How to check for malicious Proxy Auto-Config files in Windows

Martin Brinkmann
Mar 14, 2014
Windows, Windows software

Internet banking credentials are a high-value target for online criminals. Common attack forms that try to steal credentials or at least information are man-in-the-middle attacks and trojans that are have been designed specifically to capture credentials related to financial services and websites.

Microsoft released a warning back in February 2014 about malicious Proxy Auto-Config (PAC) redirects that can be used for that purpose as well.

A PAC file is used to select proxy servers or direct connections based on web addresses that you open in the web browser. These type of files are mostly used in corporate environments and here especially on mobile devices such as laptops.

PAC files are supported by all modern web browsers and can be loaded like other proxy servers in the network settings.

pac file windows

Malicious PAC files are used to redirect Internet users when they try to open sites of interest. The browser is automatically rerouted to a fake website that looks like the original site. Any information or credentials the user enters on this site are stolen and may be used for malicious activities or to steal online accounts.

Users can be infected through various means, from drive-by attacks and malware to local attacks that plant the PAC file directly on the system.

According to Microsoft's study, malicious PAC files are predominantly used in Brazil, Russia, the UK and Australia.

While many attacks target banking websites, Microsoft notes that other services are also targeted, including other payment providers, email providers, or social networking sites.

Find out if (malicious) PAC files are loaded on your system

Depending on which web browser you are using, you find the PAC files listed in a different location and menu.

Internet Explorer and browsers that use IE network settings (like Google Chrome)

Note: You can configure from within Chrome's settings, but you will be redirected to the Internet Options when you do.

  1. Open Internet Explorer on your computer.
  2. Tap on the Alt-key to bring up the menu bar if it is not displayed.
  3. Select Tools > Internet Options from the menu.
  4. Switch to the connections tab.
  5. Click on LAN settings.
  6. Check the "Use automatic configuration script" option. If it is enabled and if a PAC file is listed here, it is being used.
  7. To remove it, simply uncheck the box or delete it there. Do this only if you are certain that it is malicious.

The Firefox web browser


  1. Open the Firefox web browser.
  2. Tap on the Alt-key to bring up the menu bar.
  3. Select Tools > Options > Advanced > Network.
  4. Click on the Settings button next to Connections.
  5. Verify that the "automatic proxy configuration url" is not selected.

Use a third party program

Phrozensoft has published the Auto Config Risk Protector application for Windows today which checks Internet Explorer's proxy settings for you to notify you when a PAC file is being used.

proxy auto config risk protector

Simply run the program and click on the scan button afterwards. The application will either report that there is no PAC file in use, or that it has found one. If that is the case, the address of it is displayed to you with options to keep it or remove it instead.



Tutorials & Tips

Previous Post: «
Next Post: «


  1. Simptreat said on March 20, 2020 at 10:32 pm

    An attacker could develop an application that will listen to the UDP 137 port and answer to all WPAD queries with the address of the attacker s webserver. The webserver, in turn, could provide a malicious PAC file that directs victim browsers to use specific proxy servers to connect to websites of interest to the attacker.

  2. Patrick said on March 15, 2014 at 3:38 pm

    Mini toolbox By Farbar will do the same thing.

    MiniToolBox detects Internet connection issues due to broken or hijacked LSP, proxy settings, and problems with network adapters. It can also be used to detecte search redirections and router hijackings.

    The tool has some additional feature like flushing DNS cache, listing installed programs, listing devices in the Devices Manager, enumerating the last 10 Event Viewer errors, enumerating drives, and content of Hosts file.

  3. ilev said on March 15, 2014 at 7:50 am


  4. Dante said on March 14, 2014 at 11:13 pm

    Comodo’s free firewall have a feature that routes your traffic through their own ip table. Of course, there is a privacy concern there. But it does stop these kind of hacks.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.