Rundll32.exe - To Permit or not?

Discussion in 'ProcessGuard' started by TopperID, Dec 20, 2004.

Thread Status:
Not open for further replies.
  1. Dieter Bressem

    Dieter Bressem Registered Member

    Joined:
    Sep 1, 2004
    Posts:
    36
    Location:
    Germany
    Thanks - excellent tip!

    Hi gottadoit,

    indeed, I was shocked when I saw that the registry had been modified by a malicious program 3 days (!) ago and no security component on my comp detected the change immediately. (And I thought that I was safe!)
    Last week I asked some friends for a "registry tracker" to show an alert in time. But they all said that there is no such program available.
    I just downloaded and installed the RegWatcher.
    Thanks for your excellent advice.

    Dieter
     
  2. earth1

    earth1 Registered Member

    Joined:
    Oct 17, 2004
    Posts:
    177
    Location:
    Kansas, USA
    I, too, want to support this approach. It sounds simple, secure and effective.
     
  3. ChuckO

    ChuckO Registered Member

    Joined:
    Jan 17, 2005
    Posts:
    1
  4. earth1

    earth1 Registered Member

    Joined:
    Oct 17, 2004
    Posts:
    177
    Location:
    Kansas, USA
    Thanks ChuckO, and welcome to Wilders.
     
  5. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    605
    Location:
    Australia
    Wayne/Gavin,
    After a recent flurry of rundll prompts I was reminded of this thread and I was wondering if you had considered if or when these requests might get incorporated into PG ?

    Thanks
     
  6. Andreika

    Andreika Guest

    The great solution to this problem was already proposed - add one more option to the execute permission dialog, like:
    " [ ] For these parameters only"
    And make it checked as default for rundll32. It's not that hard to add this feature for the next version of PG, I hope.
    So it would be easy to permit or deny only needed rundll32 commands (also checking "always perform this action"). And perhaps it could be useful for other programs too...
     
  7. Shrek

    Shrek Guest

    RUNDLL32 does not normally appear in the Task List in Windows. It tends to appear only when you are already having problems of some sort with your PC, or a particular DLL is either misbehaving, is buggy, or is having problems, such as a Control Panel applet hanging for example. If you see RUNDLL32 in your Task List persistently then you should be [slightly] worried.

    RUNDLL32 in your Task List (as opposed to in your Startups) can sometimes be one of the W32.Miroot.Worm / W32/Legemer.Worm / W32.HLLW.Sanker viruses (or another virus).

    http://www.answersthatwork.com/
     
  8. Shamunda

    Shamunda Guest

    Shrek, I'm not sure if that's entirely true. I have fresh installs of Windows on test systems completely isolated from any network whatsoever (these systems are used for making images), and if I open Task Manager the list is empty.

    However, if I open the "Processes" list I always see one instance of RunDLL32 running. I'm fairly certain these systems are not compromised. These systems have a clean base of Windows XP/2003, an antivirus solution, and PG. Unless it's PG or the AV solution using RunDLL32, there's nothing else.

    Perhaps it's possible there is something rogue on the system, but after reading your post I have put these systems through complete audits and haven't found anything that's malicious.

    As far as something hanging on the system, that's possible, but I'm not getting any evidence of such an issue. There isn't anything installed except for the above mentioned, and those are working as far as I can tell.

    Could you point me to the article where you received your information so I can cover all bases?

    Thanks.
     
  9. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    As a result of this thread, I long ago set Rundll32.exe to permit once; and to avoid the annoyance of 2 PG pop-ups every bootup, I also removed the following from my auto-start line-up:-

    [NvCplDaemon] RUNDLL32.EXE

    [NVIEW] rundll32.exe nview.dll,nViewLoadHook

    I don't seem to have Rundll32.exe in my TM running processes; so why not check on your auto-starts?
     
  10. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    I have Rundll32.exe two times in my Task Manager and always have since I got this computer two years ago. So, I seriously doubt that the computer is compromised. I don't have any evidence of anything hanging either.
     
  11. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    605
    Location:
    Australia
    Wayne/Gavin,
    It's been a little while since I asked, and I am not asking you to commit to doing it; I was just wondering if this had been considered and, if so, whether it is likely to be in a subsequent round of updates.

    Gavin mentioned in another thread that more updates are planned, hence the question.

    Thanks
     
    Last edited: Dec 2, 2005
  12. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    I'd like to second this - from a security standpoint it should be the most important issue to address, but in a way that allows generic coverage of similar processes (svchost, javaw, cmd, etc).
     
  13. Pete99

    Pete99 Registered Member

    Joined:
    Apr 21, 2006
    Posts:
    47
    Location:
    U.S.
    I agree.

    I'm sure that it's much more complicated than the following suggestion, but I'm posting it since I haven't seen anyone mention it at this level of detail. Consider the following example:

    "Malware Program" calls Program X which calls Program Y which calls any of rundll.exe, cmd.exe, taskmgr.exe, etc.

    In that situation, I wonder if it's possible (and good) if PG would check the terminate permissions of every program in the process chain and deny the request if any of the programs does not have terminate permission. It seems that this kind of logic could simplify PG's configuration and operation, and increase its security.

    This idea could be extended to permissions other than termination (e.g. accessing physical memory).

    I think that the current workaround ("Allow Once"), besides being inconvenient, is ineffective in the case of running a new program for the first time on the computer. For example, I download a shareware program. Even if I spend a lot of time researching it, there's no guarantee that it's not malware -- I simply cannot know 100%. In this case, it doesn't matter if I use "Allow Once" or "Allow Always" because I'm going to allow it. The only way to protect myself seems to be if PG checks all the parent processes for individual permissions such as termination. This would provide much more control and safety in this situation.

    Regarding the feature request to check the arguments to rundll.exe, I think that that only addresses one part of the much larger problem. Also, it could be tedious to maintain the list of allowed arguments (at least for me).

    I agree with Paranoid2000 that it would be nice to have a single solution for everything:
     
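    A sketch of the two ideas raised in this thread, Andreika's "for these parameters only" check on rundll32's arguments and Pete99's walk up the parent-process chain, as an added Python example that is not ProcessGuard's code. The process table, the approved-argument list and the `may_terminate` flag are constructed stand-ins for whatever PG really keeps; only the `nview.dll,nViewLoadHook` entry comes from this thread.

```python
from collections import namedtuple
from typing import Dict, List, Tuple

# Hypothetical policy, not ProcessGuard's own: rundll32 is approved only for these DLL,entry pairs.
ALLOWED_RUNDLL32_ARGS = {"nview.dll,nviewloadhook"}  # the NVIDIA auto-start entry quoted above
# Process record; may_terminate stands in for PG's per-program "terminate" permission.
Process = namedtuple("Process", "pid ppid image cmdline may_terminate")

def rundll32_args_allowed(cmdline: str) -> bool:
    """Andreika's 'for these parameters only': judge the DLL,entry token alone."""
    parts = cmdline.split(None, 1)
    if len(parts) < 2:
        return False  # bare rundll32 with no argument: nothing to approve
    dll, _, entry = parts[1].split()[0].partition(",")  # paths containing spaces not handled
    dll = dll.replace("\\", "/").rsplit("/", 1)[-1]     # compare on file name, not full path
    return f"{dll},{entry}".lower() in ALLOWED_RUNDLL32_ARGS

def ancestry(table: Dict[int, Process], pid: int) -> List[Process]:
    """Walk from pid up to the root; stop on a missing parent or a pid cycle."""
    chain, seen = [], set()
    while pid in table and pid not in seen:
        seen.add(pid)
        chain.append(table[pid])
        pid = table[pid].ppid
    return chain

def decide(table: Dict[int, Process], pid: int) -> Tuple[str, str]:
    """Pete99's proposal: deny if any process in the chain lacks the permission, after the argument check."""
    chain = ancestry(table, pid)
    if not chain:
        return "deny", f"unknown pid {pid}"
    leaf = chain[0]
    if leaf.image.lower() == "rundll32.exe" and not rundll32_args_allowed(leaf.cmdline):
        return "deny", f"rundll32 arguments not approved: {leaf.cmdline}"
    for proc in chain:
        if not proc.may_terminate:
            return "deny", f"{proc.image} (pid {proc.pid}) lacks terminate permission"
    return "allow", "arguments and every ancestor approved"

# Constructed process table following Pete99's chain: malware -> Program X -> Program Y -> rundll32.
SAMPLE = {p.pid: p for p in [
    Process(1, 0, "explorer.exe", "explorer.exe", True),
    Process(2, 1, "rundll32.exe", "rundll32.exe nview.dll,nViewLoadHook", True),
    Process(3, 1, "malware.exe", "malware.exe", False),
    Process(4, 3, "programx.exe", "programx.exe", True),
    Process(5, 4, "programy.exe", "programy.exe", True),
    Process(6, 5, "rundll32.exe", "rundll32.exe nview.dll,nViewLoadHook", True),
    Process(7, 1, "rundll32.exe", "rundll32.exe evil.dll,Run", True),
]}
```

    Pid 6 carries the same approved arguments as pid 2 but is denied because `malware.exe` sits above it in the chain, which is the case "Allow Once" cannot distinguish.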