AppGuard 4.x 32/64 Bit - Releases

Discussion in 'other anti-malware software' started by Jryder54, Oct 29, 2013.

Thread Status:
Not open for further replies.
  1. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    The Trusted Publisher list applies to user-space launches (perhaps with the exception of the Install setting) so having MG set to On for Symantec here should not present a problem, but if you do see MG related blocks with Symantec user-space apps, then by all means, change the setting.

    P.S. Sorry for not responding sooner. Have been out of the office for extended periods in June.
     
  2. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Since it only affects Memory Guard events of executables in the user-space, then it probably won't cause any problems. It has helped me on several occasions, though, to add a Publisher from an AV to the Trusted Publisher's List. AppGuard has blocked launches from Webroot in the past from the user-space. After making Webroot unguarded on the Publisher's List, that fixed the problem for me. I think I experienced memory blocks belonging to Webroot as well, but it has been almost a year ago so I can't remember for sure. I always configure AG to avoid those possible conflicts altogether now by using the Publisher settings I recommended previously in this thread. If you do start to see blocked Memory Guard events belonging to Symantec on your activity report, then please let us know. That is good information for the developers to have as well as the community.
     
  3. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,458
    Location:
    .
    1) BRN quote: We would recommend that if you make a folder an exception folder, that you actually include these directories in UserSpace (i.e. make c:\sandbox on User Space > YES and c:\windows\cryptoguard on User Space > Yes). I’m 90% sure that is okay for Sandboxie, but not sure if it would affect CryptoGuard adversely.

    2) User Space Yes renders User added <c:\sandbox> to user space folder list, launching is <disabled>.
    and No renders User added <c:\sandbox> to user space folder list, launching is <enabled>.
    Seems backwards. Yes renders <disabled> ...?

    3) So, launching is <disabled>. What is <disabled>...What is launching...What is not launching...and what is the effect re CryptoGuard.

    4) "AppGuard prohibits suspicious User Space programs and Guards legitimate User Space programs".
    So, is "prohibit" and "Guard" <disabled>...?
     
    Last edited: Jun 25, 2015
  4. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    It is an OEM machine (Lenovo ThinkPad Yoga). I am not aware of any auto-updater but will investigate this possibility.

    The strange thing is that the .dlls prevented from launching in that log from <c:\programdata\package cache\{75895d95-3e4b-42b6-8440-97a0e234aeb3}> don't seem to exist. And this folder only contains the following three files: setup.exe for Intel PRO/set Wireless Software, setup.xml and state.rsm

    I will ignore these alerts for now.
     
  5. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,207
    Has anyone been able to run the privateinternetaccess VPN program successfully with AppGuard without losing too much security?

    I was disappointed with the VPN program and posted this: https://www.wilderssecurity.com/threads/problems-with-privateinternetaccess-vpn.377420/

    AppGuard has no wildcard/joker character thing for program path etc.?
    The problem with PIA is this:
    https://support.privateinternetacce...or-when-trying-to-installrun-your-application
    I did something to make the VPN work, sort of, in the first link, but was not really successful.

    I might also be out of luck even if AG could cover all the necessary dirty work, because if PIA needs internet access for that rubyw.exe or some other program in a random location, then my TinyWall Windows firewall controller won't have any wildcard for the path either.

    Well, it was only $6.95 for one month, as I for sure wanted to test this thing and not buy the license for, say, 1 year to "save" some money. This VPN program is now uninstalled from my computer. I somehow even messed up my computer connection when uninstalling it. I think it had disabled DHCP. Waited a few hours to be sure it was not an ISP connection problem and then fixed that thing.

    Anyway, if some of you have been successful, I am willing to install PIA back if given some instructions on what is really needed.

    I am running EMET too, but nothing special done for AG or PIA in it. Just mentioning it here too.

    EDIT:
    A reply to CET's questions below: c:\program files\pia_manager. Yes, openvpn.exe of course. That always needs outgoing TCP and UDP internet access with any VPN, but it is in the standard system-space fixed location under that folder, so no problem. I think most of the knowledge is in my first link.
    Rather than go to lengths on general things, I'd just like to know if anyone has been successful, and then how?

    EDIT 2:
    Thank you Cactus5 for your reply. I might consider that or even try it, except I paid only for 1 month. And that is not as secure and misses, I think, also some options like that Killswitch. So it seems I have to turn to other VPN programs, again. Or revert to some old fave. Privateinternetaccess is very cheap though.

    EDIT 3:
    FTV, while I am not sure how direct a parent program pia_manager.exe is, I did make it a power app and was somehow making the program work. Read the first link. It just always stopped working at some point. I run my browsers and other internet programs always under a standard user account. Running under admin is not an option for me. If that would make any difference in this case.
     
    Last edited: Jun 25, 2015
  6. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    What path does PIA install to? Does it use Open VPN protocol? It also may help to post your log of blocked events for PIA if you install it again.
     
  7. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Sorry, I see the rubyw.exe problem you mentioned now, where it has to start in some random folder within AppData. That is a nightmare for any policy-based software. I was going to recommend that you move the PIA installation from the user-space to the Program Files folders if possible, if it was installed in the user-space.
     
  8. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,207
    Exactly. From what I saw, it changes location under that AppData folder every time that Ruby-made client starts.
     
  9. Cactus5

    Cactus5 Registered Member

    Joined:
    Jan 17, 2015
    Posts:
    28
    Location:
    Southwest USA
    @Jarmo P I had the same issue and the solution I chose was to use PIA's IPSEC/L2TP VPN setup which I did through Windows itself. I have no issues this way and no software installed. The instructions are on the support pages.
     
  10. FleischmannTV

    FleischmannTV Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,093
    Location:
    Germany
    I don't remember exactly, but it will work if you make one of PIA's exes in Program Files a power app. It should be the parent process of the one with the random location in AppData. If you look at it with Process Explorer in tree view, you can see which is the parent process. No need to change VPN providers because of this.
     
    Last edited: Jun 26, 2015
  11. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I had the same issues with PIA. Gave up and switched to NordVPN. Works well, same price and no AppGuard issues at all.
     
  12. Circuit

    Circuit Registered Member

    Joined:
    Oct 7, 2014
    Posts:
    939
    Location:
    Land o fruits and nuts, and more crime.
    I will second that.
    NordVPN works very well with all my security programs.
     
  13. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Boleh VPN also works well with AppGuard default settings.
     
  14. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,207
    Thank you, all repliers. To spread the knowledge for anyone using AppGuard as our security protection!

    I have used 4 VPNs before this incident that I remember, and none of them were the ones Pete and CET suggested, so thank you for those too. And no problems with AG with any of those. It is not common to meet one like PIA whose provided client does not work with AppGuard. PIA is the first one in my experience.

    So I think my post served its purpose. Not to put down PIA exactly, just to find out what is incompatible. There are other unsigned, verified VPNs too.

    ------------
    EDIT: to FTV and faircot, your questions etc. below, "try help", come too late for me. I had already uninstalled the PIA program before I posted the first one, #3306. Some solution that is not too nerdy might help some future victims though. It must be quite explicit for sure and needs you to install and sort out what to do.

    I am such a guy that will never subject myself to a try-this-and-try-that approach, to satisfy some developer with lacking resources/interest. I already did that once, with another VPN in its development stage. Never no more, period.
     
    Last edited: Jun 27, 2015
  15. FleischmannTV

    FleischmannTV Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,093
    Location:
    Germany
    PIA and AppGuard are not incompatible. It works with the method I described in post #3311.
     
  16. faircot

    faircot Registered Member

    Joined:
    May 17, 2012
    Posts:
    228
    Location:
    UK
    Have you tried this?
     
  17. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,873
    Location:
    Outer space
    Most VPN providers also use the OpenVPN protocol, which is more secure compared to L2TP/IPsec and definitely more than the insecure PPTP. Then they also probably provide an option for the user to download OpenVPN config files, and then you can use them with the official OpenVPN software, which works with AG flawlessly.
     
  18. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Yes, that would be his best option if he wants to stick with PIA. I'm not sure why it took so long for one of us to recommend it, lol. Good recommendation, BoerenkoolMetWorst! Surely they support the native OpenVPN client.
     
  19. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
  20. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,458
    Location:
    .
    Hello Wilders,
    Please help me understand User Space Yes.
    User Space Yes means launch is disabled. Please help me understand. Why do I want the launch of Sandboxie disabled? Why do I want the launch of CryptoGuard disabled?

    Please help me understand.
    Is '90% sure' .. okay for Sandboxie? Is 'not sure' .. okay for CryptoGuard?

    Does User Space Yes mean that the launch / execution is disabled for the folder or that launch is disabled from the folder.
    1) For example User Space Yes for c:\sandboxie. Does User Space Yes mean I have disabled execution/launch of the sandboxie folder. Or, does User Space Yes mean I've disabled launch/execution of something from the sandboxie folder.

    2) For example User Space Yes for c:\windows\cryptoguard. Does User Space Yes mean I have disabled execution/launch of the c:\windows\cryptoguard folder. Or, does User Space Yes mean I've disabled launch/execution of something from the c:\windows\cryptoguard folder.

    Why do I want the launch/execution of Sandboxie disabled? Why do I want the execution/launch of CryptoGuard disabled?

    Thanks
     
    Last edited: Jul 3, 2015
  21. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    It is difficult for us to advise on the best settings for other programs unless we use them in-house. I'm sure that some people on Wilders can help with your settings for these products.

    For Sandboxie, I don't *think* that it tries to run programs out of c:\sandbox. If it does, then NO you should not include it in AppGuard user-space protection. I believe that Sandboxie uses that directory to write to (not run programs out of) and that is why you have to make it an exception for Guarded applications to be able to write to that directory. Whenever you make an exception allowing a Guarded application to write to a folder, it is usually prudent to also add that folder to user-space and I think that I recall some on this forum doing just that.

    Looking back on your old posts regarding CryptoGuard, it appears that CryptoGuard is somehow causing Guarded applications (at least Firefox) to write to the c:\windows\cryptoguard directory. Not sure why CryptoGuard would work that way (also not a good security practice), but in that case you need to make c:\windows\cryptoguard an exception folder for AppGuard's Guard list. I would hope that CryptoGuard is not expecting to launch programs out of that folder as well, since it is causing unsafe writes to be performed there. If no executables are being written to that directory, then I would also include that directory in the user-space protection as well. [My apologies to CryptoGuard if I have this incorrect - I'm just basing my assumptions on some posts in this forum].

    My recommendation would be to make c:\sandbox and c:\windows\cryptoguard exception folders (on AppGuard's Guarded Apps tab). I would also include both those folders in AppGuard user-space protection. Then I would test. If you are seeing AppGuard events related to either of these programs, send them to Blue Ridge. If you don't see any events and all appears to be working properly, then you are good. If something appears to be broken, then remove the user-space protection for the folder. You might have a slight security risk, but it is not because of a flaw with AppGuard, it is because the other products are not following Microsoft's best security practices.

    I've been looking at BJ's posts and emails regarding CryptoGuard and I don't see any record of the related CryptoGuard events. That might be useful. BJ, if you're willing to remove all CryptoGuard related AppGuard policy tweaks and then provide us with the AppGuard blocking events, related to CryptoGuard, that may help us to provide you with the answers you seek.
     
    Last edited: Jul 3, 2015
  22. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,458
    Location:
    .
    Hello Barb_C
    Adding an Exception is detailed in User Guide 4.2, and Wilders agrees on an Exception for c:\sandboxie and c:\windows\cryptoguard.
    So, adding an Exception is a no-brainer. What is of curious concern is User Space Yes or No.
    User Guide 4.2 offers an example for User Space No. The User Guide does not offer an example for User Space Yes.
    You've advised Yes, while another has advised No.
    I see no activity with User Space at Yes or No that I may readily attribute to c:\sandboxie or c:\windows\cryptoguard.
    That's why I have no basis to grasp whether Yes or No is appropriate.

    Regarding CryptoGuard. Without c:\windows\cryptoguard Exception I see..
    03/05/15 22:20:56 Prevented process <Firefox> from writing to <c:\windows\cryptoguard\dc52011e>.
    03/05/15 22:00:45 Prevented process <Firefox> from writing to <c:\windows\cryptoguard\80906ba2>.
    03/05/15 21:59:09 Prevented process <Firefox> from writing to <c:\windows\cryptoguard\80906ba2>.
    03/05/15 21:52:29 Prevented process <Firefox> from writing to <c:\windows\rescache\rc0003\rescache.hit>.
    03/05/15 21:51:55 Prevented process <Firefox> from writing to <c:\windows\cryptoguard\0028ee8d>.
    03/05/15 21:50:44 Prevented process <Firefox> from writing to <c:\windows\rescache\rc0003\rescache.hit>.
    03/05/15 21:50:07 Prevented process <Firefox> from writing to <c:\windows\cryptoguard\0028ee8d>.
    03/05/15 20:11:24 Prevented process <Firefox> from writing to <c:\windows\cryptoguard\20b20944>.
    03/05/15 20:09:53 Prevented process <Firefox> from writing to <c:\windows\cryptoguard\20b20944>.
    03/05/15 20:09:12 Prevented process <Firefox> from writing to <c:\windows\cryptoguard\20b20944>.
    03/05/15 20:07:21 Prevented process <Firefox> from writing to <c:\windows\cryptoguard\20b20944>.
    03/05/15 20:03:41 Prevented process <Firefox> from writing to <c:\windows\cryptoguard\d79b15a0>.
    03/05/15 20:01:43 Prevented process <Firefox> from writing to <c:\windows\cryptoguard\d79b15a0>.
    03/05/15 19:54:18 Prevented process <Firefox> from writing to <c:\windows\cryptoguard\d79b15a0>.
    03/05/15 19:52:44 Prevented process <Firefox> from writing to <c:\windows\cryptoguard\d79b15a0>.
    03/05/15 18:28:44 Prevented process <Firefox> from writing to <c:\windows\cryptoguard\3f095d53>.
    03/05/15 18:27:00 Prevented process <Firefox> from writing to <c:\windows\cryptoguard\3f095d53>.

    Thank you
     
    Last edited: Jul 3, 2015
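    The activity-report lines quoted above are the raw material Barb_C asks for: which Guarded process is blocked, doing what, in which folder, and whether anything executable is being dropped there (which would argue against adding the folder to user-space). The small triage script below is an added example, not AppGuard's or Blue Ridge's own tooling. It assumes only the line format visible in the post ("date time Prevented process <name> from <action> <path>."); the report text embedded in it is a subset copied from the post plus one constructed line with an .exe write, added to show the executable check firing.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Sample AppGuard activity-report text. The cryptoguard/rescache lines are
# copied from the forum post above; the final "update.exe" line is constructed
# for this example to exercise the executable-write check.
SAMPLE_REPORT = r"""
03/05/15 22:20:56 Prevented process <Firefox> from writing to <c:\windows\cryptoguard\dc52011e>.
03/05/15 22:00:45 Prevented process <Firefox> from writing to <c:\windows\cryptoguard\80906ba2>.
03/05/15 21:52:29 Prevented process <Firefox> from writing to <c:\windows\rescache\rc0003\rescache.hit>.
03/05/15 21:51:55 Prevented process <Firefox> from writing to <c:\windows\cryptoguard\0028ee8d>.
03/05/15 20:11:24 Prevented process <Firefox> from writing to <c:\windows\cryptoguard\20b20944>.
03/05/15 18:28:44 Prevented process <Firefox> from writing to <c:\windows\cryptoguard\3f095d53>.
03/05/15 12:00:00 Prevented process <Firefox> from writing to <c:\users\bj\appdata\local\temp\update.exe>.
"""

# Assumed line format, taken from the lines quoted in the post.
LINE_RE = re.compile(
    r"^(?P<date>\d\d/\d\d/\d\d) (?P<time>\d\d:\d\d:\d\d) "
    r"Prevented process <(?P<process>[^>]+)> from (?P<action>[^<]+?) <(?P<path>[^>]+)>\.$"
)

# File types whose appearance in a blocked write means the folder is being
# used to stage code, not just data.
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".sys", ".scr", ".com", ".ocx"}


def parse_report(text):
    """Return one dict per recognisable report line; unknown lines are skipped."""
    events = []
    for raw in text.splitlines():
        match = LINE_RE.match(raw.strip())
        if match:
            events.append(match.groupdict())
    return events


def summarize(events):
    """Count blocked events per (process, action, parent folder), case-folded."""
    counts = Counter()
    for event in events:
        folder = str(PureWindowsPath(event["path"]).parent).lower()
        counts[(event["process"].lower(), event["action"], folder)] += 1
    return counts


def candidate_exception_folders(counts, min_events=2):
    """Folders that repeatedly block writes: candidates for a Guarded Apps exception."""
    folders = Counter()
    for (_process, action, folder), n in counts.items():
        if action == "writing to":
            folders[folder] += n
    return sorted(f for f, n in folders.items() if n >= min_events)


def executables_written(events):
    """Blocked writes whose target looks like code; such folders should not
    simply be added to user-space protection without further investigation."""
    return sorted(
        event["path"].lower()
        for event in events
        if PureWindowsPath(event["path"]).suffix.lower() in EXECUTABLE_SUFFIXES
    )


if __name__ == "__main__":
    evts = parse_report(SAMPLE_REPORT)
    for key, n in sorted(summarize(evts).items()):
        print(f"{n:3d}  {key[0]}  {key[1]}  {key[2]}")
    print("exception candidates:", candidate_exception_folders(summarize(evts)))
    print("executable writes:", executables_written(evts))
```

    Run it against a pasted activity report to see which folders account for the blocks before touching policy; a folder that only receives data writes (as c:\windows\cryptoguard does in the quoted lines) is a straightforward exception candidate, while any folder in the executable-write list deserves a closer look first.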
  23. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    This only affects Symantec applications in user-space normally used for self-update. Usually self-update does not require MG.
     
  24. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Simple test. Add the folder with yes. Then try axcrypt on several files at once and see what happens.
     
  25. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,458
    Location:
    .
    Hi Peter2150,
    Um, to whom are you speaking and which folder..?
    If you're talking to me: just tried axcrypt on 10 files at once with c:\windows\cryptoguard at Yes.
    Tried with AG at Medium and Locked Down.
    Um, what am I supposed to observe...?
    Tried 8 text + 2 pdf files (at once) from my Documents folder.
    I tried 10 images. AG = silent. HMP.A threw a dialog. Now, I'm left with 3 that will not decrypt. HMP.Alert blocked 7, but three were encrypted and axcrypt will not decrypt them.
    Now, I need to know if AppGuard degraded HitmanPro.Alert. #6337
     
    Last edited: Jul 3, 2015