Modification of the hosts file is detected, implementation of the modified hosts file is stalled, the modification to the hosts file is analyzed to determine if the modification is malicious, and if the modification is malicious, the hosts file is restored. In this manner, malicious modification of the hosts file is detected and prevented before the malicious modification is ever implemented.