guard dll registry entries

I noticed that there seems to be an error in the guard32.dll and guard64.dll registry entries.

http://img547.imageshack.us/img547/818/sshot12w.png

Version 5.3.43550.1216
Windows 7 64bit

And there are also previously unseen firewall alerts

http://img213.imageshack.us/img213/928/sshot13j.png

Hello thommh,

Can you also make a screenshot of the Defense+ Events?
It's possible that CIS is blocking AutoRuns from accessing certain areas on your machine.

Can you explain a bit more about your second issue?

Thanks

Jake

Defense+ is disabled as I am not using it atm.

Ok; is Image Execution Control disabled as well? And the sandbox as well?

Jake

Execution Control is enabled, Sandbox disabled.

Hello; I’m back with more info

This may help; these guardxx.dll are a part of CIS;

For your firewall event, can you go to CIS > Firewall > Firewall Events, post a screenshot of this window and upload it here?

Hope this helps

Jake

http://img140.imageshack.us/img140/7673/sshot12l.png

Hi guys,

Issue 1 is probably caused by something else, as there is a “space” between the Chinese (?) char and the guard32/64.dlls; those entries were already present during install of CIS.

One can have multiple entries on AppInit_DLLs separated by “space”.
If you don’t trust it, try to uninstall CIS and see if the Chinese char is still there; if so, you need to edit your registry to remove them manually. Search for AppInit_Dlls and you should be able to find them.

Issue 2 is due to IPv6 support in this version; the alert is for “localhost” ::1, similar to IPv4 127.0.0.1.
As this is a firewall alert, it can’t be related to guard32/64.dll ’cause that’s used for D+.
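
The registry check suggested in the post above, as an added example that is not part of the original thread: it reads AppInit_DLLs from the native and Wow6432Node views, splits each value on spaces or commas, and reports the code points of any entry containing non-ASCII characters. The registry paths are the standard Windows locations (not quoted in the thread), `Test-AppInitValue` is a hypothetical helper name, and the sample string with U+4E2D is constructed.

```powershell
# Added example, not from the thread. Run from 64-bit PowerShell so the
# first path is not redirected to Wow6432Node.
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
)

function Test-AppInitValue {   # hypothetical helper name
    param([string]$Value, [string]$Source)
    # AppInit_DLLs holds several entries delimited by spaces or commas.
    foreach ($entry in ($Value -split '[ ,]+' | Where-Object { $_ })) {
        $odd = $entry -match '[^\x20-\x7E]'   # anything outside printable ASCII
        $codePoints = ''
        if ($odd) {
            # Code points identify a glyph the registry editor cannot render.
            $codePoints = ($entry.ToCharArray() |
                ForEach-Object { 'U+{0:X4}' -f [int]$_ }) -join ' '
        }
        [pscustomobject]@{
            Source     = $Source
            Entry      = $entry
            NonAscii   = $odd
            CodePoints = $codePoints
        }
    }
}

# Live values from this machine (a missing key or value yields no rows).
$live = foreach ($k in $keys) {
    $p = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
    if ($p) { Test-AppInitValue -Value $p.AppInit_DLLs -Source $k }
}

# Constructed sample shaped like the entry in the thread: one stray
# character, a space, then the DLL name.
$sample = Test-AppInitValue -Value "$([char]0x4E2D) guard64.dll" -Source 'constructed sample'

@($live) + @($sample) | Format-Table -AutoSize -Wrap
```

Any row with `NonAscii` set to True is an entry to trace back to the software that wrote it before editing the value.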

Thank you for your help.
I ended up editing out the space and Chinese character in the registry, dunno where it came from.
Are there any good sources for me to cross-reference IPv6 addresses?

Not sure if this is what you're looking for, but we started a v6 discussion here