NoVirusThanks OSArmor

paulderdash

Level 6
Verified
Well-known
Apr 28, 2015
271
Been playing around with OSArmor. Interesting software. Gotta say I'm not a fan of the need to manually enter data for exclusions, it would be nice if I could just right-click on some sort of blocked process log and create excepts with a couple clicks. I wouldn't think that would be hard to implement, and don't see a benefit in copy/pasting line by line.
I'm not sure exactly what you mean, but one can 'Add to exclusions' directly from a block alert.
The logs are there in text format, perhaps they can devise a simple way of transferring an event from there to exclusions.
 

blackice

Level 38
Verified
Top Poster
Well-known
Apr 1, 2019
2,731
@NoVirusThanks

Got an interesting block this morning out of the blue, no new software has been installed in about a week:

Date/Time: 5/3/2021 10:26:35 AM
Process: [16776]C:\Windows\System32\rundll32.exe
Process MD5 Hash: EF3179D498793BF4234F708D3BE28633
Parent: [12664]C:\Windows\System32\dllhost.exe
Rule: BlockLOLBinsAndOtherSophisticatedAttacks
Rule Name: Block LOLBins and other sophisticated attacks
Command Line: "C:\WINDOWS\system32\rundll32.exe" -localserver 22d8c27b-47a1-48d1-ad08-7da7abd79617
Signer: <NULL>
Parent Signer: Microsoft Windows
User/Domain: SYSTEM/NT AUTHORITY
System File: True
Parent System File: True
Integrity Level: Medium
Parent Integrity Level: System
 

blackice

Level 38
Verified
Top Poster
Well-known
Apr 1, 2019
2,731
@NoVirusThanks

Got an interesting block this morning out of the blue, no new software has been installed in about a week:

Date/Time: 5/3/2021 10:26:35 AM
Process: [16776]C:\Windows\System32\rundll32.exe
Process MD5 Hash: EF3179D498793BF4234F708D3BE28633
Parent: [12664]C:\Windows\System32\dllhost.exe
Rule: BlockLOLBinsAndOtherSophisticatedAttacks
Rule Name: Block LOLBins and other sophisticated attacks
Command Line: "C:\WINDOWS\system32\rundll32.exe" -localserver 22d8c27b-47a1-48d1-ad08-7da7abd79617
Signer: <NULL>
Parent Signer: Microsoft Windows
User/Domain: SYSTEM/NT AUTHORITY
System File: True
Parent System File: True
Integrity Level: Medium
Parent Integrity Level: System
Actually I got a second identical one of these blocks last night. Just was checking the logs to look at this again. Very odd, may retrace my steps of what I may have had running.
 

itman71

New Member
Nov 18, 2019
8
Actually I got a second identical one of these blocks last night. Just was checking the logs to look at this again. Very odd, may retrace my steps of what I may have had running.
Here's a thread on the behavior: What is this RunDll32 instance running? . One of the triggers for it as I noted is:
I saw this process on Windows 10, processing User Tiles - more commonly known as User Account Pictures. Possibly it is used to process other types of untrusted user data; I don't know.
Also appears youtube video playing in certain instances can trigger it.

Really looks like a OSA FP to me and it should probably be excluded.
 

blackice

Level 38
Verified
Top Poster
Well-known
Apr 1, 2019
2,731
Here's a thread on the behavior: What is this RunDll32 instance running? . One of the triggers for it as I noted is:

Also appears youtube video playing in certain instances can trigger it.

Really looks like a OSA FP to me and it should probably be excluded.
I was changing a bunch of accounts to a different email address, including my M$ account. I bet that’s what triggered it.
 
Last edited:

itman71

New Member
Nov 18, 2019
8
I have an idea why OSA is triggering on execution of C:\WINDOWS\system32\rundll32.exe" -localserver 22d8c27b-47a1-48d1-ad08-7da7abd79617.

This is actually Windows Shell Experience Host and it is a "darling" of malware developers. I also believe a recent Win 10 update or the like may have borked how this process runs. It normally runs at Win startup time and then shortly is suspended. What I have recently observed is that this process was not running after system startup. It appears that anything that requires Windows Shell Experience Host use will cause the suspended instance to start and execute. When OSA detects a stand-alone instance of Windows Shell Experience Host attempting to start and execute, it detects it as malicious.

I have been also having recent issues with Win Store abnormally terminating shortly after Win 10 startup. It also might be somehow related to this. Yesterday, I ran wsreset.exe to attempt to fix the Win Store issue. It stopped the unexpended abending of it but it appeared a portion was still borked as evidenced by lack of any update connections from it.

This morning at first system startup time, I was greeted with a black screen. Hit the case power button to force a cold boot. This time system booted fine, Windows Shell Experience Host started and suspended as expected, and Win Store now shows update connections. Go figure ......................
 

itman71

New Member
Nov 18, 2019
8
An update on OSA is triggering on execution of C:\WINDOWS\system32\rundll32.exe" -localserver 22d8c27b-47a1-48d1-ad08-7da7abd79617.

I can now update my Win 10 lock screen picture w/o OSA triggering the above. So as far as I am concerned, this was related to something "hosed" in regards to Windows Shell Experience Host.
 

Kongo

Level 35
Verified
Top Poster
Well-known
Feb 25, 2017
2,479
Latest test in the Hub with Sophos also shows that rundll32 can be abused by malware. Thats why OSA and FirewallHardening by Andy have it in the LOLBin rules.

Dynamic 2.png
 

blackice

Level 38
Verified
Top Poster
Well-known
Apr 1, 2019
2,731
What was triggering this rundll32 activity was O&O Shutup10 Win 10 SpotLight blocking setting. That has to be disabled when changing your lockscreen pic. to avoid the rundll32 activity.
I don’t use Shutup10 so I’m fairly certain mine was related to the change of my email address for my M$ account since it occurred a few minutes after I changed it online, probably when it synced, and then once later after rebooting and logging in the first time after the change. Nothing in the logs since.
 
  • Like
Reactions: Nevi and Cortex

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top