If you block an .exe file in Windows Firewall, are you also blocking the .dll files it uses, or does it need to be done separately?

6

1

Let's consider this scenario:

  • There's some X software downloaded from the internet with one .exe file and several .dll files.
  • The .exe file is prevented from accessing the Internet by using Windows Firewall.
  • One of the program's .dll files is infected by malware.

By blocking the .exe file, is the executable code it calls from the .dll files also blocked? Or should I manually block every single file that looks like it has executable content? More generally, how does Windows Firewall work in cases like these?

Thanks!

s_a

Posted 2014-03-29T15:18:11.960

Reputation: 1 710

1 good question, buddy – kmonsoor – 2014-03-29T15:25:42.257

Is this an actual problem you have or entirely a "what if" question? – Ramhound – 2014-03-29T15:39:43.900

Actual problem; malware usually disguises itself in .dll files and not the main executable. Do a Google search for ".dll site:virustotal.com". Tons of cases.

In particular I'm asking because the latest time I came across this I needed to use some abandoned freeware tool even if, as it appears to be, it was being served by its website infected: VirusTotal said one .dll had malware (not unanimously). I have a machine I don't care about being infected that I can run that tool on, but I don't want the malware talking to its creator.

But I'd also like to know how Windows Firewall works in general – s_a – 2014-03-29T15:50:09.617

I don't think it would block the .dlls. A lot of applications use shared libraries in Windows, even viruses, so blocking any .dlls the virus references would cause problems (and how would Windows firewall know what to block right off the bat also?). Windows firewall most likely just blocks the activity from the .exe specified. – MaQleod – 2014-03-29T17:44:30.287

Answers

1

When Windows runs an executable, it may import some .DLL's. It may also import .DLL's later.

When you block an executable, you prevent it from importing any .DLL's that it would normally import.

HOWEVER, you do NOT prevent other applications from importing those .DLL's.

Some applications come with their own .DLL's, some install shared .DLLs, and Windows has a plethora of .DLLs it makes available to any .exe as part of the Windows API.

Also, it is possible for a .DLL to practically be an executable and invocable with rundll32.exe or through some other mechanism of the Windows API.

If you are whitelisting .exe's, you should whitelist .DLL's as well.

LawrenceC

Posted 2014-03-29T15:18:11.960

Reputation: 63 487

One question, when you say "when you block an executable, you prevent it from importing any .DLL's that it would normally import", are you talking about Windows Firewall? I don't understand how blocking internet connections would cause a .DLL not to be imported. Shouldn't that render most programs unable to work? I'm talking about the equivalent to the "Allow X program to communicate on these networks" dialog: http://static.arstechnica.com/7000_7100_windows_firewall2.png

– s_a – 2014-03-31T23:36:59.610

I wasn't specifically talking about Windows Firewall, sorry. When an .exe imports a .dll, it's still the same .exe, so for anything that works on the process or application level, i.e. Windows Firewall, blocking the .exe should be enough to ensure any .dll's it would import would be blocked as well. – LawrenceC – 2014-04-01T01:36:59.320
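
An added example, not part of the thread: a PowerShell sketch (NetSecurity cmdlets, Windows 8 / Server 2012 or later, elevated prompt) that blocks the process image, confirms which program path the rules are bound to, and then looks for other host processes such as rundll32.exe that reference the same folder and are therefore not covered by those rules. The folder `C:\Tools\XSoftware`, the name `x.exe` and the rule names are placeholders.

```powershell
#Requires -RunAsAdministrator
# Placeholders (assumptions, not from the thread): folder, exe name, rule names.
$AppDir = 'C:\Tools\XSoftware'
$Exe    = Join-Path $AppDir 'x.exe'

# 1. Block both directions for the process image. Program rules match on the
#    executable path of the process, so traffic generated by code in any DLL
#    loaded into x.exe falls under these rules.
foreach ($dir in 'Outbound', 'Inbound') {
    New-NetFirewallRule -DisplayName "Block X ($dir)" -Direction $dir `
        -Program $Exe -Action Block -Profile Any | Out-Null
}

# 2. Show the program path each rule is actually bound to.
Get-NetFirewallRule -DisplayName 'Block X*' | ForEach-Object {
    [pscustomobject]@{
        Rule      = $_.DisplayName
        Direction = $_.Direction
        Action    = $_.Action
        Program   = ($_ | Get-NetFirewallApplicationFilter).Program
    }
} | Format-Table -AutoSize

# 3. The rules above do not follow the DLL into a different host process.
#    List processes other than x.exe whose command line references the folder
#    (for example: rundll32.exe C:\Tools\XSoftware\some.dll,EntryPoint).
$otherHosts = Get-CimInstance Win32_Process | Where-Object {
    $_.CommandLine -like "*$AppDir*" -and $_.ExecutablePath -ne $Exe
}

# 4. Show TCP connections owned by those hosts; each such executable needs its
#    own rule (or should not be running at all).
foreach ($proc in $otherHosts) {
    Get-NetTCPConnection -OwningProcess $proc.ProcessId -ErrorAction SilentlyContinue |
        Select-Object @{ n = 'HostProcess'; e = { $proc.ExecutablePath } },
                      RemoteAddress, RemotePort, State
}
```

Remove the rules afterwards with `Remove-NetFirewallRule -DisplayName 'Block X*'`.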

0

The libraries are shared, as they are dynamically linked. If this was the case, blocking an application might actually cause issues with other parts of the system. You are simply blocking the executable itself from being run, and thus any malicious code from that vector point.

Vaughan Hilts

Posted 2014-03-29T15:18:11.960

Reputation: 67

-1

I use a program called Folder Firewall Blocker, it blocks dll's and exe's. You can pull up what it blocked in the default windows firewall advanced security window, blocks inbound and outbound, you can always delete the rules/dll's/exe's that you're not too concerned about.

guest

Posted 2014-03-29T15:18:11.960

Reputation: 1

-1

YES!

The .dll files are just a set of functions that need to be called by an .exe to work.

max789

Posted 2014-03-29T15:18:11.960

Reputation: 1

1 Could you please elaborate or provide a link? Thanks a lot for answering! – s_a – 2014-03-29T15:30:03.353