If you enable the IPS feature, this alert automatically appears if Host Intrusion Prevention detects an application on your computer sending out spoofed network traffic. This means that the application is trying to make it seem like traffic from your computer actually comes from a different computer. It does this by changing the IP address in the outgoing packets. Spoofing is always suspicious activity. If you see this dialog box, immediately investigate the application that sent the spoofed traffic.
The Spoof Detected Alert dialog box is very similar to the firewall feature’s Learn Mode alert. It displays information about the intercepted traffic on two tabs — the Application Information tab, and the Connection Information tab.
The Application Information tab displays:
The Connection Information tab provides further networking information. In particular, Local Address shows the IP address that the application is pretending to have, while Remote Address shows your actual IP address.
When Host Intrusion Prevention detects spoofed network traffic, it tries to block both the traffic and the application that generated it. It does this by adding a new rule to the end of the firewall rule list. This Block spoofing attacker rule specifically blocks all traffic created by the suspicious application, unless another rule in the rule list overrides it.