Firewall decisions runonce and rundll32

Discussion in 'other anti-malware software' started by chrcol, Jul 16, 2016.

  1. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    761
    Location:
    UK
    I keep getting prompts for these, but given I have no idea what is sourcing these prompts, I have been denying the vast majority of them. The destination IP is usually Akamai or CacheFly CDN; I have had one or two also for Cloudflare CDN, which doesn't help much.

    Thoughts?
     
  2. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    1,732
  3. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    761
    Location:
    UK
    So those providers have never been used by malware?
     
  4. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    If they are legit IPs, then some product/s "might" be trying to update themselves automatically. Both those .exe's can be used in the install process, but IMO they should NOT require www access! I would block ALL such attempts. Malware etc. often uses those .exe's.

    Next time you notice it happening, run Process Explorer etc. and try to discover what app etc. is invoking those .exe's.
     
  5. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    1,631
    Location:
    Toronto, Canada
    You need to determine which parent process is triggering runonce.exe and rundll32.exe, particularly since this appears to be a new behaviour that you are seeing on your machine.
     
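The parent-process check that CloneRanger and WildByDesign describe, as an added example that is not part of this thread: a PowerShell script that first snapshots any rundll32.exe/runonce.exe currently running with its parent chain, then registers a WMI process-creation watcher that records the parent of every new instance, since most of these processes exit within a second. Assumed environment: Windows PowerShell 5.1 or later in an elevated session (so other accounts' command lines are readable). The log file name under $env:TEMP and the source identifier WatchRunOnceRundll32 are my own choices.

```powershell
# Added example, not from the thread: attribute rundll32.exe / runonce.exe to whatever launched them.
# Assumes Windows PowerShell 5.1+ with the CIM cmdlets, run elevated so that the command lines
# of processes owned by other accounts are visible.

$Watched = @('rundll32.exe', 'runonce.exe')

function Get-ParentChain {
    # Walk ParentProcessId upward. Windows reuses PIDs, so a "parent" that was created after
    # its supposed child is an unrelated process; stop there and say so instead of guessing.
    param([uint32]$ProcessId, [int]$MaxDepth = 8)
    $chain   = @()
    $current = Get-CimInstance Win32_Process -Filter "ProcessId = $ProcessId" -ErrorAction SilentlyContinue
    for ($i = 0; $current -and $i -lt $MaxDepth; $i++) {
        $chain += [pscustomobject]@{
            Depth       = $i
            ProcessId   = $current.ProcessId
            Name        = $current.Name
            CommandLine = $current.CommandLine
        }
        $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($current.ParentProcessId)" -ErrorAction SilentlyContinue
        if (-not $parent -or $parent.ProcessId -eq $current.ProcessId) { break }   # parent gone, or root reached
        if ($parent.CreationDate -gt $current.CreationDate) {                      # PID reused by a newer process
            $chain += [pscustomobject]@{ Depth = $i + 1; ProcessId = $parent.ProcessId; Name = '(PID reused, real parent already exited)'; CommandLine = '' }
            break
        }
        $current = $parent
    }
    return $chain
}

# 1. Snapshot: anything currently running, with its ancestry.
foreach ($p in (Get-CimInstance Win32_Process | Where-Object { $Watched -contains $_.Name })) {
    "`n== $($p.Name) PID $($p.ProcessId): $($p.CommandLine)"
    Get-ParentChain -ProcessId $p.ProcessId | Format-Table -AutoSize | Out-String
}

# 2. Watch: log the parent of every new instance. WITHIN 1 polls once a second, so a process that
#    lives for less than that can still be missed (see the note below for the persistent alternatives).
$LogFile = Join-Path $env:TEMP 'runonce-rundll32-parents.log'   # hypothetical path, my choice
$query   = "SELECT * FROM __InstanceCreationEvent WITHIN 1 WHERE TargetInstance ISA 'Win32_Process' " +
           "AND (TargetInstance.Name = 'rundll32.exe' OR TargetInstance.Name = 'runonce.exe')"

Register-CimIndicationEvent -Query $query -SourceIdentifier 'WatchRunOnceRundll32' -MessageData $LogFile -Action {
    $p          = $Event.SourceEventArgs.NewEvent.TargetInstance
    $parent     = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)" -ErrorAction SilentlyContinue
    $parentPath = if ($parent) { $parent.ExecutablePath } else { '(parent already exited)' }
    $line = '{0:yyyy-MM-dd HH:mm:ss} {1} pid={2} parent={3} {4} cmd={5}' -f (Get-Date), $p.Name, $p.ProcessId, $p.ParentProcessId, $parentPath, $p.CommandLine
    Add-Content -Path $Event.MessageData -Value $line
}

"Watching. Review $LogFile after the next firewall prompt; stop with: Unregister-Event -SourceIdentifier WatchRunOnceRundll32"
```

The watcher only lives as long as the PowerShell session, so it helps with prompts that appear while you are logged in. For launches that happen during boot or logon, before any session exists, the persistent records are Windows' own process-creation auditing (Security event 4688, with the "Include command line in process creation events" policy enabled, which records the creator process) or Sysmon event ID 1, both of which log the parent at creation time rather than relying on a later lookup.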
  6. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    761
    Location:
    UK
    That's the problem: how is it determined?

    I ended up allowing runonce.exe, as so much software nowadays only checks for updates on a bootup; instead of on the scheduler, they rely on it, and sure enough I was blocking the Java updater.

    I am not going to give rundll32 * access to the internet, though. That one, when I can find the owner of the IPs, is usually Microsoft calling home.

    Also, to add, it's not really new; it's just something I haven't put much time into, so I have been ignoring it.
     
  7. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    1,732
    My firewall offers a special rundll32 rule for TCP port 80, TCP port 443 and UDP port 53 (HTTP/HTTPS/DNS).

    I think it can determine rundll32 processes and flag them like that.

    Java update programs are: jusched.exe, jucheck.exe and jaureg.exe
    C:\Program Files\Common Files\Java\Java Update

    Querying all auto-start sections:
    https://technet.microsoft.com/de-de/sysinternals/bb963902.aspx
     
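Brummelchen's firewall ships a dedicated rundll32 rule; the following is an added example, not from the thread, that does the equivalent in the built-in Windows Defender Firewall and takes CloneRanger's "block ALL such attempts" position for both binaries. It is assumed to run in an elevated Windows PowerShell 5.1+ session; the rule display names are my own choices.

```powershell
# Added example, not from the thread: explicit outbound block rules for rundll32.exe and runonce.exe
# in Windows Defender Firewall, plus logging of blocked connections so the prompts become log lines.
# Assumes an elevated Windows PowerShell 5.1+ session; rule names are my own choices.

$Targets = @(
    "$env:SystemRoot\System32\rundll32.exe",
    "$env:SystemRoot\SysWOW64\rundll32.exe",   # 32-bit copy on 64-bit Windows
    "$env:SystemRoot\System32\runonce.exe",
    "$env:SystemRoot\SysWOW64\runonce.exe"
)

foreach ($exe in $Targets) {
    if (-not (Test-Path -LiteralPath $exe)) { continue }          # e.g. no SysWOW64 on 32-bit Windows
    $dir  = Split-Path (Split-Path $exe -Parent) -Leaf
    $name = "Block outbound - $(Split-Path $exe -Leaf) ($dir)"
    if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) { continue }   # idempotent re-runs
    New-NetFirewallRule -DisplayName $name `
        -Description 'Deny all outbound traffic from this host-process binary; updaters should connect from their own process.' `
        -Direction Outbound -Program $exe -Action Block -Profile Any -Enabled True | Out-Null
}

# Block rules take precedence over allow rules, so an allow rule created by an earlier prompt cannot
# override these. Log what gets dropped so the decision is reviewable afterwards.
Set-NetFirewallProfile -All -LogBlocked True `
    -LogFileName "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"

# Verify which programs the new rules cover.
Get-NetFirewallRule -DisplayName 'Block outbound - *' |
    Get-NetFirewallApplicationFilter |
    Select-Object Program | Format-Table -AutoSize
```

Expect some Windows components to be caught by the rundll32 rule (chrcol notes those connections usually resolve to Microsoft); the firewall log records the time, destination and port of each drop, and pairing a dropped line's timestamp with a process-creation record tells you which parent launched the instance that tried to connect.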
  8. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    761
    Location:
    UK
    Yeah, but the problem was jusched was nowhere to be seen in the firewall log; it was simply runonce.exe.
     
  9. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    1,732
  10. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    761
    Location:
    UK
    I use Autoruns. But there are many things that run on boot, so I would still be guessing.
     
  11. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    1,732
    It's all in the tabs: description, publisher, path.
    You have to provide information, maybe as images.

    runonce is part of "Logon".
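Brummelchen's pointer to the Autoruns Logon tab (and the autostart query link earlier in the thread) can be reproduced for the Run/RunOnce registry keys with the script below, an added example that is not part of this thread. It lists each entry with its resolved executable path and Authenticode publisher, which is the path/publisher view Autoruns gives, so an entry that is unsigned or whose file is missing stands out. It covers only the Run and RunOnce keys (runonce.exe, Windows' "Run Once Wrapper", exists to execute RunOnce entries), not the Startup folders, Winlogon or scheduled-task locations that Autoruns also lists; Windows PowerShell 5.1+ is assumed. The function names are my own.

```powershell
# Added example, not from the thread: list Run / RunOnce logon entries with the path and
# publisher of the file they launch. Covers only these registry keys, not the other Logon
# locations Autoruns shows. Assumes Windows PowerShell 5.1+; function names are my own.

$Keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$ProviderProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Resolve-CommandExe {
    # Extract the executable from a command such as  "C:\x\a.exe" -arg  or  C:\x\b.exe /q
    # An unquoted path containing spaces is ambiguous and is cut at the first space; the
    # Command column still shows the raw value so such cases can be read by eye.
    param([string]$Command)
    $cmd = $Command.Trim()
    if ($cmd -match '^"([^"]+)"') { $exe = $Matches[1] } else { $exe = ($cmd -split '\s+')[0] }
    return [Environment]::ExpandEnvironmentVariables($exe)
}

function Get-LogonAutostarts {
    foreach ($key in $Keys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($name in ($props.PSObject.Properties.Name | Where-Object { $ProviderProps -notcontains $_ })) {
            $cmd = [string]$props.$name
            $exe = Resolve-CommandExe $cmd
            $sig = if (Test-Path -LiteralPath $exe) { Get-AuthenticodeSignature -FilePath $exe } else { $null }
            [pscustomobject]@{
                Key       = $key -replace '^HK(LM|CU):\\SOFTWARE\\', 'HK$1\'
                Name      = $name
                Path      = $exe
                Status    = if ($sig) { $sig.Status } else { 'missing file' }   # Valid / NotSigned / HashMismatch / ...
                Publisher = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                Command   = $cmd
            }
        }
    }
}

# Unsigned entries and dangling references sort to the top for review.
Get-LogonAutostarts | Sort-Object Status, Key | Format-Table -AutoSize -Wrap
```

Run it in an elevated session to see the HKLM keys of all users' contexts correctly; a RunOnce value disappears once it has executed, so run it before the next reboot if you want to see what runonce.exe is about to launch.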