Bug: "Hosts file" blocked domain names keep changing under "apps"

I notice the domain name changes multiple times, sometimes within the same session, without rebooting the computer, and other times when rebooting the computer, for domains that are blocked by a hosts file. Identical domain blocked host names are displayed under multiple apps… so it is impossible to know what domain the app was trying to call home to.

Is there any way for glasswire to note the original domain?

For example, it erroneously claims windows firewall control was connecting to an nvidia domain; previously, in the same place, the domain was mtalk . google . com

Just to clarify, upon reboot it will show a different domain in place of nvidia's domain. So one cannot determine what potentially malicious domain was calling home.

Perhaps glasswire is attributing the most recent domain blocked by the hosts file via the IP address associated with the hosts file, e.g. 0.0.0.0. I would like to see glasswire keep track of host-blocked domains properly; then people will have an idea of what was trying to call home to a malicious domain, without it actually calling home.

Example #4: the domain changed yet again for Ucheck, from service.gfe.nvidia.com to the cloudfront domain. Please fix this.

@zatz

If you go to our top left menu and choose “About” what version of GlassWire do you have?

If you go to our settings (top left menu) is “Look up dns” checked? I’d leave it unchecked if possible. Please confirm your settings there, it will help me diagnose the issue.

Mainly I need to know what version of GlassWire you have. Then I can share this info with our team and they can suggest how this could be possible. Do you use any unusual network-wide monitoring software or blocking services?

1 Like

2.2.201. What you will find is that glasswire records the original domain that was blocked initially, but then, if another domain in the same or another app points to the same host-blocked IP (e.g. 0.0.0.0 or 192.168.50.2), the displayed domain name will rotate and change to the last known blocked domain associated with that IP address, globally under every app and list in glasswire.

I use WFC (frontend GUI for windows firewall) and glasswire at the same time.

I do not have any of those options enabled; it's just a standard setup.

Patch My PC does not generally connect to nvidia telemetry; you will see the IP for the domain points to 192.168.50.2, the hosts block on my router, which is technically no different from using a windows hosts file. I don't know what it's trying to call home to, thanks to the buggy interface in glasswire.

Given glasswire changes the domain dynamically according to the IP, this would also happen to domains hosted on the same server, which is why, if you visit www.timesofisrael.com after you run a windows update, glasswire would erroneously show svchost.exe pointing to timesofisrael.com, because they are often both hosted on the same IP, intermittently.

Jun  3 03:43:07 dnsmasq[5353]: 345 192.168.50.241/61534 query[A] ctldl.windowsupdate.com from 192.168.50.241
Jun  3 03:43:07 dnsmasq[5353]: 345 192.168.50.241/61534 forwarded ctldl.windowsupdate.com to 127.0.1.1
Jun  3 03:43:07 dnsmasq[5353]: 345 192.168.50.241/61534 reply ctldl.windowsupdate.com is <CNAME>
Jun  3 03:43:07 dnsmasq[5353]: 345 192.168.50.241/61534 reply audownload.windowsupdate.nsatc.net is <CNAME>
Jun  3 03:43:07 dnsmasq[5353]: 345 192.168.50.241/61534 reply au.download.windowsupdate.com.hwcdn.net is <CNAME>
Jun  3 03:43:07 dnsmasq[5353]: 345 192.168.50.241/61534 reply cds.d2s7q6s2.hwcdn.net is 205.185.216.10
Jun  3 03:43:07 dnsmasq[5353]: 345 192.168.50.241/61534 reply cds.d2s7q6s2.hwcdn.net is 205.185.216.42

Jun  4 23:21:25 dnsmasq[7396]: 11517 192.168.50.241/54706 query[A] timesofisrael.com from 192.168.50.241
Jun  4 23:21:25 dnsmasq[7396]: 11517 192.168.50.241/54706 forwarded timesofisrael.com to 127.0.1.1
Jun  4 23:21:26 dnsmasq[7396]: 11518 192.168.50.241/54707 reply timesofisrael.com is 205.185.216.10
Jun  4 23:21:26 dnsmasq[7396]: 11518 192.168.50.241/54707 reply timesofisrael.com is 205.185.216.42

Jun  2 00:21:25 dnsmasq[10930]: query[A] dl.delivery.mp.microsoft.com from 192.168.50.241
Jun  2 00:21:25 dnsmasq[10930]: cached dl.delivery.mp.microsoft.com is <CNAME>
Jun  2 00:21:25 dnsmasq[10930]: cached 2-01-3cf7-000c.cdx.cedexis.net is <CNAME>
Jun  2 00:21:25 dnsmasq[10930]: cached cds.p9u4n2q3.hwcdn.net is 205.185.216.42
Jun  2 00:21:25 dnsmasq[10930]: cached cds.p9u4n2q3.hwcdn.net is 205.185.216.10

My initial thought was, wow, I didn't realize Mossad was so clever… my PC must be compromised. It took me a bit of trial and error until I realized what was really going on.
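As an added illustration of the many-to-one mapping described in this post (example code written for this page, not GlassWire's code or the poster's), the script below replays the dnsmasq lines quoted above, plus four constructed lines for a hosts-style sinkhole answer (the `config` source tag and the `blocked-*.example` names are assumed), and contrasts two ways of attributing a connection to a name. The naive table keys on the IP alone and keeps the last name seen resolving to it, which is the behaviour the post hypothesises; the journal instead keeps, per client and per answer, the name the client actually asked for, so a later lookup for "who resolved 205.185.216.10 for this client before 03:45" still returns the Windows Update name. The time-based join assumes a single resolver log stream (syslog lines carry no year, so a placeholder year is used for ordering); with `log-queries=extra` one would join on the query id instead.

```python
import re
from datetime import datetime

# Shapes of the dnsmasq lines quoted in the thread. The "<id> <client>/<port>"
# prefix only exists with log-queries=extra, so it is optional. "config" is the
# source tag assumed for address= / hosts-style answers (constructed lines below).
_LINE = re.compile(
    r"^(?P<stamp>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) "
    r"dnsmasq\[\d+\]: (?:\d+ \S+ )?(?P<body>.*)$"
)
_QUERY = re.compile(r"^query\[\w+\] (?P<name>\S+) from (?P<client>\S+)$")
_ANSWER = re.compile(r"^(?:reply|cached|config) (?P<name>\S+) is (?P<value>\S+)$")

# Lines quoted in the post, followed by four constructed sinkhole lines.
LOG = """\
Jun  3 03:43:07 dnsmasq[5353]: 345 192.168.50.241/61534 query[A] ctldl.windowsupdate.com from 192.168.50.241
Jun  3 03:43:07 dnsmasq[5353]: 345 192.168.50.241/61534 forwarded ctldl.windowsupdate.com to 127.0.1.1
Jun  3 03:43:07 dnsmasq[5353]: 345 192.168.50.241/61534 reply ctldl.windowsupdate.com is <CNAME>
Jun  3 03:43:07 dnsmasq[5353]: 345 192.168.50.241/61534 reply cds.d2s7q6s2.hwcdn.net is 205.185.216.10
Jun  3 03:43:07 dnsmasq[5353]: 345 192.168.50.241/61534 reply cds.d2s7q6s2.hwcdn.net is 205.185.216.42
Jun  4 23:21:25 dnsmasq[7396]: 11517 192.168.50.241/54706 query[A] timesofisrael.com from 192.168.50.241
Jun  4 23:21:26 dnsmasq[7396]: 11518 192.168.50.241/54707 reply timesofisrael.com is 205.185.216.10
Jun  4 23:21:26 dnsmasq[7396]: 11518 192.168.50.241/54707 reply timesofisrael.com is 205.185.216.42
Jun  2 00:21:25 dnsmasq[10930]: query[A] dl.delivery.mp.microsoft.com from 192.168.50.241
Jun  2 00:21:25 dnsmasq[10930]: cached dl.delivery.mp.microsoft.com is <CNAME>
Jun  2 00:21:25 dnsmasq[10930]: cached cds.p9u4n2q3.hwcdn.net is 205.185.216.42
Jun  2 00:21:25 dnsmasq[10930]: cached cds.p9u4n2q3.hwcdn.net is 205.185.216.10
Jun  5 10:00:00 dnsmasq[7396]: query[A] blocked-one.example from 192.168.50.241
Jun  5 10:00:00 dnsmasq[7396]: config blocked-one.example is 192.168.50.2
Jun  5 10:00:05 dnsmasq[7396]: query[A] blocked-two.example from 192.168.50.241
Jun  5 10:00:05 dnsmasq[7396]: config blocked-two.example is 192.168.50.2
"""


def stamp_to_ts(stamp):
    """Turn a syslog stamp like 'Jun  3 03:43:07' into a datetime (placeholder year)."""
    return datetime.strptime("2000 " + " ".join(stamp.split()), "%Y %b %d %H:%M:%S")


def parse_line(line):
    """Return a query or final-address answer event, or None for anything else."""
    m = _LINE.match(line)
    if not m:
        return None
    ts = stamp_to_ts(m["stamp"])
    q = _QUERY.match(m["body"])
    if q:
        return {"ts": ts, "kind": "query", "name": q["name"], "client": q["client"]}
    a = _ANSWER.match(m["body"])
    if a and a["value"] != "<CNAME>":  # skip CNAME hops, keep the final A answer
        return {"ts": ts, "kind": "answer", "name": a["name"], "ip": a["value"]}
    return None


def build_tables(log_text):
    """Replay the log in time order and build both attribution tables.

    naive:   ip -> name of the most recent answer for that ip (last writer wins).
    journal: (ts, client, queried_name, ip) per final answer, tied to the client's
             preceding query rather than to the answer's own (CNAME target) name.
    """
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])  # stable sort keeps same-second order
    naive, journal, last_query = {}, [], None
    for e in events:
        if e["kind"] == "query":
            last_query = e
        else:
            naive[e["ip"]] = e["name"]
            if last_query is not None:
                journal.append((e["ts"], last_query["client"], last_query["name"], e["ip"]))
    return naive, journal


def attribute(journal, ip, client, when):
    """Name this client most recently resolved to `ip` at or before `when`, else None."""
    hits = [name for ts, c, name, i in journal if c == client and i == ip and ts <= when]
    return hits[-1] if hits else None


if __name__ == "__main__":
    naive, journal = build_tables(LOG)
    client = "192.168.50.241"
    for ip in ("205.185.216.10", "192.168.50.2"):
        print(f"{ip}: last-writer-wins shows {naive[ip]}")
    print("Jun 3 03:45 connection to 205.185.216.10 was for",
          attribute(journal, "205.185.216.10", client, stamp_to_ts("Jun  3 03:45:00")))
    print("Jun 5 10:00:02 connection to 192.168.50.2 was for",
          attribute(journal, "192.168.50.2", client, stamp_to_ts("Jun  5 10:00:02")))
```

Run as-is, the naive table reports `timesofisrael.com` for 205.185.216.10 and `blocked-two.example` for 192.168.50.2 regardless of when or by which process the connection happened, which is the symptom in the thread; the journal lookup keyed on client, IP and time recovers `ctldl.windowsupdate.com` and `blocked-one.example` for the two earlier connections. A monitor that wants to stay correct under hosts-file sinkholes and shared CDN addresses has to record the queried name at resolve time per process or connection, not overwrite a global per-IP label.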

@zatz

This should be solved now. The solution is here with our latest update. Thanks for your report!

1 Like