can programs bypass Windows' "hosts" file?

jarthel · 07-22-08, 08:33 AM

I have a software here that like to phone home every so often. Before you say anything, this is a licensed software that has been paid for.

Uing tcpview (from sysinternal), I found the software is calling home. I just do not like the fact that it needs to call home now and then and I do not know what data (if any) is passed on to the vendor.

so I added the domain to my hosts file. This is the entry I created:

127.0.0.1 domain-here.com.

If I view domain-here.com using a browser, I get an error message which is correct since I do not have a webserver running in localhost.

BUT it seems the offending program is still able to call home. Somehow it is able to bypass my hosts file. In TcpView, the program is using the domain to call home and not its IP.

any ideas (other than install a firewall and blocking the offending domain) on how to prevent the program from calling home?

thank you very much

petteyg359 · 07-22-08, 08:47 AM

ipconfig /flushdns

And how do you domain-here.com in IE is going to 127.0.0.1? Did you check that in your tcpview? The "phone" may be going to a different port, and domain-here.com may not be running on port 80.

CGR · 07-22-08, 10:50 AM

Does the software have an auto update application? May just be checking for updates periodically.

mortimer · 07-22-08, 09:01 PM

Programs don't need to use the hosts file. The hosts file was just a list of names and IP addresses that has been replaced by DNS. The way that I stop programs from accessing the Internet is to use a firewall. Zone Alarm in my case. I'm guessing that other firewalls have the same ability.

ShadowPho · 07-22-08, 09:28 PM

Quote:

127.0.0.1 domain-here.com.

replace with 127.0.0.1 their-ip.com

And programs don't use hosts file per say. Widnows uses the hosts file to see if it needs to redirect the request somewhere.

petteyg359 · 07-22-08, 10:22 PM

Quote:

Originally Posted by mortimer

Programs don't need to use the hosts file. The hosts file was just a list of names and IP addresses that has been replaced by DNS. The way that I stop programs from accessing the Internet is to use a firewall. Zone Alarm in my case. I'm guessing that other firewalls have the same ability.

Any program needing network access must communicate with the OS network stack. The network stack will communicate with the IP it is given, or if it is given a domain name, will check the local hosts file (whether Windows or other operating system), and only if the name is not found in the hosts file will it check remote DNS servers. Of course it will check cached entries first, hence using ipconfig /flushdns to make sure that it will look in the hosts file. A very easy way to block any program is PeerGuardian. Much less resource-intensive than ZoneAlarm, and does basically the same thing, filters incoming/outgoing connection based on IP. Just make a list of IPs the program is calling, add them to a PG2 list, and enable it as a block list.

hansen · 07-23-08, 06:40 AM

Quote:

Originally Posted by jarthel

BUT it seems the offending program is still able to call home. Somehow it is able to bypass my hosts file. In TcpView, the program is using the domain to call home and not its IP.

You cannot determine from tcpview how the program connects. tcpview will just try and resolve the remote ip to a hostname, if one has been configured.

The program can resolve a name like everybody else, it can have the ip hardcoded, it can manually ask a dns server (bypassing the dns in windows, and therefor the hosts file), ...

petteyg359 · 07-23-08, 10:00 AM

Quote:

Originally Posted by jarthel

I have a software here that like to phone home every so often. Before you say anything, this is a licensed software that has been paid for.

Here, I must say something. The simple act of denying illegal use in the original post is rather suspicious... The fact that you won't tell us what this software is, or the domain it is attempting to connect to, is even more suspicious.

We could probably help more if you'd tell us what software it is. If you can't do that, then most of us are left thinking you're using this forum for a purpose that is against the rules.

=ACID RAIN= · 07-23-08, 10:21 AM

Dude said he bought the software. It could be quicktime pro, or some legit (ha!) porn updater. Either way, he said he paid for it, so who cares about what the software is. Not like you can hack out a fix if it's not open source anyways LOL.

Firewall it, if it somehow bypasses internal DNS/hosts entries.

edit: Or make a dns server on your lan and make a manual entry with a bogus IP. I'd go with option A though.

