
Dr.Web changes HOSTS File (even with Behavior Analysis adjusted)

10 replies to this topic

#1 barranja



  • Posters
  • 9 posts

Posted 13 April 2023 - 02:39

Hi! I'm on Windows 11 22H2 and just installed Dr.Web.


In my HOSTS file, I use some special entries (resolving to I don't want to further discuss here))


Dr.Web constantly keeps commenting out my changes and keeps on reporting it as a neutralized threat.


I followed this guide <https://www.drweb.com/pravda/issue/?number=279&lng=en>

> Security Center > Preventive Protection > Behavior Analysis > Protection level > HOSTS file: Allow

...but Dr.Web still doesn't let me have my HOSTS file my way.


Is there a workaround?

Did I miss a system restart?

Program modules
Dr.Web Security Space 
Dr.Web Security Space (12.0)
Dr.Web Virus-Finding Engine 
drweb32.dll (
Dr.Web Scanning Engine 
dwengine.exe (
Dr.Web Anti-rootkit Server 
dwarkdaemon.exe (
Dr.Web Anti-rootkit API 
dwarkapi.dll (
Dr.Web Thunderstorm Cloud Client SDK 
ccsdk.dll (
Dr.Web Scanning Watcher 
dwwatcher.exe (
Dr.Web Control Service 
dwservice.exe (
Dr.Web WSC Service 
wsc-service.exe (
Dr.Web Updater 
drwupsrv.exe (
Dr.Web antimalware boot driver 
dwelam.sys (
Dr.Web SpIDer Agent for Windows 
spideragent.exe (
Dr.Web SpIDer Agent admin-mode module for Windows 
spideragent_adm.exe (
Dr.Web Scanner SE 
dwscanner.exe (
Dr.Web Console Scanner 
dwscancl.exe (
Dr.Web File System Monitor 
spiderg3.sys (
Dr.Web Protection for Windows 
dwprot.sys (
Dr.Web Shellguard anti-exploit module 
dwsguard32.dll (
Dr.Web Shellguard anti-exploit module 
dwsguard64.dll (
Dr.Web device Guard for Windows 
dwdg.sys (
Dr.Web Firewall for Windows driver 
drweblwf.sys (
Dr.Web Shell Extension 
drwsxtn.dll (
Dr.Web Shell Extension 
drwsxtn64.dll (
Dr.Web SysInfo 
dwsysinfo.exe (
Dr.Web SysInfo library 
dwsysinfo.dll (
Dr.Web AMSI client 
drwamsi32.dll (
Dr.Web AMSI client 
drwamsi64.dll (
Dr.Web Security Space setup 
win-space-setup.exe (
Virus databases
    2098 virus records Date: 2023-04-12 23:12
    8775 virus records Date: 2019-03-26 15:05
    4731 virus records Date: 2023-04-12 08:06
    775706 virus records Date: 2016-04-01 06:00



#2 Kirill Polubelov

    Hr. Schreibikus

  • Dr.Web Staff
  • 4,392 posts

Posted 13 April 2023 - 11:04

Hello, barranja!

Could you please show your log file: "%ProgramData%\Doctor Web\Logs\dwservice.log"?

Message edited by Kirill Polubelov: 13 April 2023 - 11:30


#3 barranja



  • Posters
  • 9 posts

Posted 13 April 2023 - 12:09

Hello, Kirill! Thanks for your reply. Are you looking for something specific? The gzipped logs are roughly 100 MB.


2023-Apr-13 03:35:41.131409 [ 5572] [INF] [LOG] Rotate log...
 Dr.Web Control Service for Windows v12.12.6.01180
 Copyright (c) Doctor Web, Ltd., 1992-2023
 Current arch: x64
 Binary: x64
 Operating System: Windows 11 x64 (Build 22621)
 Command line: C:\Program Files\DrWeb\dwservice.exe --logfile=C:\ProgramData\Doctor Web\Logs\dwservice.log 
2023-Apr-13 03:35:41.131471 [ 7172] [INF] [arkdll] 

id: 642441, timestamp: 13.04.2023 03:35:41.0127, type: FileVolWrite (1), flags: 1 (wait: 1)
sid: S-1-5-18, cid: 4/10056:\Device\HarddiskVolume3\Windows\system32\ntoskrnl.exe
unique id: 4-133257995482431473-18446735292665692160
hips: type: 2, action: ask [0]
type: 0, new: 0, suspicious: 0, cmd: 
fileinfo: size: 11986304, easize: 404, attr: 0x20, buildtime: 07.07.1915 15:39:29.0000, ctime: 12.04.2023 04:31:36.0682, atime: 12.04.2023 20:59:20.0184, mtime: 12.04.2023 04:31:37.0014, descr: NT Kernel & System, ver: 10.0.22621.1555 (WinBuild.160101.0800), company: Microsoft Corporation, oname: ntkrnlmp.exe
signer: C=US|ST=Washington|L=Redmond|O=Microsoft Corporation|CN=Microsoft Windows, issuer: C=US|ST=Washington|L=Redmond|O=Microsoft Corporation|CN=Microsoft Windows Production PCA 2011, timestamp: 28.03.2023 05:38:13.0000, thumbprint: 58fd671e2d4d200ce92d6e799ec70df96e6d2664, eku: unknown [28], flags: 0x2a, hash alg: Sha256
catfile: {f750e6c3-38ee-11d1-85e5-00c04fc295ee}\microsoft-windows-client-desktop-required-package05142030~31bf3856ad364e35~amd64~~10.0.22621.1555.cat
creator name: Microsoft Windows
creator url: http://www.microsoft.com/windows
file sha1: b364388ebc1313a7d2dff39fdd0ec916f60c6c8a
file sha256: 35c9d3384ab1858b5460415ce752daa884dfd73eb25c02755909cd82a130103f
status: signed_catroot, sfc, pe64, driver, spc / signed_catroot / unknown / unknown / unknown / unknown
type: unknown, object: \Device\HarddiskVolume6
area: Unknown [1], offset: 0xef6a05000, size: 4096
id: 642441 ==> allowed [2], time: 0.075100 ms


2023-Apr-13 04:07:46.847864 [ 5236] [WRN] [bg-scan] scan result \Device\HarddiskVolume3\Windows\system32\drivers\etc\hosts infection: HOSTS:SUSPICIOUS.URL (type: 4; code: 8; )
2023-Apr-13 04:07:46.848022 [ 5236] [INF] [events uniter] registered virus component: component_guard, threat: HOSTS:SUSPICIOUS.URL, type: 0(ALERT_FILE_OBJECT), infection type: 4(Suspicious), action: 8( cured), user: SYSTEM, path: \Device\HarddiskVolume3\Windows\system32\drivers\etc\hosts
2023-Apr-13 04:07:46.848158 [ 5236] [INF] [events uniter] registered server event component: component_guard, threat: HOSTS:SUSPICIOUS.URL, type: 0(ALERT_FILE_OBJECT), infection type: 4(Suspicious), action: 8( cured), user: SYSTEM, path: \Device\HarddiskVolume3\Windows\system32\drivers\etc\hosts


2023-Apr-13 09:05:54.095179 [ 6872] [INF] [arkdll] 

id: 836874, timestamp: 13.04.2023 09:05:54.0095, type: FileCreate (5), flags: 1 (wait: 1)
sid: S-1-5-21-1587951583-132931476-2871531754-1001, cid: 17932/11976:\Device\HarddiskVolume3\Program Files\WindowsApps\Microsoft.WindowsNotepad_11.2302.26.0_x64__8wekyb3d8bbwe\Notepad\Notepad.exe
context: start addr: 0x7ff91a6392d0, image: 0x7ff91a610000:\Device\HarddiskVolume3\Windows\System32\ucrtbase.dll
unique id: 17932-133258168196751663-140697325600768
behaviour: change_hosts, run_from_shortcut
hips: type: 1, action: allow [2]
type: 0, new: 0, suspicious: 0, cmd: "C:\Windows\System32\notepad.exe" C:\Windows\System32\drivers\etc\hosts
fileinfo: size: 958976, easize: 228, attr: 0x20, buildtime: 24.02.2023 19:54:10.0000, ctime: 03.04.2023 02:09:27.0869, atime: 12.04.2023 22:22:53.0245, mtime: 03.04.2023 02:09:28.0429, descr: Notepad.exe, ver: 11.2302.26.0, company: Microsoft Corporation, oname: Notepad.exe
file sha1: 867a33f328293063732a179df7ae95e897d8322f
file sha256: 5430e6254023f0803ee1107108ee3f24153647967b00667d70a8e95389e685e2
status: unsigned, pe64 / unsigned / unknown / unknown / unknown / unknown
file: \Device\HarddiskVolume3\Windows\System32\drivers\etc\hosts
access: 0x12019f, create options: 0x60, disposition: 0x3
id: 836874 ==> allowed [2], time: 0.131300 ms


2023-Apr-13 10:01:56.565401 [ 5236] [WRN] [bg-scan] scan result \Device\HarddiskVolume3\Windows\system32\drivers\etc\hosts infection: HOSTS:SUSPICIOUS.URL (type: 4; code: 8; )
2023-Apr-13 10:01:56.565447 [ 5236] [INF] [events uniter] registered virus component: component_guard, threat: HOSTS:SUSPICIOUS.URL, type: 0(ALERT_FILE_OBJECT), infection type: 4(Suspicious), action: 8( cured), user: SYSTEM, path: \Device\HarddiskVolume3\Windows\system32\drivers\etc\hosts
2023-Apr-13 10:01:56.565628 [ 5236] [INF] [events uniter] registered server event component: component_guard, threat: HOSTS:SUSPICIOUS.URL, type: 0(ALERT_FILE_OBJECT), infection type: 4(Suspicious), action: 8( cured), user: SYSTEM, path: \Device\HarddiskVolume3\Windows\system32\drivers\etc\hosts


Log ID 836874 is me having notepad.exe open to overwrite (when the Dr.Web alert about neutralized threat appears :-))
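To see at a glance which Dr.Web component keeps curing the hosts file and which process last opened it, here is an added example (not Dr.Web code and not the poster's) that turns dwservice.log lines of the shape quoted above into a hosts-file time-line. The SAMPLE is constructed by trimming this thread's own excerpt, and the field layout the regexes assume is taken from that excerpt only.

```python
# Added example, not Dr.Web code: time-line of hosts-file activity from dwservice.log
# lines. Layouts and SAMPLE (constructed, trimmed) follow this thread's excerpt only.
import re

HEADER = re.compile(r"^(\S+ \S+) \[\s*\d+\] \[\w+\] \[([^\]]+)\] ?(.*)$")
SCAN = re.compile(r"scan result (\S+) infection: (\S+)")
ACTION = re.compile(r"action: \d+\(\s*(\w+)\)")          # matches "action: 8( cured)"
ARK_PROC = re.compile(r"cid: \d+/\d+:(.+)$")              # image of the accessing process
ARK_END = re.compile(r"^id: \d+ ==> (\w+)")               # HIPS verdict closes the block

def parse(text):
    events, ark = [], None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if m := HEADER.match(line):
            ts, comp, msg = m.groups()
            if comp == "bg-scan" and (s := SCAN.search(msg)):
                events.append({"ts": ts, "kind": "detection", "path": s[1], "threat": s[2], "verdict": ""})
            elif comp == "events uniter" and events and events[-1]["kind"] == "detection":
                if a := ACTION.search(msg):           # the cure action for the last detection
                    events[-1]["verdict"] = a[1]
            elif comp == "arkdll":                    # multi-line HIPS block follows
                ark = {"ts": ts, "kind": "hips", "path": "", "behaviours": [], "verdict": ""}
            continue
        if ark is None:
            continue
        if m := ARK_PROC.search(line):
            ark["process"] = m[1]
        elif line.startswith("behaviour:"):           # e.g. "behaviour: change_hosts, run_from_shortcut"
            ark["behaviours"] = line[10:].replace(" ", "").split(",")
        elif line.startswith("file:"):                # object the process opened
            ark["path"] = line[5:].strip()
        elif m := ARK_END.match(line):
            ark["verdict"] = m[1]
            events.append(ark)
            ark = None
    return events

def hosts_timeline(text):
    """Events that touched the hosts file, in log order."""
    return [e for e in parse(text) if e["path"].lower().endswith(r"\drivers\etc\hosts")
            or "change_hosts" in e.get("behaviours", [])]

SAMPLE = r"""2023-Apr-13 04:07:46.847864 [ 5236] [WRN] [bg-scan] scan result \Device\HarddiskVolume3\Windows\system32\drivers\etc\hosts infection: HOSTS:SUSPICIOUS.URL (type: 4; code: 8; )
2023-Apr-13 04:07:46.848022 [ 5236] [INF] [events uniter] registered virus component: component_guard, threat: HOSTS:SUSPICIOUS.URL, action: 8( cured), user: SYSTEM
2023-Apr-13 09:05:54.095179 [ 6872] [INF] [arkdll]
id: 836874, timestamp: 13.04.2023 09:05:54.0095, type: FileCreate (5), flags: 1 (wait: 1)
sid: S-1-5-21-1587951583-132931476-2871531754-1001, cid: 17932/11976:\Device\HarddiskVolume3\Program Files\WindowsApps\Microsoft.WindowsNotepad_11.2302.26.0_x64__8wekyb3d8bbwe\Notepad\Notepad.exe
behaviour: change_hosts, run_from_shortcut
file: \Device\HarddiskVolume3\Windows\System32\drivers\etc\hosts
id: 836874 ==> allowed [2], time: 0.131300 ms"""
```

Running hosts_timeline over a full dwservice.log shows the pattern from this thread directly: a "hips" entry for the editor that was allowed to write, followed by a "detection" entry from bg-scan that cured the file again.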

#4 Kirill Polubelov

    Hr. Schreibikus

  • Dr.Web Staff
  • 4,392 posts

Posted 13 April 2023 - 12:36

Are you looking for something specific?

Yes, but I already saw what I needed in your quote, thanks.

bg-scan -- this is background scanning.

You can add exclude path: C:\Windows\System32\drivers\etc\hosts for SpIDer Guard.


#5 barranja



  • Posters
  • 9 posts

Posted 13 April 2023 - 12:41


Are you looking for something specific?

Yes, but I already saw what I needed in your quote, thanks.

bg-scan -- this is background scanning.

You can add exclude path: C:\Windows\System32\drivers\etc\hosts for SpIDer Guard.


Thank you! Will try it and come back here for final feedback.

#6 barranja



  • Posters
  • 9 posts

Posted 13 April 2023 - 16:13

Hello again Kirill, sorry for the bad news.


Even though I excluded the path you specified, it still doesn't work. Dr.Web keeps on changing the hosts file.

2023-Apr-13 13:01:48.888767 [ 5236] [WRN] [bg-scan] scan result \Device\HarddiskVolume3\Windows\system32\drivers\etc\hosts infection: HOSTS:SUSPICIOUS.URL (type: 4; code: 8; )
2023-Apr-13 13:01:48.888821 [ 5236] [INF] [events uniter] registered virus component: component_guard, threat: HOSTS:SUSPICIOUS.URL, type: 0(ALERT_FILE_OBJECT), infection type: 4(Suspicious), action: 8( cured), user: SYSTEM, path: \Device\HarddiskVolume3\Windows\system32\drivers\etc\hosts
2023-Apr-13 13:01:48.889028 [ 5236] [INF] [events uniter] registered server event component: component_guard, threat: HOSTS:SUSPICIOUS.URL, type: 0(ALERT_FILE_OBJECT), infection type: 4(Suspicious), action: 8( cured), user: SYSTEM, path: \Device\HarddiskVolume3\Windows\system32\drivers\etc\hosts
2023-Apr-13 13:01:49.279715 [ 7240] [INF] [arkdll] 

To reiterate the current settings:

  1. Security Center > Preventive Protection > Behavior Analysis > Protection level > HOSTS file: Allow
  2. Path excluded C:\Windows\System32\drivers\etc\hosts for SpIDer Guard

Is there another workaround? Or did we find a bug?

#7 Kirill Polubelov

    Hr. Schreibikus

  • Dr.Web Staff
  • 4,392 posts

Posted 13 April 2023 - 16:53

Hello, barranja! I'm sorry.


Please open the utility regedit.exe and find in "HKLM\SOFTWARE\Doctor Web\Settings\Netting\Security" the parameter:


If it does not exist, create it as type REG_DWORD and set it to 0.




UPD: Before these actions, please disable our self-protection.

Message edited by Kirill Polubelov: 13 April 2023 - 16:54


#8 barranja



  • Posters
  • 9 posts

Posted 13 April 2023 - 18:37

Hello Kirill,

I don't know if the registry hack fixed it -or- the deactivation/reactivation of all components -or- both.

Looks like it's working now, I'll append to this thread if the issue returns.


By the way: No need to be sorry! I'm very happy with your quick and high quality support.


Best regards!

#9 Kirill Polubelov

    Hr. Schreibikus

  • Dr.Web Staff
  • 4,392 posts

Posted 14 April 2023 - 11:37

Hello, barranja!

Thanks for your feedback!

Apropos, if you use the registry way, you don't need the path exclusion for hosts in SpIDer Guard.


Have a nice day!

Message edited by Kirill Polubelov: 14 April 2023 - 18:55


#10 Dmitry_rus



  • Helpers
  • 3,652 posts

Posted 19 April 2023 - 11:32

AFAIR, you have to reboot your PC after adding C:\Windows\System32\drivers\etc\hosts into SpiderGuard's exclusions. Doesn't work properly without reboot.

#11 barranja



  • Posters
  • 9 posts

Posted 22 April 2023 - 05:37

Thanks @Dmitry_rus, I learned that the hard way :-)
