Microsoft's security software modifies HOSTS file

Windows 8, set for release on 26 October, automatically deletes entries in the HOSTS file for specific domains. Try, for example, to prevent attempts to access Facebook.com, Twitter.com or ad servers such as ad.doubleclick.net by rerouting them to 127.0.0.1 by adding entries to the HOSTS file and the relevant entries will soon disappear from the HOSTS file as if by magic, leaving nothing but an empty line. The effect does not occur for other domains, such as The H's sister site heise.de, however.

The agent behind this phenomenon turns out to be the Windows Defender security program, which is preinstalled and enabled by default on new installations of Windows. The cause quickly becomes clear on inspecting Defender's history, accessed from the start menu by entering "Defender" and clicking on the history tab. Defender is convinced it's uncovered a potentially malicious modification of the HOSTS file and thus records 'SettingsModifier:Win32/PossibleHostsFileHijack'. Microsoft Security Essentials (MSE) in older versions of Windows also takes care to reset entries for these domains. This is not particularly surprising, since Windows Defender in Windows 8 is essentially just a rebranded version of MSE.