AppGuard Guarded Apps Project

Discussion in 'other anti-malware software' started by Cutting_Edgetech, Apr 16, 2015.

  1. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Yes, that seems like a bug to me.
     
  2. bberkey1

    bberkey1 Registered Member

    Joined:
    Mar 23, 2013
    Posts:
    244
    Location:
    United States
    Here are my lists, any further suggestions?

    Also CE, I could not add the WOW folders either, so you are not alone.

    7Zip
    GIMP
    Chrome
    Microsoft Word
    Microsoft Excel
    Console Based Script Host
    Windows Based Script Host
    Microsoft Register Server
    Notepad
    Peek Through
    qBittorrent
    Soulseek
    Windows Command Processor
    Windows Host Process (Rundll32)
    Windows Media Player
    Windows Powershell ISE

    7-Zip 9.20 (x64 edition)
    Baldur's Gate - Enhanced Edition
    Blue Ridge Networks AppGuard
    CCleaner Piriform
    Classic Shell
    Dell Touchpad ALPS ELECTRIC CO.
    DW WLAN Card Utility Dell Inc.
    Freemake Video Converter version 4.1.5
    GIMP 2.8.14 The GIMP Team
    Google Chrome Google Inc.
    HitmanPro.Alert SurfRight B.V.
    IDT Audio IDT
    Intel(R) Network Connections Drivers Intel
    Intel(R) Rapid Storage Technology Intel
    Intel(R) Turbo Boost Technology Driver Intel
    Malwarebytes Anti-Malware version 2.0.4.1028 Malwarebytes Corporation
    Microsoft .NET Framework 4.5.2 Microsoft Corporation
    Microsoft Office Enterprise 2007 Microsoft Corporation
    Microsoft Visual C++ 2005 Redistributable (x64) Microsoft Corporation
    Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    NoVirusThanks Driver Radar Pro v1.6.5 NoVirusThanks Company Srl
    NoVirusThanks EXE Radar Pro (x86/x64) v3.1 NoVirusThanks Company Srl
    NVIDIA Graphics Driver 311.93 NVIDIA Corporation
    NVIDIA HD Audio Driver 1.3.24.2 NVIDIA Corporation
    NVIDIA nView 140.62 NVIDIA Corporation
    NVIDIA PhysX System Software 9.12.1031 NVIDIA Corporation
    OpenAL
    Oracle VM VirtualBox 4.3.20 Oracle Corporation
    Peek Through
    qBittorrent 3.1.12 The qBittorrent project
    Qualcomm Gobi 2000 Package for Dell QUALCOMM
    Samsung Magician Samsung Electronics
    Sandboxie 4.15.6 (64-bit) Sandboxie Holdings, LLC
    SoulseekQt
    WinDirStat 1.1.2
    Windows Firewall Control BiniSoft.org
    WinPatrol Ruiware
     
  3. bberkey1

    bberkey1 Registered Member

    Joined:
    Mar 23, 2013
    Posts:
    244
    Location:
    United States
    As for GIMP:

    It seems that Script-fu and Pythonw.exe are the only two that are still blocked by AppGuard. I have the settings in Guarded Apps as

    Privacy OFF
    MemWrite ON
    MemRead On

    It is, however, installed on my partition (Q), so I wonder if adding the folder would solve the issue.
     
  4. digmor crusher

    digmor crusher Registered Member

    Joined:
    Jul 6, 2012
    Posts:
    1,171
    Location:
    Canada
    I seem to recall that someone suggested it at one time in the AG thread; I figure it can't hurt. If you have a valid reason not to protect it, please let me know.
     
  5. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,537
    Yes, try it and let us know the result...
     
  6. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    Thanks. We'll look into it. Are you sure that the programs aren't being Guarded? In other words could this be a GUI issue?
     
    Last edited: Apr 20, 2015
  7. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    Thanks for starting this thread. I'll be checking it regularly.
     
  8. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    Actually, it is looking more like a GUI bug to me (not as serious, but still requires fixing to avoid confusion!). I copied procexp64.exe to both the system32 and syswow64 bit directories and added them both to the Guard list. When I restarted the AppGuard service, looking at the Guard list, it appears that only the system32 version remains in the Guard list. But when I actually run the procexp64.exe from the syswow64 directory, AppGuard IS guarding it:

    [screenshot: upload_2015-4-20_13-4-4.png]

    It's wrong in the policy too:

    [screenshot: upload_2015-4-20_13-13-20.png]

    Yet AppGuard continues to block the 64-bit version:

    [screenshot: upload_2015-4-20_13-6-20.png]

    Also, still protecting the system32 version as well:

    [screenshot: upload_2015-4-20_13-9-29.png]

    You can actually Guard both the system32 and syswow64 versions by adding only the system32 or syswow64 version to the guard list. This is because the AppGuard service is smart enough to handle these directories properly, but the GUI seems to be having issues.

    Please let me know if I've overlooked some nuance in the bug report (that's been known to happen).
     
  9. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I didn't think it would be a GUI issue because I checked the policy file, and it is not listed anywhere in the policy. The only question is, if the 32-bit version is guarded, does that guard the 64-bit version as well? For example, if cscript is guarded from the System32 folder, does AG automatically guard cscript if it is launched from the SysWOW64 folder?

    Edited 4/20 @6:18: Barb, your policy file is showing Procexp64.exe listed twice for the System32 folder. I added the following files from the SysWOW64 folder, and the System32 folder. After rebooting twice they are all only listed in the policy file once for the system32 folder: cmd.exe, rundll32.exe, cscript.exe, script.exe, notepad.exe, powershell.exe, powershell_ise.exe (cmd.exe, and rundll32.exe were already in the policy file from System32 folder by default).
     
    Last edited: Apr 20, 2015
  10. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    If I add anything from the SysWOW64 folder to the guarded app list, it shows it as being located in the System32 folder after rebooting. I have not verified whether everything I added to the guarded apps list from the SysWOW64 folder is in fact being guarded. I'm looking for some actual malware that will call these executables from the SysWOW64 folder instead of from the System32 folder.
     
  11. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    No problem.
     
  12. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,805
    Location:
    .
    I wonder whether AppGuard could be made to add guarded apps by just using the exe filename and NOT the full path, just like we force programs in Sandboxie, which doesn't require a full path.
     
  13. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I think it already does. I think that functionality was added about 5 years ago.
     
  14. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Disregard my last post. I thought that functionality was added, but I just tried it and it will not allow me to type anything into the box. I wonder if it is a bug.
     
  15. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,805
    Location:
    .
    Moreover, try to run a properly guarded app out of its current path and AppGuard will not let it run. I think that proves my comments about paths.
    I copied a guarded portable app which resides in C:\Program Files\... to the desktop and AG prevents its execution.
     
  16. StillBorn

    StillBorn Registered Member

    Joined:
    Nov 19, 2014
    Posts:
    297
    The other AppGuard thread aside (sooo many posts, sooo many pages), does this thread suggest that AppGuard is moving closer to or away from the need for tweaking default settings? Is this thread set up to offer suggestions for simpler and more efficient future default settings for AppGuard, or is this another "Sandboxie technical tests and other technical topics discussion thread" respective to AppGuard? I'm trying to determine if this advice is aimed at Blue Ridge for product improvement, or if this, albeit great stuff here as usual, is fodder for the casually anointed? 41 posts in, as if it really mattered...

    Edit: "The purpose of this thread is to allow AppGuard users to exchange information about the applications they guard, and to give feedback to Blue Ridge Networks."

    Is this our (Wilders) idea for a line of inquiry or a specific invitation from BRN? Delirious (or is that deleterious) minds wanna know.
     
    Last edited: Apr 21, 2015
  17. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,805
    Location:
    .
    @StillBorn
    Well, first off, the mere action of adding your specific programs to guarded apps indicates that we are always moving closer to the need for tweaking default settings.
    I believe this thread is to share information about your settings for your specific guarded apps; if they apply/suit you, then use them if you wish. In other words, default settings won't guard apps for specific scenarios without user intervention, and if you don't guard those programs, perhaps you're compromising your machine's security.
     
  18. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    This thread is to allow AG users to exchange information on which applications they guard to increase their security. Also, this thread is to give feedback to BRN. BRN needs to know if guarding an application, or system components causes any adverse effects. The only way to know this is to have a test group guarding applications, and system components over a significant period of time. There's a lot of other info BRN can get from the thread. Barb, from BRN said she will be checking the thread regularly.
     
  19. StillBorn

    StillBorn Registered Member

    Joined:
    Nov 19, 2014
    Posts:
    297
    Great thread. Thanks for the feedback, gents.
     
  20. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    I didn't show the policy file for all of my experiments. What I have found is that the policy file never shows the syswow64 path even if that is the one that you added to the Guard list. If a file listed in the policy is in either the Program Files (x86) or System32 directory, AppGuard will check the 64-bit equivalent and Guard that too (I've actually located the code that is doing that). You can look at the Windows event log (AppGuard event 313) to see if AppGuard has found the application and is Guarding it:

    [screenshot: upload_2015-4-21_17-37-39.png]

    Unfortunately, in version 4.1 you will see the path of the application, but the event's text is not present. 4.2 has the fix for the incorrect event text. BTW, we are hoping to release 4.2 this week. Trying to get the required documentation in order.
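One way to check the point made above from the console, as an added example that is not part of this thread and not Blue Ridge's own tooling: it lists the System32 and SysWOW64 copies of each guarded executable name and then looks for AppGuard event 313 entries that mention either path. The event ID 313 comes from the post; the log name, the provider-name pattern and the set of executable names are assumptions to adjust for your install.

```powershell
# Added example, not from the thread or from Blue Ridge Networks.
# Run from 64-bit PowerShell: a 32-bit host is subject to WOW64 file system
# redirection, so "System32" would silently resolve to SysWOW64.
$Sys32 = Join-Path $env:SystemRoot 'System32'
$WoW64 = Join-Path $env:SystemRoot 'SysWOW64'

# Names drawn from the guarded-app lists in this thread (assumed set; edit to taste).
$GuardedNames = 'cmd.exe', 'rundll32.exe', 'cscript.exe', 'wscript.exe',
                'notepad.exe', 'powershell.exe', 'powershell_ise.exe'

function Get-GuardedPathPairs {
    # Both copies of each name; the policy file only ever lists the System32 one.
    param([string[]]$Names)
    foreach ($n in $Names) {
        [pscustomobject]@{
            Name  = $n
            Paths = @((Join-Path $Sys32 $n), (Join-Path $WoW64 $n))
        }
    }
}

function Get-AppGuardEvent313 {
    # Event ID 313 is the ID the thread names for "AppGuard found and is Guarding this app".
    # Log name and provider pattern are assumptions; adjust to your install.
    param([string]$LogName = 'Application', [string]$ProviderPattern = '*AppGuard*')
    Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 313 } -ErrorAction SilentlyContinue |
        Where-Object { $_.ProviderName -like $ProviderPattern } |
        Select-Object TimeCreated, ProviderName, @{
            # In 4.1 the message template is missing but the inserted path is still
            # in the event's property data, so search both.
            Name       = 'Text'
            Expression = { (@($_.Message) + @($_.Properties | ForEach-Object { $_.Value })) -join ' ' }
        }
}

$events = Get-AppGuardEvent313
$report = foreach ($pair in Get-GuardedPathPairs -Names $GuardedNames) {
    foreach ($path in $pair.Paths) {
        [pscustomobject]@{
            Path         = $path
            OnDisk       = Test-Path -LiteralPath $path
            Event313Seen = [bool]($events | Where-Object { $_.Text -like "*$path*" })
        }
    }
}
$report | Format-Table -AutoSize
```

A row with OnDisk true and Event313Seen false after launching that copy is the case worth reporting back to BRN; an empty event list usually means the provider pattern or log name needs adjusting first.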
     
  21. onigen

    onigen Registered Member

    Joined:
    Oct 26, 2009
    Posts:
    29
    Good news! Thanks :)
     
  22. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Thank you for the clarification. I'm using beta 4.2.8.1 now. I guess all I need to be doing is finding some good malware to test with on my test machine.
     
  23. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    AppGuard uses file name, path, and another proprietary method. I forget what Barb called it in the past, and BRN does not want the method to be public domain.
     
  24. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,805
    Location:
    .
    Got it CE, thank you.
     
  25. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Sorry it took me so long to get back with you. I have been working on some projects of mine, and I wanted to try guarding GIMP in Shadow Mode in case it caused GIMP to become corrupted. I guarded gimp-2.8.exe and gimp-console-2.8.exe, and just launching the application did not cause AG to block anything from GIMP on my Windows 7 x64 Ultimate machine.
     