I keep getting prompts for these, but given I have no idea what is sourcing these prompts I have been denying the vast majority of them. Destination IP is usually Akamai or CacheFly CDN; I have had one or two also for Cloudflare CDN, which doesn't help much. Thoughts?
All are common data delivery, nothing bad. https://de.wikipedia.org/wiki/Content_Delivery_Network If you consider adware working on your PC, use AdwCleaner.
If they are legit IPs, then some product/s "might" be trying to update themselves automatically. Both those .exe's can be used in the install process, but IMO they should Not require www access! I would block ALL such attempts. Malware etc. often uses those .exe's. Next time you notice it happening, run Process Explorer etc. & try to discover what app etc. is invoking those .exe's.
You need to determine which parent process is triggering runonce.exe and rundll32.exe, particularly since this appears to be a new behaviour that you are seeing on your machine.
That's the problem: how is it determined? I ended up allowing runonce.exe as so much software nowadays only checks for updates on a bootup; instead of on the scheduler they rely on it, and sure enough I was blocking the Java updater. I am not going to give rundll32 * access to internet though. That one, when I can find the owner of the IPs, is usually Microsoft calling home. Also to add, it's not really new, it's just something I haven't put much time into so have been ignoring.
My firewall offers a special rundll32 rule for TCP port 80, TCP port 443 and UDP port 53 (HTTP/HTTPS/DNS). I think it can determine rundll32 processes and flag it like that. Java update programs are: jusched.exe, jucheck.exe and jaureg.exe (C:\Program Files\Common Files\Java\Java Update). Querying all auto start sections: https://technet.microsoft.com/de-de/sysinternals/bb963902.aspx
Yeah, but the problem was jusched was nowhere to be seen in the firewall log; it was simply runonce.exe.
I already recommended you to use Autoruns? Use it please instead of another guessing: http://searchtasks.answersthatwork.com/tasklist.php?File=RunOnce
It's all in the tabs - description, publisher, path. You have to provide information, maybe as images. runonce is part of "Logon".
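
One way to answer the parent-process question raised in this thread, as an added PowerShell example that is not part of any poster's reply: it snapshots running rundll32.exe and runonce.exe instances with their parent, command line and remote TCP endpoints, then lists pending RunOnce registry entries. It assumes an elevated prompt on Windows 8 or later (for `Get-NetTCPConnection`).

```powershell
# Added example: who launched rundll32.exe / runonce.exe, and where are they connecting?
$targets = 'rundll32.exe', 'runonce.exe'
$all     = Get-CimInstance -ClassName Win32_Process

# Index every process by PID so parents can be resolved from one consistent snapshot.
$byPid = @{}
foreach ($p in $all) { $byPid[[uint32]$p.ProcessId] = $p }

$hits   = $all | Where-Object { $targets -contains $_.Name }
$report = foreach ($proc in $hits) {
    $parent = $byPid[[uint32]$proc.ParentProcessId]
    # PIDs are reused: a "parent" that started after the child is an unrelated process.
    if ($parent -and $parent.CreationDate -gt $proc.CreationDate) { $parent = $null }

    # Remote endpoints currently owned by this process (loopback and wildcards dropped).
    $remote = Get-NetTCPConnection -OwningProcess $proc.ProcessId -ErrorAction SilentlyContinue |
        Where-Object { $_.RemoteAddress -notin '0.0.0.0', '::', '127.0.0.1', '::1' } |
        ForEach-Object { '{0}:{1}' -f $_.RemoteAddress, $_.RemotePort }

    [pscustomobject]@{
        Name        = $proc.Name
        ProcessId   = $proc.ProcessId
        CommandLine = $proc.CommandLine      # for rundll32 this names the DLL and export
        ParentId    = $proc.ParentProcessId
        ParentName  = if ($parent) { $parent.Name } else { '<exited>' }
        ParentCmd   = if ($parent) { $parent.CommandLine } else { $null }
        Remote      = ($remote | Sort-Object -Unique) -join ', '
    }
}
$report | Format-List

# Pending RunOnce entries: these are what runonce.exe will launch at the next logon.
# Entries are normally deleted once processed, so check before rebooting.
$keys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($key in $keys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item -Path $key
    foreach ($name in $item.GetValueNames()) {
        [pscustomobject]@{ Key = $key; Entry = $name; Command = $item.GetValue($name) }
    }
}
```

Both processes are often short-lived, so run the snapshot while the firewall prompt is still on screen; a process that has already exited will not appear.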