Solved

host file becomes empty

Posted on 2016-09-25
Last Modified: 2016-09-25
Hi all,

We have some Windows 7 Pro users, and we use Symantec for antivirus.

From time to time, the hosts file becomes empty, and this problem happens randomly for any user.
Can you please tell me how to fix this, as it is not clear where the issue is coming from?
Thanks!
Huy
Question by:operuac
18 Comments
 
LVL 90

Expert Comment

by:John Hurst
ID: 41815201
First, the file is normally empty except for comments. Is that the state?
Second, to edit, the editor (Notepad, say) must use Run as Administrator for changes to stick. Is this happening?
0
 

Author Comment

by:operuac
ID: 41815205
Hi

Our company uses the hosts file to resolve many FQDNs instead of a DNS server,
and for some unknown reason it gets wiped out randomly, and we can't seem to narrow down the issue yet.
It is not about whether we can edit it or not; we know we have to run as administrator to save it.

thanks
Huy
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 41815215
The only other reason I have seen for tampering with the HOSTS file is malware. So try scanning for viruses and malware.

We use HOSTS files as well and have not seen them disappear on us.
0
 

Author Comment

by:operuac
ID: 41815300
No indication of any malware. I still want to get to the bottom of this issue, as I can't narrow it down just yet.
0
 

Expert Comment

by:chris-ce
ID: 41815313
Do you use a Cisco AnyConnect VPN client or some other type of VPN software? If so, those have been known to make hosts file modifications when systems are rebooted or the VPN client is stopped and restarted.

There are also 3rd party malware/spyware scanners that detect changes to your hosts file and can revert it back to a previous condition.
0
 

Author Comment

by:operuac
ID: 41815321
We don't use that Cisco VPN client here.

I really want to narrow down the cause of this problem, as it is becoming bigger and bigger: we have hundreds of users out there, and this problem randomly happens to any user.
Please let me know how you debug this issue.
Thanks
Huy
0
 
LVL 20

Expert Comment

by:CompProbSolv
ID: 41815328
I'd consider a different approach...

Rather than rely on the Hosts file, why not put the entries in your local DNS server?
0
 
LVL 23

Expert Comment

by:Dr. Klahn
ID: 41815334
we use Symantec for antivirus

Well, I'd start by looking there.  I have not yet seen a system with Norton / Symantec on it that works right, and it hooks into all sorts of places in the system where it should not.  I would not be surprised to find that when hosts is updated or modified, Symantec regards it as virus activity and deletes it.
0
 

Author Comment

by:operuac
ID: 41815339
@CompProbSolv: we have a very complex DNS setup here for both the internal and DMZ networks, and somehow it causes bigger issues if I move all the hosts from the hosts file to the internal DNS server.

@Dr. Klahn,

That was the first thing I looked at, Symantec. I even logged a tech support call with Symantec, no luck,

but I am still thinking somewhere along that line.
0

 
LVL 23

Expert Comment

by:Dr. Klahn
ID: 41815344
Possibility:  Take ten systems chosen randomly, remove Symantec (this is harder than it sounds, requires special software), install a different antivirus such as AVG Free version.  Monitor those systems to see if the problem occurs there.  Depending on how often it occurs, it might take some time to be confident that this is, or is not, the issue.

hosts should already be set to readonly.  If it is not, set it so.  That may narrow down the field of view to those processes having sufficient privileges to override file protection.
0
 

Author Comment

by:operuac
ID: 41815349
To prove Symantec is the cause is not that easy, as I got Symantec tech support on this call and they did not find anything to do with their product?! I still don't believe them yet! That is why I am asking you guys now...
Tell me how you would debug this if you think Symantec is most likely the cause.

Or tell me how to prove it has nothing to do with Symantec.
Thanks!
Huy
0
 

Author Comment

by:operuac
ID: 41815355
@Dr. Klahn,

Yes, in the Symantec console settings there is an option set to "not to overwrite the hosts file",
and we have to use this as a workaround, but as I said, we have to update the hosts file often to add more hosts, so we are kind of off and on.
As soon as I turn off the option above, the hosts file gets empty.
But I still can't prove it is Symantec causing the issue.
0
 
LVL 23

Expert Comment

by:Dr. Klahn
ID: 41815360
as soon as I turn off the option above, the hosts file gets empty.
but I still can't prove it is Symantec causing the issue.


Well, of course I don't know what level of proof your manager requires for this issue; but I would have to say that you've demonstrated that the problem can be turned on and off with the Symantec setting, and it follows logically that Symantec is the cause.
0
 
LVL 82

Expert Comment

by:Dave Baldwin
ID: 41815363
Since Avast locks my 'hosts' file, I started using 'LMHOSTS' for the same purpose.  It's in the same directory as 'hosts' and seems to be ignored by the security programs.  It's enabled by default apparently on XP and Windows 7.  It's on the Advanced TCP/IP window under WINS.
1
 

Author Comment

by:operuac
ID: 41815375
@Dave, I preferred not to use LMHOSTS, thanks anyway!

@Dr. Klahn,
My reasoning is: Symantec being the person who unlocks the door (turning off the option "not to overwrite the hosts file") does not mean Symantec goes inside the house and steals things (emptying the hosts file); it could be someone else...
Once you unlock the hosts file, any process, including malware, can go there and empty the file, not just the Symantec process. This is where I require proof.
0
 
LVL 23

Accepted Solution

by:
Dr. Klahn earned 500 total points
ID: 41815392
Well, you can get absolute proof - but it is a tedious process, it'll chew up a lot of the CPU and disk, and due to the disk requirements it may not run long enough to catch the culprit.

Install Microsoft Process Monitor, watch for the operation SetDispositionInformationFile, Result SUCCESS, detail Delete: True.  Then search those results for the hosts file.
0
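The Process Monitor approach from the accepted answer, as an added example that is not part of any post in this thread: a PowerShell filter over a Procmon CSV export that goes beyond the delete operation named in the answer and also flags truncations, overwriting opens, renames and writes, since a hosts file that ends up empty rather than missing may never have been deleted. The function name, the sample rows and the process names in them are constructed for illustration.

```powershell
# Added example: triage a Process Monitor CSV export for operations that can
# delete, truncate, overwrite or rename the hosts file.
# $sampleCsv is constructed sample data; the process names are hypothetical.
# For a real capture: $records = Import-Csv 'C:\path\to\Logfile.CSV'
$sampleCsv = @'
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:14:01.1000000 AM","example-agent.exe","2140","CreateFile","C:\Windows\System32\drivers\etc\hosts","SUCCESS","Desired Access: Generic Write, Read Attributes, Disposition: OverwriteIf, Options: Synchronous IO Non-Alert"
"10:14:01.1000400 AM","example-agent.exe","2140","SetEndOfFileInformationFile","C:\Windows\System32\drivers\etc\hosts","SUCCESS","EndOfFile: 0"
"10:14:07.5000000 AM","notepad.exe","3312","ReadFile","C:\Windows\System32\drivers\etc\hosts","SUCCESS","Offset: 0, Length: 824"
"10:15:30.2000000 AM","example-tool.exe","4020","SetDispositionInformationFile","C:\Windows\System32\drivers\etc\hosts","SUCCESS","Delete: True"
"10:15:31.0000000 AM","example-tool.exe","4020","WriteFile","C:\Temp\scratch.txt","SUCCESS","Offset: 0, Length: 12"
'@

function Find-HostsFileModification {
    param([Parameter(Mandatory = $true)] [object[]] $Records)

    foreach ($r in $Records) {
        # Keep only successful operations whose target is the hosts file itself
        # (-match is case-insensitive; the $ anchor excludes hosts.ics, hosts.bak, ...)
        if ($r.Result -ne 'SUCCESS') { continue }
        if ($r.Path -notmatch '\\drivers\\etc\\hosts$') { continue }

        $reason = switch -Regex ($r.Operation) {
            '^SetDispositionInformationFile$' { if ($r.Detail -match 'Delete:\s*True') { 'delete' } }
            '^SetEndOfFileInformationFile$'   { 'size change' }
            '^SetRenameInformationFile$'      { 'hosts renamed away' }
            '^WriteFile$'                     { 'write' }
            '^CreateFile$' {
                if ($r.Detail -match 'Disposition:\s*(Overwrite|OverwriteIf|Supersede)\b') { 'open with overwrite' }
            }
        }
        if ($reason) {
            New-Object PSObject -Property @{
                Time = $r.'Time of Day'; Process = $r.'Process Name'; PID = $r.PID
                Operation = $r.Operation; Reason = $reason; Detail = $r.Detail
            }
        }
    }
}

$records = $sampleCsv | ConvertFrom-Csv
Find-HostsFileModification -Records $records |
    Select-Object Time, Process, PID, Operation, Reason, Detail | Format-List
```

A replacement done by renaming a temporary file onto hosts is recorded with the temporary file in the Path column, so it does not appear in this output and has to be found by searching the Detail column for the hosts path.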
 

Author Comment

by:operuac
ID: 41815417
@Dr. Klahn

The above instruction was the one I was looking for. The challenge is to pick the right desktop to install it on; as I said, I have hundreds of desktops and it happens randomly, so it could be months until I am lucky enough to have it happen on the desktop that I am monitoring...
Anyway, it is a good recommendation, I will give it a go. Thank you!
0
 

Author Closing Comment

by:operuac
ID: 41815419
Very good answer! Thanks a lot for your time!
0
