Allow rundll32.exe?

This is troubling. What policy should I use for rundll32.exe?

I’m sure it’s not a virus, it’s probably some dll trying to do its thing. But I’m unable to know which one it is and what it wants to do.

I wanna be very strict on allowing anything reaching out, and only wanna allow it when I know what it’s doing. I don’t see any dll that should need to access the internet. rundll32.exe could also be used as a means of bypassing the firewall and contacting home anonymously. But what if it’s something needed and blocking it leads to strange behavior in some software?

For now I blocked without making CIS remember this decision.

What do you guys do?

You could use Process Monitor.

I understand there are ways to see dlls that are being loaded by a process.

The issue here is that if I allow it to reach out, I’ll allow all dlls to do so and any possible future dll that may be installed to do so too.

What OS are you using and version of CIS? You shouldn’t be getting alerts from rundll32 as it is a trusted application and when a dll is executed via rundll32, the name of that dll would be the source of the request, again only if the dll is unknown. Unless of course you set the firewall to custom ruleset.

First of all, you should check whether it’s a legitimate DLL and whether RunDLL32 is digitally signed by Microsoft.

Rundll32.exe does not actually have a digital signature, although it is published by Microsoft, and it is obviously a basic component of Windows. And it is commonly abused by malware.

I am running Windows 10 x64, I put Comodo Firewall into proactive mode, and set HIPS to paranoid. Surprisingly to me, I did not see prompts from rundll32, although it surely has run many times, and there are no rules for it in HIPS.

Then I set the two rundll32 processes to “unrecognized”, and I saw a few prompts, but it was very few. I know it is running more than that.
Why don’t I see Comodo prompts from rundll32? When I run an anti-exe program, I see many more prompts from rundll32.

Rundll32.exe is in fact signed with a digital signature; you can use sigcheck from Sysinternals to verify. Rundll32 is used to execute dll files, so you shouldn’t get alerts from rundll32 but from the actual dll performing the action, unless rundll32 is being run without executing a dll.

Thanks. That’s what I figured, the prompt is for the dll itself, not for rundll32.
But about the sig, all I have to do is a right-click on the file to know whether it has a sig or not, I don’t need to run a command-line utility. Just look at my screenshot, please.
sigcheck has a sig, and rundll32 does not.

Windows Explorer will display the tab only if the signature is embedded in the executable. The mentioned signature is in a security catalog.

sigcheck.exe -i c:\Windows\System32\rundll32.exe

Sigcheck v2.54 - File version and signature viewer
Copyright (C) 2004-2016 Mark Russinovich
Sysinternals - www.sysinternals.com

c:\windows\system32\rundll32.exe:
Verified: Signed
Link date: 6:03 PM 3/30/2017
Signing date: 7:10 PM 4/2/2018
Catalog: C:\Windows\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Package_576_for_KB4093118~31bf3856ad364e35~amd64~~6.1.1.4.cat
Signers:
Microsoft Windows
Cert Status: Valid
Valid Usage: NT5 Crypto, Code Signing
Cert Issuer: Microsoft Windows Verification PCA
Serial Number: 33 00 00 00 54 51 4C 85 3E AD 08 70 67 00 01 00 00 00 54
Thumbprint: 4181158E3519BDCD7FF623A3C118B31F7D32C0EE
Algorithm: sha1RSA
Valid from: 8:34 PM 10/5/2017
Valid to: 8:34 PM 10/5/2018
Microsoft Windows Verification PCA
Cert Status: Valid
Valid Usage: All
Cert Issuer: Microsoft Root Certificate Authority
Serial Number: 61 0A 59 2B 00 00 00 00 00 3B
Thumbprint: A5EEF4E193075BD3C271793C950729360059593A
Algorithm: sha1RSA
Valid from: 2:24 AM 2/12/2016
Valid to: 2:28 AM 5/10/2021
Microsoft Root Certificate Authority
Cert Status: Valid
Valid Usage: All
Cert Issuer: Microsoft Root Certificate Authority
Serial Number: 79 AD 16 A1 4A A0 A5 AD 4C 73 58 F4 07 13 2E 65
Thumbprint: CDD4EEAE6000AC7F40C3802C171E30148030C072
Algorithm: sha1RSA
Valid from: 2:19 AM 5/10/2001
Valid to: 2:28 AM 5/10/2021
Counter Signers:
Microsoft Time-Stamp Service
Cert Status: Valid
Valid Usage: Timestamp Signing
Cert Issuer: Microsoft Time-Stamp PCA
Serial Number: 33 00 00 00 BA 6A 36 DE 1A AD BD 3C 1F 00 00 00 00 00 BA
Thumbprint: 2B8700A86F5BBC73487A64E35DAB0EF1787A3130
Algorithm: sha1RSA
Valid from: 8:58 PM 9/7/2016
Valid to: 8:58 PM 9/7/2018
Microsoft Time-Stamp PCA
Cert Status: Valid
Valid Usage: Timestamp Signing
Cert Issuer: Microsoft Root Certificate Authority
Serial Number: 61 16 68 34 00 00 00 00 00 1C
Thumbprint: 375FCB825C3DC3752A02E34EB70993B4997191EF
Algorithm: sha1RSA
Valid from: 3:53 PM 4/3/2007
Valid to: 4:03 PM 4/3/2021
Microsoft Root Certificate Authority
Cert Status: Valid
Valid Usage: All
Cert Issuer: Microsoft Root Certificate Authority
Serial Number: 79 AD 16 A1 4A A0 A5 AD 4C 73 58 F4 07 13 2E 65
Thumbprint: CDD4EEAE6000AC7F40C3802C171E30148030C072
Algorithm: sha1RSA
Valid from: 2:19 AM 5/10/2001
Valid to: 2:28 AM 5/10/2021
Company: Microsoft Corporation
Description: Windows host process (Rundll32)
Product: Microsoft® Windows® Operating System
Prod version: 6.1.7601.23755
File version: 6.1.7601.23755 (win7sp1_ldr.170330-0600)
MachineType: 64-bit
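The thread's two practical questions are "which dll is rundll32 actually running?" and "is a file signed even though Explorer shows no Digital Signatures tab?". The PowerShell below is an added example, not code from any poster or from Comodo: it lists each running rundll32.exe with the DLL taken from its command line and reports whether that DLL (and rundll32 itself) is signed with an embedded Authenticode signature or only through a security catalog. It assumes Windows PowerShell 5.1 on Windows 10, where Get-AuthenticodeSignature consults the catalog store and exposes a SignatureType property; the sample command line is constructed for illustration.

```powershell
# Added example (not from the thread). Assumes Windows PowerShell 5.1+ on Windows 10,
# where Get-AuthenticodeSignature also checks security catalogs (SignatureType = Catalog),
# which is exactly the case Explorer's properties dialog does not show.

function Get-SignatureSummary {
    param([Parameter(Mandatory)][string]$Path)
    # Bare names such as shell32.dll are resolved against System32, as rundll32 would.
    if (-not [System.IO.Path]::IsPathRooted($Path)) {
        $Path = Join-Path "$env:SystemRoot\System32" $Path
    }
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Status = 'FileNotFound'; Type = 'None'; Signer = '' }
    }
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    [pscustomobject]@{
        Path   = $Path
        Status = $sig.Status         # Valid, NotSigned, HashMismatch, ...
        Type   = $sig.SignatureType  # Authenticode (embedded) or Catalog
        Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    }
}

function Get-Rundll32Target {
    # Extract the first argument (the DLL, possibly quoted) from a rundll32 command line,
    # e.g.  rundll32.exe "C:\Path\some.dll",EntryPoint arg
    param([Parameter(Mandatory)][string]$CommandLine)
    $m = [regex]::Match($CommandLine, '^\s*"?[^"]*rundll32(?:\.exe)?"?\s+"?([^",]+)"?', 'IgnoreCase')
    if ($m.Success) { $m.Groups[1].Value.Trim() } else { $null }
}

# Constructed sample command line, so the parser can be exercised without a live process.
$sample = 'C:\Windows\System32\rundll32.exe "C:\Windows\System32\shell32.dll",Control_RunDLL'
Get-SignatureSummary -Path (Get-Rundll32Target $sample)

# Live view: every rundll32 instance, the DLL it was asked to load, and that DLL's signature.
Get-CimInstance Win32_Process -Filter "Name = 'rundll32.exe'" | ForEach-Object {
    $dll = Get-Rundll32Target $_.CommandLine
    if ($dll) {
        $s = Get-SignatureSummary -Path $dll
        [pscustomobject]@{ PID = $_.ProcessId; Dll = $s.Path; Status = $s.Status; Type = $s.Type; Signer = $s.Signer }
    } else {
        # No DLL argument: the interesting part is then the parent process, not rundll32.
        [pscustomobject]@{ PID = $_.ProcessId; Dll = '(no dll argument)'; Status = ''; Type = ''; Signer = '' }
    }
} | Format-Table -AutoSize

# rundll32 itself: expect Status Valid with Type Catalog, matching the sigcheck output above.
Get-SignatureSummary -Path "$env:SystemRoot\System32\rundll32.exe"
```

A DLL that resolves to a user-writable location, or whose Status is NotSigned or HashMismatch, is the one worth a firewall rule of its own rather than a blanket allow for rundll32.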

And if you don’t want to use a command line tool, VirusTotal will show whether a file is signed under the Details tab.

Thanks, I had no idea about that.
Can Comodo see this kind of sig?

Yep.

So is this security catalog basically a list of windows components and their respective hashes, or what?

Yep: Catalog Files and Digital Signatures - Windows drivers | Microsoft Learn

Related to this: If I remember correctly, the file list used to contain dll files. I don’t see them there anymore. Has something changed in regards to monitoring dll files?
Perhaps they are monitored only by the HIPS module, and not by other modules, so I won’t see dlls in the list unless I enable HIPS?

Yes and no. I noticed that when HIPS is disabled and an unrecognized application tries to install a global hook of a dll while in containment, the dll file is listed in the file list. However, DINPUT.dll didn’t show up in the file list until an unknown application tried to load it as a global hook and I received a HIPS alert for it. I have video games that I know use dinput, but because they were rated trusted, I didn’t get an alert for them, so the dll didn’t show in the file list until the unknown tried to use it. Go figure.

Also, there was a time when files installed by trusted installers, including dlls and other files, would be added to the file list upon running the installer; now it doesn’t populate the file list with those files anymore until they are executed, mainly .exe files.