
rundll32

Postby Chrysalis » Tue May 31, 2011 4:57 pm

Hi.

I need help on what to do with this.

windows host process (rundll32)

I think starting from about 2-3 weeks ago this wants access to the internet. I allowed the first IP it asked for, as it was logging again and again every 3 seconds, trying really hard. I did of course also virus scan online and offline, and it was clean.

I then checked the windows7firewallcontrol again and I see now 210658 attempts accessing the internet, this time another Microsoft IP: 65.55.162.27

What seems unusual is how frequent it is.

Some log examples:

26/05/2011|03:47:06|IPv4 TCP 65.55.162.27:443(61705)|Windows host process (Rundll32)|Microsoft1 Outgoing|C:\windows\syswow64\rundll32.exe
26/05/2011|03:47:06|IPv4 TCP 65.55.162.27:443(61706)|Windows host process (Rundll32)|Microsoft1 Outgoing|C:\windows\syswow64\rundll32.exe
26/05/2011|03:47:06|IPv4 TCP 65.55.162.27:443(61707)|Windows host process (Rundll32)|Microsoft1 Outgoing|C:\windows\syswow64\rundll32.exe
26/05/2011|03:47:09|IPv4 TCP 65.55.162.27:443(61708)|Windows host process (Rundll32)|Microsoft1 Outgoing|C:\windows\syswow64\rundll32.exe
26/05/2011|03:47:09|IPv4 TCP 65.55.162.27:443(61709)|Windows host process (Rundll32)|Microsoft1 Outgoing|C:\windows\syswow64\rundll32.exe
26/05/2011|03:47:09|IPv4 TCP 65.55.162.27:443(61710)|Windows host process (Rundll32)|Microsoft1 Outgoing|C:\windows\syswow64\rundll32.exe

Is this legitimate, and if yes, what is the suggestion for a safe zone for this service?
Chrysalis
 
Posts: 6
Joined: Thu Apr 14, 2011 5:25 am

Re: rundll32

Postby VistaFirewallControl » Wed Jun 01, 2011 9:45 am

The answer would be ambiguous…
Obviously the application reports (acquires) something from (to) Microsoft.
We would hardly be able to realize a genuine purpose of the activity, without a context at least.
Anyway the application behavior is known to the developers only in full.
Probably the developers treat the (blocked) activity as required and make multiple attempts.
The frequency itself is hardly a sign of a problem….

Process Explorer (ask google) can be used to reveal the full command line of rundll. The command line includes the DLL name launched by rundll process.

The key questions are
- Does your security policy allow something to be reported to (or acquired from) Microsoft?
- Are there any noticeable negative consequences of the activity blocked?

If the answers are NO+NO, the activity may be kept blocked, otherwise enabled.
VistaFirewallControl
Site Admin
 
Posts: 962
Joined: Fri Mar 27, 2009 11:25 am
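
An added example, not part of the original thread or of the firewall product: a Python summary of the log lines quoted in the first post, grouping attempts by program path, remote address and port and measuring the interval between bursts. The field layout in the regular expression is inferred from those six lines and is an assumption, as is reading the number in parentheses as the local port.

```python
import re
from collections import defaultdict
from datetime import datetime

# The six log lines quoted in the first post, unchanged.
SAMPLE_LOG = r"""
26/05/2011|03:47:06|IPv4 TCP 65.55.162.27:443(61705)|Windows host process (Rundll32)|Microsoft1 Outgoing|C:\windows\syswow64\rundll32.exe
26/05/2011|03:47:06|IPv4 TCP 65.55.162.27:443(61706)|Windows host process (Rundll32)|Microsoft1 Outgoing|C:\windows\syswow64\rundll32.exe
26/05/2011|03:47:06|IPv4 TCP 65.55.162.27:443(61707)|Windows host process (Rundll32)|Microsoft1 Outgoing|C:\windows\syswow64\rundll32.exe
26/05/2011|03:47:09|IPv4 TCP 65.55.162.27:443(61708)|Windows host process (Rundll32)|Microsoft1 Outgoing|C:\windows\syswow64\rundll32.exe
26/05/2011|03:47:09|IPv4 TCP 65.55.162.27:443(61709)|Windows host process (Rundll32)|Microsoft1 Outgoing|C:\windows\syswow64\rundll32.exe
26/05/2011|03:47:09|IPv4 TCP 65.55.162.27:443(61710)|Windows host process (Rundll32)|Microsoft1 Outgoing|C:\windows\syswow64\rundll32.exe
"""

# Assumed layout: date|time|ipver proto remote:port(local port)|app|zone direction|path
LINE_RE = re.compile(
    r"^(?P<date>\d\d/\d\d/\d{4})\|(?P<time>\d\d:\d\d:\d\d)\|"
    r"IPv[46] (?P<proto>\w+) (?P<remote>\S+):(?P<rport>\d+)\((?P<lport>\d+)\)\|"
    r"(?P<app>[^|]*)\|(?P<zone>[^|]*)\|(?P<path>.+)$"
)

def parse_line(line):
    """Return a dict for one log line, or None if it does not fit the assumed layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["when"] = datetime.strptime(rec["date"] + " " + rec["time"], "%d/%m/%Y %H:%M:%S")
    return rec

def summarize(text):
    """Group attempts by (program path, remote IP, remote port) and measure retry cadence."""
    groups = defaultdict(list)
    for rec in filter(None, map(parse_line, text.splitlines())):
        groups[(rec["path"].lower(), rec["remote"], int(rec["rport"]))].append(rec["when"])
    report = {}
    for key, times in groups.items():
        ticks = sorted(set(times))  # distinct seconds in which attempts were logged
        report[key] = {
            "attempts": len(times),
            "bursts": len(ticks),
            "per_burst": len(times) / len(ticks),
            "gaps_s": [(b - a).total_seconds() for a, b in zip(ticks, ticks[1:])],
        }
    return report

if __name__ == "__main__":
    for key, stats in summarize(SAMPLE_LOG).items():
        print(key, stats)
```

On the quoted lines this reports 6 attempts in 2 bursts of 3, spaced 3 seconds apart, all from the same program path to 65.55.162.27:443.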

