What is up with these odd connections GlassWire is making? This is a snapshot from Windows Resource Monitor.
My first thought was that this is a phishing attempt to get people to check out the site. But maybe there is some software masquerading as GlassWire.
Here are three reasons why I think that:
- I’ve only ever seen GlassWire software communicate with sites like www.glasswire.com and activate.glasswire.com.
- The site is flagged as a phishing site by some security scanners at virustotal.com. At present it’s only BitDefender and Websense ThreatSeeker but these warnings have been there for months:
- The content of the screenshot shows all three processes communicating with a website. The Idle Monitor, for example, would never need to do that. Which makes me think the website URL has been pasted into the screenshot.
@bfsinpdx I’ve flagged this as spam. While I could be wrong, it is better to err on the side of caution.
I am very skeptical of other software masquerading as GlassWire, as GlassWire is running. I keep a very clean system and don’t put myself into too much danger. I got a prompt that a new version of GlassWire was released and upgraded about 1 week ago.
@bfsinpdx GlassWire doesn’t communicate with this host itself, but perhaps the way Windows Resource Monitor works with the API we use somehow makes it look this way. I’ll discuss with the dev team, thank you for your report.
Please check your hosts file and see if you see anything there unusual.
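One way to do the hosts file check suggested above, as an added example that is not part of the original thread or GlassWire's own tooling: a PowerShell snippet that lists every active entry and separates names pointed at a loopback or null address (local blocking) from names redirected to some other address. It assumes the default Windows hosts path, and the category labels are this example's own.

```powershell
# Added example: list active hosts-file entries and classify each mapping.
# Assumes the default Windows location; point $Path at a copy to inspect that instead.
$Path = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

# Loopback addresses, plus the null addresses commonly used to sinkhole a name.
$loopback = '^(127\.\d+\.\d+\.\d+|::1)$'
$sinkhole = '^(127\.\d+\.\d+\.\d+|0\.0\.0\.0|::1?)$'

Get-Content -LiteralPath $Path | ForEach-Object {
    # Drop any trailing comment and surrounding whitespace.
    $line = ($_ -split '#', 2)[0].Trim()
    if (-not $line) { return }          # blank or comment-only line

    # Entry format: <address> <hostname> [alias ...]
    $fields = $line -split '\s+'
    if ($fields.Count -lt 2) { return } # malformed entry, nothing to map
    $address = $fields[0]

    foreach ($name in $fields[1..($fields.Count - 1)]) {
        $kind = if ($name -ieq 'localhost' -and $address -match $loopback) {
            'default'                   # stock localhost mapping
        } elseif ($address -match $sinkhole) {
            'blocked locally'           # name resolves to this machine or nowhere
        } else {
            'redirected - review'       # name forced to another address
        }
        [pscustomobject]@{
            Address  = $address
            Hostname = $name
            Kind     = $kind
        }
    }
} | Sort-Object Kind, Hostname | Format-Table -AutoSize
```

An empty result means the file contains only comments, which is the state of a stock Windows hosts file.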
I hadn’t thought of antivirus/ad-blocking software creating an entry in the hosts file to block that website by redirecting it to the localhost. That is so old school - I haven’t seen that for years.
@bfsinpdx, there’s an example in the article Ken_GlassWire refers to: https://en.wikipedia.org/wiki/Hosts_(file)#Extended_applications under the heading Internet resource blocking. There would then be an entry in your hosts file like this: