NoVirusThanks OSArmor

paulderdash

paulderdash

Level 6
Verified
Well-known
Apr 28, 2015
271
SomeRandomCat said:
Been playing around with OSArmor. Interesting software. Gotta say I'm not a fan of the need to manually enter data for exclusions, it would be nice if I could just right-click on some sort of blocked process log and create excepts with a couple clicks. I wouldn't think that would be hard to implement, and don't see a benefit in copy/pasting line by line.
Click to expand...
I'm not sure exactly what you mean, but one can 'Add to exclusions' directly from a block alert.
The logs are there in text format, perhaps they can devise a simple way of transferring an event from there to exclusions.
 
  • Like
Reactions: wat0114, Cortex and Nevi
blackice

blackice

Level 39
Verified
Top Poster
Well-known
Apr 1, 2019
2,868
@NoVirusThanks

Got an interesting block this morning out of the blue, no new software has been installed in about a week:

Date/Time: 5/3/2021 10:26:35 AM
Process: [16776]C:\Windows\System32\rundll32.exe
Process MD5 Hash: EF3179D498793BF4234F708D3BE28633
Parent: [12664]C:\Windows\System32\dllhost.exe
Rule: BlockLOLBinsAndOtherSophisticatedAttacks
Rule Name: Block LOLBins and other sophisticated attacks
Command Line: "C:\WINDOWS\system32\rundll32.exe" -localserver 22d8c27b-47a1-48d1-ad08-7da7abd79617
Signer: <NULL>
Parent Signer: Microsoft Windows
User/Domain: SYSTEM/NT AUTHORITY
System File: True
Parent System File: True
Integrity Level: Medium
Parent Integrity Level: System
 
  • Like
  • Wow
Reactions: Nevi, Kongo, plat and 1 other person
blackice

blackice

Level 39
Verified
Top Poster
Well-known
Apr 1, 2019
2,868
blackice said:
@NoVirusThanks

Got an interesting block this morning out of the blue, no new software has been installed in about a week:

Date/Time: 5/3/2021 10:26:35 AM
Process: [16776]C:\Windows\System32\rundll32.exe
Process MD5 Hash: EF3179D498793BF4234F708D3BE28633
Parent: [12664]C:\Windows\System32\dllhost.exe
Rule: BlockLOLBinsAndOtherSophisticatedAttacks
Rule Name: Block LOLBins and other sophisticated attacks
Command Line: "C:\WINDOWS\system32\rundll32.exe" -localserver 22d8c27b-47a1-48d1-ad08-7da7abd79617
Signer: <NULL>
Parent Signer: Microsoft Windows
User/Domain: SYSTEM/NT AUTHORITY
System File: True
Parent System File: True
Integrity Level: Medium
Parent Integrity Level: System
Click to expand...
Actually I got a second identical one of these blocks last night. Just was checking the logs to look at this again. Very odd, may retrace my steps of what I may have had running.
 
  • Like
Reactions: Nevi, Cortex, Gandalf_The_Grey and 1 other person
I

itman71

New Member
Nov 18, 2019
8
blackice said:
Actually I got a second identical one of these blocks last night. Just was checking the logs to look at this again. Very odd, may retrace my steps of what I may have had running.
Click to expand...
Here's a thread on the behavior: What is this RunDll32 instance running? . One of the triggers for it as I noted is:
I saw this process on Windows 10, processing User Tiles - more commonly known as User Account Pictures. Possibly it is used to process other types of untrusted user data; I don't know.
Click to expand...
Also appears youtube video playing in certain instances can trigger it.

Really looks like a OSA FP to me and it should probably be excluded.
 
  • Like
Reactions: Nevi, Cortex and Kongo
blackice

blackice

Level 39
Verified
Top Poster
Well-known
Apr 1, 2019
2,868
itman71 said:
Here's a thread on the behavior: What is this RunDll32 instance running? . One of the triggers for it as I noted is:

Also appears youtube video playing in certain instances can trigger it.

Really looks like a OSA FP to me and it should probably be excluded.
Click to expand...
I was changing a bunch of accounts to a different email address, including my M$ account. I bet that’s what triggered it.
 
Last edited:
  • Like
Reactions: Nevi, Kongo and Divine_Barakah
I

itman71

New Member
Nov 18, 2019
8
I have an idea why OSA is triggering on execution of C:\WINDOWS\system32\rundll32.exe" -localserver 22d8c27b-47a1-48d1-ad08-7da7abd79617.

This is actually Windows Shell Experience Host and it is a "darling" of malware developers. I also believe a recent Win 10 update or the like may have borked how this process runs. It normally runs at Win startup time and then shortly is suspended. What I have recently observed is that this process was not running after system startup. It appears that anything that requires Windows Shell Experience Host use will cause the suspended instance to start and execute. When OSA detects a stand-alone instance of Windows Shell Experience Host attempting to start and execute, it detects it as malicious.

I have been also having recent issues with Win Store abnormally terminating shortly after Win 10 startup. It also might be somehow related to this. Yesterday, I ran wsreset.exe to attempt to fix the Win Store issue. It stopped the unexpended abending of it but it appeared a portion was still borked as evidenced by lack of any update connections from it.

This morning at first system startup time, I was greeted with a black screen. Hit the case power button to force a cold boot. This time system booted fine, Windows Shell Experience Host started and suspended as expected, and Win Store now shows update connections. Go figure ......................
 
  • Like
Reactions: Nevi, Cortex, Kongo and 2 others
I

itman71

New Member
Nov 18, 2019
8
An update on OSA is triggering on execution of C:\WINDOWS\system32\rundll32.exe" -localserver 22d8c27b-47a1-48d1-ad08-7da7abd79617.

I can now update my Win 10 lock screen picture w/o OSA triggering the above. So as far as I am concerned, this was related to something "hosed" in regards to Windows Shell Experience Host.
 
  • Like
Reactions: Zartarra, Nevi, Cortex and 3 others
Kongo

Kongo

Level 36
Verified
Top Poster
Well-known
Feb 25, 2017
2,585
Latest test in the Hub with Sophos also shows that rundll32 can be abused by malware. Thats why OSA and FirewallHardening by Andy have it in the LOLBin rules.

Dynamic 2.png
 
  • Like
Reactions: Zartarra, Nevi, Cortex and 3 others
blackice

blackice

Level 39
Verified
Top Poster
Well-known
Apr 1, 2019
2,868
itman71 said:
What was triggering this rundll32 activity was O&O Shutup10 Win 10 SpotLight blocking setting. That has to be disabled when changing your lockscreen pic. to avoid the rundll32 activity.
Click to expand...
I don’t use Shutup10 so I’m fairly certain mine was related to the change of my email address for my M$ account since it occurred a few minutes after I changed it online, probably when it synced, and then once later after rebooting and logging in the first time after the change. Nothing in the logs since.
 
  • Like
Reactions: Nevi and Cortex

Similar threads

way hodge
    • Like
    • HaHa
    • Wow
Advice Request TTB Internet Security [ Worst Antivirus Program for Mobile & Desktop ]
Replies
8
Views
681
Other security for Windows, Mac, Linux
cartaphilus
cartaphilus
Brownie2019
    • Like
New Update Avast One Basic It’s free
Replies
1
Views
365
Avast
Bot
Bot
D
    • Like
    • +Reputation
    • Love
For additional security/privacy: "MajorPrivacy" (upgraded from "PrivateWin10")
Replies
23
Views
1,843
System utilities
Digmor Crusher
Digmor Crusher

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top