Discussion in 'ProcessGuard' started by Rmus, May 30, 2005.
I notice that many users of PG give rundll.exe permission to run once. Why is this?
Hi Rich, There is a risk. RunDLL32.exe is in itself harmless, as it is a system file. Malware/badly coded programs/etc. can use RunDLL32 to open popups, run keyloggers, etc., so some types of malware could use rundll32 for installing malware if it is given Permit Always.
If you get an unexpected request from an unknown program, either ask here or google for further information on the unknown program.
OK, thanks. I posted a few questions in another thread when I was looking for information on various anti-exe programs, but didn't see anything specific to this.
Since most of these types of programs create a white list, I don't understand why you would worry about rundll.exe opening any malware, because no malware could ever install since it wasn't on the white list. At least that was my understanding of how PG works, but I may be wrong.
Yes Rich, Processguard does check all .exe start ups and also any changes but I suppose there is a chance that one could inadvertently allow an .exe to install malware that may install another process or form of injection that is invoked by rundll32 say after a reboot. Hopefully DCS or a malware expert can describe a mechanism better than I.
Thanks, Pilli. I think this is one good reason to have a lockdown program as the last line of defense, such as ShadowUser or Deep Freeze: upon reboot, any inadvertent installation would be removed.
As a matter of fact, since you bring up injection, I did write another company, and I'll share his response, if you'll accept it just in the interest of adding to the discussion, since it's a different company.
My question was about Alternate Data Streams injection, but it can really apply to all types of injection where a file is altered:
Answer = Yes, when installing Anti-Executable or by turning it on, we build a hash key of every executable including dlls installed at that point. If an executable is used by ADS to inject anything into another file, Anti-Executable will stop it. If by any means, it does get through, then since the data in the whitelist is not the same, it will recognize it as an unauthorized executable and not run.
I just assumed PG did the same thing, so that once your whitelist is created, you don't really have to worry about it.
When giving permission to install something, of course, this is a different scenario.
Yes, PG does create an MD5 hash for every .exe that is on its list.
With the four General protection tabs enabled you also effectively:
Protect Physical Memory
Block Global Hooks
Block Rootkit/Driver/Service Installation
Block Registry DLL Injection
Regarding Add-Streams this link may help: http://www.diamondcs.com.au/index.php?page=archive&id=ntfs-streams.
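The whitelist behaviour the thread describes (snapshot a hash of every executable when protection is turned on, then refuse anything whose hash no longer matches or that was never snapshotted), as an added Python example that is not ProcessGuard's or Anti-Executable's own code. The file names and contents are constructed placeholders, and it uses SHA-256 rather than the MD5 mentioned above because MD5 collisions are practical today.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Added example (not ProcessGuard's or Anti-Executable's code): a minimal
# hash-based executable whitelist of the kind discussed in this thread.


def file_hash(path):
    """Return the SHA-256 hex digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_whitelist(paths):
    """Snapshot the hash of every executable present when protection is enabled."""
    return {os.path.abspath(p): file_hash(p) for p in paths}


def is_allowed(path, whitelist):
    """Allow a file only if it was snapshotted AND its hash still matches.
    A file altered after the snapshot (e.g. by code injected into it) hashes
    differently and is treated as an unknown executable, as the thread says."""
    key = os.path.abspath(path)
    return key in whitelist and file_hash(path) == whitelist[key]


def demo():
    """Constructed scenario: two fake 'executables', one later tampered with."""
    with tempfile.TemporaryDirectory() as d:
        good = Path(d, "rundll32.exe")  # placeholder bytes, not a real binary
        other = Path(d, "notepad.exe")
        good.write_bytes(b"MZ original rundll32 image")
        other.write_bytes(b"MZ original notepad image")
        wl = build_whitelist([good, other])
        intact = is_allowed(good, wl)
        # Simulate an injection that alters the file on disk after the snapshot.
        good.write_bytes(b"MZ original rundll32 image" + b"<injected>")
        tampered = is_allowed(good, wl)
        # A newly dropped file was never snapshotted, so it is denied as well.
        dropped = Path(d, "dropper.exe")
        dropped.write_bytes(b"MZ new binary")
        return {"intact": intact, "tampered": tampered, "new_file": is_allowed(dropped, wl)}


if __name__ == "__main__":
    print(demo())  # {'intact': True, 'tampered': False, 'new_file': False}
```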
Thanks for the clarification, and the link - very informative.