Let's consider this scenario:
- There's some X software downloaded from the internet with one .exe file and several .dll files.
- The .exe file is prevented from accessing the Internet by using Windows Firewall.
- One of the program's .dll files is infected by malware.
By blocking the .exe file, is the executable code it calls from the .dll files also blocked? Or should I manually block every single file that looks like it has executable content? More generally, how does Windows Firewall work in cases like theses?
Thanks!
44 Answers
When Windows runs an executable, it may import some .DLL's. It may also import .DLL's later.
When you block an executable, you prevent it from importing any .DLL's that it would normally import.
HOWEVER, you do NOT prevent other applications from importing those .DLL's.
Some applications come with their own .DLL's, some instal shared .DLLs, and Windows has a plethora of .DLLs it makes available to any .exe as part of the Windows API.
Also, it is possible for a .DLL to practically be an executable and invokeable with rundll32.exe or through some other mechanism of the Windows API.
If you are whitelisting .exe's, you should whitelist .DLL's as well.
2The libraries are shared, as they are dynamically linked. If this was the case, blocking an application might actually cause issues with other parts of the system. You are simply blocking the executable itself from being run, and thus any malicious code from that vector point.
YES!
The .dll files are just a set of functions that need to be called by an .exe to work.
1I use a program called Folder Firewall Blocker, it blocks dll's and exe's. You can pull up what it blocked in the default windows firewall advanced security window, blocks inbound and outbound, you can always delete the rules/dll's/exe's that you're not too concerned about.