Settings Help

Discussion in 'ProcessGuard' started by redwolfe_98, Oct 7, 2004.

Thread Status:
Not open for further replies.
  1. redwolfe_98

    redwolfe_98 Registered Member

    Joined:
    Feb 14, 2002
    Posts:
    581
    Location:
    South Carolina, USA
    first, thanks to dcs for pg3, it is working fine on my computer.. i would like advice about settings in pg3.. should i add "rundll32.exe" to pg3's "protection"? and if so, what should the settings be? i am aware that there are some default settings.. besides those, what should i have, if anyone can tell me? i want specifics like "allow global hooks", "allow termination of protected processes".. or "don't add rundll32.exe to pg's protection"..

    while i am here, what are the default settings for "svchost.exe"? i want to make sure that i have the default settings without restoring the defaults and having to redo everything.. thanks
     
  2. Andreas1

    Andreas1 Security Expert

    Joined:
    Jan 29, 2003
    Posts:
    367
    Location:
    Mainz (Ger)
    hmmm. rundll is a difficult case. It's just a launcher (as you might know, dll files contain executable code, but they are not executed themselves, but loaded into applications that need their functions; so, if you want to execute one of the functions (f.ex. system functions like shutdown, dial-in etc.) without an "app around it", you use rundll32.exe and tell it which function out of which dll file is to be executed; then rundll loads that module, executes the specified function and terminates when the function is done.). But the function that will be launched by it will inherit rundll's privileges.
    So, it can be anything - and require anything. If rundll is used to call a legitimate task-manager-like function in some dll, then rundll32 should better have terminate privileges. If rundll is used to call a malware dll, it shouldn't have those privs. If rundll is used to call a keyboard handler, then it should get "allow global hooks" privileges, if it is used to call a malware keyboard logger, then it shouldn't. Of course the problem is that you do not know beforehand what is going to call rundll.

    Thus, my suggestion would be not to give it any allowances. Unless, that is, you know that some of your legitimate *important* applications use it and don't work without it. (But not giving it those privileges and just watching the log is the best way to find this out.)

    As far as protection is concerned - why would anyone want to attack it? Unless, again, some of your *important* apps use it. Say you have a trojan that wants to mess with the dial-in routine. It can either patch the dll where that routine is stored, or it can sit and wait until rundll loads the routine and then patch rundll's memory. So, protecting it does something. The question is only - would a trojan want to mess with the dial-in routine in the first place? and even if it would, wouldn't it probably take other approaches? (Replacing the dll target altogether, using rundll to run its own dll as well, patching the LSP stack, ...)
    OTOH, what does it hurt to include it and protect it from modification and termination? nothing.

    I would include it in the protection list and protect it from mod/term, but nothing more. And I would suggest trying to get a picture of how often it is called, and on which occasions. Then maybe you can drop it again from the list. (Or, although it's unlikely, grant it more extensive privileges.)

    HTH,
    Andreas
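Andreas suggests watching the log to learn which dll and which function each rundll32 launch actually loads. The following is an added example, not code from the original thread or from ProcessGuard: it parses rundll32 command lines of the form `rundll32 <dll>,<entry> [args]` and sorts the dll into a system-directory path, a bare module name resolved by the loader, or a path that deserves a closer look. The directory list and the sample log lines are assumptions constructed for this example.

```python
import re
from pathlib import PureWindowsPath

# Directories a system DLL is normally loaded from; an assumption for this
# example, extend it for your own install.
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

_TOKEN = re.compile(r'(?:"[^"]*"|\S)+')   # tokens, keeping quoted paths whole

def parse_rundll32(cmdline):
    """Return (dll, entry_point, args) for 'rundll32 <dll>,<entry> [args]',
    or None when the line is not a rundll32 call or names no entry point."""
    toks = [t.replace('"', "") for t in _TOKEN.findall(cmdline)]
    if len(toks) < 2 or PureWindowsPath(toks[0]).name.lower() != "rundll32.exe":
        return None
    target, rest = toks[1], toks[2:]
    if target.endswith(",") and rest:        # 'dll, entry' with a space after the comma
        target, rest = target + rest[0], rest[1:]
    if "," not in target:
        return None
    dll, entry = target.split(",", 1)
    return (dll, entry, rest) if dll and entry else None

def classify_dll(dll):
    """'trusted' for an absolute path under TRUSTED_DIRS, 'search-order' for a
    bare module name (the loader resolves it, so the command line alone does
    not tell you which file was loaded), 'review' for anything else."""
    p = PureWindowsPath(dll)
    if p.parent == PureWindowsPath("."):
        return "search-order"
    parent = str(p.parent).lower()
    if any(parent == d or parent.startswith(d + "\\") for d in TRUSTED_DIRS):
        return "trusted"
    return "review"

# Constructed sample of rundll32 launches, made up for this example; it is not
# output of ProcessGuard or of any real log.
SAMPLE_LOG = [
    r'rundll32.exe shell32.dll,Control_RunDLL hotplug.dll',
    r'"C:\WINDOWS\system32\rundll32.exe" C:\WINDOWS\system32\shell32.dll,Control_RunDLL',
    r'rundll32.exe user32.dll,LockWorkStation',
    r'rundll32.exe C:\DOCUME~1\Bob\LOCALS~1\Temp\upd.dll, Start',
]

def review(lines):
    """Map each logged command line to (dll, entry_point, verdict)."""
    out = []
    for line in lines:
        parsed = parse_rundll32(line)
        if parsed is None:
            out.append((line, None, "malformed"))
        else:
            dll, entry, _ = parsed
            out.append((dll, entry, classify_dll(dll)))
    return out
```

Calling `review(SAMPLE_LOG)` gives one (dll, entry point, verdict) tuple per line; a bare module name only tells you what was asked for, not which file the loader picked.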
     
  3. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi Redwolf, To add to Andreas's post, I have the following settings for rundll32.exe and SVChost.exe on a Windows XP SP2 box.

    "Protect Application from":
    Termination
    Modification

    "Authorize this application to":
    Modify protected applications
    Read from protected applications.

    SVChost.exe
    Same as above but with:
    "Other options for this application":
    Access physical memory

    HTH Pilli
     
  4. redwolfe_98

    redwolfe_98 Registered Member

    Joined:
    Feb 14, 2002
    Posts:
    581
    Location:
    South Carolina, USA
    thanks.. :)
     
  5. siliconman01

    siliconman01 Registered Member

    Joined:
    Mar 6, 2003
    Posts:
    780
    Location:
    West Virginia (USA)
    I've had alerts for rundll32.exe concerning "access physical memory" and had to permit this. I don't remember which program on my system required it.
     
  6. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi siliconman01, I have had no alerts regarding rundll32, though I sometimes get one or two alerts from various listed programs when they first start but I put this down to them thinking they may need to do the action without actually doing it, so I ignore them.
    If a program is persistent or I notice something not working correctly then I will give the program the necessary allows, as long as I trust it :)

    Pilli
     