Serious Discussion Windows Firewall Control block rule for a specific .exe is not (fully) taking affect // source of rundll32 outbound traffic

X195

Level 1
Thread author
Aug 31, 2023
17
Hello,

I've created an outbound block rule in WFC for a specific piece of software on my computer.

When I look at the connections log and look at the "recently allowed" connections there is a list of connections from this piece of software that have been allowed. In the "Program" column, it points to the .exe of the program which is the one that I have blocked in the rules panel.

Note: When I switch to "recently blocked" it shows a list of connections from this software that have been blocked, so it looks like some of the connections are being blocked and some are being allowed.

Can anybody suggest why all of the connections from this .exe are not being blocked?

----------

A second question is, I'm getting a lot of outbound rundll32.exe requests. As far as I understand this could be any application that generates these requests, so what's the best way to determine which application has requested to generate the the rundll32.exe outbound traffic? can I find this out from within WFC?

I would appreciate any support.

Thanks
 
  • Like
Reactions: simmerskool

TairikuOkami

Level 37
Verified
Top Poster
Content Creator
Well-known
May 13, 2017
2,628
Can anybody suggest why all of the connections from this .exe are not being blocked?
Comodo and Zone Alarm are the only firewalls that can block processes leaking through other processes. Standalone HIPS are no longer a thing, so that is pretty much it.
A second question is, I'm getting a lot of outbound rundll32.exe requests.
I have always blocked rundll32.exe outbound traffic without problems, but recently I have not received any. Probably because I have disabled a lot of default processes.
 
  • Like
Reactions: simmerskool

X195

Level 1
Thread author
Aug 31, 2023
17
Comodo and Zone Alarm are the only firewalls that can block processes leaking through other processes. Standalone HIPS are no longer a thing, so that is pretty much it.
Thanks, I'm not really aware whats HIPS are, does this mean that WFC is not a reliable option as a firewall If I want to block specific apps from communicating on the network?

I have always blocked rundll32.exe outbound traffic without problems, but recently I have not received any. Probably because I have disabled a lot of default processes.
Are you able to advise how to determine which application requested to generate the the rundll32.exe outbound traffic?

Many Thanks
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top