HOSTS file lock?

I searched the forum and there was a discussion back in 2006 of adding the ability to lock the HOSTS file. I don’t see that in version 3.0?? Meanwhile, I have to keep running Winpatrol 24/7 to notify me of any changes to the HOSTS file.

I use Hostsman to update the hosts list of “bad” sites to blacklist. I’ve tested Comodo – it doesn’t pick up the changes but Winpatrol does. I have also manually opened Hosts in Notepad, eliminated some of the sites and Comodo doesn’t say a peep.

???
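What Winpatrol does for the original poster, notifying on any change to the HOSTS file, can be reproduced with a small script. The following is an added example, not part of this thread and not Comodo, Winpatrol or Hostsman code: it fingerprints a snapshot of the hosts file, diffs it entry by entry against a saved baseline, and flags any name that now resolves somewhere other than a blackhole address, which is what distinguishes a hijacked entry from a blocklist edit. The hosts contents are constructed samples and all function names are the example's own.

```python
"""Hosts file change monitor: baseline fingerprint, entry-level diff, and a
check for entries that redirect names somewhere other than a blackhole.

Added example for this thread; not Comodo, Winpatrol or Hostsman code.
The sample hosts contents below are constructed. On Windows the real file is
%windir%\\System32\\drivers\\etc\\hosts; pass its text to these functions."""
import hashlib
import ipaddress


def parse_hosts(text):
    """Map each hostname to the address on its line, ignoring comments and
    blank lines. The first mapping for a name wins, as the resolver would."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop inline and full-line comments
        parts = line.split()
        if len(parts) < 2:
            continue                            # blank, comment-only or malformed
        try:
            addr = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            continue                            # first token is not an IP address
        for name in parts[1:]:
            mapping.setdefault(name.lower(), addr)
    return mapping


def fingerprint(text):
    """SHA-256 of the raw file text; a cheap whole-file change indicator."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def diff_hosts(baseline_text, current_text):
    """Return (added, removed, changed) mappings between two hosts snapshots."""
    old, new = parse_hosts(baseline_text), parse_hosts(current_text)
    added = {h: new[h] for h in new if h not in old}
    removed = {h: old[h] for h in old if h not in new}
    changed = {h: (old[h], new[h]) for h in old if h in new and old[h] != new[h]}
    return added, removed, changed


def suspicious_entries(mapping):
    """Entries that send a name to a routable address instead of blackholing
    it (0.0.0.0, 127.0.0.1, ::1). A blocklist-style hosts file should have none."""
    out = {}
    for name, addr in mapping.items():
        ip = ipaddress.ip_address(addr)
        if not (ip.is_loopback or ip.is_unspecified):
            out[name] = addr
    return out


def report(baseline_text, current_text):
    """Human-readable findings, one per line; an empty list means no change."""
    lines = []
    if fingerprint(baseline_text) == fingerprint(current_text):
        return lines
    added, removed, changed = diff_hosts(baseline_text, current_text)
    for h, a in sorted(added.items()):
        lines.append(f"ADDED    {h} -> {a}")
    for h, a in sorted(removed.items()):
        lines.append(f"REMOVED  {h} -> {a}")
    for h, (o, n) in sorted(changed.items()):
        lines.append(f"CHANGED  {h}: {o} -> {n}")
    for h, a in sorted(suspicious_entries(parse_hosts(current_text)).items()):
        lines.append(f"REDIRECT {h} -> {a} (not a blackhole address)")
    return lines


# Constructed sample: a blocklist-style hosts file as a hosts manager might write it.
BASELINE = """# constructed sample, not a real hosts file
127.0.0.1 localhost
::1       localhost
0.0.0.0   ads.example.net
0.0.0.0   tracker.example.org
0.0.0.0   stats.example.com   # a counter the user decided to block
"""

# Constructed sample after an edit: one blocked name removed (as the poster did
# by hand in Notepad) and one name pointed at a routable TEST-NET-3 address.
MODIFIED = """# constructed sample, not a real hosts file
127.0.0.1 localhost
::1       localhost
0.0.0.0   ads.example.net
0.0.0.0   tracker.example.org
203.0.113.5 update.example.com
"""

if __name__ == "__main__":
    for line in report(BASELINE, MODIFIED):
        print(line)
```

Run as a scheduled task against a saved baseline copy of the hosts file and the three report lines for the sample (one added, one removed, one redirect) show the kind of change a file-lock would have prevented and a hash alone would only have hinted at.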

You can go to D+/my protected files and add the HOSTS file, but it isn’t there by default.

That’s strange, since %windir%\system32* is added in My Protected Files. I get alerted when trying to modify/delete hosts.

Cheers,
Ragwing

Interesting. I just replaced and modified my HOSTS file again since it had been a couple of weeks. And the same entry is in “My Protected Files” - didn’t look hard enough; just assumed it wasn’t there because it didn’t stop me. Added and removed a couple files to that directory, again without a peep. Maybe it doesn’t stop Vista admins with UAC turned off. In any case, sure looks like a bug to me. :frowning:

Ed, make sure your file manager and the app you use to modify the hosts file do not have appropriate permissions.
When I try to modify or delete it with any app which doesn’t have permissions I always receive an alert from D+ (paranoid mode). Don’t have a special entry for the hosts file, just %windir%\system32* like Ragwing mentioned.

Let’s see, since explorer is a windows system application, as well as a file manager, and notepad is a trusted application, explorer should be able to modify any protected file using notepad, and to modify the HOSTS file without indicating it. And to replace it using explorer. I have paranoid mode too. So not exactly locking the host file from user modification is it? My mistake - CFP3 still can’t do it. :slight_smile:

I guess you are right. D+ will be silent according to policy.

Yes, indeed at default settings if using explorer.exe.

Just tried what the original poster did (i.e. edit hosts with notepad) in clean pc mode and got alert:
Notepad is trying to modify file C:\Windows\System32\drivers\etc\hosts

Matty

On XP


Are you using Vista? I update the hosts file about monthly and have never seen an alert. Sometimes I edit with notepad, sometimes with textpad, but the replacement from the .zip never gives a message, whether I use Explorer or PowerDesk. So all users should be able to modify/replace all protected files? Sounds like the utility of ■■■■ on a boar hog to me. :slight_smile:

The same for me as for riggers.
And I also use a program called Hosts Manager to manage my Hosts file, it will also fabricate an alert.

But you can delete, copy and rename Hosts via explorer without alerts by design.

B.t.w. both Notepad and Hosts Manager are set to Custom Policy.

What I do is just do a drag and drop of the new HOSTS file to overwrite the old, then edit a few entries (CQCounter related) for website statistics programs I use with either textpad or notepad and save the file. Just like CFP wasn’t there at all. Fooled me. :wink:

explorer.exe is not a Windows System Application.

I’m not sure if explorer.exe is allowed to access Protected Files by default, but mine’s set to Ask. Here’s my configuration for explorer.exe:

http://img175.imageshack.us/img175/7225/explorerexeconfigoe6.png

Cheers,
Ragwing

IIRC, the default ruleset for explorer.exe is to allow everything, except “run executable”, i.e. very similar to the “trusted app” policy. I have the default config of 3.0.21 as a file, but too lazy to check this :stuck_out_tongue:

Seems that although explorer.exe is given as “custom” by default it has the same privileges as a “Trusted” app. So by default it has carte blanche for everything except run an executable.
Although it may be “Trusted” by default, as soon as it runs an executable it will change to “Custom”.

Matty

So as long as we don’t mistakenly select trusted or windows system application or allow and remember - or maybe remember to actively change our settings for “explorer” - our protected files will be safe? Sounds like it is too hard - must not be many protected files out there. ???

Hi all,
jon.bean, you’ve dropped a stone and caused a tsunami (:KWL)

Your hosts and all files from %windir%\system32* are safe, unless modified by a trusted application, like explorer. Looks like Notepad is not.
My rule set dates back to the old 3.018 times, with small adjustments.

I have also included explorer in WOS, mainly to deny them altogether from accessing loopback and DNS. This has worked up to the logs, because explorer has some intimate relations with iexplorer. Unless you block also the latter or make a rule for it in FW, explorer generates a log entry but tries to access the network.

BTW Ragwing, I think you’ve created all those rules yourself, and like goodbrazer was mentioning, they didn’t come out like this in 3.021. I’ll try them one by one, thanks.
Unfortunately, the script made by gibran and grue doesn’t work on my system.
I’m also trying to keep D+ rules in path order, to prevent rule duplicates with the ones from my groups. Explorer is for sure whitelisted. But how can I tell if an application is whitelisted or not? – please don’t send me searching for hex editors.

Regards, Gabi

Yes, I like to configure everything myself. I don’t have much (if any) of the default configuration left.

Cheers,
Ragwing

Notepad is a well known application to most users, and when they get a popup for it the most likely selection is windows system application or trusted application. Even if they are careful, that just means those who edit first, then drag and drop, don’t get any indications. How about regedit32? First thought, “windows system application”. Poof go the protected reg keys. I think the names of the predefined policies give such strong indications of which should be used, and no warnings, that they do a lot of unprotecting of things. And there is not a gradation like for the firewall. Our discussions/help file about trusting well known programs leads users there. And the nuisance of turning off “remember” and looking each time (or does D+ remember for the session anyway?) makes it unlikely that most users still are protected. Fortunately I don’t count on D+ for much of anything, so usually don’t answer users on it. Is it time to confess to Mike and David yet? :wink: Or change the predefined policies and their usage? Or even the way custom policies are handled for “remember”? ???

My 2 cents: if we talk about protection from real malware, then the system is protected even if regedit.exe, explorer.exe, notepad.exe etc. are declared as “windows system apps”. Because a real malware executable first of all must hijack (take control over) regedit.exe etc. to receive appropriate permissions to delete/modify protected registry keys/files/folders etc.
The only way to do this is to bypass D+. So far I don’t know any real malware that can do this. Please tell me if some exists.

If we talk about protection from user, then yes, there is no protection in this case because he/she can launch regedit.exe, explorer.exe, notepad.exe etc. and perform “malicious” actions ;D (e. g. deleting crucial system’s stuff).
…And D+ will be silent according to policy. The only way to avoid this is to tighten the computer security policy.

Seems to be a misconception on the part of CFP users that these protections also stop accidental or purposeful damage by themselves or other users. And a global lack of caution in assigning the predefined policies. BTW, ALL trusted or windows system applications can modify the protected registry keys. Threads on how the machine is unusable because of limiting explorer or wininit, this discussion on how selecting windows system or trusted unprotects everything for the particular application, … We simply don’t do enough to limit the damage that can be caused by a simple mistake. The concept that the user will keep clicking “allow but don’t remember” until his fingers drop off, understanding each step, rather than choosing a Comodo recommended policy that sounds right and remembering certainly doesn’t sound reasonable. Something like allowing the custom rules to define a new policy, so a user can at least, for Opera, say “do like FF” might help. Or in the library of safe programs, have the default permissions as part of the database. This would sure beat choosing allow or block based on voting. Or other ideas - security cannot depend on perfect users. ???