Microsoft has added a small change for Windows 10 users. If you use the HOSTS file to block telemetry or Windows 10 updates, we have some bad news for you.
Microsoft Defender will flag it as malicious and display "critical" warnings.
Windows 10 is already known not to honor HOSTS file entries that block the addresses of specific Windows servers, so the change in Microsoft Defender's behavior was probably to be expected.
The HOSTS file can be modified with any text editor, but the editor must be started with administrator privileges. The file is in a system folder, so applications without administrator privileges will not be able to save it.
The HOSTS file consists of lines of text. Each line must include an IP address in the first column followed by one or more hostnames. The text columns are separated by a space.
Lines starting with the # character are not read by the operating system.
So if you put Microsoft servers in the HOSTS file and point them to the loopback address 127.0.0.1, you will stop the operating system from accessing the actual servers.
This is where Microsoft Defender steps in: it prevents you from saving the file and shows a warning dialog.
Note: SettingsModifier:Win32/HostsFileHijack is a new category of its own for the modified file. It seems that Microsoft recently updated its Microsoft Defender definitions to detect when its servers are added to the HOSTS file.
According to BleepingComputer, the following HOSTS entries will trigger the detection:
If you decide to clear this "threat" with Microsoft Defender, it will restore the HOSTS file to its default contents.
Modifying the HOSTS file is not a good idea anyway, especially if it is done improperly or by malware.
However, for users who really know what they are doing, it is a great way to leave less control of their operating system in the hands of Microsoft, while protecting their privacy.
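To see in advance which entries in a HOSTS file override Microsoft hostnames, the format described above can be parsed and audited with a short script. This is an added example, not code from Microsoft or BleepingComputer; the watched domain suffixes and the sample file are assumptions constructed for illustration and are not Defender's actual detection list.

```python
import ipaddress

# Assumption: illustrative watch list, NOT Microsoft Defender's real detection list.
WATCHED_SUFFIXES = ("microsoft.com", "windowsupdate.com", "windows.com")

def parse_hosts(text):
    """Yield (line_no, ip, hostnames) for every active entry in HOSTS-format text."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment, also mid-line
        fields = line.split()
        if len(fields) < 2:
            continue  # blank, comment-only, or an address with no hostname
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first column is not an IP address: not a valid entry
        yield line_no, ip, [h.lower().rstrip(".") for h in fields[1:]]

def is_watched(host):
    """True for a watched domain or any subdomain of it (not mere substrings)."""
    return any(host == s or host.endswith("." + s) for s in WATCHED_SUFFIXES)

def audit_hosts(text):
    """Return (line_no, ip, host, kind) for each watched hostname that is overridden."""
    findings = []
    for line_no, ip, hosts in parse_hosts(text):
        # Loopback / 0.0.0.0 means "blocked"; any other address silently reroutes traffic.
        kind = "sinkholed" if ip.is_loopback or ip.is_unspecified else "redirected"
        findings += [(line_no, str(ip), h, kind) for h in hosts if is_watched(h)]
    return findings

# Constructed sample input (not taken from the article or from a real machine).
SAMPLE = """\
# Constructed sample HOSTS file
127.0.0.1 localhost
127.0.0.1 telemetry.microsoft.com   # inline comment
0.0.0.0 www.microsoft.com update.windowsupdate.com
#127.0.0.1 commented.microsoft.com
192.168.1.10 intranet.example.local
127.0.0.1 notmicrosoft.com
::1 Settings.Windows.com.
203.0.113.7 login.microsoft.com
"""

if __name__ == "__main__":
    for line_no, ip, host, kind in audit_hosts(SAMPLE):
        print(f"line {line_no}: {host} -> {ip} ({kind})")
```

Entries marked "redirected" deserve the closest look, since an override pointing to a routable address is what a malicious modification would use rather than a privacy block.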