Using A Hosts File For Security

One of the simplest ways of protecting yourself against outbound traffic to known malicious websites is with a Hosts file. If you want to prevent access to a known malicious website, for instance, you would add an entry

Using a Hosts file in this way has its pluses and its minuses.


  • A Hosts file requires no software installation. The Hosts file is referenced, natively, by every IP stack in every operating system.
  • A Hosts file is universally used. There are multiple well known and reliable providers of free Hosts files, which define known malicious websites.


  • Each entry defines precisely one website. The entry

    blocks access to only A separate entry is required for, and another for
  • The Hosts file will become quite large. The HPGuru, a very comprehensive file, is currently over 1M in size, when expanded and installed.
  • Loading the file takes significant CPU power, if not configured properly. If the DNS Client service is running on your computer, and you make any change to Hosts, your system could be unusable for 10 to 16 minutes.
  • To be effective, the file must be kept up to date. The bad guys are constantly creating new domains, and subdomains.
  • It will only block access by website name. Neither of the following will work:

WiFi Will Never Be As Fast As Ethernet

With "Fast" Ethernet, you expect (and generally get) 100Mbps performance from the network. With Gigabit Ethernet, you expect (and possibly get) 1000Mbps. With 802.11g WiFi, you expect 54Mbps, but you seldom get that. Why is WiFi less reliable?

Ethernet (IEEE 802.3), and WiFi (IEEE 802.11) are Layer 2 specifications of the OSI Network Model. Physical Ethernet also occupies Layer 1 of the model.

If you observe the limitations imposed by IEEE specifications, you get predictable results - those limitations should exceed your operating requirements. For instance, 100M Ethernet is provided for cable runs of up to 100 Metres (300 feet) between the computer, and the other network device (generally a hub / router / switch, or another computer).

With Ethernet, you control the environment completely. That is, you own the physical network, and you control what you own. With WiFi, you use the radio frequency spectrum included in IEEE 802.11, but share that spectrum with other electronic devices. Some devices are not 802.11 compliant (baby monitors, portable phones, and microwave ovens may transmit on that frequency band), and their emissions are treated as analogue interference. Other devices may be 802.11 compliant but owned by your neighbours; they operate in the same frequency spectrum, and are treated as digital interference.

The bottom line - with WiFi, there are things you can't control easily, and others that you can't control at all.

  • Ethernet is a full duplex, dedicated medium. WiFi is half duplex, and shared - it has one media, the WiFi channel, which has to be shared for both sending and receiving the packets. And it's shared with your neighbours.

  • Ethernet is a mature technology - it's been around for much longer than WiFi. WiFi components have frequently upgraded firmware. Any time you ask the vendor for help, their first question will be "What version firmware are you running?". This is not a delaying tactic, or needless protocol - it's an attempt to ensure that your drivers are up to date, so they can help you effectively.

    Any time you get new hardware, you should always consider the possibility that the firmware was upgraded after your unit was packaged. Always get up to date firmware - and get it from the vendor.

  • Ethernet is a scalable medium. With Ethernet, each computer has its own cable connecting it to the network. With "n" number of computers in an Ethernet network, you can theoretically have "n/2" simultaneous conversations between computers. As you add computers, and cables (and higher rate cables), the total amount of bits being passed in any network, simultaneously, increases constantly. With WiFi, there is a ceiling. At any location in a WiFi neighbourhood, you can have a maximum number of bits being passed, "simultaneously", shared among all WiFi devices near that location. WiFi is not scalable.

  • Ethernet is a much more stable medium. With switched Ethernet, you have two hosts, for instance a router / switch, and a client computer. The two hosts are connected by a physical cable. The firmware and hardware on each host has to manage the conversation only with the other host.

    With WiFi, each host is managing / blocking conversations with dozens of other hosts (multiple channels, locations, and networks) constantly, and no two hosts are seeing the same complement of other hosts at any time or in any place. Managing relationships in the constantly changing WiFi population takes resources - and can make the WiFi device slower than it should be.

    Besides the constantly changing and differing population issue, there are the security needs. WEP, WPA, WPA2, AES, CCMP, TKIP... The list of security protocols and standards is endless, and changes frequently. Managing security in any WiFi conversation takes resources - and can make the WiFi device slower than it should be.

  • Can you actually see a computer from the Access Point? With WiFi, if you don't have a clear line of sight visibility between the network devices, you'll not get a full strength signal. Distance is another factor. Signal strength falls off as distance increases. Put the computer in one room, and the AP in another (a normal use for WiFi), and see what signal strength you get. Walls and floors are a major signal problem. Signal loss will be higher if the signal has to travel diagonally thru the wall or floor, rather than at a right angle.

  • Look at the antennas on the AP and the computer, and see how much they are parallel - you will get maximum signal strength only when the 2 are perfectly parallel. Draw an imaginary line, extending at a right angle, from one antenna towards the other. Does it intersect the other? Try and make a line between the two intersect at a right angle. Signal loss will be higher if one network device is located directly above the other, and on another floor, if both antennas are pointed vertically.

    To make this simplest to understand, look at some examples.

    • If the AP and a computer are in the same room, locate both devices so both antennas are the same height off the floor. Point both antennas vertically.
    • If the AP and a computer are on different floors, locate both devices so the antennas are immediately above and below each other. Point both antennas horizontally.
    • If the AP and a computer are in different rooms, position both so a line from one to the other goes at a right angle thru the wall. Locate both devices so both antennas are the same height off the floor. Point both antennas vertically.
    • When you can't be so precise in physical placement, point both antennas parallel to each other, per the above strategies.

  • An Ethernet cable is a media that YOU own, and physically control. With WiFi, you have to share the channel with all of your neighbours. And, with CSMA/CA, the sum of your usable bandwidth plus your neighbours' usable bandwidth will never add up to 54M (for 802.11g) or 108M (or whatever is promised, for 802.11n). Relying upon Collision Avoidance will always require wait time, where neither of you is transmitting. And the more neighbours that you have, the more time that your equipment will be waiting to use the channel.

    • If your equipment is compatible, you may benefit from using NetStumbler, or a similar product. Find out how many of your neighbours are also using WiFi, and how close each is.
    • Try using a channel that isn't being used by a neighbour close to you. With 802.11G 54M, only channels 1, 6, and 11 don't overlap in frequency. If you have 2 neighbours - one on channel 1, and the other on channel 6, your best choice (avoiding digital interference) is channel 11. Analogue interference, or noise, may make this conclusion less certain.
    • Remember that wireless networks may come and go, so watch over a period of hours, if not days. NetStumbler is great for this - leave it running, and it will make a running list, showing each observed access point, and graphing its signal strength by time.
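The channel choice described above, worked through as an added example (not code from the original article): it scores the candidate channels against the neighbours a survey tool such as NetStumbler reports, keeping the strongest reading per access point seen over a period of hours. It assumes 22 MHz wide 802.11b/g channels with centre frequencies 5 MHz apart, which is why only channels at least 5 apart (1, 6 and 11) are clear of each other; the survey data is constructed.

```python
CHANNEL_WIDTH_MHZ = 22  # 802.11b/g channel width assumed in this example


def centre_mhz(channel):
    """Centre frequency of a 2.4 GHz channel; 14 is the Japan-only outlier."""
    if channel == 14:
        return 2484
    if 1 <= channel <= 13:
        return 2407 + 5 * channel
    raise ValueError(f"not a 2.4 GHz channel: {channel}")


def overlap_fraction(a, b):
    """How much of channel a's band channel b also occupies: 1.0 for the same
    channel, 0.0 once the centres are a full channel width or more apart."""
    separation = abs(centre_mhz(a) - centre_mhz(b))
    return max(0.0, CHANNEL_WIDTH_MHZ - separation) / CHANNEL_WIDTH_MHZ


def interference_score(candidate, neighbours):
    """Sum of overlap weighted by neighbour power. Signal is converted from
    dBm to milliwatts, so a -40 dBm neighbour counts 10000x a -80 dBm one."""
    return sum(overlap_fraction(candidate, ch) * 10 ** (dbm / 10) for ch, dbm in neighbours)


def best_channel(neighbours, candidates=(1, 6, 11)):
    """Least-interfered channel among the candidates; ties go to the lowest
    number. neighbours is a list of (channel, strongest_signal_dbm)."""
    return min(candidates, key=lambda ch: (interference_score(ch, neighbours), ch))


def summarise_survey(observations):
    """Networks come and go, so feed in every observation over hours or days:
    (hour, bssid, channel, signal_dbm). Keeps the strongest reading per BSSID,
    which is the case the channel plan has to survive."""
    strongest = {}
    for _, bssid, channel, dbm in observations:
        if bssid not in strongest or dbm > strongest[bssid][1]:
            strongest[bssid] = (channel, dbm)
    return sorted(strongest.values())


# Constructed survey: two neighbours, one of which only appears in the evening.
SAMPLE_SURVEY = [
    (9, "aa:bb:cc:00:00:01", 1, -55),
    (13, "aa:bb:cc:00:00:01", 1, -50),
    (20, "aa:bb:cc:00:00:02", 6, -70),
    (21, "aa:bb:cc:00:00:02", 6, -62),
]

if __name__ == "__main__":
    neighbours = summarise_survey(SAMPLE_SURVEY)
    for ch in (1, 6, 11):
        print(f"channel {ch:2d}: interference {interference_score(ch, neighbours):.2e}")
    print("best choice:", best_channel(neighbours))
```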

  • Your wireless neighbours are interference sources outside your home. You probably also have interference sources inside your home.

    • Baby monitors.
    • Computers.
    • Cordless phones.
    • Microwave ovens.
    • Wireless stereo speakers.

    If you install a WiFi device on your desktop computer, try and get one with an antenna that you can move above, and away from, the computer. Signal loss will be higher with a PCI WiFi card, with the antenna stuck at the back of the computer. This is particularly the case if your computer is a tower, sitting on the floor. The higher the antenna from the floor, the better the signal level.

  • You will only get maximum performance from similar equipment, and with no WiFi neighbours. You will have to share the channels with your neighbours. In any WiFi neighbourhood, no two WiFi devices will be within range of the same complement of other WiFi devices. The hidden node problem, where it is recognised that no two networks have to share the spectrum with the identical complement of other networks, is a well known WiFi issue.

  • Maybe the router configuration has a setting that's causing your problem. Start by checking your Transmission Rate setting.

    • If it's on Auto, try setting it to a realistic rate. Start by setting it at the rate you think you're getting, and see if your bandwidth improves even slightly. If there is any problem with your signal, auto may make the router spend more time recovering from problems, and less time actually sending and receiving.
    • If it's on a low rate, try setting it at a higher rate. See if your bandwidth improves.
    • When tuning your Transmission Rate, using NetStumbler to analyse performance would be a very good idea.

  • For more thoughts on this subject, see BBR Forums How Can I Boost My Range? (#10944).

  • And consider that, even though WiFi doesn't use wires as heavily, general physical networking principles may still apply.

And however you set up your WiFi in the end, please secure your LAN. The performance hit you get, when your neighbour's WiFi LAN comes on, pales in comparison to what happens if your computer is hacked, and joins a botnet.


Check Your Hosts File VERY Carefully

The bad guys have been using entries in YOUR Hosts file, to block you from accessing the websites that can protect YOU, for quite a while now. So instructing you to examine your Hosts file, for entries like:

is nothing new. This entry, if present in your Hosts file, will block you from getting access to the Symantec servers, including online help, and LiveUpdate. It's one of the earliest hijacks used by the bad guys.

Anyway, I just copied the above example line from this example Hijacked Hosts file. Go there, and see if you can find the example.

"No", you might answer. "The only non-comment line is: localhost".

But, you would be wrong. Look again, but look more carefully.

  • The first line there (other than a lot of comments), and the only non-comment line in an otherwise empty file, will APPEAR to be " localhost".
  • Scroll to the end of the file, by hitting Ctrl-End.
  • Scroll back up to the top, page by page, looking for any unrecognised entries, possibly placed there by malware.
  • Look out for blank lines at the beginning and end of the file, after "localhost", placed there by an exploit.
  • Do not assume that a file is empty simply because you see "localhost" followed by 50 blank lines!
  • Do not assume that a file is empty simply because you see 50 blank lines anywhere!

Now aware of this devious, and oh so simple, mechanism that the bad guys can use, check YOUR Hosts file. To clean your Hosts file, if anything of interest is found, and assuming NO valid entries other than " localhost", simply:

  1. Place the cursor at the end of the " localhost" line.
  2. Hold down "Ctrl" and "Shift", and hit "End".
  3. With everything after " localhost" highlighted, hit "Delete".
  4. Save Hosts, as name "Hosts." (note the "."!), as type "All Files".

If you find that you have valid entries other than " localhost", which you need to retain, be aware of this hijack, and edit the file very carefully.
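To make the check above mechanical, and to show the one-name-per-entry limitation from the Hosts file section at the top of the page, here is an added example (not from the original article). It parses a constructed Hosts file in which fifty blank lines push two entries out of sight, reports every entry that is not the expected localhost line together with its line number, and resolves names the way the IP stack does: exact match only, so subdomains and access by IP address are not covered. The vendor and malware names are placeholders.

```python
import ipaddress

# Constructed sample Hosts file: a casual look shows only "127.0.0.1 localhost",
# but fifty blank lines push two more entries out of sight, one of which
# black-holes a (placeholder) security vendor's update host.
SAMPLE_HOSTS = (
    "# Copyright (c) 1993-1999 Microsoft Corp.\n"
    "# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.\n"
    "127.0.0.1       localhost\n"
    + "\n" * 50
    + "127.0.0.1       liveupdate.example-vendor.invalid  # hidden below the blank lines\n"
    + "0.0.0.0         ads.example-malware.invalid\n"
)

# Addresses a blocklist legitimately maps names to ("black hole" entries).
BLACKHOLE_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::1", "::"}
# The only entries that belong in an otherwise empty Hosts file.
EXPECTED = {("127.0.0.1", "localhost"), ("::1", "localhost")}


def parse_hosts(text):
    """Return [(line_no, address, [names])] for every line that is neither
    blank nor a comment. Malformed lines come back with address None so
    they are reported rather than silently skipped."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # a trailing '#' comment is allowed
        if not line:
            continue
        fields = line.split()
        try:
            address = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            entries.append((line_no, None, fields))
            continue
        entries.append((line_no, address, [name.lower() for name in fields[1:]]))
    return entries


def audit_hosts(text):
    """Classify every entry that is not the expected localhost line, with its
    line number, so nothing hides behind comments or runs of blank lines."""
    findings = []
    for line_no, address, names in parse_hosts(text):
        if address is None:
            findings.append((line_no, " ".join(names), "malformed line"))
            continue
        for name in names:
            if (address, name) in EXPECTED:
                continue
            if name == "localhost":
                findings.append((line_no, name, "localhost mapped to " + address))
            elif address in BLACKHOLE_ADDRESSES:
                findings.append((line_no, name, "black-holed"))
            else:
                findings.append((line_no, name, "redirected to " + address))
    return findings


def resolves_via_hosts(text, hostname):
    """What the IP stack does with a name: an exact, case-insensitive match
    against each entry. There are no wildcards, so a subdomain of a blocked
    name is not blocked, and a request made by IP address never gets here."""
    hostname = hostname.lower().rstrip(".")
    for _, address, names in parse_hosts(text):
        if address is not None and hostname in names:
            return address
    return None


if __name__ == "__main__":
    for line_no, name, verdict in audit_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {verdict}")
    print(resolves_via_hosts(SAMPLE_HOSTS, "ads.example-malware.invalid"))      # 0.0.0.0
    print(resolves_via_hosts(SAMPLE_HOSTS, "www.ads.example-malware.invalid"))  # None
```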

An Example Of A Hijacked Hosts File

# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host
# The IP address and the host name should be separated by at least one
# space.
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
# For example:
# # source server
# # x client host localhost


Irregularities In Workgroup Visibility

Let's say you connect 2 computers, running any of the many versions and editions of Windows, with default configurations, in a network. To find each computer from the other, you open Windows Explorer (don't confuse this with Internet Explorer, please), and look in My Network Places (aka Network Neighborhood). On a fully working LAN, this will work just fine. In your case, it may not.

In your case, Computer A shows both Computers A and B, as it should, and files on Computer B are accessible. On Computer B, either you don't see Computer A, or when you try to access Computer A, you get an error. Computer B may, or may not, show itself. This visibility problem may be observed constantly, or it may come and go.

This visibility problem is possible on LANs with Windows 2000, Windows XP, and / or Windows Vista, in any combination.

Now before you start, you should be aware that you will enjoy this more, and frequently will be more successful, when you work on a properly designed and setup network. After you review that tutorial, I recommend that you tackle the task at hand in this order.

Basic Diagnostics

  1. Check for a personal firewall problem. A misconfigured or malfunctioning personal firewall, on either computer, can block browser access. Do you have antivirus protection? Make sure that your antivirus is not part of a package that contains a personal firewall, and does not contain a component that acts as a firewall.

  2. Look carefully for a hardware firewall, sitting inside your computer. The nVidia nForce is probably the first, but surely not the last, device of this type.

  3. Some newer WiFi routers have a complete firewall between ALL client computers, connected wired or wireless. Look for an "Isolation Mode" setting, if no computers are visible to each other. Each vendor uses a different name for this feature, so read your user guide carefully, if you suspect that this is a problem.

  4. Make sure that NetBIOS Over TCP is consistently set, in TCP/IP Properties for each computer in your network.

  5. Does your LAN include any computers running Windows Vista? If so, be aware of the additional issues involved in Windows Vista and Windows Networking.

  6. Do you have a share setup on each computer? With Windows XP / Vista, only computers with non-administrative shares (not ending in "$") will be visible in My Network Places (aka Network Neighborhood).

  7. Make sure that all computers are in the same workgroup, if you expect to see them in the root of Network Neighborhood (My Network Places).

  8. Check for several well known and lesser known registry settings, which will affect visibility of, and access to, your server.

  9. Look at the content of the error message. Do you see either "error = 5" (aka "access denied"), or "error = 53" (aka "name not found")? Read the appropriate article.

  10. Look again at the complete and exact text in any observed error messages. Some very obscure errors have very simple resolutions.

  11. Run, and examine output from, "browstat status", "ipconfig /all", and "net config server" and "net config workstation", for each computer.

  12. Post output from the above step for expert interpretation and advice. Include relevant background details in your post. When including diagnostic logs, such as "browstat status", "ipconfig /all", or background details, format them properly when you post them.

Intermediate Diagnostics

  1. Make any changes in your network per the advice of the helpers in the forums. Retest as advised.

  2. Run, and examine, CDiag output for each computer. If you have more than 3 computers, post diagnostics for at least 3, and try and include some computers which show no symptoms of the problem (if any exist), as a control. The more data here the better.

  3. Post output from the above step for expert interpretation and advice. Again, format CDiag logs properly when you post them.

  4. Check that all necessary network components and services are provided. The necessary protocols and transports must be loaded and activated. The necessary services should be Started and Automatic.

  5. Run, and examine, CPSServ output for each computer. Try and do this on the same computers that you ran CDiag (above) on, to make the diagnostics more effective.

  6. Post output from the above step for expert interpretation and advice. Again, format CPSServ logs properly when you post them.

  7. Check for, and remove, unnecessary protocols and transports, like IPV6, IPX/SPX, and NetBEUI. Unnecessary protocols and transports can block Server Message Blocks, and cause problems. Check "browstat status" logs for evidence of IPX/SPX or NetBEUI. Check "ipconfig /all" logs for evidence of IPV6. Remove any protocols found. If you solve your immediate problems, you can reinstall any protocols removed, later.

  8. Check for LSP / Winsock / TCP/IP corruption. The LSP / Winsock layer in the network, on either computer, can malfunction, and drop SMBs. If you have more than 2 computers, the computer causing your problems may not be immediately apparent. Use CDiag to identify the computers to work on first.
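Two of the checks above (Basic step 4, consistent NetBIOS Over TCP, and Intermediate step 7, IPv6 showing in "ipconfig /all") can be made mechanical once you have each computer's output in hand. The following is an added example, not a tool from the article: it parses the "Key . . . : value" layout of "ipconfig /all" and compares several computers' reports. The two excerpts are constructed, and the assumption that a missing "NetBIOS over Tcpip" line means the default is in effect is noted in the code; the NetBIOS Node Type comparison is an extra check added here, since a node type that never broadcasts cannot resolve workgroup names.

```python
import re

# Constructed "ipconfig /all" excerpts for two computers (trimmed to the
# lines this check reads; host names and addresses are made up).
IPCONFIG_A = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : COMPUTER-A
        Node Type . . . . . . . . . . . . : Hybrid

Ethernet adapter Local Area Connection:

        Physical Address. . . . . . . . . : 00-11-22-33-44-55
        IP Address. . . . . . . . . . . . : 192.168.1.10
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        NetBIOS over Tcpip. . . . . . . . : Enabled
"""

IPCONFIG_B = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : COMPUTER-B
        Node Type . . . . . . . . . . . . : Peer-Peer

Ethernet adapter Local Area Connection:

        Physical Address. . . . . . . . . : 00-11-22-33-44-66
        Link-local IPv6 Address . . . . . : fe80::1234:5678:9abc:def0%8
        IPv4 Address. . . . . . . . . . . : 192.168.1.11
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        NetBIOS over Tcpip. . . . . . . . : Disabled
"""

# "Key . . . . : value" lines, with the dotted leaders stripped from the key.
FIELD = re.compile(r"^\s+(?P<key>[A-Za-z][A-Za-z0-9 /()-]*?)[ .]*:\s*(?P<value>.*)$")
# Section headers such as "Ethernet adapter Local Area Connection:".
ADAPTER = re.compile(r"^(?P<name>\S.*adapter .+):$")


def parse_ipconfig(text):
    """Return {"Host Name": ..., "Node Type": ..., "adapters": [{...}, ...]}.
    Fields before the first adapter header are global; the rest belong to
    the adapter whose header preceded them."""
    report = {"adapters": []}
    current = report
    for line in text.splitlines():
        header = ADAPTER.match(line)
        if header:
            current = {"name": header.group("name")}
            report["adapters"].append(current)
            continue
        field = FIELD.match(line)
        if field:
            current.setdefault(field.group("key").strip(), field.group("value").strip())
    return report


def netbios_setting(report):
    """NetBIOS over Tcpip as shown for the first adapter that reports it.
    Assumption: when the line is absent the default applies, reported here
    as "Default" so it still shows up as a difference between computers."""
    for adapter in report["adapters"]:
        if "NetBIOS over Tcpip" in adapter:
            return adapter["NetBIOS over Tcpip"]
    return "Default"


def has_ipv6(report):
    """True if any adapter lists an IPv6 address (step 7's check)."""
    return any("IPv6" in key for adapter in report["adapters"] for key in adapter)


def check_consistency(texts):
    """Compare several computers' reports and describe each difference."""
    by_host = {}
    for text in texts:
        report = parse_ipconfig(text)
        by_host[report.get("Host Name", "?")] = report
    findings = []
    netbios = {h: netbios_setting(r) for h, r in by_host.items()}
    if len(set(netbios.values())) > 1:
        findings.append("NetBIOS over Tcpip differs: " + ", ".join(f"{h}={v}" for h, v in sorted(netbios.items())))
    node_types = {h: r.get("Node Type", "?") for h, r in by_host.items()}
    if len(set(node_types.values())) > 1:
        findings.append("Node Type differs: " + ", ".join(f"{h}={v}" for h, v in sorted(node_types.items())))
    for host, report in sorted(by_host.items()):
        if has_ipv6(report):
            findings.append(f"{host}: IPv6 is bound on an adapter")
    return findings


if __name__ == "__main__":
    for finding in check_consistency([IPCONFIG_A, IPCONFIG_B]):
        print(finding)
```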

Advanced Diagnostics

  1. Learn how to solve network problems.

  2. Try my comprehensive troubleshooting guide, Troubleshooting Network Neighborhood Problems. Use CDiag and / or CPSServ logs, to identify the computers to work on first.

  3. Read about The NT Browser and Windows Networking.

  4. Read about File Sharing Under Windows XP.

NOTE: The comprehensive troubleshooting guides, referenced in Advanced Diagnostics, contain all of the other sections and more, sequenced by network design (ie, physical connectivity issues first, and file sharing permissioning last). The last article talks about problems specific to File Sharing, such as authentication and authorisation, and it is most useful when all other problems (such as are discussed in the previous step) are resolved. This article, as a whole, emphasises the most productive procedures for resolving your symptoms. You are free to try any of the above steps, in any order which pleases you - it is, after all, your network.

These are simply the procedures which currently seem to produce the best results. So become familiar with them, because, if you ask for help and I am involved, I will likely ask you for the diagnostics discussed above. And, if we don't get immediate results here or elsewhere, I'll ask you to repeat each step above, one by one, as I examine the results. Read each linked article.

Now I'm a Networking and Security advisor, and I don't provide advice on security issues casually. Using the Internet, without considering the privacy and security implications, makes trouble for a lot of innocent people. When you're considering the necessity of providing requested details about your computer network, in an open Internet forum, please read this brief Privacy Statement. Help us to help you.

Online Analysis Of Suspicious Files

Let's say you run any one of my favourite problem analysis or detection tools, such as:

and you find one or more mysterious entries. What do you do now? Kill, then delete the processes? It may not be quite that easy - or that safe. Please, research what you're deleting, and the possible consequences of deleting it, BEFORE you do so.

A lot of malware today will install itself in a package - creating 2 or more processes on your computer. Also, some security software, badly designed, may protect you, but may use names, or other identity elements, that may give it the appearance of malware.

It's relatively easy to identify a single, active process that steals your passwords, throws ads on the screen, or creates links to distant, mysterious computers.

Some malware, though, will package itself in 2 or more components. It will include protective components, that ensure that the other process(es) continue running on your computer, even if you try to delete or kill them. When the protective processes detect that the active processes were deleted or terminated, they will make new copies of the other processes, frequently using different names, and restart the bad active processes.

Delete or kill one program, and suddenly you'll have a second program (maybe with a different name), doing the work of the process that you just killed. You have to kill the background protective processes first. When you find a suspicious file or process, examine it, and ensure that there's no other process referencing or protecting it.

There are several web sites where you can upload any suspicious file found on your computer, which will submit your uploaded file to multiple scanning engines for intensive analysis. Just go to either website and upload the file using the web page. This takes maybe 30 seconds to upload a file, then wait 5 - 10 minutes for a free analysis.

Examining the logs from any of the above utilities, do you see any malware identified? If so, don't panic - do some research. Note which scanning engines detected the malware, and cross-reference those to free, online system scanning services.

In order for a protective bad process to restart a protected bad process (one that's detected by HijackThis), the protective bad process has to contain some portion of, or reference to, the active bad process. Any individual scanning engine (called by Jotti and/or VirusTotal), that can find malware in an active bad process, should similarly be able to find the same malware in any other file on the computer, if additional bad files exist. Running a whole system scan, you look for other files that contain the detected malware.

Pick one or more of the scanning services which identified the malware, and do a complete system scan. Either a HijackFree, or a HijackThis, log is a good starting point; but both HJF and HJT are limited, in that they find malware using established patterns. Make sure the malware you are experiencing is not in other places too. Use all possible analytic tools.

In the case of very well written malware, it may be very difficult (if not impossible) for YOU to identify, and delete, all components of the malware simultaneously. Its protective processes may be written to detect your feeble human actions, and it can restart itself faster than you can kill or delete it.

But don't despair! Just identify all components of the malware at any time (without killing and / or deleting anything). Then use Pocket Killbox. You identify ALL of the bad files or processes to Pocket Killbox, and Pocket Killbox takes care of them for you. It's like having a team of well trained snipers, each aiming at a different bad guy, firing simultaneously, and killing all of the bad guys without warning any.

If you have any doubts about this technique, or if even Killbox can't get rid of the bad stuff, remember the Expert Help Forums. Any time Jotti or VirusTotal identifies a bad file, spend some time searching thru 2 or 3 of these forums. Find out what techniques and tools are currently being used to remove the identified malware. Again, Strength Thru Diversity.

Just don't guess at the problem. Use the power of the web, and work from the experience of those who have already dealt with your malware.

Now for the bad news. Some malware may protect itself, from being deleted or interrupted, by hiding itself. You cannot delete that which you cannot see.

As malware has evolved, the properly designed anti-malware protection will also scan each web page as you surf the Internet. In some cases, you should have access to an OnLine Web Site Analysis product.


Computer Uniqueness

My personal theorem is that, outside of computers owned by large corporations that have a standard hardware and software configuration, and a very strict Corporate Security Policy, there are not any 2 computers in the world that are identical. Consider just a basic list of factors:

  • Hardware configuration.
  • Software configuration.
  • Ownership policy (CSP, if one exists).
  • Individual usage.
  • Network usage / Internet connectivity.

Each of the above factors will cause some varying complement of files - configuration, data, software - to be placed on a given computer, or group of computers. This variance in files, and in computer use, affects what malware may or may not be found on an individual computer, or on any network.

That being the case, any set of computer problems (or symptoms) should also be regarded as unique. This is why I recommend diagnosing any computer problem as unique.

Take, for example, the "access denied" symptom. Look at how many possible causes there are for that simple message. Now consider how many different ways that message might be interpreted, by different people.

So, please don't assume any "one size fits all" application of a symptom, to a diagnosis. One of my pet peeves is someone who accepts advice in a forum, is given a very simple solution (following considerable diagnosis work, to find the specific cause) to what appears to be a common problem, and then tries to advise that simple solution to other folks later asking for advice, in that forum.

If you go to the doctor with a cough, he prescribes a certain medication to you, and you are cured, would you stand outside the pharmacy and recommend that medication to everybody approaching the door? I hope not. Please don't be that guy.

Also, I hope that you wouldn't go to the doctor and say
My neighbor had this cough, and you gave him x medicine. I have the same cough, and need the same medicine.
Nor should you go into a forum, and post your problem report at the end of somebody else's problem report. Solve one problem in one thread, please, and let the doctors do the diagnostic work.

Approach every problem with basic and methodical diagnosis. Whether the complaint is about lack of Internet service, about inability to share files, or about unknown programs running on your computer, diagnose each problem methodically, and from the bottom up. And protect your computers, using a layered security strategy.

Analyse every computer network, and its security needs, individually. To debate any one characteristic of an operating system, such as Linux vs Windows, as being inherently more secure or stable, while ignoring the infrastructure where it is used, is so much Hoya. The security of the operating system, on any computer, can only be assessed, and improved, based upon the total environment in which it operates.


MAC Addresses

The MAC, or Media Access Control Address, is one of the most vital identity elements in computer networking.

Every addressable network device, be it a managed switch, modem, network card, or router, is assigned a unique address when it is manufactured. The MAC address has a format


where each "x" is a hexadecimal character. The string of 12 hexadecimal characters is assigned, intentionally, by the manufacturer, to prevent duplication by any other networked device, either now, or in the future.

Some misguided persons believe that changing the MAC address of their computer (network card) is a way to hide themselves, or to change their identity at will. This is an erroneous assumption, and can lead to worse problems.

  • You absolutely must have a unique MAC address on all networked devices, in any connected network. If you go changing this identity element, and cause a conflict, you could cause yourself and other people grief.
  • If you change your MAC address in an attempt to change your IP address on a public Internet service, you could cause pain for a few people, including another subscriber, and the ISP. Changing your IP address is yet another form of Security by Obscurity.
  • Note that MAC addresses do not pass between routed network segments; they are only seen by other hosts on the same subnet. It's possible that, if you set up a network device on your computer with a phony MAC address that's unique on your subnet, one day you may carry that computer to a network where that address is legitimately in use. Either your computer, or the legitimate owner of the address (and probably both), will suffer from your hijacking of that address.

There is one specific situation where your MAC address should be changed. In any other situation, changing the MAC address just isn't a valid solution.

If you need to associate a MAC address with its vendor, the IEEE OUI / Company_id Assignments database can be searched for this information.
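As an added example (not code from the article), the following normalises the common written forms of the 12 hexadecimal characters, pulls out the 24-bit OUI to search in the IEEE assignments database, and reads the two flag bits in the first octet: the "locally administered" bit, which is set on any address that was changed in software rather than assigned by the manufacturer, and the multicast bit, which no host should use as its own address. It also walks a subnet's ARP table (a constructed one here) for the duplicate-address conflict the text warns about.

```python
import re
from collections import defaultdict

_SEPARATED = re.compile(r"^(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2}$")   # xx:xx:xx:xx:xx:xx or xx-xx-...
_DOTTED = re.compile(r"^(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}$")          # xxxx.xxxx.xxxx (Cisco style)
_BARE = re.compile(r"^[0-9a-f]{12}$")                               # the 12 hex characters themselves


def parse_mac(text):
    """Normalise the common notations to 6 bytes; anything else is rejected."""
    s = text.strip().lower()
    if _SEPARATED.match(s) or _DOTTED.match(s):
        s = re.sub(r"[:.-]", "", s)
    if not _BARE.match(s):
        raise ValueError(f"not a MAC address: {text!r}")
    return bytes.fromhex(s)


def describe_mac(text):
    """Canonical form, OUI, and the two flag bits of the first octet."""
    mac = parse_mac(text)
    return {
        "canonical": ":".join(f"{b:02x}" for b in mac),
        # First three octets: the OUI to look up in the IEEE assignments database.
        "oui": "-".join(f"{b:02X}" for b in mac[:3]),
        # Bit 1 of the first octet is the U/L bit: set means the address was
        # assigned locally (software, a VM, a hand-edited card), not burned in.
        "locally_administered": bool(mac[0] & 0x02),
        # Bit 0 is the I/G bit: set means a group (multicast) address, which no
        # host should ever be using as its own source address.
        "multicast": bool(mac[0] & 0x01),
        "broadcast": mac == b"\xff" * 6,
    }


def audit_arp_table(entries):
    """entries: (ip, mac) pairs as read from one subnet's ARP table. Returns
    a list of (ip, canonical_mac, reason) for addresses worth a second look."""
    findings = []
    ips_by_mac = defaultdict(list)
    for ip, raw in entries:
        info = describe_mac(raw)
        ips_by_mac[info["canonical"]].append(ip)
        if info["multicast"]:
            findings.append((ip, info["canonical"], "multicast bit set"))
        elif info["locally_administered"]:
            findings.append((ip, info["canonical"], "locally administered, not a manufacturer address"))
    for mac, ips in ips_by_mac.items():
        if len(ips) > 1:
            # A router answering for several IPs is legitimate; two separate
            # devices sharing a MAC is the conflict the text warns about.
            findings.append((", ".join(ips), mac, "one MAC, several IPs"))
    return findings


# Constructed ARP table: a manufacturer address, a locally administered one,
# and a third device that duplicates the first host's address.
SAMPLE_ARP = [
    ("192.168.1.1", "00-11-22-33-44-01"),
    ("192.168.1.10", "00:11:22:33:44:55"),
    ("192.168.1.11", "02:ab:cd:00:00:01"),
    ("192.168.1.12", "0011.2233.4455"),
]

if __name__ == "__main__":
    for ip, mac, reason in audit_arp_table(SAMPLE_ARP):
        print(f"{ip}: {mac} - {reason}")
```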