How do you block Regsvr32.exe/Regsvr64.exe using windows firewall?


  1. Posts : 1,167
    W10 32 bit, XUbuntu 18.xx 64 bit
       #1

    How do you block Regsvr32.exe/Regsvr64.exe using windows firewall?


    You can run any app on Windows machines by exploiting this security flaw (website)


    How do you block Regsvr32.exe/Regsvr64.exe using windows firewall?

    I figured out how to create a custom rule to block it. My question is, do you create rules for both inbound & outbound connections?

    If it exists, where is Regsvr64.exe located on Windows 7, 8, or 10?





  2. Posts : 4,776
    Microsoft Windows 7 Home Premium 64-bit 7601 Multiprocessor Free Service Pack 1
       #2

    I don't use Windows Firewall so I don't know how to use it.

    RE: regsvr64.exe - I don't see it on my 64bit machine.

    VoodooShield blocks regsvr32 by default and there's no option to block regsvr64 so I guess that it doesn't exist.

    [Attached image: voodooshield-settings.jpg]

    EDIT:

    Found these paths to block:

    Block %systemroot%\System32\regsvr32.exe and %systemroot%\SysWoW64\regsvr32.exe from network access

    Note: SysWoW64\regsvr32.exe on a 64bit machine.

    Maybe someone who uses Windows Firewall can post the solution?
    Last edited by Callender; 25 Apr 2016 at 12:03. Reason: add info


  3. Posts : 4,776
    Microsoft Windows 7 Home Premium 64-bit 7601 Multiprocessor Free Service Pack 1
       #3

    Okay it looks like only outbound connections need to be blocked as the exploit will attempt to connect to a URL.

    The PowerShell command to create a new rule should be:

    New-NetFirewallRule -DisplayName "Block Regsvr32" -Program "%SystemRoot%\System32\regsvr32.exe" -Direction Outbound -Action Block

    and for 64bit:

    New-NetFirewallRule -DisplayName "Block Regsvr32" -Program "%SystemRoot%\SysWOW64\regsvr32.exe" -Direction Outbound -Action Block

    [Attached image: administrator_-elevated-command-prompt-powershell.jpg]

    If you plan on upgrading to Windows 10 you'll need to use full paths:

    "C:\Windows\System32" and "C:\Windows\SysWow64" instead of "%SystemRoot%\System32\" and "%SystemRoot%\SysWOW64\"
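As an added example (not from the thread or any poster), here is a script that creates the outbound block rules above for both regsvr32.exe copies without duplicating rules on re-runs, and then lists the program path each rule actually matches so the result can be checked; the rule display names are my own choice.

```powershell
# Added example: idempotently block outbound traffic from both regsvr32.exe copies
# and verify the resulting rules. Run from an elevated PowerShell prompt; needs the
# NetSecurity module (Windows 8 / Server 2012 and later).
#Requires -RunAsAdministrator

$targets = @(
    @{ Name = 'Block regsvr32 outbound (System32)'; Path = Join-Path $env:SystemRoot 'System32\regsvr32.exe' },
    @{ Name = 'Block regsvr32 outbound (SysWOW64)'; Path = Join-Path $env:SystemRoot 'SysWOW64\regsvr32.exe' }
)

foreach ($t in $targets) {
    # SysWOW64 exists only on 64-bit Windows; skip a path that is not present.
    if (-not (Test-Path -LiteralPath $t.Path)) {
        Write-Warning "Not found, skipping: $($t.Path)"
        continue
    }
    # Idempotent: do not create a second rule with the same display name.
    $existing = Get-NetFirewallRule -DisplayName $t.Name -ErrorAction SilentlyContinue
    if ($existing) {
        Write-Host "Rule already present: $($t.Name)"
        continue
    }
    New-NetFirewallRule -DisplayName $t.Name `
        -Description 'Block outbound network access from regsvr32.exe (defensive hardening)' `
        -Program $t.Path -Direction Outbound -Action Block -Profile Any -Enabled True | Out-Null
    Write-Host "Created rule: $($t.Name)"
}

# Verification: show the program filter bound to each rule so the resolved
# path, direction and action can be confirmed.
Get-NetFirewallRule -DisplayName 'Block regsvr32 outbound*' |
    ForEach-Object {
        $filter = $_ | Get-NetFirewallApplicationFilter
        [pscustomobject]@{
            DisplayName = $_.DisplayName
            Enabled     = $_.Enabled
            Direction   = $_.Direction
            Action      = $_.Action
            Program     = $filter.Program
        }
    } | Format-Table -AutoSize
```

These rules only stop regsvr32.exe from reaching the network; they do not stop it from running or from loading a scriptlet already on disk, so pair them with application control (as VoodooShield does in this thread) or with logging of regsvr32 command lines.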


  4. Posts : 4,776
    Microsoft Windows 7 Home Premium 64-bit 7601 Multiprocessor Free Service Pack 1
       #4

    I've blocked regsvr32.exe in my firewall anyway. (Even though it's already blocked from running by VoodooShield)

    Thanks for posting! :)

    [Attached image: firewall.jpg]


  5. Posts : 1,797
    Win 7 Ultimate, Win 8.1 Pro, Linux Mint 19 Cinnamon (All 64-Bit)
       #5

    I also couldn't find a regsvr64.exe on my system; same as Callender, I just have regsvr32.exe in those two locations.

    Blocked using Comodo!

    [Attached image: capture-02.png]


Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

© Designer Media Ltd