Recently, my machine has been receiving a system WinHTTP proxy and I can’t figure out where it’s getting it from. I don’t believe it’s DHCP, because none of the machines on the same network has been getting the system proxy. Glasswire picks up that the System Proxy has been changed, which is great, but I don’t know whether it’s an app or something that could be changing it.
Are there any Glasswire detailed logs that I can look into and can the app include specific details about what changed the System Proxy?
When there is a proxy connection there is an actual local OS change that takes place, so these alerts should actually be very accurate. It’s not like a traffic detection or something like that, which of course detecting traffic types is complex and can sometimes be wrong.
The main issue, which is the reason for this topic, is that users of GlassWire cannot tell what has changed the system proxy. How do we know if it is malware or not? Although I’m no expert and I’ve never used a proxy in Windows, on several occasions I have repaired proxy settings that were changed by malware.
I’d like to see this feature in GlassWire but I don’t expect that this is a trivial enhancement. The rest of the post is just my thoughts on two points: how do I find out what changed the proxy settings and what proxy settings are we interested in?
How do users find what process made the change?
Most users who get the GlassWire alert won’t know how to find out what has happened and I’m not sure that there is a non-programmatic way to do this as I only know how to find the current settings:
I know that I can use netsh to see the system proxy settings for the current user but what if the LOCAL SYSTEM user is affected?
C:\Users\Me>netsh winhttp show proxy
Current WinHTTP proxy settings:
Direct access (no proxy server).
But I’m not sure if I can see the per application proxy settings except in the application or registry. I do know that I can view web browser settings/options but many users won’t know how to do this.
A quick web search shows that most suggestions involve monitoring the Internet settings in the registry.
Which proxy settings are important?
These are the proxy settings that I’m aware of:
Current user which is I think what the GlassWire alert is for. This is a target for malware.
e.g. HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
LOCAL SYSTEM user which is at least as important but I’m not sure if it is covered by the GlassWire alert. I’m not sure if malware target this setting.
e.g. Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings
Per application settings aren’t the system proxy but they can default to using it. This is mainly web browsers which are a target for malware.
I should have also mentioned that the GlassWire team also discussed if GlassWire could have the ability to see who or what made the proxy change on the OS side. The answer seems to be that we can’t do it, or we don’t know how to do it yet.
If someone has some ideas on how it might work technically, or if they know another app that has this ability we’d love to check it out.
Glasswire is accurate in picking up system proxy changes. As Remah has mentioned, you can check the system proxy by using netsh winhttp show proxy.
What I would like to know is exactly what caused the system proxy to change. Is it a script? Is it a malware or a program? I don’t have any info or visibility on this, nothing found in event viewer logs and I can’t trace anything back to what originally caused the setting to change.
So I was hoping that Glasswire would be able to fill this void.
Just an idea, Glasswire can save the proxy settings and once it changes it can enable the user to view the old and new settings - that might help him realise what happened, also it can let the user with a click of a button to change the settings back to the previous state (before the update happened)