Assistance with Host file scan

Hi,

I have a large hosts file (attached) with 411k+ entries, a remnant from before using PeerBlock/PeerGuardian, but I still prefer having it. Created using Hostman and populated using the sources from within + hxxp://www.mvps.org/winhelp2002/hosts.zip +
hxxp://www.bluetack.co.uk/config/HOSTS.zip + hxxp://www.mdgx.com/files/MDGXHOST.EXE hosts.

As my primary AV is Avast 6.0.1023 I generally don’t use CAV (no scheduled or real-time scans set) except for a bi-monthly scan, just as a cross-check measure that my system is OK.

However, this time after a MANUAL scan with the latest
CIS version 5.5.195786.1383
Signature DB: 9486

I received a large number of entries in the AV log marked as TrojWare.Win32.Qhost.~14S9[at]116242354

All are marked as 0.0.0.0 i.e. null, except 2 marked as 127.0.0.1, as I find that more convenient especially when using local servers for Java development like Apache Tomcat/Red Hat JBoss. The plus is also less loopback, which means it’s faster.

I assume not all the 411k+ entries were alerted upon within the CIS logs (perhaps because CIS hung my system); I’ll elaborate on that later.

Part 1

Agreed, it could be just a generic heuristic pattern match.

  1. How do I identify from the log file entries which line in the hosts file the record is for, so that I can check and confirm it’s not in fact for a valid domain, e.g. comodo.com or microsoft.com, which I should rather keep open?

  2. If CAV has reported in general, then the detection goes against a popular approach of block all and allow only what I want, a far better way of accessing the internet than allow all and block only known :wink:

  3. Any assistance I can receive on identification of the entry?

  4. If it cannot be resolved in current builds, should these queries go onto the wishlist?

Part 2

Scanning the hosts file possibly hung CAV.

At this point there are high CPU/memory usage spikes but low memory utilization in the paging file available. Although the system barely responds, it’s to the point of being unusable, so I have to restart it to fix the issue.

The report file is attached.

I experienced the same issue 2 times then decided to report it.

  1. Any assistance on it other than adding to ignores? But that means it will be a workaround and not a solution.

System specs

Intel Pentium D 2.66 GHz, 1 GB DDR1 memory
Microsoft XP SP3 patched latest (slimmed-down services, unnecessary ones disabled)
CIS - Firewall and Defense+ only
Avast 6.0.1023 AV only.
No other security/anti-malware s/w in active background/HIPS mode.
And CIS is working great with minimal slowdown of the system!!! Might be a little slow as compared to a higher-spec setup, but otherwise it works well for me.

Regards

[attachment deleted by admin]

[attachment deleted by admin]
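One way to answer question 1 from the post above (tracing a flagged entry back to its line in the hosts file, and checking whether any sunk entries would block a domain you want to keep reachable) is a small indexing script. This is an added example, not code from the thread or from Comodo; the hosts content below is a constructed sample in the shape Hostman produces, and the domain allowlist is an assumption taken from the post's own examples (comodo.com, microsoft.com).

```python
"""Index a Windows hosts file by hostname so a flagged entry can be traced
back to its line number, and list any sink entries (0.0.0.0 / 127.0.0.1)
that would block hostnames under domains you want to keep reachable.
Added example; the sample hosts content below is constructed."""
from collections import defaultdict

# Constructed sample in the same shape as a Hostman-generated hosts file.
SAMPLE_HOSTS = """\
# Hosts file generated by Hostman (constructed sample)
127.0.0.1 localhost
0.0.0.0 ads.example-tracker.net   # trailing comment after an entry
0.0.0.0 bad.example.org www.bad.example.org
127.0.0.1 dev.local
0.0.0.0 download.comodo.com
0.0.0.0 update.microsoft.com
"""

# Addresses that make an entry a "sink" (hostname resolves nowhere useful).
SINK_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::1"}


def parse_hosts(text):
    """Return a list of (line_no, ip, hostname) for every hostname in the file.

    Handles '#' comments (whole-line and trailing), blank lines and lines that
    map several hostnames to one address, which Hostman-style files contain.
    """
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        for name in names:
            entries.append((line_no, ip, name.lower()))
    return entries


def index_by_host(entries):
    """Map lowercase hostname -> list of (line_no, ip) so lookups are O(1)."""
    index = defaultdict(list)
    for line_no, ip, name in entries:
        index[name].append((line_no, ip))
    return index


def lines_for_host(index, hostname):
    """Line numbers on which a given hostname appears (case-insensitive)."""
    return [line_no for line_no, _ip in index.get(hostname.lower(), [])]


def keep_open_conflicts(entries, keep_domains):
    """Sink entries whose hostname is, or is under, a domain you want reachable.

    Suffix matching is done on label boundaries, so 'comodo.com' matches
    'download.comodo.com' but not 'notcomodo.com'.
    """
    keep = [d.lower().lstrip(".") for d in keep_domains]
    conflicts = []
    for line_no, ip, name in entries:
        if ip not in SINK_ADDRESSES:
            continue
        if any(name == d or name.endswith("." + d) for d in keep):
            conflicts.append((line_no, ip, name))
    return conflicts


if __name__ == "__main__":
    # Stand-alone demo over the constructed sample; swap SAMPLE_HOSTS for the
    # contents of C:\Windows\System32\drivers\etc\hosts to run it on a real file.
    parsed = parse_hosts(SAMPLE_HOSTS)
    host_index = index_by_host(parsed)
    print("www.bad.example.org is on line(s):",
          lines_for_host(host_index, "www.bad.example.org"))
    for line_no, ip, name in keep_open_conflicts(parsed, ["comodo.com", "microsoft.com"]):
        print(f"line {line_no}: {ip} {name} would block a domain you want open")
```

Run it against the real hosts file by reading the file's text into `parse_hosts`; the conflict list is what you would review before deciding which lines to delete and which to keep, independent of what the AV log shows.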

Hi Mohan,

CIS is flagging unusual/suspicious entries from the hosts file which are related to or have a history with malicious activities. Please add the file to the exclusions list in order to further use the respective hosts configuration.

Regarding high resources usage, please verify using task manager or other resource monitor if any of the CIS-related processes (cavscan.exe, cfp.exe, cmdagent.exe) is the reason for the issue.

Thanks,
Ionel

Thx Ionel.

I didn’t know the AV also looked for suspicious IP addresses. Are they coming from the Site Inspector branch?

In my view it would make sense to further refine the suspicious IP addresses detection to being able to see that it is actually part of a block list. Otherwise users may end up with enormous amounts of f/p’s.

Thanks Ionel & EricJH

Sorry for the delay, I’ll update back after testing this weekend.

Also raised a wishlist item:
https://forums.comodo.com/wishlist-cis/enhancement-suspect-ips-in-hosts-please-report-in-detection-log-the-hostname-t74837.0.html

Regards