Why is rundll32.exe blocked by Defense+?

Hi everyone!
Could someone explain to me why Defense+ blocks those applications every time I start my PC?
My security level is set to “Safe mode”.

Thanks and bye,
Stefano.

[attachment deleted by admin]

Hi Stefano

Firstly, CIS will not willingly share its memory space with anything (no matter how politely or rudely it is asked, or even if the process in question is defined as safe/trusted). This log entry is really informational & it doesn’t usually cause a problem with the memory-probing process. These are often processes that want to hook into CIS to offer extra functionality (usually right-click context menus & screen-related functions). CIS will not allow any of this.

As far as processes go, RUNDLL32.EXE is a means to an end. As its name implies, it basically is used to run DLLs that cannot be run directly. To know what this actually is, you’d need to run something like a HijackThis Log or Autoruns, to see what the calling parameters are on the RUNDLL32.EXE execution (i.e. what DLL/CPL it is running).

Hi kail, and thanks for your reply.
But I had a rule in my Security Policy for rundll32.exe. I just deleted it and waited for an alert.
When I got it, I remembered it as “trusted application”.
Did I do the right thing?

For the purposes of accessing CIS’s memory it will not make any difference (to CIS), it will still be blocked.

As for giving RUNDLL32 trusted status, you probably shouldn’t really do that. There’s no guarantee that RUNDLL32 will be run by a “friendly” process. You’re better off, IMO, leaving RUNDLL32 as it is and authorising each DLL/EXE that RUNDLL32 wants to run (these will be listed as “allowed” in Defense+ “Run as Executable”). This way if RUNDLL32 ever tries to run something unusual, you’ll at least get the chance to stop it.

Right, kail, and sorry for being late in answering you!
So in your view I should leave it off and let it ask every time. Am I right?
I mean, you have no kind of rule for it. Is that right?

Not a problem. :)

I have a RUNDLL32 rule & it has listed, under the Allowed tab on “Run an executable”, many DLLs & some EXEs that RUNDLL32 is allowed to run… or rather that I have previously allowed to run & have told CIS to “remember”.

If you don’t currently have a rule for RUNDLL32, then don’t worry… CIS will create the rule shortly after you allow RUNDLL32 to execute another program (DLL or EXE, in this case) for the first time. Following that, CIS will add any allowed program that it’s told to “remember” to RUNDLL32’s allowed tab under (Access Rights - Run an executable).

I hope that helps.
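The two points made in this thread, reading the calling parameters to see which DLL/CPL each RUNDLL32.EXE invocation names and approving those targets one by one, can be sketched as follows. This is an added example, not code from the thread or from CIS; the function names, the sample command lines and the allow list are constructed for illustration.

```python
import ntpath
import re

# rundll32 syntax: [path\]rundll32[.exe] <dll>,<entry point> [arguments]
# The executable and the DLL path may each be wrapped in double quotes.
_CMD = re.compile(
    r'^\s*(?:"[^"]*rundll32(?:\.exe)?"|\S*rundll32(?:\.exe)?)\s+'
    r'(?:"(?P<qdll>[^"]+)"|(?P<dll>[^,\s"]+))\s*,\s*'
    r'(?P<entry>[^\s,]+)\s*(?P<args>.*)$',
    re.IGNORECASE,
)

def _norm(path):
    return ntpath.normpath(path).lower()

def parse_rundll32(cmdline):
    """Return (dll, entry_point, args), or None if no DLL target can be read."""
    m = _CMD.match(cmdline)
    if not m:
        return None
    dll = m.group("qdll") or m.group("dll")
    return _norm(dll), m.group("entry"), m.group("args").strip()

def review(cmdlines, allowed):
    """Split command lines into (known, unusual) against approved DLL targets.

    Matching is on the whole target string, so a bare "shell32.dll" entry does
    not approve a same-named file in another directory. Lines that do not
    parse are reported as unusual rather than dropped.
    """
    approved = {_norm(a) for a in allowed}
    known, unusual = [], []
    for line in cmdlines:
        parsed = parse_rundll32(line)
        bucket = known if parsed and parsed[0] in approved else unusual
        bucket.append((line, parsed))
    return known, unusual

# Constructed sample data (not taken from the thread).
SAMPLES = [
    r'C:\WINDOWS\system32\rundll32.exe shell32.dll,Control_RunDLL desk.cpl',
    r'"C:\WINDOWS\system32\rundll32.exe" "C:\Program Files\Example Vendor\tray.dll",Start /quiet',
    r'rundll32.exe C:\Users\example\AppData\Local\Temp\shell32.dll,Control_RunDLL',
    r'rundll32.exe',
]
ALLOWED = [r'shell32.dll', r'C:\Program Files\Example Vendor\tray.dll']

if __name__ == "__main__":
    for line, parsed in review(SAMPLES, ALLOWED)[1]:
        print("REVIEW:", line, "->", parsed)
```

Command lines copied out of an Autoruns or HijackThis listing can be passed to `review` in place of `SAMPLES`.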

Okay, now I see.
You gave C:\WINDOWS\system32\rundll32 a custom policy, and any time an *.exe or *.dll asks for access you can decide whether to remember it, just allow it once, or deny it.
So later they will be listed in the “Run an executable” of this custom policy. Am I right?
I tried to do that too, but in my case they are being stored in the “Interprocess Memory access”. Does it make any difference?

Thanks a lot again for your help and sorry but I’m a newbie… :-[
Stefano.