Behavior Blocker is blocking rundll32.exe


Recommended Posts

One of our clients in a workspace has been receiving behavior blocks for rundll32.exe. I can't figure out what's causing it to run in the first place. 
 
How do I use Emsisoft Management Console to find the installer that's triggering these rundll32 alerts?

Incident for TMP 01.PNG


I've no idea from an EAM point of view, but it's possible to turn on auditing (in eventlogs) of process creation (and termination), and once you have process creation being logged you can turn on logging of the command lines used to start processes.  Process creation logging might be enough (as it'll show who's issuing the command, I think).  For auditing process creation etc the 'proper' way to do it is via gpedit, but you can also do it from an elevated cmd prompt using the "auditpol" command, as follows (as used by me on W8.1 but I expect it'll work for W10 too):

Auditpol.exe /set /subcategory:"process creation" /success:enable
Auditpol.exe /set /subcategory:"process creation" /failure:enable

- under Win 8.1, these commands turned on eventlogging of successful & failed process creates


Auditpol.exe /set /subcategory:"process termination" /success:enable
Auditpol.exe /set /subcategory:"process termination" /failure:enable

- under Win 8.1, these commands turned on eventlogging of successful & failed process terminations.

Before and after issuing those you can see what's turned on/off by: auditpol /get /category:*

I'd advise you to first read the help shown from: auditpol /?, and then auditpol /list /?, auditpol /get /? and auditpol /set /? etc.

The eventlog records are placed in the Security log and you can expect there to be lots of them.  I don't know if you have to reboot to get the change to take effect.

For commandline logging (which is a security risk because some commands contain passwords, and might not be suitable for a corporate environment), from my notes a few years back:

[Using the (excellent) tool at: http://gpsearch.azurewebsites.net/#10674 I was able to find info on how the command-line flagging is enabled.  It says

  System
     Auditing
        Include command line in process creation events

        HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit

        Value: ProcessCreationIncludeCmdLine_Enabled

Googling told me that that value needs to be a DWORD set to 1.]

 

I don't know if that helps.
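The steps in the reply above (turn on process-creation auditing with auditpol, set the ProcessCreationIncludeCmdLine_Enabled DWORD, then read the Security log) put together as one PowerShell script. This is an added example, not code from the poster or from Emsisoft; it runs from an elevated PowerShell prompt. The auditpol calls and the registry path/value are the ones quoted in the reply; the event ID 4688 and its field names (NewProcessName, CommandLine, SubjectUserName, ProcessId) are standard Windows Security-log names, while ParentProcessName is assumed to exist only on Windows 10 and later builds and will be empty on 8.1. The Get-Rundll32Launches function is a name chosen here for illustration.

```powershell
# Added example (not from the forum post): enable process-creation auditing
# plus command-line capture, then list the 4688 events for rundll32.exe with
# the account and parent process that launched it. Run elevated.

# 1. Turn on process-creation auditing (same auditpol subcategory as the post;
#    success and failure enabled in a single call).
auditpol.exe /set /subcategory:"process creation" /success:enable /failure:enable

# 2. Include the command line in 4688 events: the DWORD=1 value the post describes.
#    Note the post's own caveat: command lines can contain passwords.
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
if (-not (Test-Path $auditKey)) { New-Item -Path $auditKey -Force | Out-Null }
New-ItemProperty -Path $auditKey -Name 'ProcessCreationIncludeCmdLine_Enabled' `
    -PropertyType DWord -Value 1 -Force | Out-Null

# 3. After the next behaviour block, ask the Security log who started rundll32.exe.
function Get-Rundll32Launches {
    param([datetime]$Since = (Get-Date).AddHours(-24))

    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Read the EventData by field name rather than position, so the
        # script does not depend on field order across Windows builds.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        if ($data['NewProcessName'] -like '*\rundll32.exe') {
            [pscustomobject]@{
                Time          = $_.TimeCreated
                User          = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
                CommandLine   = $data['CommandLine']        # empty until step 2 is applied
                ParentProcess = $data['ParentProcessName']  # assumed: Windows 10+; empty on 8.1
                ParentPid     = [int]$data['ProcessId']     # "Creator Process ID", logged as hex
            }
        }
    }
}

# Usage: show the launches recorded since the last 24 hours.
Get-Rundll32Launches | Format-List
```

On 8.1, where the event carries no parent process name, the ParentPid column is the creator's PID; if that process is still running, Get-Process -Id <ParentPid> resolves it to the installer or service that spawned rundll32.exe. The same filter with a different file name in the -like pattern works for any other process the behaviour blocker reports.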
