AppGuard 4.x 32/64 Bit - Releases

Discussion in 'other anti-malware software' started by Jryder54, Oct 29, 2013.

Thread Status:
Not open for further replies.
  1. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Hjlbx, was it you that informed me you could not export the Activity Report?
     
  2. hjlbx

    hjlbx Guest

    Yes.

    I know everything is saved to WELog. I avoid Event Viewer if I can, but it isn't absolutely terrible.

    To me the ideal log is like that created by NVT ERP - just a simple word file.

    Plus, I'd like a few other simple things that would make advanced configuration much easier for the user.
     
  3. hjlbx

    hjlbx Guest

    I have a little pip-squeak AMD A8 6GB - and CIS is one of the most responsive of all AVs on this particular system.

    Can't predict how any security soft is going to behave on a system by the system stats only...
     
  4. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I use ERP and AppGuard. Different types of protection. AppGuard's memory guard is hard to beat.
     
  5. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    The best logging I have seen was Online Armor, which used Excel if the user had Excel installed. Extremely clean, and easy to find what you are looking for. Each event was broken down into columns and rows. I think they also may have been color coded.
     
  6. guest

    guest Guest

    I just found out that we are allowed only 16 Power Application processes... quite limited... can we have more processes?
     
  7. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    I am confused now. The help says: 'When not in the Locked Down protection level, AppGuard will allow user-space applications and installations to execute if they are digitally signed by a publisher contained in the Publisher List'. (my bolding)
    Or am I missing something?
     
  8. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    FEBE works for me in Medium mode (with default Publisher List)?
     
  9. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    You really shouldn't need near that many
     
  10. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,457
    Location:
    .
    Ah, I've removed Publishers and usually at Locked Down. I'll check at Medium.
    No joy. Maybe it's location of my Backup. With AG Alerts at Default. AG is silent. So, I'z forget. No biggy. I enjoy giggle. I giggle that AG prevents legit from doing legit to legit. :D I hope it's all legit. :argh:
     
    Last edited: Jul 6, 2015
  11. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    There are times AG does prevent legit, for example, leaving it in lockdown and trying to run an installer from the desktop. AG says no no.
     
  12. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,457
    Location:
    .
    Well, after the fact by viewing Activity (as I don't want to be bombarded by Alerts)
    "usually ignore" "protection set to high"
    I'll have to play with the Alerts setting. Maybe I can get more Alerts without being inundated.
     
  13. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    Trying to run IE11 in Sandboxie and AppGuard complains as below (unless I run in Install mode). I have c:\sandbox User Space include=yes as recommended in this thread. Should I remove this entry, or e.g. add c:\sandbox\xxxx\defaultbox\drive\c (or a level lower) with User Space include = no? Or would that compromise my security? @Peter2150 or anyone else with AG and SBIE?

    07/07/15 17:05:02 Prevented process <comctl32.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\sandbox\xxxx\defaultbox\drive\c\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.9600.17810_none_34ae2abd958aedeb>.
    07/07/15 17:05:02 Prevented process <comctl32.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\sandbox\xxxx\defaultbox\drive\c\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17810_none_6240b9c7ecbd0bda>.
    07/07/15 17:05:01 Prevented process <tiptsf.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\sandbox\xxxx\defaultbox\drive\c\program files\common files\microsoft shared\ink>.
    07/07/15 17:05:01 Prevented process <tiptsf.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\sandbox\xxxx\defaultbox\drive\c\program files\common files\microsoft shared\ink>.
    07/07/15 17:05:01 Prevented process <a2hooks64.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\sandbox\xxxx\defaultbox\drive\c\program files (x86)\emsisoft internet security>.

    07/07/15 16:47:44 Prevented process <a2hooks64.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\sandbox\xxxx\defaultbox\drive\c\program files (x86)\emsisoft internet security>.
    07/07/15 16:47:44 Prevented process <combase.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\sandbox\xxxx\defaultbox\drive\c\windows\system32>.
    07/07/15 16:47:44 Prevented process <shlwapi.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\sandbox\xxxx\defaultbox\drive\c\windows\system32>.
    07/07/15 16:47:44 Prevented process <imagehlp.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\sandbox\xxxx\defaultbox\drive\c\windows\system32>.
    07/07/15 16:47:44 Prevented process <msvcrt.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\sandbox\xxxx\defaultbox\drive\c\windows\system32>.
    07/07/15 16:47:44 Prevented process <user32.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\sandbox\xxxx\defaultbox\drive\c\windows\system32>.
    07/07/15 16:47:44 Prevented process <hmpalert.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\sandbox\xxxx\defaultbox\drive\c\windows\system32>.
    07/07/15 16:46:49 Prevented process <a2hooks64.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\sandbox\xxxx\defaultbox\drive\c\program files (x86)\emsisoft internet security>.
    07/07/15 16:46:49 Prevented process <combase.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\sandbox\xxxx\defaultbox\drive\c\windows\system32>.
    07/07/15 16:46:49 Prevented process <shlwapi.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\sandbox\xxxx\defaultbox\drive\c\windows\system32>.
    07/07/15 16:46:49 Prevented process <imagehlp.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\sandbox\xxxx\defaultbox\drive\c\windows\system32>.
    07/07/15 16:46:49 Prevented process <msvcrt.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\sandbox\xxxx\defaultbox\drive\c\windows\system32>.
    07/07/15 16:46:49 Prevented process <user32.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\sandbox\xxxx\defaultbox\drive\c\windows\system32>.
    07/07/15 16:46:49 Prevented process <hmpalert.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\sandbox\xxxx\defaultbox\drive\c\windows\system32>.
     
  14. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    When not in Locked Down Protection Level AG will allow any signed file to execute in the user-space even if it's not on the Publisher's List. As long as the file is signed AG will allow it to execute with limited rights in the user-space in Medium Protection Level. I don't like this policy. I believe AG should only allow files signed by Publishers on the Trusted Publisher's List in Medium Protection Level instead of allowing any signed file to execute in the user-space.
     
    Last edited: Jul 8, 2015
  15. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    So the actual policy is different to that stated in the actual help? I assume you have tested this. I agree I don't like that either.
     
  16. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    My help file is correct. I'm not sure where you are looking in the help file. Go to Advanced Topics, and then to Protection Levels in the help file. Take a look at the screen shot below. I have to go to sleep now. I have to get up early. I hope this helps. I will check back tomorrow.
     

  17. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,872
    Location:
    Outer space
    Huh, you installed Emsisoft IS and HMP.Alert inside Sandboxie?

    Perhaps the problem lies with the wording, and it means software signed by some entity on the Publisher List can execute normally (since it also mentions installations), and any other signed software can also execute, but it will be Guarded (so unless they install to user-space and don't need the registry etc., installation will fail).
     
  18. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    OK. Indeed I wasn't looking at the online help but the downloadable AppGuard User Guide 4.2 page 13. I wonder which is correct?
     

  19. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    I am new to SBIE but no I don't think so. Those programs are just installed on my Win 8.1 machine, and I am just forcing IE11 to run in sandboxed mode. I only get these messages with IE11, not Firefox or Chrome.
     
  20. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,457
    Location:
    .
    Have you added c:\sandboxie to Guarded > Settings > Exception (Read Write)?
    Have you added c:\sandboxie to User Space?
     
  21. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    The one I posted is correct. I'm 100% positive. If AG is not behaving according to the description for Medium Protection Mode given by this manual then it is a bug. You can access it by clicking on the hyperlink labeled help in AG UI. Have a look at the image below if you are not sure where to find the help manual.
     


    Last edited: Jul 8, 2015
  22. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,457
    Location:
    .
    Hi paulderdash, does this look familiar... AG went hyper excited when I tried to open zip file...
    AG wanted me to drop level. AG was really riled up. Blinking and popping dialog.
    Zip went to Firefox download history and I saw evidence in Sandboxie Control window. Nothing in Quick Recovery. I terminated Zip evidence in Sandboxie Control. And then tried to calm AG down from blinking n' throwing drop level windows.
    07/08/15 21:58:55 Protection level is set to <locked down>.
    07/08/15 21:58:53 Protection level is set to <medium>.
    07/08/15 21:58:51 Protection level is set to <install>.
    07/08/15 21:58:51 AppGuard will stay in unsecured level <infinitely>.
    07/08/15 21:58:49 Protection level is set to <install>.
    07/08/15 21:58:48 Protection level is set to <medium>.
    07/08/15 21:58:07 Prevented process <combase.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\sandbox\bjms\firefox\drive\c\windows\system32>.
    07/08/15 21:58:07 Prevented process <shlwapi.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\sandbox\bjms\firefox\drive\c\windows\system32>.
    07/08/15 21:58:07 Prevented process <imagehlp.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\sandbox\bjms\firefox\drive\c\windows\system32>.
    07/08/15 21:58:07 Prevented process <msvcrt.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\sandbox\bjms\firefox\drive\c\windows\system32>.
    07/08/15 21:58:07 Prevented process <user32.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\sandbox\bjms\firefox\drive\c\windows\system32>.
    07/08/15 21:58:07 Prevented process <hmpalert.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\sandbox\bjms\firefox\drive\c\windows\system32>.
    07/08/15 21:57:36 Prevented process <combase.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\sandbox\bjms\firefox\drive\c\windows\system32>.
    07/08/15 21:57:36 Prevented process <shlwapi.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\sandbox\bjms\firefox\drive\c\windows\system32>.
    07/08/15 21:57:36 Prevented process <imagehlp.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\sandbox\bjms\firefox\drive\c\windows\system32>.
    07/08/15 21:57:36 Prevented process <msvcrt.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\sandbox\bjms\firefox\drive\c\windows\system32>.
    07/08/15 21:57:36 Prevented process <user32.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\sandbox\bjms\firefox\drive\c\windows\system32>.
    07/08/15 21:57:36 Prevented process <hmpalert.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\sandbox\bjms\firefox\drive\c\windows\system32>.
    07/08/15 21:53:37 Prevented <Windows Problem Reporting> from reading memory of <Sandboxie COM Services (DCOM)>.
    07/08/15 21:52:55 Protection level is set to <locked down>.
    07/08/15 21:52:51 Protection level is set to <off>.
    07/08/15 21:52:48 Protection level is set to <install>.
    07/08/15 21:52:26 Prevented process <combase.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\sandbox\bjms\firefox\drive\c\windows\system32>.
    07/08/15 21:52:26 Prevented process <shlwapi.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\sandbox\bjms\firefox\drive\c\windows\system32>.
    07/08/15 21:52:26 Prevented process <imagehlp.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\sandbox\bjms\firefox\drive\c\windows\system32>.
    07/08/15 21:52:26 Prevented process <msvcrt.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\sandbox\bjms\firefox\drive\c\windows\system32>.
    07/08/15 21:52:26 Prevented process <user32.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\sandbox\bjms\firefox\drive\c\windows\system32>.
    07/08/15 21:52:26 Prevented process <hmpalert.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\sandbox\bjms\firefox\drive\c\windows\system32>.
    07/08/15 21:52:02 Protection level is set to <medium>.
    07/08/15 21:51:56 Prevented <Windows Problem Reporting> from reading memory of <Sandboxie COM Services (DCOM)>.
    07/08/15 21:51:55 Prevented process <combase.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\sandbox\bjms\firefox\drive\c\windows\system32>.
    07/08/15 21:51:55 Prevented process <shlwapi.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\sandbox\bjms\firefox\drive\c\windows\system32>.
    07/08/15 21:51:55 Prevented process <imagehlp.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\sandbox\bjms\firefox\drive\c\windows\system32>.
    07/08/15 21:51:55 Prevented process <msvcrt.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\sandbox\bjms\firefox\drive\c\windows\system32>.
    07/08/15 21:51:55 Prevented process <user32.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\sandbox\bjms\firefox\drive\c\windows\system32>.
    07/08/15 21:51:55 Prevented process <hmpalert.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\sandbox\bjms\firefox\drive\c\windows\system32>.
    07/08/15 21:51:24 Prevented process <combase.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\sandbox\bjms\firefox\drive\c\windows\system32>.
    07/08/15 21:51:24 Prevented process <shlwapi.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\sandbox\bjms\firefox\drive\c\windows\system32>.
    07/08/15 21:51:24 Prevented process <imagehlp.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\sandbox\bjms\firefox\drive\c\windows\system32>.
    07/08/15 21:51:24 Prevented process <msvcrt.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\sandbox\bjms\firefox\drive\c\windows\system32>.
    07/08/15 21:51:24 Prevented process <user32.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\sandbox\bjms\firefox\drive\c\windows\system32>.
    07/08/15 21:51:24 Prevented process <hmpalert.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\sandbox\bjms\firefox\drive\c\windows\system32>.
    07/08/15 21:51:15 Protection level is set to <locked down>.
    07/08/15 21:51:08 Protection level is set to <install>.
    07/08/15 21:50:54 Prevented process <combase.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\sandbox\bjms\firefox\drive\c\windows\system32>.
    07/08/15 21:50:54 Prevented process <shlwapi.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\sandbox\bjms\firefox\drive\c\windows\system32>.
    07/08/15 21:50:54 Prevented process <imagehlp.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\sandbox\bjms\firefox\drive\c\windows\system32>.
    07/08/15 21:50:54 Prevented process <msvcrt.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\sandbox\bjms\firefox\drive\c\windows\system32>.
    07/08/15 21:50:54 Prevented process <user32.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\sandbox\bjms\firefox\drive\c\windows\system32>.
    07/08/15 21:50:54 Prevented process <hmpalert.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\sandbox\bjms\firefox\drive\c\windows\system32>.
    07/08/15 21:50:23 Prevented process <combase.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\sandbox\bjms\firefox\drive\c\windows\system32>.
    07/08/15 21:50:23 Prevented process <shlwapi.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\sandbox\bjms\firefox\drive\c\windows\system32>.
    07/08/15 21:50:23 Prevented process <imagehlp.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\sandbox\bjms\firefox\drive\c\windows\system32>.
    07/08/15 21:50:23 Prevented process <msvcrt.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\sandbox\bjms\firefox\drive\c\windows\system32>.
    07/08/15 21:50:23 Prevented process <user32.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\sandbox\bjms\firefox\drive\c\windows\system32>.
    07/08/15 21:50:23 Prevented process <hmpalert.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\sandbox\bjms\firefox\drive\c\windows\system32>.
    07/08/15 21:50:06 Protection level is set to <medium>.
    07/08/15 21:49:52 Prevented process <combase.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\sandbox\bjms\firefox\drive\c\windows\system32>.
    07/08/15 21:49:52 Prevented process <shlwapi.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\sandbox\bjms\firefox\drive\c\windows\system32>.
    07/08/15 21:49:52 Prevented process <imagehlp.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\sandbox\bjms\firefox\drive\c\windows\system32>.
    07/08/15 21:49:52 Prevented process <msvcrt.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\sandbox\bjms\firefox\drive\c\windows\system32>.
    07/08/15 21:49:52 Prevented process <user32.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\sandbox\bjms\firefox\drive\c\windows\system32>.
    07/08/15 21:49:52 Prevented process <hmpalert.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\sandbox\bjms\firefox\drive\c\windows\system32>.
    07/08/15 21:36:38 Protection level is set to <locked down>.

    Makes me wonder what AG activity means and I'll post over at Sandboxie.
    AG has recommended Sandboxie and HitmanProAlert customize + hmpalert as Power App + only Publisher = BRN
     
    Last edited: Jul 8, 2015
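    The Activity Report excerpts in posts 13 and 22 are the same three event shapes repeated many times: "Prevented process <dll | host> from launching from <dir>", "Prevented <A> from reading memory of <B>", and "Protection level is set to <level>". The parser below is an added example (not AppGuard's or Sandboxie's code) that groups the launch blocks by the directory they came from and maps each Sandboxie box path back to the real directory it shadows, which is the information needed to decide whether a c:\sandbox\...\drive\c subfolder belongs in User Space. It assumes the default Sandboxie layout c:\sandbox\<user>\<box>\drive\<letter>\... that the quoted paths show; the sample log is constructed from lines in the thread.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the Activity Report lines quoted in posts 13 and 22.
SAMPLE_LOG = r"""
07/08/15 21:58:55 Protection level is set to <locked down>.
07/08/15 21:58:07 Prevented process <combase.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\sandbox\bjms\firefox\drive\c\windows\system32>.
07/08/15 21:58:07 Prevented process <hmpalert.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\sandbox\bjms\firefox\drive\c\windows\system32>.
07/08/15 21:53:37 Prevented <Windows Problem Reporting> from reading memory of <Sandboxie COM Services (DCOM)>.
07/07/15 16:47:44 Prevented process <a2hooks64.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\sandbox\xxxx\defaultbox\drive\c\program files (x86)\emsisoft internet security>.
07/07/15 16:47:44 Prevented process <combase.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\sandbox\xxxx\defaultbox\drive\c\windows\system32>.
07/07/15 16:47:00 Protection level is set to <medium>.
"""

TS = r"(?P<ts>\d\d/\d\d/\d\d \d\d:\d\d:\d\d)"
LAUNCH = re.compile(TS + r" Prevented process <(?P<module>[^|>]+?) \| (?P<host>[^>]+)> from launching from <(?P<dir>[^>]+)>\.$")
MEMORY = re.compile(TS + r" Prevented <(?P<src>[^>]+)> from reading memory of <(?P<dst>[^>]+)>\.$")
LEVEL = re.compile(TS + r" Protection level is set to <(?P<level>[^>]+)>\.$")
# Assumed default Sandboxie layout: the box's redirected copy of drive X lives under <box>\drive\X\...
SANDBOX_DIR = re.compile(r"^[a-z]:\\sandbox\\[^\\]+\\[^\\]+\\drive\\(?P<drive>[a-z])\\(?P<rest>.*)$", re.I)


def parse_events(text):
    """Turn Activity Report text into typed event dicts; lines of unknown shape are kept as 'other'."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        for kind, pat in (("launch", LAUNCH), ("memory", MEMORY), ("level", LEVEL)):
            m = pat.match(line)
            if m:
                events.append({"kind": kind, **m.groupdict()})
                break
        else:
            events.append({"kind": "other", "raw": line})
    return events


def sandbox_to_host(path):
    """Map a Sandboxie box path back to the real directory it shadows, or None if it is not a box path."""
    m = SANDBOX_DIR.match(path)
    if not m:
        return None
    return f"{m.group('drive').upper()}:\\{m.group('rest')}"


def summarize_launch_blocks(events):
    """Group launch blocks by blocked directory: count, DLLs involved, host processes, shadowed real dir."""
    groups = defaultdict(lambda: {"count": 0, "modules": set(), "hosts": set(), "shadows": None})
    for ev in events:
        if ev["kind"] != "launch":
            continue
        g = groups[ev["dir"].lower()]
        g["count"] += 1
        g["modules"].add(ev["module"].lower())
        g["hosts"].add(ev["host"])
        g["shadows"] = sandbox_to_host(ev["dir"])
    return dict(sorted(groups.items(), key=lambda kv: -kv[1]["count"]))


def report(text):
    """One line per blocked directory, most frequent first, plus counts of the other event kinds."""
    events = parse_events(text)
    levels = [e for e in events if e["kind"] == "level"]
    memory = [e for e in events if e["kind"] == "memory"]
    lines = [f"protection level changes: {len(levels)}", f"memory-read blocks: {len(memory)}"]
    for d, g in summarize_launch_blocks(events).items():
        shadow = f" (box copy of {g['shadows']})" if g["shadows"] else ""
        lines.append(f"{g['count']:3d} x {sorted(g['modules'])} via {sorted(g['hosts'])} from {d}{shadow}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

    Every launch block in both posts is rundll32.exe loading a DLL from the box's copy of a system directory, which the "box copy of" annotation makes visible at a glance.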
  23. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    Yes - c:\sandbox added to Guarded > Settings > Exception (Read Write) and to User Space = yes
     
  24. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    Yes it does look familiar :) I have added c:\sandbox\xxxx\firefox\drive\c\windows\system32 to User Space = no ...
    With regard to your comment 'AG has recommended Sandboxie and HitmanProAlert customize + hmpalert as Power App + only Publisher = BRN' can you be more specific about any customisations required for HMPA?
    So far I have c:\windows\cryptoguard set to Exception (Read/Write) in Guarded Apps settings, but I have not needed hmpalert.exe to be set as a Power App (yet) ...
    For SBIE I have c:\sandbox set to Exception (Read/Write) in Guarded Apps settings and User Space = yes (except for some subfolders = no e.g. above)
    I also have c:\program files\sandboxie\sandboxiecrypto.exe + sandboxiedcomlaunch.exe + sandboxierpcss.exe set as Power Apps (read that somewhere in this thread, but not 100% sure if this is necessary ...).
     
  25. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    Thanks @Cutting_Edgetech - I do see that; was just wondering why the online help is possibly inconsistent with the User Guide (page 13) downloadable here.
     