Yesterday, one guy wrote me a mail stating that his antivirus complains about the hosts file being infected.
The only script that touches the hosts file is block-telemetry.ps1 and it only uses Out-File with the append flag. My guess is that malware commonly patches the hosts file to prevent system or antivirus updates. And now the antivirus triggers if it detects that the hostsfile has been altered in a similar fashion by the scripts. Therefore I'd count this as a false-positive.
Let me know if anyone has additional information regarding this topic.
W4RH4WK
commented
4 years ago
Yesterday, one guy wrote me a mail stating that his antivirus complains about the hosts file being infected.
The only script that touches the hosts file is
block-telemetry.ps1and it only usesOut-Filewith the append flag. My guess is that malware commonly patches the hosts file to prevent system or antivirus updates. And now the antivirus triggers if it detects that the hostsfile has been altered in a similar fashion by the scripts. Therefore I'd count this as a false-positive.Let me know if anyone has additional information regarding this topic.