Block DLL files/appinit_dlls

can someone shed some light on what this feature does? i didn't see any explanation of it in the help files. could enabling this feature (in protection options)cause any conflicts, like when installing programs or windows updates? incidentally, i have always enabled this feature, "block dll files from being added to app_init_dlls regkey", but i don't know what it is. thanks

 

Hi Redwolfe_98, I believe this is roughly how it works but you will have to wait for DCS to get a proper description
If a malicious programme tries to create a registry entry Appinit - Application Initiation for an injected .dll (one associated with a listed Application) PG will block the attempt thus renedering the malware unstartable.

You are correct in saying there is no direct reference to this feature in the help file.

HTH a little. Pilli

 

If i remember right, all DLL added to this registry area are loaded by every application starting, making this a great opportunity for malware/trojans to load inside trusted apps without any security software notice it, because it's the app itself which load the DLL.

By blocking this, PG ensure your applications integrity

 

Heres Adware which uses this method
http://www.sarc.com/avcenter/venc/data/trojan.bookmarker.html


When the Msconfd.dll file is loaded, it does the following:

Adds the value:

"AppInit_DLLs"="msconfd.dll"

to the registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

so that the .dll file is loaded each time you start Windows NT/2000/XP.