AppGuard 4.x 32/64 Bit - Releases

Discussion in 'other anti-malware software' started by Jryder54, Oct 29, 2013.

Thread Status:
Not open for further replies.
  1. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
I couldn't find any good literature on Publisher settings as requested. The Publisher's List only pertains to user-space executions. The Publisher's Settings are only relevant in Medium Protection Mode. The Publisher's List is ignored in Locked Down Mode. The Publisher Settings decide whether the Publisher will be Guarded, run in Privacy Mode, or execute with Memory Protection in the user-space. It does not pertain to applications located in Program Files Folders, or in the System Space. Guarded applications will be run with limited rights. That means guarded applications will not be able to write to the system space, program files folders, or protected registry keys. If you have Privacy Mode enabled then that Publisher will not be able to access folders defined as private within AG. If you have Memory Protection enabled then the Publisher will not be able to read/write to the memory of other processes.

    Edited 8/29 @ 8:32
     
  2. peters4000

    peters4000 Registered Member

    Joined:
    Jun 30, 2012
    Posts:
    26
    Location:
    GB
    Thanks for your help Cutting.
    Will have to read & reread a few times to understand fully. As I have said, I'm new to this program.

    A few more questions which could help me understand the Publishers setting more:

    Does the Publishers list affect a "Guarded" program in "System space"?

    Why would the Publishers list need to be set Private or Guarded? Wouldn't it stop it working correctly?

    Is it preferred to use a Publisher's certificate so as to allow updating at "Medium" level, or not use the certificate and drop to "Install" level?
     
  3. syrinx

    syrinx Registered Member

    Joined:
    Apr 7, 2014
    Posts:
    427
    I recently noticed something similar with the Windows Firewall rules on a machine I was working on. It had rules such as C:4\etc... and appeared to be related to a file based write filter that was installed on the system. (Guessing but it was the only difference I noticed...) Any chance you use (or at least have one installed even if it's not active?) a write filter on your system? Windows 10 Enterprise (I think that's the only one) comes with a unified write filter but I don't believe it's installed by default.
     
  4. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    No, it only affects user-space executions.

    It could cause an application not to function correctly. I guess BRN wanted to allow the user to configure the Publisher's settings to give the least privileges possible, and still allow the application to update. Anytime you use digital certificates it could leave an opportunity for malware to piggyback off of the digital certificate, so I guess BRN wanted to make it harder for this to occur. I never guard Publishers I add to the list, but that's not to say I won't in the future. I also haven't needed to make a Publisher run in Privacy Mode, but that could be useful for some users.
    That will depend on user preference. Some users like the convenience of not having to disable AG so they add applications that update often to the Publisher's List; other users choose not to add any unless they have an application that will not function correctly due to that application executing in the user-space. In that case it will be necessary to add its digital certificate to the Publisher's list if it is a signed application. It's safer to add the fewest Publishers possible in my opinion. Malware also uses stolen digital certificates, or finds ways to get its own. In that case the malware would be allowed to execute in the user-space with limited rights. It will always be safer not to allow the malware to execute to begin with, so I recommend only adding certificates you are sure you need, and removing the ones that come on the list that you don't need.

    edited 8/30 @ 11:50 am
     
    Last edited: Aug 30, 2015
  5. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Does anyone else see these entries in their AG Activity Report? I occasionally get these entries, and was wondering if anyone might know what application is triggering them. The parent process shows as blank. I was using Firefox when the block occurred. I have lots of blocked events from Adobe Flash as well, which is normal.

    08/31/15 13:31:48 Prevented process <Windows host process (Rundll32)> from writing to <c:\bootsqm.dat>.
    08/31/15 13:29:54 Prevented process <Windows host process (Rundll32)> from writing to <c:\bootsqm.dat>.
     
  6. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,796
    Location:
    .
    Yes. IIRC they always come in a couple of lines.
     
  7. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Just wish it showed the parent process.
     
  8. peters4000

    peters4000 Registered Member

    Joined:
    Jun 30, 2012
    Posts:
    26
    Location:
    GB
    Thanks Cutting. Excellent information. I think I will cull some of the publishers' certificates not needed on my machine & decide if I want to "Trust" others.

    I read a good article in this forum explaining why for "ordinary Browser" use it's best to put Sandboxie's containing folder in "user" space as well as making the folder a read/write exception, which I'd like to reread.
    I have looked everywhere but can't find the post; can anyone help please?
     
    Last edited: Sep 1, 2015
  9. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    Not sure if this is what you are looking for but here is something I posted on this subject a while ago: -

    https://www.wilderssecurity.com/threads/appguard-4-x-32-64-bit.355206/page-12#post-2307841

    Regards
    pegr
     
  10. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I don't use Sandboxie, but I know some users add the sandbox folder to the user-space. That is what I would do if I could do it without conflict. Some users were unable to get Sandboxie to work after adding the sandbox folder to the user-space. I would try adding it to the user-space, and see if they work together without conflict. I was able to get them to work together in the past on Windows 7X64 after adding the Sandbox to the user-space. I may have had to make some of Sandboxie's executables Power Apps. What OS are you using? I'm still using Windows 7X64 Ultimate, but will be upgrading 2 of my machines to Windows 10. I'm sure another Sandboxie user will be able to help you configure AG if they have the same OS as you.
     
  11. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,207
    I've never had any problem with the c:\Sandbox folder in user space, even when also having SBIE start/run restrictions in that sandbox. In this case using them in SBIE might be a bit redundant when AppGuard is also guarding the programs running.

    However, when you want to install a program into a sandbox, you might prefer to have that special sandbox folder excluded from user space, i.e. with an include flag of No. Otherwise you have to use the icon right-click option "Allow User Space Launches ..." when installing the program into a sandbox.
     
  12. peters4000

    peters4000 Registered Member

    Joined:
    Jun 30, 2012
    Posts:
    26
    Location:
    GB
    Thanks pegr, that's the post I have been searching for, very useful, as is your post #5 which actually made me decide to buy the license!

    Hi Cutting, pegr's user space method works perfectly for me. Just a thought: make sure it's Sandboxie's "container folder" only in user space; keep the actual program, the one with the .exe & .dll & stuff, in Program Files (System space).

    Hi Jarmo, not tried any program installs yet. Thanks for the information; the "Allow user space launches" will be my choice as I don't install that many untried programs.

    Thanks again for everyone's help. Great forum.

    Peter
     
  13. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    How do you configure it?
    I'm very much interested in how you are configuring AppGuard so Sandboxie does not break. I'm asking you here about the configuration since in about 2 months I will have a fresh new computer with Windows 10 on it, and one of the options is AppGuard and Sandboxie. I only want to know how you configure AppGuard so Sandboxie does not break, even though you use Sandboxie with start/run restrictions.
    If you don't mind, can you help me with that?
    And also could you send me your Sandboxie configuration in a private message?
    Big thanks in advance, Jarmo P.
     
  14. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,207
    I do nothing else in AppGuard regarding Sandboxie. Nothing at all. Where does this belief of yours come from that AG can break Sandboxie, the program I mean? I might be a bit behind on things regarding SBIE, I admit. I have not followed the Sandboxie forum lately or even the posts in Wilders on the 2 current ongoing threads.

    My Sandboxie usage these days is a bit limited to browsers, using the start/run restrictions. In my sandbox named Chrome I have settings for the Chrome browser:

    1. Always force Chrome to run sandboxed .... That's a Program Start/Forced Programs feature. Program Stop --> Leader Programs ... only chrome.exe.
    2. Restrictions --> Start/Run Access .... the only program I have allowed is chrome.exe. I think I can't post attachments to this forum if not allowing dllhost.exe. But that is old memory. I can anyway use something like the DefaultBox sandbox for running Chrome in there.

    Firefox-box has, I think, the same kind of settings for firefox.exe. In restrictions I have also allowed plugin-container.exe, the FlashPlayerPlugin_x_y_z_w.exe, dllhost.exe. Firefox has really become too much of a bother for me. Update Flash, update the firewall rule for it, update Firefox-box in SBIE.

    The main point of posting my reply to CET was to give the information that I personally have never had any problems with the C:\Sandbox folder in user space. And also to peters4000 about what to do if wanting to do installs into a sandbox with that option enabled. I use a test sandbox, or if I want to keep some program installed between Windows restarts, a specially made box for it with no restrictions. Those boxes are "excluded" from user space. If I had only the SBIE free version and so was not able to use differently configured sandboxes, I would do what peters4000 planned, since I am also not a heavy installer/tester of programs.

    But that is only because I have not experienced problems with include flag Yes. If you know otherwise, please share.

    I do some weird things with SBIE like running one instance of Chrome in box Chrome and another in a sandbox Chrome2. Now when I save a bookmark, that enabled feature works only on the first opened instance of the browser GUI. I was told that is maybe not so recommended a thing to do with Sandboxie. But that has nothing to do with AppGuard. I am just the wrong guy to ask any deep stuff. I believe the uMatrix & uBlock Origin allowances .. cookies, scripts, etc. are separated a bit when running the same browser in 2 sandboxes. In fact I am curious to know what risks/benefits doing so might involve. I have just been too lazy to try to make a thread on the Sandboxie forum.
     
    Last edited: Sep 2, 2015
  15. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Default installation of Sandboxie will install c:\Sandboxie as the default. If your browser is sandboxed it will try and write to that folder, and Appguard will block it. In the guarded app folder you need to go to settings and add that folder with the read/write exceptions.
     
  16. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,207
    No Pete, even excluding that would not exactly have broken Sandboxie as a program. But we were not discussing here that necessary step you mentioned, if you had cared to read the original post #3509 and the replies generated from it.
     
  17. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I just went back and re-read. I am just following what pegr recommended myself, and I have no issues. I'll step back.
     
  18. cybergary

    cybergary Registered Member

    Joined:
    Dec 6, 2006
    Posts:
    28
    09/03/15 08:12:36 Prevented process <api-ms-win-security-lsalookup-l1-1-2.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\programdata\composersetup\bin>.

    I see this often, should I allow: api-ms-win-security-lsalookup-l1-1-2.dll ?
     
    Last edited: Sep 3, 2015
  19. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,796
    Location:
    .
    Do you people know what Chrome is trying to do here?
    09/05/15 09:43:47 Prevented <Google Chrome> from writing to <\registry\machine\software\excubits\bouncer>.

    No bad symptoms or loss of functionality so far but just out of curiosity I want to know.
     
  20. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,639
    Location:
    Under a bushel ...
    No idea, but it is interesting, if not baffling, what Appguard 'exposes'.
     
  21. FleischmannTV

    FleischmannTV Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,094
    Location:
    Germany
    I am pretty sure Chrome is not trying to interfere with Bouncer. You have to be very careful interpreting these events. Sometimes third party security software interferes with guarded applications and it looks like the guarded application is behaving suspiciously in the event log. Some time ago there was an AppGuard event log entry posted here, where Chrome was supposedly trying to write to Sandboxie's program folder. The truth was that it was Sandboxie (the service I think) itself and it only looked like Chrome was doing it, because Chrome was running under Sandboxie's supervision.

    Please look up the event in the event log and click on message info; this should provide more details.
     
    Last edited: Sep 5, 2015
  22. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,796
    Location:
    .
    I believe it has something to do with Sandboxie:

    Message info:
    Blocked Application Path: c:\program files (x86)\google\chrome\application\chrome.exe
    Parent Process: c:\program files\sandboxie\start.exe
    Protected Resource: \registry\machine\software\excubits\bouncer
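    Several posts above (the Rundll32 writes to c:\bootsqm.dat, the api-ms-win-security-lsalookup launch block, and the Chrome/Bouncer registry entry with its Message info showing start.exe as the parent) quote AppGuard Activity Report lines by hand. As an added example, not AppGuard's own tooling nor anything posted in this thread, the Python below parses the three line shapes quoted here, splits the "module | image" form seen on the rundll32 entry, classifies the resource as file or registry, reads the "Message info" field block, and tallies repeated events so the noisy pairs are counted rather than eyeballed. The sample lines are the ones quoted in the thread plus one constructed non-matching line; the field names in the Message info block are taken from the post above, and the assumption is that other entries follow the same `Prevented ... <subject> from <action> <resource>.` pattern.

```python
"""Parse AppGuard 4.x Activity Report lines and 'Message info' blocks.

Added example, not AppGuard's own tooling. The line shapes and Message info
field names are taken from entries quoted in this forum thread; any other
entry is assumed to follow the same "Prevented ... <subject> from <action>
<resource>." pattern.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Timestamp, optional "process" keyword, <subject>, action phrase, <resource>.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"Prevented (?:process )?<(?P<subject>[^>]+)> "
    r"from (?P<action>[a-z ]+?) <(?P<resource>[^>]+)>\.?$"
)


@dataclass
class Event:
    timestamp: str
    subject: str            # the <...> text AppGuard printed
    module: Optional[str]   # DLL name when subject is "module | image"
    image: Optional[str]    # image path when subject is "module | image"
    action: str             # e.g. "writing to", "launching from"
    resource: str
    kind: str               # "registry" or "file"


def parse_line(line: str) -> Optional[Event]:
    """Return an Event for a report line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    subject = m["subject"].strip()
    module = image = None
    if " | " in subject:
        module, image = (part.strip() for part in subject.split(" | ", 1))
    resource = m["resource"].strip()
    kind = "registry" if resource.lower().startswith("\\registry\\") else "file"
    return Event(m["ts"], subject, module, image, m["action"].strip(), resource, kind)


def parse_message_info(text: str) -> dict:
    """Turn the 'Message info' detail block into a dict keyed by field name."""
    wanted = ("blocked_application_path", "parent_process", "protected_resource")
    info = {}
    for raw in text.splitlines():
        if ":" not in raw:
            continue
        key, value = raw.split(":", 1)
        key = key.strip().lower().replace(" ", "_")
        if key in wanted:
            info[key] = value.strip()
    return info


def parent_image_name(info: dict) -> str:
    """Basename of the parent process; this is what reveals who really launched the app."""
    return info.get("parent_process", "").rsplit("\\", 1)[-1]


def summarize(lines) -> Counter:
    """Count events by (subject, action, resource); unparseable lines are skipped."""
    counts = Counter()
    for line in lines:
        ev = parse_line(line)
        if ev is not None:
            counts[(ev.subject, ev.action, ev.resource)] += 1
    return counts


# Lines quoted in the thread, plus one constructed line that should not match.
SAMPLE_LINES = [
    r"08/31/15 13:31:48 Prevented process <Windows host process (Rundll32)> from writing to <c:\bootsqm.dat>.",
    r"08/31/15 13:29:54 Prevented process <Windows host process (Rundll32)> from writing to <c:\bootsqm.dat>.",
    r"09/03/15 08:12:36 Prevented process <api-ms-win-security-lsalookup-l1-1-2.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\programdata\composersetup\bin>.",
    r"09/05/15 09:43:47 Prevented <Google Chrome> from writing to <\registry\machine\software\excubits\bouncer>.",
    "some unrelated log noise",  # constructed: exercises the None path
]

# Message info block as quoted in the thread.
MESSAGE_INFO = r"""Message info:
Blocked Application Path: c:\program files (x86)\google\chrome\application\chrome.exe
Parent Process: c:\program files\sandboxie\start.exe
Protected Resource: \registry\machine\software\excubits\bouncer"""


if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LINES).most_common():
        print(n, key)
    info = parse_message_info(MESSAGE_INFO)
    print("parent:", parent_image_name(info), "->", info["protected_resource"])
```

    Running it prints the two identical Rundll32 entries as one line with a count of 2, and shows start.exe as the parent of the Chrome registry block, which is the detail FleischmannTV's post says to check before reading the event as Chrome misbehaving on its own.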
     
  23. FleischmannTV

    FleischmannTV Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,094
    Location:
    Germany
    It is also possible that Bouncer is injecting into Chrome and makes Chrome do something it wouldn't do otherwise. I can't tell from here. However, I am still confident that Chrome isn't trying to mess with Bouncer.
     
  24. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,453
    Location:
    .
    Did we ever finalize Sandboxie in user space... seems we decided not to add Sandboxie to user space...
    Is that still valid, or have the Sandboxie messages been determined as not relevant? #3522
     
  25. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,796
    Location:
    .
    Bouncer is a KMD and I don't think it's injecting into anything. You can check how this works, if you wish: http://www.bitnuts.de/KernelBasedMonitoring.pdf
    I'm going to watch closely and post in Bouncer's thread.
    Thank you @FleischmannTV
     