I don’t know if I’ve understood correct.
The first alert of D+ will be of explorer.exe to open rundll32.exe, then it depends from as you have configured rundll32… for this motive I put D+ in Paranoid Mode and configure rundll32.exe all on ask.
Maybe it worth to check by playing with **.inf. Thanks for idea.
Not sure what sequence explorer.exe <–> rundll32.exe or other, i plugged in my infected flash on W7 machine, which is not affected by such autorun problems, hence virus was unable to start.
Indeed, Paranoid mode is a solution, but it is not convinient/usable mode (imo).
Good if it is so. Worth to check.
Thanks for the links. It is probably best solution.
PS. I SAVED that virus (in encrypted archive). Willing to test? Not me, not now…
The best solution for this problem is surely that suggested by Endymion.
I use D+ in Paranoid Mode because for me it is good and I understand better thing happens in my PC… yes, perhaps are a little paranoiac ;D
Maybe I’m wrong, but since you say the rule for running executables is already on ask with the only exception being the one stated, wouldn’t D+ alert you to the file on the flash drive trying to be executed? Isn’t it saying that only files in the Windows directory are allowed to be run by rundll32 without producing an alert?
Theory. Question is How it works on practice ??? :-\
I couldn’t force that virus to TRY to instruct rundll32 to “setup” that dll :-X
How do you get that alert on your screenshot: setting Image Execution to Aggressive and adding *.dll to execution list? If these two requirements are not met than alert is not triggered?
I can check (running 3.13. .574) once i would know some portable exe (which i can download) tries to load dll with rundll32.
[PoC from Win7+Autorun article didn’t work for me, dropping error “…error during program’s initialization…”]
When I told you that the config you described in your first post should have been able to trap rundll32 DLLs I didn’t mention that even “Comodo - Internet Security” default configuration should have been able to (at least up to 3.12 I took that screenshot with).
It looks it was mentioned that rundll32 approach was going to change though I don’t know if the change I reproduced on my PC affects other users as well or even in that case if this change is actually the one implied in that rundll32 quote from CIS lead developer.
That appeared to work also in 3.13 though it will trigger for many other applications as well and not only rundll32. I didn’t test it properly but the overall behavior of such custom settings reminds me of CFP 2 component monitor (which IIRC defaulted to learn all), nevertheless CIS lead developer mentioned this is not really recommended/intended to be used in CIS 3
Too bad I was particularly interested in the result of that win7 autoelevation PoC
On the other hand there are few video-card/keyboard/mouse apps/brands that rely on rundll32 and launch their DLL at startup by modifying a protected registry entry (My videocard and mouse rely on such approach) anyway if you are willing to invoke rundll32 from the commandline there is an article that provide a DLL fit for this (the command line is mentioned in its How to Use paragraph):