installed WIN DEFENDER now notice "RUN DLL AS APP" in ZoneAlarm

Guest

Others as well have confirmed that once Windows Defender is installed a new
entry in ZoneAlarm (in my case ZA v6.1.744.001) appears out of nowhere which
reads "run dll as app" and the item points to the legitimate WINXP SP2 H.E.
file, \Windows\System32\rundll32.exe - but no other info is provided. My
security induced paranoia caused me to react by deleting the entry
immediately despite the protests from ZoneAlarm (surely you will die for
doing this, blah, blah, blah).
Does anyone have a clue why the latest version of Windows Defender might
place an entry or arrange to have placed on its behalf an entry as mysterious
as this one?
If it is essential will Windows Defender ask for firewall permission again
for this entry or have I permanently deterred one of its functions by
deleting the item from Zone Alarm?
 
Guest

Just a clarification. It has come to my attention that "RUN DLL AS AN APP"
points to a legitimate Windows file, \Windows\System32\rundll32.exe. Further
I have discovered that Zone Alarm has classified this particular file as safe
by default and will configure it automatically to access the Trusted/Internet
zones when a core component of Windows requires access. So my guess at this
point is that during the installation process of Windows Defender there must
have been some need for the rundll32.exe to have "access" and it was swiftly
granted access. I don't particularly like the arrangement but there's not a
whole lot I can do about it that makes sense. MY REAL QUESTION of course is
whether this was a one time event and can I now return the rundll32.exe item
to ASK BEFORE ACCESS in all zones or will that somehow disrupt some
component of Windows Defender. I may just have to experiment. Thanks.
 
Bill Sanderson

I'll be interested in the result of your experiments. If you want to test
further, I have some thoughts about what might be happening, but no clear
answers:

They are pretty vague, though!

Windows Defender has a command-line app, mpcmdrun, which is responsible for
updating definitions, and running scheduled scans. I'm not sure whether it
schedules the scans or whether one of the main processes does that task.
Re-scheduling the scheduled scan task happens at each startup--so that's one
thing you could look for--it is a hidden task run by the standard Windows
Scheduled tasks facility--you can SHOW hidden tasks by one of the menu
options in the scheduled tasks applet in control panel. If you have left
the default setting (I think)--to update definitions before running a
scheduled task, the scheduled task would need access to the Internet to
perform that operation--or, at least---Microsoft's update servers. The more
I think about this, I suspect this is likely what is happening--I would
guess that the scheduled tasks are running under one and probably two of the
SVCHOST processes that are running--one which has Internet access, and
another that does not, perhaps.

I'm not sure how to test this hypothesis. I suppose that if you block the
access, and wait long enough, you would find that the definitions are not
updated before a scheduled scan runs. However, they can also be updated by
AutoUpdate, by a manual run of Windows Update or Microsoft Update, or by
hitting the button in Help in Windows Defender--all of which would probably
work around that firewall setting.

I understand your interest in knowing what's going on here--but I suspect it
isn't going to be easy. Perhaps some other apps like process monitor from
sysinternals would give some picture of what is happening at the time this
opening is being made in the firewall? Or, does the firewall itself have
some tracing or logging mode that would give more information? Knowing the
name of the .dll file which is being invoked by this instance of rundll is
what I would want--and this may simply not be possible.

--
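
Added example, not part of the original thread: one way to get the DLL name asked for above is to read the command line of each running rundll32.exe and split out the DLL and export it was given. It assumes PowerShell 3.0 or later; the function names `Get-RundllTarget` and `Get-RundllInstance` and the sample command lines are constructed for illustration.

```powershell
# Added example (not from the thread). Assumes PowerShell 3.0 or later.
# Run elevated, otherwise CommandLine is empty for other users' processes.

function Get-RundllTarget {
    param([string]$CommandLine)
    if ([string]::IsNullOrWhiteSpace($CommandLine)) { return $null }

    # Syntax: rundll32.exe <dll>,<entrypoint> [arguments]
    # 1. Drop the rundll32 image path, quoted or not.
    $rest = $CommandLine -replace '^\s*("[^"]*"|\S+)\s*', ''
    # 2. Everything up to the first comma is the DLL; the next token is the export.
    if ($rest -match '^"?(?<dll>[^",]+)"?\s*,\s*(?<entry>[^\s,]+)\s*(?<args>.*)$') {
        return [pscustomobject]@{
            Dll        = $Matches['dll'].Trim()
            EntryPoint = $Matches['entry']
            Arguments  = $Matches['args']
        }
    }
    return $null   # no "<dll>,<entrypoint>" pair found
}

function Get-RundllInstance {
    # Snapshot of every rundll32.exe, with the process that launched it.
    Get-CimInstance Win32_Process -Filter "Name = 'rundll32.exe'" | ForEach-Object {
        $target = Get-RundllTarget $_.CommandLine
        $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($_.ParentProcessId)"
        [pscustomobject]@{
            ProcessId  = $_.ProcessId
            Parent     = if ($parent) { "$($parent.Name) ($($parent.ProcessId))" } else { 'exited' }
            Dll        = if ($target) { $target.Dll } else { '<unparsed>' }
            EntryPoint = if ($target) { $target.EntryPoint } else { '' }
            Raw        = $_.CommandLine
        }
    }
}

# Constructed sample command lines, parsed offline to show the output shape.
$samples = @(
    'rundll32.exe shell32.dll,Control_RunDLL desk.cpl',
    '"C:\Windows\System32\rundll32.exe" "C:\Program Files\Example\helper.dll",Start /quiet'
)
$samples | ForEach-Object { Get-RundllTarget $_ } | Format-Table -AutoSize

# Live view of the current machine.
Get-RundllInstance | Format-List
```

A rundll32 instance that exits within seconds will not appear in a snapshot like this; a Process Monitor trace, as suggested above, records its command line at process start.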
 
Guest

Thank you for your thoughtful response. Let me point out a few other
anomalies (they are anomalies to me anyhow):

Latest WIN Defender on WINXP SP2 H.E.

I'm having a hard time getting acquainted with Windows Defender's methods.

1.) I run primarily in a limited user account
2.) WIN DEFENDER scans right on schedule from this account. Cool.
3.) Received first actual visual alert on systray about a U.S. Robotics
modem driver. There should have been a way for me to Apply my decision
(permit/deny) but the button was grayed out (I was in limited user account).
What gives?
4.) I notice I have several entries in eventvwr (#3004) which isn't uncommon
I realize. But I think it's counter-productive to restrict these notices to
the eventvwr - why aren't I getting them on the systray icon? None of the
items is classified and I do have the alert option enabled: "Software that
has not yet been classified"
Yet most of the alerts are hitting the eventvwr and not the systray.
5.) I joined the Advanced membership for Spynet based on reliable
recommendations. Yet my early experience is somewhat lackluster. Where's the
beef?
6.) Yes, I do have Admin options checked both.

Finally, for those alerts already restricted to the eventvwr, how and when
can I attend to them now? All of them are unclassified but absolutely safe.
Thanks.
 
