RunDLL32 can load DLLs without triggering Run an executable alerts - CIS 3.13.121240.574

OS: Windows XP SP3 32bit updated to the latest post-sp3 Service packs.
CIS Version: 3.13.121240.574
D+ configuration: Comodo Proactive Security Defaults
D+ mode: Safe mode

The latest version 3.13.121240.574 no longer triggers “Run an executable” type/DLL alerts when rundll32.exe is used to launch a DLL.

This differs from CIS 3.12.111745.560 and previous versions, which alerted when Rundll32.exe loads a DLL even when using the “Comodo - Internet Security” configuration defaults (image execution control disabled).

Such Rundll32 alerts, triggered when a DLL is loaded, provided a way to prevent the execution of the code contained in that DLL and a chance to have the D+ heuristic Severity rating displayed on the alert to warn about possible malicious behavior.

It is possible to reproduce a Rundll32 based DLL-execution scenario for testing:

A clean 3.12 install will enable D+ to trap those DLLs, whereas installing 3.13 again will not.

Related topic: Autorun viruses Versus Comodo’s Safe mode (a malicious DLL virus sample was tested with 3.13 and screen-shots were posted there as well)

Issue reconfirmed testing CIS 3.13.126709.581 on an XP32 setup.

Issue reconfirmed testing CIS 3.14.129887.586 on an XP32 setup.

The virus mentioned in that thread will destroy the system silently (if Defense+ is in Safe Mode) if it manages to start, for example like this:

[autorun]
Open=Rundll32.exe .\RECYCLER\pLElVwkIV.dll,Setup

Defense+ will learn mmc.exe's activities even though mmc.exe was called by the virus's instructions with the aim of performing malicious actions (denying the System Restore tool, denying regedit.exe). Same for cmd.exe (IIRC). Etc.

…unless a *.dll entry is added to ImageExecutionControlSettings. Only then is there an alert “rundll32.exe tries to execute pLElVwkIV.dll”.
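As an added defender-side example (not code from this thread or from Comodo), the following Python check parses rundll32.exe command lines like the autorun entry quoted above, extracts the DLL path and entry point, and flags loads from relative paths, RECYCLER folders, or DLLs outside the system directory. The process-creation records are constructed for the example, and the system directory is assumed to be C:\WINDOWS as on the XP setups described.

```python
import re
from dataclasses import dataclass

# Constructed process-creation records ("image|command line"); not real log data.
SAMPLE_EVENTS = [
    r'C:\WINDOWS\system32\rundll32.exe|Rundll32.exe .\RECYCLER\pLElVwkIV.dll,Setup',
    r'C:\WINDOWS\system32\rundll32.exe|rundll32.exe shell32.dll,Control_RunDLL desk.cpl',
    r'C:\WINDOWS\system32\rundll32.exe|"C:\WINDOWS\system32\rundll32.exe" "E:\RECYCLER\x.dll",Run',
    r'C:\WINDOWS\explorer.exe|explorer.exe',
]

@dataclass
class RundllLoad:
    dll: str          # DLL path as passed on the command line
    entry: str        # exported entry point rundll32 will call
    reasons: tuple    # why the load looks suspicious; empty tuple means benign-looking

# rundll32 syntax: [path\]rundll32[.exe] <dll>,<entrypoint> [args]
_RUNDLL_RE = re.compile(
    r'^\s*"?(?:[^"\s]*[\\/])?rundll32(?:\.exe)?"?\s+"?([^",]+)"?\s*,\s*(\S+)',
    re.IGNORECASE,
)

def parse_rundll32(cmdline: str):
    """Return (dll, entry) for a rundll32 command line, or None if it is not one."""
    m = _RUNDLL_RE.match(cmdline)
    return (m.group(1).strip(), m.group(2)) if m else None

def assess(dll: str) -> tuple:
    """Flag DLL paths that match the autorun pattern rather than a system DLL."""
    low = dll.lower()
    reasons = []
    # A bare name (shell32.dll) resolves via the DLL search order; a relative
    # path like .\RECYCLER\x.dll resolves against the current drive/directory.
    if low.startswith(('.\\', '..\\')) or ('\\' in low and not re.match(r'^[a-z]:\\', low)):
        reasons.append('relative DLL path')
    if '\\recycler\\' in low:
        reasons.append('DLL under RECYCLER')
    # Assumption: system directory is C:\WINDOWS (Windows XP layout).
    if re.match(r'^[a-z]:\\', low) and not low.startswith('c:\\windows\\'):
        reasons.append('DLL outside system directory')
    return tuple(reasons)

def scan(events) -> list:
    """Parse each 'image|cmdline' record and return the rundll32 DLL loads found."""
    found = []
    for rec in events:
        _image, _, cmdline = rec.partition('|')
        parsed = parse_rundll32(cmdline)
        if parsed is not None:
            found.append(RundllLoad(parsed[0], parsed[1], assess(parsed[0])))
    return found
```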

Issue reconfirmed testing CIS 3.14.130099.587 on an XP32 setup.