First, thanks to dcs for pg3, it is working fine on my computer. I would like advice about settings in pg3. Should I add "rundll32.exe" to pg3's "protection"? And if so, what should the settings be? I am aware that there are some default settings; besides those, what should I have, if anyone can tell me? I want specifics like "allow global hooks", "allow termination of protected processes", or "don't add rundll32.exe to pg's protection". While I am here, what are the default settings for "svchost.exe"? I want to make sure that I have the default settings without restoring the defaults and having to redo everything. Thanks
Hmmm. rundll is a difficult case. It's just a launcher (as you might know, dll files contain executable code, but they are not executed themselves; they are loaded into applications that need their functions. So, if you want to execute one of the functions (f.ex. system functions like shutdown, dial-in etc.) without an "app around it", you use rundll32.exe and tell it which function out of which dll file is to be executed; then rundll loads that module, executes the specified function and terminates when the function is done). But the function that will be launched by it will inherit rundll's privileges. So, it can be anything - and require anything. If rundll is used to call a legitimate task-manager-like function in some dll, then rundll32 should better have terminate privileges. If rundll is used to call a malware dll, it shouldn't have those privs. If rundll is used to call a keyboard handler, then it should get "allow global hooks" privileges; if it is used to call a malware keyboard logger, then it shouldn't. Of course the problem is that you do not know beforehand what is going to call rundll. Thus, my suggestion would be not to give it any allowances. Unless, that is, you know that some of your legitimate *important* applications use it and don't work without it. (But not giving it those privileges and just watching the log is the best way to find this out.) As far as protection is concerned - why would anyone want to attack it? Unless, again, some of your *important* apps use it. Say you have a trojan that wants to mess with the dial-in routine. It can either patch the dll where that routine is stored, or it can sit and wait until rundll loads the routine and then patch rundll's memory. So, protecting it does something. The question is only - would a trojan want to mess with the dial-in routine in the first place? And even if it would, wouldn't it probably take other approaches?
(Replacing the dll target altogether, using rundll to run its own dll as well, patching the LSP stack, ...) OTOH, what does it hurt to include it and protect it from modification and termination? nothing. I would include it in the protection list and protect it from mod/term, but nothing more. And I would suggest trying to get a picture of how often it is called, and on which occasions. Then maybe you can drop it again from the list. (Or, although it's unlikely, grant it more extensive privileges.) HTH, Andreas
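Andreas's closing advice is to watch the log and build a picture of how often rundll32 is called and with which targets. The script below is an added example, not code from the thread or from ProcessGuard: it parses the documented rundll32 command-line form (`rundll32.exe <dll>,<entrypoint> [args]`, with the DLL name either quoted or running up to the first comma or space), tallies calls per target, and gives each call a coarse label based on where the DLL lives. The system directory paths and the constructed sample command lines are assumptions for the example; the log lines are made up, and the label for a bare DLL name is "unqualified" because the loader's search order decides which file is actually hit, which the command line alone cannot tell you.

```python
import re
from collections import Counter

# Where rundll32.exe and its legitimate targets normally live. Assumption for
# this example (default Windows install on drive C:); adjust for your box.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Markers of user-writable locations; a DLL handed to rundll32 from one of
# these deserves a closer look.
USER_WRITABLE_MARKERS = ("\\temp\\", "\\users\\public\\", "\\downloads\\", "\\appdata\\")


def _take_token(s):
    """Split off the first token, honouring double quotes. Returns (token, rest)."""
    s = s.lstrip()
    if not s:
        return "", ""
    if s.startswith('"'):
        end = s.find('"', 1)
        if end == -1:
            return s[1:], ""
        return s[1:end], s[end + 1:]
    m = re.match(r"(\S*)(.*)", s, re.DOTALL)
    return m.group(1), m.group(2)


def parse_rundll32(cmdline):
    """Parse 'rundll32.exe <dll>,<entry> [args]' into a dict.

    Returns None when the command line does not start with rundll32 at all.
    """
    exe, rest = _take_token(cmdline)
    if not exe.lower().endswith(("rundll32", "rundll32.exe")):
        return None
    rest = rest.lstrip()
    # The DLL name is either quoted, or runs up to the first comma or space.
    if rest.startswith('"'):
        dll, rest = _take_token(rest)
    else:
        m = re.match(r"([^,\s]*)(.*)", rest, re.DOTALL)
        dll, rest = m.group(1), m.group(2)
    rest = rest.lstrip()
    entry = ""
    if rest.startswith(","):
        entry, rest = _take_token(rest[1:])
    return {"exe": exe, "dll": dll, "entry": entry, "args": rest.strip()}


def classify(call):
    """Coarse risk label for one parsed rundll32 call."""
    exe, dll = call["exe"].lower(), call["dll"].lower()
    if "\\" in exe and not exe.startswith(SYSTEM_DIRS):
        return "rundll32-outside-system-dir"
    if not dll:
        return "no-target"
    if "\\" not in dll:
        # Bare name: resolved by the loader's search order, so the log alone
        # cannot tell you which file was actually loaded.
        return "unqualified"
    if dll.startswith(SYSTEM_DIRS):
        return "system"
    if any(marker in dll for marker in USER_WRITABLE_MARKERS):
        return "user-writable"
    return "other"


def summarize(cmdlines):
    """Count rundll32 calls per (dll, entry) target and per risk label."""
    by_target, by_class = Counter(), Counter()
    for line in cmdlines:
        call = parse_rundll32(line)
        if call is None:
            continue  # some other process, not rundll32
        by_target[(call["dll"].lower(), call["entry"])] += 1
        by_class[classify(call)] += 1
    return by_target, by_class


# Constructed sample command lines (not real log data) in the shape a
# process-execution log would hand you.
SAMPLE_CMDLINES = [
    r'rundll32.exe shell32.dll,Control_RunDLL desk.cpl',
    r'"C:\WINDOWS\system32\rundll32.exe" user32.dll,LockWorkStation',
    r'C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\shell32.dll,Control_RunDLL desk.cpl',
    r'rundll32.exe "C:\Program Files\Example App\helper.dll",RunHelper /quiet',
    r'rundll32.exe "C:\Documents and Settings\user\Local Settings\Temp\x.dll",#1',
    r'notepad.exe C:\notes.txt',
]

if __name__ == "__main__":
    targets, classes = summarize(SAMPLE_CMDLINES)
    for (dll, entry), n in targets.most_common():
        print(f"{n:3d}  {dll},{entry}")
    print(dict(classes))
```

Feed it the command lines from whatever log you keep and the per-target counts show which legitimate apps actually depend on rundll32, while the "user-writable" and "rundll32-outside-system-dir" buckets are the ones worth reading line by line before granting any allowances.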
Hi Redwolf,
To add to Andreas's post, I have the following settings for rundll32.exe and svchost.exe on a Windows XP SP2 box.

"Protect Application from": Termination, Modification
"Authorize this application to": Modify protected applications, Read from protected applications.

svchost.exe
Same as above but with:
"Other options for this application": Access physical memory

HTH Pilli
I've had alerts for rundll32.exe concerning "access physical memory" and had to permit this. I don't remember which program on my system required it.
Hi siliconman01, I have had no alerts regarding rundll32, though I sometimes get one or two alerts from various listed programs when they first start, but I put this down to them thinking they may need to do the action without actually doing it, so I ignore them. If a program is persistent or I notice something not working correctly, then I will give the program the necessary allows, as long as I trust it. Pilli