Let's consider this scenario:
- There's some X software downloaded from the internet with one .exe file and several .dll files.
- The .exe file is prevented from accessing the Internet by using Windows Firewall.
- One of the program's .dll files is infected by malware.
By blocking the .exe file, is the executable code it calls from the .dll files also blocked? Or should I manually block every single file that looks like it has executable content? More generally, how does Windows Firewall work in cases like these?
Thanks!
Best Answer
When Windows runs an executable, it may import some .DLL's. It may also import .DLL's later.
When you block an executable, you prevent it from importing any .DLL's that it would normally import.
HOWEVER, you do NOT prevent other applications from importing those .DLL's.
Some applications come with their own .DLL's, some install shared .DLLs, and Windows has a plethora of .DLLs it makes available to any .exe as part of the Windows API.
Also, it is possible for a .DLL to practically be an executable and invocable with rundll32.exe or through some other mechanism of the Windows API.
If you are whitelisting .exe's, you should whitelist .DLL's as well.
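Added example, not part of the original question or answer: Windows Firewall program rules match on the path of the process image, so a useful check is which running processes currently host the application's DLLs and whether each host image has its own outbound block rule. The install folder `C:\Program Files\X` is a hypothetical path; run it from an elevated PowerShell prompt so other users' processes can be inspected.

```powershell
# Assumption: hypothetical install folder of the application in question.
$AppDir = 'C:\Program Files\X'

# Index enabled outbound block rules by the program path they apply to.
$blocked = @{}
Get-NetFirewallRule -Direction Outbound -Action Block -Enabled True | ForEach-Object {
    $program = ($_ | Get-NetFirewallApplicationFilter).Program
    if ($program -and $program -ne 'Any') {
        # Rule paths may contain environment variables such as %ProgramFiles%.
        $path = [Environment]::ExpandEnvironmentVariables($program).ToLower()
        $blocked[$path] = $_.DisplayName
    }
}

# Full paths of the DLLs shipped in the application folder.
$dlls = @(Get-ChildItem -Path $AppDir -Filter *.dll -Recurse -File |
    ForEach-Object { $_.FullName.ToLower() })

# For each running process hosting one of those DLLs, report whether the
# host's own image path is named by an outbound block rule.
Get-Process | ForEach-Object {
    $proc = $_
    foreach ($m in $proc.Modules) {      # empty for processes we cannot open
        if ($m.FileName -and $dlls -contains $m.FileName.ToLower()) {
            $image = $proc.Path
            [pscustomobject]@{
                Process   = $proc.ProcessName
                Id        = $proc.Id
                Image     = $image
                Dll       = $m.FileName
                BlockRule = if ($image) { $blocked[$image.ToLower()] } else { $null }
            }
        }
    }
} | Format-Table -AutoSize
```

A row with an empty BlockRule column is a host process, such as rundll32.exe or another application, whose image path is not named by any outbound block rule even though it has one of the application's DLLs loaded.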