Solved

host file becomes empty

Posted on 2016-09-25
18
56 Views
Last Modified: 2016-09-25
Hi all,

We have some Windows 7 Pro users, and we use Symantec for antivirus.

From time to time, the hosts file becomes empty, and this problem happens randomly for any user.
Can you please tell me how to fix this, as it is not clear where the issue is coming from?
Thanks!
Huy
0
Question by:operuac
18 Comments
 
LVL 94

Expert Comment

by:John Hurst
ID: 41815201
First, the file is normally empty except for comments. Is that the state?
Second, to edit, the editor (Notepad, say) must use Run as Administrator for changes to stick. Is this happening?
0
 

Author Comment

by:operuac
ID: 41815205
Hi,

Our company uses the hosts file to resolve many FQDNs instead of a DNS server,
and for some unknown reason it gets wiped out randomly, and we can't seem to narrow down the issue yet.
It is not about whether we can edit it or not; we know we have to run as administrator to save it.

Thanks
Huy
0
 
LVL 94

Expert Comment

by:John Hurst
ID: 41815215
The only other reason I have seen for tampering with the HOSTS file is malware. So try scanning for viruses and malware.

We use HOSTS files as well and have not seen them disappear on us.
0
 

Author Comment

by:operuac
ID: 41815300
No indication of any malware. I still want to get to the bottom of this issue, as I can't narrow it down just yet.
0
 

Expert Comment

by:chris-ce
ID: 41815313
Do you use a Cisco AnyConnect VPN client or some other type of VPN software? If so, those have been known to make hosts file modifications when systems are rebooted or the VPN client is stopped and restarted.

There are also 3rd party malware/spyware scanners that detect changes to your hosts file and can revert it back to a previous condition.
0
 

Author Comment

by:operuac
ID: 41815321
We don't use that Cisco VPN client here.

I really want to narrow down the cause of this problem, as it is becoming bigger and bigger: we have hundreds of users out there and this problem randomly happens on any user.
Please let me know how you would debug this issue.
Thanks
Huy
0
 
LVL 21

Expert Comment

by:CompProbSolv
ID: 41815328
I'd consider a different approach......

Rather than rely on the Hosts file, why not put the entries in your local DNS server?
0
 
LVL 27

Expert Comment

by:Dr. Klahn
ID: 41815334
we use Symantec for antivirus

Well, I'd start by looking there.  I have not yet seen a system with Norton / Symantec on it that works right, and it hooks into all sorts of places in the system where it should not.  I would not be surprised to find that when hosts is updated or modified, Symantec regards it as virus activity and deletes it.
0
 

Author Comment

by:operuac
ID: 41815339
@CompProbSolv: we have a very complex DNS setup here for both the Internal and DMZ networks, and somehow it causes bigger issues if I move all the hosts from the hosts file to the Internal DNS server.

@Dr. Klahn,

That was the first thing I looked at: Symantec. I even logged a tech support call with Symantec, no luck,

but I am still thinking somewhere along that line.
0
 
LVL 27

Expert Comment

by:Dr. Klahn
ID: 41815344
Possibility:  Take ten systems chosen randomly, remove Symantec (this is harder than it sounds, requires special software), install a different antivirus such as AVG Free version.  Monitor those systems to see if the problem occurs there.  Depending on how often it occurs, it might take some time to be confident that this is, or is not, the issue.

hosts should already be set to readonly.  If it is not, set it so.  That may narrow down the field of view to those processes having sufficient privileges to override file protection.
0
 

Author Comment

by:operuac
ID: 41815349
To prove Symantec is the cause is not that easy, as I got Symantec tech support on this call and they did not find anything to do with their product?! I still don't believe them yet! That is why I am asking you guys now...
Tell me how you would debug this if you think it is most likely that Symantec is the cause.

Or tell me how to prove it has nothing to do with Symantec.
Thanks!
Huy
0
 

Author Comment

by:operuac
ID: 41815355
@Dr. Klahn,

Yes, in the Symantec console settings there is an option set to "not to overwrite the hosts file",
and we have to use this as a workaround, but as I said, we will have to update the hosts file often to add more hosts, so we are kind of off and on.
As soon as I turn off the option above, the hosts file gets emptied.
But I still can't prove it is Symantec causing the issue.
0
 
LVL 27

Expert Comment

by:Dr. Klahn
ID: 41815360
As soon as I turn off the option above, the hosts file gets emptied.
But I still can't prove it is Symantec causing the issue.


Well, of course I don't know what level of proof your manager requires for this issue; but I would have to say that you've demonstrated that the problem can be turned on and off with the Symantec setting, and it follows logically that Symantec is the cause.
0
 
LVL 83

Expert Comment

by:Dave Baldwin
ID: 41815363
Since Avast locks my 'hosts' file, I started using 'LMHOSTS' for the same purpose.  It's in the same directory as 'hosts' and seems to be ignored by the security programs.  It's enabled by default apparently on XP and Windows 7.  It's on the Advanced TCP/IP window under WINS.
1
 

Author Comment

by:operuac
ID: 41815375
@Dave, I prefer not to use LMHOSTS, thanks anyway!

@Dr. Klahn,
My reason is: Symantec being the person who unlocks the door (turning off the option "not to overwrite the hosts file") does not mean Symantec goes inside the house and steals things (emptying the hosts file); it could be someone else...
Once you unlock the hosts file, any process including malware can go there and empty the file, not just the Symantec process. This is where I require proof.
0
 
LVL 27

Accepted Solution

by:
Dr. Klahn earned 500 total points
ID: 41815392
Well, you can get absolute proof - but it is a tedious process, it'll chew up a lot of the CPU and disk, and due to the disk requirements it may not run long enough to catch the culprit.

Install Microsoft Process Monitor, watch for the operation SetDispositionInformationFile, Result SUCCESS, detail Delete: True.  Then search those results for the hosts file.
0
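An added example, not part of the original answer: once a Process Monitor capture has been saved as CSV, the filter described above can be applied offline to name the responsible process. It goes beyond the answer's delete filter by also flagging truncation and overwrite events, since a file that "becomes empty" need not have been deleted. The sample rows and process names are constructed, and the column layout is assumed to be Process Monitor's default CSV export.

```python
import csv
import io
import re

HOSTS_SUFFIX = r"\system32\drivers\etc\hosts"

# Constructed rows in Process Monitor's CSV export layout; process names are hypothetical.
SAMPLE = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"9:14:02.10 AM","notepad.exe","4120","ReadFile","C:\Windows\System32\drivers\etc\hosts","SUCCESS","Offset: 0, Length: 824"
"9:31:47.52 AM","example-agent.exe","1788","CreateFile","C:\Windows\System32\drivers\etc\hosts","SUCCESS","Desired Access: Generic Write, Disposition: OverwriteIf"
"9:31:47.53 AM","example-agent.exe","1788","SetEndOfFileInformationFile","C:\Windows\System32\drivers\etc\hosts","SUCCESS","EndOfFile: 0"
"9:40:10.00 AM","cleanup.exe","2304","SetDispositionInformationFile","C:\Windows\System32\drivers\etc\hosts","ACCESS DENIED","Delete: True"
"9:40:11.00 AM","cleanup.exe","2304","SetDispositionInformationFile","C:\Temp\hosts.bak","SUCCESS","Delete: True"
"9:55:03.77 AM","sync-tool.exe","3012","SetDispositionInformationFile","C:\Windows\System32\drivers\etc\hosts","SUCCESS","Delete: True"
'''

def classify(row):
    """Return 'delete', 'truncate', 'overwrite' or None for one Procmon row."""
    if row["Result"] != "SUCCESS":
        return None  # failed attempts did not change the file
    if not row["Path"].lower().endswith(HOSTS_SUFFIX):
        return None
    op, detail = row["Operation"], row["Detail"].lower()
    if op == "SetDispositionInformationFile" and "delete: true" in detail:
        return "delete"  # the filter given in the answer above
    if op == "SetEndOfFileInformationFile" and re.search(r"endoffile: 0\s*$", detail):
        return "truncate"  # file length set to zero
    if op == "CreateFile" and re.search(r"disposition: (overwrite|supersede)", detail):
        return "overwrite"  # opened in a mode that discards existing content
    return None

def find_culprits(csv_text):
    """Return (time, process, pid, kind) for every destructive event on hosts."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        kind = classify(row)
        if kind:
            hits.append((row["Time of Day"], row["Process Name"], row["PID"], kind))
    return hits

def scan_export(path):
    # utf-8-sig drops the byte-order mark if the export starts with one.
    with open(path, encoding="utf-8-sig", newline="") as fh:
        return find_culprits(fh.read())

if __name__ == "__main__":
    for hit in find_culprits(SAMPLE):
        print(*hit)
```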
 

Author Comment

by:operuac
ID: 41815417
@Dr. Klahn

The above instruction was the one I was looking for. The challenge is to pick the right desktop to install it on; as I said, I have hundreds of desktops and it happens randomly, so it could be months until I am lucky enough to have it happen on the desktop that I am monitoring....
Anyway, it is a good recommendation there, I will give it a go. Thank you!
0
 

Author Closing Comment

by:operuac
ID: 41815419
Very good answer! Thanks a lot for your time!
0


Question has a verified solution.
