AppGuard 4.x 32/64 Bit - Releases

Discussion in 'other anti-malware software' started by Jryder54, Oct 29, 2013.

Thread Status:
Not open for further replies.
  1. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    There's a bug I reported in the past that never was fixed that makes the user have to disable AG in order to choose the application that opens an unrecognized file extension. If the user clicks on an unrecognized file then AG prevents the user from selecting the application that opens the file if the user has to browse to the application in order to add it to the list. AG prevents the user from adding the application to the list to select from in the Windows Context Menu. Also if the application is already on the list to choose from then AG prevents the user from setting Windows to open that file extension from then on. If the user ticks the little box so that Windows will use that application from then on to open that file extension it will not work if AG is enabled. Windows will continue to inform the user each time that the file extension is not recognized. Windows will then give the user the option to browse for the application, search the internet for the application, or select the application from those already on the list in the context menu. I'm using Windows 7 x64 Ultimate with all patches.
     
  2. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    @Barb_C For my clarity: I have added Webroot, Emsisoft, Malwarebytes, NoVirusThanks and Surfright, which are the Trusted Publishers of the security products that I use. Are you saying that Memory = ON is the recommended default setting for these security product publishers (as it is for Symantec, which I do not use)? Unless there are problems with self-updating of these products, in which case MG should be set to OFF?
     
  3. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,457
    Location:
    .
    adding to paulderdash
    Publisher I've added is Yes On On Allow ----
    clearly not as default Publisher List or BRN
    I've read Help > Trusted Publisher
     
  4. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    Publishers I added in #3328 were added as No Off On Allow ---- which seems to be the default (not only Symantec) except for the Blue Ridge Networks entry.
    @bjm_ I had not read the Help > Trusted Publisher as you have - hope @Barb_C can give us guidance?
    Edit: Or @Cutting_Edgetech?
     
    Last edited: Jul 4, 2015
  5. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,457
    Location:
    .
    Hi paulderdash,
    Yeah, what's unknown after reviewing Help is whether Publisher default settings are simply for example or as recommended.
     
  6. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,457
    Location:
    .
    Curious: is AppGuard superfluous while running Shadow Defender?
    Meaning AppGuard policies are about preventing something from doing something to something.
    And when I Reboot Restore all my 'somethings' are reverted anyway.
    What am I missing...?
    Thanks
     
  7. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Simple solution for publisher. Take them all out except BRN. With stolen and faked certificates, I no longer consider that a viable protection. AppGuard does very well without it.

    Pete
     
  8. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,457
    Location:
    .
    Yeah, not a fan of certificates. Don't abide them with ERP.
     
  9. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    Agreed.
     
  10. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    Indeed, you have a point - will see if / how @Barb_C comments though.
     
  11. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Always operate in Lock Down Mode. AG allows any signed file to execute in the user-space with limited rights. I don't like this policy at all! I hope they change it soon.
     
  12. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,457
    Location:
    .
    Seems it's all or nothing. Why are there Publishers if Medium allows any signed file?
    Unless Locked Down does not allow except for Publishers. Then maybe Publishers are okay. But I can add BRN to Power App. Wonder what's the theory behind Publishers. Can I remove e.g. Mozilla sans FF problems? Wouldn't I want to keep Symantec as I run Norton?
     
  13. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Lock Down Mode ignores the Publisher's List. Lock Down Mode only allows Guarded Apps to execute in the user-space. I don't know what special needs BRN's clients might have, but I don't see any reason to allow all signed files to execute in the user-space in Medium Mode of Protection. AFAIK, Medium Mode of Protection was originally designed to facilitate allowing applications to update without having to disable AG's protection. This would work out well for me with Adobe Flash and Firefox if they only allowed certificates on the Publisher's List. I don't like having to disable my protection and leaving myself open to attack. It's a catch-22: you either have to disable your protection to allow applications to update, or you use certificates to allow them to update. There's always a risk either way you go. If BRN would switch to only allowing certificates on the Publisher's List in Medium Mode in the user-space then it would greatly increase security. The chances of malware being signed with a certificate on the user's Publisher's List would be slim. Medium Mode would provide much greater security and allow the user's applications to update. I would say Adobe would be the certificate to worry about though, in my opinion, if you are worried about a common certificate on most users' machines. Almost everyone uses Flash, and I think Adobe's certificates were compromised once in the past. I would just stick with the certificates you have to have.
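
    An added illustration of the three policies compared in the post above (Medium as described, Lock Down, and the "publisher list only" variant the post asks for), run over a handful of constructed launch events. This is not AppGuard code and does not reproduce Blue Ridge Networks' actual rules: the mode names, the guarded-app flag, the sample signers, the thumbprint values and the events are all assumptions made for the demonstration. It also shows why a publisher list keyed by certificate thumbprint holds up against the stolen or look-alike certificate that a name-keyed list would admit.

```python
"""User-space execution policy under the modes discussed in the thread.

Added example, not AppGuard's code. Mode semantics, the 'guarded app'
flag, the publisher-only variant and every sample event are assumptions.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional, Tuple


class Mode(Enum):
    MEDIUM = "medium"                                # any validly signed file may run
    MEDIUM_PUBLISHER_ONLY = "medium-publisher-only"  # only files signed by a listed publisher
    LOCKED_DOWN = "locked-down"                      # only guarded apps; publisher list ignored


@dataclass(frozen=True)
class Signer:
    subject: str       # certificate subject string, e.g. "CN=Example Publisher"
    thumbprint: str    # hex fingerprint of the leaf certificate (constructed values below)
    chain_valid: bool  # chain built to a trusted root and not revoked at check time


@dataclass(frozen=True)
class LaunchEvent:
    image: str
    in_user_space: bool
    guarded_app: bool
    signer: Optional[Signer]


# Publisher list keyed by leaf-certificate thumbprint (constructed, not real
# fingerprints). A stolen or look-alike certificate presents the same subject
# string but a different leaf, so keying on the subject name would admit it.
PUBLISHER_THUMBPRINTS: Dict[str, str] = {
    "0123456789abcdef0123456789abcdef01234567": "CN=Example Publisher",
}


def _valid_signature(signer: Optional[Signer]) -> bool:
    return signer is not None and signer.chain_valid


def publisher_listed(signer: Optional[Signer]) -> bool:
    """Strong check: the exact certificate must be on the list."""
    return _valid_signature(signer) and signer.thumbprint.lower() in PUBLISHER_THUMBPRINTS


def publisher_listed_by_name(signer: Optional[Signer]) -> bool:
    """Weak check the thread warns about: trusts whatever carries the subject string."""
    return _valid_signature(signer) and signer.subject in PUBLISHER_THUMBPRINTS.values()


def decide(event: LaunchEvent, mode: Mode) -> Tuple[bool, str]:
    """Return (allowed, reason) for one launch under the given mode."""
    if not event.in_user_space:
        return True, "outside user-space: not covered by this rule"
    if event.guarded_app:
        return True, "guarded app"
    if mode is Mode.LOCKED_DOWN:
        return False, "locked down: only guarded apps run in user-space"
    if mode is Mode.MEDIUM:
        if _valid_signature(event.signer):
            return True, "medium: validly signed"
        return False, "medium: unsigned or invalid signature"
    if publisher_listed(event.signer):
        return True, "publisher-only: signer thumbprint is on the publisher list"
    return False, "publisher-only: signer not on the publisher list"


# Constructed signers: a listed publisher, a look-alike with the same subject
# but a different leaf (stolen/faked certificate), and an unrelated signed adware vendor.
GOOD = Signer("CN=Example Publisher", "0123456789abcdef0123456789abcdef01234567", True)
STOLEN = Signer("CN=Example Publisher", "fedcba9876543210fedcba9876543210fedcba98", True)
ADWARE = Signer("CN=Totally Legit Software Ltd", "abcdefabcdefabcdefabcdefabcdefabcdefabcd", True)

EVENTS = [  # constructed launch events
    LaunchEvent(r"C:\Program Files\Browser\browser.exe", True, True, GOOD),
    LaunchEvent(r"C:\Users\bob\Downloads\updater.exe", True, False, GOOD),
    LaunchEvent(r"C:\Users\bob\Downloads\bundle.exe", True, False, ADWARE),
    LaunchEvent(r"C:\Users\bob\AppData\Local\Temp\x.exe", True, False, STOLEN),
    LaunchEvent(r"C:\Users\bob\AppData\Local\Temp\y.exe", True, False, None),
]


def evaluate(mode: Mode, events=EVENTS) -> Dict[str, bool]:
    """Map each image path to whether it would be allowed to launch under mode."""
    return {e.image: decide(e, mode)[0] for e in events}


if __name__ == "__main__":
    for mode in Mode:
        print(mode.value)
        for e in EVENTS:
            allowed, reason = decide(e, mode)
            print(f"  {'ALLOW' if allowed else 'BLOCK'} {e.image}  ({reason})")
```

    Under Medium the adware bundle and the look-alike-signed dropper both run, under Lock Down only the guarded browser runs, and the publisher-only variant admits the real updater while still blocking the dropper that carries the publisher's name on a different certificate.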
     
  14. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,457
    Location:
    .
    Yeah, it's a giggle for me when I forget to drop to Install for FEBE backup. Darn if I don't scratch for a mo' before I remember AppGuard. Medium is recommended for everyday use & Locked Down recommended for browsing in untrusted sites.
    Been a long time since I've trusted. Trusted sites = Oxymoron.
     
    Last edited: Jul 5, 2015
  15. hjlbx

    hjlbx Guest

    Digitally signed adware\scumware\riskware\scareware is a major problem. I see users reporting infections all the time on the security or AV vendor forums.

    Allowing digitally signed installers by default is a really bad idea.

    The whole point of an anti-executable is to block the execution of all files not white-listed on the system - with some critical things allowed to update - like Windows updates.
     
  16. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,538
    Location:
    Sweden
    Where are we with Win 10 coming up soon? AppGuard ready for it?
     
  17. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I've got it running in a win 10 image just fine. Real question is Win 10 ready for us?
     
  18. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    BRN also said AG is compatible with Windows 10 during a video net meeting I joined.
     
  19. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I agree. I don't want anything executing on my machine unless I intentionally allow it using the Publisher's List. Malware should never be allowed to run to begin with so the user does not have to worry about containment.
     
  20. hjlbx

    hjlbx Guest

    @Cutting_Edgetech

    What is the point of running both AG and NVT ERP together?

    After all, NVT ERP achieves everything I need to protect the system. However, I am aware that AG has some additional protections.

    Both are anti-executables, are they not?

    Best,

    HJLBX
     
  21. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    ERP does not restrict application behavior if an application is allowed to run. You can control some behavior by controlling the command lines, but I don't think it is as in-depth. I think AG will protect System Space and Program Files Folders better by not allowing web apps to write to those protected resources. AG also has the benefit of memory, folder, and registry protection. You could untick the option to allow all software in the Program Files Folders in ERP, but it can be tedious for a while until the user builds their whitelist.

    Edited 7/5 @8:56
     
  22. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Sorry forgot to answer your question. I consider them both anti-executables, but some users do not. I consider AG a policy based AE, and ERP a whitelisting AE. They both have their strengths, and weaknesses.
     
  23. hjlbx

    hjlbx Guest

    That's my NVT ERP methodology. Then enforce Lock-Down mode.

    Plus, I use Comodo IS. My config blocks writes to any objects in System32, SysWOW64, Program Files and Program (x86) Files. Only Windows Updates are possible by default. App updates via created rules. I haven't configured any rules for Windows (Metro) Apps yet.
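
    An added example, not part of hjlbx's post and not Comodo or AppGuard code, of the write-policy check behind the configuration just described: writes into System32, SysWOW64, Program Files and Program Files (x86) are blocked unless the writing process is on an exemption list. The folder list, the single exempt image (a stand-in for the Windows Update case) and the sample events are assumptions. The point it adds is that a protected-folder rule is only as good as its path canonicalisation: `..` segments, forward slashes, case differences, the `\\?\` extended prefix and the `C:\Program Files2` prefix trap all have to be handled before the comparison, or the rule is trivially sidestepped.

```python
"""Protected-folder write policy with Windows path canonicalisation.

Added example; not the configuration engine of any product named in the
thread. PROTECTED_DIRS, WRITE_EXEMPT_IMAGES and the sample events are assumed.
"""
import ntpath
from typing import List, Tuple

PROTECTED_DIRS = [
    r"C:\Windows\System32",
    r"C:\Windows\SysWOW64",
    r"C:\Program Files",
    r"C:\Program Files (x86)",
]

# Hypothetical exemption standing in for 'only Windows Update may write here'.
WRITE_EXEMPT_IMAGES = {r"C:\Windows\System32\svchost.exe"}

_EXTENDED_PREFIX = "\\\\?\\"   # \\?\ lets callers hand the kernel an un-normalised path


def canonical(path: str) -> str:
    """Normalise a Windows path before comparing it against policy.

    Unifies separators, strips the \\?\ prefix, collapses '.' and '..',
    and folds case (NTFS is case-insensitive by default). UNC forms and
    8.3 short names (C:\\PROGRA~1) are not resolved here: a real engine
    must resolve those against the live file system, not by string work.
    """
    p = path.replace("/", "\\")
    if p.startswith(_EXTENDED_PREFIX):
        p = p[len(_EXTENDED_PREFIX):]
    return ntpath.normcase(ntpath.normpath(p))


def is_under(path: str, directory: str) -> bool:
    """True if path is directory itself or lies beneath it.

    The comparison is done on a directory boundary; a bare prefix test
    would make 'C:\\Program Files2\\x' match 'C:\\Program Files'.
    """
    p = canonical(path)
    d = canonical(directory).rstrip("\\")
    return p == d or p.startswith(d + "\\")


def write_allowed(image_path: str, target_path: str) -> Tuple[bool, str]:
    """Decide whether the process image may write to target_path."""
    if not any(is_under(target_path, d) for d in PROTECTED_DIRS):
        return True, "target is not in a protected folder"
    exempt = {canonical(i) for i in WRITE_EXEMPT_IMAGES}
    if canonical(image_path) in exempt:
        return True, "exempt process"
    return False, "write into protected folder blocked"


# Constructed write attempts: (process image, target path)
SAMPLE_EVENTS: List[Tuple[str, str]] = [
    (r"C:\Users\bob\AppData\Local\Temp\dropper.exe", r"C:\Windows\System32\evil.dll"),
    (r"C:\Users\bob\AppData\Local\Temp\dropper.exe", r"C:\Users\bob\..\..\Windows\System32\evil.dll"),
    (r"C:\Users\bob\AppData\Local\Temp\dropper.exe", "C:/Program Files (x86)/Vendor/hook.dll"),
    (r"C:\Users\bob\AppData\Local\Temp\dropper.exe", r"c:\WINDOWS\system32\drivers\etc\hosts"),
    (r"C:\Users\bob\AppData\Local\Temp\dropper.exe", r"\\?\C:\Windows\SysWOW64\evil.dll"),
    (r"C:\Users\bob\AppData\Local\Temp\dropper.exe", r"C:\Program Files2\notes.txt"),
    (r"C:\Users\bob\AppData\Local\Temp\dropper.exe", r"C:\Users\bob\Documents\notes.txt"),
    (r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\patched.dll"),
]


def audit(events=SAMPLE_EVENTS) -> List[Tuple[str, bool]]:
    """Run every sample event through the policy; returns (target, allowed)."""
    return [(target, write_allowed(image, target)[0]) for image, target in events]


if __name__ == "__main__":
    for image, target in SAMPLE_EVENTS:
        allowed, reason = write_allowed(image, target)
        print(f"{'ALLOW' if allowed else 'BLOCK'} {image} -> {target}  ({reason})")
```

    Every disguised route into a protected folder (traversal, forward slashes, mixed case, the extended prefix) is blocked, the look-alike `C:\Program Files2` and the user's own Documents stay writable, and only the exempt image may write into System32.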
     
  24. hjlbx

    hjlbx Guest

    OK. What, in your experience, are the weaknesses?

    I dislike AG's UI... but it did pretty good for me except in a few cases when I tested it against some malicious scripts. The scripts were blocked, but cmd.exe ran just long enough that a few files got dropped to App Data.

    No big deal, just inactive malware that was detected by AV scan.
     
  25. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I used Online Armor since 2005 until this year so I had everything covered, but I have some weaknesses in my security now. I tried Comodo for 6 weeks, but it was not for me. It was extremely heavy on my computers. Probably the heaviest application I have ever used. I tried it on two different extremely powerful machines with the same result.
     