The main issue, which is the reason for this topic, is that users of GlassWire cannot tell what has changed the system proxy. How do we know if it is malware or not? Although I’m no expert and I’ve never used a proxy in Windows, on several occasions I have repaired proxy settings that were changed by malware.
I’d like to see this feature in GlassWire but I don’t expect that this is a trivial enhancement. The rest of the post is just my thoughts on two points: how do I find out what changed the proxy settings and what proxy settings are we interested in?
How do users find what process made the change?
Most users who get the GlassWire alert won’t know how to find out what has happened and I’m not sure that there is a non-programmatic way to do this as I only know how to find the current settings:
- I know that I can use netsh to see the system proxy settings for the current user but what if the LOCAL SYSTEM user is affected?

  ```
  C:\Users\Me>netsh winhttp show proxy
  Current WinHTTP proxy settings:
  Direct access (no proxy server).
  ```
- But I’m not sure if I can see the per application proxy settings except in the application or registry. I do know that I can view web browser settings/options but many users won’t know how to do this.
- AFAIK, there is no Windows event that is logged. I also searched the Windows Security Log Encyclopedia.
- A quick web search shows that most suggestions involve monitoring the Internet settings in the registry.
Which proxy settings are important?
These are the proxy settings that I’m aware of:
- Current user, which is I think what the GlassWire alert is for. This is a target for malware.
  e.g. HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
- LOCAL SYSTEM user, which is at least as important but I’m not sure if it is covered by the GlassWire alert. I’m not sure if malware targets this setting.
  e.g. Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings
- Per application settings aren’t the system proxy but they can default to using it. This is mainly web browsers, which are a target for malware.
- I wonder if Windows apps, as opposed to Windows desktop apps, might complicate the situation. Most will only run on public networks so on private networks the “private” proxy has to be overridden e.g. using Network Isolation settings.
Example of the private network issue https://blogs.technet.microsoft.com/askperf/2014/02/18/network-isolation-of-windows-modern-apps-how-apps-work-with-akamai-internet-caching-servers-in-windows-88-1/
Settings Network Isolation | Windows security encyclopedia
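Since the post asks both how to find out that the proxy changed and which keys matter, here is an added PowerShell example (my own, not GlassWire’s and not from the original post) that snapshots the proxy values under the current user hive, the LOCAL SYSTEM hive and the policy keys, and reports what changed against a saved baseline. The key list, value names and baseline file location are assumptions.

```powershell
# Added example, not GlassWire's code: snapshot proxy-related registry values
# and diff them against a saved baseline. First run writes the baseline; later
# runs (e.g. from a scheduled task) report any value that changed.
# Baseline path is an assumption.
$Baseline = Join-Path $env:LOCALAPPDATA 'proxy-baseline.json'

# Assumed watch list. HKU\S-1-5-18 is the LOCAL SYSTEM user's hive; reading it
# needs an elevated prompt, otherwise it is silently skipped.
$Keys = @(
  'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings',
  'Registry::HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings',
  'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings',
  'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
)
$Values = 'ProxyEnable', 'ProxyServer', 'ProxyOverride', 'AutoConfigURL', 'AutoDetect'

function Get-ProxySnapshot {
  $snap = @{}
  foreach ($k in $Keys) {
    if (-not (Test-Path $k)) { continue }
    $item = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
    foreach ($v in $Values) {
      if ($null -ne $item.$v) { $snap["$k\$v"] = [string]$item.$v }
    }
    # DefaultConnectionSettings is a binary blob; hash it instead of parsing it.
    $conn = Get-ItemProperty -Path "$k\Connections" -Name DefaultConnectionSettings -ErrorAction SilentlyContinue
    if ($conn) {
      $sha = [System.Security.Cryptography.SHA256]::Create()
      $hex = ($sha.ComputeHash([byte[]]$conn.DefaultConnectionSettings) | ForEach-Object { $_.ToString('x2') }) -join ''
      $snap["$k\Connections\DefaultConnectionSettings"] = $hex
    }
  }
  return $snap
}

$current = Get-ProxySnapshot
if (-not (Test-Path $Baseline)) {
  $current | ConvertTo-Json | Set-Content -Path $Baseline
  Write-Host "Baseline written to $Baseline"
  return
}

$old = @{}
(Get-Content $Baseline -Raw | ConvertFrom-Json).PSObject.Properties | ForEach-Object { $old[$_.Name] = $_.Value }

$changed = $false
foreach ($name in (@($old.Keys) + @($current.Keys) | Sort-Object -Unique)) {
  if ($old[$name] -ne $current[$name]) {
    $changed = $true
    Write-Warning "$name : '$($old[$name])' -> '$($current[$name])'"
  }
}
if (-not $changed) { Write-Host 'No proxy setting changes since baseline.' }
```

This tells you which value changed but not which process changed it; for that you need a SACL on the key plus the "Audit Registry" subcategory enabled, after which event 4657 in the Security log records the modifying process.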