07-22-08, 08:33 AM	Thread Starter #1
jarthel Member Join Date: Aug 2001	can programs bypass Windows' "hosts" file? I have a software here that like to phone home every so often. Before you say anything, this is a licensed software that has been paid for. Uing tcpview (from sysinternal), I found the software is calling home. I just do not like the fact that it needs to call home now and then and I do not know what data (if any) is passed on to the vendor. so I added the domain to my hosts file. This is the entry I created: 127.0.0.1 domain-here.com. If I view domain-here.com using a browser, I get an error message which is correct since I do not have a webserver running in localhost. BUT it seems the offending program is still able to call home. Somehow it is able to bypass my hosts file. In TcpView, the program is using the domain to call home and not its IP. any ideas (other than install a firewall and blocking the offending domain) on how to prevent the program from calling home? thank you very much
	QUOTE Thanks

07-22-08, 08:47 AM	#2
petteyg359 Join Date: Jul 2004 Location: University of Southern Mississippi	ipconfig /flushdns And how do you domain-here.com in IE is going to 127.0.0.1? Did you check that in your tcpview? The "phone" may be going to a different port, and domain-here.com may not be running on port 80. __________________ MSI 890GXM-G65 - X6 1055T - 16GiB 10700 - 5850 1GiB - 7 Pro x64 / Gentoo amd64 - HX520 Dell XPS 15 L502x - i7 2760QM - 16GiB 12800 - GT 540M 2GiB - 7 Pro x64 / Gentoo amd64 - Agility 4 512GB [GB ≠ GiB] [MB ≠ MiB] [kB ≠ kiB] [1000 ≠ 1024] [Giga ≠ gram] [Mega ≠ milli] [Kelvin ≠ kilo] [Byte ≠ bit] "Apparently, Plaintiff believes that he could sue an egg company for fraud for labeling a carton of 12 eggs a “dozen,” because some bakers would view a “dozen” as including 13 items." - Western Digital 2006
	QUOTE Thanks

07-22-08, 10:50 AM	#3
CGR Member Join Date: Jan 2001 Location: Lower NY	Does the software have an auto update application? May just be checking for updates periodically. __________________ Main System:.................................................. ......................Second System: DFI BloodIron P35-T2RL w/ Q6600 GO@ 3.2 (9x360), 1.4v....DFI Ultra-D w/Opteron 170 @ 2.7 G.skill 4GB (2x2gb).................................................. ..............G.Skill Extreme 2GB (2x1gb) HIS 4850 680/1108.................................................. .............Nvidia 7600GT WD VRaptor 300gb/Seagate 1TB..........................................Raptor 74gb/Seagate 200gb OCZ GameXtreme 600SLI
	QUOTE Thanks

07-22-08, 09:01 PM	#4
mortimer Member Join Date: Mar 2005 Location: Spokane...	Programs don't need to use the hosts file. The hosts file was just a list of names and IP addresses that has been replaced by DNS. The way that I stop programs from accessing the Internet is to use a firewall. Zone Alarm in my case. I'm guessing that other firewalls have the same ability.
	QUOTE Thanks

07-23-08, 10:21 AM	#9
=ACID RAIN= Member Join Date: May 2003 Location: Kingwood, TX	Dude said he bought the software. It could be quicktime pro, or some legit (ha!) porn updater. Either way, he said he paid for it, so who cares about what the software is. Not like you can hack out a fix if it's not open source anyways LOL. Firewall it, if it somehow bypasses internal DNS/hosts entries. edit: Or make a dns server on your lan and make a manual entry with a bogus IP. I'd go with option A though. __________________ MY HEAT \| Websense who? \| Windows lockdown Mine: Q6600 . IP35 Pro . 8GB RAM . Velociraptor 150 . Win7 Enterprise Wife: E6600 . GA-G31M-ES2 . 4GB RAM . Buncha drives . WinXP Pro Domain Controller: E6600 . GA-G31M-S2L . 2GB RAM . 36GB Raptor . 2 x 1.5TB WD Green . 2008 R2 HTPC: E6300 . P5B . 1GB RAM . 320GB . Win7 Enterprise Sandbox 1: Dell Optiplex GX270 SFF (new caps) . 1GB RAM . 120GB . FreeBSD 7.2 Sandbox 2: 3800+ X2. K8N Neo4 (new caps) . 1GB RAM . 4 x 400GB RAID0 . 2008 R2 (WDS, WSUS) Sandbox 3: Opteron 146 . 768MB RAM . 120GB . 2008 R2 (headless, no video, remote only) Laptop: Vostro 1700 . 4GB RAM . Win7 Enterprise
	QUOTE Thanks

can programs bypass Windows' "hosts" file?

Internet Services

Website Development

Tech Hardware

Thread Tools	Search this Thread
Show Printable Version Email this Page	Search this Thread: Advanced Search