........yeah. Only device doing that too.



  • @Bill-Kindle said:

    @scottalanmiller said:

    Sounds like you have a malicious, rogue user. The are local admins, they are likely making the changes and lying. I would escalate this over them. They are setting you up.

    I would like to think that's not the case, but the last couple of 'issues' have really made my meter go off the scale........

    Bull_Shit_Detector_2.jpg

    Same user was saying my Meraki AP was garbage because their Samsung S4 constantly dropped wifi.........yeah. Only device doing that too.

    Sounds like either non-technical or malicious. They hosts file interaction sounds malicious. Being an idiot doesn't mean that you blame others for your failings. Being an ass does.



  • @scottalanmiller I'm doing some more sluething right now and Symantec may indeed be the cause. The Sonar feature apparently does monitor for alterations and protects against it (which is good IMHO) and a copy was made of the file on the 12th, of the same file...........

    Maybe if Nick or Richard see this they can clue me in on how I can avoid this when I deploy Webroot next week, or at least make an exception to this.

    Did I mention this user never placed a ticket either? lol





  • Who is responsible for having symantec in there?



  • @scottalanmiller said:

    Who is responsible for having symantec in there?

    hides 🙂

    It's what our UK office has been using since before I started, so in an effort to not rock the boat too much with the other System's Admin I tried to keep everything similar so that things are uniform across the network. Since then, I've been given a little more leway with IT decisions here in the US office. I was even scoffed at by this same user this morning for saving the company a few dollars by switching to Webroot and getting an extra year compared to the costs I was looking at for renewing with Symantec.



  • Blame the British then 😉


Log in to reply