Gandalf_The_Grey

Level 36
Verified
Trusted
Content Creator
This shows up in the logs of Firewall hardening:
Code:
Event[0]:
Local Time:  2020/09/09 15:17:23
ProcessId:  1660
Application:  C:\windows\system32\rundll32.exe
Direction:  Outbound
SourceAddress:  (deleted)
SourcePort:  56459
DestAddress:  51.124.78.146
DestPort:  443
Protocol:  6
FilterRTID:  71403
LayerName:  %%14611
LayerRTID:  48
Can somebody tell me what it is?
Is it okay to be blocked or should I unblock it?
The IP seems to be for settings-win.data.microsoft.com according to this site:
 

Gandalf_The_Grey

Level 36
Verified
Trusted
Content Creator

Andy Ful

Level 63
Verified
Trusted
Content Creator
I can also confirm this and e.g. svchost entries blocked by recommended H_C firewall settings.
@Andy Ful what is your opinion about it?
Interesting - I did not have any event of rundll32.exe blocked. It has to be a rare block event.:unsure:
Svchost is not blocked by any predefined settings of FirewallHardening (svchost.exe is not on the block list). They are in the log because the log shows all outbound connections blocked by Windows Firewall (most of them are not from FirewallHardening).(y)
 

ErzCrz

Level 7
Verified
Interesting - I did not have any event of rundll32.exe blocked. It has to be a rare block event.:unsure:
Svchost is not blocked by any predefined settings of FirewallHardening (svchost.exe is not on the block list). They are in the log because the log shows all outbound connections blocked by Windows Firewall (most of them are not from FirewallHardening).(y)

As it's in windows\system32, it's a safe process. I usually get these after reboots, something to do with shared dlls I think :)
 

security123

Level 26
Verified
Interesting - I did not have any event of rundll32.exe blocked. It has to be a rare block event.:unsure:
Svchost is not blocked by any predefined settings of FirewallHardening (svchost.exe is not on the block list). They are in the log because the log shows all outbound connections blocked by Windows Firewall (most of them are not from FirewallHardening).(y)
Here is my H_C firewall log:
(I also don't use any custom firewall rules)
Log.txt
 


Andy Ful

Level 63
Verified
Trusted
Content Creator
Here is my H_C firewall log:
(I also don't use any custom firewall rules)
Log.txt
I found this IP (51.124.78.146) on the list of WindowsSpyBlocker:
https://raw.githubusercontent.com/crazy-max/WindowsSpyBlocker/master/data/firewall/spy.txt

It seems to be related to sending some telemetry:
"The new Windows service increases the amount of diagnostic data that CEIP can collect, and it collects data for third-party applications using the Application Insights service. Application Insights lets developers track performance issues, crashes, and other problems within their applications.

The data is sent to two hard-coded addresses: vortex-win.data.microsoft.com and settings-win.data.microsoft.com."

Microsoft information:
"IMPORTANT: This endpoint is used to remotely configure diagnostics-related settings and data collection. For example, we use the settings endpoint to remotely block an event from being sent back to Microsoft. We do not recommend disabling this endpoint. This endpoint does not upload Windows diagnostic data."
https://docs.microsoft.com/en-us/wi...-windows-diagnostic-data-in-your-organization
https://support.microsoft.com/en-us...-customer-experience-and-diagnostic-telemetry

Some people think that it can be safely blocked:
https://www.reddit.com/r/pihole/comments/gfqtuq/should_i_block_settingswindatamicrosoftcom/
https://www.reddit.com/r/privacytoo...omplete_list_of_windows_10_telemetry_blocked/

Post edited
Added the link to www.infoworld.com.
 

ErzCrz

Level 7
Verified

Ah ok, looks like it's connected to the feedback settings then. I had it set up to send optional stuff and always send. Set that a long time ago, just tweaked it to send "required" and to "Never" ask for feedback. We'll see if I still get the same events.
 

Andy Ful

Level 63
Verified
Trusted
Content Creator
Thanks! According to your link it is used for:

So, I have removed the block for rundll32.exe from the Recommended H_C settings.
These events are probably related to scheduled tasks under "Application Experience" that use rundll32.exe (PcaPatchDbTask and StartupAppTask).
Some other telemetry will also be blocked like under the Autochk tab the scheduled task Proxy.
 

security123

Level 26
Verified
I found this IP (51.124.78.146) on the list of WindowsSpyBlocker:
https://raw.githubusercontent.com/crazy-max/WindowsSpyBlocker/master/data/firewall/spy.txt

It seems to be related to sending some telemetry:
"The new Windows service increases the amount of diagnostic data that CEIP can collect, and it collects data for third-party applications using the Application Insights service. Application Insights lets developers track performance issues, crashes, and other problems within their applications.

The data is sent to two hard-coded addresses: vortex-win.data.microsoft.com and settings-win.data.microsoft.com."

Microsoft information:
"IMPORTANT: This endpoint is used to remotely configure diagnostics-related settings and data collection. For example, we use the settings endpoint to remotely block an event from being sent back to Microsoft. We do not recommend disabling this endpoint. This endpoint does not upload Windows diagnostic data."
https://docs.microsoft.com/en-us/wi...-windows-diagnostic-data-in-your-organization
https://support.microsoft.com/en-us...-customer-experience-and-diagnostic-telemetry

Some people think that it can be safely blocked:
https://www.reddit.com/r/pihole/comments/gfqtuq/should_i_block_settingswindatamicrosoftcom/
https://www.reddit.com/r/privacytoo...omplete_list_of_windows_10_telemetry_blocked/

Post edited
Added the link to www.infoworld.com.
Thanks.
But I wonder why it gets blocked as I don't block telemetry, services or tasks.
I also set telemetry to full aka optional.

Also no "Anti-Spy" tools are used.
 

Andy Ful

Level 63
Verified
Trusted
Content Creator
Thanks.
But I wonder why it gets blocked as I don't block telemetry, services or tasks.
I also set telemetry to full aka optional.

Also no "Anti-Spy" tools are used.
Same here.
I am not sure if I understand your posts well. These tasks use rundll32.exe by command line to get and upload the telemetry. So they will run but the outbound connection will be blocked anyway by the FirewallHardening rule for rundll32.exe.(y)
 

Gandalf_The_Grey

Level 36
Verified
Trusted
Content Creator
I am not sure if I understand your posts well. These tasks use rundll32.exe by command line to get and upload the telemetry. So they will run but the outbound connection will be blocked anyway by the FirewallHardening rule for rundll32.exe.(y)
The question is why it is blocked when we (in current config) don't block telemetry?
 

Andy Ful

Level 63
Verified
Trusted
Content Creator
The question is why it is blocked when we (in current config) don't block telemetry?
Ha, ha. I have just tried to answer exactly this question and have no idea what is wrong with my explanation (probably my poor English).:)

Unblocked telemetry ---> Some telemetry tasks run rundll32.exe to start ----> execution of rundll32.exe is not blocked ---> the task can gather the telemetry ---> outbound connection of rundll32.exe is blocked by FH rule ----> the user can see the event in the Log

Edit
For example, one of the telemetry scheduled tasks is PcaPatchSdbTask which is started by the command line (the execution of rundll32.exe is not blocked, only the outbound connection):
%windir%\system32\rundll32.exe %windir%\system32\PcaSvc.dll,PcaPatchSdbTask

So, the telemetry tasks are still running, but some of them cannot send information to Microsoft, due to FirewallHardening rules (for rundll32.exe) in Windows Firewall.

Post edited to make it easier to understand.
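As an added example (not part of the thread, and not Hard_Configurator's own code), a small Python triage script for the FirewallHardening log layout quoted at the top of the thread: it parses each Event[N] record and tags whether the blocked application is on the FH block list (here a constructed one-entry list containing only rundll32.exe) or was blocked by some other Windows Firewall rule, and labels the settings endpoint discussed above. The second event and the source address are constructed.

```python
import re

# Constructed for this demo: the thread names rundll32.exe as the blocked
# LOLBin and 51.124.78.146 as the diagnostics settings endpoint.
FH_BLOCKED_APPS = {"rundll32.exe"}
KNOWN_TELEMETRY = {"51.124.78.146": "settings-win.data.microsoft.com"}

# Constructed sample: Event[0] mirrors the event quoted in the thread (private
# address where SourceAddress was redacted); Event[1] is made up and trimmed.
SAMPLE_LOG = """Event[0]:
Local Time:  2020/09/09 15:17:23
ProcessId:  1660
Application:  C:\\windows\\system32\\rundll32.exe
Direction:  Outbound
SourceAddress:  192.168.1.10
SourcePort:  56459
DestAddress:  51.124.78.146
DestPort:  443
Protocol:  6
FilterRTID:  71403
LayerName:  %%14611
LayerRTID:  48
Event[1]:
ProcessId:  1404
Application:  C:\\windows\\system32\\svchost.exe
DestAddress:  203.0.113.7
DestPort:  80
"""

def parse_events(text):
    """Return one dict (field -> value) per 'Event[N]:' block in the log."""
    events, current = [], None
    for line in text.splitlines():
        if re.match(r"Event\[\d+\]:", line):
            current = {}
            events.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()
    return events

def triage(text):
    """Tag each blocked connection: FH block-list hit or some other WF rule."""
    rows = []
    for ev in parse_events(text):
        exe = ev.get("Application", "").rsplit("\\", 1)[-1].lower()
        dest = ev.get("DestAddress", "")
        rows.append({"exe": exe, "dest": f"{dest}:{ev.get('DestPort', '')}",
                     "by_fh_rule": exe in FH_BLOCKED_APPS,
                     "telemetry_host": KNOWN_TELEMETRY.get(dest)})
    return rows
```

Run `triage(open("Log.txt").read())` over an exported log to see which entries the FH rule itself accounts for and which come from other Windows Firewall rules.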
 

Gandalf_The_Grey

Level 36
Verified
Trusted
Content Creator
Ha, ha. I have just tried to answer exactly this question and have no idea what is wrong with my explanation (probably my poor English).:)

Unblocked telemetry ---> Some telemetry tasks run rundll32.exe to start ----> execution of rundll32.exe is not blocked ---> the task can gather the telemetry ---> outbound connection of rundll32.exe is blocked by FH rule ----> the user can see the event in the Log

Edit
For example, one of the telemetry scheduled tasks is PcaPatchSdbTask which is started by the command line (the execution of rundll32.exe is not blocked, only the outbound connection):
%windir%\system32\rundll32.exe %windir%\system32\PcaSvc.dll,PcaPatchSdbTask

So, the telemetry tasks are still running, but some of them cannot send information to Microsoft, due to FirewallHardening rules (for rundll32.exe) in Windows Firewall.

Post edited to make it easier to understand.
And my English is also from high school, many, many, many years ago... :D

I understand that the outbound connection is being blocked.
Of course, I can unblock it by deleting the block rule in FirewallHardening.
Why have you chosen to block rundll32.exe in the recommended rules?
In other words, is unblocking rundll32.exe a wise thing to do?
 

silversurfer

Level 64
Verified
Trusted
Content Creator
Malware Hunter
I understand that the outbound connection is being blocked.
Of course, I can unblock it by deleting the block rule in FirewallHardening.
Why have you chosen to block rundll32.exe in the recommended rules?
In other words, is unblocking rundll32.exe a wise thing to do?
"rundll32.exe" is just one of the most used "LOLbins"
I would keep it being blocked by Firewall-Hardening, unless it's causing major issues on your system/device...

 

Andy Ful

Level 63
Verified
Trusted
Content Creator
...
Why have you chosen to block rundll32.exe in the recommended rules?
In other words, is unblocking rundll32.exe a wise thing to do?
I chose some of the firewall rules as "Recommended H_C" when:
  1. The LOLBins were used in the wild for downloading malware from the Internet.
  2. These firewall rules mostly do not cause any issues for home users.
But, all FirewallHardening rules are just in case (another small brick in the security wall). You can remove any of them if you want.
Anyway, in your case, the rule for rundll32.exe does not do anything wrong - many users would even say that it is helpful. :)(y)
 

Gandalf_The_Grey

Level 36
Verified
Trusted
Content Creator
I had an update from Tom Tom Home blocked:
De beheerder heeft de toegang tot C:\Users\gandalf\AppData\Local\TomTom\HOME3\Updates\InstallerUpdater.lnk beperkt doordat het niveau van het standaardsoftwarerestrictiebeleid is aangepast.
The only option to perform this update was switching off Default Deny.
Whitelisting didn't work for me.
How do I whitelist this?
 