Monitor regsvr32.exe and rundll32.exe activity

Hi,
Is there any way to configure Defense + Hips to alert me on regsvr32.exe and rundll32.exe activity? I’m running the Hips setting on Safe Mode at present with rules added for those two executables but I’m receiving no notifications at all. I’ve tried Paranoid Mode but still nothing (except for every other executable on my system which eventually drives you crazy…:)). I’ve changed the explorer.exe rule from Allowed to Custom but have only received one popup notification.

Using EXE Radar Pro I receive rundll32 notifications frequently. BTW, you can’t use EXE Radar Pro and Comodo CFW 6 together. I suspect a driver conflict.

This is on Win 8 Pro 64 bit.

Any suggestions?

Thanks. :).

Trespasser

Rundll usage was monitored in later versions of CIS 5.x, so presumably in 6.x. Though 6.x dll functionality is still stabilising so I’m not wholly sure.

Registry protection works by preventing access to sensitive keys for unknown files.

Both can be explicitly monitored using a program-specific HIPS rule if you turn HIPS on. I think you could use Safe mode and over-ride the usual allow for trusted program files with a specific rule high up the rules list, but I have not tried in CIS 6.0. Do tell me if you try it.

Best wishes

Mouse

Oh, just to say: intervening at this fairly deep level in the OS, some things may stop functioning, so you need to know how to get yourself out of trouble! Take a restore point first at least.

Thanks mouse1 for the reply. :).

Mouse quote:
“I think you could use Safe mode and over-ride the usual allow for trusted program files with a specific rule high up the rules list”

Can you give me the example of the specific rule you mentioned? Thanks if you can.

I moved cmd.exe, regsvr32.exe, and rundll32.exe (both System32 and SysWOW64 folders) to the very top of my rules list but still no popup notifications about their activity. BTW, I’m now running in Paranoid Mode…no change.

Also, what is the significance of where a rule is on the list (since you can obviously move their position)? Does it affect how the rule functions as to where it is on the list?

Thanks again for the reply. Much appreciated.

Best regards,

Bob