
Fixing Malware Detection Alerts From WPAD.dat

This Article Applies to:

  • AVG Business Cloud Console

 

Web Proxy Auto-Discovery (WPAD) is a protocol that ensures all devices within a network use the same web proxy configuration, without administrators having to configure each endpoint device manually. When enabled, WPAD searches for a Proxy Auto-Configuration (PAC) file and applies the configuration to all devices automatically.

This automatic discovery of the PAC file eases the configuration process significantly. However, it also carries security risks: an attacker can create a malicious service that responds to the request WPAD makes to a proxy, impersonating that proxy.

In the event you receive constant notifications for malware detections of the wpad.dat file in your Cloud Console, consider the following steps to resolve the issue:

  • Disable automatic proxy discovery/configuration in browsers and operating systems unless those systems will only be used on internal networks.
  • Use a registered and fully qualified domain name (FQDN) from global DNS as the root for enterprise and other internal namespaces.
  • Use an internal TLD that is under your control and restricted from registration with the new gTLD program.
    • There is no assurance that the current list of “Reserved Names” from the new gTLD Applicant Guidebook (AGB) will remain reserved in subsequent rounds of new gTLDs.
  • Configure internal DNS servers to respond authoritatively to internal TLD queries.
  • Configure firewalls and proxies to log and block outbound requests for wpad.dat files.
  • Identify expected WPAD network traffic and monitor the public namespace, or consider registering domains defensively to avoid future name collisions.
  • File a report with ICANN if your system is suffering demonstrable severe harm due to name collision by visiting https://forms.icann.org/en/help/name-collision/report-problems.
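
As an added illustration of the "log and block outbound requests for wpad.dat" and "identify expected WPAD network traffic" steps (example code, not from AVG), the Python script below scans proxy log lines and reports wpad.dat requests sent to hosts outside the internal namespace. The log format, the `corp.example.com` suffix and the sample lines are constructed assumptions; adapt them to your own proxy logs and domain.

```python
from urllib.parse import urlsplit

# Assumption: the only namespace expected to serve WPAD/PAC files.
INTERNAL_SUFFIXES = ("corp.example.com",)

# Constructed sample in a simplified "time client method url status" format.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z 10.0.0.12 GET http://wpad.corp.example.com/wpad.dat 200
2024-05-01T09:00:07Z 10.0.0.31 GET http://wpad.example.net/wpad.dat 200
2024-05-01T09:01:15Z 10.0.0.31 GET http://WPAD.office/WPAD.DAT?x=1 404
2024-05-01T09:02:40Z 10.0.0.44 GET http://intranet.corp.example.com/index.html 200
2024-05-01T09:03:02Z 10.0.0.12 GET http://wpad.corp.example.com.lookalike.test/wpad.dat 200
malformed line
"""

def is_internal(host):
    """True only if host is an internal suffix or a subdomain of one."""
    host = host.lower().rstrip(".")
    # Match on a label boundary so "corp.example.com.lookalike.test" fails.
    return any(host == s or host.endswith("." + s) for s in INTERNAL_SUFFIXES)

def find_unexpected_wpad(log_text):
    """Return (time, client, host, status) for wpad.dat requests to external hosts."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip lines that do not match the assumed format
        ts, client, _method, url, status = parts
        target = urlsplit(url)
        if not target.hostname:
            continue
        # Compare the last path segment case-insensitively, ignoring the query.
        if target.path.lower().rsplit("/", 1)[-1] != "wpad.dat":
            continue
        if not is_internal(target.hostname):
            findings.append((ts, client, target.hostname, status))
    return findings

if __name__ == "__main__":
    for ts, client, host, status in find_unexpected_wpad(SAMPLE_LOG):
        print(f"{ts} client={client} requested wpad.dat from {host} (status {status})")
```

A 200 status on a flagged line means the client actually received a PAC file from an unexpected host, so those clients are the first to check.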

If you still need assistance with the issue, please contact AVG Technical Support.