Avast and Hosts file

[kpfuser]

Just recently I ran into the following problem involving a Hosts file monitoring utility (WinPatrol) and avast:

I made and saved some changes in my Hosts file. WinPatrol, which monitors the Hosts file continually in order to detect unauthorized changes, flagged the changes (as was expected) and prompted me to accept or decline them. I, of course accepted. A few minutes later, however, WinPatrol warned me again that the Hosts file had changed. Since I had made no additional changes to the Hosts file myself, I declined the (presumably new) changes. This caused a bombardment of my pc (WinXP Home SP 2) with repeated WinPatrol warnings every two minutes or so which virtually brought my work to an end.

Seeing that obviously something was wrong, I employed a file monitoring utility (Filemon from Sysinternals) to see which programs were accessing my Hosts file. Filemon indicated that during this erratic behavior Hosts was accessed by WinPatrol (presumably for monitoring purposes) and by avast (presumably for virus scanning purposes). Seeing no danger in this case, I made copies of both the old and new versions of Hosts and I accepted the changes. This led to an error message claiming that there was some accessibility problem regarding Hosts but put an end to the series of WinPatrol warnings.

Next I employed a file comparing utility (ExamDiff) to see what changes were made to the Hosts file. However, the saved copies of the old and new versions of Hosts turned out to be identical. Referring the whole matter to the author of WinPatrol produced a suggestion from the latter that some other program was also monitoring Hosts causing in the process changes not in content but in other file attributes (creating backups, changing the time Hosts was created or modified, etc.) all of which would be seen as changes in the Hosts file by WinPatrol.

So here comes the relevant question for this forum: Were such changes (in file attributes other than content-related) caused by avast? If yes, how does avast interact with the Hosts file?

One last detail: Following the second acceptance of the Hosts file changes, Filemon indicated that Hosts was now accessed by WinPatrol and svchost.exe but not by avast anymore.

Can anyone decipher all this?

[mauserme]

Hi kpfuser,

I'm not currently using a hosts file but have done so in the past with no conflicts with avast!  And I'm not aware of avast! doing any sort of process monitoring.

I have, however, had a similar experience while trying to run WinPatrol and Spybot S&D TeaTimer concurrently.  So my guess would also be that you have something else monitoring for changes.

Are you using Microsoft Antispyware?  That has a component that looks at the host file.  Svchost.exe is responsible for running any number of windows processes and since the MS Antispyware Data Service runs under this I would look there.

[DavidR]

Monitoring the changes is not the issue as all programs appear to be monitoring correctly. What you have to identify what is making the changes to the hosts file (or what is blocking changes without warning).

avast's monitoring or scanning of the hosts file shouldn't stop the legitimate changes unless they were suspicious/infected and you would get an alert from avast. Having multiple programs monitoring/protecting changes could cause this as one blocks the changes.
Have you modified the avast Standard Shield blocking settings (see image) ?

Some malware will attempt to modify the hosts file to stop you getting to security related websites. However, there a number of legitimate reasons to change the hosts file if you are using some form of ad blocker, etc. that modifies the host file. But I asssume it isn't malware as you would have notice those types of changes on examination of ExamDiff.

I would suggest you check and ensure only one program is protecting the hosts file.

[igor]

avast! does not interact with the hosts file in any way.

[kpfuser]

Thank you all for your replies.

Here are some additional comments to clarify matters a bit more:

1. I did not install/run any other Hosts monitoring utility, unless some utility does this without my knowledge and without reporting back to me. In fact, I installed WinPatrol for the sole purpose of having a Hosts monitor in my system.

2. I do have Spybot Search and Destroy (and Adaware too) but I do not use the Tea Timer feature, which I am not sure what it does. To the best of my knowledge, Spybot runs scans when I activate it and not on a continual basis. Needless to say, at the time of the mentioned popups, Spybot was not running. I have read somewhere that Spybot also offers the option of locking the Hosts file, but I have not opted for this feature either.

3. Filemon did indicate that avast was contacting Hosts during popup time and svchost.exe after the popups subsided. Now as to whether avast was making any sort of change whatsoever to Hosts during its numerous visits, I must take Igor's word and leave it at that.

This is not the most conclusive outcome to my querry, but since there is an easy workaround to this messy situation, should it ever appear again, I'd consider this matter closed unless someone else has anything more revealing to contribute.