This is troubling. What policy should I use for rundll32.exe?
I’m sure it’s not a virus, it’s probably some dll trying to do its thing. But I’m unable to know which one it is and what it wants to do.
I wanna be very strict on allowing anything reaching out, and only wanna allow it when I know what it’s doing. I don’t see any dll that should need to access the internet. rundll32.exe should also be used as a means of bypassing the firewall and contacting home anonymously. But, what if it’s something needed and blocking it leads to some strange software behavior?
For now I blocked without making CIS remember this decision.
What OS are you using and version of CIS? You shouldn’t be getting alerts from rundll32 as it is a trusted application and when a dll is executed via rundll32, the name of that dll would be the source of the request, again only if the dll is unknown. Unless of course you set the firewall to custom ruleset.
Rundll32.exe does not actually have a digital signature, although it is published by Microsoft, and it is obviously a basic component of Windows. And it is commonly abused by malware.
I am running Windows 10 x64, I put Comodo firewall into proactive mode, and set HIPS to paranoid. Surprisingly to me, I did not see prompts from rundll32, although it surely has run many times, and there are no rules for it in HIPS.
Then I set the two rundll32 processes to “unrecognized”, and I saw a few prompts, but it was very few. I know it is running more than that.
Why don’t I see Comodo prompts from rundll32? When I run an anti-exe program, I see many more prompts from rundll32.
Rundll32.exe is in fact signed with a digital signature, you can use sigcheck from sysinternals to verify. Rundll32 is used to execute dll files so you shouldn’t get alerts from rundll32 but the actual dll performing the action, unless rundll32 is being run without executing a dll.
Thanks. That’s what I figured, the prompt is for the dll itself, not for rundll32.
But about the sig, all I have to do is a right-click on the file to know whether it has a sig or not, I don’t need to run a command-line utility. Just look at my screenshot, please.
sigcheck has a sig, and rundll32 does not.
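An added example, not from anyone in this thread, that does the two checks the posts above are arguing about: verify rundll32.exe’s signature and find out which dll each running rundll32.exe is actually hosting. Windows ships rundll32.exe catalog-signed rather than with an embedded signature, which is why the Properties dialog shows no Digital Signatures tab while sigcheck (and the built-in Get-AuthenticodeSignature, which also consults the security catalogs) reports it as signed. The script assumes Windows 10 and uses only built-in cmdlets; the regex for pulling the dll argument out of the command line is my own.

```powershell
# Added example, not code from the thread. Uses only built-in Windows 10 cmdlets.

$rundll = Join-Path $env:SystemRoot 'System32\rundll32.exe'

# Get-AuthenticodeSignature checks the Windows security catalogs too, so a file with
# no embedded signature (no "Digital Signatures" tab in Properties) can still be Valid.
$sig = Get-AuthenticodeSignature -FilePath $rundll
[pscustomobject]@{
    File       = $rundll
    Status     = $sig.Status                      # expect 'Valid' on an unmodified system
    Signer     = $sig.SignerCertificate.Subject
    IsOSBinary = $sig.IsOSBinary                  # $true when signed via an OS catalog
} | Format-List

# For each live rundll32.exe, the first argument is "<dll>,<EntryPoint>"; that dll is
# what an outbound connection or HIPS alert is really about, not rundll32 itself.
Get-CimInstance Win32_Process -Filter "Name = 'rundll32.exe'" | ForEach-Object {
    $cmd = $_.CommandLine
    $dllPath = $null
    # Assumed layout: [ "]...rundll32[.exe]["] <dll,Entry> ... (regex is my own, not official)
    if ($cmd -match 'rundll32(\.exe)?"?\s+(?<arg>"[^"]+"|\S+)') {
        $dllPath = ($Matches['arg'].Trim('"') -split ',')[0]
        # A bare name like shell32.dll resolves against System32, as the loader would first try
        if ($dllPath -and -not [System.IO.Path]::IsPathRooted($dllPath)) {
            $candidate = Join-Path $env:SystemRoot ('System32\' + $dllPath)
            if (Test-Path $candidate) { $dllPath = $candidate }
        }
    }
    $dllSig = if ($dllPath -and (Test-Path $dllPath)) {
        (Get-AuthenticodeSignature -FilePath $dllPath).Status
    } else { 'not found' }

    [pscustomobject]@{
        PID         = $_.ProcessId
        ParentPID   = $_.ParentProcessId
        Dll         = $dllPath
        DllSig      = $dllSig
        CommandLine = $cmd
    }
} | Format-Table -AutoSize
```

Run it in an elevated PowerShell while the alert is up; the Dll and DllSig columns tell you which module is behind the rundll32.exe process and whether it is signed, which is the information you need before deciding whether to allow that connection.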
Related to this: If I remember correctly, the file list used to contain dll files. I don’t see them there anymore. Has something changed in regards to monitoring dll files?
Perhaps they are monitored only by the HIPS module, and not by other modules, so I won’t see dlls in the list unless I enable HIPS?
Yes and no, I noticed that when HIPS is disabled and an unrecognized application tries to install a global hook of a dll while in containment, the dll file is listed in the file list. However, DINPUT.dll didn’t show up in the file list until an unknown application tried to load it as a global hook and I received a HIPS alert for it, but I have video games that I know use dinput but because they were rated trusted, I didn’t get an alert for it thus the dll didn’t show in the file list until the unknown tried to use it. Go figure.
Also there was a time when trust files installed by trusted installers would add dlls and other files to the file list upon running a trusted installer, now it doesn’t populate the file list anymore with those files until they are executed, mainly .exe files.