Windows security thinks that hosts file is infected is this normal?

[ddddffffasdda]

It says SettingsModifier:Win32/PossibleHostsFileHijack

Affected items:
file: C:\Windows\System32\drivers\etc\hosts

[cptnbrando]

This is normal. ReviOS adds the following items to your hosts file, which lives at C:\Windows\System32\drivers\etc\hosts

These values block all connections to the listed URLs, making it impossible to connect to them from any app (unless you're a magical app like Windows Defender which sometimes bypasses the hosts file for updates it deems "critical")

0.0.0.0 browser.pipe.aria.microsoft.com
0.0.0.0 dmd.metaservices.microsoft.com
0.0.0.0 ris.api.iris.microsoft.com
0.0.0.0 teams.events.data.microsoft.com
0.0.0.0 telecommand.telemetry.microsoft.com
0.0.0.0 telemetry.microsoft.com
0.0.0.0 vortex-win.data.microsoft.com
0.0.0.0 watson.events.data.microsoft.com
0.0.0.0 activity.windows.com
#0.0.0.0 browser.events.data.microsoft.com - breaks Visual Studio Download page
0.0.0.0 outlookads.live.com

Windows Error Reporting

https://learn.microsoft.com/en-us/troubleshoot/windows-client/system-management-components/windows-error-reporting-diagnostics-enablement-guidance#configure-network-endpoints-to-be-allowed

0.0.0.0 watson.microsoft.com
0.0.0.0 watson.telemetry.microsoft.com
0.0.0.0 umwatsonc.events.data.microsoft.com
0.0.0.0 ceuswatcab01.blob.core.windows.net
0.0.0.0 ceuswatcab02.blob.core.windows.net
0.0.0.0 eaus2watcab01.blob.core.windows.net
0.0.0.0 eaus2watcab02.blob.core.windows.net
0.0.0.0 weus2watcab01.blob.core.windows.net
0.0.0.0 weus2watcab02.blob.core.windows.net

DiagTrack/Telemetry

0.0.0.0 events-sandbox.data.microsoft.com
0.0.0.0 events.data.microsoft.com
0.0.0.0 v10.events.data.microsoft.com
0.0.0.0 v20.events.data.microsoft.com
0.0.0.0 v10c.events.data.microsoft.com
0.0.0.0 v10.vortex-win.data.microsoft.com
0.0.0.0 eu-v10.events.data.microsoft.com
0.0.0.0 eu-v20.events.data.microsoft.com
0.0.0.0 au.vortex-win.data.microsoft.com
0.0.0.0 au-v10.events.data.microsoft.com
0.0.0.0 au-v20.events.data.microsoft.com
0.0.0.0 uk.vortex-win.data.microsoft.com
0.0.0.0 uk-v20.events.data.microsoft.com
0.0.0.0 us-v10.events.data.microsoft.com
0.0.0.0 us-v20.events.data.microsoft.com
0.0.0.0 us4-v20.events.data.microsoft.com
0.0.0.0 us5-v20.events.data.microsoft.com
0.0.0.0 pipe.dev.trafficmanager.net
0.0.0.0 in-v10.events.data.microsoft.com
0.0.0.0 in-v20.events.data.microsoft.com
0.0.0.0 jp-v10.events.data.microsoft.com
0.0.0.0 jp-v20.events.data.microsoft.com

Brave

0.0.0.0 p3a.brave.com
0.0.0.0 p2a.brave.com
0.0.0.0 p3a-json.brave.com
0.0.0.0 p2a-json.brave.com

0.0.0.0 laptop-updates.brave.com

0.0.0.0 variations.brave.com

0.0.0.0 cr.brave.com
0.0.0.0 star-randsrv.bsg.brave.com

Visual Studio / VSCode

0.0.0.0 vortex.data.microsoft.com
0.0.0.0 dc.services.visualstudio.com
0.0.0.0 visualstudio-devdiv-c2s.msedge.net
0.0.0.0 az667904.vo.msecnd.net
0.0.0.0 scus-breeziest-in.cloudapp.net
0.0.0.0 nw-umwatson.events.data.microsoft.com
0.0.0.0 mobile.events.data.microsoft.com

It may add or not add some of these depending on the apps you choose, like I chose Brave and not Firefox.

[HarryVasanth]

As @cptnbrando mentioned, this is completely normal and is a false positive.

ReviOS intentionally modifies your system's hosts file to enhance privacy. It does this by routing various telemetry, tracking, and diagnostic endpoints (from Microsoft, Windows Error Reporting, Brave, Visual Studio, etc.) to the 0.0.0.0 IP address, which effectively blocks your system from communicating with them.

Tip

Because malicious software also frequently modifies the hosts file to redirect web traffic, Windows Defender flags any unexpected changes to this file as a SettingsModifier:Win32/PossibleHostsFileHijack as a precaution.

In the context of the ReviOS playbook, this modification is intentional and perfectly safe. You can safely allow or ignore this warning in Windows Defender.