Defense Plus blocking files I've marked as trusted!

Hello,

Defense Plus in “Clean PC mode” keeps blocking LWEmon.exe of Logitech even though I’ve marked it as trusted and given it full privileges. Rundll32.exe has the same problem. Both files are in the locations they’re supposed to be… so I don’t suspect any malware, as this is a new installation.

“Defense + has blocked 475 suspicious attempts”… and counting (are these files really being blocked or just logged?)

Also, every time I restart it puts Avast in the folder for reviewing. I then move it to “my safe files”, and sure enough it’s back at every restart!

Any help would be greatly appreciated.

Running Windows 7 x64 Home Premium

Thanks

Sorry if I posted this twice, I got kicked off and had to rewrite :stuck_out_tongue:

Anybody…anybody???

Well, it still puts the same three files up for review that I put in my own safe files. One of them is Avast4\DATA\clnr0.dll. Is this some kind of conflict with Avast? I’ve submitted it to Comodo, it then marks it as Trusted, and sure enough it’s back in for review at the next startup. Why???

What does it actually DO to put files in “my own safe files” if it just keeps blocking them!??

I’ve tried all the hints in this forum for rundll32.exe and it still shows up constantly with Action “block hook”!

Rundll32.exe seems to be a problem a lot are having…

Please help :frowning:

Hello Innit,
welcome to these forums :),

My Pending Files will list any executable which is created anew, modified or moved.
In CleanPC mode the files in ‘My Pending Files’ are excluded from being considered as clean and are monitored and controlled.

It looks like Avast4\DATA\clnr0.dll is rewritten during every VPS update, and this will cause it to be repeatedly added to the Pending Files list even after being removed.

Yes, all three files are extracted from 400.vps (the avast virus database) at the time of loading. They basically change (=get overwritten) during every VPS update.

Setting D+ to Safe mode will disable the Pending list feature (used only by CleanPC mode).

The block hook action type ought to be the result of an application policy Protection setting which has its Windows/WinEvent Hooks radio button set to Yes. Probably it is related to some change to the protection settings of the rundll32.exe policy (btw, is the target some DLL file or some other application?).

Not sure about LWEmon.exe, but maybe a full D+ log (or a screenshot that includes the action type and both application and target names) could provide some more clues (Exporting Log Files to HTML).

[attachment deleted by admin]

Hi Endymion,

Thanks for your reply :slight_smile:

I’ll go ahead and try Safe mode, that makes sense.

Rundll32.exe is trying to block hook on the Target C:\Windows\System32\dwmapi.dll

I changed the following according to an earlier post:

Control Panel->Administrative Tools->Computer Management->Task Scheduler->Task Scheduler Library->Microsoft->Windows->

Highlight “Application Experience”; you should have AIT Agent and ProgramDataUpdater at the top. Right click on ProgramDataUpdater and select Disable.

That must then be, like you said, an application policy Protection setting that was changed in doing the above. I think?

Should I then change the protection setting Windows/WinEvent Hooks to “Yes” in dwmapi.dll?

Thanks again for your help

Innit

Oh and I checked in Defense+ >Computer Security Policy and there is no entry for C:\Windows\System32\dwmapi.dll. Should I then create a Custom Policy for it and enable Windows/WinEvent Hooks?

Then it looks like some changes were applied to the rundll32.exe Protection settings, which default to No.
Don’t you remember making any?

I don’t think I did make changes, but since I’ve been trying everything I might have.

Rundll32.exe is present in “Computer Security Policy”

“Use a Custom Policy” is selected

Access Rights are all Allow except Run an executable is set to “ask”

Protection Settings are all “Yes”

The one in particular related to Block hook events is the Windows/WinEvent Hooks Protection setting, set to Yes like in the earlier screenshot I posted.

All “Yes”, like you just mentioned, ought to trigger those Block hook events in the Defense+ logs, whereas also setting other Protection settings to Yes is likely to trigger additional related events in the Defense+ logs.

Please set the options of the corresponding Rundll32 policy dialogs to match these screenshots.

[attachment deleted by admin]