The content provided on the site is specifically structured and follows an unusual format, which at times conflicts with the practices and business models of large companies. This can sometimes lead to incorrect classification by security software.
All content is regularly tested with various security solutions from home, business, and enterprise sectors. Considerable efforts are made to defend against daily attacks, spam, hacks, and brute-force attempts by individuals and bots to ensure secure use for all visitors.
Additionally, filter lists are provided to assist website operators in effectively protecting their servers from bots.
Nevertheless, it is up to each user to verify the provided content independently.
Various programs react adversely to the offered hosts files and classify them as harmful. This category includes Kaspersky Internet Suite and Windows Defender.
While Windows Defender simply wants to move the hosts file to quarantine:
This message indicates that a potential security incident has been detected on your computer. Specifically, it refers to a modification of the system’s hosts file that the security software flagged as suspicious.
The hosts file is used, among other things, to manually map certain domain names to IP addresses. If an entry in this file is manipulated, internet requests could be redirected to undesirable or malicious websites.
Kaspersky's software, on the other hand, blocks access to the hosts downloads, deletes entries from the hosts file on its own, and prevents the hosts file from being written.
Trojan.Win32.Hosts2.gen is a malicious program designed to electronically spy on a user’s activities. It can intercept keyboard input, take screenshots, and capture a list of active applications. The gathered data is then sent to cybercriminals via various means, including email, FTP, and HTTP requests. This Trojan operates on Windows NT-based operating systems and supports 32-bit applications.
Kaspersky has been repeatedly asked for a statement but has ignored all requests.
Alongside Microsoft Corporation, companies such as BitDefender and G-Data were also contacted, and the website and lists were submitted for review.
F-Secure Corporation provided us with an explanation of why the hosts files offered on these pages are classified as malware:
This detection is intended to flag hosts files with multiple entries pointing to a single IP address or IP block. This is a characteristic of many trojans that modify the hosts file to facilitate communication with a malicious remote server.
The filter files are structured so that entries are included per product, which results in a hosts file containing a large number of entries that all redirect different hostnames to the same target, "0.0.0.0".
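To make the heuristic F-Secure describes concrete, the following is an added Python example (not the project's or F-Secure's code). It parses a hosts file, counts how many hostnames map to each target address, and then separates unroutable sink addresses (0.0.0.0, 127.0.0.1, ::1) from routable ones, since a large fan-in to a sink address is what a blocklist looks like while a large fan-in to a routable address is the hijacking pattern the detection was written for. The threshold of 50 and both sample files are constructed assumptions; the "IP block" variant of the heuristic is not implemented here.

```python
import ipaddress
from collections import Counter

SINK = {"0.0.0.0", "127.0.0.1", "::1"}  # non-routable "block" targets
THRESHOLD = 50  # assumed: minimum entries per target before flagging

def parse_hosts(text):
    """Yield (ip, hostname) for every mapping written in hosts-file syntax."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue                            # malformed line, ignore
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue                            # first field is not an address
        for name in fields[1:]:                 # several names may share a line
            yield ip, name.lower()

def analyze(text, threshold=THRESHOLD):
    """Return (counts per target, flagged sink targets, flagged routable targets)."""
    counts = Counter(ip for ip, _ in parse_hosts(text))
    flagged = {ip: n for ip, n in counts.items() if n >= threshold}
    # Refinement: many names sunk to 0.0.0.0 is how a blocklist looks;
    # many names sent to one routable address is how a hosts-hijacking trojan looks.
    sink_only = {ip: n for ip, n in flagged.items() if ip in SINK}
    routable = {ip: n for ip, n in flagged.items() if ip not in SINK}
    return counts, sink_only, routable

# Constructed sample: blocklist-style file, 60 tracker names sunk to 0.0.0.0
# alongside the usual local mappings.
BLOCKLIST = "# example blocklist\n127.0.0.1 localhost\n::1 localhost\n" + "\n".join(
    f"0.0.0.0 tracker{i}.example.invalid" for i in range(60))
# Constructed sample: the hijacking pattern, 60 names pointed at one routable address.
HIJACK = "\n".join(f"198.51.100.7 bank{i}.example.invalid" for i in range(60))

if __name__ == "__main__":
    for label, sample in (("blocklist", BLOCKLIST), ("hijack", HIJACK)):
        counts, sink, routable = analyze(sample)
        print(label, "sink targets:", sink, "routable targets:", routable)
```

Both samples trip the raw "many entries, one address" rule; only the second survives the sink/routable refinement.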
Another issue for consumers is that the offered filter lists on this or other websites can be deleted or even altered independently by third-party software (mainly so-called "snake oil" software). The reasons for this are manifold.
However, it often stems from prioritizing profit over security interests.
This results in consumers being intentionally misled and confused by companies that are supposed to ensure security. Even more problematic is that, through spyware and the constant bypassing of protective measures such as filter lists, end consumers end up paying twice and are misled into a false sense of security.
False Positive detection by Windows Defender
In some tests, the compiled file "GI-Host-Templates.exe" from the downloads section was mistakenly detected as a virus by Windows Defender and automatically moved to quarantine.
The hosts file itself is also affected by this issue. The website Bleepingcomputer has summarized the issue well.
Blocking spyware and telemetry services can be problematic, especially in the case of Microsoft Corporation: it collects extensive telemetry data and runs background services via Windows, and when programs such as the hosts setup block these, Windows Defender is triggered. The question of who is truly at risk in this case remains open.
The Microsoft case shows that company interests are being enforced here – particularly the preservation of data collection and surveillance mechanisms – and a non-existent threat is being raised that has nothing to do with actual "security".
This approach not only leads to false alerts but also confuses users through aggressive business practices. Instead of protecting user interests, an environment is created where security software protects corporate strategies rather than the privacy and security of end users.
Since this issue causes problems not only for me as a developer but also for users, the hosts setup and associated files were also submitted to Microsoft Security Intelligence for review.
For Windows Defender, the only solution is to create an exception rule.