
Tips & Tricks Prevent Malwarebytes Corporate from modifying Windows host file [Trick]

juanamm


I had trouble running a version of IDM and I started to investigate why.
After looking closely I realized that some lines of the Windows host file were disabled (commented with #).
Those lines referenced the IDM host, so I removed the # to get them active again.
But when restarting the PC, Malwarebytes Corporate comments them out again with #.

malw_ignore0.png


I know MB is doing that because in Avast I have the file excluded.

This specific version of Malwarebytes does not allow manually adding the paths of the files that I want to exclude (ignore list, whitelist).
You have to navigate to be able to include files there, but when I browse, it doesn't show me the "etc" folder, it only allows me to get to:
C:\Windows\System32\drivers\
So I will never be able to tell MB to ignore the host file that is on this path:
C:\Windows\System32\drivers\etc

malw_ignore.png


I thought about modifying the access permissions on the host file, but that brings problems: if I remove the permissions from the administrators, then when you want to install a program (such as silent IDM or other versions) that modifies the file, it will not be modified.

Then I thought about programming a .bat file with timers, so that after MB was loaded it would modify the host file again.


The only solution I found to keep MB from modifying the host file was by putting "read only" attributes on it.
It seems like a silly solution, I thought MB would break the attribute, but it worked. :giggle:


If someone comes up with a more ingenious idea so that MB doesn't modify the host file, don't hesitate to share it. :)
 

Don007

Nice Trick ! @juanamm
 

Cyler

You could also try to block the System admin account from having access to that specific file.

  • Right-click on the hosts file and go to Properties.
  • Go to the Security tab.
  • Under Groups and users, go to System and edit permissions.
  • Deny write permissions for System.
  • Press OK and you are done.
Some programs might edit the read-only attribute but they can never change the system without you doing it. You can reverse it at any time if you see any issues.
 
Last edited:
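
For anyone auditing a machine where either protection from this thread (the read-only attribute, or a Deny-write entry for SYSTEM) may have been applied to the hosts file, the following PowerShell reports the file's state without changing it. It is an added example, not part of the original posts; the function name Get-HostsFileLockState is hypothetical.

```powershell
# Added example (not from the thread): read-only audit of the hosts file.
# Get-HostsFileLockState is a hypothetical name; nothing on disk is changed.
function Get-HostsFileLockState {
    param(
        [string]$Path = (Join-Path $env:SystemRoot 'System32\drivers\etc\hosts')
    )

    $item = Get-Item -LiteralPath $Path -Force
    $acl  = Get-Acl -LiteralPath $Path

    # Rights that allow rewriting the file's content.
    $writeMask = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData'

    # Deny entries (explicit or inherited) that take away any of those rights,
    # e.g. the "Deny write for SYSTEM" entry described in the post above.
    $denyWrite = @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        ([int]($_.FileSystemRights -band $writeMask)) -ne 0
    })

    # Lines that are in effect: not blank and not commented out with '#'.
    $active = @(Get-Content -LiteralPath $Path |
        Where-Object { $_ -match '^\s*[^#\s]' })

    [pscustomobject]@{
        Path           = $item.FullName
        IsReadOnly     = $item.IsReadOnly
        LastWriteTime  = $item.LastWriteTime
        Owner          = $acl.Owner
        DenyWriteFor   = @($denyWrite | ForEach-Object { $_.IdentityReference.Value })
        WriteProtected = ($item.IsReadOnly -or $denyWrite.Count -gt 0)
        ActiveEntries  = $active
    }
}

Get-HostsFileLockState | Format-List
```

When WriteProtected is true and no administrator set it, review ActiveEntries line by line: as the thread reports for Malwarebytes, a locked hosts file also stops security software from restoring it.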

verash

Nice work
 

juanamm

You could also try to block the System admin account from having access to that specific file....
I waited until today to answer you waiting for MB's behavior.
So far MB has not broken the read-only attribute, so I think it is a simple solution and it works.
In this specific case I will not change the access permissions of System, but it is a good idea for other programs that can break the attributes of the files.
Thank you very much for your suggestion.
 

2go2ozz

What a coincidence.
I was also concerned about how to block MB Corporate from accessing the hosts file and couldn't manage to see the hosts file within "MB corporate", whereas it was always possible within MB premiere.
I wonder if there's any other way to block access to the hosts file maybe through registry or something else
 

SlavkoPejic

Thanks
 

Ziggi123

Thanks
 

Mr. Spacely

I usually just added hosts file to exceptions in MB corporate or any version and never had problems, you should check to show hidden files and folders
 

2go2ozz

Iceman96: I am afraid that I cannot find it and it is not possible in Corporate, it seems unless you share the screenshots on finding it.
I could go as far as drivers folder, not the etc and contents via corporate
 

juanamm

I usually just added hosts file to exceptions in MB corporate or any version and never had problems, you should check to show hidden files and folders

Iceman96: I am afraid that I cannot find it and it is not possible in Corporate, it seems unless you share the screenshots on finding it.
I could go as far as drivers folder, not the etc and contents via corporate

I would also like to see the screenshot of how you do it @Iceman96. :)
 

Cyler

In the corporate version, the exclusion list is called... allow list as in allowing NOT to scan or allow to skip specific files/folders/sites. In previous versions, it was called exclusion.

Click the Detection History card.
Click the Allow List tab.
To add an item to the Allow List, click Add.
Select the type of exclusion you want to add. (file, folder, website, etc)

I think after that it's simple.

Click Allow a file or folder, click Select a file or Select a folder, choose the file or folder you wish to exclude, then click Open.
Under Exclusion rules, choose how you would like to exclude the file or folder. Exclude from all detections or exclude from detection as malware or potentially unwanted item only or Exclude from detection as ransomware only
Click Done to confirm your changes.

From Malware's site
PUUhXA.png


The exclusion list in older versions.

PUUf8m.png
 

juanamm


Up to here we will all agree with you.
But the problem posed in this thread is how to exclude Windows "host" file and this doesn't fix it.
What you mark in the screenshot with number 3 allows you to navigate to the file to be excluded, but the problem is that you will never get to the host file, since MB hides the path to it.
I already shared a screenshot at startup but will be repeating it again just to be clear.
malw_ignore.png

What we ask Iceman for is a screenshot excluding the host file.
If I missed something and you can share that screenshot we will all be grateful to you.
 

Cyler

I think I figured where the problem/misunderstanding is. You were talking specifically and only about the corporate version which does not allow to exclude several files, not just system32/etc. The "normal" versions don't have that issue and that's why the confusion. You can see in the image below that host file from etc is added to the list. To be honest I thought it would be the same for all MBAM products. You learn something every day.

PUUYUq.png


Since the corporate version is part of the endpoint product solution, I suspect that you will also need the endpoint management console to further expand the exclusion lists. I don't use that version tho so I can't be 100% sure.
 

juanamm

.....Since the corporate version is part of the endpoint product solution, I suspect that you will also need the endpoint management console to further expand the exclusion lists. I don't use that version tho so I can't be 100% sure.
In the corporate version it does not allow that.
Perhaps it was some agreement with software providers to prevent the host file from being excluded so that it would not be used for piracy.
Or to protect the user in the event that some malware modifies such a file to be able to scan it.
Anyway, this issue is resolved in the way explained at the beginning of thread and since the corporate version is discontinued, engine is not updated, we can rest assured that the read-only attribute will not be broken in the future. :)
 

Mr. Spacely

I think I figured where the problem/misunderstanding is. You were talking specifically and only about the corporate version which does not allow to exclude several files, not just system32/etc. The "normal" versions don't have that issue and that's why the confusion. You can see in the image below that host file from etc is added to the list. To be honest I thought it would be the same for all MBAM products. You learn something every day.

PUUYUq.png


Since the corporate version is part of the endpoint product solution, I suspect that you will also need the endpoint management console to further expand the exclusion lists. I don't use that version tho so I can't be 100% sure.

@juanamm that's how I usually do it thanks for showing what I mean @Cyler
 

juanamm

@juanamm that's how I usually do it thanks for showing what I mean @Cyler
Unfortunately, that doesn't work for the host file in the corporate version.
Anyway, thanks to you and @Cyler for sharing it.
 

Mr. Spacely

Unfortunately, that doesn't work for the host file in the corporate version.
Anyway, thanks to you and @Cyler for sharing it.

I don't know then, it worked for me in that same corporate version, it was detecting changes then I added there and everything was okay, maybe problem is on your side?
 

juanamm

I don't know then, it worked for me in that same corporate version, it was detecting changes then I added there and everything was okay, maybe problem is on your side?
No friend, you have already seen that other users have raised the same problem.
So far I have not seen any screenshots of the corporate version where the Windows host file can be added.
If you are so kind to share it, we will thank you, otherwise we leave the subject like that so that it does not become a chit-chat.
 

Mr. Spacely

No friend, you have already seen that other users have raised the same problem.
So far I have not seen any screenshots of the corporate version where the Windows host file can be added.
If you are so kind to share it, we will thank you, otherwise we leave the subject like that so that it does not become a chit-chat.

Sure, let me just dig it up somewhere and I will post :)
 