Defence+ and dll files

If I have c:\users* in blocked applications will this include dll files in the users directory or is it just the applications (*.exe) that are blocked?


[Topic Closed: If issue returns PM an online mod to open]

Don’t know exactly if independent dlls can be blocked in your case with default settings of D+, but here is some variant to try if they cant be blocked:

GUI->defense+ ->advanced->image execution control settings->change image execution control level to aggressive and replace entry *.exe by group executables under same settings dialog.

Should warn that you will have a great amount of alerts if D+ in paranoid mode, however in other modes you should be ok.

In this case independent dlls (executed without assistance of *.exe) should be definitely blocked.

I wan’t to block dll file run by an exe so I don’t think this would work. (If it did it would cause far, far too many pop-ups). I want to stop anything from running a trusted application and tricking it into using a dll from the wrong place.

I think Comodo desperately needs to control this like dll files and vbs scripts based on their location. It needs to be able to block all dll and scripts arguments where the dll or script is under c:\users (or c:\documents and settings) and other selected locations. This would help protect against rundll32 launching malware (assuming you don’t run as administrator). Another possibility would be the option to block all dll and script files not in Comodo’s safe file list. I would trust this less as I don’t know what is on the safe list.

I have tried this and it appears to to what I want. I got loads of pop-ups for all dll files. I added rules for all applications to allow dll files under windows and program files and it is useable now.

Is this really blocking all dll files from other locations? Does anyone know?

Sure it is. All system is affected by those settings.

Thank you for your help. This is looking good.

I have set image execution control to aggressive and added all executables (plus a few more) to files to check.

I now have a rule for all applications to block c:\users* d:* and E:*

I have a rule below for save programs (c:\program files* and c:\windows*) to run c:\windows*.dll and c:\program files*.dll to prevent pop-up overload.

This should stop limited users running any unauthorized applications including most malware and not require them to block anything when it does pop up.

Everything appears to work but I get a few strange pop-ups now such as permission for firefox.exe to run firefox.exe. I assume this is the program running the prefetch copy.