
Windows 10: HOSTS file blocking telemetry is now flagged as a risk - maltalex
https://www.bleepingcomputer.com/news/microsoft/windows-10-hosts-file-blocking-telemetry-is-now-flagged-as-a-risk/
======
maltalex
> In our tests, some of the Microsoft hosts detected in the Windows 10 HOSTS
> file include the following:

    www.microsoft.com
    microsoft.com
    telemetry.microsoft.com
    wns.notify.windows.com.akadns.net
    v10-win.vortex.data.microsoft.com.akadns.net
    us.vortex-win.data.microsoft.com
    us-v10.events.data.microsoft.com
    urs.microsoft.com.nsatc.net
    watson.telemetry.microsoft.com
    watson.ppe.telemetry.microsoft.com
    vsgallery.com
    watson.live.com
    watson.microsoft.com
    telemetry.remoteapp.windowsazure.com
    telemetry.urs.microsoft.com

I can see the argument for disallowing remapping Microsoft domains in the
hosts file as a security precaution [0], but this seems a bit heavy handed.

Oh well, there's always pihole.

Edit: On second thought, how long before they just start hard coding IP
addresses?

[0]: [https://blog.malwarebytes.com/cybercrime/2016/09/hosts-file-hijacks/](https://blog.malwarebytes.com/cybercrime/2016/09/hosts-file-hijacks/)

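An added example, not code from the article, from Defender, or from anyone in the thread: a small audit of a hosts file in the spirit of the check the article describes. It parses hosts-file syntax, keeps only names under the Microsoft-related suffixes from the list quoted above, and separates sinkhole entries (0.0.0.0 or loopback, the telemetry-blocking case) from redirects to a routable address (the hijack pattern in the Malwarebytes link). The sample hosts file and the 203.0.113.10 address are constructed for the example.

```python
"""Audit a Windows hosts file for entries that remap Microsoft domains.

Added example for this thread; not code from the article, from Microsoft or
from Defender. Parse hosts-file syntax, keep names under Microsoft-used
suffixes, and tell a sinkhole entry (0.0.0.0 / loopback, "block telemetry")
apart from a redirect to some other address (the hosts-file hijack pattern
that points vendor or security domains at an attacker-controlled server).
"""
import ipaddress

# Suffixes taken from the domain list quoted at the top of the thread.
# akadns.net and nsatc.net are CDN names rather than Microsoft-owned zones,
# but the quoted entries under them are Microsoft service names.
MICROSOFT_SUFFIXES = (
    "microsoft.com",
    "windows.com",
    "live.com",
    "windowsazure.com",
    "akadns.net",
    "nsatc.net",
)

# Constructed sample hosts file (not a real capture). 203.0.113.10 is a
# documentation-only address standing in for an attacker-controlled host.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0   telemetry.microsoft.com
0.0.0.0   watson.telemetry.microsoft.com   # crash reporting
0.0.0.0   v10-win.vortex.data.microsoft.com.akadns.net
127.0.0.1 facebook.com www.facebook.com
203.0.113.10 www.microsoft.com update.microsoft.com
not-an-ip telemetry.urs.microsoft.com
"""


def parse_hosts(text):
    """Return [(ip, hostname), ...] from hosts-file text.

    Comments (# to end of line) and blank lines are dropped; a line whose
    first field is not an IP address is skipped, as the system resolver
    skips it. One line may name several hosts.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for host in fields[1:]:
            entries.append((ip, host.lower().rstrip(".")))
    return entries


def is_microsoft_host(host):
    """Exact match or proper subdomain of a suffix; 'evil-microsoft.com' fails."""
    return any(host == s or host.endswith("." + s) for s in MICROSOFT_SUFFIXES)


def is_sinkhole(ip):
    """0.0.0.0, ::, 127.0.0.0/8 and ::1 block a name rather than redirect it."""
    return ip.is_unspecified or ip.is_loopback


def audit(text):
    """Classify Microsoft entries: {'sinkholed': [...], 'redirected': [...]}.

    Each item is (hostname, ip_as_string). 'redirected' is what an analyst
    should look at first: blocking telemetry never needs a routable address.
    """
    result = {"sinkholed": [], "redirected": []}
    for ip, host in parse_hosts(text):
        if not is_microsoft_host(host):
            continue
        bucket = "sinkholed" if is_sinkhole(ip) else "redirected"
        result[bucket].append((host, str(ip)))
    return result


if __name__ == "__main__":
    for bucket, items in audit(SAMPLE_HOSTS).items():
        print(bucket)
        for host, ip in items:
            print(f"  {host} -> {ip}")
```

Run it against `C:\Windows\System32\drivers\etc\hosts` by reading that file into `audit()`. The split into two buckets is the point: a sinkhole entry for a telemetry name is the case the article is about, while a Microsoft name pointed at a routable address is the case the Malwarebytes write-up is about, and a scanner that treats both the same is exactly the heavy-handedness the parent comment describes.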
~~~
dvfjsdhgfv
> Edit: On second thought, how long before they just start hard coding IP
> addresses?

What would be the benefit of it? IP addresses are as easy to block as domain
names, but the number of IP addresses available to them is much smaller than
the number of possible domain names.

~~~
Mindwipe
> IP addresses are as easy to block as domain names, but the number of IP
> addresses available to them is much smaller than the number of possible
> domain names.

Is it? If they wanted to be toxic they could mix the telemetry IPs around with
the windows update IPs inside a fairly significant block of IPv6 addresses. It
would be hard to block the entire range because you'd hit the update servers.

------
LinuxBender
Telemetry isn't even the nasty one. Look for "activity" in your DNS logs. Just
try to block that... All the Windows 10 machines (home and pro) on your
network will freeze up and hang for extended periods of time. Microsoft wants
to know every time you spawn an application, what it was, who launched it. It
doesn't matter how you block it, NXDOMAIN, REFUSE, fake IP, null route, all of
those will cause machines to hang. A tcp-reset will reduce the impact a
little.

[Edit] MS may have wised up and consolidated the activity endpoints / vips
into another endpoint. You may have to clear cache on the PC and your router,
reboot and watch DNS requests as you launch applications to see where they
moved.

To stop this behavior requires registry changes unless you are on Enterprise
or LTSC in which case you can use GPO. There are some free programs that will
do the registry tweaks for you.

Here is a video talking about manually changing some things [1] and they link
to free tools that can do the changes as well [2].

[1] -
[https://www.youtube.com/watch?v=tgW7iXejfqQ](https://www.youtube.com/watch?v=tgW7iXejfqQ)

[2] - [https://www.oo-software.com/en/shutup10](https://www.oo-software.com/en/shutup10)

~~~
at_a_remove
Ah, LTSC ... never has one of my hunch-based technical decisions kept paying
off again and again. If only I knew the right people instead of having to get
licenses in very sketchy ways.

~~~
jabroni_salad
Just get yourself a volume license and talk to a distributor.

You do not need any crazy volume. I was able to get it in place, legitimately,
for a metal fabricator that has maybe 20 computers total not including their
operational technology (CNC devices) that they wanted LTSC for.

[https://www.cdw.com/search/?key=ltsc&searchscope=all&sr=1](https://www.cdw.com/search/?key=ltsc&searchscope=all&sr=1)

~~~
at_a_remove
As just a guy? Not so easy. I'm not a company, I'm just a person.

~~~
throwanem
It looks like CDW, at least, sells by the individual license, to judge from
the search results at that link. Top one is "Windows 10 Enterprise LTSC 2019 -
upgrade license - 1 license".

~~~
mjcl
That link is for an Open License. The MS Open License program allows you to
purchase volume licenses individually, but the initial MS Open License order
must be for at least 5 licenses (of something).

~~~
EvanAnderson
CDW will happily sell you one license of LTSC and 4 of the cheapest SKU in
the catalog (I don't know what that is, currently-- in the past it has been
stuff like $5 DVD playback licenses) to get you over the minimum purchase qty.

~~~
fl0wenol
I did exactly this with PC Connection and got into the Open license program.
What's great is that you get 50 activations out of the box, so while it's a
bit of money up front, it effectively allows you to use a bunch of systems and
VMs internally without worry. No one is going to say anything about this
especially if it's for personal use.

If you were supporting multiple users in a small business environment
definitely make sure you buy as many Windows SKUs as you have end users to be
compliant, however.

All of this becomes moot once you have >25 clients; then you can transition to
using volume licensing and it's essentially unlimited. It still tracks it
though and Microsoft can ask to look at it, especially if you change from Open
to Select or some other volume pricing agreement, so keep that in mind.

~~~
EvanAnderson
I've had a sharp increase in the number of license compliance audits coming
from Microsoft in the last couple years. A couple of my Customers have been
targeted annually 3 years in a row. The most recent round of audits included
probing questions that were clearly looking for SaaS sales opportunities.

------
fbelzile
That's not all. Starting in Windows 8, Windows silently ignores entries in the
hosts file for popular domains (ex: facebook.com). The only way to stop this
is to add a file exception for C:\Windows\system32\drivers\etc\hosts in
Windows Defender. As far as I know, there was no documentation explaining
this.

Also, I don't know what threat model they're using to make these decisions. If
you can edit the hosts file with administrative privileges, you can also add a
registry entry that adds a file exception in Windows Defender with the same
permissions...

~~~
bserge
It was working for me last year, and I literally just tried it with "127.0.0.1
facebook.com" + "127.0.0.1 www.facebook.com" and it still works.

------
afrcnc
The article's title is misleading and clickbait. Windows is not flagging
telemetry. It's flagging remapping of Microsoft domains, which is a very big
no-no for every vendor.

~~~
JadeNB
> The article's title is misleading and clickbait. Windows is not flagging
> telemetry. It's flagging remapping of Microsoft domains, which is a very big
> no-no for every vendor.

The title is:

> Windows 10: HOSTS file blocking telemetry is now flagged as a risk

That seems clear to me about what is being flagged. I don't see any
implication that telemetry is being flagged, and I'm not quite sure why anyone
would think it would be—although I'd love it if Windows were to start
reporting that its own telemetry was a risk, I don't see that in the cards.

------
Wowfunhappy
Want to Jailbreak your iPhone with unc0ver? You're probably going to go to
unc0ver.dev and download unc0ver.ipa for sideloading. However, if you're on
Windows 10, you may find that the ipa file suddenly disappears from your
PC as soon as it has finished downloading.

Surprise! Windows Defender detected the Jailbreak and helpfully removed the
file to keep you safe! This is _not_ a false positive, Windows Defender
literally lists "Jailbreak" as the reason the file is dangerous. Never mind
that it's a user-initiated jailbreak for an entirely different, non-Microsoft
Operating System!

Repeat the same process on macOS—y'know, the OS from a company that actually
has an interest in stopping this stuff. Does unc0ver.ipa get deleted by
XProtect? Nope! Apple understands that these systems should only ever be used
for actual viruses. To do anything else is a severe betrayal of user trust.

IMO, Windows Defender has jumped the shark, and sadly, I've now resorted to
disabling it on all personal Windows machines.

~~~
ZekeSulastin
I downloaded the unc0ver IPA just now. Still there. Ran a scan on my downloads
folder to see if it gets picked up. Still there. Don't know what the heck is
going on with your system _shrug_

~~~
Wowfunhappy
Huh, well I last did this around a year ago, so it may be that an update to
either Windows Defender or unc0ver fixed/avoided the problem.

The fact that it happened at all, however, seriously doesn't sit right with
me.

~~~
kbenson
> The fact that it happened at all, however, seriously doesn't sit right with
> me.

It probably detected some of the techniques they used in the file as things
used in exploits (since there's little difference in a jailbreak/security
exploit from a technical perspective). The fact that it catches it in that
case is a good thing. That it doesn't catch it anymore might point towards them
getting a report that it's a false positive of their automated binary
matching, and making an exception to allow it. Apple not catching it could
then indicate that either Apple already allowed it, or Apple's exploit
detection is less sophisticated and wasn't able to see the problem.

I don't know if that situation is correct, but it seems just as plausible to
me, and in that case, Defender is doing exactly what I would want, responds
to a report exactly as I would want and expect, and has multiple mechanisms to
bypass the initial problem (add folder that's not scanned, disable entirely,
etc), and your experience with Apple points towards them either being a little
quicker with the exception or just worse at doing what I would want.

~~~
Wowfunhappy
If it was a mistake due to overall techniques, why did Windows Defender mark
it as a "Jailbreak" as opposed to a trojan or some such? That was the thing
that made me really upset, once I saw it.

~~~
kbenson
Possibly because windows offers sandbox capabilities as well, and breaking out
of that would be classified as a jailbreak.

Even if someone at Microsoft got overzealous (or a third party reported it),
the software is literally designed to find and quarantine exploits (which a
jailbreak is), and there are ways to bypass it even if it wasn't apparently
reversed later. The item detected _is_ an exploit, just for a different
system. It's exactly the sort of false positive I would expect, and the fact
that you can work around it without major issues (whether through a special
download folder you create and mark as not scanned immediately or temporarily
disabling it) is exactly what I would expect.

It's sort of like if you owned a furniture store, and have a security guard to
watch it. One night after hours, some guys in street clothes show up in a
truck and loiter for a bit before going in the back and starting to take some
furniture to the truck. Sure, these guys are your cousins, and are doing stuff
on your behalf, but does the guard know that? Did you tell the guard? Would
you rather the security guard go stop everything immediately and call you to
confirm what's going on, or just shrug and say "eh, it's probably fine"?
You're paying them to stop bad stuff, you should expect them to stop bad
stuff, and when they find false positives that look like the real thing, that
should be reassuring that they're doing their job, not grounds for dismissal.

------
AlexDragusin
Skip the Windows HOSTS file and use something like Acrylic DNS[0], works great
for me and supports wildcards.

I even use it together with the router to have my phone use the DNS and you
can see which hosts get connected and so on as you use the phone. It ain't
pretty.

[0]: [https://mayakron.altervista.org/support/acrylic/Home.htm](https://mayakron.altervista.org/support/acrylic/Home.htm)

~~~
cdurth
any curated block lists you recommend for the lazy?

~~~
ffpip
I have an extremely basic one on my Windows machine -
[https://pastebin.com/ZfUv6E2c](https://pastebin.com/ZfUv6E2c)

Bing, Facebook, Windows Web Search and some other sites don't work (unless you
use DNS over HTTPS in Firefox, which ignores the hosts file.)

Go through r/pihole for the recommended ones.

------
a012
For DNS blocking, I've switched my home devices to NextDNS and it works great.
It has DoH/DoT, bundles a lot of blocking lists and has no logs option which
are all I need. And I can manually add these domain names to blocklist if
they're not added in any one yet.

------
Justsignedup
www.microsoft.com is also used for updates. By doing this block a lot of
viruses prevent defender and windows from patching.

------
metalliqaz
I have Win10 Enterprise from a corporate MSDN license. So, I just used gpedit
to disable telemetry. What else should I be doing to my install to get rid of
all the "leakiness"?

~~~
metalliqaz
Actually I found this, which seems to be comprehensive (though a bit out of
date)

[https://proprivacy.com/privacy-service/guides/how-to-disable-windows-10-data-collection](https://proprivacy.com/privacy-service/guides/how-to-disable-windows-10-data-collection)

~~~
Spunkie
Doesn't seem very comprehensive if you are using an Enterprise or LTSC build,
no mention of gpedit.

------
fortran77
These blocks may also prevent Microsoft from getting updates, including new
virus scanning profiles. I'd say that blocking access to them could be a risk.

~~~
dylan604
"Accept our tracking your every move or you don't get virus updates" sounds
like "Give me your wallet and I won't shoot you".

------
frou_dh
If I lost trust in an OS, I would stop running it. Trying to fight an OS as a
mere client of the OS is asymmetric warfare

~~~
mmm_grayons
And use what instead? I generally use linux on my desktop but have to reboot
fairly often to do something windows-related. Libreoffice botches document
formatting every time I use it on something above "hello, world." Lots of
stuff still only works on windows, though wine compatibility is getting
better.

~~~
Snawoot
I use Windows inside Linux KVM virtual machine mostly for gaming. One of my
GPUs passed through into VM with PCI passthrough.

~~~
bavell
Same setup here. Best of both worlds IMO. Only drawback is to use the GPU on
the linux host for e.g. Blender, I need to reboot (GPU can't rebind to PCIe
root otherwise or something... thanks Nvidia)

~~~
em-bee
to you and parent, what's your experience running games in a VM? i prefer to
run linux, but there are a few games that are windows only that i'd like to
play.

which VM software are you using? can you recommend any resources?

~~~
Snawoot
It's very close to native performance. Only major issue I had is crackling
sound, but it's resolvable. In my setup I have second set of controls
(keyboard + mouse) to be forwarded to guest and HDMI output of guest GPU is
connected to HDMI switch. Once everything set up, it looks and feels like you
have second PC under your desk.

I use conventional Linux KVM virtualization ("libvirtd" + "virt-manager" GUI)
on Fedora 32 (previously used Debian).

Most valuable resource is Arch Wiki:
[https://wiki.archlinux.org/index.php/PCI_passthrough_via_OVMF](https://wiki.archlinux.org/index.php/PCI_passthrough_via_OVMF)

I've never used Arch Linux, however I always refer to Arch Wiki - it's
extremely useful even for other distros.

~~~
em-bee
nice, a second desktop would mean that two people can use the machine at the
same time. i like that.

i was mostly worried about demanding games needing graphics features that
would not work in a VM. (and usb support for the bank dongle)

i am also

~~~
em-bee
apparently incapable of properly proofreading my messages

------
firebaze
Users blocking telemetry using .../etc/hosts are presumably power users, and,
as such, are informed about this new twist - and this twist may even inform
them that Microsoft uses IPs as a fallback in case DNS resolution fails. The
outcome of this stunt may thus be worse than before it.

So what is to be gained from this?

------
rafaelturk
This should somehow be defined as illegal.

I, as a user, should have the power to definitely, unquestionably block MS
from tracking my computer.

~~~
yjftsjthsd-h
I'm actually curious if this happens in the EU, and if so how it doesn't
violate GDPR.

~~~
ClikeX
I'm not a lawyer, but I think it might depend on what data is being collected
here. I believe they'd be fine if it doesn't fall under the "personal data"
category.

You might actually be accepting some GDPR processing agreement when setting up
Windows nowadays.

And there's a whole thing in GDPR about grandfathering consent. Which they
might fall back on.

But like I said, I'm not a lawyer. I'm not qualified enough to know for sure.

~~~
JadeNB
> And there's a whole thing in GDPR about grandfathering consent. Which they
> might fall back on.

Wouldn't that apply, if at all, only to users who started before GDPR?

~~~
ClikeX
Yes, that's specifically for users before GDPR.

But GDPR can be a bit vague, both in definition and enforcement.

I'm not sure how Microsoft implements GDPR agreements. But I'm not sure if
you'd have to agree to their policies on a Microsoft account level, or if it's
per installation of Windows.

------
wayneftw
The Pro and higher versions allow you to just disable Defender via GPO. That’s
what I always do anyway.

------
jedisct1
Block these domains with dnscrypt-proxy instead.

------
fractal618
It must be hard making decisions at that level.

------
pojntfx
Use Linux

------
nvr219
Do pi-hole you fools

