Blocked by BitDefender

[ZenRevision]

In both versions, running install.bat works fine, but running startup.bat causes BitDefender to block both rundll32.exe and dwm.exe.

DWMBlurGlass was also initially blocked by BitDefender, however simply whitelisting the DWMBlurGlass directory allowed it to run just fine.

With OpenGlass, neither of the blocked files are located in the OpenGlass directory though, but rather in C:\Windows\System32 which I won't whitelist because that is a system directory that malware can potentially occupy. rundll32.exe is also an executable which is often leveraged by malware to launch suspicious processes, so I don't think it is reasonable to outright whitelist rundll32.exe either.

I'm guessing this is likely a false positive, but unfortunately this seems to be somewhat problematic to work around. Any suggestions?

I'm not a big fan of BitDefender, but Kaspersky, which suffered from far fewer false positives, disabled my account, since they got banned for use by US citizens. I have not found any other equally effective and reasonably performant AV yet, so for the time being I'm kind of stuck with BitDefender.

[ALTaleX531]

I don't know how to help you as I personally don't have this problem with Microsoft Defender. I will pin this issue and see if anyone in the community has any suggestions.

[ALTaleX531]

Moved to discussion as not an OpenGlass bug or feature request.

[ZenRevision]

This is what's triggering BitDefender:

rundll32.exe:
C:\Windows\System32
(Command line parameters: "C:\Windows\System32\rundll32.exe" "C:\Utilities
\OpenGlass_v1.2.1\OpenGlass.dll",Main /startup)

Basically the same result with the legacy version as well.
Whitelisting the OpenGlass.dll, startup.bat, and the entire OpenGlass directory is ineffective here.

It seems like BitDefender doesn't like the way that .dll is being loaded. Is it possible to have an executable that can reside in the OpenGlass directory to load the OpenGlass.dll? Perhaps then whitelisting the directory could workaround this issue. The problem here is that in order to make an exception for OpenGlass as it is now, it seems that it would have to be an excessively broad exception, which could potentially leave the system unprotected against various known malware.

DWMBlurGlass

• Also triggers BitDefender.
• However whitelisting its directory effectively works around the problem.
• DWMBlurGlass loads its .dll via an executable residing within its own directory, so perhaps that is why whitelisting its directory, containing both it's .exe and .dll files, effectively works around the problem.

ExplorerBlurMica

• Works without issue.
• Does not trigger BitDefender, so does not require whitelisting.
• ExplorerBlurMica is not using rundll32, but rather regsvr32 and the .cmd file it uses actively requests admin.
• Given that I was running OpenGlass' startup.bat as admin anyway, it seems unlikely that ExplorerBlurGlass explicitly requesting admin within it's .cmd file would be what is making the difference here.
• Seems more likely to me that the way it's loading its .dll via regsvr32 just appears more innocuous to BitDefender.

ExplorerBlurMica's register.cmd & uninstall.cmd files for reference:

register.cmd

@echo off

title Asking for administrator access
mode CON COLS=37 LINES=3
color F0
echo :::::::::::::::::::::::::::::::::::::
echo :: Requesting administrator access ::
echo :::::::::::::::::::::::::::::::::::::
cd /d "%~dp0" && ( if exist "%temp%\getadmin.vbs" del "%temp%\getadmin.vbs" ) && fsutil dirty query %systemdrive% 1>nul 2>nul || (  cmd /u /c echo Set UAC = CreateObject^("Shell.Application"^) : UAC.ShellExecute "cmd.exe", "/k cd ""%~sdp0"" && ""%~s0"" %Apply%", "", "runas", 1 >> "%temp%\getadmin.vbs" && "%temp%\getadmin.vbs" && exit /B )
color
cls

title Applying
call :isAdmin
if %errorlevel% == 0 (
   echo Applying effects
   regsvr32 "%~dp0ExplorerBlurMica.dll"
   echo.
) else (
   echo Please run as Administrator
)

echo Restarting explorer
taskkill /F /IM explorer.exe >nul
start explorer.exe
echo .
echo title Success
echo Changes applied successfully
echo You can now close this window, it will close automatically in 5 seconds
timeout /t 5 >nul
exit /b 0

:isAdmin
fsutil dirty query %systemdrive% >nul
exit /b %errorlevel%

uninstall.cmd

@echo off

title Asking for administrator access
mode CON COLS=37 LINES=3
color F0
echo :::::::::::::::::::::::::::::::::::::
echo :: Requesting administrator access ::
echo :::::::::::::::::::::::::::::::::::::
cd /d "%~dp0" && ( if exist "%temp%\getadmin.vbs" del "%temp%\getadmin.vbs" ) && fsutil dirty query %systemdrive% 1>nul 2>nul || (  cmd /u /c echo Set UAC = CreateObject^("Shell.Application"^) : UAC.ShellExecute "cmd.exe", "/k cd ""%~sdp0"" && ""%~s0"" %Apply%", "", "runas", 1 >> "%temp%\getadmin.vbs" && "%temp%\getadmin.vbs" && exit /B )
color
cls

title Uninstalling
call :isAdmin
if %errorlevel% == 0 (
   regsvr32 /u "%~dp0ExplorerBlurMica.dll"
   echo.
) else (
   echo Please run as Administrator
)

echo Restarting explorer
taskkill /F /IM explorer.exe >nul
start explorer.exe
echo .
echo title Success
echo Changes applied successfully
echo You can now close this window, it will close automatically in 5 seconds
timeout /t 5 >nul
exit /b 0

:isAdmin
fsutil dirty query %systemdrive% >nul
exit /b %errorlevel%

[Koli0842]

I am facing the same issue now, have you find any solutions for this? Adding C:\Windows\System32\mshta.exe and the OpenGlass folder prevents further detections on my machine, but I still have a "file not found" for rundll32.exe (it's there). I might check after a reboot, maybe quarantaining locked the file somehow

[ALTaleX531]

OpenGlass v2 runs its service process using dllhost.exe, while mshta.exe is only used for administrator elevation. The rundll32.exe handles installation and uninstallation, and starting or stopping the service can alternatively be managed via Task Scheduler.

This means that ensuring the OpenGlass service running through dllhost.exe is whitelisted is sufficient, while all other operations only need to be permitted during their execution. If your antivirus software does not provide this functionality, I recommend switching back to Microsoft Defender, which at least does not produce false positives about OpenGlass. Alternatively, you may consider using DWMBlurGlass instead of OpenGlass.