When trying to import photos from my phone, Windows' ransomware protection (controlled folder access) blocked rundll32.exe from writing to my Pictures photo.

Would it be OK to put rundll32.exe on the list of allowed apps, or is there (can there be) malware/ransomware that uses rundll32.exe to do its thing?

I don't know enough about what rundll32.exe can or can't do in order to sensibly judge the risks I'm taking by allowing it to write to the Users folders...

Tim Pietzcker
  • It's not clear from the Microsoft documentation I've been able to find what criteria controlled folder access uses to block something. When I've tried it, it occasionally blocks hosting processes like this. Rundll32.exe will run any dll that's passed to it, so it could be used by malware. Here is an example of ransomware using it https://isc.sans.edu/forums/diary/Malspam+pushing+Sigma+ransomware/23443 towards the end. – David Marshall Oct 07 '18 at 14:36
  • Tim - FYI.... https://support.microsoft.com/en-us/help/164787/info-windows-rundll-and-rundll32-interface for some correlated history and detail on the file. The basics should still apply I would think even if functionality has been extended. Quick look over https://www.dummies.com/computers/operating-systems/windows-xp-vista/understand-the-windows-process-rundll32-exe/ might be good detail for you as well. Just tossing you a couple quick reads on the process. – Vomit IT - Chunky Mess Style Oct 07 '18 at 20:07
  • Hm, so it seems that rundll32 is not safe to unblock... thanks! – Tim Pietzcker Oct 08 '18 at 11:54
