Firewall Rules automatically created for rundll32?

NIS 2010 17.8.0.5

Vista Home Premium 32bit with Vista SP 2

Single Desktop computer connected to DSL modem

 

Not looking at logs daily, but did notice this entry yesterday (actually two entries) and raising a little concern for me

 

Firewall rules were automatically created for Windows host process (Rundll32)

one entry indicated outbound TCP and the other outbound UDP

The "rule" did not indicate where it was connecting to, like what web address, nor did it indicate what dll item was being run

would this instance of rundll32 accessing the internet be related to the 2 instances of rundll32.exe I show in task manager?

When I open task manager, under the process tab, it shows two instances of

rundll32.exe

Under user name, one has "my-PC" and then the other shows user name as "system"

I checked the command line and this is what I see for each

rundll32.exe    SYSTEM

C:\Windows\System32\rundll32.exe C:\Windows\system32\NVSVC.DLL,nvsvcInitialize

rundll32.exe   MY-PC

C:\Windows\System32\rundll32.exe C:\Windows\system32\NvMcTray.dll,NvTaskbarInit

So as I ask,

1. Would the instances of rundll32.exe accessing the internet be one of these two rundll32.exe entries?

2. Or COULD another rundll32.exe have been created ? 

 

3.Why was it accessing the internet? 

 

4. Was some other dll item accessing the internet?

 

5. How could I tell if it was a malicious dll item?

Hi Calls,

 

This is perfectly normal and shows up in my history logs as well. Rundll is used by other services and programs on your computer. In and of itself rundll would not need to access the internet but other programs which utilize rundll might well require internet access.

 

As we have mentioned before I think you are delving into cryptic Historical entries which will only serve to cause you undue concern.

 

If NIS reports everything is secure and you are not having "actual" problems you would do yourself a good service by not asking for concern by digging so deep into the history log.

 

Hope this helps.

 

Best wishes.

Allen

Some things, like W32time, if I remember correctly, require rundll to allow them access to the net to perform their function. In this case, time synch. It is the path that is important.

Hi calls,

 

What are the odds? I happened to find an online article that explains rundll32 and illustrates the concept with screenshots of the same two Nvidia files that you mention! If Norton is allowing the internet communication, then it is not malicious. The questions that you pose can certainly be researched online if you are interested in how things work. But the whole point of the Norton Smart Firewall is that you do not have to have answers to these questions in order to be safe, because the firewall is making the decisions for you based on information that most users would not be expected to know. To get answers about the nature of the internet access requests you might put your questions to Nvidia, as they would be more knowledgeable about the need for online access for their products.

 

http://www.howtogeek.com/howto/windows-vista/what-is-rundll32exe-and-why-is-it-running/

Hi Calls,

 

Really though, the point is to let NIS do its job and not look for trouble in the history logs. NIS will alert you if there is a problem. :smileywink:

 

Best wishes.

Allen

Thanks all.

For those who remember back before I installed NIS 2010, I was concerned about setting firewall rules etc etc

I have to say now that I really don't mess with it. Look at it, Yes. But mess with it, no.


Still have a little bit o'question if all don't mind

 

But just out of curiosity, when there is an entry that says

Firewall rules were automatically created for Windows host process (Rundll32)

 

1. Is that one of the two rundll32.exe that show in my Windows Task Manager?

 

2.Is it running one of the noted items (as I indicated in OP)?

 

3. Or is it another instance of rundll32.exe created to run something else?

 

4. So if it is another instance of rundll32.exe, then how does one find out what was run?


Firewall rules are more general than what you are imagining.  Because Microsoft chose to have many, many applications and services run by .dll's, one firewall rule can allow any number of instances of rundll.  In Win 7 that chore seems to be taken by svchost.

 

The link provided by SendOfJive is a very good explanation, and amazingly enough deals with the same files you are curious about.

 

Read it thoroughly.

Actually, the files are cool. Not worried about those.

More curious as to what dll was being run when the firewall rule was created for rundll32.exe

As I said there are 2 instances of rundll32.exe in my Windows Task Manager. My understanding is that is common.


1.But when the firewall log indicated firewall rules created for rundll32.exe, was it referring to one of the two instances that show in task manager?

 

2. Would a 3rd instance of rundll32.exe run and then stop?

 

3. Lastly, how could I see what dll was run on that particular instance that created a firewall rule?

 

Just don't want something malicious, some malicious dll being run.

1.  Not necessarily.  Firewall rule was created to allow rundll to run any dll it needs.  You happened to notice those.  Without the firewall rule they would not be there at all, but the system could have required the rule to run any dll.  You are likely to find dll's in the taskmanager any time. 

 

2. As I understand it, there should be two instances, one for user and one for system, as the link to How-to-Geek clearly shows. Either instance can run multiple .dll's. There may only be two visible instances of rundll32, but you have to see what it is running.

 

3.  You can't.  There might be something in event viewer for that time period, otherwise, it is a Windows use of rundll32, not Norton.  Norton does not log what rundll does.

 

4.  As long as it is running from Windows\System32 it is not a threat.  If it is running from somewhere else, it is.
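The check the thread arrives at (read the command line of each rundll32.exe, see which DLL and entry point it was given, and confirm both rundll32 and the DLL live under Windows\System32) can be done for all running instances at once. This is an added example, not code from the thread or from Norton; the function and column names are mine, and it assumes an elevated PowerShell prompt so that SYSTEM-owned instances such as the NVSVC.DLL one expose their command line.

```powershell
# Added example: enumerate running rundll32.exe instances, parse the DLL and entry
# point from each command line, and flag any image or DLL outside the system dirs.
# Get-WmiObject is used so this also runs on the Vista-era PowerShell 2.0.

$systemDirs = @((Join-Path $env:windir 'System32'), (Join-Path $env:windir 'SysWOW64'))

function Test-UnderSystemDir {
    param([string]$Path)
    if (-not $Path) { return $false }
    foreach ($dir in $systemDirs) {
        if ($Path.StartsWith($dir, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

function Get-Rundll32Report {
    Get-WmiObject Win32_Process -Filter "Name = 'rundll32.exe'" | ForEach-Object {
        # Command line shape: <path>\rundll32.exe <dll>[,<entrypoint>] [args]
        # Drop the (possibly quoted) executable token, then parse the DLL token.
        $rest = $_.CommandLine -replace '^\s*("[^"]*"|\S+)\s*', ''
        $dllPath = $null; $entry = $null
        if ($rest -match '^"([^"]+)"(?:,(\S*))?' -or $rest -match '^([^\s,]+)(?:,(\S*))?') {
            $dllPath = $matches[1]; $entry = $matches[2]
        }
        # A bare file name is located by the loader search order; assume System32 for the check.
        if ($dllPath -and -not [System.IO.Path]::IsPathRooted($dllPath)) {
            $dllPath = Join-Path $systemDirs[0] $dllPath
        }
        $owner = $_.GetOwner()
        $user = if ($owner.ReturnValue -eq 0) { "$($owner.Domain)\$($owner.User)" } else { '?' }
        $dllExists = if ($dllPath) { Test-Path -LiteralPath $dllPath } else { $false }
        New-Object PSObject -Property @{
            PID        = $_.ProcessId
            ParentPID  = $_.ParentProcessId
            User       = $user
            Image      = $_.ExecutablePath
            Dll        = $dllPath
            EntryPoint = $entry
            ImageInSys = Test-UnderSystemDir $_.ExecutablePath   # rundll32 itself from System32?
            DllInSys   = Test-UnderSystemDir $dllPath            # the DLL it was asked to run?
            DllExists  = $dllExists
        }
    } | Select-Object PID, ParentPID, User, Image, Dll, EntryPoint, ImageInSys, DllInSys, DllExists
}

Get-Rundll32Report | Format-Table -AutoSize
```

This only reports instances alive when it runs, so a short-lived third instance that triggered the firewall rule and then exited will not appear, which is why the answer above says the firewall log alone cannot tell you which DLL it was.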