Should I block rundll32.exe from accessing the internet?

  • Question

  • I just installed LiveCare not too long ago, and was prompted by the OneCare Firewall if I want to block "Run a DLL as an App", location C:\Windows\system32\rundll32.exe.

    I'm pretty sure this is the legitimate Windows file, and not some clone from a virus (recent scan came up clean).  However, I can't think of any good reason why rundll32.exe would need to access the internet.

    Thursday, May 29, 2008 12:48 AM

Answers

  • Rundll is being called by another process or program to access the Internet as it shouldn't be accessing it on its own. I would suggest blocking it and see if there are any adverse effects. If a program that you are legitimately using fails to work properly, then you can unblock rundll in the firewall settings within OneCare.

    -steve

     

    Thursday, May 29, 2008 4:06 PM
    Moderator

All replies

  • It happened to me too. I have blocked it with no ill-effects. If you ensure that OneCare has loaded before any other service then this message shows up - makes me suspect a malware or rootkit. Scans are useless against many rootkits.

    OneCare is discontinued for Windows 7. The outbound firewall in Windows 7 will not let you block all programs (it blocks all services at the same time) making it more difficult to use as an outbound firewall with functionality as in OneCare. The only other firewall that I can trust is Checkpoint (ZoneAlarm). Will Microsoft sell an outbound consumer firewall?
    Wednesday, December 2, 2009 3:11 AM
  • I am not aware of any plans for a firewall such as in OneCare from Microsoft. The Windows Firewall can be configured for outbound protection, but certainly not easily.
    Here's one article that explains how: http://www.techtalkz.com/windows-7/515977-how-configure-windows-firewall-windows-7-a.html

    -steve
    ~ Microsoft MVP Windows Live ~ Windows Live OneCare| Live Mesh|MS Security Essentials Forums Moderator ~
    Wednesday, December 2, 2009 12:54 PM
    Moderator
  • Thanks for the response. I have tried to configure the Windows 7 firewall to block outbound programs. On those screens at the link above, one can create a new outbound rule and it does have an option to block "all outbound programs and services". I created such a rule and then hoped to unblock IE8 for example. However, that block of all "programs and services" results in internet access shutting down, even when I go and create an exception for IE. It is not possible under the options provided by Win7 to block only programs without blocking all services at the same time (if that is what is causing the problem).

    Do you or anyone know of a way or a manual/documentation that will explain how to create OneCare-like outbound functionality in Win7?

    I do not mind paying for ZoneAlarm but it adds another security vulnerability since any software could have been compromised (including Microsoft's).
    Thursday, December 3, 2009 6:27 AM
  • You may want to look at this instead: http://www.sphinx-soft.com/Vista/index.html

    I personally have not tried it, nor do I intend to as I don't see any value in outbound filtering and blocking. However, when researching articles explaining how to enable filtering, I kept running into that software as a suggested way to manage the rules since doing so manually means that you need to set it up from scratch and the firewall will not alert you when something is being blocked.

    -steve
    ~ Microsoft MVP Windows Live ~ Windows Live OneCare| Live Mesh|MS Security Essentials Forums Moderator ~
    Thursday, December 3, 2009 1:40 PM
    Moderator
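
The two problems raised above (a block-all rule that an IE exception cannot override, and no alert when something is blocked) are addressed in this added example, which is not part of the original thread. In Windows Firewall an explicit block rule takes precedence over allow rules, so the example changes the profile's default outbound action instead of creating a block-all rule, then adds allow rules and turns on logging of dropped packets. It assumes an elevated prompt and the NetSecurity cmdlets of Windows 8 / Server 2012 or later (on Windows 7 the same settings are reached through `netsh advfirewall`); the rule names are made up for the example.

```powershell
# Added example: default-deny outbound with explicit allow rules.
# Undo with: Set-NetFirewallProfile -All -DefaultOutboundAction Allow

# 1. Make "block" the DEFAULT outbound action. A default action is applied
#    only when no rule matches, so allow rules can still punch holes in it.
#    A block RULE, by contrast, wins over every allow rule.
#    Also log dropped packets, since the firewall shows no prompt for them.
Set-NetFirewallProfile -All -DefaultOutboundAction Block -LogBlocked True

# 2. Allow only what is needed. Rule names here are hypothetical.
$allow = @(
    @{ DisplayName = 'Example allow: Internet Explorer web traffic'
       Program     = "$env:ProgramFiles\Internet Explorer\iexplore.exe"
       Protocol    = 'TCP'
       RemotePort  = 80, 443 },
    @{ DisplayName = 'Example allow: DNS client service'
       Program     = "$env:SystemRoot\System32\svchost.exe"
       Service     = 'Dnscache'        # scope the svchost rule to one service
       Protocol    = 'UDP'
       RemotePort  = 53 }
)
foreach ($rule in $allow) {
    New-NetFirewallRule @rule -Direction Outbound -Action Allow -Profile Any | Out-Null
}

# 3. Review what the default action dropped. Log fields are:
#    date time action protocol src-ip dst-ip src-port dst-port ... path
$log = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"
Get-Content $log -Tail 200 |
    Where-Object { $_ -match '^\S+ \S+ DROP ' -and $_ -match ' SEND$' } |
    ForEach-Object {
        $f = $_ -split ' '
        '{0} {1} {2} -> {3}:{4}' -f $f[0], $f[1], $f[3], $f[5], $f[7]
    }
```

With this policy rundll32.exe has no outbound access unless a rule is added for it; the log names destinations but not the sending program.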
  • 1. Outbound filtering is critical. Malware is introduced by many means including at the source of manufacture itself (all laptops are now assembled in China for example). Once the malware is on the system, outbound filtering is the only way to prevent it from communicating with its masters and also downloading additional malware. Standard Windows Firewalls providing inbound filtering are not effective.

    2. sphinx-soft.com - I know nothing about this software vendor and would not dream of downloading (even for a fee) and installing a firewall from these people. There is no assurance that the software is effective AND/OR that it comes with a malicious malware payload. 

    For commercial firewalls providing outbound filtering please consider: (1) Checkpoint systems (used by 98% of Fortune 500), (2) Norton Internet Security or 360, (3) Microsoft Forefront

    - MH
    ______________________________________
    ~ Serious Malware Hunter
    Friday, December 4, 2009 4:35 AM
  • For number 1, that's your opinion, which you are entitled to. You are absolutely correct that if malware is on the system already, it has access to call home and download additional malware. That's why antimalware software is critical. Of course, nothing is 100% effective. As I noted previously, outbound filtering is difficult to configure and nigh impossible for the average user. Firewalls such as the one in OneCare that attempt to simplify the process of allow/block without too much prompting and user interaction are still a pain for the average user.

    I included a disclaimer with the link to the site providing a tool to configure filtering in the Windows firewall. I noted that I have no experience with it. I did, however, find several references to the tool from other sites when searching for some easy to follow detailed instructions for configuring outbound filtering in the Windows firewall.

    The original question for this thread involved a prompt from the OneCare firewall. You stepped in to note that OneCare is being discontinued and asked if Microsoft was going to offer a firewall like the one in OneCare to consumers. The simple answer is - I am not aware of any plans to do so. And, I stand by my recommendation that the average user will be well served by the Windows firewall without enabling outbound filtering, coupled with a good antivirus/antispyware application (such as Microsoft Security Essentials), as long as Windows and installed programs are updated with the latest security patches *and* safe computing practices are followed. If a home user chooses to purchase Norton 360 or a similar product that includes a firewall, and they don't blindly approve all requests for access (which most people do), that's great. Checkpoint and Forefront are not options for the average consumer.

    -steve
    ~ Microsoft MVP Windows Live ~ Windows Live OneCare| Live Mesh|MS Security Essentials Forums Moderator ~
    Friday, December 4, 2009 1:40 PM
    Moderator