
Dr.Web changes HOSTS File (even with Behavior Analysis adjusted)


10 replies in this topic

#1 barranja (Newbie, Posters, 9 posts)

Posted 13 April 2023 - 02:39

Hi! I'm on Windows 11 22H2 and just installed Dr.Web.

In my HOSTS file, I use some special entries (resolving to 0.0.0.0) I don't want to further discuss here))

Dr.Web constantly keeps commenting out my changes and keeps on reporting it as a neutralized threat.

I followed this guide <https://www.drweb.com/pravda/issue/?number=279&lng=en>

> Security Center > Preventive Protection > Behavior Analysis > Protection level > HOSTS file: Allow

...but Dr.Web still doesn't let me have my HOSTS file my way.

Is there a workaround?

Did I miss a system restart?

Program modules:
  Dr.Web Security Space: Dr.Web Security Space (12.0)
  Dr.Web Virus-Finding Engine: drweb32.dll (7.00.59.12300)
  Dr.Web Scanning Engine: dwengine.exe (12.6.15.03240)
  Dr.Web Anti-rootkit Server: dwarkdaemon.exe (12.6.15.03240)
  Dr.Web Anti-rootkit API: dwarkapi.dll (12.6.21.202301273)
  Dr.Web Thunderstorm Cloud Client SDK: ccsdk.dll (12.0.29.02162)
  Dr.Web Scanning Watcher: dwwatcher.exe (12.6.15.03240)
  Dr.Web Control Service: dwservice.exe (12.12.6.01180)
  Dr.Web WSC Service: wsc-service.exe (1.0.0.04150)
  Dr.Web Updater: drwupsrv.exe (12.0.53.07181)
  Dr.Web antimalware boot driver: dwelam.sys (12.06.00.10110)
  Dr.Web SpIDer Agent for Windows: spideragent.exe (12.11.7.03272)
  Dr.Web SpIDer Agent admin-mode module for Windows: spideragent_adm.exe (12.11.7.03272)
  Dr.Web Scanner SE: dwscanner.exe (12.11.8.12280)
  Dr.Web Console Scanner: dwscancl.exe (12.6.15.03240)
  Dr.Web File System Monitor: spiderg3.sys (12.6.2.11161)
  Dr.Web Protection for Windows: dwprot.sys (12.06.15.9120)
  Dr.Web Shellguard anti-exploit module: dwsguard32.dll (12.06.13.3100)
  Dr.Web Shellguard anti-exploit module: dwsguard64.dll (12.06.13.3100)
  Dr.Web device Guard for Windows: dwdg.sys (12.06.03.10080)
  Dr.Web Firewall for Windows driver: drweblwf.sys (12.05.11.3061)
  Dr.Web Shell Extension: drwsxtn.dll (12.10.2.07290)
  Dr.Web Shell Extension: drwsxtn64.dll (12.10.2.07290)
  Dr.Web SysInfo: dwsysinfo.exe (12.5.3.202111100)
  Dr.Web SysInfo library: dwsysinfo.dll (12.5.3.202111100)
  Dr.Web AMSI client: drwamsi32.dll (12.5.8.202112200)
  Dr.Web AMSI client: drwamsi64.dll (12.5.8.202112200)
  Dr.Web Security Space setup: win-space-setup.exe (12.10.16.10140)

Virus databases:
  drwtoday.vdb: 2098 virus records, date: 2023-04-12 23:12
  dwf12000.vdb: 8775 virus records, date: 2019-03-26 15:05
  drwdaily.vdb: 4731 virus records, date: 2023-04-12 08:06
  drw12000.vdb: 775706 virus records, date: 2016-04-01 06:00
  ...




#2 Kirill Polubelov (Hr. Schreibikus, Dr.Web Staff, 4 327 posts)

Posted 13 April 2023 - 11:04

Hello, barranja!

Could you please show your log file: "%ProgramData%\Doctor Web\Logs\dwservice.log"


Edited by Kirill Polubelov: 13 April 2023 - 11:30

#3 barranja (Newbie, Posters, 9 posts)

Posted 13 April 2023 - 12:09

Hello, Kirill! Thanks for your reply. Are you looking for something specific? The gzipped logs are roughly 100 MB.

 

2023-Apr-13 03:35:41.131409 [ 5572] [INF] [LOG] Rotate log...
===============================================================================
 Dr.Web Control Service for Windows v12.12.6.01180
 Copyright (c) Doctor Web, Ltd., 1992-2023
 Current arch: x64
 Binary: x64
 Operating System: Windows 11 x64 (Build 22621)
 Command line: C:\Program Files\DrWeb\dwservice.exe --logfile=C:\ProgramData\Doctor Web\Logs\dwservice.log 
===============================================================================
2023-Apr-13 03:35:41.131471 [ 7172] [INF] [arkdll] 

id: 642441, timestamp: 13.04.2023 03:35:41.0127, type: FileVolWrite (1), flags: 1 (wait: 1)
sid: S-1-5-18, cid: 4/10056:\Device\HarddiskVolume3\Windows\system32\ntoskrnl.exe
unique id: 4-133257995482431473-18446735292665692160
hips: type: 2, action: ask [0]
type: 0, new: 0, suspicious: 0, cmd: 
fileinfo: size: 11986304, easize: 404, attr: 0x20, buildtime: 07.07.1915 15:39:29.0000, ctime: 12.04.2023 04:31:36.0682, atime: 12.04.2023 20:59:20.0184, mtime: 12.04.2023 04:31:37.0014, descr: NT Kernel & System, ver: 10.0.22621.1555 (WinBuild.160101.0800), company: Microsoft Corporation, oname: ntkrnlmp.exe
signer: C=US|ST=Washington|L=Redmond|O=Microsoft Corporation|CN=Microsoft Windows, issuer: C=US|ST=Washington|L=Redmond|O=Microsoft Corporation|CN=Microsoft Windows Production PCA 2011, timestamp: 28.03.2023 05:38:13.0000, thumbprint: 58fd671e2d4d200ce92d6e799ec70df96e6d2664, eku: unknown [28], flags: 0x2a, hash alg: Sha256
catfile: {f750e6c3-38ee-11d1-85e5-00c04fc295ee}\microsoft-windows-client-desktop-required-package05142030~31bf3856ad364e35~amd64~~10.0.22621.1555.cat
creator name: Microsoft Windows
creator url: http://www.microsoft.com/windows
file sha1: b364388ebc1313a7d2dff39fdd0ec916f60c6c8a
file sha256: 35c9d3384ab1858b5460415ce752daa884dfd73eb25c02755909cd82a130103f
status: signed_catroot, sfc, pe64, driver, spc / signed_catroot / unknown / unknown / unknown / unknown
type: unknown, object: \Device\HarddiskVolume6
area: Unknown [1], offset: 0xef6a05000, size: 4096
id: 642441 ==> allowed [2], time: 0.075100 ms

...

2023-Apr-13 04:07:46.847864 [ 5236] [WRN] [bg-scan] scan result \Device\HarddiskVolume3\Windows\system32\drivers\etc\hosts infection: HOSTS:SUSPICIOUS.URL (type: 4; code: 8; )
2023-Apr-13 04:07:46.848022 [ 5236] [INF] [events uniter] registered virus component: component_guard, threat: HOSTS:SUSPICIOUS.URL, type: 0(ALERT_FILE_OBJECT), infection type: 4(Suspicious), action: 8( cured), user: SYSTEM, path: \Device\HarddiskVolume3\Windows\system32\drivers\etc\hosts
2023-Apr-13 04:07:46.848158 [ 5236] [INF] [events uniter] registered server event component: component_guard, threat: HOSTS:SUSPICIOUS.URL, type: 0(ALERT_FILE_OBJECT), infection type: 4(Suspicious), action: 8( cured), user: SYSTEM, path: \Device\HarddiskVolume3\Windows\system32\drivers\etc\hosts

...

2023-Apr-13 09:05:54.095179 [ 6872] [INF] [arkdll] 

id: 836874, timestamp: 13.04.2023 09:05:54.0095, type: FileCreate (5), flags: 1 (wait: 1)
sid: S-1-5-21-1587951583-132931476-2871531754-1001, cid: 17932/11976:\Device\HarddiskVolume3\Program Files\WindowsApps\Microsoft.WindowsNotepad_11.2302.26.0_x64__8wekyb3d8bbwe\Notepad\Notepad.exe
context: start addr: 0x7ff91a6392d0, image: 0x7ff91a610000:\Device\HarddiskVolume3\Windows\System32\ucrtbase.dll
unique id: 17932-133258168196751663-140697325600768
behaviour: change_hosts, run_from_shortcut
hips: type: 1, action: allow [2]
type: 0, new: 0, suspicious: 0, cmd: "C:\Windows\System32\notepad.exe" C:\Windows\System32\drivers\etc\hosts
fileinfo: size: 958976, easize: 228, attr: 0x20, buildtime: 24.02.2023 19:54:10.0000, ctime: 03.04.2023 02:09:27.0869, atime: 12.04.2023 22:22:53.0245, mtime: 03.04.2023 02:09:28.0429, descr: Notepad.exe, ver: 11.2302.26.0, company: Microsoft Corporation, oname: Notepad.exe
file sha1: 867a33f328293063732a179df7ae95e897d8322f
file sha256: 5430e6254023f0803ee1107108ee3f24153647967b00667d70a8e95389e685e2
status: unsigned, pe64 / unsigned / unknown / unknown / unknown / unknown
file: \Device\HarddiskVolume3\Windows\System32\drivers\etc\hosts
access: 0x12019f, create options: 0x60, disposition: 0x3
id: 836874 ==> allowed [2], time: 0.131300 ms

...


2023-Apr-13 10:01:56.565401 [ 5236] [WRN] [bg-scan] scan result \Device\HarddiskVolume3\Windows\system32\drivers\etc\hosts infection: HOSTS:SUSPICIOUS.URL (type: 4; code: 8; )
2023-Apr-13 10:01:56.565447 [ 5236] [INF] [events uniter] registered virus component: component_guard, threat: HOSTS:SUSPICIOUS.URL, type: 0(ALERT_FILE_OBJECT), infection type: 4(Suspicious), action: 8( cured), user: SYSTEM, path: \Device\HarddiskVolume3\Windows\system32\drivers\etc\hosts
2023-Apr-13 10:01:56.565628 [ 5236] [INF] [events uniter] registered server event component: component_guard, threat: HOSTS:SUSPICIOUS.URL, type: 0(ALERT_FILE_OBJECT), infection type: 4(Suspicious), action: 8( cured), user: SYSTEM, path: \Device\HarddiskVolume3\Windows\system32\drivers\etc\hosts

...


Log ID 836874 is me having notepad.exe open to overwrite (when the Dr.Web alert about neutralized threat appears :-))
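The following is an added example, not code from this thread or from Dr.Web. It does over a log file what Kirill does by eye on the excerpt above: it reads dwservice.log lines in the layout quoted there, counts hosts-file detections per reporting component (here bg-scan), counts the "cured" actions that rewrite the file, and pairs each [arkdll] record flagged change_hosts with the editing process and the driver's verdict, so that the rewriting component can be told apart from the edit that triggered the alert. The line layout is inferred from the quoted excerpt; SAMPLE_LOG is constructed to match it, and the sid and process path in it are placeholders.

```python
"""Triage dwservice.log for events touching the hosts file.

Added example, not Dr.Web code. The line layout is inferred from the
excerpts quoted in this thread; SAMPLE_LOG below is constructed to match
that layout (sid and process path are placeholders).
"""
import re
from collections import Counter

HOSTS_SUFFIX = r"\windows\system32\drivers\etc\hosts"

# One-line events: "<timestamp> [ <tid>] [<level>] [<component>] <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-[A-Za-z]{3}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) "
    r"\[\s*\d+\] \[(?P<level>\w+)\] \[(?P<component>[^\]]+)\] ?(?P<msg>.*)$"
)
SCAN_RE = re.compile(r"^scan result (?P<path>\S+) infection: (?P<threat>\S+)")
CURE_RE = re.compile(
    r"component: (?P<comp>[^,]+), threat: (?P<threat>[^,]+),.*"
    r"action: \d+\(\s*(?P<action>\w+)\),.*path: (?P<path>\S+)"
)

SAMPLE_LOG = r"""2023-Apr-13 04:07:46.847864 [ 5236] [WRN] [bg-scan] scan result \Device\HarddiskVolume3\Windows\system32\drivers\etc\hosts infection: HOSTS:SUSPICIOUS.URL (type: 4; code: 8; )
2023-Apr-13 04:07:46.848022 [ 5236] [INF] [events uniter] registered virus component: component_guard, threat: HOSTS:SUSPICIOUS.URL, type: 0(ALERT_FILE_OBJECT), infection type: 4(Suspicious), action: 8( cured), user: SYSTEM, path: \Device\HarddiskVolume3\Windows\system32\drivers\etc\hosts
2023-Apr-13 04:07:46.848158 [ 5236] [INF] [events uniter] registered server event component: component_guard, threat: HOSTS:SUSPICIOUS.URL, type: 0(ALERT_FILE_OBJECT), infection type: 4(Suspicious), action: 8( cured), user: SYSTEM, path: \Device\HarddiskVolume3\Windows\system32\drivers\etc\hosts
2023-Apr-13 09:05:54.095179 [ 6872] [INF] [arkdll]

id: 836874, timestamp: 13.04.2023 09:05:54.0095, type: FileCreate (5), flags: 1 (wait: 1)
sid: S-1-5-21-0-0-0-1001, cid: 17932/11976:\Device\HarddiskVolume3\Program Files\WindowsApps\Notepad\Notepad.exe
behaviour: change_hosts, run_from_shortcut
hips: type: 1, action: allow [2]
type: 0, new: 0, suspicious: 0, cmd: "C:\Windows\System32\notepad.exe" C:\Windows\System32\drivers\etc\hosts
file: \Device\HarddiskVolume3\Windows\System32\drivers\etc\hosts
access: 0x12019f, create options: 0x60, disposition: 0x3
id: 836874 ==> allowed [2], time: 0.131300 ms

2023-Apr-13 10:01:56.565401 [ 5236] [WRN] [bg-scan] scan result \Device\HarddiskVolume3\Windows\system32\drivers\etc\hosts infection: HOSTS:SUSPICIOUS.URL (type: 4; code: 8; )
2023-Apr-13 10:01:56.565447 [ 5236] [INF] [events uniter] registered virus component: component_guard, threat: HOSTS:SUSPICIOUS.URL, type: 0(ALERT_FILE_OBJECT), infection type: 4(Suspicious), action: 8( cured), user: SYSTEM, path: \Device\HarddiskVolume3\Windows\system32\drivers\etc\hosts
"""


def is_hosts_path(path):
    return path.lower().endswith(HOSTS_SUFFIX)


def _parse_ark_field(record, line):
    """Pull the few fields we care about out of one line of an [arkdll] record."""
    if line.startswith("sid:") and "cid:" in line:
        # "cid: <pid>/<tid>:<image path>" -> keep the image path
        record["process"] = line.split("cid:", 1)[1].split(":", 1)[1].strip()
    elif line.startswith("behaviour:"):
        record["behaviour"] = line.split(":", 1)[1].strip()
    elif line.startswith("type:") and "cmd:" in line:
        record["cmd"] = line.split("cmd:", 1)[1].strip()
    elif line.startswith("file:"):
        record["hosts"] = is_hosts_path(line.split(":", 1)[1].strip())


def triage(lines):
    """Return hosts-file detections, cure actions and driver-level edit records."""
    detections, cures, edits = [], [], []
    record = None  # [arkdll] record being collected, or None
    for raw in lines:
        line = raw.rstrip()
        if record is not None:
            if line.startswith("id:") and "==>" in line:
                # closing line: "id: N ==> allowed [2], time: ..."
                record["verdict"] = line.split("==>", 1)[1].strip().split(" [", 1)[0]
                if record.get("hosts") and "change_hosts" in record.get("behaviour", ""):
                    edits.append(record)
                record = None
            else:
                _parse_ark_field(record, line)
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        comp, msg, ts = m["component"], m["msg"], m["ts"]
        if comp == "arkdll" and not msg:
            record = {"ts": ts}
        elif (s := SCAN_RE.match(msg)) and is_hosts_path(s["path"]):
            detections.append({"ts": ts, "by": comp, "threat": s["threat"]})
        elif comp == "events uniter" and msg.startswith("registered virus"):
            # the "registered server event" twin carries the same data; count once
            c = CURE_RE.search(msg)
            if c and is_hosts_path(c["path"]):
                cures.append({"ts": ts, "component": c["comp"], "action": c["action"]})
    return {"detections": detections, "cures": cures, "edits": edits}


def summarize(result):
    """Who flagged the hosts file, how often it was rewritten, and who edited it."""
    return {
        "detected_by": dict(Counter(d["by"] for d in result["detections"])),
        "cured": len(result["cures"]),
        "editors": {e.get("process", "?"): e["verdict"] for e in result["edits"]},
    }


if __name__ == "__main__":
    print(summarize(triage(SAMPLE_LOG.splitlines())))
```

Run against a real file with `triage(open(path, encoding="utf-8", errors="replace"))`; a rising "cured" count with `detected_by` naming only bg-scan, while every change_hosts record is "allowed", is exactly the pattern of this thread: the behaviour-analysis setting is letting the edit through and the background scan is undoing it afterwards.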
 



#4 Kirill Polubelov (Hr. Schreibikus, Dr.Web Staff, 4 327 posts)

Posted 13 April 2023 - 12:36

> Are you looking for something specific?

Yes, but I already saw what I needed in your quote, thanks.

bg-scan -- this is background scanning.

You can add exclude path: C:\Windows\System32\drivers\etc\hosts for SpIDer Guard.



#5 barranja (Newbie, Posters, 9 posts)

Posted 13 April 2023 - 12:41

> Are you looking for something specific?
>
> Yes, but I already saw what I needed in your quote, thanks.
>
> bg-scan -- this is background scanning.
>
> You can add exclude path: C:\Windows\System32\drivers\etc\hosts for SpIDer Guard.

Thank you! Will try it and come back here for final feedback.



#6 barranja (Newbie, Posters, 9 posts)

Posted 13 April 2023 - 16:13

Hello again Kirill, sorry for the bad news.

Even though I excluded the path you specified, it still doesn't work. Dr.Web keeps on changing the hosts file.


2023-Apr-13 13:01:48.888767 [ 5236] [WRN] [bg-scan] scan result \Device\HarddiskVolume3\Windows\system32\drivers\etc\hosts infection: HOSTS:SUSPICIOUS.URL (type: 4; code: 8; )
2023-Apr-13 13:01:48.888821 [ 5236] [INF] [events uniter] registered virus component: component_guard, threat: HOSTS:SUSPICIOUS.URL, type: 0(ALERT_FILE_OBJECT), infection type: 4(Suspicious), action: 8( cured), user: SYSTEM, path: \Device\HarddiskVolume3\Windows\system32\drivers\etc\hosts
2023-Apr-13 13:01:48.889028 [ 5236] [INF] [events uniter] registered server event component: component_guard, threat: HOSTS:SUSPICIOUS.URL, type: 0(ALERT_FILE_OBJECT), infection type: 4(Suspicious), action: 8( cured), user: SYSTEM, path: \Device\HarddiskVolume3\Windows\system32\drivers\etc\hosts
2023-Apr-13 13:01:49.279715 [ 7240] [INF] [arkdll] 

To reiterate the current settings:

  1. Security Center > Preventive Protection > Behavior Analysis > Protection level > HOSTS file: Allow
  2. Path excluded C:\Windows\System32\drivers\etc\hosts for SpIDer Guard

Is there another workaround? Or did we find a bug?



#7 Kirill Polubelov (Hr. Schreibikus, Dr.Web Staff, 4 327 posts)

Posted 13 April 2023 - 16:53

Hello, barranja! I'm sorry.

Please open the regedit.exe utility and find, under "HKLM\SOFTWARE\Doctor Web\Settings\Netting\Security", the parameter:

"Heuristic/Scan/HostsFile"

If it does not exist, create it with type REG_DWORD and set it to 0.

Regards!

UPD: Before these actions, please disable our self-protection.


Edited by Kirill Polubelov: 13 April 2023 - 16:54


#8 barranja (Newbie, Posters, 9 posts)

Posted 13 April 2023 - 18:37

Hello Kirill,

I don't know if the registry hack fixed it -or- the deactivation/reactivation of all components -or- both.

Looks like it's working now, I'll append to this thread if the issue returns.

By the way: No need to be sorry! I'm very happy with your quick and high quality support.

Best regards!



#9 Kirill Polubelov (Hr. Schreibikus, Dr.Web Staff, 4 327 posts)

Posted 14 April 2023 - 11:37

Hello, barranja!

Thanks for your feedback!

Apropos, if you use the registry way, you don't need the path exclusion for hosts in SpIDer Guard.

Have a nice day!


Edited by Kirill Polubelov: 14 April 2023 - 18:55

#10 Dmitry_rus (Guru, Helpers, 3 621 posts)

Posted 19 April 2023 - 11:32

AFAIR, you have to reboot your PC after adding C:\Windows\System32\drivers\etc\hosts into SpiderGuard's exclusions. Doesn't work properly without reboot.



#11 barranja (Newbie, Posters, 9 posts)

Posted 22 April 2023 - 05:37

Thanks @Dmitry_rus, I learned that the hard way :-)



