View Full Version : AppGuard Beta is Live (64 Bit, MemoryGuard)
Eirik
July 7th, 2010, 04:47 PM
Hi All,
For those of you interested in a 64 bit AppGuard or the new feature MemoryGuard (http://www.blueridgenetworks.com/support/appguard6432/MemoryGuard-Technology-Description.pdf), the beta is now "Live". Participants that provide us the requested feedback will get a Lifetime License (3 concurrent seats). More details:
AppGuard 64/32 Beta Tests (Advancing Zero Day Protection) (http://www.blueridgenetworks.com/support/appguard6432/)
In addition to 64 bit support and MemoryGuard, there's also InstallGuard, which one might argue would be better named "msiGuard" because it simply suppresses MSI launches unless they're digitally signed by Microsoft.
The Beta is Not Just for 64 Bit Computers
With MemoryGuard, we really want to expose it to a lot of diversity to try to find unknown unknowns early. So, we expanded the beta to 32 bit support also.
Supported Operating Systems
- 32 Bit Windows 7
- 64 Bit Windows 7
- 32 Bit Windows Vista
- 64 Bit Windows Vista
Yes, that's 64 bit Windows Vista. The test group confirmed AppGuard 64/32 works fine on Vista 64. However, if Win 7 and Win Vista should diverge over time, we are not guaranteeing that we'll ensure AppGuard works on 64 bit Vista.
This beta does not work on any version of Win XP. The reason for that is primarily MemoryGuard. We've got some R&D underway seeking a practical means to do MemoryGuard in WinXP. Unfortunately, it probably won't bear fruit. One hopes!
Cheers,
Eirik
1000db
July 7th, 2010, 05:01 PM
It's like Christmas in July! :thumb:
ViVek
July 7th, 2010, 05:05 PM
I would like to test but I'm using Win XP :(
Warklen
July 7th, 2010, 05:13 PM
Sweet, can't wait to try it.
1000db
July 7th, 2010, 05:52 PM
07/07/10 16:48:31 Prevented <Microsoft Windows Search Indexer> from writing to memory of <Microsoft Windows Search Protocol Host>.
Apparently MG doesn't allow M$ processes to manipulate each other. I got a whole log full of these on a 64-bit Win7 machine.
Prevented <C:\Program Files (x86)\SRWare Iron\iron.exe> from writing to memory of <C:\Program Files (x86)\SRWare Iron\iron.exe>.
However Iron's memory is protected from itself.
Greg S
July 7th, 2010, 06:22 PM
Do what?
[attachment 219757]
Eirik
July 7th, 2010, 06:41 PM
-{ Quote: "...Apparently MG doesn't allow M$ processes to manipulate each other..." }-
There are exceptions; the beta may identify others, possibly these.
Remember, if MemoryGuard gets in the way, please try suspending it.
Cheers
Eirik
trjam
July 7th, 2010, 07:22 PM
yo da man, Eirik. :thumb:
Good to see that at least you folks will give it a try. There are plenty of 64 bit Vista users that have money. ;)
Greg S
July 7th, 2010, 08:11 PM
Logging in to Wilders from my wife's laptop. My laptop appears to be hosed after installing the Beta. I restarted like it asked, I get the login screen fine, enter password which proceeds to load the desktop which is nothing but a black screen with my Windows Build number in the bottom right corner. Bummer
Eirik
July 7th, 2010, 08:20 PM
-{ Quote: "Logging in to Wilders from my wife's laptop. My laptop appears to be hosed after installing the Beta. I restarted like it asked, I get the login screen fine, add password which proceeds to load the desktop which is nothing but a black screen with my Windows Build number in the bottom right corner. Bummer" }-
Ouch!!! I'm very sorry. Your PC is 32 bit win 7 isn't it?
Were you able to try starting Win in safe mode?
Consider this escalated!
Eirik
Greg S
July 7th, 2010, 08:28 PM
-{ Quote: "Ouch!!! I'm very sorry. Your PC is 32 bit win 7 isn't it?
Were you able to try starting Win in safe mode?
Consider this escalated!
Eirik" }-
No. I had to kill the power. Rebooted, auto chkdsk thingy runs. This time I get the taskbar only. No desktop icons, no apps loaded in system tray. Desktop is still black with no way of getting out of it other than killing the power again. Yes, Win 7 32-bit.
http://www.wilderssecurity.com/showpost.php?p=1708863&postcount=6
Just to let you know, prior to where I'm at now, stuffed, it did install. Task manager shows the 32/64bit process running. I opened AG GUI but it was still the same version. I hit the install app again which asked to repair it. It did its thing, rebooted, here I am, lol
Do you want me to try and startup in Safe Mode? What if any info do you need before I roll this install off, if I can?
Eirik
July 7th, 2010, 10:32 PM
-{ Quote: "No. I had to kill the power. Rebooted, auto chkdsk thingy runs. This time I get the taskbar only. No desktop icons, no apps loaded in system tray. Desktop is still black with no way of getting out of it other than killing the power again. Yes, Win 7 32-bit.
http://www.wilderssecurity.com/showpost.php?p=1708863&postcount=6
Just to let you know, prior to where I'm at now, stuffed, it did install. Task manager shows the 32/64bit process running. I opened AG GUI but it was still the same version. I hit the install app again which asked to repair it. It did its thing, rebooted, here I am, lol
Do you want me to try and startup in Safe Mode? What if any info do you need before I roll this install off, if I can?" }-
Email us the msinfo file. Unfortunately, we won't have an engineer working your ticket until morning (Eastern time zone).
Sorry about this inconvenience Greg.
Eirik
Greg S
July 7th, 2010, 10:44 PM
-{ Quote: "Email us the msinfo file. Unfortunately, we won't have an engineer working your ticket until morning (Eastern time zone).
Sorry about this inconvenience Greg.
Eirik" }-
Can't this time around. I had to get back up and running to do something that needed to be done, sorry.
Do you know what the reason is for the error when first trying to install? I'll try it again but really need to get past that installation error. This time around I can give you the msinfo.
Eirik
July 7th, 2010, 11:07 PM
-{ Quote: "Can't this time around. I had to get back up and running to do something that needed to be done, sorry.
Do you know what the reason is for the error when first trying to install? I'll try it again but really need to get past that installation error. This time around I can give you the msinfo." }-
I'll know more after talking with the development team in the morning.
Eirik
1000db
July 7th, 2010, 11:10 PM
It seems that MG is enforcing its policy on all processes instead of just the ones in userland. MG should only apply to inter-user processes such as ones that are initiated within userland affecting system level processes. If this is true is it a departure from AG's philosophy?
Eirik
July 8th, 2010, 12:05 AM
-{ Quote: "It seems that MG is enforcing its policy on all processes instead of just the ones in userland. MG should only apply to inter-user processes such as ones that are initiated within userland affecting system level processes. If this is true is it a departure from AG's philosophy?" }-
Yes. However, if I recall correctly, the OS itself restricts lesser privileged processes from modifying the memory of higher privileged processes. This represents an example of something that MemoryGuard can ignore.
Eirik
Kid Shamrock
July 8th, 2010, 01:01 AM
Running win7 32-bit, MemoryGuard is blocking all kinds of things that it shouldn't be blocking. Once MG starts, there's a steady stream of events coming up in the log. Here's a sample of a few:
07/07/10 21:39:34 Prevented <Application Host Service> from writing to memory of <Host Process for Windows Services>.
07/07/10 21:39:17 Prevented <Application Host Service> from writing to memory of <Reflect Service - Enables mounting of images>.
07/07/10 21:53:15 Prevented <Application Host Service> from writing to memory of <Windows Explorer>.
07/07/10 21:52:53 Prevented <Application Host Service> from writing to memory of <Notepad>.
I had the idea of putting svchost.exe into the guarded apps list, which stopped all the blocking actions, but it effectively disabled AppGuard. I was able to write and execute files from supposedly protected areas such as the documents and downloads folders. Any other ideas on how to fix this?
1000db
July 8th, 2010, 06:35 AM
-{ Quote: "This represents an example of something that MemoryGuard can ignore." }-
That's good to know. Can I configure MG to ignore these processes through editing the policy somewhere? So far AG is running well on two different machines; one 32-bit and one 64-bit. Both are Windows 7.
Eirik
July 8th, 2010, 07:39 AM
MemoryGuard, as it is now, is not user-configurable, other than on-off (suspend).
Question to folk observing these unexpected blocks, are you also observing lost functionality?
Eirik
Kid Shamrock
July 8th, 2010, 08:05 AM
No, everything seems to be working normally, so I don't know if anything is actually being blocked or not. Just get constant alerts flashing the tray icon and a huge event log.
1000db
July 8th, 2010, 10:13 AM
-{ Quote: "MemoryGuard, as it is now, is not user-configurable, other than on-off (suspend).
Question to folk observing these unexpected blocks, are you also observing lost functionality?
Eirik" }-
MG is preventing Chrome (on 32-bit) and Iron (on 64-bit) from accessing the memory of their own executables. Therefore they have lost internet capability.
Eirik
July 8th, 2010, 10:43 AM
-{ Quote: "MG is preventing Chrome (on 32-bit) and Iron (on 64-bit) from accessing the memory of their own executables. Therefore they have lost internet capability." }-
These are excellent examples of 3rd party software MemoryGuard issues that prompted the beta.
I'm not terribly familiar with Iron. I didn't know it worked with Chrome. Is it installed as a plug-in/add-on or as a standalone application? I'm also wondering if Chrome would be affected if Iron were not involved. Any other beta folk have Chrome but not Iron?
Thanks All,
Eirik
1000db
July 8th, 2010, 11:07 AM
SRWare Iron is a chromium browser from the same source code that Google's Chrome comes from. Iron touts many privacy enhancements that Chrome lacks. So Iron is not a plugin but a browser cousin so-to-speak. I think the problem is that these two browsers (Chrome at least) have their executables in userland instead of program files.
tonyf1971
July 8th, 2010, 12:48 PM
Hi Eirik
I use Jetico BCwipe and have the Transparent Wiping enabled, and MG is blocking the tray icon. The program is still working OK, but I have lost some minor functionality. If I disable MG I can restore the icon; when I re-enable MG it appears that I have my full functionality back.
07/08/10 17:03:53 Prevented <BCWipe command line utility.> from writing to memory of <BCWipeTM>.
Greg S
July 8th, 2010, 06:20 PM
-{ Quote: "MemoryGuard, as it is now, is not user-configurable, other than on-off (suspend).
Question to folk observing these unexpected blocks, are you also observing lost functionality?
Eirik" }-
Yes, I'm losing functionality on three things so far. I'm getting messages on a few others but as far as I know, they are working fine. Is the Suspend option, when checked, limited to the time configured just like it is when suspending from the context menu? I was under the impression that it is but am getting the feeling that it's not from what you are saying. It seems to me that you're implying that it's disabled until re-enabled. I could be wrong as I usually am but I hope I'm not and here's why. If the checked suspension is hinged on the time limit then here is what's going to be the big drawback of this MemoryGuard for those who lose functionality, especially if there are no exceptions <--> If AppGuard kicks in first at startup/bootup before the apps that are losing their functions, then in my opinion it's a no go. See my point. There's no way to gain the functions back outside of killing the process and restarting the app that it's associated with.
Also, if there's no way of allowing exceptions and if there's not going to be a problem getting these every click in IE "07/08/10 18:31:48 Prevented <Internet Explorer> from writing to memory of <Internet Explorer>"
Then there has to be a way to selectively disable the blinking icon for this. I'm not talking about disabling the blinking icon globally but for a specific process and guard. In this example IE blocking IE with Memory Guard enabled. Somehow I feel this can't be done which is going to make the blinking icon more of a nuisance not to mention scare the average user to death with all this blinking going on. If it's an acceptable practice of AG and it's not going to hurt the system in any way, then why have the tray icon blink? Just report it to the Event Viewer or Status Panel tab in AG or is the Blinking icon, Event Viewer and Status Panel tab so tightly connected that losing the blinking icon breaks the other two?
I guess one can assume that all this memory guard blocking of MS processes will not degrade the condition of day to day operations?
07/08/10 17:49:46 Prevented <Console Window Host> from writing to memory of <AppID Certificate Store Verification Task>.
07/08/10 19:19:37 Prevented <Windows host process (Rundll32)> from writing to memory of <Microsoft® Volume Shadow Copy Service>.
07/08/10 19:19:37 Prevented <Windows host process (Rundll32)> from writing to memory of <Microsoft® Volume Shadow Copy Service>.
07/08/10 19:19:35 Prevented <Windows host process (Rundll32)> from writing to memory of <Host Process for Windows Services>.
07/08/10 19:19:35 Prevented <Windows host process (Rundll32)> from writing to memory of <Host Process for Windows Services>.
07/08/10 19:19:35 Prevented <Windows host process (Rundll32)> from writing to memory of <Host Process for Windows Services>.
07/08/10 19:19:35 Prevented <Windows host process (Rundll32)> from writing to memory of <Host Process for Windows Services>.
07/08/10 19:19:35 Prevented <Windows host process (Rundll32)> from writing to memory of <Microsoft Windows Search Indexer>.
07/08/10 19:19:35 Prevented <Windows host process (Rundll32)> from writing to memory of <Microsoft Windows Search Indexer>.
07/08/10 19:19:33 Prevented <Console Window Host> from writing to memory of <MUI Language pack cleanup>.
07/08/10 20:45:12 Prevented <avast! Service> from writing to memory of <avast.setup>.
07/08/10 20:45:12 Prevented <avast! Service> from writing to memory of <avast.setup>.
07/08/10 20:45:11 Prevented <avast! Service> from writing to memory of <avast.setup>.
07/08/10 20:45:11 Prevented <avast! Service> from writing to memory of <avast.setup>.
The last four above cause Avast not to update meaning it can't auto update. I can suspend MG and do it manually I reckon.
I have to ask the question which is similar to one I've asked in the past about Privacy Mode. If all these alerts are generic and apps shouldn't or probably in most cases will not lose functionality, then couldn't the same thing happen with a bad app? Somehow I envision
Prevented <BadAppMemoryDevil.exe> from writing to memory of <whatever.exe> and it not losing any functionality as well which may be ok because I really can't comprehend what it's actually blocking with these alerts.
-{ Quote: "
Also in the beta, one can customize AppGuard policies such that one can add an exception rule that allows a guarded application to write to a specific file, whereas before this one could only define a directory.
" }-
-{ Quote: "Sounds interesting
Is this done by manual edits of the xml policy or will the UI provide this capability?" }-
-{ Quote: "GUI dialog" }-
Where is it? Lol, never mind, it works as intended. I was looking for something different in the GUI. I just hadn't clicked as far as a file.
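The MemoryGuard events quoted throughout this thread all share one text shape ("Prevented <source> from writing to memory of <target>."), and the testers were asked to send in a week of them. An added example (not AppGuard's own tooling, and not code from anyone in this thread) that parses such lines and summarizes them the way a tester triaging the noise would: it separates self-writes (a process blocked from its own memory, the Chrome/Iron/IE case) from cross-process writes, and counts the most frequent source/target pairs so repeated bursts like the four avast.setup events stand out. The sample log below is constructed from lines posted in this thread; the one-event-per-line format is an assumption about the exported log.

```python
import re
from collections import Counter
from datetime import datetime

# Shape of the MemoryGuard event lines quoted in this thread. Assumption: the
# exported event log is exactly this one-line-per-event text form.
EVENT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"Prevented <(?P<src>[^>]+)> from writing to memory of <(?P<dst>[^>]+)>\.$"
)

# Constructed sample, copied from lines posted in this thread, plus one
# non-matching line to show that unrelated text is skipped rather than crashing.
SAMPLE_LOG = """\
07/07/10 16:48:31 Prevented <Microsoft Windows Search Indexer> from writing to memory of <Microsoft Windows Search Protocol Host>.
07/07/10 21:39:34 Prevented <Application Host Service> from writing to memory of <Host Process for Windows Services>.
07/08/10 18:31:48 Prevented <Internet Explorer> from writing to memory of <Internet Explorer>.
07/08/10 20:45:12 Prevented <avast! Service> from writing to memory of <avast.setup>.
07/08/10 20:45:12 Prevented <avast! Service> from writing to memory of <avast.setup>.
07/08/10 20:45:11 Prevented <avast! Service> from writing to memory of <avast.setup>.
07/08/10 20:45:11 Prevented <avast! Service> from writing to memory of <avast.setup>.
some unrelated line that is not a MemoryGuard event
"""


def parse_events(text):
    """Turn raw log text into a list of {time, src, dst} dicts; skip other lines."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "time": datetime.strptime(m.group("ts"), "%m/%d/%y %H:%M:%S"),
            "src": m.group("src"),
            "dst": m.group("dst"),
        })
    return events


def classify(event):
    """'self' when a process is blocked from its own memory, else 'cross'."""
    return "self" if event["src"] == event["dst"] else "cross"


def summarize(events, top=3):
    """Counts a tester would put in a report: totals by kind and noisiest pairs."""
    pairs = Counter((e["src"], e["dst"]) for e in events)
    kinds = Counter(classify(e) for e in events)
    self_sources = sorted({e["src"] for e in events if classify(e) == "self"})
    return {
        "total": len(events),
        "kinds": dict(kinds),
        "self_write_sources": self_sources,
        "top_pairs": pairs.most_common(top),
    }


if __name__ == "__main__":
    report = summarize(parse_events(SAMPLE_LOG))
    print(f"{report['total']} MemoryGuard events, by kind: {report['kinds']}")
    print("blocked from their own memory:", report["self_write_sources"])
    for (src, dst), n in report["top_pairs"]:
        print(f"{n:4d}  {src}  ->  {dst}")
```

Pointing `parse_events` at a real export (for example `summarize(parse_events(open("appguard.log").read()))`) gives the same report; the self-write list is the quickest way to spot which applications are in the Chrome/Iron situation, and the pair counts show which blocked interactions repeat often enough to be worth reporting as a likely false positive.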
Eirik
July 9th, 2010, 10:43 AM
-{ Quote: "Where is it? Lol, nevermind it works as intended. I was looking for something different in the GUI. I just hadn't clicked as far as a file." }-
I saw your updated post just as I was starting this post to include screenshots.
To allow 'guarded applications' to perform write operations to a specific file, one must navigate to the exception folders (& files) button and you'd see this window:
[screenshot attachment 219814]
Then navigate to the file you wish to specify (some folk have mentioned the one shown below):
[screenshot attachment 219815]
Note, these exceptions apply to ALL guarded applications. For now, we're not supporting application-specific exceptions in the interests of simplicity for the end-user.
Cheers,
Eirik
PS Sorry about the white space in the graphics.
Greg S
July 9th, 2010, 05:37 PM
-{ Quote: "
Note, these exceptions apply to ALL guarded applications. For now, we're not supporting application-specific exceptions in the interests of simplicity for the end-user.
Cheers,
Eirik
" }-
Hmm, I thought it would be application specific. With that in mind and losing functions for some apps as well as Avast not being able to update due to Memory Guard and in addition to the constant blinking tray icon, I'm gonna have to be left behind on this one and stick with the last Release version of AG. I really hate having to do that too.
TheIgster
July 11th, 2010, 12:15 AM
So I downloaded this and was thinking about trying it later tonight? General thoughts on those who have tried it so far? Yes, no?
Edit: Wow, no responses...that can't be a good sign.
tonyf1971
July 12th, 2010, 12:42 PM
-{ Quote: "So I downloaded this and was thinking about trying it later tonight? General thoughts on those who have tried it so far? Yes, no?
Edit: Wow, no responses...that can't be a good sign." }-
So far the only issue I have is with Memory Guard and some performance issues with Guarded apps, but this will depend on your setup, apps used, etc.
It does have potential, but it is a Beta; I will continue to test.
1000db
July 12th, 2010, 07:20 PM
I've had issues with Chrome, Iron, & Application Host Service. I think once they get MG more refined and default exceptions in place, it will be good. The Install Protection works as advertised though.
smith2006
July 12th, 2010, 11:26 PM
Any idea where the log file is kept? Or the user must collect manually?
I notice after a reboot, events listed under AppGuard GUI are gone.
Thanks.
-{ Quote: "Submit at least one week's worth of AppGuard Event Logs" }-
tonyf1971
July 13th, 2010, 02:47 AM
-{ Quote: "Any idea where the log file is kept? Or the user must collect manually?
I notice after a reboot, events listed under AppGuard GUI are gone.
Thanks." }-
They are viewed under the Windows event logs; for ease of use I would create a custom view/log for AppGuard.
Eirik
July 14th, 2010, 01:45 PM
Many thanks to 1000db for his excellent product suggestions and event log data. One of the main reasons for this beta is to discover all of the different but legit code injection activities on a wide variety of hosts. His logs featured many. This helps improve MemoryGuard.
Cheers,
Eirik
Eirik
July 16th, 2010, 09:29 AM
Hi All,
I'd like to ask all beta participants to send in event logs. They enable us to substantially improve MemoryGuard.
Thanks
Eirik
smith2006
July 16th, 2010, 10:11 PM
-{ Quote: "They are viewed under the Windows event logs; for ease of use I would create a custom view/log for AppGuard." }-
Thanks Tony. :thumb:
smith2006
July 16th, 2010, 10:15 PM
-{ Quote: "Hi All,
I'd like to ask all beta participants to send in event logs. They enable us to substantially improve MemoryGuard.
Thanks
Eirik" }-
Hello Eirik,
When is the cut off date for this beta? End of July?
I could only submit mine next Tuesday or Wednesday.
I will only have at least one week's worth of AppGuard Event Logs by then.
Thanks.
Eirik
July 18th, 2010, 11:13 AM
-{ Quote: "Hello Eirik,
When is the cut off date for this beta? End of July?" }-
Originally, end of July. We may extend, possibly release another beta build, all to refine MemoryGuard. I'll meet with engineering Mon/Tues to discuss.
Cheers
Eirik
1000db
July 18th, 2010, 04:09 PM
Would it be possible to have the beta periodically submit to BRN the requested data from the event logs or a manual submission function? Even though AG doesn't require updates it could submit info similar to MSE.
jmonge
July 18th, 2010, 04:51 PM
Will AppGuard with the new MemoryGuard be supporting xp2 32 bits too, or only 64 bits?
Greg S
July 18th, 2010, 05:50 PM
-{ Quote: "Will AppGuard with the new MemoryGuard be supporting xp2 32 bits too, or only 64 bits?" }-
-{ Quote: "Hi All,
This beta does not work on any version Win XP. The reason for that is primarily MemoryGuard. We've got some R&D underway seeking a practical means to do MemoryGuard in WinXP. Unfortunately, it probably won't bear fruit. One hopes!
Cheers,
Eirik" }-.....
Eirik
July 18th, 2010, 06:37 PM
-{ Quote: "Would it be possible to have the beta periodically submit to BRN the requested data from the event logs or a manual submission function? Even though AG doesn't require updates it could submit info similar to MSE." }-
Yes, this is on our master requirements list but hasn't yet made a sprint list. Maybe 2.1 release.
Eirik
July 19th, 2010, 11:10 AM
I checked out this thread suspecting from the title that there might be code injection involved. It seems I was correct. Apparently, this is an example of an attack that the MemoryGuard feature would block. A poster characterized this as injecting data into the spoolsv.exe process. However, I believe he meant code injection. Of course, I could be mistaken.
http://www.wilderssecurity.com/showthread.php?t=277316
(I'm uncomfortable posting in a thread titled with another vendor's brand)
We have some more work to do on MemoryGuard in terms of exceptions for legit code injections. I very much appreciate the event logs that folk have submitted. These will help us improve MemoryGuard.
I'm curious if any AppGuard beta folk have experimented with the little nasty in the above thread. Please note, when testing nasties, something can go wrong, be careful, and better yet, don't use a production system.
Cheers,
Eirik
1000db
July 19th, 2010, 03:05 PM
Wouldn't the execution of the original malware file have been blocked by the anti-executable function of AG before MG ever got a chance to prevent the injection?
Eirik
July 19th, 2010, 06:08 PM
-{ Quote: "Wouldn't the execution of the original malware file have been blocked by the anti-executable function of AG before MG ever got a chance to prevent the injection?" }-
Yes. Sometimes the post I envision in my head doesn't completely make it to the post. I meant to suggest that one suspend drive-by protection so that MemoryGuard could take a crack at it. Nice catch!
Cheers
Eirik
1000db
July 20th, 2010, 08:15 AM
Check out this post:
http://www.wilderssecurity.com/showpost.php?p=1711135&postcount=1
If someone has access to it, they should test MG against this piece of malware as MG seems to be designed to prevent this exact thing.
ace55
July 20th, 2010, 08:18 PM
-{ Quote: "Check out this post:
http://www.wilderssecurity.com/showpost.php?p=1711135&postcount=1
If someone has access to it, they should test MG against this piece of malware as MG seems to be designed to prevent this exact thing." }-
How so? I have not seen any mention of this malware creating remote threads in the address space of another process.
1000db
July 20th, 2010, 10:10 PM
-{ Quote: "How so? I have not seen any mention of this malware creating remote threads in the address space of another process." }-
It tries to inject code into other processes by using a pair of drivers that it installs.
-{ Quote: "Malware installs two drivers: mrxnet.sys and mrxcls.sys. They are used to inject code into systems processes and hide malware itself." }-
However, if I understand correctly, AG would have to be set to allow program launches, but maybe not since it's a vulnerability. In that case MemoryGuard should block the code injection.
-{ Quote: "So you just have to open infected USB storage device using Microsoft Explorer or any other file manager which can display icons (for i.e. Total Commander) to infect your Operating System and allow execution of the malware.
" }-
Eirik
July 21st, 2010, 04:31 PM
Hi All,
We're going to release another beta at the end of this month. It will include other new features scheduled for version 2.0. The second beta, like the first, is not to be considered production-ready. Though for the most part it's been pretty stable. There have been a few reports that we're still investigating.
MemoryGuard will be turned off by default in beta2 but users will have the option of enabling/disabling it at their pleasure. This is because, as many observed, the current implementation generates too much noise. The 2.0 release in August (possibly in September) will incorporate refinements gleaned from the data gathered during the beta. We cannot work these into a build in time for the second beta. But, the lessons learned seem quite straightforward. In beta 2, with respect to MemoryGuard, we're looking for any other unforeseen issues. The refined MemoryGuard will be turned on by default with release 2.0.
Many thanks to all beta participants. The data and observations you shared with us have been very helpful. It's been a pleasure sending out free license codes, though I wish I had an automated system for doing so. :wacko:
Cheers,
Eirik
Greg S
July 21st, 2010, 04:47 PM
-{ Quote: "
MemoryGuard will be turned off by default in beta2 but users will have the option of enabling/disabling it at their pleasure. This is because, as many observed, the current implementation generates too much noise.
Eirik" }-
How are you turning it off? Can it be turned off in the present Beta without affecting the systray icon?
Eirik
July 21st, 2010, 05:44 PM
-{ Quote: "How are you turning it off? Can it be turned off in the present Beta without affecting the systray icon?" }-
Yes, but it involves a little XML tweaking.
Modify the default policy located at:
C:\ProgramData\Blue Ridge Networks\AppGuard\AppGuardPolicy.xml
Edit it with something like notepad, search for:
<bPreventCodeInjection>
Change the value to false, save the change, and reboot. MemoryGuard is disabled.
Editing policy files like this can be unforgiving. It's always a good idea to make a copy and set it aside before making any changes. If something goes wrong, one can simply use the copy.
Cheers,
Eirik
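The procedure above (back up the policy, flip `bPreventCodeInjection` to false, reboot) as an added example, not a Blue Ridge Networks tool and not code from this thread. It is written so the edit can only succeed if the file is still well-formed XML afterwards, and it refuses to touch the file when the flag is not found. The file path is the one quoted above, but the example writes to a constructed stand-in policy in a temporary directory; the assumption that the flag is an element whose text is `true`/`false` and the surrounding element names are invented for the sample, since the real policy layout is not shown in this thread.

```python
import shutil
import tempfile
from pathlib import Path
import xml.etree.ElementTree as ET

# Real location quoted in this thread (Windows). The demo below uses a
# temporary copy so it can run anywhere without touching an installation.
POLICY_PATH = r"C:\ProgramData\Blue Ridge Networks\AppGuard\AppGuardPolicy.xml"

# Constructed stand-in for the policy file. Assumption: the flag is an element
# whose text is "true"/"false"; the other element names are invented for the sample.
SAMPLE_POLICY = """<?xml version="1.0" encoding="utf-8"?>
<AppGuardPolicy>
  <bPreventCodeInjection>true</bPreventCodeInjection>
  <GuardedApplications>
    <Application>iexplore.exe</Application>
  </GuardedApplications>
</AppGuardPolicy>
"""


def set_memoryguard(policy_path, enabled):
    """Set bPreventCodeInjection, keeping a one-time .bak copy of the original.

    Returns (previous_value, new_value). Raises ValueError and leaves the
    file untouched if the flag is not present.
    """
    policy_path = Path(policy_path)
    backup = policy_path.parent / (policy_path.name + ".bak")
    if not backup.exists():          # never overwrite an earlier pristine copy
        shutil.copy2(policy_path, backup)

    tree = ET.parse(policy_path)     # fails loudly if the XML is already broken
    node = tree.getroot().find(".//bPreventCodeInjection")
    if node is None:
        raise ValueError("bPreventCodeInjection not found; policy left untouched")

    previous = (node.text or "").strip().lower()
    node.text = "true" if enabled else "false"
    tree.write(policy_path, encoding="utf-8", xml_declaration=True)
    return previous, node.text


def read_flag(policy_path):
    """Current value of bPreventCodeInjection, or None if absent."""
    node = ET.parse(policy_path).getroot().find(".//bPreventCodeInjection")
    return None if node is None else (node.text or "").strip().lower()


def demo():
    """Run the procedure against the constructed sample in a temp directory."""
    workdir = Path(tempfile.mkdtemp())
    policy = workdir / "AppGuardPolicy.xml"
    policy.write_text(SAMPLE_POLICY, encoding="utf-8")
    before, after = set_memoryguard(policy, enabled=False)
    backup_value = read_flag(workdir / "AppGuardPolicy.xml.bak")
    return before, after, read_flag(policy), backup_value


if __name__ == "__main__":
    before, after, now, bak = demo()
    print(f"MemoryGuard flag: {before} -> {after} (file now {now}, backup keeps {bak})")
```

On a real system one would call `set_memoryguard(POLICY_PATH, enabled=False)` from an elevated prompt and then reboot as the post says; restoring is either `set_memoryguard(POLICY_PATH, enabled=True)` or copying the `.bak` file back over the policy.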
Greg S
July 21st, 2010, 06:32 PM
-{ Quote: "Yes, but it involves a little XML tweaking.
Modify the default policy located at:
C:\ProgramData\Blue Ridge Networks\AppGuard\AppGuardPolicy.xml
Edit it with something like notepad, search for:
<bPreventCodeInjection>
Change the value to false, save the change, and reboot. MemoryGuard is disabled.
Editing policy files like this can be unforgiving. It's always a good idea to make a copy and set it aside before making any changes. If something goes wrong, one can simply use the copy.
Cheers,
Eirik" }-
Thanks, I do have a backup of the policy. I did that some time back prior to removing the apps from it that I don't or never will use. Removing the unwanted cuts down on the unnecessary roughness to the Event Viewer, lol.
Greg S
July 21st, 2010, 07:41 PM
OK, I wanted to try this again now that I have an option to turn off MG. Upon reboot after installation, the desktop won't fully load. I get the taskbar, icons on desktop and a cursor that spins. No other functions. I had to kill the power. Check disk does its thing on re-boot. After that all I get is black screen for a desktop. What do you need?
This command line you gave me does not work:
AppGuard6432Setup.exe /v “/L *v AppGuardInstall.log
I am in an Admin console and yes I am in the directory of the install file. I have re-booted into Safe Mode with networking, Event Viewer shows nothing in terms of an error for BRN but that all is enabled and OK. I'm sure you're busy so I'll have to bail out on this one too. Let me know about the command line above, I would love to try again but I need to know the correct syntax.
Eirik
July 22nd, 2010, 10:22 AM
Greg,
I'm sorry about the problem.
The command line instruction I provided was incorrect. It should be:
AppGuardSetup.exe /v"/L*v AppGuardInstall.log
In the string above, there should only be two spaces, after:
- AppGuardSetup.exe
- /v"/L*v
Sorry, the person that provided me this information has been forced to listen to 30 minutes of Yoko Ono music. We should probably reduce this to 5 or 10 minutes, though. HR says we may have a lawsuit on our hands for causing post-traumatic disorder, and this person is suddenly afraid of dogs and seals.;D
If this generated a Minidump file, that would tell us more.
To clarify:
- You did not get to do the XML tweak yet (i.e., AppGuard was utilizing an unaltered policy file when you observed the symptoms)
- AppGuard was no longer on your test PC, your observations resulted from installing it via the command line (incorrect one), or without the command line (incorrect one), then you tried it again with the command line (incorrect one)?
I'm passing this info to support.
Cheers,
Eirik
Greg S
July 22nd, 2010, 08:27 PM
-{ Quote: "
To clarify:
- You did not get to do the XML tweak yet (i.e., AppGuard was utilizing an unaltered policy file when you observed the symptoms)
- AppGuard was no longer on your test PC, your observations resulted from installing it via the command line (incorrect one), or without the command line (incorrect one), then you tried it again with the command line (incorrect one)?
I'm passing this info to support.
Cheers,
Eirik" }-
Yucko Ono music, at least that was more humane than having to stare at a picture of her for 30 minutes. Please give my respects and condolences to that person.
No, tweak was not done. Kinda pointless since all functions were lost to desktop, etc., which is strange considering Event Viewer for that time frame gave me an A+ on AG. I viewed Event Viewer from Safe Mode w/net support.
No command line. The install file was launched from USB HD whilst AG had all protections suspended.
Yes, I did try again to launch setup whilst in Safe Mode by using the Yoko Ono command line. It was going to be my attempt to repair install which I had hoped would generate the needed dump file but I forgot that the installer won't work in Safe Mode either, lol.
Question: If Event Viewer was showing all was OK for AG but my OS wasn't, what's the odds of it not generating the dump file?
Tarantula
July 23rd, 2010, 10:35 AM
I have just downloaded and installed AppGuard x64 beta, on Win 7 Ultimate x64 SP1 (official beta). Started with my tests, and what I saw: it's a piece of cake to disable the main service of AppGuard >>> http://yfrog.com/n558731608p
And this is with all options enabled. Now I can easily install whatever I want and AppGuard doesn't protect me anymore. Today, I've tested some AVs vs some malware and there was one that disables security center, firewall and windows defender services. What can stop it from doing the same with Blue Ridge AppGuard Service?
Kees1958
July 23rd, 2010, 12:00 PM
-{ Quote: "What can stop it to do the same with Blue Ridge AppGuard Service?" }-
Well that would be very hard for malware. Some security programs like AppGuard are designed to protect with zero pop-ups for the average user.
Average Joe/Jane
Running Windows 7 (64 bit because it is put on every new PC nowadays), has UAC in default, with AppGuard you get
a) deny write (create/delete/update) intent access to Windows and Programs Directories for guarded programs
b) deny write (setting values, creating/deleting subkeys, etc) for HKLM registry hive
c) deny execute on user space (Users and Programs Data directories)
d) memory violation protection
Question:
How would a process running low or medium rights plus the protection of AppGuard be able to end system processes?
Regards Kees
Eirik
July 23rd, 2010, 01:11 PM
Hi Tarantula,
Thank you for participating in our beta. You've just made a helpful contribution to the beta. Engineering has declared this termination of the AppGuard service a bug.
I'm assuming that you used the service control manager (SCM) to terminate the AppGuard service. Is that correct? If not, please elaborate.
Cheers,
Eirik
Eirik
July 23rd, 2010, 01:34 PM
Thank you Kees.
AppGuard also suppresses script launches from user-space. I believe that includes (sorry, top of mind answer here): .bat, .vbs, .com, .cmd. I'm trying to remember others...
Are there other script types that you all consider too dangerous to be allowed to run from user-space? Please let me know.
Also, MSI files are not allowed to launch from user-space, unless digitally signed by Microsoft. We'll add other trusted publishers.
Other user-space protection features are under consideration right now.
Cheers,
Eirik
Eirik
July 23rd, 2010, 02:09 PM
This Windows LNK vulnerability hype has made for some interesting discussions. And from time to time, our 'high-value target' enterprise customers send us malware samples. This week we received roughly the same sample from multiple sources wishing to confirm MemoryGuard at work. I'm mentioning this because this sample is widely reported to affect both enterprise and consumer PCs. And, because it involves MemoryGuard, our beta.
It's a download that makes use of the LNK vulnerability with names such as W32.Changeup (Symantec), W32/Autorun.BFG (Sophos), Win32/AutoRun.VB.RD (Eset), Worm:Win32/Vobfus.R (Microsoft), Download-CJX (McAfee), TR/Dldr.Gaat.B (Avira).
As Wilders folk would expect, and as I wrote in our blog "AppGuard Snuffs-Out Windows LNK Vulnerability Zero-Day Attacks (http://www.blueridgenetworks.com/securitynowblog/computer-advanced-persistent-threat-protection-windows-lnk-vulnerability-zero-day-attacks)", the LNK vulnerability alone is not that remarkable given the oldest of AppGuard's protection features.
The sample gets interesting when one lets the downloader run, unguarded, without privacy mode, or anything but MemoryGuard restricting it. Here's a screenshot from AppGuard (beta):
http://www.blueridgenetworks.com/securitynowblog/wp-content/uploads/2010/07/Rieonim_LNK-Malware-Blocked-by-MG21.jpg
Frankly, I was surprised because the one or two write-ups on the Internet that I had read did not mention code injections. But, I'm not a professional malware ...
Are you seeing MemoryGuard intercepting malware in consumer space?
We've gained some useful insights regarding MemoryGuard 'out of the lab'. I believe you'll be quite pleased with it in AppGuard 2.x next month (possibly September). It's still important for us to continue to receive log files from your beta1 and soon beta2 observations.
Barring any last minute Quality issues, we'll release beta 2 Thursday evening (eastern daylight time) next week.
Cheers,
Eirik
Tarantula
July 23rd, 2010, 05:11 PM
-{ Quote: "Hi Tarantula,
Thank you for participating in our beta. You've just made a helpful contribution to the beta. Engineering has declared this termination of the AppGuard service a bug.
I'm assuming that you used the service control manager (SCM) to terminate the AppGuard service. Is that correct? If not, please elaborate.
Cheers,
Eirik" }-
You are welcome! And yes, that's right. :)
Edit: One question: is this the correct email that I'm supposed to use for feedback -> appguard@blueridgenetworks.com
I'm asking because I have a file (PDF exploit) that creates an administrator account without a notice by AppGuard, and I want to send it to you.
Eirik
July 23rd, 2010, 06:28 PM
-{ Quote: "Is this the correct email..." }-
Yes, thanks for the file. I'm looking forward to hearing what our folk say.
Btw, I've got many activation codes to send out. I'll do so tonight.
Thanks again for the helpful feedback.
Cheers
Eirik
Greg S
July 23rd, 2010, 08:24 PM
-{ Quote: "Greg,
I'm sorry about the problem.
The command line instruction I provided was incorrect. It should be:
AppGuardSetup.exe /v"/L*v AppGuardInstall.log"
Eirik" }-
It's still incorrect at least for the Beta, it should be
AppGuard6432Setup.exe /v"/L*v AppGuardInstall.log"
Anyway, unless I'm missing it somewhere, it didn't create a log file. This time the install worked without crashing the desktop but for some reason, no Memory Guard alerts. I haven't tried the XML tweak yet so it's not that. Memory Guard is working because, like the last install, Avast will not update and two other apps I usually run will not work. I'm just not getting the alerts.
-{ Quote: "Yes, but it involves a little XML tweaking.
Modify the default policy located at:
C:\ProgramData\Blue Ridge Networks\AppGuard\AppGuardPolicy.xml
Edit it with something like notepad, search for:
<bPreventCodeInjection>
Change the value to false, save the change, and reboot. MemoryGuard is disabled.
Editing policy files like this can be unforgiving. It's always a good idea to make a copy and set it aside before making any changes. If something goes wrong, one can simply use the copy.
Cheers,
Eirik" }-
There is no <bPreventCodeInjection> in ProgramData. I have that entry in my User folder xml policy. Which is correct? I'm confused
I'm getting the feeling this install is botched as well.
Update: My feelings were correct. I re-booted to the crashed black desktop with nothing left to do but kill the power and restore.
Eirik
July 23rd, 2010, 09:38 PM
Greg,
I'm very disappointed that you've encountered these problems. I apologize for your inconvenience. I've asked developers to contact you via your email.
I agree with your expedient resolution: 'restore'.
Eirik
Greg S
July 23rd, 2010, 11:00 PM
-{ Quote: "Greg,
I'm very disappointed that you've encountered these problems. I apologize for your inconvenience. I've asked developers to contact you via your email.
I agree with your expedient resolution: 'restore'.
Eirik" }-
As a last-ditch effort, I uninstalled the release version and nuked everything BRN from the HD and Registry. Installed the Beta, edited the XML policy and all appears to be well. I'm sorry I couldn't provide any useful info but, as mentioned earlier, even though it wouldn't allow my desktop to load, Event Viewer stated that everything was fine. Have you changed my license info? Can I install this on my wife's x64 using my present license?
Greg S
July 26th, 2010, 05:38 PM
I have this (rescache.hit) set in Malware Defender to ask on everything.
07/26/10 16:13:19 Prevented process <Internet Explorer> from writing to <e:\windows\rescache\rc0007\rescache.hit>.
Why is AG alerting me to such a thing when Malware Defender is not? I have tested Malware Defender's ask policy on this particular file and it will warn if anything is attempted, but when AG alerts me, I get no warning from MD. Should I allow this one file in AG's exceptions? It is possible that if in fact AG has prevented this then MD would not even have a chance to chime in. Curious.
Eirik
July 26th, 2010, 10:01 PM
-{ Quote: "I have this (rescache.hit) set in Malware Defender to ask on everything.
07/26/10 16:13:19 Prevented process <Internet Explorer> from writing to <e:\windows\rescache\rc0007\rescache.hit>.
Why is AG alerting me to such a thing when Malware Defender is not? I have tested Malware Defender's ask policy on this particular file and it will warn if anything is attempted, but when AG alerts me, I get no warning from MD. Should I allow this one file in AG's exceptions? It is possible that if in fact AG has prevented this then MD would not even have a chance to chime in. Curious." }-
I don't recognize it. My rule of thumb: if a block hasn't 'broken' anything, don't create an exception, especially if the action is unknown.
As for MD, your speculation may be correct. Unfortunately, I don't know.
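The advice above ("don't create an exception unless the block broke something") is easier to follow when the block log is summarised per application and target rather than read line by line. The following is an added example, not code from the thread or from AppGuard: it parses block messages of the shape quoted in the thread (both file-write blocks and MemoryGuard's "writing to memory of" blocks), counts repeats, and separates the memory events. The sample lines are constructed; apart from the rescache line that mirrors the post above, the process names and paths are made up.

```python
"""Parse AppGuard-style block events and summarise them per subject and target.

Added example, not code from the thread or from AppGuard. The line shape is
taken from the block messages quoted in the thread; the sample lines below are
constructed (process names and paths are made up, apart from the rescache line
that mirrors the thread).
"""
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample log in the message format quoted in the thread.
SAMPLE_LOG_LINES = [
    r"07/26/10 16:13:19 Prevented process <Internet Explorer> from writing to <e:\windows\rescache\rc0007\rescache.hit>.",
    r"07/26/10 16:13:20 Prevented process <Internet Explorer> from writing to <e:\windows\rescache\rc0007\rescache.hit>.",
    r"07/26/10 16:20:02 Prevented <Example Updater> from writing to memory of <Example Service Host>.",
    r"07/26/10 16:21:45 Prevented process <Example Browser> from writing to <e:\program files\example app\example.log>.",
    "this line is not a block event and is skipped by the parser",
]

# <subject> and <target> are the bracketed names; the text between them is the
# blocked action ("writing to" for a file, "writing to memory of" for MemoryGuard).
EVENT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"Prevented (?:process )?<(?P<subject>[^>]+)> "
    r"from (?P<action>.+?) <(?P<target>[^>]+)>\.$"
)


@dataclass(frozen=True)
class BlockEvent:
    when: datetime
    subject: str   # guarded application that was stopped
    action: str    # what it was stopped from doing
    target: str    # file path or process it was stopped from touching


def parse_line(line: str) -> Optional[BlockEvent]:
    """Return a BlockEvent for a block message, or None for any other line."""
    m = EVENT_RE.match(line.strip())
    if m is None:
        return None
    return BlockEvent(
        when=datetime.strptime(m.group("ts"), "%m/%d/%y %H:%M:%S"),
        subject=m.group("subject"),
        action=m.group("action"),
        target=m.group("target"),
    )


def parse_log(lines: Iterable[str]) -> List[BlockEvent]:
    """Parse every recognised line, silently dropping everything else."""
    return [ev for ev in map(parse_line, lines) if ev is not None]


Key = Tuple[str, str, str]


def summarize(events: Iterable[BlockEvent]) -> Dict[Key, int]:
    """Count blocks per (subject, action, target) so repeats stand out."""
    return dict(Counter((e.subject, e.action, e.target) for e in events))


def repeated_blocks(events: Iterable[BlockEvent], min_count: int = 2) -> List[Key]:
    """Keys that fired at least min_count times: the entries worth a closer look.
    Whether any deserves an exception still depends on whether the block
    actually broke something the user needs."""
    return sorted(k for k, n in summarize(events).items() if n >= min_count)


def memory_blocks(events: Iterable[BlockEvent]) -> List[BlockEvent]:
    """Events where the blocked action was a write into another process."""
    return [e for e in events if e.action == "writing to memory of"]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG_LINES)
    for key, n in sorted(summarize(evs).items()):
        print(n, key)
    print("memory events:", len(memory_blocks(evs)))
```

Feeding a real AppGuard log through `parse_log(open(path))` gives the same tables; lines in a format the regex does not recognise are dropped rather than guessed at, so an unexpected message type shows up as a count that is lower than the raw line count.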
Eirik
July 29th, 2010, 11:19 AM
Hi all,
We need to delay beta 2 until Monday. The QA folks found a bug we consider a showstopper. Sorry.
Eirik
tonyf1971
July 29th, 2010, 04:19 PM
-{ Quote: "Hi all,
We need to delay beta 2 until Monday. The QA folks found a bug we consider a showstopper. Sorry.
Eirik" }-
Do you still want additional log files from beta 1, or shall I wait until beta 2 before submitting more?
Eirik
July 29th, 2010, 05:27 PM
-{ Quote: "Do you still want additional log files from beta 1, or shall I wait until beta 2 before submitting more?" }-
All logs are potentially helpful. If I had to choose, then I'd wait for beta 2 logs.
Thanks,
Eirik
1000db
August 3rd, 2010, 09:28 PM
-{ Quote: "Hi all,
We need to delay beta 2 until Monday. The QA folks found a bug we consider a showstopper. Sorry.
Eirik" }-
Can we have a status update? Is the "show stopper" resolved?
Eirik
August 3rd, 2010, 11:22 PM
You just beat me to the punch... Our webmaster was unavailable and could not post the new beta until about an hour ago. It's live!!!
So what's new in beta2?
To begin with, MemoryGuard has an enable/disable button. The refinements we have in mind will be in the next release (2.1.x) later this month, possibly early September. This will not be a beta release. For beta 2, we ask that you enable MemoryGuard to gather log data. Be warned, in its present form, MemoryGuard blocks many legit actions by antivirus software and a few Windows facilities. We need your log data to better refine MemoryGuard for the 2.1 release coming soon. Please run MemoryGuard long enough to generate extensive blocking event logs, which can help us define even better refinements.
Beta2 adds the following to what you saw in Beta1:
- Parental Controls (please read the embedded Help for details)
- MBRguard is integrated into AppGuard
- Ignore Messages
- Enhanced User-Space Protection, we're renaming 'Drive-by Download Protection' to 'User-Space Protection'
- Update alert
More details and the download here:
http://www.blueridgenetworks.com/support/appguard6432/
I should like to also clarify a system requirement that we failed to communicate. AppGuard on Vista requires Service Pack 1 (and later).
As many of you probably know by now, David Kennedy reported and demonstrated a vulnerability that allows an attacker to elude built-in PowerShell restrictions. Apparently, no AV or HIPS product can stop such attacks, though I wouldn't care to make so bold a statement myself other than merely repeat what others assert. I hear these attacks also elude software restriction policies (SRP). We have NOT verified this!!! Kennedy has released Metasploit modules, btw. We expect attacks in the wild soon.
I mention this PowerShell vulnerability because we believe AppGuard beta 2 will stop such attacks from user-space by default. Those that add powershell.exe to the 'guard list' enjoy a higher degree of protection from a less common vector where the PowerShell code is executed by a 'trusted' application (I use this term loosely as we do NOT really 'trust' applications). This latter form of attack tends to be executed by more sophisticated cyber criminals on high value targets such as government organizations and large corporations. As per the beta, we would greatly appreciate your feedback on the guarding of powershell.exe.
We look forward to your feedback and would appreciate your spreading the word. Beta participants get a free lifetime license for up to three concurrent computers.
Cheers,
Eirik
pegr
August 4th, 2010, 01:10 AM
-{ Quote: "Enhanced User-Space Protection" }-
Hi Eirik,
I have two questions relating to the new version.
Q1. Will there also be enhanced System-Space protection in the new version? This is something we've discussed previously.
The scenario I have in mind is this: Many machines come with a pre-installed system recovery partition as well as the partition that the system boots from. As non-system partitions are automatically treated by AppGuard 1.4.7 as Extended User-Space, there needs to be a way for the user to add exclusions to move selected drive letters, folders, and sub-folders from User-Space into System-Space, in order to protect them against being written to by Guarded Applications.
In AppGuard 1.4.7, the Drive-By Download Protection Settings has two tabs: Allow and Deny. If the Guarded Applications Exception Folders Settings also had a Deny tab in addition to the (implicit) Allow tab, it would not only enable the user to allow Guarded Applications write access to the specified folders, it would also enable the user to deny Guarded Applications write access to the specified folders.
It would be nice to see the AppGuard 2.x GUI provide better transparency regarding what constitutes System-Space and User-Space, combined with the flexibility for customisation to move folders in both directions between the two. Whilst the concept is both brilliant and simple, I've always thought that the implementation in AppGuard 1.4.7 is incomplete and lacks clarity.
Q2. As you are aware from previous conversations, AppGuard is adding around 20 seconds to the boot times on my Windows XP system. You did say that the engineers had found what they thought was a problem with the licensing code that may be causing this problem. Has this now been fixed in the new version?
TIA.
Regards
Eirik
August 4th, 2010, 02:32 PM
-{ Quote: "Hi Eirik,
I have two questions relating to the new version.
Q1. Will there also be enhanced System-Space protection in the new version? This is something we've discussed previously.
The scenario I have in mind is this: Many machines come with a pre-installed system recovery partition as well as the partition that the system boots from. As non-system partitions are automatically treated by AppGuard 1.4.7 as Extended User-Space, there needs to be a way for the user to add exclusions to move selected drive letters, folders, and sub-folders from User-Space into System-Space, in order to protect them against being written to by Guarded Applications.
In AppGuard 1.4.7, the Drive-By Download Protection Settings has two tabs: Allow and Deny. If the Guarded Applications Exception Folders Settings also had a Deny tab in addition to the (implicit) Allow tab, it would not only enable the user to allow Guarded Applications write access to the specified folders, it would also enable the user to deny Guarded Applications write access to the specified folders.
It would be nice to see the AppGuard 2.x GUI provide better transparency regarding what constitutes System-Space and User-Space, combined with the flexibility for customisation to move folders in both directions between the two. Whilst the concept is both brilliant and simple, I've always thought that the implementation in AppGuard 1.4.7 is incomplete and lacks clarity.
Q2. As you are aware from previous conversations, AppGuard is adding around 20 seconds to the boot times on my Windows XP system. You did say that the engineers had found what they thought was a problem with the licensing code that may be causing this problem. Has this now been fixed in the new version?
TIA.
Regards" }-
Per your first question, you made two excellent points. We were unable to get the requested 'enhanced system space' into beta2. I'll have to get back to you on when we will. On the second point about improving the GUI, particularly in terms of displaying what user-space is at the moment (add/remove an external hard drive, one changes user-space), that is very much what I want the AppGuard GUI to do. In fact, I had hoped to get this into beta1 but had to surrender it this time around to other features.
On the second question regarding prolonged boot times, yes, we have implemented changes that we hope significantly improve this insofar as the licensing was delaying things. If, however, there was a different, undiscovered cause or contributor, then we probably didn't fully solve the issue. If the problem was not solved, please let us know ASAP to improve the chances of discovering the 'other' cause and solving it before the next release.
Cheers,
Eirik
pegr
August 4th, 2010, 03:26 PM
Hi Eirik,
Thanks very much for the comprehensive and helpful reply. :)
I would very much like to test a beta version in order to see if the slow booting problem has been resolved before the next release, and also to provide any other feedback that may be of use, but it appears that Windows XP is not a supported operating system for the current beta.
Regards
Greg S
August 4th, 2010, 04:36 PM
Eirik, I don't think you ever answered my question as to where the AppGuardInstall.log is located, but I have just now downloaded the latest version for install and noticed the log file in the folder of the last beta. Do you need this log file? Do I need to run the command line again for this install just in case? Should I uninstall the previous Beta? Is this installation problem a result of me editing my XML policies? And before you ask, yes they are edited correctly, I assure you. One more, is the MBR protection enabled by default? I'm still skeptical of this with the likes of Comodo Time Machine, Eaz-Fix etc..
One thing I noticed in the log file
MSI (c) (00:30) [18:46:03:578]: Cleaning up uninstalled install packages, if any exist
For me, AG does not do this. At one time, I had four different installers in the Windows/Installer folder.
Also, the download link gives me the previous beta according to the install. The options I get are to remove, repair etc.. Right click, Save Target as seems to give me the correct file.
Update:
Gave the latest version a try at installing. BSOD on the Welcome Screen. I also got this during install
[attachment 220658]
Eirik
August 4th, 2010, 06:08 PM
-{ Quote: "Hi Eirik,
Thanks very much for the comprehensive and helpful reply. :)
I would very much like to test a beta version in order to see if the slow booting problem has been resolved before the next release, and also to provide any other feedback that may be of use, but it appears that Windows XP is not a supported operating system for the current beta.
Regards" }-
My bad!!! Except for the MemoryGuard feature, XP is supported by the beta.
Eirik
Eirik
August 4th, 2010, 06:15 PM
Hi Greg,
I'll ask someone from engineering to work directly with you. The support needed for your system is over my head.
As for the screenshot of the unsigned driver, that is normal. We have not gone through the Microsoft process of signing our driver software. We want to avoid this until the driver software stops changing so frequently due to additions and refinements, primarily due to MBRguard integration and MemoryGuard. Then, we'll suck it up and go through the process of signing.
Cheers,
Eirik
Greg S
August 4th, 2010, 06:37 PM
-{ Quote: "Hi Greg,
I'll ask someone from engineering to work directly with you. The support needed for your system is over my head.
As for the screenshot of the unsigned driver, that is normal. We have not gone through the Microsoft process of signing our driver software. We want to avoid this until the driver software stops changing so frequently due to additions and refinements, primarily due to MBRguard integration and MemoryGuard. Then, we'll suck it up and go through the process of signing.
Cheers,
Eirik" }-
Never mind, lol. It's up and running. For whatever reason, I guess I'm always going to have to uninstall previous versions. I went ahead with MBR Guard and all seems well. I wish that I knew what causes all my install troubles with AG. I do have some more questions.
1) Is AppGuardAgent the part that will use the net for updates?
2) When uninstalling or even updating, does the AG install overwrite and add to the default XML policy? After uninstalling, Program Data/BRN was left intact and I'm curious to know if it gets updated if there are any new additions to the default policy.
Eirik
August 4th, 2010, 10:37 PM
Hi Greg,
I'm glad your system is working. I wonder if there's a software conflict with some configuration or back-up software that hinders driver removal. I still believe engineering needs to study.
The AppGuardGUI executable checks for update. It notifies but does not auto-update. We will do so. I want to overhaul the GUI and add some other important features first.
Well gotta run, posting from an iPhone is slow going and I've got a phone call coming any minute.
Cheers
Eirik
Eirik
August 4th, 2010, 10:39 PM
One more thing Greg...
I don't know the answer to your XML question. The engineer that contacts you tomorrow will know.
Cheers
Eirik
jmonge
August 4th, 2010, 10:42 PM
Researchers at Black Hat 2010 and DefCon 18 demonstrated how to circumvent security restrictions intended to prevent malicious PowerShell scripts from doing harm. The researchers say antivirus, host intrusion prevention systems (HIPS), as well as software restriction policies (SRP) built into Windows Group Policies, and other advanced security software products cannot protect computers from these attacks. AppGuard protects Windows computers from these sophisticated zero day attacks.
pegr
August 5th, 2010, 08:43 AM
-{ Quote: "My bad!!! Except for the MemoryGuard feature, XP is supported by the beta." }-
Excellent! Thanks very much Eirik - I'm going to download it and give it a try.
Regards
Eirik
August 5th, 2010, 12:12 PM
-{ Quote: "Researchers at Black Hat 2010 and DefCon 18 demonstrated how to circumvent security restrictions intended to prevent malicious PowerShell scripts from doing harm. The researchers say antiVirus, host intrusion prevention system (HIPS), as well as software restriction policies (SRP) built into Windows Group Policies, and other advanced security software products cannot protect computers from these attacks. AppGuard protects Windows computers from these sophisticated zero day attacks" }-
Correct, AppGuard is expected to block these attacks. I wrote a MARKETING blog post on PowerShell vulnerability exploits. (http://www.blueridgenetworks.com/securitynowblog/zero-day-powershell-attacks-advanced-persistent-threat-protection-software)
Cheers
Eirik
tonyf1971
August 5th, 2010, 02:41 PM
The version I am downloading from the link is 1.5.20
SHA-1: 63CCED6A39FBCA4CC59C7C0B87180358826BA2BE
http://www.blueridgenetworks.com/support/appguard6432/
??
Eirik
August 5th, 2010, 04:43 PM
-{ Quote: "The version I am downloading from the link is 1.5.20
SHA-1: 63CCED6A39FBCA4CC59C7C0B87180358826BA2BE
http://www.blueridgenetworks.com/support/appguard6432/
??" }-
Your web browser may be displaying a cached version of the web page, or if you're viewing it through a translator... I just visited the page as I'm posting this, refreshed the page, downloaded the executable, and re-calculated the hash of the downloaded executable, which is the same as posted on the web page:
c4ace02e1cb87a104870d02233d196d7926f549e
Version 2.0.6
I have often questioned our webmaster about something he failed to change only to have him tell me I need to refresh my browser. Very frustrating! If you keep seeing this after refreshing, however, please let me know.
Eirik
Greg S
August 5th, 2010, 07:24 PM
-{ Quote: "One more thing Greg...
I don't know the answer to your XML question. The engineer that contacts you tomorrow will know.
Cheers
Eirik" }-
Then we are probably not going to know for sure. No offense intended but in all the times that you have told me that someone from the upper brass was going to contact me, they never have. I do like this version of AG. The ignore feature is working well
wearetheborg
August 5th, 2010, 08:38 PM
-{ Quote: "My bad!!! Except for the MemoryGuard feature, XP is supported by the beta.
Eirik" }-
Will it be supported in the final release?
And I assume it's OK for a person to send beta test reports for multiple test computers?
How many log files are needed? I dual boot to Linux, and my main work OS is Linux. I use Windows not a whole lot (i.e. not 24/7).
Eirik
August 6th, 2010, 09:38 AM
-{ Quote: "Then we are probably not going to know for sure. No offense intended but in all the times that you have told me that someone from the upper brass was going to contact me, they never have. I do like this version of AG. The ignore feature is working well" }-
My bad on yesterday. I had forgotten that the engineer was off.
Eirik
Eirik
August 6th, 2010, 09:51 AM
-{ Quote: "Will it be supported in the final release?" }-
MemoryGuard will not be supported in the final release in XP. It may never be supported. XP lacks what Vista/7 has, which would require very extensive work to achieve without it, assuming that can be done at all. We do have an R&D back-burner project dedicated to this because XP is still the most popular OS.
-{ Quote: " And I assume its ok for a person to send beta test reports for multiple test computers?" }-
Yes, absolutely. The more the better. The purpose of the beta is to expose it to as many environments as practical.
-{ Quote: "How many log files are needed? I dual boot to Linux, and my main work OS is Linux. I use Windows not a whole lot (i.e. not 24/7)." }-
We ask for folk to send a week's worth of log data because this increases the odds of discovering possible software conflicts or disruptions with whatever 3rd party software is used on the host. One could accelerate this by simply running as many different applications as is practical, doing as many different activities... Doing this on multiple machines with different 'elements' generates logs on ever more diversity. In other words, continuous OS usage is not absolutely critical.
Cheers,
Eirik
Eirik
August 6th, 2010, 10:18 AM
BETA ANNOUNCEMENT
Hi All,
I met with engineering late Wednesday where we decided to conduct yet another round of beta, which makes it the 3rd. The rationale for doing so orbits MemoryGuard. It will be the first implementation of MemoryGuard refinements that strive to eliminate all the issues identified in the first two betas.
I personally don't like people to beta something if there's nothing new/additional in terms of features. After all, we're asking you to install and run something that is not officially released; folks ought to get some new features. I'm negotiating with engineering on those additional features, which will tend to be of 'small t-shirt size' each in terms of development effort to ensure that the final AppGuard 2.x release is ready for end of September. Unfortunately, this means we will not do the GUI improvements that I've sought. GUI work, as many of you programmers know, is rather time-intensive.
Among other things, I'll be asking engineering to add more applications guarded by default. We've long intended to guard the following by default (I may have mistaken the spelling on these, but I think you'll know what I mean):
- Regsrv32.exe
- Rundll32.exe
- cmd.exe
I'd appreciate it if more of you would add these to your guard list during this beta and report any disruptions to what you do on your PC.
I had hoped to get a copy of the Secunia Top 50 list (anybody have it?) to help identify (and justify guarding) the most common and the most vulnerable 3rd party applications. When we add to the default guard list, we naturally have to test everything from head to toe. This is why we do not liberally add other 3rd party apps. Some of you have asked us to add other apps. When you ask us to add one, it helps to hear of your observations from doing so manually (e.g., no problems).
As always, we listen and try to implement your feature requests when we can, and if it complies with our overall positioning (we don't want to be as complex as a HIPS product).
Cheers,
Eirik
Eirik
August 6th, 2010, 10:31 AM
One more Beta point:
A number of Wilders folk requested that one be able to define a file-specific exception to guarded applications to let them write to a specific file within program files or windows directories. To those of you that requested it, and others too, please try it out and provide us feedback.
An example, a guarded application is prevented from writing to say a log file in the program files application directory. In the exceptions area of the AppGuard GUI, one can specify a specific file instead of an entire directory.
Cheers,
Eirik
tonyf1971
August 6th, 2010, 11:21 AM
-{ Quote: "Your web browser may be displaying a cached version of the web page, or if you're viewing it through a translator... I just visited the page as I'm posting this, refreshed the page, downloaded the executable, and re-calculated the hash of the downloaded executable, which is the same as posted on the web page:
c4ace02e1cb87a104870d02233d196d7926f549e
Version 2.0.6
I have often questioned our webmaster about something he failed to change only to have him tell me I need to refresh my browser. Very frustrating! If you keep seeing this after refreshing, however, please let me know.
Eirik" }-
Still no joy with this Eirik. I have tried both IE8 and Opera 10.60, have refreshed on the download page, cleared all previous temp files, history etc. with CCleaner and R-Wipe, but I still get the download for Beta 1!
wearetheborg
August 6th, 2010, 02:47 PM
-{ Quote: "BETA ANNOUNCEMENT
Hi All,
I met with engineering late Wednesday where we decided to conduct yet another round of beta, which makes it the 3rd. The rationale for doing so orbits MemoryGuard. It will be the first implementation of MemoryGuard refinements that strive to eliminate all the issues identified in the first two betas.
" }-
When will the third beta be up?
-{ Quote: "
I personally don't like people to beta something if there's nothing new/additional in terms of features. After all, we're asking you to install and run something that is not officially released, folks ought to get some new features.
" }-
Hammering out the flaws is good enough :)
In this age of companies rushing out flawed products, it's nice to see flaws being hammered out.
Eirik
August 6th, 2010, 03:26 PM
AppGuard Beta2 Download
I've been unable to replicate Tony's observations via two different computers and multiple web browsers. Has anyone else observed the same where the beta page (http://www.blueridgenetworks.com/support/appguard6432/) is displaying beta 1 instead of beta 2 content/install-file?
Appreciate the help thanks,
Eirik
wearetheborg
August 6th, 2010, 03:49 PM
I get the correct version in Linux:
$ sha1sum AppGuard6432b2Setup.exe
c4ace02e1cb87a104870d02233d196d7926f549e AppGuard6432b2Setup.exe
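The same check as the sha1sum call above, written so it can be run against any downloaded installer and compared with the digest posted on the download page. This is an added example, not code from the thread or from Blue Ridge Networks: the two hash constants are the values posted earlier in the thread, the installer file name is the one in the post above, and the bytes written in the demo are constructed. `normalize_sha1` accepts the digest however it was pasted (upper- or lower-case, with or without a "SHA-1 -" prefix), which is exactly the form the mismatch was reported in.

```python
"""Verify a downloaded installer against the SHA-1 posted on the download page.

Added example, not code from the thread or from Blue Ridge Networks. The two
hash constants are the values posted in the thread; the file name is the one
posted above; the demo bytes are constructed.
"""
import hashlib
import hmac
import re
import tempfile
from pathlib import Path
from typing import Tuple

# SHA-1 values as posted in the thread: beta 2 (version 2.0.6) and the older 1.5.20 build.
EXPECTED_BETA2_SHA1 = "c4ace02e1cb87a104870d02233d196d7926f549e"
BETA1_SHA1 = "63CCED6A39FBCA4CC59C7C0B87180358826BA2BE"

_HEX40 = re.compile(r"[0-9a-fA-F]{40}")


def normalize_sha1(text: str) -> str:
    """Pull the 40-hex-digit digest out of pasted text such as 'SHA-1 -63CC...'
    and lower-case it, so posted and computed values compare like for like."""
    m = _HEX40.search(text)
    if m is None:
        raise ValueError(f"no SHA-1 digest found in {text!r}")
    return m.group(0).lower()


def sha1_of_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so large installers need not fit in memory."""
    h = hashlib.sha1()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path: Path, expected: str) -> bool:
    """True if the file's SHA-1 equals the posted digest (constant-time compare)."""
    return hmac.compare_digest(sha1_of_file(path), normalize_sha1(expected))


def run_demo() -> Tuple[bool, bool]:
    """Check constructed content against its own digest and against the wrong one."""
    with tempfile.TemporaryDirectory() as d:
        # Constructed stand-in for the installer; SHA-1("abc") is a published test vector.
        f = Path(d) / "AppGuard6432b2Setup.exe"
        f.write_bytes(b"abc")
        good = verify_download(f, "SHA-1 -A9993E364706816ABA3E25717850C26C9CD0D89D")
        bad = verify_download(f, EXPECTED_BETA2_SHA1)
        return good, bad


if __name__ == "__main__":
    print(run_demo())  # prints (True, False)
```

For the real file the call is `verify_download(Path("AppGuard6432b2Setup.exe"), EXPECTED_BETA2_SHA1)`; a download that instead matches `BETA1_SHA1` is the cached beta 1 installer described in the thread, whatever the page says.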
Greg S
August 6th, 2010, 03:50 PM
-{ Quote: "One more Beta point:
A number of Wilders folk requested that one be able to define a file-specific exception to guarded applications to let them write to a specific file within program files or windows directories. To those of you that requested it, and others too, please try it out and provide us feedback.
An example, a guarded application is prevented from writing to say a log file in the program files application directory. In the exceptions area of the AppGuard GUI, one can specify a specific file instead of an entire directory.
Cheers,
Eirik" }-
Not much to feedback on with this one. It works very well but the drawback for me is this.
-{ Quote: "Note, these exceptions apply to ALL guarded applications. For now, we're not supporting application-specific exceptions in the interests of simplicity for the end-user.
Eirik" }-
Isn't allowing all guarded applications a possible semi-breakdown in the overall security that AG is supposed to be providing?
Eirik
August 6th, 2010, 04:17 PM
-{ Quote: "Not much to feedback on with this one. It works very well but the drawback for me is this.
Isn't allowing all guarded applications [to write to an 'exception'] a possible semi-breakdown in the overall security that AG is supposed to be providing?" }-
Yes. It's an ease-of-use trade-off. It should be used thoughtfully. If one defines an application log file, no big deal. This is the most common example. However, an application preference or software component (I don't know of any specific examples.) could be. I'm afraid I don't know the significance of specifying a Windows.log file. This would be a good discussion subject.
I don't want to do application-specific exceptions without making very significant changes to the GUI. Otherwise, we might intimidate non-technical users. When we do, we'll also be able to introduce some capabilities only available in the enterprise version that I consider very exciting. I'd prefer not to elaborate until we're closer to a release, until we schedule a target date for major GUI revision.
Cheers,
Eirik
Greg S
August 6th, 2010, 04:22 PM
-{ Quote: "Still no joy with this Eirik. I have tried both IE8 and Opera 10.60, have refreshed on the download page, cleared all previous temp files, history etc. with CCleaner and R-Wipe, but I still get the download for Beta 1!" }-
Yes, I've mentioned this earlier. When clicking the download button on the page, I get Beta 1. If I right click, save target as, I get Beta 2. Weird I know but that was the only way I could get the second Beta.
Greg S
August 6th, 2010, 04:24 PM
-{ Quote: "Yes. Its an ease of use trade-off. It should be used thoughtfully. ...
Cheers,
Eirik" }-
OK, I understand now. I didn't quote the log file part but that does make sense in light of what you said about them.
Kees1958
August 6th, 2010, 04:45 PM
Eirik,
I tried to install the latest beta on my play PC. Only software I have got running is Windows Defender (on execute application check disabled) and Norton UAC Tool.
After install, PC dumped (not even a BSOD) twice, rebooted with latest known good install. Strangely AppGuardGUI loaded. But control panel only showed status. After de-install, I lost my recovery points and also all cached icons in system tray. Norton UAC acted as if a major Vista update had happened (had forgotten all its allowed elevations).
Greg S
August 6th, 2010, 07:58 PM
-{ Quote: "AppGuard Beta2 Download
I've been unable to replicate Tony's observations via two different computers and multiple web browsers. Has anyone else observed the same where the beta page (http://www.blueridgenetworks.com/support/appguard6432/) is displaying beta 1 instead of beta 2 content/install-file?
Appreciate the help thanks,
Eirik" }-
Wanting to trial AG on my wife's x64, I clicked the download link at BRN site. It gave me Beta 1. I right clicked, save target as and got the Beta 2. Just for the record, she doesn't even know who or what Blue Ridge Networks is so she has never visited the site, meaning no cookies or temp files.
clicking link:
220722
save target as:
http://www.blueridgenetworks.com/support/appguard6432/AppGuard6432b2Setup.exe
page source snippet:
<a href="AppGuard6432b2Setup.exe" class="button1" style="width:260px;margin:0;" align="left" onClick="Trackalyzer (14069, 'http://www.blueridgenetworks.com/support/appguard6432/AppGuard6432Setup.exe');pageTracker._trackPageview('/support/appguard6432/AppGuard6432Setup.exe'); " target="_blank">> Download AppGuard 64/32 </a></p>
both betas are listed
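The page-source snippet Greg S pasted above shows the anchor's href pointing at the beta 2 installer while the onClick tracking calls reference the beta 1 file name. As an added example (not code from the thread or from Blue Ridge Networks), here is a small checker that extracts both from each anchor tag and reports any file-name disagreement; the second, consistent anchor in the sample is constructed here so the check has a negative case.

```python
import re
import posixpath
from urllib.parse import urlsplit

# Constructed sample: the anchor tag quoted in the thread, plus a second,
# consistent anchor added here purely as a negative case for the check.
SAMPLE_HTML = '''
<a href="AppGuard6432b2Setup.exe" class="button1" style="width:260px;margin:0;" align="left" onClick="Trackalyzer (14069, 'http://www.blueridgenetworks.com/support/appguard6432/AppGuard6432Setup.exe');pageTracker._trackPageview('/support/appguard6432/AppGuard6432Setup.exe'); " target="_blank">> Download AppGuard 64/32 </a></p>
<a href="release-notes.txt" onClick="pageTracker._trackPageview('/support/appguard6432/release-notes.txt');">Notes</a>
'''

# One regex pulls each <a ...> start tag, the next splits its attributes.
ANCHOR_RE = re.compile(r'<a\b([^>]*)>', re.IGNORECASE | re.DOTALL)
ATTR_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"', re.DOTALL)
# Any single-quoted string inside the handler that looks like a path or URL.
PATH_RE = re.compile(r"'([^']*/[^']*)'")


def basename(path_or_url):
    """File name component of either a bare path or a full URL."""
    return posixpath.basename(urlsplit(path_or_url).path)


def find_tracker_mismatches(html):
    """Return (href, tracked_url) pairs whose file names disagree.

    A mismatch means the link the browser follows and the file the
    analytics/tracking script reports (or redirects to) are not the same,
    which is exactly the symptom testers described in this thread.
    """
    mismatches = []
    for match in ANCHOR_RE.finditer(html):
        attrs = {k.lower(): v for k, v in ATTR_RE.findall(match.group(1))}
        href = attrs.get("href")
        onclick = attrs.get("onclick")
        if not href or not onclick:
            continue  # nothing to cross-check on this anchor
        for tracked in PATH_RE.findall(onclick):
            if basename(tracked) != basename(href):
                mismatches.append((href, tracked))
    return mismatches


if __name__ == "__main__":
    for href, tracked in find_tracker_mismatches(SAMPLE_HTML):
        print(f"href={href!r} but handler references {tracked!r}")
```

Running it against the quoted snippet reports two mismatches for the download button (one per tracking call) and none for the consistent anchor; the same check can be pointed at a saved copy of any download page before a beta is announced.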
wearetheborg
August 6th, 2010, 08:09 PM
-{ Quote: "Wanting to trial AG on my wifes x64, I clicked the download link at BRN site. It gave me Beta 1. I right clicked, save target as and got the Beta 2. Just for the record, she doesn't even know who or what Blue Ridge Networks is so she has never visited the site, meaning no cookies or temp files.
clicking link:
220722
save target as:
http://www.blueridgenetworks.com/support/appguard6432/AppGuard6432b2Setup.exe" }-
That is one weird behavior. I get the same beta2 file if I click, or right click.
Greg S
August 6th, 2010, 08:15 PM
-{ Quote: "That is one weird behavior. I get the same beta2 file if I click, or right click." }-
Is your browser IE8? Do you have it setup to open pretty much everything in a tab with popup blocker enabled?
wearetheborg
August 6th, 2010, 08:32 PM
-{ Quote: "Is your browser IE8? Do you have it setup to open pretty much everything in a tab with popup blocker enabled?" }-
Nope, firefox under linux.
Greg S
August 6th, 2010, 10:22 PM
-{ Quote: "I've been reading this thread for a while, and am tempted to try the Beta, it looks like it is going to be a good program, but is this something an average user like me should install?" }-
Yes! It's geared towards "non-technical users". In my opinion, it's the best buy for a security app at the present time.
1000db
August 6th, 2010, 10:58 PM
I still get beta 1!
jmonge
August 6th, 2010, 11:16 PM
agree with GregS 100%
jmonge
August 6th, 2010, 11:37 PM
A piece of advice here: whenever one tests beta software, it is recommended to just run the beta alone, without other layers, while testing ;) my 5 Mexican pesos ;D
Eirik
August 7th, 2010, 01:26 AM
Hi All,
I can confirm the problem too. I suspect there is a Javascript or maybe PHP error in the webpage. I don't know. When I mouse-over the link it reports the correct download link. Once I download, depending on web browser, it either downloads both the first and the second one, or just one of them (either). With Firefox, I've seen it appear to start to download the correct one but pause, require another click, and then it downloads the first one.
Until the webmaster can identify and correct, please try this direct download link (http://www.blueridgenetworks.com/support/appguard6432/AppGuard6432b2Setup.exe), pasted below in text as well.
http://www.blueridgenetworks.com/support/appguard6432/AppGuard6432b2Setup.exe
Installation File Attributes
File Name: AppGuard6432b2Setup.exe
File Size: 13,041 K
SHA1: c4ace02e1cb87a104870d02233d196d7926f549e
Those of you who have downloaded beta1, despite our intents: are you seeing a web page that says at the top:
AppGuard 64/32 Beta (Version 2.0.6)
I heartily apologize for the inconvenience to those affected. Moreover, I'm quite embarrassed.
Eirik >:(
Update: I compared the SHA1 hash checksum of the beta1 that is being downloaded despite our wishes with the SHA1 hash checksum of the install file I submitted to the webmaster in early July. They are a match.
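Eirik's update above settles which file was served by comparing SHA1 checksums, and his post publishes the digest for the beta 2 installer. As an added example (not code from the thread or from Blue Ridge Networks), this script does the same check for a downloaded file: it streams the file through SHA-1 and compares the result against the published digest. The sample file it hashes is constructed in a temporary directory; the published digest for AppGuard6432b2Setup.exe is copied from the post above, and the "abc" test vector is used as the stand-in published value for the constructed file.

```python
import hashlib
import hmac
import os
import tempfile

# Digest published in the post above for the beta 2 installer.
PUBLISHED_SHA1 = {
    "AppGuard6432b2Setup.exe": "c4ace02e1cb87a104870d02233d196d7926f549e",
}

# Well-known SHA-1 test vector for the bytes b"abc"; used below as the
# "published" digest of the constructed sample file.
SHA1_OF_ABC = "a9993e364706816aba3e25717850c26c9cd0d89d"


def sha1_of_file(path, chunk_size=1 << 16):
    """Hash the file in chunks so a multi-megabyte installer needs no RAM spike."""
    digest = hashlib.sha1()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_download(path, expected_sha1):
    """True only if the file's SHA-1 matches the published digest (case-insensitive)."""
    actual = sha1_of_file(path)
    # compare_digest does not stop at the first differing character.
    return hmac.compare_digest(actual.lower(), expected_sha1.strip().lower())


def demo():
    """Constructed sample: a tiny file standing in for a downloaded installer.

    Returns (matches_its_own_digest, matches_the_beta2_digest); the second is
    False because the sample is obviously not the real installer.
    """
    with tempfile.TemporaryDirectory() as workdir:
        sample = os.path.join(workdir, "sample.bin")
        with open(sample, "wb") as handle:
            handle.write(b"abc")
        good = verify_download(sample, SHA1_OF_ABC)
        wrong_file = verify_download(sample, PUBLISHED_SHA1["AppGuard6432b2Setup.exe"])
    return good, wrong_file


if __name__ == "__main__":
    print(demo())
```

To check a real download, call `verify_download("AppGuard6432b2Setup.exe", PUBLISHED_SHA1["AppGuard6432b2Setup.exe"])` on the file you actually received; a False result means you have the beta 1 file (or a corrupted download), whatever the page link said.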
pegr
August 7th, 2010, 01:43 PM
Hi Eirik,
I now have the 2.0.6 beta running on my Windows XP system. My initial impressions are as follows:
I upgraded over the top of 1.4.7 with MBRGuard already installed. The installer correctly detected the upgrade and everything went smoothly; all of my previous settings were successfully retained.
The slow boot problem that I reported previously has not been completely eliminated but is much reduced. The additional boot time has reduced from 20 seconds to 12 seconds, so a definite improvement there.
Even though I'm running in an admin account, under Advanced Settings, the User Name and Password fields are disabled (greyed out). Not sure if this is intentional or whether this is a bug. Doesn't seem to have affected anything though, as I'm still able to suspend and enable protections, add folder exclusions, etc.
IMO, the renaming of Drive-By Download Protection Settings to User-Space Protection is a good idea. It makes things clearer conceptually as it emphasises the relationship between the launching of unguarded applications and user space.
In a similar vein, I would like to suggest that Exception Folders settings under the Guarded Applications tab be renamed to System-Space Protection, with the addition of Allow & Deny tabs, similar to User-Space Protection settings. This would make clearer the relationship between guarded applications and write access to folders in system space. It would also enable additional partitions and folders to be protected against write access at user discretion.
As I'm running Windows XP, I'm unable to test MemoryGuard. Apart from that everything is running normally and I haven't experienced any problems or unusual behaviour since installing the beta. It's running exactly the same as 1.4.7 and apart from the additional features, I haven't noticed any difference. If the situation changes, I'll report back.
Regards
Greg S
August 7th, 2010, 03:26 PM
-{ Quote: "
Even though I'm running in an admin account, under Advanced Settings, the User Name and Password fields are disabled (greyed out). Not sure if this is intentional or whether this is a bug. Doesn't seem to have affected anything though, as I'm still able to suspend and enable protections, add folder exclusions, etc.
Regards" }-
I was under the impression that this had to do with Parental Controls and needed two users for activating, one Admin user and one Limited/Basic user. Maybe I've misunderstood?
Eirik
August 7th, 2010, 04:21 PM
-{ Quote: "I was under the impression that this had to do with Parental Controls and needed two users for activating, one Admin user and one Limited/Basic user. Maybe I've misunderstood?" }-
Yes, plus one must turn on the parental controls. Otherwise, the mentioned fields are greyed out. There are detailed descriptions in the built-in Help guide.
Cheers
Eirik
wearetheborg
August 7th, 2010, 04:46 PM
Eirik, when will the third beta be out?
Greg S
August 7th, 2010, 05:54 PM
-{ Quote: "What should I do about these sorts of events: 'prevented IE from writing to memory of IE' and 'prevented Windows search indexer from writing to memory of microsoft windows search protocol host'?" }-
JE, those are from Memory Guard and the two you mention are considered normal. Send your logs to BRN. I think somewhere in this topic or maybe on BRN website there are instructions on how to Beta Test. It's my understanding that they are using the logs/info in these Betas to refine AG's Memory Guard Protection as well as other settings/functions.
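The two MemoryGuard events asked about above are described in this thread as normal background noise, and testers are asked to send their logs to BRN. As an added example (not code from the thread or from Blue Ridge Networks), the script below parses log lines of the shape quoted in this thread, counts each source-to-target pair, and separates the pairs already known to be benign from those worth a second look before the log is mailed off. The log lines and the benign baseline are constructed here; a real baseline should come from what a clean system of your own produces.

```python
import re
from collections import Counter

# Constructed sample lines in the shape quoted in this thread; not a real log.
SAMPLE_LOG = """\
07/07/10 16:48:31 Prevented <Microsoft Windows Search Indexer> from writing to memory of <Microsoft Windows Search Protocol Host>.
07/07/10 16:49:02 Prevented <Internet Explorer> from writing to memory of <Internet Explorer>.
07/07/10 16:49:02 Prevented <Microsoft Windows Search Indexer> from writing to memory of <Microsoft Windows Search Protocol Host>.
07/07/10 16:51:40 Prevented <Example Updater Service> from writing to memory of <Internet Explorer>.
07/07/10 16:52:10 Some unrelated status line that the parser should skip
"""

# timestamp, then "Prevented <source> from writing to memory of <target>."
EVENT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) Prevented <(?P<src>[^>]+)> "
    r"from writing to memory of <(?P<dst>[^>]+)>\.$"
)

# Constructed baseline: the two pairs this thread calls normal. Replace with
# the pairs observed on your own known-clean machine.
KNOWN_BENIGN = {
    ("Microsoft Windows Search Indexer", "Microsoft Windows Search Protocol Host"),
    ("Internet Explorer", "Internet Explorer"),
}


def parse_events(text):
    """Return (timestamp, source, target) tuples for every MemoryGuard block line."""
    events = []
    for line in text.splitlines():
        match = EVENT_RE.match(line.strip())
        if match:
            events.append((match["ts"], match["src"], match["dst"]))
    return events


def triage(text, baseline=KNOWN_BENIGN):
    """Count each (source, target) pair; split into expected and needs-review."""
    counts = Counter((src, dst) for _, src, dst in parse_events(text))
    expected = {pair: n for pair, n in counts.items() if pair in baseline}
    review = {pair: n for pair, n in counts.items() if pair not in baseline}
    return expected, review


if __name__ == "__main__":
    expected, review = triage(SAMPLE_LOG)
    for (src, dst), n in review.items():
        print(f"REVIEW  {n:3d}x  {src} -> {dst}")
    for (src, dst), n in expected.items():
        print(f"known   {n:3d}x  {src} -> {dst}")
```

The review list is the part worth describing in the email to BRN: a pair that recurs on a clean machine is a candidate for the product's default tolerances, while a one-off pair involving software you do not recognise deserves a closer look first.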
Eirik
August 7th, 2010, 06:16 PM
-{ Quote: "Eirik, when will the third beta be out?" }-
1st week of September, give or take a few days.
Eirik
August 7th, 2010, 06:20 PM
-{ Quote: "JE, those are from Memory Guard and the two you mention are considered normal. Send your logs to BRN. I think somewhere in this topic or maybe on BRN website there are instructions on how to Beta Test. It's my understanding that they are using the logs/info in these Betas to refine AG's Memory Guard Protection as well as other settings/functions." }-
Excellent answer.
A likely new feature will be a new button that gathers host environment data, logs, policy, and whatever else makes sense and respects privacy.
Eirik
August 7th, 2010, 06:28 PM
We're considering the addition of the following to the default guard list:
.exe (and the 64 bit equivalent)
Regsrv32.exe (did I spell that right?)
cmd.exe
AppGuard old timers may recall our reluctance to do this, fearing it might confuse non-tech folk. If any of you do/would guard these, we'd love to learn of any undesired blocking events related to 3rd party software. If you consider yourself non-tech, you might want to sit this beta request out.
Thanks
Eirik
wearetheborg
August 7th, 2010, 06:53 PM
-{ Quote: "OK, I have the instructions on sending log files. I'll send what I have so far.
" }-
Er, could you send me a pointer to the instructions?
Greg S
August 7th, 2010, 08:31 PM
-{ Quote: " but how do you take a program out of protection permanently? For instance a program such as X-Plane won't start up.
" }-
Is X-Plane really a program? If so, try adding it to the Guarded Applications. I had an app in one of the first AG releases that gave me problems. At the advice of Eirik, I added it to the Guarded Applications list and it worked perfectly. I don't remember the specifics of it, but I think the app was in a folder on the desktop but I had it set up to autostart via one of the startup locations.
justenough
August 8th, 2010, 02:16 AM
I deleted my posts here, I couldn't get the hang of this program and had too many questions, they were just cluttering up the thread without the answers I needed to solve some computer hang-ups this weekend. I'll be looking for the public release of AppGuard.
pegr
August 8th, 2010, 02:16 AM
-{ Quote: "Yes, plus one must turn on the parental controls. Otherwise, the mentioned fields are greyed out. There are detailed descriptions in the built-in Help guide." }-
Hi Eirik,
Thanks to you and Greg S for the clarification. Looks like I didn't quite understand how it was supposed to work. :-[
What did you think of the suggestion I made about renaming Exception Folders in Guarded Applications to System-Space Protection and adding a Deny tab to the implicit Allow tab?
Regards
stackz
August 8th, 2010, 05:25 AM
-{ Quote: "We're considering the addition of the following to the default guard list:
.exe (and the 64 bit equivalent)
Regsrv32.exe (did I spell that right?)
cmd.exe
k" }-
.exe (and the 64 bit equivalent)? lol, any one in particular?
regsrvr32.exe - I'll give you half marks for the spelling. :dry:
Greg S
August 8th, 2010, 06:42 AM
-{ Quote: ".exe (and the 64 bit equivalent)? lol, any one in particular?
regsrvr32.exe - I'll give you half marks for the spelling. :dry:" }-
Lol,
Try here http://www.wilderssecurity.com/showpost.php?p=1724874&postcount=90
Eirik
August 8th, 2010, 10:20 AM
-{ Quote: "What did you think of the suggestion I made about renaming Exception Folders in Guarded Applications to System-Space Protection and adding a Deny tab to the implicit Allow tab?" }-
Loved it! It will probably be in the next build.
Eirik
August 8th, 2010, 10:26 AM
-{ Quote: ".exe (and the 64 bit equivalent)? lol, any one in particular?
regsrvr32.exe - I'll give you half marks for the spelling. :dry:" }-
Lol. I must have posted this from my iPhone, as I am now. The keyboard fills up over half the screen, and the font size maxes out. I should use the preview fn.
I meant to type rundll32.exe.
wearetheborg
August 8th, 2010, 10:49 AM
Eirik, could you also post the instructions for the beta testers...on how we are supposed to obtain and submit the logs etc?
Thanks
pegr
August 8th, 2010, 12:17 PM
-{ Quote: "Loved it! It will probably be in the next build." }-
That's good news! Kudos to the engineers - the current build is completely stable on my Windows XP system and the boot time has improved! :)
Thankful
August 8th, 2010, 12:34 PM
-{ Quote: "That's good news! Kudos to the engineers - the current build is completely stable on my Windows XP system and the boot time has improved! :)" }-
I thought AppGuard Beta only runs on Windows 7 and Vista.
jmonge
August 8th, 2010, 01:11 PM
the memoryguard part of appguard is for vista and seven only:)
Thankful
August 8th, 2010, 01:12 PM
-{ Quote: "the memoryguard part of appguard is for vista and seven only:)" }-
Thanks.
jmonge
August 8th, 2010, 01:19 PM
You're welcome ;)
I wanted to try it for my XP2 and no luck ;D only in my Vista :thumb: but still AppGuard has its good moments :)
Eirik
August 8th, 2010, 01:44 PM
-{ Quote: "Eirik, could you also post the instructions for the beta testers...on how we are supposed to obtain and submit the logs etc?
Thanks" }-
For Windows Vista/7, here's a screenshot with arrows. The second arrow pertains to the tear-down menu that appears after the right-click. XP is actually simpler in that there are fewer 'things' in the GUI. As for the GUI, one usually finds it in 'administrator tools' from the 'start' menu or in the 'control panel'.
220748
Then name it, save it somewhere you can find, then attach it to an email to appguard@blueridgenetworks.com
Cheers,
Eirik
jmonge
August 8th, 2010, 02:19 PM
very clear big arrows;D
Greg S
August 8th, 2010, 09:39 PM
-{ Quote: "
...
A likely new feature will be a new button that gathers host environment data, logs, policy, and whatever else makes sense and respects privacy." }-
As usual, I'm confused. Is the button for collection of needed info for BRN or is the button for use with Memory Guard on the user level? User level as in click the button and AG surveys the system and installed apps etc.. and from the gathered info will determine each user allowances for Memory Guard. It would be great if AG could inventory what a user has installed/running and use the info for Memory Guard tolerances. Of course if it could be done, it would have to come with the warning of make sure the system is Malware free before applying which shouldn't be a problem since AG's security is protection and not cleaning. I'm just thinking out loud.
RHE10
August 8th, 2010, 09:55 PM
-{ Quote: "As usual, I'm confused. Is the button for collection of needed info for BRN or is the button for use with Memory Guard on the user level? User level as in click the button and AG surveys the system and installed apps etc.. and from the gathered info will determine each user allowances for Memory Guard. It would be great if AG could inventory what a user has installed/running and use the info for Memory Guard tolerances. Of course if it could be done, it would have to come with the warning of make sure the system is Malware free before applying which shouldn't be a problem since AG's security is protection and not cleaning. I'm just thinking out loud." }-
I'm guessing is for BRN...
(Hey Eirik)
Eirik
August 8th, 2010, 11:36 PM
The 'button' is a convenience for end-users that need assistance from Blue Ridge. Assistance requires us to know their system environment, sometimes their AppGuard policy, what AppGuard has blocked, the status of AppGuard, and sometimes a mini dump file. I would like this to give users discretion in what they send us, unchecking items they do not wish to send us.
Gathering this data can intimidate non-tech users. And, helping them do so takes up our time too.
For the beta and the next, the button also makes it easier to share log data. And yes, MemoryGuard data is our top interest.
Greg is actually telegraphing future capabilities we might not implement this year. We have some building blocks we should complete first.
Cheers
Eirik
Eirik
August 10th, 2010, 05:53 PM
Hi All,
There are a couple of items I'd like to share.
First, the download issue has been corrected. The webmaster fixed a Javascript that resulted in serving the wrong install file, as well as in some cases, serving the old and the new install files both. The correct version of the 2nd beta is 2.0.6.
Second, there is a GUI ambiguity concerning MBRguard. When you can see the "Enable MBRguard" button in the AppGuard 'Settings' tab, MBRguard is not enabled. When you see the "Disable MBRguard" button, that means MBRguard is enabled. Clicking either actually installs or uninstalls the driver, which requires a restart.
Second and a half, the MBRguard driver is not digitally signed. We will do so after we make changes necessary to generate log events, alerts, and no longer require a restart to implement enable/disable. Yes, at present, MBRguard blocks attacks but doesn't brag about it.
So as you know, installing unsigned drivers causes Windows to suspend the installation and ask the end-user if he/she wants to install an unsigned driver. Once a user has clicked 'ok' to the Windows prompt that says the driver is not signed, Windows remembers that driver as trusted if it should be removed and reinstalled again, eliminating need for another 'ok' prompt.
The other AppGuard driver 'BRNfilelock.sys' does NOT require user-approval for installation.
BTW, I've met with the engineering team a few times in the last few business days to discuss simplifying the end-user experience, the GUI. We've defined stretch items for the third beta that would incorporate some non-trivial changes. However, if we cannot, the GUI may actually get a little more complex than it was before we began the beta process this summer: 'darkest before the dawn', as it were. Anyway, the engineering team and I are quite excited and motivated per these discussions.
As always, we welcome your inputs. We've received a lot of good feedback and ideas from all over the world. The Internet still amazes me sometimes.
Cheers,
Eirik
EDIT: See how I started this post saying 'two items' but actually more than doubled it? Now you know how our engineering team feels when I talk to them. 'Oh, one more thing...'
Greg S
August 10th, 2010, 06:21 PM
-{ Quote: "Hi All,
When you see the "Disable MBRguard" button, that means MBRguard is enabled." }-
Mine shows as enabled (Disable MBRguard). I was reluctant to do this during installation since I do use an ISR app for quick restore and the MBRguard kinda skeeered me. I've made numerous snaps and restores without any problems though.
-{ Quote: "We're considering the addition of the following to the default guard list:
.exe (and the 64 bit equivalent)
Regsrv32.exe (did I spell that right?)
cmd.exe
AppGuard old timers may recall our reluctance to do this, fearing it might confuse non-tech folk. If any of you do/would guard these, we'd love to learn of any undesired blocking events related to 3rd party software. If you consider yourself non-tech, you might want to sit this beta request out.
Thanks
Eirik" }-
Since installing beta 2, I have added the above to the guarded list. Not a peep out of AG so far. I added these to an earlier version of AG some time back but removed them after a few days because AG was a little too noisy on some of Windows SOP's. So far this time around it's not that way. I know it's been asked before, but are there any other apps that should or could be added to the Guarded Applications list?
Eirik
August 11th, 2010, 08:34 AM
-{ Quote: "...are there any other apps that should or could be added to the Guarded Applications list?" }-
I do wonder if explicitly guarding all Java engines would be beneficial without adverse consequences. Generally the applications that use them are themselves guarded. So, when they use them, they dynamically become guarded while used. Should an unguarded application do so, they would not.
I don't know whether there would be adverse consequences from explicitly guarding them.
Cheers
Eirik
HAN
August 11th, 2010, 10:36 AM
So, how is the password/parental control implemented in the beta builds? Did they abandon the 2 user account approach? (I hope I hope!!!)
Kees1958
August 12th, 2010, 02:13 AM
Eirik,
I think I know what caused my problem. Lately I tried Spyshelter and it would not work either. I think it is because I have restricted legacy apps from starting up in RUN HKLM through group policy. I noticed that Vista business had virtualised the Spyshelter installation. I also found AppGuard in the virtual store.
I have no idea what combo of GP settings has forced this virtualisation (I installed with right click run as Admin). I know some guy managed to use an undocumented API to virtualise applications (when you can do it through task manager, it is somehow possible).
After the failed install of Spyshelter, I had lost again all my restore points. So it is not related to AppGuard, but because I have set some strange combo in GPO.
Regards Kees
Eirik
August 12th, 2010, 07:58 AM
-{ Quote: "So, how is the password/parental control implemented in the beta builds? Did they abandon the 2 user account approach? (I hope I hope!!!)" }-
Hi Han,
I might have answered your question earlier. But, I was hoping to hear what others say. We are in beta after all. But, I hate to see your question unanswered.
So, yes. It does require at least two login accounts. This can coincide with a best practice recommended at Wilders and other security circles: one admin account, one LUA account. AppGuard asks nothing more than that.
Cheers
Eirik
Eirik
August 12th, 2010, 08:01 AM
-{ Quote: "Eirik,
I think I know what caused my problem. Lately I tried Spyshelter and it would not work either. I think it is because I have restricted legacy apps from starting up in RUN HKLM through group policy. I noticed that Vista business had virtualised the Spyshelter installation. I also found AppGuard in the virtual store.
I have no idea what combo of GP settings has forced this virtualisation (I installed with right click run as Admin). I know some guy managed to use an undocumented API to virtualise applications (when you can do it through task manager, it is somehow possible).
After the failed install of Spyshelter, I had lost again all my restore points. So it is not related to AppGuard, but because I have set some strange combo in GPO.
Regards Kees" }-
Thanks for the update. I'll pass this on. Are you running AppGuard ok now?
Kees1958
August 12th, 2010, 08:11 AM
-{ Quote: "Thanks for the update. I'll pass this on. Are you running AppGuard ok now?" }-
No I am writing content and managing the design for a website of a small IT company (I did the repositioning earlier and due to low work stretched the job until my holiday in september - it is a hard time for one man band consultancy). So constantly waiting for the new designs, reviewing increments and killing those minutes with lurking on Wilders. I need my play PC for this, so leave my configuration as is.
HAN
August 12th, 2010, 10:18 AM
-{ Quote: "Hi Han,
I might have answered your question earlier. But, I was hoping to hear what others say. We are in beta after all. But, I hate to see your question unanswered.
So, yes. It does require at least two login accounts. This can coincide with a best practice recommended at Wilders and other security circles: one admin account, one LUA account. AppGuard asks nothing more than that.
Cheers
Eirik" }-
Sorry to hear that. It eliminates AppGuard from any potential use I might have, either at home or at work. Complicates things beyond what I would be willing to accept. :(
**EDIT**
Some additional thoughts...
If this is a beta, maybe it's not too late to beg for what I see as a more realistic solution. Why do you (meaning the developers, not you personally!) feel the multiple account approach is the best way? Seems to me this is not being looked at from a real, day to day users perspective. Logging on back and forth between user accounts to change a protection setting/solve a user issue? I feel there may be a bit of not seeing the forest for the trees going on.
My feeling is that THE reason for programs like AppGuard is solely for running only as an Admin. I am no expert but there seems to be very, very little malware that infects limited accounts. I have run as a Limited User for years and never had any issues. It's the Admin users that need the help. And contrary to what you see here, most users in Windows run as Admins. And most have only 1 account on their machine. And IMO, no amount of discussing this situation at forums such as Wilders will ever change that. So if that's the way it really is, why not design to deal with that reality instead of the sophisticated, multiple account (including Limited) users you encounter here?
Eirik
August 18th, 2010, 04:10 PM
Hi HAN,
I appreciate your original feedback but didn't feel I had anything constructive to post regarding it. I just now noticed your edit/update, which raises good points.
-{ Quote: "...Logging on back and forth between user accounts to change a protection setting/solve a user issue?..." }-
If one wishes to do something from within a Windows account contrary to parental controls, one can tell AppGuard to engage 'privileged mode'. AppGuard responds with an authentication challenge. One must answer this challenge with credentials associated with a Windows account NOT restricted by parental controls. Once in this mode, one is no longer restricted, and can do whatever, and when done, turn off the mode. All this without logging out and into another account.
-{ Quote: "...most users in Windows run as Admins. And most have only 1 account on their machine...why not design to deal with that reality instead of the sophisticated, multiple account (including Limited) users you encounter here?" }-
You've hit the crux of it. There's no eluding your point, not that I would wish to do so.
There are two reasons for our two-account minimum approach.
First, we sought to avoid the customer support issues of lost parental control passwords. This approach keeps us out of that entirely. Self-serving? Sure. However, this benefits customers too. Consider how many days responding to such a trouble ticket could take and what circumstances a customer might be in while waiting.
Second (cynics, you'll love this!), our choice is an act of 'tough love' and 'integrity'. [he says in his best Bill Clinton empathetic voice]
We feel that we ought to be encouraging security best practices among consumers.
As effective as we believe AppGuard to be at stopping zero-day malware attacks, running a PC with local admin rights increases the odds of something, somehow getting through. That's bad for our customers, which is bad for us too.
So, if we lose some sales because we want to spare customers from support headaches and reduce their exposure to sophisticated attacks, we'll live with it.
I don't want to lose customers. But, we cannot please everyone.
We're sincerely disappointed that we've displeased you with our parental controls. If the majority of folk felt this way, however, we'd reconsider. For now, I can only say that we are listening to you and taking your feedback very seriously.
Cheers,
Eirik
ace55
August 20th, 2010, 03:08 AM
I'm currently evaluating the beta and am impressed so far. I do have one question regarding Memory Guard though. Does memory guard prevent read operations on another application's memory to prevent data leakage? If not, I believe it would be a good idea to add a 'private processes' list to the current private mode, complementing the private folders list. Memory Guard would then protect these processes from memory reads from guarded applications, just like the private folders list.
Also, how widespread is the registry protection offered? I would hope it covers more than just the obvious Run, RunOnce and the like. Is Appinitdlls protected, for example?
ace55
August 20th, 2010, 04:33 AM
Well, perhaps I spoke too soon, as I am now experiencing a rather serious problem. AppGuard insists that all protections are active, but no protections are actually being applied. Not to guarded applications and not general user-space execution prevention. I've attached a screenshot showing Firefox reading data from a file in the private folder, which it should not be able to access. All protections are listed as on in the status page.
Let me know what steps you want me to take in order to troubleshoot this. I have restarted my machine a few times and AppGuard continues to provide no protection. The only thing I can think of that may have caused problems was either running Windows Update and applying the 40-odd updates or adding and subsequently removing both svchosts from the guarded applications list. I also applied an update for Adobe Reader and attempted to install ZA before I restarted. The installation of ZA failed, I suspect, because of pending file operations from the Reader update. I can now install ZA with nary a peep from AppGuard.
Eirik
August 20th, 2010, 10:10 AM
Hi Ace,
Thanks for trying AppGuard. As I'm sure you know, this beta is all about finding issues and other opportunities for improvement. Clearly, you are observing abnormalities.
One generally shouldn't 'guard' operating system services. This can cause unforeseen consequences as they can be extremely inter-dependent and dynamic. As you have unguarded one or more of such items, did you restart your PC after doing so? This would give the services a chance to reassemble/regroup.
I would like to ask that you contact our support at appguard@blueridgenetworks.com so we can better assist.
Cheers,
Eirik
PS To your questions:
- MemoryGuard preventing 'reads': not presently, we're always assessing the value and practicality of such possibilities
- Registry: all of HKLM is protected, which includes the key you mentioned. I'm not up to speed on all of the HKCU keys.
ace55
August 20th, 2010, 03:39 PM
Thanks for your prompt reply Eirik. I had guarded a few applications per the suggestion in the AppGuard whitepaper found on your site. It only now occurred to me that that document was not written with knowledge of MemoryGuard.
This may or may not be a bug: I unchecked the Operating System components I had added and rebooted, operating under the assumption that they would be disabled until such time as I chose to enable them again. Upon reboot, the ones I had unchecked had been enabled again.
Is this intended behavior?
Regardless, I then deleted these components from the guarded application list and rebooted. Lo and behold, protection is now working. I will add the OS components to the list again one at a time and try and isolate which one is causing these problems.
If you like, I can email the address you mentioned with my results as well as continuing to post here.
ace55
August 20th, 2010, 04:13 PM
Interestingly, I have added all the operating system components I had removed again: cmd.exe, regsvr32.exe and mshta.exe.
I added them all one by one, to see at which point a conflict occurred. The conflict occurred only when all of them had been added. At that point, I removed all except the two versions of cmd.exe. The issue disappeared, so I added both versions of regsvr32.exe, followed by both versions of mshta.exe. The issue is now not present.
Either the issue is somehow dependent on the order in which the applications were added to the guarded list or it is simply random.
I rebooted between every change made to the guarded applications list.
Greg S
August 20th, 2010, 04:17 PM
-{ Quote: "Interestingly, I have added all the operating system components I had removed again: cmd.exe, regsvr32.exe and mshta.exe." }-
mshta.exe
Is this one recommended in the White Paper you mention?
Eirik
August 20th, 2010, 05:41 PM
-{ Quote: "Interestingly, I have added all the operating system components I had removed again: cmd.exe, regsvr32.exe and mshta.exe.
I added them all one by one, to see at which point a conflict occured. The conflict occured only when all of them had been added. At that point, I removed all except the two versions of cmd.exe. The issue disappeared, so I added both versions of regsvr32.exe, followed by both versions of mshta.exe. The issue is now not present.
Either the issue is somehow dependent on the order in which the applications were added to the guarded list or it is simply random.
I rebooted between every change made to the guarded applications list." }-
I'm not sure if you've observed a bug or not. There's also the possibility that you made a common mistake that our GUI could frankly improve upon. When unchecking applications in the 'guard list', one must click on the 'apply' button. If you're confident that you did hit it, then we may have a bug that engineering needs to investigate. One should not have to reboot the PC. Perhaps, with the addition of MemoryGuard... I'll look into it.
Cheers,
Eirik
Oh and yes, please do send log files, msinfo files, observations, and feedback to our email. Thanks.
Eirik
August 20th, 2010, 05:47 PM
-{ Quote: "mshta.exe
Is this one recomended in the White Paper you mention?" }-
mshta.exe
I don't recall recommending that this be guarded. I'm unfamiliar with the potential risks this Windows binary poses. I'm not sure if Ace was able to do so without adverse consequences; consider me interested.
Cheers,
Eirik
m00nbl00d
August 20th, 2010, 05:55 PM
Hello Eirik,
I hope I didn't miss it, but I don't think it's something AppGuard allows. You must be wondering what, uh? ;)
Well, today I was working with some of my VMs (Virtual Machines), and I thought to myself: It would be great to have some application that would allow me to restrict what could be done to the system by Internet facing applications, for example, but for selective accounts.
I'll explain. Imagine the following.
I'm the Administrator. So, obviously, there is an Administrator account. Now, say there are two more accounts, which are least-privileged user accounts.
I login to the system using one of those least-privileged accounts. But, I'd like to make use of an Internet facing application, like browser or e-mail client, but using the other least-privileged user account.
So, I'd like to have the possibility to apply AppGuard's restrictions only to this secondary user account, and not to the whole system, which is how I believe AppGuard works, from what I could verify a few months back. Maybe something has changed?
I also don't know if it would be possible to do it, but what do you think of, taking the example above, restricting things even further, like, say, allowing this secondary account only to make use of the Internet facing application (web browser, e-mail client, whatever...)?
Well, just thought of sharing this crazy idea of mine. :D But, it would be nice though. Implementing something like this on some relatives' and friends' (and not only) systems would be great.
What do you think? Not that doable?
Thank you
ace55
August 20th, 2010, 06:53 PM
Chalk another one up to user error. The issue is not random or dependent upon the order in which applications are added to the guarded apps list. I had forgotten to add a component the second time around that I had originally added to the guarded applications list: rundll32.exe.
I added the 32 bit rundll32.exe and clicked apply. No reboot was necessary and protection now seemed to be completely disabled. I could execute programs in user-space as well as view private documents from a guarded application as before. I removed the 32 bit rundll32.exe and protection now functioned as intended. I repeated the process with the 64 bit rundll32.exe and experienced the same problem. I unchecked all the other system components to further ensure that rundll32 was the problem. It was. Adding rundll32 by itself was sufficient to disable protection.
So, having either (or both) versions of rundll32.exe in the guarded applications list globally prevents AppGuard protection from operating correctly.
Mshta.exe is the Microsoft HTML application host. It is not recommended to be guarded in the white paper, which recommends rundll32, cmd and regsvr32 only. I currently use Comodo on another machine and have to add mshta to the rules there, as by default an application can execute an html application (.hta file) and thus escape the protection offered by comodo. More on HTAs here: http://msdn.microsoft.com/en-us/library/ms536496%28VS.85%29.aspx#Security
It seems that adding mshta.exe to the guarded applications list results in much the same benefit as adding powershell.exe or cmd.exe to the guarded applications list does - prevents rare, but theoretically possible, attacks wherein a guarded application directly attempts to run a powershell script, batch file, or in this case an HTML application.
Now that I think about this more carefully, I don't see why powershell or cmd should be guarded. Doesn't AppGuard dynamically guard any application spawned from a guarded application? If this is the case, wouldn't powershell be guarded if, say, Firefox spawned it in order to execute a script or cmd be guarded if Firefox spawned it in order to execute a batch file? Or, does Firefox in this case utilize some facility of the OS to pass the desired script or batch file to the parser outside of the supervision of AppGuard, requiring that parser itself to be manually guarded? Or perhaps, is the execution of the parser allowed by default because it is not in user-space?
In any case, I'll make sure to send the results of this troubleshooting to your email. Would you prefer my observations here to be sent now or in a week, when I have the 7 days of log files and possibly other observations to send as well?
Greg:
If you want to take a look at the white paper, here is the link: http://www.blueridgenetworks.com/docs/AppGuard-Technology-Computer-Protection-White-Paper.pdf
Zero3K
August 22nd, 2010, 01:41 PM
I have a suggestion and a bug report for it:
1. Implement a hotkey that'll suspend/enable all protections.
2. Tray Launcher (http://code.google.com/p/traylauncher/) doesn't work properly when MemoryGuard is enabled (it gives an error box when trying to load a program via its shortcut menu).
Eirik
August 23rd, 2010, 11:08 AM
-{ Quote: "...What do you think? Not that doable?..." }-
It is doable but we implemented parental controls such that the same 'restricted' policies apply to all LUAs. Am I correct in inferring that you would like to apply different restrictions/policies to different LUAs? One might also infer that you might wish for another kind of policy. If so, would you please elaborate.
Cheers,
Eirik
Eirik
August 23rd, 2010, 11:22 AM
-{ Quote: "...So, having either (or both) versions of rundll32.exe in the guarded applications list globally prevents AppGuard protection from operating correctly..." }-
I've passed this on to engineering to investigate. Thank you.
-{ Quote: "...Doesn't AppGuard dynamically guard any application spawned from a guarded application? If this is the case, wouldn't powershell be guarded if, say, Firefox spawned it in order to execute a script or cmd be guarded if Firefox spawned it in order to execute a batch file? Or, does Firefox in this case utilize some facility of the OS to pass the desired script or batch file to the parser outside of the supervision of AppGuard, requiring that parser itself to be manually guarded? Or perhaps, is the execution of the parser allowed by default because it is not in user-space?" }-
When a guarded application places and downloads a restricted script file from user-space, AppGuard prevents its execution. If a guarded application attempts to do so from system-space, the write operation is blocked.
Adding the script engines to the guard list applies the restrictions to ANY script regardless of location. Dynamically applying guard restrictions to a script engine so that scripts may launch from user-space can have unintended consequences. However, we are looking at it.
As pointed out, script based attacks are rare. And, we are positioning AppGuard as something of an anti-HIPS, if one accepts the premise that HIPS tend to be excessively complex for average PC users. The more we intervene with script engines the more we gray this positioning. We are looking at how to strike the ideal balance here. These observations of late regarding scripts are helpful. We hope you all continue to explore, speculate, question, and report observations. We are indeed making AppGuard even 'stronger'. Thanks to all.
-{ Quote: "Would you prefer my observations here to be sent now or in a week, when I have the 7 days of log files and possibly other observations to send as well?" }-
Folks with simple environments are good for every week or so of log submissions. Those with multiple security applications and other complexities, however, would help us better, as well as themselves (log files can get big) by sending their log files in as often as they are comfortable. A stretch item for the next release would simplify this.
Cheers,
Eirik
Eirik
August 23rd, 2010, 11:24 AM
-{ Quote: "I have a suggestion and a bug report for it:
1. Implement a hotkey that'll suspend/enable all protections.
2. Tray Launcher (http://code.google.com/p/traylauncher/) doesn't work properly when MemoryGuard is enabled (it gives an error box when trying to load a program via its shortcut menu)." }-
Thanks, got your email also. This google thing particularly intrigues me. We'll do the hot key after we make some other changes first so we don't have to re-do the hot key.
Cheers,
Eirik
Greg S
August 31st, 2010, 08:30 PM
-{ Quote: "Second, there is a GUI ambiguity concerning MBRguard. When you can see the "Enable MBRguard" button in the AppGuard 'Settings' tab, MBRguard is not enabled. When you see the "Disable MBRguard" button, that means MBRguard is enabled. Clicking either actually installs or uninstalls the driver, which requires a restart." }-
Ah, just now re-read this. What if you see both buttons of Enable and Disable? Let me guess, it's not Enabled..
Any update on the next Beta?
stackz
August 31st, 2010, 11:34 PM
http://www.wilderssecurity.com/attachment.php?attachmentid=221484&d=1283300937
This shows -
MemoryGuard is disabled.
MBRGuard is enabled.
Greg S
September 1st, 2010, 05:37 AM
-{ Quote: "
This shows -
MemoryGuard is disabled.
MBRGuard is enabled." }-
Oh my, Lol. I can't believe that I have stared at that and have read MemoryGuard to be MbrGuard. I am off to have my eyes checked. I wanted to post in my last reply that I could have sworn at one point that MbrGuard was enabled, LOL.
Zero3K
September 1st, 2010, 05:30 PM
There won't be a new build for 2 weeks since Eirik is out of office.
Eirik
September 2nd, 2010, 07:36 AM
-{ Quote: "There won't be a new build for 2 weeks since Eirik is out of office." }-
Hi Guys,
I'm in the office. However, it is correct that the next beta will be around two weeks out. As you may have observed, with each beta we've introduced additional features. But, we've done so without significantly altering the GUI. In yesterday's status meeting on beta3, we concluded that the internal build between beta2 and beta3 is unacceptable. AppGuard has always been intended to be novice-friendly. This last build was not, and the beta2 as well. So, we decided we absolutely must make major GUI changes. I've asked engineering to schedule a series of design meetings next week. Meanwhile, I'm thinking about how we might leverage the valuable insight of Wilders folk.
BTW, MemoryGuard refinements appear to be on the mark based on log data we're continuing to receive from beta participants. Thank you!
I'm hopeful that this extra time means that we'll be able to make a few MBRguard tweaks as well. 64 bit users might note this is why we haven't signed the driver yet.
Cheers,
Eirik
Zero3K
September 20th, 2010, 12:35 PM
Well, its been more than two weeks. Any news regarding the new version?
Eirik
September 20th, 2010, 03:18 PM
-{ Quote: "Well, its been more than two weeks. Any news regarding the new version?" }-
Barring a last minute internal bug find, we'll be releasing beta 3 Thursday morning, maybe Wednesday.
It will feature a refined MemoryGuard. However, it will not feature a significantly altered GUI. This was superseded by a 'surprise' from our 'XP MemoryGuard Team', which came up with a practical method for implementing MemoryGuard on Windows XP. So, beta 3 will feature MemoryGuard for WinXP SP2+. Just when I had given up hope on this, they came up with something. I'm looking forward to your feedback on how well it serves you.
With beta 3 we're starting to introduce the notion of different security assurance levels. Users will have the option of the usual anti-execute preference (maximum) for user-space or they may allow things to launch but auto-guarded with MemoryGuard (medium).
Cheers,
Eirik
buckslayr
September 20th, 2010, 03:45 PM
Anxious to try on XP sp3.
Zero3K
September 22nd, 2010, 01:18 PM
So, will the new beta come out today or tomorrow?
Eirik
September 22nd, 2010, 04:19 PM
-{ Quote: "So, will the new beta come out today or tomorrow?" }-
I expect it'll be posted tomorrow morning (Thursday/Eastern Time). It just got released by our test department half an hour ago. It then has a few more steps to process before it's available for download from our website.
Cheers,
Eirik
DasFox
September 22nd, 2010, 10:16 PM
Should we add to 'Guarded Applications' other security tools, like firewalls, malware apps, av, etc., anything running resident/real-time?
I forgot, been reading the Help, so that would mean as long as they don't run in the System context, right?
THANKS
Zero3K
September 22nd, 2010, 10:24 PM
You shouldn't. It would probably cause major slowdown/errors if you did.
DasFox
September 22nd, 2010, 10:40 PM
-{ Quote: "You shouldn't. It would probably cause major slowdown/errors if you did." }-
Ok, one other thing: from what I read in the Help, it looks better to keep programs in the system path, like Program Files, and run all apps from there?
As an example, I use Alt.binz for Usenet, but that's a standalone exe and I used to just run it inside My Documents. But I see now it's better I keep that as C:\Program Files\Alt.Binz and guard it with Privacy Mode, yes?
THANKS
Zero3K
September 22nd, 2010, 10:42 PM
That would be correct.
DasFox
September 22nd, 2010, 10:50 PM
-{ Quote: "That would be correct." }-
Ok thanks...
Hey I posted this regarding AppGuard;
http://www.wilderssecurity.com/showthread.php?t=282625
Tell me what you think, or anyone...
THANKS
P.S. Does anyone think running Comodo Firewall with AppGuard a bit overkill?
pegr
September 23rd, 2010, 04:22 AM
-{ Quote: "Does anyone think running Comodo Firewall with AppGuard a bit overkill?" }-
I'm running Comodo Firewall and AppGuard together with Defense+ disabled. Whilst there would no doubt be some overlap in protection between AppGuard and Defense+, IMO it would not be an overkill to run them together as the underlying philosophy behind each is different.
In capable hands, Defense+ may provide slightly stronger protection against infection than AppGuard, but I find AppGuard easier to work with. As AppGuard has the option of a Privacy Mode for guarded applications, it is well positioned to guard against data theft should a problem occur.
Personally, I prefer AppGuard's silent automatic blocking approach to the HIPS alerts of Defense+ but that's just a personal preference. As I rely on virtualisation and imaging for system recovery it wouldn't be the end of the world if something did get through providing that data theft didn't occur prior to removal.
Eirik
September 23rd, 2010, 10:52 AM
Hi All,
The third beta is posted and ready for download. The following link takes you to the revised beta support page (http://www.blueridgenetworks.com/support/appguard6432/). BTW, a requirements typo in the release notes (minimum requirement for Win XP is SP2, and for Vista is SP1) has been fixed. [update]
I'm particularly interested in your observations regarding MemoryGuard.
In case you missed it, this beta delivers MemoryGuard to Win XP.
Cheers,
Eirik
Greg S
September 23rd, 2010, 03:53 PM
-{ Quote: "
I'm particularly interested in your observations regarding MemoryGuard.
In case you missed it, this beta delivers MemoryGuard to Win XP.
Cheers,
Eirik" }-
Does this Beta address the issues of MG being too strict with such things as Avast updating it's definitions?
Eirik
September 23rd, 2010, 04:37 PM
-{ Quote: "Does this Beta address the issues of MG being too strict with such things as Avast updating it's definitions?" }-
Yes. However, we're doing this beta in part to confirm that we got it right. Also, this is our first implementation of MemoryGuard on WinXP.
Cheers,
Eirik
Greg S
September 23rd, 2010, 07:47 PM
-{ Quote: "Yes. However, we're doing this beta in part to confirm that we got it right. Also, this is our first implementation of MemoryGuard on WinXP.
Cheers,
Eirik" }-
Good news, bad news and some questions. Good news, installation over the top went very smooth this time! No BSOD or paralyzed black desktop. Bad news, with MG enabled, my Internet Exploder 8 will not start. Questions,
1) Have you added some kind of protection for .bat files? I use a bat file for a quick enabling/disabling of SRP. In previous versions I didn't have to add the folder that housed these two bat files for them to work. Now I do.
2) Have the individual file exclusions been taken away or am I missing it somewhere in the GUI again?
Also, I'm getting quite a few of these in the status tab, I assume it's OK to use the very useful feature of "Ignore" on these
09/23/10 18:46:42 Prevented process <Host Process for Windows Services> from writing to <e:\windows\prefetch\audiodg.exe-bdfd3029.pf>.
DasFox
September 23rd, 2010, 07:56 PM
-{ Quote: "Hi All,
The third beta is posted and ready for download. The following link takes you to the revised beta support page (http://www.blueridgenetworks.com/support/appguard6432/). BTW, a requirements typo in the release notes (minimum requirement for Win XP is SP2, and for Vista is SP1) has been fixed. [update]
I'm particularly interested in your observations regarding MemoryGuard.
In case you missed it, this beta delivers MemoryGuard to Win XP.
Cheers,
Eirik" }-
MemoryGuard to XP. ;D
THANKS
Greg S
September 23rd, 2010, 08:19 PM
Eirik, disregard my last reply. I found all my answers in the link you posted. Sorry, I missed that earlier.
DasFox
September 24th, 2010, 07:01 PM
I'd love to see the C:\Documents and Settings\user\My Documents\MyPrivateFolder removed so users can create their own directory.
Even if you remove and make your own, it always keeps making this MyPrivateFolder on startup... :(
THANKS
Greg S
September 24th, 2010, 07:04 PM
-{ Quote: "I'd love to see the C:\Documents and Settings\user\My Documents\MyPrivateFolder removed so users can create their own directory.
Even if you remove it and make your own, it always keeps making this MyPrivateFolder on startup... :(
THANKS" }-
What's the purpose of this "MyPrivateFolder"? I guess I missed that new option also,lol
stackz
September 25th, 2010, 12:19 AM
-{ Quote: "What's the purpose of this "MyPrivateFolder"? I guess I missed that new option also,lol" }-
It was actually present in beta 2. It's a private folder that guarded applications running in privacy mode can't access. You can adjust it from the Guarded Applications tab -> Private Folders -> Settings.
pegr
September 25th, 2010, 02:36 AM
-{ Quote: "I'm particularly interested in your observations regarding MemoryGuard.
In case you missed it, this beta delivers MemoryGuard to Win XP." }-
MemoryGuard is not working for me on Windows XP. As soon as I launch Firefox, MemoryGuard starts repeatedly blocking the AppGuard Agent service with the following message: "Prevented <C:\Program Files\Blue Ridge Networks\AppGuard\AppGuardAgent.exe> from writing to memory of <C:\Program Files\Mozilla Firefox\firefox.exe>."
AppGuard repeatedly writes this message to the Windows Event Log until eventually AppGuard becomes totally unresponsive and the tray icon disappears. At this point there is no alternative but to reboot.
I realise that, as a workaround, I could try disabling MemoryGuard for Firefox but this shouldn't be necessary just to get MemoryGuard to work. A screenshot of the AppGuard Status tab showing AppGuard looping is attached.
EDIT: It's not just Firefox; it's happening with ALL guarded applications. What's more, it's not just the AppGuard Agent that is getting blocked. MemoryGuard is also preventing Prevx from doing memory injection. In order to co-exist with those security applications that need to inject themselves into the memory of running processes in order to establish control, an exceptions tab may need to be added to allow the user to define their own list of trusted applications that are allowed to override MemoryGuard's protection. For the moment, I've now disabled MemoryGuard.
Greg S
September 25th, 2010, 01:08 PM
I like this Beta as much or more than the last one. I only have one issue, with Memory Guard enabled for IE8, IE8 will not run. It opens up then closes quickly. Status Tab in AG dialog reports the prevention of Internet Explorer from writing to the memory of Internet Explorer. Could this happen because I run everything in Tabs with IE8 and not multiple windows of IE8? Any ideas?
Eirik
September 25th, 2010, 06:10 PM
-{ Quote: " ....[MemoryGuard problems on XP]..." }-
Nuts!!!
Pegr
Would you please send an msinfo file and event logs so engineering can investigate? Appguard@blueridgenetworks.com
All,
Please do same when observing problems.
I hope you feel these betas have improved AppGuard. We're grateful for your help improving it.
Cheers
Eirik
pegr
September 26th, 2010, 04:27 AM
-{ Quote: "Would you please send an msinfo file and event logs so engineering can investigate?" }-
Done, as requested.
Regards
demoneye
September 26th, 2010, 06:22 AM
hi
I am using Eaz-Fix. May MBR protection conflict with the Eaz-Fix pre-boot screen?
Greg S
September 28th, 2010, 07:57 PM
-{ Quote: "hi
I am using Eaz-Fix. May MBR protection conflict with the Eaz-Fix pre-boot screen?" }-
It doesn't present any problems with Comodo Time Machine. I have a license for Eaz-Fix and more than likely will go back to it for awhile the next time I uninstall CTM. Personally, I haven't had any problems with CTM even with making and restoring hundreds and hundreds of snapshots.
Eirik,
Any ideas on how to correctify this Memory Guard issue I'm having with IE8?
09/28/10 18:31:19 Prevented <Internet Explorer> from writing to memory of <Internet Explorer>.
09/28/10 18:31:19 Prevented <Internet Explorer> from writing to memory of <Internet Explorer>.
09/28/10 18:31:17 Prevented <Internet Explorer> from writing to memory of <Internet Explorer>.
09/28/10 18:31:17 Prevented <Internet Explorer> from writing to memory of <Internet Explorer>.
09/28/10 18:31:16 Prevented <Internet Explorer> from writing to memory of <Windows Explorer>.
09/28/10 18:31:16 Prevented <Internet Explorer> from writing to memory of <Windows Explorer>.
IE8 will not start with Memory Guard enabled for it.
I have also run into a situation where guarding Rundll32 can have an adverse effect. Start IE8 in InPrivate Browsing, surf for awhile and close IE8. When the InPrivate Browsing session is closed, all tracks will be cleared. AppGuard blocks the cleaning of the Temporary Cache etc.
Eirik
September 28th, 2010, 09:01 PM
Greg,
I expect engineering will ask what IE plug-ins or add-ons or anything else is modifying its behavior?
Thanks
Eirik
Greg S
September 28th, 2010, 09:13 PM
-{ Quote: "Greg,
I expect engineering will ask what IE plug-ins or add-ons or anything else modifying it's behavior?
Thanks
Eirik" }-
I can't get it to start even if I select Start IE with no addons.
Kees1958
September 29th, 2010, 03:39 AM
Eirik,
Just 2 tips.
Memory protection
IE8 and Chrome start normally with Medium Rights (LUA) then they spawn processes running Low Rights (Protected Mode). In the spawning process IE8 injects itself, like Chrome injects itself. I would suggest two modes for memory protection
a) protect process infecting another process (mild, same process name injections are allowed)
b) total memory protection (aggressive = current implementation)
You can't Iron out (;D also injects itself) all the different situations at customers. So choose a pragmatic implementation. When a customer faces a self injection which is blocked by B, fall down to level A [***], send a log file and let AppGuard support analyse and fix it.
For ease of support, I would ask the customer for an option to auto send an issue report (when memory intrusion is blocked). With some data intelligence and filtering this must give you a wealth of information.
You can stay in Beta for months with the current approach. Combine flexibility with pragmatism: your marketing and sales department loves the time to market reduction, the development department enjoys the feedback of real life data, customers still have an option to use the feature (with the extra mild option, which is better than NONE).
Confidential file access Exceptions
In general, when you create report logs, it is an elegant option to generate rules automatically. Malware Defender is a HIPS with such a sophisticated feature. A lot of geeks like that. Geeks are the ones that tell their friends to use application so and so (social networking as a marketing instrument). You could also provide a learning mode for confidentiality exceptions.
Note [***]
Of course all sorts of preconditions can be set, like only when it is a signed program, only when it is on the list of officially supported applications by AppGuard, only when this graceful degradation is allowed by central management (of the customer) etc.
Regards Kees
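As an added example (not AppGuard's own code, and not anything Blue Ridge Networks has published), here is a small Python triage script for the status lines quoted in this thread. It parses the two shapes seen so far ("Prevented <A> from writing to memory of <B>." and "Prevented process <A> from writing to <path>."), applies the two policies Kees proposes above (aggressive: block every cross-process memory write, as the beta does now; mild: allow writes where source and target share a process name, which would cover the IE8-into-IE8 lines Greg S posted), and flags the kind of tight repeat pegr described on XP, where the agent was blocked against firefox.exe over and over until AppGuard became unresponsive. Assumptions: the line format is exactly as quoted in the thread; the "loop" threshold (three blocks of the same pair inside five seconds) is mine, not anything AppGuard defines; the sample log mixes lines taken verbatim from this thread with constructed ones, as the comments mark.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Matches the two status-line shapes quoted in the thread (assumed exact format):
#   MM/DD/YY HH:MM:SS Prevented <A> from writing to memory of <B>.
#   MM/DD/YY HH:MM:SS Prevented process <A> from writing to <path>.
_LINE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"Prevented (?:process )?<(?P<src>[^>]+)> from writing to "
    r"(?:memory of <(?P<dst>[^>]+)>|<(?P<path>[^>]+)>)\.$"
)


def parse_event(line):
    """Parse one status line into a dict, or return None for lines that don't match."""
    m = _LINE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%m/%d/%y %H:%M:%S")
    if m.group("dst") is not None:
        return {"ts": ts, "kind": "memory", "src": m.group("src"), "dst": m.group("dst")}
    return {"ts": ts, "kind": "file", "src": m.group("src"), "dst": m.group("path")}


def process_name(label):
    # Status lines show either a friendly name ("Internet Explorer") or a full
    # path; reduce both to a comparable key: last path component, lower-cased.
    return label.rsplit("\\", 1)[-1].strip().lower()


def classify(event, mode="aggressive"):
    """Verdict a given policy would reach for a logged (and currently blocked) write.
    aggressive: every cross-process memory write stays blocked (current beta behaviour).
    mild: Kees's proposal - writes between processes with the same name are allowed."""
    if event["kind"] != "memory":
        return "block"
    if mode == "mild" and process_name(event["src"]) == process_name(event["dst"]):
        return "allow"
    return "block"


def find_loops(events, min_count=3, window=timedelta(seconds=5)):
    """(src, dst) pairs blocked at least min_count times inside one window (my threshold)."""
    by_pair = defaultdict(list)
    for e in events:
        if e["kind"] == "memory":
            by_pair[(process_name(e["src"]), process_name(e["dst"]))].append(e["ts"])
    loops = set()
    for pair, stamps in by_pair.items():
        stamps.sort()
        for i in range(len(stamps) - min_count + 1):
            if stamps[i + min_count - 1] - stamps[i] <= window:
                loops.add(pair)
                break
    return loops


def summarize(lines, mode="aggressive"):
    events = [e for e in map(parse_event, lines) if e]
    verdicts = Counter(classify(e, mode) for e in events)
    return {"events": len(events), "verdicts": dict(verdicts), "loops": find_loops(events)}


AGENT = "C:\\Program Files\\Blue Ridge Networks\\AppGuard\\AppGuardAgent.exe"
FIREFOX = "C:\\Program Files\\Mozilla Firefox\\firefox.exe"

SAMPLE_LOG = [
    # IE8 lines exactly as Greg S posted them
    "09/28/10 18:31:19 Prevented <Internet Explorer> from writing to memory of <Internet Explorer>.",
    "09/28/10 18:31:19 Prevented <Internet Explorer> from writing to memory of <Internet Explorer>.",
    "09/28/10 18:31:17 Prevented <Internet Explorer> from writing to memory of <Internet Explorer>.",
    "09/28/10 18:31:17 Prevented <Internet Explorer> from writing to memory of <Internet Explorer>.",
    "09/28/10 18:31:16 Prevented <Internet Explorer> from writing to memory of <Windows Explorer>.",
    "09/28/10 18:31:16 Prevented <Internet Explorer> from writing to memory of <Windows Explorer>.",
    # constructed, modelled on pegr's report of the agent looping against Firefox on XP
    f"09/25/10 01:02:03 Prevented <{AGENT}> from writing to memory of <{FIREFOX}>.",
    f"09/25/10 01:02:03 Prevented <{AGENT}> from writing to memory of <{FIREFOX}>.",
    f"09/25/10 01:02:04 Prevented <{AGENT}> from writing to memory of <{FIREFOX}>.",
    # file-write line as Greg S posted it
    "09/23/10 18:46:42 Prevented process <Host Process for Windows Services> from writing to <e:\\windows\\prefetch\\audiodg.exe-bdfd3029.pf>.",
    "some unrelated line that the parser should skip",
]

if __name__ == "__main__":
    for mode in ("aggressive", "mild"):
        print(mode, summarize(SAMPLE_LOG, mode))
```

Run against the sample, the aggressive policy blocks all ten parsed events, the mild policy lets the four IE-into-IE writes through while still blocking the two IE-into-Windows-Explorer writes, and both the IE8 self-injection and the agent-into-firefox pair show up as loops. One caveat worth keeping in mind if a "same name" exemption ever ships: a process name is trivially chosen by whoever starts the process, so matching on it is a convenience for legitimate self-injection, not an authentication of the writer; signing checks or an explicit exception list, as Kees and pegr discuss, are the stronger gate.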
DasFox
October 1st, 2010, 09:10 PM
I wonder if this Memory Guard can work the way it is intended?
I see a lot of legitimate applications trying to write to memory that this is blocking...
Hmm Hmm Hmm :-\
pegr
October 2nd, 2010, 05:41 AM
-{ Quote: "I see a lot of legitimate applications trying to write to memory that this is blocking..." }-
Agreed, which is why in a previous post in this thread I suggested that an exceptions tab may need to be added to allow the user to define their own list of trusted applications that are allowed to override MemoryGuard's protection.
Kernelwars
October 2nd, 2010, 12:24 PM
-{ Quote: "Agreed, which is why in a previous post in this thread I suggested that an exceptions tab may need to be added to allow the user to define their own list of trusted applications that are allowed to override MemoryGuard's protection." }-
yes yes indeed:thumb: :thumb: :thumb:
jmonge
October 2nd, 2010, 04:48 PM
AppGuard is getting a little complicated. I remember when the company released EdgeGuard Solo, it was very simple ;)
Kees1958
October 2nd, 2010, 05:06 PM
-{ Quote: "Agreed, which is why in a previous post in this thread I suggested that an exceptions tab may need to be added to allow the user to define their own list of trusted applications that are allowed to override MemoryGuard's protection." }-
good request :thumb:
I would only suggest for memory guard
a) Threatgate programs like mail and browsers
b) System Utilities to be misused
- regedit
- regini (change permission of registry)
- regsrv (register a dll)
- command
c) forget about office programs (to protect memory that is)
DasFox
October 4th, 2010, 02:47 AM
-{ Quote: "Agreed, which is why in a previous post in this thread I suggested that an exceptions tab may need to be added to allow the user to define their own list of trusted applications that are allowed to override MemoryGuard's protection." }-
Well I wrote this post that no one ever answered:
http://www.wilderssecurity.com/showthread.php?t=282625
It sounds great in theory but can it be done, which I believe is what AppGuard is trying to do, enforce this...
BUT I don't see why legitimate applications should be stopped at all, unless AppGuard might have the ability to detect that what it sees might be malicious.
I actually thought the whole point of the Memory Guard was only to stop a malicious application from writing to memory, not stopping legitimate applications.
pegr
October 4th, 2010, 03:16 AM
-{ Quote: "I actually thought the whole point of the Memory Guard was only to stop a malicious application from writing to memory, not stopping legitimate applications." }-
Unless I've completely misunderstood the way AppGuard works, I don't think it tries to classify applications into good and bad in the way that an AV/AM would do. It's rather a kind of software restriction policy where the whole point is to enforce a pre-defined set of rules on applications that must by their very nature be regarded as untrusted because of the risks they pose. This is in the main Internet facing applications such as browsers, mail clients, etc. This puts AppGuard in the same software class as programs such as DefenseWall, GeSWall, etc.
If I've understood it correctly, MemoryGuard extends the protection for guarded applications by preventing ALL processes from doing code injection into the memory space of a guarded application in order to further protect the guarded application from interference by other processes running on the machine. Of course AppGuard has no way of knowing whether the other processes are legitimate or not; it only has a concept of guarded versus unguarded applications. This is why I believe that an exceptions tab will be necessary for MemoryGuard in a similar manner to the exception tabs that enable the default file and folder permissions to be overridden for guarded and unguarded applications.
Eirik
October 4th, 2010, 10:28 AM
-{ Quote: "Eirik,
Just 2 tips.
Memory protection
IE8 and Chrome start normally with Medium Rights (LUA) then they spawn processes running Low Rights (Protected Mode). In the spawning process IE8 injects itself, like Chrome injects itself. I would suggest two modes for memory protection
a) protect process infecting another process (mild, same process name injections are allowed)
b) total memory protection (aggressive = current implementation)
You can't Iron out (;D also injects itself) all the different situations at customers. So choose a pragmatic implementation. When a customer faces a self injection which is blocked by B, fall down to level A [***], send a log file and let AppGuard support analyse and fix it.
For ease of support, I would ask the customer for an option to auto send an issue report (when memory intrusion is blocked). With some data intelligence and filtering this must give you a wealth of information.
You can stay in Beta for months with the current approach. Combine flexibility with pragmatism: your marketing and sales department loves the time to market reduction, the development department enjoys the feedback of real life data, customers still have an option to use the feature (with the extra mild option, which is better than NONE).
Confidential file access Exceptions
In general, when you create report logs, it is an elegant option to generate rules automatically. Malware Defender is a HIPS with such a sophisticated feature. A lot of geeks like that. Geeks are the ones that tell their friends to use application so and so (social networking as a marketing instrument). You could also provide a learning mode for confidentiality exceptions.
Note [***]
Of course all sorts of preconditions can be set, like only when it is a signed program, only when it is on the list of officially supported applications by AppGuard, only when this graceful degradation is allowed by central management (of the customer) etc.
Regards Kees" }-
In case I forgot to thank you...thank you. I forwarded your suggestions to engineering.
Eirik
Eirik
October 4th, 2010, 10:31 AM
-{ Quote: "I wonder if this Memory Guard can work the way it is intended?
I see a lot of legitimate applications trying to write to memory that this is blocking...
Hmm Hmm Hmm :-\" }-
This is why we are conducting betas. This is our third for MemoryGuard. Many things worth having require much effort to get right.
Please keep sending us Windows Event Logs. They help us make refinements.
Cheers,
Eirik
Eirik
October 4th, 2010, 10:36 AM
-{ Quote: "AppGuard is getting a little complicated. I remember when the company released EdgeGuard Solo, it was very simple ;)" }-
Very important observation!
Ideally, an exceptions capability for MemoryGuard would be unnecessary. We'll try to avoid it, but ...
Eirik
pegr
October 4th, 2010, 11:26 AM
-{ Quote: "Ideally, an exceptions capability for MemoryGuard would be unnecessary. We'll try to avoid it, but ..." }-
In order to avoid it wouldn't that mean having to build (and maintain) a whitelist of applications that are allowed to bypass MemoryGuard's protection?
For example, on a friend's machine, MemoryGuard is blocking Prevx from injecting itself into Firefox. Presumably, Prevx would need to be whitelisted within AppGuard or am I missing something here?
Eirik
October 4th, 2010, 04:58 PM
-{ Quote: "In order to avoid it wouldn't that mean having to build (and maintain) a whitelist of applications that are allowed to bypass MemoryGuard's protection?
For example, on a friend's machine, MemoryGuard is blocking Prevx from injecting itself into Firefox. Presumably, Prevx would need to be whitelisted within AppGuard or am I missing something here?" }-
Yes, multiple approaches will ultimately contribute to refining MemoryGuard.
Cheers,
Eirik
jmonge
October 4th, 2010, 07:33 PM
thanks Eirik
Kees1958
October 5th, 2010, 01:45 AM
-{ Quote: "This is why we are conducting betas. This is our third for MemoryGuard. Many things worth having require much effort to get right.
Please keep sending us Windows Event Logs. They help us make refinements.
Cheers,
Eirik" }-
Eirik,
I would suggest the following. Drop the memory guard protection of what guarded apps do to other apps, only protect the guarded apps from tampering. The guarded apps are the most likely entry points of intrusions. When you stop it there, it is game over for most intrusions. The Memory Guard protection of what IE does to others is more or less redundant, because guarded applications are not allowed to change HKLM and Program Files.
Since AppGuard provides UAC-like protection (what guarded applications can do to core components), the memory guard should only focus on what 'others' can do to these threatgate programs (like mail, web browser).
This looks like a reduction in scope, but in practice will provide pragmatic and solid protection (Pareto's 80/20 rule). Keep the USB protection of memory guard, because USB and mail and browsers account for the majority of malware entry points. I would also add the possibility that USB-launched apps are not allowed to change HKLM and Program Files.
KISS (keep it simple stupid)
Earliest intrusion step (inject code)
Memory Guard = Internet-facing apps + USB = target protection (prevent high-risk entry point attacks)
Second intrusion step (drop executable)
Optionally a deny-execute on user space (+USB) = target protection of LUA / user space, practically implementing a deny-execute SRP (prevent drive-by attacks)
Third intrusion step (try to get access to admin space)
Traditional AppGuard protection = Windows + Program Files + HKLM + Startup entries HKU = source protection
Fourth intrusion step (steal confidential data)
Optional confidential folders (like e-mail and pictures, which are allowed access by Mail and WMP, but not web browsers and USB apps) = sophisticated source protection of user folders
Regards Kees.
Greg S
October 7th, 2010, 06:58 PM
Eirik, are y'all sure this top warning dialog does not belong to AppGuard? Also, any news for me about the IE8 writing to memory of IE8 situation that I am having? I did some testing by uninstalling everything except Comodo Time Machine, which I needed for quick restoration from the testing, and IE8 still doesn't open up with MemGuard enabled for IE8. If needed, I can uninstall CTM. I would like to hear from any users that are running CTM and AG to see if they experience this.
Eirik
October 8th, 2010, 10:13 AM
-{ Quote: "Eirik, are y'all sure this top warning dialog does not belong to AppGuard? Also, any news for me about the IE8 writing to memory of IE8 situation that I am having? I did some testing by uninstalling everything except Comodo Time Machine, which I needed for quick restoration from the testing, and IE8 still doesn't open up with MemGuard enabled for IE8. If needed, I can uninstall CTM. I would like to hear from any users that are running CTM and AG to see if they experience this." }-
Mea culpa!!! :-[
It appears your last email with the requested information never left my individual email account. I failed to forward it to engineering. I am very sorry!!! :-\
The top dialog certainly looks like a Windows dialog triggered by AppGuard Privacy Mode. If I'm incorrect, I expect the engineers will point that out. They usually like doing so. :ouch:
I've read through all of their emails to date on your ticket and they hadn't figured out how to replicate your observations, which is why they requested the registry data. On removing the other security applications, except CTM, may we assume you restarted your PC before making further observations? As for CTM, yes, please try without it. Personally, I don't know why there would be any impact. But, doing so would eliminate another potential variable.
Cheers,
Eirik
Eirik
October 8th, 2010, 10:20 AM
-{ Quote: "Eirik,
I would suggest the following. Drop the memory guard protection of what guarded apps do to other apps, only protect the guarded apps from tampering. The guarded apps are the most likely entry points of intrusions. When you stop it there, it is game over for most intrusions. The Memory Guard protection of what IE does to others is more or less redundant, because guarded applications are not allowed to change HKLM and Program Files.
Since AppGuard provides UAC-like protection (what guarded applications can do to core components), the memory guard should only focus on what 'others' can do to these threatgate programs (like mail, web browser).
This looks like a reduction in scope, but in practice will provide pragmatic and solid protection (Pareto's 80/20 rule). Keep the USB protection of memory guard, because USB and mail and browsers account for the majority of malware entry points. I would also add the possibility that USB-launched apps are not allowed to change HKLM and Program Files.
KISS (keep it simple stupid)
Earliest intrusion step (inject code)
Memory Guard = Internet-facing apps + USB = target protection (prevent high-risk entry point attacks)
Second intrusion step (drop executable)
Optionally a deny-execute on user space (+USB) = target protection of LUA / user space, practically implementing a deny-execute SRP (prevent drive-by attacks)
Third intrusion step (try to get access to admin space)
Traditional AppGuard protection = Windows + Program Files + HKLM + Startup entries HKU = source protection
Fourth intrusion step (steal confidential data)
Optional confidential folders (like e-mail and pictures, which are allowed access by Mail and WMP, but not web browsers and USB apps) = sophisticated source protection of user folders
Regards Kees." }-
Engineering characterized your recommendations as 'very thoughtful'.
I'm a bit confused about what tweaks to MemoryGuard we'll be doing next because I've been distracted with other matters. I have noticed the engineering team having quite a few discussions of late, sounds like they're having one now.
Cheers,
Eirik
Eirik
October 8th, 2010, 02:15 PM
Greg,
What is modifying these prompts (see below)?
http://www.wilderssecurity.com/attachment.php?attachmentid=222431&stc=1&d=1286561579
Cheers,
Eirik
buckslayr
October 8th, 2010, 03:53 PM
I'm liking the new beta. Would Appguard and something like MBAM Pro be pretty solid protection?
pegr
October 8th, 2010, 04:02 PM
-{ Quote: "Since AppGuard provides UAC-like protection (what guarded applications can do to core components), the memory guard should only focus on what 'others' can do to these threatgate programs (like mail, web browser)." }-
I agree that protection should focus on guarded applications but this doesn't eliminate the need for exceptions to be made. As I've already reported, Prevx is being blocked by MemoryGuard from injecting code into browsers. I'm guessing that the purpose of the Prevx code injection is likely to be associated with the workings of Prevx's SafeOnline browser protection.
I suspect that Prevx is not the only security program that may need to inject code to function properly. These kinds of trusted security applications either have to be whitelisted by Blue Ridge or some provision has to be made for the user to create their own exceptions list of trusted applications.
Sorry to keep coming back to this but I think it's important. I've also had to turn off MemoryGuard completely because of conflicts with the Comodo firewall.
Another possibility could be to allow the user an option for digitally signed applications to override MemoryGuard's protection. This could be handled by means of a check-box within the settings. This would allow the user some additional control without unduly complicating the user experience.
chipo
October 8th, 2010, 04:15 PM
I have one question: will the new feature of AppGuard (MemoryGuard) be compatible with Comodo Memory Firewall, or be redundant?
Thanks
Greg S
October 8th, 2010, 04:36 PM
-{ Quote: "Greg,
What is modifying these prompts (see below)?
http://www.wilderssecurity.com/attachment.php?attachmentid=222431&stc=1&d=1286561579
Cheers,
Eirik" }-
Those pics were taken with everything restored back to original snapshot. The extra titlebar buttons are from 4t-Tray Minimizer which is unrelated, I'm pretty sure. Reason being, I didn't have 4t installed in the past when I've questioned the same about the top warning dialog in the pics. I'm not too concerned about the top dialog, more curious than anything. The top dialog will eventually go away as it has done in the past. It only re-occurs when I install AG from scratch as in uninstall previous version and remove all traces of AG from HD and Registry before installing latest AG version.
I will uninstall CTM and see how it goes.
One more question. My AG install files are located on USB HD and this may be the answer to my question. If I'm launching the AG install file from another HD, why is a copy of that MSI file always stored in this Downloaded Installations folder? See pic below
Eirik
October 8th, 2010, 05:30 PM
-{ Quote: "...trusted security applications either have to be whitelisted by Blue Ridge or some provision has to be made for the user to create their own exceptions list of trusted applications..." }-
Both. Blue Ridge will whitelist what we know and allow advanced users to add their own (e.g., Prevx, etc.). Technically this feature is a "stretch" item for the final release this month. I wish we had time for the 'trust digitally signed...' approach. We'll keep it in mind.
Cheers,
Eirik
Eirik
October 8th, 2010, 05:45 PM
-{ Quote: "compatible with Comodo Memory Firewall?" }-
We have no reports of problems. Unfortunately, we have no EXPLICIT reports of coexistence either. As far as I know, the MemoryGuard conflicts with CIS were pretty much taken care of with beta 3. If not, please tell us. Lastly, if we manage to get the user white list stretch feature into the production release, that might take care of any lingering issues.
-{ Quote: "...Comodo Memory Firewall, or be redundant?" }-
Complementary.
MemoryGuard might actually be more aptly called a Memory Firewall than Comodo Memory Firewall. This is not meant as derogatory. If I'm correct about CMF, it strives to prevent a vulnerability exploit such as a buffer overflow. However, I do not believe it blocks a code injection from one process into another.
MemoryGuard on the other hand, does not attempt to prevent the vulnerability exploit, instead relying on programmers to further use DEP, ASLR, SEH, and 64 bit registers when relevant. And, AppGuard does not trust applications, assuming some programming mistake will inevitably occur. And when this happens, it does so in the context of that hijacked process, which is restricted in what it may or may not do regardless.
So, CMF strives to keep a process from being hijacked by stuff that exists within that process. MemoryGuard essentially erects a wall between two processes, blocking one from writing into another. In that narrow, simplistic sense, MemoryGuard is more of a WALL.
Cheers,
Eirik
jmonge
October 8th, 2010, 07:37 PM
a Wall like DefenseWall , maybe you guys change the name to AppWall;D :thumb:
pegr
October 9th, 2010, 01:44 AM
-{ Quote: "Both. Blue Ridge will whitelist what we know and allow advanced users to add their own (e.g., Prevx, etc.). Technically this feature is a "stretch" item for the final release this month. I wish we had time for the 'trust digitally signed...' approach. We'll keep it in mind." }-
Thanks Eirik. It's good to know that this will soon be resolved. :)
Regards
pegr
October 9th, 2010, 02:18 AM
-{ Quote: "As far as I know, the MemoryGuard conflicts with CIS were pretty much taken care of with beta 3. If not, please tell us." }-
Hi Eirik,
I reported a problem in post #186 in this thread affecting beta 3 on XP. After some email correspondence between us, the engineers reported back as follows: -
"Based on msinfo, it seems the user installed other security software like comodo and prevx. We suspect that 3rd party software actually injects code to AppGuardAgent, and the injected code tries to inject code again to firefox from AppGuardAgent, which was blocked by AppGuard. To verify this, we need to inspect dlls loaded by AppGuardAgent."
I supplied the requested information. On inspection it appeared that AppGuardAgent hadn't loaded anything by Prevx but it had loaded guard32.dll, which is part of CIS. I didn't have any other security software running at the time that could have interfered with the proper functioning of MemoryGuard.
I didn't hear any more regarding the outcome of the investigation but are you now saying that CIS was subsequently eliminated by the engineers as the cause?
Regards
DasFox
October 9th, 2010, 07:17 PM
I have a simple request, PLEASE change the icon.
Sometimes, unless you look really close you can't tell if you are looking at the green icon for enabled or the one for suspended. Both of them are too small. :(
But honestly, AppGuard needs a better looking icon too, time for a face lift is what I say!:thumb:
jmonge
October 10th, 2010, 12:45 AM
agree with you;) my friend
pegr
October 10th, 2010, 01:30 AM
Personally, I like the current icon but if it is to be changed perhaps that could be done as part of a complete overhaul of the GUI in a future release to make the relationship between system space and user space clearer, as previously discussed.
For the moment though, my preference is for the engineers to focus all their energy on getting MemoryGuard right.
DasFox
October 10th, 2010, 09:54 PM
-{ Quote: "Personally, I like the current icon but if it is to be changed perhaps that could be done as part of a complete overhaul of the GUI in a future release to make the relationship between system space and user space clearer, as previously discussed.
For the moment though, my preference is for the engineers to focus all their energy on getting MemoryGuard right." }-
Sure focus on making the program right, but making an icon change isn't that much work for a professional graphic designer to do. ;)
An Ant is as big as that green check mark area and I don't have Eagle eyes, LOL... :o
Kees1958
October 11th, 2010, 01:46 AM
-{ Quote: "Engineering characterized your recommendations as 'very thoughtful'.
I'm a bit confused about what tweaks to MemoryGuard we'll be doing next because I've been distracted with other matters. I have noticed the engineering team having quite a few discussions of late, sounds like they're having one now.
Cheers,
Eirik" }-
Thx,
They will get it right. The development principle of AppGuard was always very transparent. It happens often when a team shifts paradigms (I think it is very ambitious to implement memory protection without user intervention). I have been there too, regretting a too high ambition level. ;D
Working as a free-lance project manager for a re-insurer in the mid-eighties, I thought the company could outcompete the big ones (Swiss Re and Munchener Re) by developing a rule-based risk assessment system with the system generating its own rules based on the collective weighted value of experts' decisions.
We got funny results so we had to remove the auto-rules part of it. After I made that decision two weeks before scheduled implementation, the dev team threw me in the garden pool (they had been working 12 hours a day straight for at least three weeks), minutes before I had to meet the CEO and CFO to ensure we would implement on time.
In the meeting the CFO told me he would buy all the dev-members a 12 pack with excellent wine and would subtract the bill from my monthly invoice.
I guess I deserved that. :-[
Regards Kees
Cutting_Edgetech
October 11th, 2010, 02:53 PM
Keep up the good work. I can't wait for it to be 64bit compatible. I'm currently using it on XP Pro.
Cutting_Edgetech
October 11th, 2010, 03:35 PM
Is anyone finding any bugs other than with memory guard at the moment? I had problems in the past with AG not blocking .exe files from external drives even when the protection was enabled. Also, is anyone using it with Online Armor or Comodo? I was wondering if AG was running well with those 2 HIPS. I had some minor issues with Online Armor blocking some of the functions of AG in the past. I would have to reboot 2 to 3 times, and keep allowing files manually because OA was silently blocking them, and not prompting me to allow or deny. I also randomly had times where AG's protection would stop working. I believe it may have had something to do with a driver conflict between AG and OA. I never did figure that one out since it only happened randomly, and I could not reproduce the problem. I would have liked to beta test, but I gave my 64 bit beta machine to my mother. It looks like the beta phase is almost over with anyways. I could always try it in a VM I suppose.
Eirik
October 11th, 2010, 05:39 PM
-{ Quote: "I have a simple request, PLEASE change the icon.
Sometimes, unless you look really close you can't tell if you are looking at the green icon for enabled or the one for suspended. Both of them are too small. :(
But honestly, AppGuard needs a better looking icon too, time for a face lift is what I say!:thumb:" }-
Probably not this year.
I would say, however, that if we received a great looking alternative ico file(s) of the proper dimensions (same as current tray icons) from an AppGuard user, we'd be open to replacing the existing one with it. From the looks of the schedule, that would have to be by the morning of 25 October at the latest.
Cheers,
Eirik
Eirik
October 11th, 2010, 05:54 PM
Hi All,
With Beta 3 we're still seeing quite a bit of 'chatter' from MemoryGuard. Much of that appears to be trivial insofar as it doesn't actually impair anything. Much of that 'chatter' shows up because of how programmers/developers write their code, requesting access to 'the whole building [application], instead of just the one or two rooms [e.g., registry keys] that are needed'. The often seen result: MemoryGuard actually blocks nothing of substance, and thus impairs nothing.
So, we'd like to ask you all to try to correlate any MemoryGuard 'blocks' with actually impaired application behavior.
Thanks,
Eirik
Greg S
October 11th, 2010, 09:36 PM
-{ Quote: "
So, we'd like to ask you all to try to correlate any MemoryGuard 'blocks' with actually impaired application behavior.
Thanks,
Eirik" }-
10/11/10 20:26:09 Prevented <Internet Explorer> from writing to memory of <Internet Explorer>.
10/11/10 20:26:09 Prevented <Internet Explorer> from writing to memory of <Internet Explorer>.
10/11/10 20:26:08 Prevented <Internet Explorer> from writing to memory of <Internet Explorer>.
10/11/10 20:26:08 Prevented <Internet Explorer> from writing to memory of <Internet Explorer>.
10/11/10 20:26:07 Prevented <Internet Explorer> from writing to memory of <Windows Explorer>.
10/11/10 20:26:06 Prevented <Internet Explorer> from writing to memory of <Windows Explorer>.
Just back from uninstalling Comodo Time Machine, made an image, uninstalled all software down to the basic installation of Win 7, and still get the above. Restarts after uninstalls with registry leftovers cleaned as well. Looks like Memory Guard on my end doesn't play well with IE8 or Rundll32, which is needed for Clear My Tracks of InPrivateBrowsing.
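An added example, not code from AppGuard or Blue Ridge: a small Python parser for the one-line status-tab events posted above, which tallies source/target pairs so a tester can pair each blocked pair with the application behaviour actually observed, and shows how the two policies Kees proposed earlier in the thread would treat the same events. The policy names "aggressive" and "mild" and their logic are assumptions taken from his post, not AppGuard settings.

```python
import re
from collections import Counter
from datetime import datetime

# One-line MemoryGuard events in the form shown in this thread, e.g.
# "10/11/10 20:26:09 Prevented <Internet Explorer> from writing to memory of <Internet Explorer>."
EVENT_RE = re.compile(
    r"^(?P<date>\d{1,2}/\d{1,2}/\d{2,4})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"Prevented <(?P<source>[^>]+)> from writing to memory of <(?P<target>[^>]+)>\.?\s*$"
)

# Sample input: the six lines Greg posted in this thread, copied verbatim.
SAMPLE_LOG = """\
10/11/10 20:26:09 Prevented <Internet Explorer> from writing to memory of <Internet Explorer>.
10/11/10 20:26:09 Prevented <Internet Explorer> from writing to memory of <Internet Explorer>.
10/11/10 20:26:08 Prevented <Internet Explorer> from writing to memory of <Internet Explorer>.
10/11/10 20:26:08 Prevented <Internet Explorer> from writing to memory of <Internet Explorer>.
10/11/10 20:26:07 Prevented <Internet Explorer> from writing to memory of <Windows Explorer>.
10/11/10 20:26:06 Prevented <Internet Explorer> from writing to memory of <Windows Explorer>.
"""


def parse_event(line):
    """Parse one status-tab line into a dict, or return None for any other line."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    # The status tab uses a two-digit year; accept a four-digit one as well.
    date_fmt = "%m/%d/%y" if len(m["date"].split("/")[-1]) == 2 else "%m/%d/%Y"
    when = datetime.strptime(m["date"] + " " + m["time"], date_fmt + " %H:%M:%S")
    return {"when": when, "source": m["source"], "target": m["target"]}


def verdict(event, mode):
    """Decide how a write would be treated under the two policies Kees proposed
    (assumed names): 'aggressive' blocks every cross-process write, which is the
    beta's behaviour; 'mild' additionally permits writes between processes that
    share a name, such as a browser injecting into its own child processes."""
    if mode == "mild" and event["source"] == event["target"]:
        return "allow"
    return "block"


def summarize(log_text, mode="aggressive"):
    """Count (source, target, verdict) triples over a block of pasted log text.
    Lines that are not in the event format are returned separately rather than
    silently dropped, so a pasted log with commentary in it is still accounted for."""
    counts = Counter()
    unparsed = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev is None:
            unparsed.append(line)
            continue
        counts[(ev["source"], ev["target"], verdict(ev, mode))] += 1
    return counts, unparsed


def report(log_text, mode="aggressive"):
    """Render the summary as text a beta tester can paste into a bug report next
    to a description of what the application actually failed to do."""
    counts, unparsed = summarize(log_text, mode)
    lines = [f"MemoryGuard events under '{mode}' policy:"]
    for (src, dst, v), n in sorted(counts.items(), key=lambda kv: -kv[1]):
        kind = "self" if src == dst else "cross-process"
        lines.append(f"  {n:3d} x {src} -> {dst} ({kind}, {v})")
    if unparsed:
        lines.append(f"  {len(unparsed)} line(s) not in event format were ignored")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG, "aggressive"))
    print(report(SAMPLE_LOG, "mild"))
```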
pegr
October 12th, 2010, 02:55 AM
-{ Quote: "I reported a problem in post #186 in this thread affecting beta 3 on XP. After some email correspondence between us, the engineers reported back as follows: -
"Based on msinfo, it seems the user installed other security software like comodo and prevx. We suspect that 3rd party software actually injects code to AppGuardAgent, and the injected code tries to inject code again to firefox from AppGuardAgent, which was blocked by AppGuard. To verify this, we need to inspect dlls loaded by AppGuardAgent."
I supplied the requested information. On inspection it appeared that AppGuardAgent hadn't loaded anything by Prevx but it had loaded guard32.dll, which is part of CIS. I didn't have any other security software running at the time that could have interfered with the proper functioning of MemoryGuard.
I didn't hear any more regarding the outcome of the investigation but are you now saying that CIS was subsequently eliminated by the engineers as the cause?" }-
Hi Eirik,
Any further news on this?
Regards
Eirik
October 12th, 2010, 10:26 AM
-{ Quote: "Hi Eirik,
Any further news on this?
Regards" }-
I've just sent an inquiry to engineering. For the first time in what seems like a long time, I don't think I dropped the ball on this one. Nonetheless, I'm very sorry we hadn't followed up sooner.
I'm also looking into Mike's ticket too.
Cheers,
Eirik
Eirik
October 12th, 2010, 10:31 AM
-{ Quote: "
10/11/10 20:26:09 Prevented <Internet Explorer> from writing to memory of <Internet Explorer>.
10/11/10 20:26:09 Prevented <Internet Explorer> from writing to memory of <Internet Explorer>.
10/11/10 20:26:08 Prevented <Internet Explorer> from writing to memory of <Internet Explorer>.
10/11/10 20:26:08 Prevented <Internet Explorer> from writing to memory of <Internet Explorer>.
10/11/10 20:26:07 Prevented <Internet Explorer> from writing to memory of <Windows Explorer>.
10/11/10 20:26:06 Prevented <Internet Explorer> from writing to memory of <Windows Explorer>.
Just back from uninstalling Comodo Time Machine, made an image, uninstalled all software down to the basic installation of Win 7, and still get the above. Restarts after uninstalls with registry leftovers cleaned as well. Looks like Memory Guard on my end doesn't play well with IE8 or Rundll32, which is needed for Clear My Tracks of InPrivateBrowsing." }-
Greg,
Would you please explicitly describe your observations of how IE behaved when these log events occurred? We're finding that many such log events do not actually impair or in any way alter the behavior or capabilities of the related applications. So, we're trying to find those examples of where the MemoryGuard events are in fact impairing something. We suspect you're observing something like this but need more explicit details.
We are extremely grateful to you for uninstalling and altering your PC to zero in on the root causes of the observations you're reporting.
Cheers,
Eirik
pegr
October 12th, 2010, 02:42 PM
-{ Quote: "I've just sent an inquiry to engineering." }-
Thanks for the update, Eirik.
I'm still hopeful that the problem with MemoryGuard on my system will be resolved before the release as I would like to be able to use MemoryGuard.
Regards
pandlouk
October 12th, 2010, 02:57 PM
-{ Quote: "Greg,
Would you please explicitly describe your observations of how IE behaved when these log events occurred? We're finding that many such log events do not actually impair or in any way alter the behavior or capabilities of the related applications. So, we're trying to find those examples of where the MemoryGuard events are in fact impairing something. We suspect you're observing something like this but need more explicit details.
We are extremely grateful to you for uninstalling and altering your PC to zero in on the root causes of the observations you're reporting.
Cheers,
Eirik" }-
Hi Eirik,
on my system, when it happens, it prevents IE from deleting the "Browsing History": cookies, cache, passwords, etc.
I noticed it only yesterday since I rarely use IE.
Panagiotis
Greg S
October 12th, 2010, 05:39 PM
-{ Quote: "Greg,
Would you please explicitly describe your observations of how IE behaved when these log events occurred?
Cheers,
Eirik" }-
I have two different issues:
1) Rundll32 is default protected by AG with Memory Guard enabled. With that in mind, open an IE8 session of InPrivateBrowsing. Surf as you normally would and typically when you close out an InPrivateBrowsing session, this is what happens
10/12/2010 15:38:53 e:\program files\internet explorer\iexplore.exe Created new process e:\windows\system32\rundll32.exe Permitted [App]* Cmd line: rundll32.exe E:\Windows\system32\inetcpl.cpl,ClearMyTracksByProcess 1024
The above command is the beginning of IE8 clearing all browsing history for that InPrivateBrowsing session. With Memory Guard enabled for the process of rundll32, the above does not happen. No IE8 InPrivateBrowsing history is cleared and remains.
2) Memory Guard is enabled for IE8 as well. When I click the IE8 icon to open IE8 up, the IE8 window appears for a brief second and then closes. Before the window briefly appears, AG tray icon starts blinking and of course I get this in AG status tab
10/11/10 20:26:09 Prevented <Internet Explorer> from writing to memory of <Internet Explorer>.
10/11/10 20:26:09 Prevented <Internet Explorer> from writing to memory of <Internet Explorer>.
10/11/10 20:26:08 Prevented <Internet Explorer> from writing to memory of <Internet Explorer>.
10/11/10 20:26:08 Prevented <Internet Explorer> from writing to memory of <Internet Explorer>.
10/11/10 20:26:07 Prevented <Internet Explorer> from writing to memory of <Windows Explorer>.
10/11/10 20:26:06 Prevented <Internet Explorer> from writing to memory of <Windows Explorer>.
Here is an example of what happens when closing out an InPrivateBrowsing session when Rundll32 has MemoryGuard set to No and ClearMyTracks is allowed to run
10/12/2010 15:38:53 Create new process Permitted
Process: e:\program files\internet explorer\iexplore.exe
Target: e:\windows\system32\rundll32.exe
Cmd line: rundll32.exe E:\Windows\system32\inetcpl.cpl,ClearMyTracksByProcess 1024
Rule: [App]*
10/12/2010 15:38:54 Access memory of another process Permitted
Process: e:\program files\internet explorer\iexplore.exe
Target: e:\windows\system32\rundll32.exe
Rule: [App]*
10/12/2010 15:38:54 Access memory of another process Permitted
Process: e:\program files\internet explorer\iexplore.exe
Target: e:\windows\system32\rundll32.exe
Rule: [App]*
10/12/2010 15:38:55 Access memory of another process Permitted
Process: e:\program files\internet explorer\iexplore.exe
Target: e:\windows\system32\rundll32.exe
Rule: [App]*
10/12/2010 15:38:56 Modify thread of another process Permitted
Process: e:\program files\internet explorer\iexplore.exe
Target: e:\windows\system32\rundll32.exe
Rule: [App]*
10/12/2010 15:39:00 Delete file Permitted
Process: e:\windows\system32\rundll32.exe
Target: E:\Users\Seven\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\S1F0ZTOU\Shared[1].js
Rule: [File Group]All Executable Files -> [File]*; *.js
10/12/2010 15:39:01 Delete file Permitted
Process: e:\windows\system32\rundll32.exe
Target: E:\Users\Seven\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\S1F0ZTOU\lazierLoad.js,prototype.js,ph.js,base.js,submenu_ph_v1276045795[1].js
Rule: [File Group]All Executable Files -> [File]*; *.js
10/12/2010 15:39:02 Create new process Permitted
Process: e:\program files\internet explorer\iexplore.exe
Target: e:\windows\system32\rundll32.exe
Cmd line: rundll32.exe E:\Windows\system32\inetcpl.cpl,ClearMyTracksByProcess 1024
Rule: [App]*
10/12/2010 15:39:03 Delete file Permitted
Process: e:\windows\system32\rundll32.exe
Target: E:\Users\Seven\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\S1F0ZTOU\fb_input.js,autocompleter.js,autocompleter_dyn_v1276045795[1].js
Rule: [File Group]All Executable Files -> [File]*; *.js
10/12/2010 15:39:04 Access memory of another process Permitted
Process: e:\program files\internet explorer\iexplore.exe
Target: e:\windows\system32\rundll32.exe
Rule: [App]*
10/12/2010 15:39:04 Delete file Permitted
Process: e:\windows\system32\rundll32.exe
Target: E:\Users\Seven\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\0SHSP8IM\index[1].js
Rule: [File Group]All Executable Files -> [File]*; *.js
10/12/2010 15:39:08 Access memory of another process Permitted
Process: e:\program files\internet explorer\iexplore.exe
Target: e:\windows\system32\rundll32.exe
Rule: [App]*
10/12/2010 15:39:08 Delete file Permitted
Process: e:\windows\system32\rundll32.exe
Target: E:\Users\Seven\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\H2NCKHPZ\jquery_2[1].js
Rule: [File Group]All Executable Files -> [File]*; *.js
10/12/2010 15:39:09 Access memory of another process Permitted
Process: e:\program files\internet explorer\iexplore.exe
Target: e:\windows\system32\rundll32.exe
Rule: [App]*
10/12/2010 15:39:09 Delete file Permitted
Process: e:\windows\system32\rundll32.exe
Target: E:\Users\Seven\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\S1F0ZTOU\scroll_hr[1].js
Rule: [File Group]All Executable Files -> [File]*; *.js
10/12/2010 15:39:10 Modify thread of another process Permitted
Process: e:\program files\internet explorer\iexplore.exe
Target: e:\windows\system32\rundll32.exe
Rule: [App]*
10/12/2010 15:39:11 Delete file Permitted
Process: e:\windows\system32\rundll32.exe
Target: E:\Users\Seven\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\0SHSP8IM\prototype.js,ph.js,base.js,thumb_resizer_v1239092002.js,submenu_ph_v1217449216[1].js
Rule: [File Group]All Executable Files -> [File]*; *.js
10/12/2010 15:39:12 Delete file Permitted
Process: e:\windows\system32\rundll32.exe
Target: E:\Users\Seven\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\0SHSP8IM\BingDefs[1].js
Rule: [File Group]All Executable Files -> [File]*; *.js
10/12/2010 15:39:13 Delete file Permitted
Process: e:\windows\system32\rundll32.exe
Target: E:\Users\Seven\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\H2NCKHPZ\search_tags[1].js
Rule: [File Group]All Executable Files -> [File]*; *.js
10/12/2010 15:39:14 Delete file Permitted
Process: e:\windows\system32\rundll32.exe
Target: E:\Users\Seven\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\0SHSP8IM\AC_RunActiveContent[1].js
Rule: [File Group]All Executable Files -> [File]*; *.js
10/12/2010 15:39:15 Delete file Permitted
Process: e:\windows\system32\rundll32.exe
Target: E:\Users\Seven\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\0SHSP8IM\swfobject[1].js
Rule: [File Group]All Executable Files -> [File]*; *.js
10/12/2010 15:39:16 Delete file Permitted
Process: e:\windows\system32\rundll32.exe
Target: E:\Users\Seven\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\S1F0ZTOU\fade_script[1].js
Rule: [File Group]All Executable Files -> [File]*; *.js
10/12/2010 15:39:17 Delete file Permitted
Process: e:\windows\system32\rundll32.exe
Target: E:\Users\Seven\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\S1F0ZTOU\submenu_items[2].js
Rule: [File Group]All Executable Files -> [File]*; *.js
10/12/2010 15:39:19 Delete file Permitted
Process: e:\windows\system32\rundll32.exe
Target: E:\Users\Seven\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\0SHSP8IM\index[2].js
Rule: [File Group]All Executable Files -> [File]*; *.js
10/12/2010 15:39:20 Delete file Permitted
Process: e:\windows\system32\rundll32.exe
Target: E:\Users\Seven\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\GVYUQ3OE\iframes[1].js
Rule: [File Group]All Executable Files -> [File]*; *.js
10/12/2010 15:39:21 Delete file Permitted
Process: e:\windows\system32\rundll32.exe
Target: E:\Users\Seven\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\GVYUQ3OE\prototype.js,ph.js,base.js,submenu_ph_v1217449216[1].js
Rule: [File Group]All Executable Files -> [File]*; *.js
10/12/2010 15:39:22 Delete file Permitted
Process: e:\windows\system32\rundll32.exe
Target: E:\Users\Seven\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\S1F0ZTOU\AC_RunActiveContent[1].js
Rule: [File Group]All Executable Files -> [File]*; *.js
10/12/2010 15:39:23 Delete file Permitted
Process: e:\windows\system32\rundll32.exe
Target: E:\Users\Seven\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\0SHSP8IM\PostContent[1].js
Rule: [File Group]All Executable Files -> [File]*; *.js
10/12/2010 15:39:24 Delete file Permitted
Process: e:\windows\system32\rundll32.exe
Target: E:\Users\Seven\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\0SHSP8IM\rm_swfobject-1284507810[1].js
Rule: [File Group]All Executable Files -> [File]*; *.js
10/12/2010 15:39:25 Delete file Permitted
Process: e:\windows\system32\rundll32.exe
Target: E:\Users\Seven\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\H2NCKHPZ\hpvR3[1].js
Rule: [File Group]All Executable Files -> [File]*; *.js
10/12/2010 15:39:26 Delete file Permitted
Process: e:\windows\system32\rundll32.exe
Target: E:\Users\Seven\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\S1F0ZTOU\index[2].js
Rule: [File Group]All Executable Files -> [File]*; *.js
10/12/2010 15:39:27 Delete file Permitted
Process: e:\windows\system32\rundll32.exe
Target: E:\Users\Seven\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\0SHSP8IM\index[4].js
Rule: [File Group]All Executable Files -> [File]*; *.js
10/12/2010 15:39:30 Delete file Permitted
Process: e:\windows\system32\rundll32.exe
Target: E:\Users\Seven\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\H2NCKHPZ\javascript[1].js
Rule: [File Group]All Executable Files -> [File]*; *.js
10/12/2010 15:39:31 Delete file Permitted
Process: e:\windows\system32\rundll32.exe
Target: E:\Users\Seven\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\S1F0ZTOU\index[1].js
Rule: [File Group]All Executable Files -> [File]*; *.js
10/12/2010 15:39:33 Delete file Permitted
Process: e:\windows\system32\rundll32.exe
Target: E:\Users\Seven\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\0SHSP8IM\index[3].js
Rule: [File Group]All Executable Files -> [File]*; *.js
Eirik
October 12th, 2010, 07:04 PM
-{ Quote: "I have two different issues
1) Rundll32 is protected by default by AG with Memory Guard enabled. With that in mind, open an IE8 session of InPrivateBrowsing. Surf as you normally would, and typically when you close out an InPrivateBrowsing session, this is what happens:
10/12/2010 15:38:53 e:\program files\internet explorer\iexplore.exe Created new process e:\windows\system32\rundll32.exe Permitted [App]* Cmd line: rundll32.exe E:\Windows\system32\inetcpl.cpl,ClearMyTracksByProcess 1024
The above command is the beginning of IE8 clearing all browsing history for that InPrivateBrowsing session. With Memory Guard enabled for the process of rundll32, the above does not happen. No IE8 InPrivateBrowsing history is cleared; it remains.
2) Memory Guard is enabled for IE8 as well. When I click the IE8 icon to open IE8 up, the IE8 window appears for a brief second and then closes. Before the window briefly appears, the AG tray icon starts blinking and of course I get this in the AG status tab:
10/11/10 20:26:09 Prevented <Internet Explorer> from writing to memory of <Internet Explorer>.
10/11/10 20:26:09 Prevented <Internet Explorer> from writing to memory of <Internet Explorer>.
10/11/10 20:26:08 Prevented <Internet Explorer> from writing to memory of <Internet Explorer>.
10/11/10 20:26:08 Prevented <Internet Explorer> from writing to memory of <Internet Explorer>.
10/11/10 20:26:07 Prevented <Internet Explorer> from writing to memory of <Windows Explorer>.
10/11/10 20:26:06 Prevented <Internet Explorer> from writing to memory of <Windows Explorer>.
Here is an example of what happens when closing out an InPrivateBrowsing session when Rundll32 has MemoryGuard set to No and ClearMyTracks is allowed to run:
10/12/2010 15:38:53 Create new process Permitted
Process: e:\program files\internet explorer\iexplore.exe
Target: e:\windows\system32\rundll32.exe
Cmd line: rundll32.exe E:\Windows\system32\inetcpl.cpl,ClearMyTracksByProcess 1024
Rule: [App]*
10/12/2010 15:38:54 Access memory of another process Permitted
Process: e:\program files\internet explorer\iexplore.exe
Target: e:\windows\system32\rundll32.exe
Rule: [App]*
10/12/2010 15:38:54 Access memory of another process Permitted
Process: e:\program files\internet explorer\iexplore.exe
Target: e:\windows\system32\rundll32.exe
Rule: [App]*
10/12/2010 15:38:55 Access memory of another process Permitted
Process: e:\program files\internet explorer\iexplore.exe
Target: e:\windows\system32\rundll32.exe
Rule: [App]*
10/12/2010 15:38:56 Modify thread of another process Permitted
Process: e:\program files\internet explorer\iexplore.exe
Target: e:\windows\system32\rundll32.exe
Rule: [App]*
10/12/2010 15:39:00 Delete file Permitted
Process: e:\windows\system32\rundll32.exe
Target: E:\Users\Seven\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\S1F0ZTOU\Shared[1].js
Rule: [File Group]All Executable Files -> [File]*; *.js
10/12/2010 15:39:01 Delete file Permitted
Process: e:\windows\system32\rundll32.exe
Target: E:\Users\Seven\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\S1F0ZTOU\lazierLoad.js,prototype.js,ph.js,base.js,submenu_ph_v1276045795[1].js
Rule: [File Group]All Executable Files -> [File]*; *.js
10/12/2010 15:39:02 Create new process Permitted
Process: e:\program files\internet explorer\iexplore.exe
Target: e:\windows\system32\rundll32.exe
Cmd line: rundll32.exe E:\Windows\system32\inetcpl.cpl,ClearMyTracksByProcess 1024
Rule: [App]*
10/12/2010 15:39:03 Delete file Permitted
Process: e:\windows\system32\rundll32.exe
Target: E:\Users\Seven\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\S1F0ZTOU\fb_input.js,autocompleter.js,autocompleter_dyn_v1276045795[1].js
Rule: [File Group]All Executable Files -> [File]*; *.js
10/12/2010 15:39:04 Access memory of another process Permitted
Process: e:\program files\internet explorer\iexplore.exe
Target: e:\windows\system32\rundll32.exe
Rule: [App]*
10/12/2010 15:39:04 Delete file Permitted
Process: e:\windows\system32\rundll32.exe
Target: E:\Users\Seven\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\0SHSP8IM\index[1].js
Rule: [File Group]All Executable Files -> [File]*; *.js
10/12/2010 15:39:08 Access memory of another process Permitted
Process: e:\program files\internet explorer\iexplore.exe
Target: e:\windows\system32\rundll32.exe
Rule: [App]*
10/12/2010 15:39:08 Delete file Permitted
Process: e:\windows\system32\rundll32.exe
Target: E:\Users\Seven\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\H2NCKHPZ\jquery_2[1].js
Rule: [File Group]All Executable Files -> [File]*; *.js
10/12/2010 15:39:09 Access memory of another process Permitted
Process: e:\program files\internet explorer\iexplore.exe
Target: e:\windows\system32\rundll32.exe
Rule: [App]*
10/12/2010 15:39:09 Delete file Permitted
Process: e:\windows\system32\rundll32.exe
Target: E:\Users\Seven\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\S1F0ZTOU\scroll_hr[1].js
Rule: [File Group]All Executable Files -> [File]*; *.js
10/12/2010 15:39:10 Modify thread of another process Permitted
Process: e:\program files\internet explorer\iexplore.exe
Target: e:\windows\system32\rundll32.exe
Rule: [App]*
10/12/2010 15:39:11 Delete file Permitted
Process: e:\windows\system32\rundll32.exe
Target: E:\Users\Seven\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\0SHSP8IM\prototype.js,ph.js,base.js,thumb_resizer_v1239092002.js,submenu_ph_v1217449216[1].js
Rule: [File Group]All Executable Files -> [File]*; *.js
10/12/2010 15:39:12 Delete file Permitted
Process: e:\windows\system32\rundll32.exe
Target: E:\Users\Seven\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\0SHSP8IM\BingDefs[1].js
Rule: [File Group]All Executable Files -> [File]*; *.js
10/12/2010 15:39:13 Delete file Permitted
Process: e:\windows\system32\rundll32.exe
Target: E:\Users\Seven\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\H2NCKHPZ\search_tags[1].js
Rule: [File Group]All Executable Files -> [File]*; *.js
10/12/2010 15:39:14 Delete file Permitted
Process: e:\windows\system32\rundll32.exe
Target: E:\Users\Seven\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\0SHSP8IM\AC_RunActiveContent[1].js
Rule: [File Group]All Executable Files -> [File]*; *.js
10/12/2010 15:39:15 Delete file Permitted
Process: e:\windows\system32\rundll32.exe
Target: E:\Users\Seven\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\0SHSP8IM\swfobject[1].js
Rule: [File Group]All Executable Files -> [File]*; *.js
10/12/2010 15:39:16 Delete file Permitted
Process: e:\windows\system32\rundll32.exe
Target: E:\Users\Seven\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\S1F0ZTOU\fade_script[1].js
Rule: [File Group]All Executable Files -> [File]*; *.js
10/12/2010 15:39:17 Delete file Permitted
Process: e:\windows\system32\rundll32.exe
Target: E:\Users\Seven\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\S1F0ZTOU\submenu_items[2].js
Rule: [File Group]All Executable Files -> [File]*; *.js
10/12/2010 15:39:19 Delete file Permitted
Process: e:\windows\system32\rundll32.exe
Target: E:\Users\Seven\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\0SHSP8IM\index[2].js
Rule: [File Group]All Executable Files -> [File]*; *.js
10/12/2010 15:39:20 Delete file Permitted
Process: e:\windows\system32\rundll32.exe
Target: E:\Users\Seven\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\GVYUQ3OE\iframes[1].js
Rule: [File Group]All Executable Files -> [File]*; *.js
10/12/2010 15:39:21 Delete file Permitted
Process: e:\windows\system32\rundll32.exe
Target: E:\Users\Seven\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\GVYUQ3OE\prototype.js,ph.js,base.js,submenu_ph_v1217449216[1].js
Rule: [File Group]All Executable Files -> [File]*; *.js
10/12/2010 15:39:22 Delete file Permitted
Process: e:\windows\system32\rundll32.exe
Target: E:\Users\Seven\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\S1F0ZTOU\AC_RunActiveContent[1].js
Rule: [File Group]All Executable Files -> [File]*; *.js
10/12/2010 15:39:23 Delete file Permitted
Process: e:\windows\system32\rundll32.exe
Target: E:\Users\Seven\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\0SHSP8IM\PostContent[1].js
Rule: [File Group]All Executable Files -> [File]*; *.js
10/12/2010 15:39:24 Delete file Permitted
Process: e:\windows\system32\rundll32.exe
Target: E:\Users\Seven\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\0SHSP8IM\rm_swfobject-1284507810[1].js
Rule: [File Group]All Executable Files -> [File]*; *.js
10/12/2010 15:39:25 Delete file Permitted
Process: e:\windows\system32\rundll32.exe
Target: E:\Users\Seven\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\H2NCKHPZ\hpvR3[1].js
Rule: [File Group]All Executable Files -> [File]*; *.js
10/12/2010 15:39:26 Delete file Permitted
Process: e:\windows\system32\rundll32.exe
Target: E:\Users\Seven\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\S1F0ZTOU\index[2].js
Rule: [File Group]All Executable Files -> [File]*; *.js
10/12/2010 15:39:27 Delete file Permitted
Process: e:\windows\system32\rundll32.exe
Target: E:\Users\Seven\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\0SHSP8IM\index[4].js
Rule: [File Group]All Executable Files -> [File]*; *.js
10/12/2010 15:39:30 Delete file Permitted
Process: e:\windows\system32\rundll32.exe
Target: E:\Users\Seven\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\H2NCKHPZ\javascript[1].js
Rule: [File Group]All Executable Files -> [File]*; *.js
10/12/2010 15:39:31 Delete file Permitted
Process: e:\windows\system32\rundll32.exe
Target: E:\Users\Seven\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\S1F0ZTOU\index[1].js
Rule: [File Group]All Executable Files -> [File]*; *.js
10/12/2010 15:39:33 Delete file Permitted
Process: e:\windows\system32\rundll32.exe
Target: E:\Users\Seven\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\0SHSP8IM\index[3].js
Rule: [File Group]All Executable Files -> [File]*; *.js
" }-
Thanks for specifics. I've passed this on to engineering.
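The two log formats quoted above (the detailed entries with Process/Target/Cmd line/Rule attributes, and the one-line status-tab "Prevented <A> from writing to memory of <B>." messages) are easy to triage by script. The following is an added example, not AppGuard's own tooling or anything Blue Ridge Networks ships: it parses both formats, reports which process-to-process memory writes MemoryGuard prevented, and checks whether the `rundll32.exe ... inetcpl.cpl,ClearMyTracksByProcess` launch was followed by the cache deletions it is supposed to perform. The sample log is a constructed excerpt shortened from the thread's own lines; the assumption that the detailed format uses the word "Prevented" for a blocked action (only "Permitted" entries appear in the thread) is marked in the code.

```python
import re
from collections import Counter

# Constructed sample, shortened from the thread's excerpt: three detailed
# entries followed by two status-tab one-liners.
SAMPLE_LOG = r"""10/12/2010 15:38:53 Create new process Permitted
Process: e:\program files\internet explorer\iexplore.exe
Target: e:\windows\system32\rundll32.exe
Cmd line: rundll32.exe E:\Windows\system32\inetcpl.cpl,ClearMyTracksByProcess 1024
Rule: [App]*
10/12/2010 15:38:54 Access memory of another process Permitted
Process: e:\program files\internet explorer\iexplore.exe
Target: e:\windows\system32\rundll32.exe
Rule: [App]*
10/12/2010 15:39:00 Delete file Permitted
Process: e:\windows\system32\rundll32.exe
Target: E:\Users\Seven\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\S1F0ZTOU\Shared[1].js
Rule: [File Group]All Executable Files -> [File]*; *.js
10/11/10 20:26:09 Prevented <Internet Explorer> from writing to memory of <Internet Explorer>.
10/11/10 20:26:07 Prevented <Internet Explorer> from writing to memory of <Windows Explorer>.
"""

TS = r"\d{1,2}/\d{1,2}/\d{2,4} \d{2}:\d{2}:\d{2}"
# Detailed-log header: "<timestamp> <action> <result>".  Only "Permitted"
# occurs in the thread; "Prevented" as the other value is an assumption.
HEADER_RE = re.compile(rf"^({TS}) (.+?) (Permitted|Prevented)$")
# Detailed-log attribute lines that follow a header.
ATTR_RE = re.compile(r"^(Process|Target|Cmd line|Rule): (.*)$")
# Status-tab one-liner: "<timestamp> Prevented <A> from <verb> of <B>."
STATUS_RE = re.compile(rf"^({TS}) Prevented <(.+?)> from (.+?) of <(.+?)>\.$")


def basename(path):
    """Last component of a Windows path, lower-cased for grouping."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_appguard_log(text):
    """Turn both log formats into a list of event dicts, in file order."""
    events, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:                      # start of a detailed entry
            if current:
                events.append(current)
            current = {"time": m.group(1), "action": m.group(2),
                       "result": m.group(3), "process": "", "target": "",
                       "cmdline": "", "rule": ""}
            continue
        m = STATUS_RE.match(line)
        if m:                      # self-contained status-tab line
            if current:
                events.append(current)
                current = None
            events.append({"time": m.group(1), "action": m.group(3),
                           "result": "Prevented", "process": m.group(2),
                           "target": m.group(4), "cmdline": "", "rule": ""})
            continue
        m = ATTR_RE.match(line)
        if m and current is not None:
            current[m.group(1).lower().replace(" ", "")] = m.group(2)
    if current:
        events.append(current)
    return events


def summarise(events):
    """Count events by (action, result, process name, target name)."""
    counts = Counter()
    for e in events:
        counts[(e["action"], e["result"], basename(e["process"]),
                basename(e["target"]))] += 1
    return counts


def clear_tracks_outcome(events):
    """(launches, deletes): rundll32 spawns carrying ClearMyTracksByProcess,
    and cache files rundll32 was then permitted to delete.  launches > 0 with
    deletes == 0 is the symptom described in the thread."""
    launches = sum(1 for e in events if e["action"] == "Create new process"
                   and e["result"] == "Permitted"
                   and "ClearMyTracksByProcess" in e["cmdline"])
    deletes = sum(1 for e in events if e["action"] == "Delete file"
                  and e["result"] == "Permitted"
                  and basename(e["process"]) == "rundll32.exe")
    return launches, deletes


def prevented_memory_writes(events):
    """(writer, target) pairs that MemoryGuard stopped, with counts."""
    counts = Counter()
    for e in events:
        if e["result"] == "Prevented" and "memory" in e["action"]:
            counts[(e["process"], e["target"])] += 1
    return counts


if __name__ == "__main__":
    evs = parse_appguard_log(SAMPLE_LOG)
    print(len(evs), "events parsed")
    print("ClearMyTracks launches/deletes:", clear_tracks_outcome(evs))
    for (writer, target), n in prevented_memory_writes(evs).items():
        print(f"{n}x prevented: {writer} -> {target}")
```

Run it against a saved copy of the AppGuard log instead of `SAMPLE_LOG` to see, for the whole session, how many cache files the ClearMyTracks run actually removed and which Microsoft-to-Microsoft memory writes MemoryGuard is stopping; a launch count with zero deletions is the broken-cleanup case reported here, and the prevented-write pairs are the ones to consider exempting or reporting.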
Eirik
October 12th, 2010, 07:06 PM
-{ Quote: "Hi Eirik,
on my system, when it happens, it prevents IE from deleting the "Browsing History" (cookies, cache, passwords, etc.).
I noticed it only yesterday since I rarely use IE.
Panagiotis" }-
I rarely use IE as well.
Thanks for the specific impairment examples. We'll have a closer look and try to re-create and all.
Cheers,
Eirik
1000db
October 13th, 2010, 12:26 PM
It seems that AG is blocking a Google installer:
10/13/10 11:21:06 Prevented <Google Installer> from writing to memory of <Google Installer>.
Even with protections disabled.
1000db
October 13th, 2010, 12:34 PM
AG also blocks Adobe AIR and Reader from updating. We all know Adobe products need regular updating too. ;D
Greg S
October 26th, 2010, 08:29 PM
-{ Quote: "Thanks for specifics. I've passed this on to engineering." }-
Eirik, I've found the problem with Memory Guard enabled for Rundll32. At least for me and my setup. It's taken me quite a long time to figure this one out, lol. It appears that it's not compatible with having InPrivateFiltering (not InPrivateBrowsing) enabled permanently via the registry. From my testing, it looks like if AppGuard is first installed without the registry entries for permanently enabling InPrivateFiltering, it will work. If the registry entries are in place with an imported ad block list and AppGuard is installed after that, then Memory Guard enabled for Rundll32 seems to break for some reason and causes IE 8 to not fully load up. Another fix, if InPrivateFiltering is permanently enabled and AppGuard is installed after that: export the HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Safety\PrivacIE reg code, delete it from the registry, enable Memory Guard for Rundll32 and launch IE one time. Close it out, import the previously exported reg code, and Memory Guard for Rundll32 will now allow IE8 to fully open.
The other issue of Rundll32 not allowing clearmytracks to run after an InPrivateBrowsing (Not InPrivateFiltering) session is closed is still present and one that really needs to be fixed.
adik1337
November 1st, 2010, 10:20 PM
How come one of my Firefox add-ons was able to update without AppGuard nagging about it? ???
Greg S
November 1st, 2010, 10:48 PM
-{ Quote: "How come one of my Firefox add-ons was able to update without AppGuard nagging about it? ???" }-
It could be that the option "allow guarded launches" is checked. I've noticed that with that checked, a lot of things now will run, such as Windows updates etc., as opposed to the way it used to be, which would be checking/dotting "deny all launches". I prefer "deny all launches" and disabling protection during an update.
jmonge
November 1st, 2010, 10:52 PM
Of course it's more secure this way ;)
adik1337
November 1st, 2010, 10:57 PM
I know appguard is in Beta phase for x64, but don't feel very safe now ... :thumbd:
jmonge
November 1st, 2010, 10:58 PM
LoL;D
Greg S
November 1st, 2010, 11:04 PM
-{ Quote: "I know appguard is in Beta phase for x64, but don't feel very safe now ... :thumbd:" }-
You have to check the deny all launches option in advanced settings. That's as safe as one can get.
adik1337
November 1st, 2010, 11:10 PM
Too late dude .. it's off my PC now ... I might try it again once it's out of Beta.
reeaws
November 2nd, 2010, 11:42 AM
:) Works like a charm on my Windows XP 32-bit!! I love this program.
Copyright ©2002 - 2012, Wilders Security Forums