Symptoms
Some antivirus products install a proxy service to protect against malicious web sites. To demonstrate this issue, create a policy rule to allow specific IP addresses through a web browser and block all other traffic, then add the rule to the appropriate rule set and subscribe a test device to it. An event in the client's debug log for the will show that the traffic is being sent to the loopback address.
Policy Open Policy for IEXPLORE.EXE co 943, Connect (remote 127.0.0.1:5152, local 0.0.0.0:0) now Block, rule: "web access white list".
There will be a process in the diagnostics log on the client for the web proxy application. For example:
TmProxy.exe (Manages the Trend Micro proxy. 50003.403): PASV 297 CS_OPEN PASSTHRU, 200 sockets listening (0 RPC) on 127.0.0.1:6999
Step by Step
Add the web proxy app to the policy rule condition. Alternatively, from within the antivirus program, either uninstall or disable the web proxy.
Note: Adding the loopback address to the allowed list of sites in the rule when using a web proxy in effect allows all web traffic, because all traffic is sent through these proxies via the loopback address, which would defeat the purpose of the restricted site policy rule.
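The check described under Symptoms, as an added example that is not part of the original article or the vendor's tooling: a Python script that scans debug and diagnostics log lines for blocked loopback connections and for processes listening on the loopback address. The regular expressions are assumptions derived from the two log lines quoted above, and the second line in each sample list is constructed.

```python
import ipaddress
import re

# Patterns mirror the two log lines quoted in the article; other client
# versions may format these events differently (assumption).
POLICY_RE = re.compile(
    r'Policy Open Policy for (?P<proc>\S+) .*?Connect \(remote '
    r'(?P<ip>[\d.]+):(?P<port>\d+), local [\d.]+:\d+\) now (?P<action>\w+), '
    r'rule: "(?P<rule>[^"]*)"')
LISTEN_RE = re.compile(
    r'(?P<proc>\S+) \(.*\): .*sockets listening .*on (?P<ip>[\d.]+):(?P<port>\d+)')

def is_loopback(ip):
    try:
        return ipaddress.ip_address(ip).is_loopback
    except ValueError:
        return False

def triage(debug_lines, diag_lines):
    """Return blocked loopback connects and the loopback listeners that may be proxies."""
    blocked = []
    for line in debug_lines:
        m = POLICY_RE.search(line)
        if m and m["action"] == "Block" and is_loopback(m["ip"]):
            blocked.append((m["proc"], int(m["port"]), m["rule"]))
    listeners = {}
    for line in diag_lines:
        m = LISTEN_RE.match(line)
        if m and is_loopback(m["ip"]):
            listeners.setdefault(m["proc"], set()).add(int(m["port"]))
    # Listeners only matter when the symptom (blocked loopback traffic) is present.
    return {"blocked": blocked, "proxy_candidates": listeners if blocked else {}}

# First line of each list is quoted from the article; the second is constructed.
DEBUG_LOG = [
    'Policy Open Policy for IEXPLORE.EXE co 943, Connect (remote 127.0.0.1:5152, local 0.0.0.0:0) now Block, rule: "web access white list".',
    'Policy Open Policy for IEXPLORE.EXE co 944, Connect (remote 203.0.113.10:80, local 0.0.0.0:0) now Block, rule: "web access white list".',
]
DIAG_LOG = [
    'TmProxy.exe (Manages the Trend Micro proxy. 50003.403): PASV 297 CS_OPEN PASSTHRU, 200 sockets listening (0 RPC) on 127.0.0.1:6999',
    'ExampleSvc.exe (Constructed example service. 1.0): 3 sockets listening (0 RPC) on 0.0.0.0:8080',
]

if __name__ == "__main__":
    report = triage(DEBUG_LOG, DIAG_LOG)
    for proc, port, rule in report["blocked"]:
        print(f'{proc}: connect to loopback port {port} blocked by rule "{rule}"')
    for proc, ports in report["proxy_candidates"].items():
        print(f"candidate web proxy to add to the rule condition: {proc} {sorted(ports)}")
```

Processes reported as candidates are the ones to review for the rule condition, rather than allowing the loopback address itself.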