Show what application is changing the System Proxy?

Recently, my machine has been receiving a system WinHTTP proxy and I can’t figure out where it’s getting it from. I don’t believe it’s DHCP, because none of the machines on the same network has been getting the system proxy. Glasswire picks up that the System Proxy has been changed, which is great, but I don’t know whether it’s an app or something that could be changing it.

Are there any Glasswire detailed logs that I can look into and can the app include specific details about what changed the System Proxy?

1 Like

I asked our team and unfortunately we don’t log what changes the system proxy, but I can see how that can be useful as a future feature.

1 Like

Hi Ken,

How does Glasswire monitor system proxy changes? Because the only way I found out about it was through Glasswire’s Alerts tab.

1 Like

@Ricky

That’s an interesting question. One of our first downloaders found malware their antivirus missed through the GlassWire Proxy detection.
https://blog.glasswire.com/2014/09/16/glasswire-visualizes-malware/

We use a Windows API to detect proxy activity. Do you think it’s not accurate? Please post more details or email us and we can help. https://www.glasswire.com/contact/

I’d definitely like to see what is changing the system proxy.

Sometimes we know what it is, e.g.

But more often, we can’t tell if the notification is reliable or not, e.g.

1 Like

I discussed with our team.

When there is a proxy connection there is an actual local OS change that takes place, so these alerts should actually be very accurate. It’s not like traffic detection or something like that; detecting traffic types is of course complex and can sometimes be wrong.

The main issue, which is the reason for this topic, is that users of GlassWire cannot tell what has changed the system proxy. How do we know if it is malware or not? Although I’m no expert and I’ve never used a proxy in Windows, on several occasions I have repaired proxy settings that were changed by malware.

I’d like to see this feature in GlassWire but I don’t expect that this is a trivial enhancement. The rest of the post is just my thoughts on two points: how do I find out what changed the proxy settings and what proxy settings are we interested in?

How do users find what process made the change?

Most users who get the GlassWire alert won’t know how to find out what has happened and I’m not sure that there is a non-programmatic way to do this as I only know how to find the current settings:

  • I know that I can use netsh to see the system proxy settings for the current user, but what if the LOCAL SYSTEM user is affected?

        C:\Users\Me>netsh winhttp show proxy

        Current WinHTTP proxy settings:

            Direct access (no proxy server).

  • But I’m not sure if I can see the per-application proxy settings except in the application or registry. I do know that I can view web browser settings/options but many users won’t know how to do this.
  • AFAIK, there is no Windows event that is logged. I also searched Windows Security Log Encyclopedia.
  • A quick web search shows that most suggestions involve monitoring the Internet settings in the registry.

Which proxy settings are important?

These are the proxy settings that I’m aware of:

  • Current user which is I think what the GlassWire alert is for. This is a target for malware.
    e.g. HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings

  • LOCAL SYSTEM user which is at least as important but I’m not sure if it is covered by the GlassWire alert. I’m not sure if malware targets this setting.
    e.g. Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings

  • Per application settings aren’t the system proxy but they can default to using it. This is mainly web browsers which are a target for malware.

  • I wonder if Windows apps, as opposed to Windows desktop apps, might complicate the situation. Most will only run on public networks so on private networks the “private” proxy has to be overridden, e.g. using Network Isolation settings.
    Example of the private network issue https://blogs.technet.microsoft.com/askperf/2014/02/18/network-isolation-of-windows-modern-apps-how-apps-work-with-akamai-internet-caching-servers-in-windows-88-1/
    Settings Network Isolation | Windows security encyclopedia

@Remah

Thanks so much for these extra details!

I should have also mentioned that the GlassWire team also discussed if GlassWire could have the ability to see who or what made the proxy change on the OS side. The answer seems to be that we can’t do it, or we don’t know how to do it yet.

If someone has some ideas on how it might work technically, or if they know another app that has this ability we’d love to check it out.
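
By default Windows logs nothing when these keys change, but with registry auditing enabled the Security log records event 4657, which names the writing process. The following is an added PowerShell example (not GlassWire's code and not from any poster in this thread) that audits the proxy keys discussed above; it assumes an elevated prompt and an English-language system, where the audit subcategory is called "Registry".

```powershell
# Added example: record which process writes to the proxy registry keys.
# Run from an elevated PowerShell prompt.

# HKLM ...\Connections holds the machine-wide WinHTTP proxy (value WinHttpSettings,
# what "netsh winhttp show proxy" reports); HKCU ...\Internet Settings is per user.
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
)

# 1. Enable success auditing for registry access (subcategory name is localized).
auditpol /set /subcategory:"Registry" /success:enable | Out-Null

# 2. Add an audit entry (SACL) so that writes by any account are recorded.
$everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')
foreach ($key in $keys) {
    $acl  = Get-Acl -Path $key -Audit
    $rule = New-Object System.Security.AccessControl.RegistryAuditRule(
        $everyone, 'SetValue, CreateSubKey, Delete',
        'ContainerInherit', 'None', 'Success')
    $acl.AddAuditRule($rule)
    Set-Acl -Path $key -AclObject $acl
}

# 3. After the next proxy alert, list who modified values under those keys.
function Get-ProxyChangeEvents {
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4657 } `
                 -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Flatten the event's named data fields into a hashtable.
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
                $data[$d.Name] = $d.'#text'
            }
            if ($data.ObjectName -like '*\Internet Settings*') {
                [pscustomobject]@{
                    Time    = $_.TimeCreated
                    Process = $data.ProcessName
                    User    = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
                    Key     = $data.ObjectName
                    Value   = $data.ObjectValueName
                }
            }
        }
}

Get-ProxyChangeEvents | Sort-Object Time | Format-Table -AutoSize
```

Steps 1 and 2 are one-time setup; only changes made after they are in place appear in step 3.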

Hi Ken,

Glasswire is accurate in picking up system proxy changes. As Remah has mentioned, you can check the system proxy by using netsh winhttp show proxy.

What I would like to know is exactly what caused the system proxy to change. Is it a script? Is it malware or a program? I don’t have any info or visibility on this, nothing found in event viewer logs and I can’t trace anything back to what originally caused the setting to change.

So I was hoping that Glasswire would be able to fill this void.

Just an idea: Glasswire can save the proxy settings and, once they change, it can enable the user to view the old and new settings - that might help him realise what happened. It can also let the user change the settings back to the previous state (before the update happened) with a click of a button 🙂

2 Likes
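
The old-versus-new comparison suggested above can be approximated with a scheduled script. The following is an added PowerShell example (not GlassWire functionality or code); the snapshot file location is a hypothetical choice, and the script only reports differences, it does not revert them.

```powershell
# Added example: remember the last-seen proxy settings and show what changed.
$key   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$names = 'ProxyEnable', 'ProxyServer', 'ProxyOverride', 'AutoConfigURL'
$store = Join-Path $env:LOCALAPPDATA 'proxy-snapshot.json'   # hypothetical location

function Get-ProxySnapshot {
    $props = Get-ItemProperty -Path $key
    $snap  = [ordered]@{}
    # Per-user settings; a value that does not exist is stored as ''.
    foreach ($n in $names) { $snap[$n] = [string]$props.$n }
    # Machine-wide WinHTTP proxy, kept as the raw text netsh prints.
    $snap['WinHTTP'] = ((netsh winhttp show proxy) -join "`n").Trim()
    $snap
}

function Compare-ProxySnapshot($old, $new) {
    # Emit one object per setting whose value differs between snapshots.
    foreach ($n in $new.Keys) {
        if ($old.$n -ne $new[$n]) {
            [pscustomobject]@{ Setting = $n; Old = $old.$n; New = $new[$n] }
        }
    }
}

$current = Get-ProxySnapshot
if (Test-Path $store) {
    $previous = Get-Content $store -Raw | ConvertFrom-Json
    Compare-ProxySnapshot $previous $current | Format-List
}
# Save the current state as the baseline for the next run.
$current | ConvertTo-Json | Set-Content $store
```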

Cool idea! I will mention this to our team and see if we can collect that data easily.

1 Like

By the way, I know that Glasswire also collects and shows the new and old DNS servers when the DNS server changes; you can also implement the “Go back” button there as well 🙂

2 Likes