I use the hosts file to block some websites from resolving and it has never failed me before. Today I noticed a few Microsoft addresses completely ignore the hosts file, such as windowsupdate.com, microsoft.com, etc. (also including the www prefix). They are still making connections. It seems only something like PeerBlock can block them successfully (though only by IP). I've tried flushing the DNS cache through ipconfig, and disabled Firefox's DNS cache as well. I've even tried restarting after hosts changes just in case. No matter what I do, as long as svchost.exe is allowed in the firewall (even just UDP port 53) the Microsoft sites will not be blocked. Every other non-Microsoft site is blocked/redirected properly. Anybody else have this problem, or is something overriding certain Microsoft host entries? [Edit: Yes, Microsoft hardcodes a list of domains into certain DLLs which cannot be blocked through the hosts file. The domains can be added to a 3rd-party software firewall, router firewall, or the DLLs themselves could possibly be patched — see below for more details.]
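An added audit script (not from this thread) that checks which hosts-file entries the OS resolver actually honours: it parses the hosts file, resolves every pinned name through the system resolver, and reports names that still come back with addresses other than the pinned ones, which is exactly the bypass symptom described above. The hosts text embedded here is constructed for the demo; the Windows path and `getaddrinfo` behaviour are real, and `resolve` is injectable so the check can run offline.

```python
import ipaddress
import socket

# Constructed sample hosts-file content (not copied from a real machine).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0         www.microsoft.com microsoft.com   # vendor domains
0.0.0.0         example.net
::1             localhost
"""

WINDOWS_HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"


def parse_hosts(text):
    """Return {hostname: {pinned addresses}} from hosts-file text.

    Handles comments, blank lines, several names per line and IPv6 entries;
    lines whose first token is not an IP address are skipped as malformed.
    """
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        for name in parts[1:]:
            mapping.setdefault(name.lower(), set()).add(str(addr))
    return mapping


def system_resolver(name):
    """Resolve a name through the OS (honours the hosts file unless bypassed)."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except socket.gaierror:
        return set()


def find_bypassed(hosts_text, resolve=system_resolver):
    """Return {name: [unexpected addresses]} for pinned names the resolver ignores.

    A name that fails to resolve at all is not reported: the block is effective.
    """
    bypassed = {}
    for name, pinned in parse_hosts(hosts_text).items():
        actual = resolve(name)
        if actual and not actual <= pinned:
            bypassed[name] = sorted(actual - pinned)
    return bypassed


if __name__ == "__main__":
    with open(WINDOWS_HOSTS_PATH, encoding="utf-8", errors="replace") as fh:
        for host, addrs in find_bypassed(fh.read()).items():
            print(f"BYPASSED {host} -> {', '.join(addrs)}")
```

Run it with svchost.exe allowed through the firewall, as in the question, and the names it prints are the ones whose resolution is not going through the hosts file.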
Were any of them Microsoft-owned domains? I route them to 0.0.0.0, which is quicker, but neither have any effect.
This is on purpose. They had to make sure malware couldn't block your system from getting updates and monthly malware scans.
Block the URL and addresses with your router. I do that to avoid editing the Hosts file on every PC that I own.
As if their updates could ever clean an already infected system. It's just so they can keep up their spying.
What's the workaround for this for users who know what they're doing (so malware threats aren't an issue, we just want MS sites blocked)?
I found 22 hardcoded domains in the DLL (can't list them here because I don't have enough posts), which is totally manageable in my router's firewall. Done and dusted. I might look at patching the DLL later. Thanks a lot!
Just recently observed connections to ctldl.windowsupdate[.]com even with it blocked in hosts. Any idea where that one's whitelisted? Because it's not in dnsapi.dll. In any case, another one added to the router firewall.
I think ctldl is the certificate trust list (CTL): ctldl.windowsupdate[.]com/msdownload/update/v3/static/trustedr/en/authrootstl.cab. Great job on all these posts, by the way. I'm trying to log every connection myself; I will also post my findings.
I know what it is, but I'm curious to know where it's being whitelisted from (i.e., bypassing hosts file entries), similar to the dnsapi.dll list.
OK, so it seems those hosts are constantly resolving to different IPs and my router can't update them fast enough, so it's kinda like playing whac-a-mole in the firewall (one minute something's blocked, the next it's not, until it decides to resolve the new IPs). I see two options here: look into a better software firewall, though I really don't want all the extra bloat; or block by IP—tedious and time consuming, but doable I suppose. I don't know how surefire that method would be. For now I'm using Fiddler's host remapper to block them, and it's working perfectly, but that's not even the intended purpose of that program. If anybody has a better suggestion for a simple host blocker I'd like to hear it.