Block DLL files/appinit_dlls

Discussion in 'ProcessGuard' started by redwolfe_98, Jan 8, 2004.

Thread Status:
Not open for further replies.
  1. redwolfe_98

    redwolfe_98 Registered Member

    Joined:
    Feb 14, 2002
    Posts:
    581
    Location:
    South Carolina, USA
    Can someone shed some light on what this feature does? I didn't see any explanation of it in the help files. Could enabling this feature (in protection options) cause any conflicts, like when installing programs or Windows updates? Incidentally, I have always enabled this feature, "block dll files from being added to app_init_dlls regkey", but I don't know what it is. Thanks
     
  2. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi Redwolfe_98, I believe this is roughly how it works, but you will have to wait for DCS to get a proper description :)
    If a malicious programme tries to create a registry entry under AppInit (Application Initialisation) for an injected .dll (one associated with a listed application), PG will block the attempt, thus rendering the malware unstartable.

    You are correct in saying there is no direct reference to this feature in the help file.

    HTH a little. Pilli
     
  3. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    If I remember right, all DLLs added to this registry area are loaded by every application that starts, making this a great opportunity for malware/trojans to load inside trusted apps without any security software noticing it, because it's the app itself which loads the DLL.

    By blocking this, PG ensures your applications' integrity :)
     
  4. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Here's adware which uses this method:
    http://www.sarc.com/avcenter/venc/data/trojan.bookmarker.html

    When the Msconfd.dll file is loaded, it does the following:

    Adds the value:

    "AppInit_DLLs"="msconfd.dll"

    to the registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

    so that the .dll file is loaded each time you start Windows NT/2000/XP.
     
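An added audit script (not from this thread, ProcessGuard or DiamondCS) that parses the AppInit_DLLs value under the key Gavin quotes and reports any DLL not on an explicit allowlist, so an entry like msconfd.dll stands out. The LoadAppInit_DLLs check goes beyond the thread: that value only exists on Windows Vista and later, not the NT/2000/XP systems discussed here, and it is assumed absent elsewhere.

```python
"""Audit AppInit_DLLs: list the DLLs every user-mode process would load."""
import re
import sys

# Key quoted in the thread (under HKEY_LOCAL_MACHINE).
APPINIT_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"


def parse_appinit_dlls(value):
    """Split the AppInit_DLLs string into DLL names.

    Windows accepts a space- or comma-separated list; bare names are
    resolved through the normal DLL search path by each loading process.
    """
    return [p for p in re.split(r"[ ,]+", value.strip()) if p]


def audit_appinit(value, allowlist=()):
    """Return the entries that are not on the allowlist (case-insensitive)."""
    allowed = {a.lower() for a in allowlist}
    return [d for d in parse_appinit_dlls(value) if d.lower() not in allowed]


def read_appinit_from_registry():
    """Return (AppInit_DLLs, load_enabled) from the live registry on Windows.

    Off Windows, or when the value is unset, returns ("", True). The
    LoadAppInit_DLLs gate (Vista and later) is treated as enabled when absent.
    """
    if sys.platform != "win32":
        return "", True
    import winreg  # Windows-only module
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, APPINIT_KEY) as key:
        try:
            value, _ = winreg.QueryValueEx(key, "AppInit_DLLs")
        except FileNotFoundError:
            value = ""
        try:
            load_flag, _ = winreg.QueryValueEx(key, "LoadAppInit_DLLs")
        except FileNotFoundError:
            load_flag = 1
    return (value if isinstance(value, str) else ""), bool(load_flag)


if __name__ == "__main__":
    value, enabled = read_appinit_from_registry()
    # Constructed sample mirroring the Trojan.Bookmarker entry from the thread.
    value = value or "msconfd.dll"
    for dll in audit_appinit(value, allowlist=()):
        state = "loaded by every process" if enabled else "present but gated off"
        print(f"unexpected AppInit_DLLs entry: {dll} ({state})")
```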