/etc/hosts gets over written
Solution 1:
As a tool to help you find the culprit, here is a dtrace oneliner which prints the pid and name of any process which opens a file for writing, together with the filename:
dtrace -qn 'syscall::open*:entry /arg1&3/ { printf("%d %s %s\n", pid, execname, copyinstr(arg0)); }'
It needs to be run as root (e.g., with sudo). Pipe it into grep hosts
to avoid drowning in output and missing what you are looking for:
sudo dtrace -qn 'syscall::open*:entry /arg1&3/ { printf("%d %s %s\n", pid, execname, copyinstr(arg0)); }' | grep hosts
Hopefully, this will tell you what process is overwriting the file. Just let it run in a terminal window until it triggers.
Solution 2:
For me it's in the file
/etc/pulse-hosts.bak
You have to edit this file to customize your hosts directives
When you are going to reconnect/connect using the Pulse Secure VPN, it's going to merge the directives from the
/etc/pulse-hosts.bak
with the content from Pulse directives and creates the
/etc/hosts
2018 Update
With the newer version of Pulse Secure you have to exit the program first (check your active process).
Modify your host (/etc/hosts) and then restart Pulse Secure.