Hard_Configurator - Windows Hardening Configurator

Gandalf_The_Grey

This shows up in the logs of Firewall hardening:
Code:
Event[0]:
Local Time:  2020/09/09 15:17:23
ProcessId:  1660
Application:  C:\windows\system32\rundll32.exe
Direction:  Outbound
SourceAddress:  (deleted)
SourcePort:  56459
DestAddress:  51.124.78.146
DestPort:  443
Protocol:  6
FilterRTID:  71403
LayerName:  %%14611
LayerRTID:  48
Can somebody tell me what it is?
Is it okay to be blocked or should I unblock it?
The IP seems to be for settings-win.data.microsoft.com according to this site:
 

Andy Ful

I can also confirm this and e.g. svchost entries blocked by recommended H_C firewall settings.
@Andy Ful what is your opinion about it?
Interesting - I did not have any event of rundll32.exe blocked. It has to be a rare block event.
Svchost is not blocked by any predefined settings of FirewallHardening (svchost.exe is not on the block list). They are in the log because the log shows all outbound connections blocked by Windows Firewall (most of them are not from FirewallHardening).
 

ErzCrz


As it's in windows\system32, it's a safe process. I usually get these after reboots, something to do with shared dlls I think :)
 

ForgottenSeer 85179

Here is my H_C firewall log:
(I also don't use any custom firewall rule)
Log.txt
 

Attachments

  • Log.txt (39 KB)

Andy Ful

I found this IP (51.124.78.146) on the list of WindowsSpyBlocker:
https://raw.githubusercontent.com/crazy-max/WindowsSpyBlocker/master/data/firewall/spy.txt

It seems to be related to sending some telemetry:
"The new Windows service increases the amount of diagnostic data that CEIP can collect, and it collects data for third-party applications using the Application Insights service. Application Insights lets developers track performance issues, crashes, and other problems within their applications.

The data is sent to two hard-coded addresses: vortex-win.data.microsoft.com and settings-win.data.microsoft.com."

Microsoft information:
"IMPORTANT: This endpoint is used to remotely configure diagnostics-related settings and data collection. For example, we use the settings endpoint to remotely block an event from being sent back to Microsoft. We do not recommend disabling this endpoint. This endpoint does not upload Windows diagnostic data."
https://docs.microsoft.com/en-us/wi...-windows-diagnostic-data-in-your-organization
https://support.microsoft.com/en-us...-customer-experience-and-diagnostic-telemetry

Some people think that it can be safely blocked:
https://www.reddit.com/r/pihole/comments/gfqtuq/should_i_block_settingswindatamicrosoftcom/
https://www.reddit.com/r/privacytoo...omplete_list_of_windows_10_telemetry_blocked/

Post edited
Added the link to www.infoworld.com.
 

ErzCrz


Ah ok, looks like it is connected to the feedback settings then. I had it set up to send optional stuff and always send. I set that a long time ago, just tweaked it to send "required" and to "Never" ask for feedback. We'll see if I still get the same events.
 

Andy Ful

Thanks! According to your link it is used for:

So, I have removed the block for rundll32.exe from the Recommended H_C settings.
These events are probably related to scheduled tasks under "Application Experience" that use rundll32.exe (PcaPatchDbTask and StartupAppTask).
Some other telemetry will also be blocked like under the Autochk tab the scheduled task Proxy.
 

ForgottenSeer 85179

Thanks.
But I wonder why it gets blocked, as I don't block telemetry, services or tasks.
I also set telemetry to full aka optional.

Also no "Anti-Spy" tools are used.
 

Andy Ful

Same here.
I am not sure if I understand your posts well. These tasks use rundll32.exe by command line to get and upload the telemetry. So they will run, but the outbound connection will be blocked anyway by the FirewallHardening rule for rundll32.exe.
 

Gandalf_The_Grey

The question is why it is blocked when we (in current config) don't block telemetry?
 

Andy Ful

Ha, ha. I have just tried to answer exactly this question and have no idea what is wrong with my explanation (probably my poor English).:)

Unblocked telemetry ---> Some telemetry tasks run rundll32.exe to start ----> execution of rundll32.exe is not blocked ---> the task can gather the telemetry ---> outbound connection of rundll32.exe is blocked by FH rule ----> the user can see the event in the Log

Edit
For example, one of the telemetry scheduled tasks is PcaPatchSdbTask which is started by the command-line (the execution of rundll32.exe is not blocked, only outbound connection):
%windir%\system32\rundll32.exe %windir%\system32\PcaSvc.dll,PcaPatchSdbTask

So, the telemetry tasks are still running, but some of them cannot send information to Microsoft, due to FirewallHardening rules (for rundll32.exe) in Windows Firewall.

Post edited to make it easier to understand.
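Andy Ful's two points above (the FirewallHardening log lists every outbound connection Windows Firewall blocked, not only H_C blocks, and the rundll32.exe telemetry tasks still run while only their outbound connection is cut) can be checked against a log mechanically. The Python below is an added example, not code from Hard_Configurator or from anyone in the thread; the `HC_BLOCKED_LOLBINS` set is a stand-in for the Recommended H_C block list (only rundll32.exe is confirmed by the thread), Event[0] is the rundll32.exe event posted earlier, and Event[1] is a constructed svchost.exe event with an RFC 5737 documentation address.

```python
import re

# Constructed sample in FirewallHardening's log format: Event[0] is the rundll32.exe
# event posted in the thread (source address redacted there); Event[1] is made up.
SAMPLE_LOG = r"""Event[0]:
Local Time:  2020/09/09 15:17:23
ProcessId:  1660
Application:  C:\windows\system32\rundll32.exe
Direction:  Outbound
SourceAddress:  (deleted)
SourcePort:  56459
DestAddress:  51.124.78.146
DestPort:  443
Protocol:  6
FilterRTID:  71403
LayerName:  %%14611
LayerRTID:  48
Event[1]:
Application:  C:\windows\system32\svchost.exe
Direction:  Outbound
DestAddress:  203.0.113.5
DestPort:  80
Protocol:  6
"""

# Assumption: stand-in for the Recommended H_C block list. Only rundll32.exe is
# confirmed by the thread, and svchost.exe is explicitly not on the list.
HC_BLOCKED_LOLBINS = {"rundll32.exe"}

FIELD_RE = re.compile(r"^([A-Za-z ]+):\s+(.*)$", re.M)

def parse_events(text):
    """Return one {field: value} dict per 'Event[n]:' record in the log."""
    chunks = re.split(r"^Event\[\d+\]:\s*$", text, flags=re.M)[1:]
    return [dict(FIELD_RE.findall(c)) for c in chunks]

def exe_name(event):
    """Bare executable name, lower-cased, taken from the Application path."""
    return event.get("Application", "").rsplit("\\", 1)[-1].lower()

def classify(event):
    """Attribute a blocked connection to the H_C rule or to some other WF rule."""
    if event.get("Direction") != "Outbound":
        return "not-outbound"
    return "FirewallHardening" if exe_name(event) in HC_BLOCKED_LOLBINS else "other-WF-rule"

def triage(text):
    """(exe, destination, verdict) per event: the rows a user would review."""
    return [(exe_name(e), f"{e.get('DestAddress')}:{e.get('DestPort')}", classify(e))
            for e in parse_events(text)]
```

Running `triage(SAMPLE_LOG)` attributes the rundll32.exe event to the H_C rule and the svchost.exe event to some other Windows Firewall rule, which is the distinction the log itself does not make.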
 

Gandalf_The_Grey

And my English is also from high school, many, many, many years ago... :D

I understand that the outbound connection is being blocked.
Of course, I can unblock it by deleting the block rule in FirewallHardening.
Why have you chosen to block rundll32.exe in the recommended rules?
In other words, is unblocking rundll32.exe a wise thing to do?
 

silversurfer

"rundll32.exe" is just one of the most used "LOLbins"
I would keep it being blocked by Firewall-Hardening, unless it's causing major issues on your system/device...

 

Andy Ful

I chose some of the firewall rules as "Recommended H_C" when:
  1. The LOLBins were used in the wild for downloading malware from the Internet.
  2. These firewall rules mostly do not cause any issues for home users.
But, all FirewallHardening rules are just in case (another small brick in the security wall). You can remove any of them if you want.
Anyway, in your case, the rule for rundll32.exe does not do anything wrong - many users would even say that it is helpful. :)
 

Gandalf_The_Grey

I had an update from Tom Tom Home blocked:
De beheerder heeft de toegang tot C:\Users\gandalf\AppData\Local\TomTom\HOME3\Updates\InstallerUpdater.lnk beperkt doordat het niveau van het standaardsoftwarerestrictiebeleid is aangepast.
The only option to perform this update was switching off Default Deny.
Whitelisting didn't work for me.
How do I whitelist this?
 
