3 Replies Latest reply on Feb 26, 2009 2:03 PM by Grif

    Exception for rundll32.exe

    bhamill
      Running VirusScan 8.5.0i, Access Protection set to "Common Maximum Protection." Very few exceptions added so far. But I've found that garden-variety WinXP users cannot add new network printers. Even yours truly as a local administrator can't add a new printer; error message is "The server for the (name of printer) does not have the correct driver installed. If you want to search for the driver, click OK. Otherwise click Cancel and contact your network administrator or OEM for the correct printer driver."

      Of course, the server has the right driver, I've checked it myself. The relevant lines from the Access Protection log say:

      2/23/2009 2:31:07 PM Blocked by Access Protection rule NT AUTHORITY\SYSTEM C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\New\PCL5ERES.DLL Common Maximum Protection:Prevent creation of new executable files in the Windows folder Action blocked : Create

      2/23/2009 2:31:10 PM Blocked by Access Protection rule NT AUTHORITY\SYSTEM C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\System32\spool\DRIVERS\W32X86\5044088\PCL5ERES.DLL Common Maximum Protection:Prevent creation of new executable files in the Windows folder Action blocked : Create


      So, if I understand this right, I need to push out an exception allowing spoolsv.exe and rundll32 to create new executable files in the Windows folder. But is that a good idea? Maybe spoolsv won't cause much trouble, but wouldn't allowing rundll32 to create files open up a security hole that virus/spyware could exploit?
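As an added example (not part of the thread), a short Python script that parses Access Protection log lines in the format quoted above and works out, for each blocked process, the narrowest directory that covers everything it tried to create. The two log lines are constructed from the post, and the regex assumes paths without spaces, as in those lines.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Two Access Protection log lines, constructed here in the format quoted in the
# post (paths in these lines contain no spaces; the regex below assumes that).
SAMPLE_LOG = r"""
2/23/2009 2:31:07 PM Blocked by Access Protection rule NT AUTHORITY\SYSTEM C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\New\PCL5ERES.DLL Common Maximum Protection:Prevent creation of new executable files in the Windows folder Action blocked : Create
2/23/2009 2:31:10 PM Blocked by Access Protection rule NT AUTHORITY\SYSTEM C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\System32\spool\DRIVERS\W32X86\5044088\PCL5ERES.DLL Common Maximum Protection:Prevent creation of new executable files in the Windows folder Action blocked : Create
"""

# Field layout: timestamp, fixed text, user (may contain a space), process path,
# target path, rule name (contains spaces), then "Action blocked : <verb>".
LINE_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) "
    r"Blocked by Access Protection rule (?P<user>.+?) "
    r"(?P<process>[A-Za-z]:\\\S+) (?P<target>[A-Za-z]:\\\S+) "
    r"(?P<rule>.+?) Action blocked : (?P<action>\w+)$"
)


def parse_events(text):
    """Return one dict per log line that matches the blocked-action format."""
    return [m.groupdict() for line in text.splitlines()
            if (m := LINE_RE.match(line.strip()))]


def common_parent(paths):
    """Deepest directory shared by all given Windows paths (case-insensitive)."""
    prefix = []
    for level in zip(*(PureWindowsPath(p).parts for p in paths)):
        if len({part.lower() for part in level}) != 1:
            break
        prefix.append(level[0])
    return str(PureWindowsPath(*prefix)) if prefix else ""


def narrowest_scope(events):
    """For each blocked process, the narrowest directory covering every target
    it tried to create. An exception limited to that process *and* that
    directory is far smaller than one letting the process write anywhere."""
    targets = defaultdict(list)
    for e in events:
        proc = PureWindowsPath(e["process"]).name.lower()
        targets[proc].append(str(PureWindowsPath(e["target"]).parent))
    return {proc: common_parent(dirs) for proc, dirs in targets.items()}


if __name__ == "__main__":
    for proc, scope in narrowest_scope(parse_events(SAMPLE_LOG)).items():
        print(f"{proc}: blocked creating files under {scope}")
```

Run against a real log export, the per-process scope shows whether rundll32.exe only ever needed the spool driver staging directory, which is a much smaller exception than letting it create executables anywhere under Windows.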
        • 1. RE: Exception for rundll32.exe
          Your settings are different from mine.. Mine are set at default and the "Common Maximum Protection" settings only have ONE option CHECKED and even that is set to "Report" not "Block".. My only box checked is the "Prevent Launching of files from Downloaded Program Files". Maybe you need to loosen up some of your settings in that area.. UNCHECK ALL boxes EXCEPT the one I mentioned..

          With the "Prevent creation of new executable files in the Windows folder", you won't be able to add much of anything to the computer.

          It's your choice here but you're setting the computer so nothing will run effectively..

          Hope this helps.

          Grif
          • 2. well, yes, but...
            bhamill
            I know I could "fix" this by going back to the default options, but I have to wonder: what's the point of just monitoring those actions? I could monitor everything, block nothing, and then I would have paid for protection I'm not using. Some bozo user clicks on a link on a website and suddenly gets spyware installed; I'll get notified, and maybe get to that system in time to minimize damage, but I'd like to prevent damage before it happens. Doesn't make sense to me to do otherwise.

            Thanks for your reply, Grif. I guess I'd just like McAfee and/or Microsoft to do a better job of this; it's a very common task for users, and it shouldn't violate access protection, but it does. Grrrrr.
            • 3. RE: well, yes, but...
              Well, I guess I disagree.. You've done exactly what you want it to do. YOU have created the parameters which are causing the issue. You've changed the settings of McAfee so it prevents anything from functioning correctly. It's not McAfee that created the situation.. YOU have decided to change the default settings to something which is more strict. Issues are bound to pop up when you CHOOSE to make alterations. If you want it to function more normally, then change it to your preference..

              It's called "Common MAXIMUM Protection" for a reason.. Usually, such settings are used for those computers which are intended to be locked down for instructional uses where the admin wants the user to have NO access to the computer other than specific modules on the machine. Although the option is available in "Access Protection", in normal situations, I've never heard of anyone locking down the Windows folder so new executables cannot be created. It prevents almost anything from functioning normally, such as certain types of Windows Updates (which replace/create new executables frequently); it clearly stops printer drivers from being installed, and many other items as well.

              It's your choice as how McAfee behaves.. Make it so.

              Hope this helps.

              Grif