This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Lansweeper Community
- Forums
- Archive
- Request: Identify computers which have browser pro...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Register to ask a question, start a topic or share an idea
Join the Community
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎06-24-2010 07:36 PM
I have performed a search for this topic on this site with no true success.
I've had some infected computers that were cleaned...yet the cleaning process did not detect nor reset the browser proxy settings that were set to 127.0.0.1. Yes....I know this is bad.
Goal: Using Lansweeper, display know computers that have a browser with this (or any..but distinguished)proxy setting. This could help identify infected computers that have yet to cause the user enough grief to contact IT Department.
Issues I suspect that need to be considered:
- Browsers could be IE (6 through 8), Firefox, Chrome
- Setting may be linked to the current user
Preventing Proxy Changes with GPO may be worth considering. However, there are some limited conditions here in which some users have legitimate purpose for the change.
Similarily, if there are other valuable checks to detect the possible hole/tunnel in the routes...I welcome your response. For instance, the existance of any type of vpn tunneling protocol/configuration detected or file replication technology such as MS Live Sync (yes I know the SW inventory hits that specific one).
I've had some infected computers that were cleaned...yet the cleaning process did not detect nor reset the browser proxy settings that were set to 127.0.0.1. Yes....I know this is bad.
Goal: Using Lansweeper, display know computers that have a browser with this (or any..but distinguished)proxy setting. This could help identify infected computers that have yet to cause the user enough grief to contact IT Department.
Issues I suspect that need to be considered:
- Browsers could be IE (6 through 8), Firefox, Chrome
- Setting may be linked to the current user
Preventing Proxy Changes with GPO may be worth considering. However, there are some limited conditions here in which some users have legitimate purpose for the change.
Similarily, if there are other valuable checks to detect the possible hole/tunnel in the routes...I welcome your response. For instance, the existance of any type of vpn tunneling protocol/configuration detected or file replication technology such as MS Live Sync (yes I know the SW inventory hits that specific one).
Labels:
- Labels:
-
Archive
2 REPLIES 2
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎06-24-2010 09:19 PM
You won't be able to scan the HKEY_CURRENT_USER key with registry scanning.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎06-24-2010 08:57 PM
Mozilla settings look to be stored in a file called prefs.js.
On my system it was located here:C:\Users\MYUSERNAME\Application Data\Mozilla\Firefox\Profiles\a68dhkmj.default\prefs.js.
The profile directory name (a68dhkmj.default) appears to be unique and maybe randomly generated.
A profile for the current user can be accessed here: "%APPDATA%\Mozilla\"
Accessing "%APPDATA%\Mozilla\" resulted in the profile being found in the subdirectory: Firefox\Profiles\a68dhkmj.default
The file "profiles.ini" exists in the directory Roaming\Mozilla\Firefox. It contains the lines:
Name=default
IsRelative=1
Path=Profiles/a68dhkmj.default
Within the file: prefs.js is the following line:
user_pref("network.proxy.http", "127.0.0.1");
XXXXXXXXXXXXXX
IE appears to store the proxy settings in the registry key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
127.0.0.1:80
AND
HKEY_USERS\S-1-5-21-1993962763-1123\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
127.0.0.1:80[size=8][/size]
On my system it was located here:C:\Users\MYUSERNAME\Application Data\Mozilla\Firefox\Profiles\a68dhkmj.default\prefs.js.
The profile directory name (a68dhkmj.default) appears to be unique and maybe randomly generated.
A profile for the current user can be accessed here: "%APPDATA%\Mozilla\"
Accessing "%APPDATA%\Mozilla\" resulted in the profile being found in the subdirectory: Firefox\Profiles\a68dhkmj.default
The file "profiles.ini" exists in the directory Roaming\Mozilla\Firefox. It contains the lines:
Name=default
IsRelative=1
Path=Profiles/a68dhkmj.default
Within the file: prefs.js is the following line:
user_pref("network.proxy.http", "127.0.0.1");
XXXXXXXXXXXXXX
IE appears to store the proxy settings in the registry key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
127.0.0.1:80
AND
HKEY_USERS\S-1-5-21-1993962763-1123\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
127.0.0.1:80[size=8][/size]
New to Lansweeper?
Try Lansweeper For Free
Experience Lansweeper with your own data. Sign up now for a 14-day free trial.
Try Now
Related Content
- Excluding AWS EC2 Assets from scans On Prem Server in General Discussions
- Workstations with No Biometric Hardware Report in Reports & Analytics
- New preview capability - Track your hard-to-reach assets using IT Agent, the future of LsAgent in Product Discussions
- Spring 2023 Launch Product Update in Product Announcements
- Active computer path (particular servers in OU) as scanning target with mapped credentials in General Discussions
