The Proxy auto-discovery configuration Insecure Systems finding indicates that the IP address is configured for proxy configuration. The communication was detected via sinkholing, so the communication was with an abandoned or expired domain not owned by your company through the Web Proxy Auto-Discovery Protocol (WPAD) indicating that it reached out externally and allows malicious actors to eavesdrop on the communication. Otherwise, the WPAD is safe to use on properly secured domains.
Proxy Auto-Configuration (PAC) text files with JavaScript functions specifying the proxy server and when to forward traffic to it.
How to Locate the Proxy and Remediate
Refer to the following information within the Details tab of the Insecure Systems finding details sheet to search tier web traffic logs, locate the system using the proxy, and then disable or update the proxy auto-discovery configuration:
-
Path Info= The contacted URL. -
Source IP= The source IP address. -
Source Port= The source port number. -
Representative Event Timestamp= The date and time (UTC) when the finding was observed. -
Server Name= The domain name of the affected server. It is known to be a command and control server, sinkhole, or is hosting adware. -
User-agent= The user’s browser details.
- November 8, 2024: Corrected location of the finding details.
- November 7, 2024: Published.
Feedback
0 comments
Please sign in to leave a comment.