We often receive questions related to the Proxy/VPN category seen in Threat Lists and Policy Risk Thresholds. For example:
"I am looking for some clarification on how the Proxy/VPN category works. We have tested a couple of NordVPN sites but the connection is allowed, so what drives the determination that an IP should be blocked for this reason?"
We map the Webroot category "Proxy" and the Proofpoint categories "Proxy" and "Proxy Host" to our overarching category Proxy/VPN.
We document this on page 4 of our Default Lists customer-facing documentation.
Basically, we block only what Webroot and Proofpoint (if a customer has purchased our Proofpoint add-on) mark as *malicious* Proxy services on known malicious IPs. We don't block good/normal proxy services (obviously).
If a customer wants to block specific VPN services, they are encouraged to create and appropriately enable a manual Denied List to map those services.