Block DLL files/appinit_dlls

Discussion in 'ProcessGuard' started by redwolfe_98, Jan 8, 2004.

Thread Status:
Not open for further replies.
  1. redwolfe_98

    redwolfe_98 Registered Member

    Joined:
    Feb 14, 2002
    Posts:
    581
    Location:
    South Carolina, USA
    can someone shed some light on what this feature does? i didn't see any explanation of it in the help files. could enabling this feature (in protection options) cause any conflicts, like when installing programs or windows updates? incidentally, i have always enabled this feature, "block dll files from being added to app_init_dlls regkey", but i don't know what it is. thanks
     
  2. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi Redwolfe_98, I believe this is roughly how it works but you will have to wait for DCS to get a proper description :)
    If a malicious programme tries to create a registry entry Appinit - Application Initiation for an injected .dll (one associated with a listed Application) PG will block the attempt, thus rendering the malware unstartable.

    You are correct in saying there is no direct reference to this feature in the help file.

    HTH a little. Pilli
     
  3. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    If I remember right, all DLLs added to this registry area are loaded by every application starting, making this a great opportunity for malware/trojans to load inside trusted apps without any security software noticing it, because it's the app itself which loads the DLL.

    By blocking this, PG ensures your applications' integrity :)
     
  4. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Here's adware which uses this method
    http://www.sarc.com/avcenter/venc/data/trojan.bookmarker.html


    When the Msconfd.dll file is loaded, it does the following:

    Adds the value:

    "AppInit_DLLs"="msconfd.dll"

    to the registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

    so that the .dll file is loaded each time you start Windows NT/2000/XP.
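
A read-only audit of the registry value quoted above, added here as an example; it is not part of the thread and not ProcessGuard's own code. It assumes a Windows host with PowerShell 4 or later, and it assumes that a bare DLL name resolves against the system directory. The `Wow6432Node` key, `LoadAppInit_DLLs` and `RequireSignedAppInit_DLLs` are not mentioned in the thread; they exist only on later Windows versions and are reported as empty when absent.

```powershell
# Added example: list every DLL registered in AppInit_DLLs and show whether
# the file exists, its Authenticode status and its SHA-256. Nothing is modified.
$AppInitKeys = @(
    # Key quoted in the thread.
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    # 32-bit registry view on 64-bit Windows (not mentioned in the thread).
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
)

function Get-AppInitAudit {
    param([string[]]$KeyPath = $AppInitKeys)

    foreach ($key in $KeyPath) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key

        # The value is a list of DLL names separated by spaces or commas.
        $dlls = @(([string]$props.AppInit_DLLs) -split '[ ,]+' | Where-Object { $_ })

        # Assumption: a name without a path is looked up in the system directory.
        $sysDir = if ($key -like '*Wow6432Node*') { "$env:windir\SysWOW64" }
                  else { "$env:windir\System32" }

        foreach ($dll in $dlls) {
            $path = if (Split-Path -Path $dll -IsAbsolute) { $dll }
                    else { Join-Path $sysDir $dll }
            $exists = Test-Path -LiteralPath $path -PathType Leaf

            [pscustomobject]@{
                Key           = $key
                Dll           = $dll
                ResolvedPath  = $path
                Exists        = $exists
                Signature     = if ($exists) { (Get-AuthenticodeSignature -FilePath $path).Status }
                SHA256        = if ($exists) { (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash }
                # Later Windows versions only; empty when the value is absent.
                LoadAppInit   = $props.LoadAppInit_DLLs
                RequireSigned = $props.RequireSignedAppInit_DLLs
            }
        }
    }
}

# No output means the value is empty in every key that was checked.
Get-AppInitAudit | Format-List
```

Any entry that is unexpected, unsigned or missing on disk is worth reviewing, since every DLL listed in this value is loaded into the processes described in the posts above.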
     