restrict file extensions of rundll32.exe - it's being used as a vector for virus execution
Hello, I would like to know if there is a way to restrict which file extensions can be executed by rundll32.exe. Problem: I began to find viruses here in Brazil that use rundll32.exe to be launched. They do that to avoid virus scanners that are looking at file extensions. For example: I found viruses with .vmx, .x, .tr, .hhk, etc. (random) that were executed with rundll32.exe. I opened the files in a hex editor and confirmed that they were indeed .exe files (the exe header was found). It is quite common for AVs to skip non-executable files in order to avoid scanning data files, such as those of an ERP system. If I could restrict rundll32 to run only the well-known executable types such as DLL, CPL and EXE, those would be scanned by the AV and the virus would be found. Thanks.
November 24th, 2010 1:44pm

To prevent unwanted software and trojans/viruses from running, you should configure Software Restriction Policies. This part of computer policy is able to whitelist "legal" software and prevent anything else from running, including rundll calls and renamed executables.

Launch GPEDIT.MSC, go to Computer Configuration -> Windows Settings -> Security Settings. Right-click Software Restriction Policies -> Create New Policies.

Open the Security Levels container and assign the Disallowed level as the default for all executables.

Double-click Enforcement and make sure "All software files" is applied and "All users" are protected, including Administrators.

Double-click Designated File Types and remove the LNK extension from the list to allow shortcuts to be run. (However, the exe files that the shortcuts target are still analyzed by SRP.)

Open the Additional Rules container. By default, all programs from within the Windows and Program Files folders are permitted to run. Add more paths like D:\Databases or \\Server\Data\POSDatabase\ or even executable hashes (even more secure!) to be Unrestricted.

Create two reg files and copy them to the Windows folder:

SRP_Disable.reg
    Windows Registry Editor Version 5.00
    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers]
    "DefaultLevel"=dword:00040000

SRP_Enable.reg
    Windows Registry Editor Version 5.00
    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers]
    "DefaultLevel"=dword:00000000

Create shortcuts on your desktop to these reg files. You will use them when installing software or to troubleshoot the system.

Also, configure the following policy to make sure it is enforced every 90 minutes: Computer Configuration -> Administrative Templates -> System -> Group Policy. Enable the "Registry Policy Processing" option and check "Process even if the Group Policy objects have not changed."

MCITP: Enterprise Administrator; MCT; Microsoft Security Trusted Advisor
November 24th, 2010 3:57pm
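The answer above walks through the GPEDIT dialogs. As an added example (not part of the original thread, not the answerer's code), the script below sets the same Software Restriction Policy values directly in the registry key that the answer's SRP_Enable.reg / SRP_Disable.reg already write to, so you can see which setting corresponds to which dialog and audit a machine afterwards. The security-relevant detail it makes explicit: rundll32.exe itself lives under %SystemRoot% and is therefore always allowed by the default path rule, so the renamed payload it loads is only checked if enforcement covers "All software files" (TransparentEnabled = 2), not just the designated extensions. The D:\Databases and \\Server\Data\POSDatabase\ paths are the answer's examples and are assumptions about your layout; the designated-types list is the Windows default minus LNK, so compare it with what your version shows under Designated File Types. Run elevated.

```powershell
# Added example: configure SRP through the registry key the answer's .reg files use.
# Not code from the original thread. Requires an elevated PowerShell session.

$Safer = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# Security levels: stored in DefaultLevel and also used as the rule-container subkey name
$Disallowed   = 0x00000000   # the answer's SRP_Enable.reg value
$Unrestricted = 0x00040000   # the answer's SRP_Disable.reg value (262144 decimal)

function Add-SrpPathRule {
    # Equivalent of "New Path Rule" under Additional Rules. Returns the created key path.
    param(
        [Parameter(Mandatory)][string]$Path,
        [int]$Level = $Unrestricted,
        [string]$Description = ''
    )
    $guid = [guid]::NewGuid().ToString('B').ToUpper()        # SRP names rules {GUID}
    $key  = '{0}\{1}\Paths\{2}' -f $Safer, $Level, $guid
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name ItemData     -Value $Path -Type ExpandString
    Set-ItemProperty -Path $key -Name SaferFlags   -Value 0     -Type DWord
    Set-ItemProperty -Path $key -Name Description  -Value $Description -Type String
    Set-ItemProperty -Path $key -Name LastModified -Value ([datetime]::UtcNow.ToFileTimeUtc()) -Type QWord
    return $key
}

function Set-SrpBaseline {
    # Mirrors the answer's dialog settings: default Disallowed, all software files,
    # all users including administrators, LNK dropped from designated types.
    New-Item -Path $Safer -Force | Out-Null
    Set-ItemProperty -Path $Safer -Name DefaultLevel -Value $Disallowed -Type DWord
    # 2 = "All software files": DLLs loaded by an allowed host such as rundll32.exe are
    # checked too. 1 = "All software files except libraries", which would let the
    # renamed payload through because the host binary is trusted by path.
    Set-ItemProperty -Path $Safer -Name TransparentEnabled -Value 2 -Type DWord
    # 0 = all users; 1 = all users except local administrators.
    Set-ItemProperty -Path $Safer -Name PolicyScope -Value 0 -Type DWord
    # Assumed default Designated File Types list (verify against your GPEDIT dialog), LNK removed.
    $types = 'ADE','ADP','BAS','BAT','CHM','CMD','COM','CPL','CRT','EXE','HLP','HTA',
             'INF','INS','ISP','MDB','MDE','MSC','MSI','MSP','MST','OCX','PCD','PIF',
             'REG','SCR','SHS','URL','VB','WSC'
    Set-ItemProperty -Path $Safer -Name ExecutableTypes -Value $types -Type MultiString
    # The two rules GPEDIT creates by default (Windows and Program Files), written in the
    # registry-path form SRP resolves at evaluation time.
    Add-SrpPathRule -Path '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%' -Description 'Default: Windows' | Out-Null
    Add-SrpPathRule -Path '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%' -Description 'Default: Program Files' | Out-Null
}

function Set-SrpDefaultLevel {
    # The same toggle as the answer's SRP_Enable.reg / SRP_Disable.reg shortcuts.
    param([Parameter(Mandatory)][ValidateSet('Disallowed','Unrestricted')][string]$Level)
    $value = if ($Level -eq 'Disallowed') { $Disallowed } else { $Unrestricted }
    Set-ItemProperty -Path $Safer -Name DefaultLevel -Value $value -Type DWord
}

function Get-SrpState {
    # Read back the effective configuration so you can confirm the three settings
    # that matter for the rundll32 case before trusting the policy.
    $p = Get-ItemProperty -Path $Safer
    [pscustomobject]@{
        DefaultLevel      = if ($p.DefaultLevel -eq $Disallowed) { 'Disallowed' } else { 'Unrestricted' }
        AllSoftwareFiles  = ($p.TransparentEnabled -eq 2)
        IncludesAdmins    = ($p.PolicyScope -eq 0)
        LnkDesignated     = ($p.ExecutableTypes -contains 'LNK')
        UnrestrictedPaths = @(Get-ChildItem -Path "$Safer\$Unrestricted\Paths" -ErrorAction SilentlyContinue |
                              ForEach-Object { (Get-ItemProperty -Path $_.PSPath).ItemData })
    }
}

# Usage (assumed site-specific paths taken from the answer):
Set-SrpBaseline
Add-SrpPathRule -Path 'D:\Databases'                 -Description 'ERP data'  | Out-Null
Add-SrpPathRule -Path '\\Server\Data\POSDatabase\'   -Description 'POS data'  | Out-Null
Get-SrpState | Format-List
```

Two practical notes. First, if the same policy is also defined in Local Group Policy (as the answer configures through GPEDIT), the 90-minute refresh the answer enables rewrites these values, which is exactly how the answer re-arms the policy after someone uses SRP_Disable.reg; writing the registry directly is fine for auditing and for a temporary toggle, but the GPO is the source of truth. Second, a path rule on D:\Databases allows any file under that tree to execute, so if users can write there, prefer a hash rule for the specific ERP binaries as the answer suggests, and check with Get-SrpState that AllSoftwareFiles is True, since without it the renamed payload loaded by rundll32.exe is never evaluated.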

Thank you for the reply, it worked. :)
November 24th, 2010 7:38pm
