How to check for malicious Proxy Auto-Config files in Windows

Martin Brinkmann
Mar 14, 2014
Windows, Windows software

Internet banking credentials are a high-value target for online criminals. Common attacks that try to steal credentials, or at least information, include man-in-the-middle attacks and trojans that have been designed specifically to capture credentials related to financial services and websites.

Microsoft released a warning back in February 2014 about malicious Proxy Auto-Config (PAC) redirects that can be used for that purpose as well.

A PAC file is used to select proxy servers or direct connections based on the web addresses that you open in the web browser. These types of files are mostly used in corporate environments, especially on mobile devices such as laptops.

PAC files are supported by all modern web browsers and can be loaded like other proxy servers in the network settings.


Malicious PAC files are used to redirect Internet users when they try to open sites of interest. The browser is automatically rerouted to a fake website that looks like the original site. Any information or credentials the user enters on this site are stolen and may be used for malicious activities or to steal online accounts.

Users can be infected through various means, from drive-by attacks and malware to local attacks that plant the PAC file directly on the system.

According to Microsoft's study, malicious PAC files are predominantly used in Brazil, Russia, the UK and Australia.

While many attacks target banking websites, Microsoft notes that other services are also targeted, including other payment providers, email providers, or social networking sites.

Find out if (malicious) PAC files are loaded on your system

Where a configured PAC file is listed depends on the web browser you are using; each browser shows it in a different location and menu.

Internet Explorer and browsers that use IE network settings (like Google Chrome)

Note: You can open the proxy configuration from within Chrome's settings, but you will be redirected to the Internet Options when you do.

  1. Open Internet Explorer on your computer.
  2. Tap on the Alt-key to bring up the menu bar if it is not displayed.
  3. Select Tools > Internet Options from the menu.
  4. Switch to the Connections tab.
  5. Click on LAN settings.
  6. Check the "Use automatic configuration script" option. If it is enabled and if a PAC file is listed here, it is being used.
  7. To remove it, simply uncheck the box or delete it there. Do this only if you are certain that it is malicious.

The Firefox web browser


  1. Open the Firefox web browser.
  2. Tap on the Alt-key to bring up the menu bar.
  3. Select Tools > Options > Advanced > Network.
  4. Click on the Settings button next to Connections.
  5. Verify that the "Automatic proxy configuration URL" option is not selected.
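
The two manual checks above can also be scripted. The following PowerShell is an added example, not part of the original article; it only reads settings and changes nothing. It assumes the AutoConfigURL registry value that backs the "Use automatic configuration script" field and the default Firefox profile location under %APPDATA%.

```powershell
# Added example: list any PAC (automatic configuration script) URL configured
# for Internet Explorer's network settings and for each Firefox profile. Read-only.

function Get-IEPacSetting {
    # HKCU holds the address shown in the LAN settings dialog; the machine-wide
    # key is checked as well in case proxy settings are applied per machine.
    $keys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    )
    foreach ($key in $keys) {
        $props = Get-ItemProperty -Path $key -Name AutoConfigURL -ErrorAction SilentlyContinue
        if ($props -and $props.AutoConfigURL) {
            [pscustomobject]@{
                Browser = 'Internet Explorer / system'
                Source  = $key
                PacUrl  = $props.AutoConfigURL
                Note    = 'Automatic configuration script is set'
            }
        }
    }
}

function Get-FirefoxPacSetting {
    # Each Firefox profile stores its own proxy preferences in prefs.js.
    $pattern = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles\*\prefs.js'
    foreach ($prefs in Get-ChildItem -Path $pattern -ErrorAction SilentlyContinue) {
        $text = Get-Content -Path $prefs.FullName -Raw
        $url  = if ($text -match 'user_pref\("network\.proxy\.autoconfig_url",\s*"([^"]*)"\)') { $Matches[1] } else { $null }
        $type = if ($text -match 'user_pref\("network\.proxy\.type",\s*(\d+)\)') { [int]$Matches[1] } else { $null }
        if ($url) {
            # network.proxy.type 2 means the automatic proxy configuration URL is selected.
            $note = if ($type -eq 2) { 'PAC URL is selected and in use' } else { 'PAC URL is stored but not selected' }
            [pscustomobject]@{
                Browser = 'Firefox'
                Source  = $prefs.FullName
                PacUrl  = $url
                Note    = $note
            }
        }
    }
}

$found = @(Get-IEPacSetting) + @(Get-FirefoxPacSetting)
if ($found.Count -eq 0) { 'No PAC file is configured.' } else { $found | Format-List }
```

A reported URL is not proof of compromise, since corporate networks use PAC files legitimately; compare it against what your administrator has deployed before removing it.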

Use a third party program

Phrozensoft has published the Auto Config Risk Protector application for Windows today. It checks Internet Explorer's proxy settings for you and notifies you when a PAC file is being used.


Simply run the program and click on the scan button afterwards. The application will either report that there is no PAC file in use, or that it has found one. If it has found one, its address is displayed to you along with options to keep it or remove it.





  1. Anonymous said on March 9, 2023 at 1:52 pm

    Does it come back after every “moment” update?

  2. Baloney said on March 9, 2023 at 2:23 pm

    Yeah right.. Like this is going to stop defender from running =) This is comedy gold right here.

  3. Anonymous said on March 9, 2023 at 3:25 pm

    no ‘about the author’ paragraph?

  4. Gregory said on March 9, 2023 at 4:19 pm

    For permanent disable defender is if removed complete from system no just change permission folder.

    Just this is joke.

  5. moi said on March 9, 2023 at 5:57 pm

    simpler, load Autoruns (SysInternals)
    – filter “Defender”
    – untag all entries
    – reboot
    nothing has changed since my 1st modification years ago

  6. John G. said on March 9, 2023 at 6:32 pm

    I wouldn’t disable Defender imho, it has too many hidden roots inside Windows itself. One time I tried to uninstall it using brute force scripts and then the Onedrive feature stopped working definitely. A reinstallation was needed and since those times I prefer to maintain Defender untouched. It’s a better method to install another antivirus and it will disable Defender in a safer and easier mode (e.g., Avast is the best in this way, and also Panda Cloud Free is good too).

  7. boris said on March 10, 2023 at 12:19 am

    You can not stop defender from running in background or remove it without some penalty. All you can do is to limit telemetry.

    1. TelV said on March 10, 2023 at 4:52 pm


      It’s probably Smartscreen which is preventing WD from being disabled. Get rid of that and the problem should be solved:

  8. hoho said on March 10, 2023 at 1:47 pm

    Remove Windows and go for Linux.

    1. basingstoke said on March 10, 2023 at 2:51 pm

      Linux sucks dude. Besides it’s not comparable to Windows, these OSes are in different classes entirely.

      1. Derp said on March 10, 2023 at 4:36 pm

        I use Linux as my daily driver. It’s far more stable than Windows. When’s the last time you used Linux, 2010?

      2. Bromosexual said on March 11, 2023 at 2:04 am


        You’re right, dude. Bro, linux is just a bunch of code that starts before the OS, dude. Brobrodude, that shit ain’t even got emojis, dudebrodudeman! Dudebro, it’s no way near as cool as Windows with its hardcoded abilities to make money off the user, bro. Yo brodude man, you’re the coolest dude ever man, bro. Dude.

      3. basingstoke said on August 16, 2023 at 7:20 pm

        Lol what? Windows 7 doesn’t come with any Emojis

  9. TelV said on March 10, 2023 at 4:46 pm

    Download Autoruns and remove the checkmark from Windows Defender. It doesn’t remove it, but it will never run.

  10. Simon said on March 10, 2023 at 8:37 pm

    Just use “Defender Control”:

    Per this video,
    it also works on Windows 11 too…

  11. Someone said on March 10, 2023 at 9:26 pm

    Win Defender, is completely the most successful free-built in antivirus of Microsoft. Really nice product. Saved my ass a lot of times. Has updated malware database, completely strong defence
    from whatever smart screen disables. Or if you want better and more upgraded (paid) program,
    you can go further. But defender is always on your side.

  12. CalixtoWVR1 said on March 10, 2023 at 10:03 pm

    Why would one disable Windows (or Microsoft) Defender in the first place? I consider this to be playing with fire big time. Everybody knows that if one is using another A-V, Defender will be disabled on its own and won’t be in one’s way.

  13. Ed D said on March 10, 2023 at 11:09 pm

    Why would I want to disable Windows Defender in the first place? It’s a great anti virus in my opinion. Been using it since Windows 8 and never had a problem or a virus. Why mess with a good thing, if it ain’t broke don’t fix it.

  14. owl said on August 17, 2023 at 1:57 am

    How a ridiculous article!
    I am thoroughly stunned.

    Why Should You Disable First-Party Windows Defender?
    I can only think that it is “malice or perversely intention (want you to buy a third-party AV where you can expect a back margin)” to guide invalidation without showing the premise.
    No sane company will use third-party closed source programs (such as AV).

    As I thought, “Ghacks Technology News” seems to be coming to downfall.
