AppGuard 4.x 32/64 Bit - Releases

Discussion in 'other anti-malware software' started by Jryder54, Oct 29, 2013.

  1. hjlbx

    hjlbx Guest

    Yes. What address?

    NOTE: My AppGuard config has changed since that incident. I will detail the change.
     
  2. hjlbx

    hjlbx Guest

    @Barb_C

    AppGuard does not retain the Publisher Level @ Install (in this case SurfRight); AppGuard reverts to -- after setting Level to Install.

    1. Change Publisher Level from -- to Install.
    2. Select Apply.
    3. Select OK.
    4. Reopen AppGuard GUI.
    5. Publisher Level has changed from Install back to -- .

     
    Last edited by a moderator: Feb 10, 2016
  3. syrinx

    syrinx Registered Member

    Joined:
    Apr 7, 2014
    Posts:
    427
    There was nothing as far as Errors or Critical events go (Aside from my NIC not getting an address since it was unplugged). All I could find were the normal 'Informational' entries regarding AG under applications. I did get the alert when switching to locked down mode, but nothing in the Event log about it.

    Code:
    Log Name:  Application
    Source:  Blue Ridge AppGuard
    Date:  2/10/2016 11:27:17 AM
    Event ID:  20
    Task Category: Configuration
    Level:  Information
    Keywords:  Classic
    User:  GOLDEN\Gamer
    Computer:  Golden
    Description:
    Security level is set to locked down.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
      <Provider Name="Blue Ridge AppGuard" />
      <EventID Qualifiers="16385">20</EventID>
      <Level>4</Level>
      <Task>3</Task>
      <Keywords>0x80000000000000</Keywords>
      <TimeCreated SystemTime="2016-02-10T16:27:17.000000000Z" />
      <EventRecordID>4938</EventRecordID>
      <Channel>Application</Channel>
      <Computer>Golden</Computer>
      <Security UserID="S-1-5-21-1337292581-3093101381-216091584-500" />
      </System>
      <EventData>
      <Data>locked down</Data>
      </EventData>
    </Event>
    
    Log Name:  Application
    Source:  Blue Ridge AppGuard
    Date:  2/10/2016 11:27:15 AM
    Event ID:  312
    Task Category: Configuration
    Level:  Information
    Keywords:  Classic
    User:  SYSTEM
    Computer:  Golden
    Description:
    Cannot locate Guarded Application <c:\windows\system32\java*.exe>.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
      <Provider Name="Blue Ridge AppGuard" />
      <EventID Qualifiers="16388">312</EventID>
      <Level>4</Level>
      <Task>3</Task>
      <Keywords>0x80000000000000</Keywords>
      <TimeCreated SystemTime="2016-02-10T16:27:15.000000000Z" />
      <EventRecordID>4937</EventRecordID>
      <Channel>Application</Channel>
      <Computer>Golden</Computer>
      <Security UserID="S-1-5-18" />
      </System>
      <EventData>
      <Data>c:\windows\system32\java*.exe</Data>
      </EventData>
    </Event>
    
    Log Name:  Application
    Source:  Blue Ridge AppGuard
    Date:  2/10/2016 11:27:15 AM
    Event ID:  312
    Task Category: Configuration
    Level:  Information
    Keywords:  Classic
    User:  SYSTEM
    Computer:  Golden
    Description:
    Cannot locate Guarded Application <c:\program files\java\*\bin\java*.exe>.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
      <Provider Name="Blue Ridge AppGuard" />
      <EventID Qualifiers="16388">312</EventID>
      <Level>4</Level>
      <Task>3</Task>
      <Keywords>0x80000000000000</Keywords>
      <TimeCreated SystemTime="2016-02-10T16:27:15.000000000Z" />
      <EventRecordID>4936</EventRecordID>
      <Channel>Application</Channel>
      <Computer>Golden</Computer>
      <Security UserID="S-1-5-18" />
      </System>
      <EventData>
      <Data>c:\program files\java\*\bin\java*.exe</Data>
      </EventData>
    </Event>
    
    Log Name:  Application
    Source:  Blue Ridge AppGuard
    Date:  2/10/2016 11:27:15 AM
    Event ID:  312
    Task Category: Configuration
    Level:  Information
    Keywords:  Classic
    User:  SYSTEM
    Computer:  Golden
    Description:
    Cannot locate Guarded Application <c:\program files\videolan\vlc\vlc.exe>.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
      <Provider Name="Blue Ridge AppGuard" />
      <EventID Qualifiers="16388">312</EventID>
      <Level>4</Level>
      <Task>3</Task>
      <Keywords>0x80000000000000</Keywords>
      <TimeCreated SystemTime="2016-02-10T16:27:15.000000000Z" />
      <EventRecordID>4935</EventRecordID>
      <Channel>Application</Channel>
      <Computer>Golden</Computer>
      <Security UserID="S-1-5-18" />
      </System>
      <EventData>
      <Data>c:\program files\videolan\vlc\vlc.exe</Data>
      </EventData>
    </Event>
    
    Log Name:  Application
    Source:  Blue Ridge AppGuard
    Date:  2/10/2016 11:27:15 AM
    Event ID:  312
    Task Category: Configuration
    Level:  Information
    Keywords:  Classic
    User:  SYSTEM
    Computer:  Golden
    Description:
    Cannot locate Guarded Application <c:\program files\cyberlink\powerdvd*\pdvdlp.exe>.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
      <Provider Name="Blue Ridge AppGuard" />
      <EventID Qualifiers="16388">312</EventID>
      <Level>4</Level>
      <Task>3</Task>
      <Keywords>0x80000000000000</Keywords>
      <TimeCreated SystemTime="2016-02-10T16:27:15.000000000Z" />
      <EventRecordID>4934</EventRecordID>
      <Channel>Application</Channel>
      <Computer>Golden</Computer>
      <Security UserID="S-1-5-18" />
      </System>
      <EventData>
      <Data>c:\program files\cyberlink\powerdvd*\pdvdlp.exe</Data>
      </EventData>
    </Event>
    
    Log Name:  Application
    Source:  Blue Ridge AppGuard
    Date:  2/10/2016 11:27:15 AM
    Event ID:  313
    Task Category: Configuration
    Level:  Information
    Keywords:  Classic
    User:  SYSTEM
    Computer:  Golden
    Description:
    Guarded Application <c:\windows\syswow64\cmd.exe> found.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
      <Provider Name="Blue Ridge AppGuard" />
      <EventID Qualifiers="16388">313</EventID>
      <Level>4</Level>
      <Task>3</Task>
      <Keywords>0x80000000000000</Keywords>
      <TimeCreated SystemTime="2016-02-10T16:27:15.000000000Z" />
      <EventRecordID>4933</EventRecordID>
      <Channel>Application</Channel>
      <Computer>Golden</Computer>
      <Security UserID="S-1-5-18" />
      </System>
      <EventData>
      <Data>c:\windows\syswow64\cmd.exe</Data>
      </EventData>
    </Event>
    
    Log Name:  Application
    Source:  Blue Ridge AppGuard
    Date:  2/10/2016 11:27:15 AM
    Event ID:  313
    Task Category: Configuration
    Level:  Information
    Keywords:  Classic
    User:  SYSTEM
    Computer:  Golden
    Description:
    Guarded Application <c:\windows\syswow64\regsvr32.exe> found.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
      <Provider Name="Blue Ridge AppGuard" />
      <EventID Qualifiers="16388">313</EventID>
      <Level>4</Level>
      <Task>3</Task>
      <Keywords>0x80000000000000</Keywords>
      <TimeCreated SystemTime="2016-02-10T16:27:15.000000000Z" />
      <EventRecordID>4932</EventRecordID>
      <Channel>Application</Channel>
      <Computer>Golden</Computer>
      <Security UserID="S-1-5-18" />
      </System>
      <EventData>
      <Data>c:\windows\syswow64\regsvr32.exe</Data>
      </EventData>
    </Event>
    
    Log Name:  Application
    Source:  Blue Ridge AppGuard
    Date:  2/10/2016 11:27:15 AM
    Event ID:  313
    Task Category: Configuration
    Level:  Information
    Keywords:  Classic
    User:  SYSTEM
    Computer:  Golden
    Description:
    Guarded Application <c:\windows\syswow64\rundll32.exe> found.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
      <Provider Name="Blue Ridge AppGuard" />
      <EventID Qualifiers="16388">313</EventID>
      <Level>4</Level>
      <Task>3</Task>
      <Keywords>0x80000000000000</Keywords>
      <TimeCreated SystemTime="2016-02-10T16:27:15.000000000Z" />
      <EventRecordID>4931</EventRecordID>
      <Channel>Application</Channel>
      <Computer>Golden</Computer>
      <Security UserID="S-1-5-18" />
      </System>
      <EventData>
      <Data>c:\windows\syswow64\rundll32.exe</Data>
      </EventData>
    </Event>
    
    Log Name:  Application
    Source:  Blue Ridge AppGuard
    Date:  2/10/2016 11:27:15 AM
    Event ID:  312
    Task Category: Configuration
    Level:  Information
    Keywords:  Classic
    User:  SYSTEM
    Computer:  Golden
    Description:
    Cannot locate Guarded Application <c:\program files\adobe\*\reader\acrord32.exe>.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
      <Provider Name="Blue Ridge AppGuard" />
      <EventID Qualifiers="16388">312</EventID>
      <Level>4</Level>
      <Task>3</Task>
      <Keywords>0x80000000000000</Keywords>
      <TimeCreated SystemTime="2016-02-10T16:27:15.000000000Z" />
      <EventRecordID>4930</EventRecordID>
      <Channel>Application</Channel>
      <Computer>Golden</Computer>
      <Security UserID="S-1-5-18" />
      </System>
      <EventData>
      <Data>c:\program files\adobe\*\reader\acrord32.exe</Data>
      </EventData>
    </Event>
    
    Log Name:  Application
    Source:  Blue Ridge AppGuard
    Date:  2/10/2016 11:27:15 AM
    Event ID:  312
    Task Category: Configuration
    Level:  Information
    Keywords:  Classic
    User:  SYSTEM
    Computer:  Golden
    Description:
    Cannot locate Guarded Application <c:\program files\windows media player\wmplayer.exe>.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
      <Provider Name="Blue Ridge AppGuard" />
      <EventID Qualifiers="16388">312</EventID>
      <Level>4</Level>
      <Task>3</Task>
      <Keywords>0x80000000000000</Keywords>
      <TimeCreated SystemTime="2016-02-10T16:27:15.000000000Z" />
      <EventRecordID>4929</EventRecordID>
      <Channel>Application</Channel>
      <Computer>Golden</Computer>
      <Security UserID="S-1-5-18" />
      </System>
      <EventData>
      <Data>c:\program files\windows media player\wmplayer.exe</Data>
      </EventData>
    </Event>
    
    Log Name:  Application
    Source:  Blue Ridge AppGuard
    Date:  2/10/2016 11:27:15 AM
    Event ID:  312
    Task Category: Configuration
    Level:  Information
    Keywords:  Classic
    User:  SYSTEM
    Computer:  Golden
    Description:
    Cannot locate Guarded Application <office\winword.exe>.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
      <Provider Name="Blue Ridge AppGuard" />
      <EventID Qualifiers="16388">312</EventID>
      <Level>4</Level>
      <Task>3</Task>
      <Keywords>0x80000000000000</Keywords>
      <TimeCreated SystemTime="2016-02-10T16:27:15.000000000Z" />
      <EventRecordID>4928</EventRecordID>
      <Channel>Application</Channel>
      <Computer>Golden</Computer>
      <Security UserID="S-1-5-18" />
      </System>
      <EventData>
      <Data>office\winword.exe</Data>
      </EventData>
    </Event>
    
    Log Name:  Application
    Source:  Blue Ridge AppGuard
    Date:  2/10/2016 11:27:15 AM
    Event ID:  312
    Task Category: Configuration
    Level:  Information
    Keywords:  Classic
    User:  SYSTEM
    Computer:  Golden
    Description:
    Cannot locate Guarded Application <office\powerpnt.exe>.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
      <Provider Name="Blue Ridge AppGuard" />
      <EventID Qualifiers="16388">312</EventID>
      <Level>4</Level>
      <Task>3</Task>
      <Keywords>0x80000000000000</Keywords>
      <TimeCreated SystemTime="2016-02-10T16:27:15.000000000Z" />
      <EventRecordID>4927</EventRecordID>
      <Channel>Application</Channel>
      <Computer>Golden</Computer>
      <Security UserID="S-1-5-18" />
      </System>
      <EventData>
      <Data>office\powerpnt.exe</Data>
      </EventData>
    </Event>
    
    Log Name:  Application
    Source:  Blue Ridge AppGuard
    Date:  2/10/2016 11:27:15 AM
    Event ID:  312
    Task Category: Configuration
    Level:  Information
    Keywords:  Classic
    User:  SYSTEM
    Computer:  Golden
    Description:
    Cannot locate Guarded Application <office\msaccess.exe>.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
      <Provider Name="Blue Ridge AppGuard" />
      <EventID Qualifiers="16388">312</EventID>
      <Level>4</Level>
      <Task>3</Task>
      <Keywords>0x80000000000000</Keywords>
      <TimeCreated SystemTime="2016-02-10T16:27:15.000000000Z" />
      <EventRecordID>4926</EventRecordID>
      <Channel>Application</Channel>
      <Computer>Golden</Computer>
      <Security UserID="S-1-5-18" />
      </System>
      <EventData>
      <Data>office\msaccess.exe</Data>
      </EventData>
    </Event>
    
    Log Name:  Application
    Source:  Blue Ridge AppGuard
    Date:  2/10/2016 11:27:15 AM
    Event ID:  312
    Task Category: Configuration
    Level:  Information
    Keywords:  Classic
    User:  SYSTEM
    Computer:  Golden
    Description:
    Cannot locate Guarded Application <office\excel.exe>.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
      <Provider Name="Blue Ridge AppGuard" />
      <EventID Qualifiers="16388">312</EventID>
      <Level>4</Level>
      <Task>3</Task>
      <Keywords>0x80000000000000</Keywords>
      <TimeCreated SystemTime="2016-02-10T16:27:15.000000000Z" />
      <EventRecordID>4925</EventRecordID>
      <Channel>Application</Channel>
      <Computer>Golden</Computer>
      <Security UserID="S-1-5-18" />
      </System>
      <EventData>
      <Data>office\excel.exe</Data>
      </EventData>
    </Event>
    
    Log Name:  Application
    Source:  Blue Ridge AppGuard
    Date:  2/10/2016 11:27:15 AM
    Event ID:  312
    Task Category: Configuration
    Level:  Information
    Keywords:  Classic
    User:  SYSTEM
    Computer:  Golden
    Description:
    Cannot locate Guarded Application <office\outlook.exe>.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
      <Provider Name="Blue Ridge AppGuard" />
      <EventID Qualifiers="16388">312</EventID>
      <Level>4</Level>
      <Task>3</Task>
      <Keywords>0x80000000000000</Keywords>
      <TimeCreated SystemTime="2016-02-10T16:27:15.000000000Z" />
      <EventRecordID>4924</EventRecordID>
      <Channel>Application</Channel>
      <Computer>Golden</Computer>
      <Security UserID="S-1-5-18" />
      </System>
      <EventData>
      <Data>office\outlook.exe</Data>
      </EventData>
    </Event>
    
    Log Name:  Application
    Source:  Blue Ridge AppGuard
    Date:  2/10/2016 11:27:15 AM
    Event ID:  312
    Task Category: Configuration
    Level:  Information
    Keywords:  Classic
    User:  SYSTEM
    Computer:  Golden
    Description:
    Cannot locate Guarded Application <c:\program files\aim\aim.exe>.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
      <Provider Name="Blue Ridge AppGuard" />
      <EventID Qualifiers="16388">312</EventID>
      <Level>4</Level>
      <Task>3</Task>
      <Keywords>0x80000000000000</Keywords>
      <TimeCreated SystemTime="2016-02-10T16:27:15.000000000Z" />
      <EventRecordID>4923</EventRecordID>
      <Channel>Application</Channel>
      <Computer>Golden</Computer>
      <Security UserID="S-1-5-18" />
      </System>
      <EventData>
      <Data>c:\program files\aim\aim.exe</Data>
      </EventData>
    </Event>
    
    Log Name:  Application
    Source:  Blue Ridge AppGuard
    Date:  2/10/2016 11:27:15 AM
    Event ID:  312
    Task Category: Configuration
    Level:  Information
    Keywords:  Classic
    User:  SYSTEM
    Computer:  Golden
    Description:
    Cannot locate Guarded Application <c:\program files\outlook express\msimn.exe>.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
      <Provider Name="Blue Ridge AppGuard" />
      <EventID Qualifiers="16388">312</EventID>
      <Level>4</Level>
      <Task>3</Task>
      <Keywords>0x80000000000000</Keywords>
      <TimeCreated SystemTime="2016-02-10T16:27:15.000000000Z" />
      <EventRecordID>4922</EventRecordID>
      <Channel>Application</Channel>
      <Computer>Golden</Computer>
      <Security UserID="S-1-5-18" />
      </System>
      <EventData>
      <Data>c:\program files\outlook express\msimn.exe</Data>
      </EventData>
    </Event>
    
    Log Name:  Application
    Source:  Blue Ridge AppGuard
    Date:  2/10/2016 11:27:15 AM
    Event ID:  312
    Task Category: Configuration
    Level:  Information
    Keywords:  Classic
    User:  SYSTEM
    Computer:  Golden
    Description:
    Cannot locate Guarded Application <c:\program files\opera\launcher.exe>.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
      <Provider Name="Blue Ridge AppGuard" />
      <EventID Qualifiers="16388">312</EventID>
      <Level>4</Level>
      <Task>3</Task>
      <Keywords>0x80000000000000</Keywords>
      <TimeCreated SystemTime="2016-02-10T16:27:15.000000000Z" />
      <EventRecordID>4921</EventRecordID>
      <Channel>Application</Channel>
      <Computer>Golden</Computer>
      <Security UserID="S-1-5-18" />
      </System>
      <EventData>
      <Data>c:\program files\opera\launcher.exe</Data>
      </EventData>
    </Event>
    
    Log Name:  Application
    Source:  Blue Ridge AppGuard
    Date:  2/10/2016 11:27:15 AM
    Event ID:  312
    Task Category: Configuration
    Level:  Information
    Keywords:  Classic
    User:  SYSTEM
    Computer:  Golden
    Description:
    Cannot locate Guarded Application <c:\program files\opera\*\opera.exe>.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
      <Provider Name="Blue Ridge AppGuard" />
      <EventID Qualifiers="16388">312</EventID>
      <Level>4</Level>
      <Task>3</Task>
      <Keywords>0x80000000000000</Keywords>
      <TimeCreated SystemTime="2016-02-10T16:27:15.000000000Z" />
      <EventRecordID>4920</EventRecordID>
      <Channel>Application</Channel>
      <Computer>Golden</Computer>
      <Security UserID="S-1-5-18" />
      </System>
      <EventData>
      <Data>c:\program files\opera\*\opera.exe</Data>
      </EventData>
    </Event>
    
    Log Name:  Application
    Source:  Blue Ridge AppGuard
    Date:  2/10/2016 11:27:15 AM
    Event ID:  312
    Task Category: Configuration
    Level:  Information
    Keywords:  Classic
    User:  SYSTEM
    Computer:  Golden
    Description:
    Cannot locate Guarded Application <c:\users\gamer\appdata\local\mozilla firefox\firefox.exe>.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
      <Provider Name="Blue Ridge AppGuard" />
      <EventID Qualifiers="16388">312</EventID>
      <Level>4</Level>
      <Task>3</Task>
      <Keywords>0x80000000000000</Keywords>
      <TimeCreated SystemTime="2016-02-10T16:27:15.000000000Z" />
      <EventRecordID>4919</EventRecordID>
      <Channel>Application</Channel>
      <Computer>Golden</Computer>
      <Security UserID="S-1-5-18" />
      </System>
      <EventData>
      <Data>c:\users\gamer\appdata\local\mozilla firefox\firefox.exe</Data>
      </EventData>
    </Event>
    
    Log Name:  Application
    Source:  Blue Ridge AppGuard
    Date:  2/10/2016 11:27:15 AM
    Event ID:  312
    Task Category: Configuration
    Level:  Information
    Keywords:  Classic
    User:  SYSTEM
    Computer:  Golden
    Description:
    Cannot locate Guarded Application <c:\program files\mozilla firefox\firefox.exe>.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
      <Provider Name="Blue Ridge AppGuard" />
      <EventID Qualifiers="16388">312</EventID>
      <Level>4</Level>
      <Task>3</Task>
      <Keywords>0x80000000000000</Keywords>
      <TimeCreated SystemTime="2016-02-10T16:27:15.000000000Z" />
      <EventRecordID>4918</EventRecordID>
      <Channel>Application</Channel>
      <Computer>Golden</Computer>
      <Security UserID="S-1-5-18" />
      </System>
      <EventData>
      <Data>c:\program files\mozilla firefox\firefox.exe</Data>
      </EventData>
    </Event>
    
    Log Name:  Application
    Source:  Blue Ridge AppGuard
    Date:  2/10/2016 11:27:15 AM
    Event ID:  312
    Task Category: Configuration
    Level:  Information
    Keywords:  Classic
    User:  SYSTEM
    Computer:  Golden
    Description:
    Cannot locate Guarded Application <c:\program files\aol desktop *\aolbrowser\aolbrowser.exe>.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
      <Provider Name="Blue Ridge AppGuard" />
      <EventID Qualifiers="16388">312</EventID>
      <Level>4</Level>
      <Task>3</Task>
      <Keywords>0x80000000000000</Keywords>
      <TimeCreated SystemTime="2016-02-10T16:27:15.000000000Z" />
      <EventRecordID>4917</EventRecordID>
      <Channel>Application</Channel>
      <Computer>Golden</Computer>
      <Security UserID="S-1-5-18" />
      </System>
      <EventData>
      <Data>c:\program files\aol desktop *\aolbrowser\aolbrowser.exe</Data>
      </EventData>
    </Event>
    
    Log Name:  Application
    Source:  Blue Ridge AppGuard
    Date:  2/10/2016 11:27:15 AM
    Event ID:  312
    Task Category: Configuration
    Level:  Information
    Keywords:  Classic
    User:  SYSTEM
    Computer:  Golden
    Description:
    Cannot locate Guarded Application <c:\program files\google\chrome\application\chrome.exe>.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
      <Provider Name="Blue Ridge AppGuard" />
      <EventID Qualifiers="16388">312</EventID>
      <Level>4</Level>
      <Task>3</Task>
      <Keywords>0x80000000000000</Keywords>
      <TimeCreated SystemTime="2016-02-10T16:27:15.000000000Z" />
      <EventRecordID>4916</EventRecordID>
      <Channel>Application</Channel>
      <Computer>Golden</Computer>
      <Security UserID="S-1-5-18" />
      </System>
      <EventData>
      <Data>c:\program files\google\chrome\application\chrome.exe</Data>
      </EventData>
    </Event>
    
    Log Name:  Application
    Source:  Blue Ridge AppGuard
    Date:  2/10/2016 11:27:15 AM
    Event ID:  312
    Task Category: Configuration
    Level:  Information
    Keywords:  Classic
    User:  SYSTEM
    Computer:  Golden
    Description:
    Cannot locate Guarded Application <c:\users\gamer\appdata\local\aol\aim\aim.exe>.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
      <Provider Name="Blue Ridge AppGuard" />
      <EventID Qualifiers="16388">312</EventID>
      <Level>4</Level>
      <Task>3</Task>
      <Keywords>0x80000000000000</Keywords>
      <TimeCreated SystemTime="2016-02-10T16:27:15.000000000Z" />
      <EventRecordID>4915</EventRecordID>
      <Channel>Application</Channel>
      <Computer>Golden</Computer>
      <Security UserID="S-1-5-18" />
      </System>
      <EventData>
      <Data>c:\users\gamer\appdata\local\aol\aim\aim.exe</Data>
      </EventData>
    </Event>
    
    Log Name:  Application
    Source:  Blue Ridge AppGuard
    Date:  2/10/2016 11:27:15 AM
    Event ID:  312
    Task Category: Configuration
    Level:  Information
    Keywords:  Classic
    User:  SYSTEM
    Computer:  Golden
    Description:
    Cannot locate Guarded Application <c:\users\gamer\appdata\local\google\chrome\application\chrome.exe>.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
      <Provider Name="Blue Ridge AppGuard" />
      <EventID Qualifiers="16388">312</EventID>
      <Level>4</Level>
      <Task>3</Task>
      <Keywords>0x80000000000000</Keywords>
      <TimeCreated SystemTime="2016-02-10T16:27:15.000000000Z" />
      <EventRecordID>4914</EventRecordID>
      <Channel>Application</Channel>
      <Computer>Golden</Computer>
      <Security UserID="S-1-5-18" />
      </System>
      <EventData>
      <Data>c:\users\gamer\appdata\local\google\chrome\application\chrome.exe</Data>
      </EventData>
    </Event>
    
    Log Name:  Application
    Source:  Blue Ridge AppGuard
    Date:  2/10/2016 11:27:15 AM
    Event ID:  312
    Task Category: Configuration
    Level:  Information
    Keywords:  Classic
    User:  SYSTEM
    Computer:  Golden
    Description:
    Cannot locate Guarded Application <c:\program files\internet explorer\iexplore.exe>.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
      <Provider Name="Blue Ridge AppGuard" />
      <EventID Qualifiers="16388">312</EventID>
      <Level>4</Level>
      <Task>3</Task>
      <Keywords>0x80000000000000</Keywords>
      <TimeCreated SystemTime="2016-02-10T16:27:15.000000000Z" />
      <EventRecordID>4913</EventRecordID>
      <Channel>Application</Channel>
      <Computer>Golden</Computer>
      <Security UserID="S-1-5-18" />
      </System>
      <EventData>
      <Data>c:\program files\internet explorer\iexplore.exe</Data>
      </EventData>
    </Event>
    
    Log Name:  Application
    Source:  Blue Ridge AppGuard
    Date:  2/10/2016 11:27:15 AM
    Event ID:  302
    Task Category: Configuration
    Level:  Information
    Keywords:  Classic
    User:  SYSTEM
    Computer:  Golden
    Description:
    USB Malware Protection is enabled.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
      <Provider Name="Blue Ridge AppGuard" />
      <EventID Qualifiers="16388">302</EventID>
      <Level>4</Level>
      <Task>3</Task>
      <Keywords>0x80000000000000</Keywords>
      <TimeCreated SystemTime="2016-02-10T16:27:15.000000000Z" />
      <EventRecordID>4912</EventRecordID>
      <Channel>Application</Channel>
      <Computer>Golden</Computer>
      <Security UserID="S-1-5-18" />
      </System>
      <EventData>
      <Data>enabled</Data>
      </EventData>
    </Event>
    
    Log Name:  Application
    Source:  Blue Ridge AppGuard
    Date:  2/10/2016 11:27:15 AM
    Event ID:  301
    Task Category: Configuration
    Level:  Information
    Keywords:  Classic
    User:  SYSTEM
    Computer:  Golden
    Description:
    User Space Download Protection is enabled.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
      <Provider Name="Blue Ridge AppGuard" />
      <EventID Qualifiers="16388">301</EventID>
      <Level>4</Level>
      <Task>3</Task>
      <Keywords>0x80000000000000</Keywords>
      <TimeCreated SystemTime="2016-02-10T16:27:15.000000000Z" />
      <EventRecordID>4911</EventRecordID>
      <Channel>Application</Channel>
      <Computer>Golden</Computer>
      <Security UserID="S-1-5-18" />
      </System>
      <EventData>
      <Data>enabled</Data>
      </EventData>
    </Event>
    
    Log Name:  Application
    Source:  Blue Ridge AppGuard
    Date:  2/10/2016 11:27:15 AM
    Event ID:  301
    Task Category: Configuration
    Level:  Information
    Keywords:  Classic
    User:  SYSTEM
    Computer:  Golden
    Description:
    User Space Download Protection is enabled.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
      <Provider Name="Blue Ridge AppGuard" />
      <EventID Qualifiers="16388">301</EventID>
      <Level>4</Level>
      <Task>3</Task>
      <Keywords>0x80000000000000</Keywords>
      <TimeCreated SystemTime="2016-02-10T16:27:15.000000000Z" />
      <EventRecordID>4910</EventRecordID>
      <Channel>Application</Channel>
      <Computer>Golden</Computer>
      <Security UserID="S-1-5-18" />
      </System>
      <EventData>
      <Data>enabled</Data>
      </EventData>
    </Event>
    
    Log Name:  Application
    Source:  Blue Ridge AppGuard
    Date:  2/10/2016 11:27:15 AM
    Event ID:  301
    Task Category: Configuration
    Level:  Information
    Keywords:  Classic
    User:  SYSTEM
    Computer:  Golden
    Description:
    User Space Download Protection is enabled.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
      <Provider Name="Blue Ridge AppGuard" />
      <EventID Qualifiers="16388">301</EventID>
      <Level>4</Level>
      <Task>3</Task>
      <Keywords>0x80000000000000</Keywords>
      <TimeCreated SystemTime="2016-02-10T16:27:15.000000000Z" />
      <EventRecordID>4909</EventRecordID>
      <Channel>Application</Channel>
      <Computer>Golden</Computer>
      <Security UserID="S-1-5-18" />
      </System>
      <EventData>
      <Data>enabled</Data>
      </EventData>
    </Event>
    
    Log Name:  Application
    Source:  Blue Ridge AppGuard
    Date:  2/10/2016 11:27:15 AM
    Event ID:  301
    Task Category: Configuration
    Level:  Information
    Keywords:  Classic
    User:  SYSTEM
    Computer:  Golden
    Description:
    User Space Download Protection is enabled.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
      <Provider Name="Blue Ridge AppGuard" />
      <EventID Qualifiers="16388">301</EventID>
      <Level>4</Level>
      <Task>3</Task>
      <Keywords>0x80000000000000</Keywords>
      <TimeCreated SystemTime="2016-02-10T16:27:15.000000000Z" />
      <EventRecordID>4908</EventRecordID>
      <Channel>Application</Channel>
      <Computer>Golden</Computer>
      <Security UserID="S-1-5-18" />
      </System>
      <EventData>
      <Data>enabled</Data>
      </EventData>
    </Event>
    
    Log Name:  Application
    Source:  Blue Ridge AppGuard
    Date:  2/10/2016 11:27:15 AM
    Event ID:  301
    Task Category: Configuration
    Level:  Information
    Keywords:  Classic
    User:  SYSTEM
    Computer:  Golden
    Description:
    User Space Download Protection is enabled.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
      <Provider Name="Blue Ridge AppGuard" />
      <EventID Qualifiers="16388">301</EventID>
      <Level>4</Level>
      <Task>3</Task>
      <Keywords>0x80000000000000</Keywords>
      <TimeCreated SystemTime="2016-02-10T16:27:15.000000000Z" />
      <EventRecordID>4907</EventRecordID>
      <Channel>Application</Channel>
      <Computer>Golden</Computer>
      <Security UserID="S-1-5-18" />
      </System>
      <EventData>
      <Data>enabled</Data>
      </EventData>
    </Event>
    
    Log Name:  Application
    Source:  Blue Ridge AppGuard
    Date:  2/10/2016 11:27:15 AM
    Event ID:  301
    Task Category: Configuration
    Level:  Information
    Keywords:  Classic
    User:  SYSTEM
    Computer:  Golden
    Description:
    User Space Download Protection is enabled.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
      <Provider Name="Blue Ridge AppGuard" />
      <EventID Qualifiers="16388">301</EventID>
      <Level>4</Level>
      <Task>3</Task>
      <Keywords>0x80000000000000</Keywords>
      <TimeCreated SystemTime="2016-02-10T16:27:15.000000000Z" />
      <EventRecordID>4906</EventRecordID>
      <Channel>Application</Channel>
      <Computer>Golden</Computer>
      <Security UserID="S-1-5-18" />
      </System>
      <EventData>
      <Data>enabled</Data>
      </EventData>
    </Event>
     
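    An added example, not part of the post above and not AppGuard's own tooling: a Python sketch that reads Event XML in the layout shown in the log, keeps only the Blue Ridge AppGuard provider's entries, and collapses repeats such as the three identical Event ID 301 records (4906 to 4908) into one timeline row. The sample is constructed from field values in the post; the helper names, the wrapping `<Events>` root, the placeholder user SID and the foreign-provider event are assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
PROVIDER = "Blue Ridge AppGuard"  # provider name as it appears in the post

def _event(eid, rec, ts, sid, data=None, provider=PROVIDER):
    """Build one <Event> in the layout shown in the post (constructed sample)."""
    body = f"<EventData><Data>{data}</Data></EventData>" if data else ""
    return (f'<Event xmlns="{NS["e"]}"><System><Provider Name="{provider}" />'
            f'<EventID>{eid}</EventID><TimeCreated SystemTime="{ts}" />'
            f'<EventRecordID>{rec}</EventRecordID><Security UserID="{sid}" />'
            f'</System>{body}</Event>')

T1, T2 = "2016-02-10T16:27:15.000000000Z", "2016-02-10T16:27:17.000000000Z"
SAMPLE = "".join([
    _event(301, 4908, T1, "S-1-5-18", "enabled"),
    _event(301, 4907, T1, "S-1-5-18", "enabled"),
    _event(301, 4906, T1, "S-1-5-18", "enabled"),
    _event(20, 4938, T2, "S-1-5-21-0-0-0-500"),  # constructed SID, EventData omitted
    _event(1, 4900, T1, "S-1-5-18", provider="Constructed Other Source"),
])

def parse_events(xml_text):
    """Return AppGuard events as dicts, oldest record first."""
    root = ET.fromstring(f"<Events>{xml_text}</Events>")  # wrapper root is an assumption
    rows = []
    for ev in root.findall("e:Event", NS):
        sys_ = ev.find("e:System", NS)
        if sys_.find("e:Provider", NS).get("Name") != PROVIDER:
            continue  # ignore other sources in the Application log
        rows.append({
            "record": int(sys_.findtext("e:EventRecordID", namespaces=NS)),
            "event_id": int(sys_.findtext("e:EventID", namespaces=NS)),
            "time": sys_.find("e:TimeCreated", NS).get("SystemTime"),
            "sid": sys_.find("e:Security", NS).get("UserID"),
            "data": [d.text for d in ev.findall("e:EventData/e:Data", NS)],
        })
    return sorted(rows, key=lambda r: r["record"])

def collapse_repeats(rows):
    """Merge events identical in id, time, SID and data; keep their record ids."""
    groups = {}
    for r in rows:
        key = (r["event_id"], r["time"], r["sid"], tuple(r["data"]))
        g = groups.setdefault(key, {**r, "records": []})
        g["records"].append(r["record"])
    return list(groups.values())
```
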
  4. guest

    guest Guest

    Unfortunately, I rolled back, so event logs are no more. However send you the msinfo and policy.xml file.

    OK, thanks. Maybe you could create a group of "real and serious" beta-testers like some vendors used to do (Emsisoft, Adguard, etc.) and give them a kind of unique ID-ed beta-license renewable every year.

    Copied the policy.xml files in c:\users\<name>\appdata\roaming\blue ridge networks\appguard (from previous version), disable AG's TamperGuard, paste the file in the new version and reboot.

    I have to add: even with a clean install without importing the policy, just adding an app to be guarded generates the error.
    With the previous beta it doesn't happen.
     
  5. syrinx

    syrinx Registered Member

    Joined:
    Apr 7, 2014
    Posts:
    427
    I was finally able to reproduce the locked down issue in a Win7 VM by manually copying just the "P17RunE.dll" over to the sysWOW64 folder and then adding a startup entry to the Wow6432Node run key.
    String: RunDll32 P17RunE.dll,RunDLLEntry

    I also tried changing the string to load the dll in a separate Limited account and ran it once manually to input the pass then rebooted. The problem persists.
    runas /user:Limited /savecred "RunDll32 P17RunE.dll,RunDLLEntry"

    Using ImDisk and the over talked about rule is still the only surefire way to reproduce it, but it certainly means there is a problem 'somewhere' if running a dll from my soundcard, with no accompanying hardware drivers, can cause AppGuard to stop blocking an unsigned file launch in Locked Down mode but not Protected, even in a VM.

    As the dll seems to be directly involved with the real problem on my side I've uploaded it so that you can recreate it in a VM yourself alongside ImDisk and the folder exception rule if you haven't already reproduced it.

    9KB (Zip)
    P17RunE.zip on Zippyshare
    P17RunE.zip on MediaFire
     
  6. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    By unrecoverable error did you mean this:
    [IMG]

    I thought that you meant there was a crash. It appears that AppGuard is having trouble processing rules for disk partitions and IMDisk ram disks. That has always been the case - just not reported. If you don't add rules related to the partitions, then AppGuard behaves fine. We are trying to add error messages when these conditions occur so that you know that AppGuard's protection is not working properly, but apparently we haven't addressed all cases.
     

  7. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    I didn't mean to ignore any questions when posting my "answer" as you put it. Refresh my memory. What question do you think I was not answering?
     
  8. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,804
    Location:
    .
    This:
    http://i.imgur.com/rLLA4hS.gif
     
  9. hjlbx

    hjlbx Guest

    Last edited by a moderator: Feb 10, 2016
  10. Elwe Singollo

    Elwe Singollo Registered Member

    Joined:
    Oct 30, 2015
    Posts:
    114
    No doubt a bug for some but just to say I'm not experiencing it here. I can make the changes to publishers and they stick. Win 10 x64.

    Cheers
     
  11. hjlbx

    hjlbx Guest

    BUG present on W8.1.
     
  12. Elwe Singollo

    Elwe Singollo Registered Member

    Joined:
    Oct 30, 2015
    Posts:
    114
    Would help if I could read :oops:
     
  13. hjlbx

    hjlbx Guest

    You can read - I added infos about W8.1 after you pointed out AG working as intended on W10... LOL.
     
  14. hjlbx

    hjlbx Guest

    @Barb_C

    Develop a bug report and tracker.

    In the chaos of this thread, it is easy for you to miss things.

    Just a suggestion to make things more efficient.
     
  15. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    With the previous version, there is no error checking in this area (but there should have been). The error is caused because AppGuard cannot apply the policy with rules from those partitions/disks. In previous versions you won't get the errors but AppGuard won't be fully protecting you either. So going back to the previous beta (or even the previous released version) is not recommended. Removing the rules that are causing the issues is recommended. Hopefully AppGuard will still be usable for you without adding rules related to partitions. In the meantime, we will see if we can address the partition issues in a future release.
     
  16. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    Actually we requested that people submit their bug reports to AppGuard@BlueRidge.com. That is how to officially get them addressed. By just reporting them here, they may not be seen (too busy addressing the issues reported via AppGuard@BlueRidge.com).
     
  17. hjlbx

    hjlbx Guest

    @Barb_C

    AppGuard in Install Mode

    Install Kingsoft WPS

    NOTE: WPS is Guarded App by default

    Prevented process <C:\Program Files (x86)\WPS Office\10.1.0.5486\wtoolex\wpsupdate.exe> from writing to <c:\windows\tasks\wpsupdatetask_hjlbx.job>.

    Prevented process <C:\Program Files (x86)\WPS Office\10.1.0.5486\wtoolex\wpsupdate.exe | C:\Program Files (x86)\WPS Office\10.1.0.5486\office6\wpp.exe> from writing to <c:\windows\tasks\wpsupdatetask_hjlbx.job>.

    These blocks are for scheduled updates via Task Scheduler (*.job file extension).

    This block event was only recorded once after installing WPS 10 or so times.

    This is yet another example of a "flaky" block event by AppGuard.
     
    Last edited by a moderator: Feb 10, 2016
  18. hjlbx

    hjlbx Guest

    @Barb_C

    No, you misunderstand... partially.

    I meant develop a form for reporting bugs.... especially beta testing issues\quirks\bugs.

    Most of us here know what infos you need, but some do not.
     
  19. syrinx

    syrinx Registered Member

    Joined:
    Apr 7, 2014
    Posts:
    427
    I was referring to the second half of: https://www.wilderssecurity.com/threads/appguard-4-x-32-64-bit.355206/page-173#post-2562661
    Basically I'm trying to figure out if all this stuff you guys have looked into about the way ImDisk handles the device\disk name and the new alert etc. are going off in the entirely wrong direction. I was only using ImDisk to reproduce the actual problem where AppGuard launch protection stalls out / stops working but only in Locked Down mode [Mr.X's results were slightly different (worse) and he doesn't have that sound card dll on his so it can't be just the P17RunE.dll either]. Once again, it only happens on my machine with that sound card dll I uploaded, which is why I could never reproduce it in a VM until finding that removing it fixed my issue and manually adding it to the VM allowed me to recreate the problem.

    I can understand not being able to have folder/drive exceptions or protection on the ImDisk RamDisk with what you've said about the way it handles names. I just don't see how any of that results in AppGuard not blocking an unsigned app being launched from the desktop in Locked Down mode and yet continues to work in Protected. So I keep going back around to, "it's gotta be something happening in AppGuard or Locked Down mode"

    The method I used to constantly recreate the problem is rather convoluted and seems to somehow involve the combination of ImDisk, my sound card dll, and Locked Down mode. I can understand the confusion (The whole thing has me confused still) if you never saw that failure before as when I started spamming I hadn't linked it to the dll yet.

    I now realize the soundcard dll is involved.. so if you weren't able to reproduce that part of my problem in your tests, maybe you can add the dll and startup entry (reboot) in a VM alongside ImDisk and set up the rule in the current stable version of AppGuard to see it in action and understand why I am so worried that the actual problem might have been missed.
    The existing Problem steps recordings show all the steps except for adding the sound card dll and rebooting but I can make a fresh one if it'll help.
     
  20. Skiaz

    Skiaz Registered Member

    Joined:
    May 28, 2010
    Posts:
    10
    Location:
    USA
    This particular bug being discussed concerning setting install level for a publisher acts differently for me depending on the version of Windows. On Windows 7 and Windows 10 build 14257 (insiders fast ring) the install setting works as expected. But on Windows 10 build 104 (insider slow ring) I have the same problem as @hjlbx where setting a publisher to install doesn't hold. All of this is on the latest build of AppGuard.

    Now on Windows 10 build 104, I was able to make it work by toggling Guarded to yes. Even though the Level column was -- I was told install was on but it let me change guarded to yes. From then on I have been able to successfully use Install in the Level column with Guarded set to off. Seems the toggle changed something.
     
  21. hjlbx

    hjlbx Guest

    I can confirm. Change Guarded to yes, then change Level from -- to Install, select Apply, select OK. Reopen GUI, Guarded is OFF and Level is Install.
     
  22. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    Thanks for the detailed descriptions. Perhaps we haven't solved your exact problem, but many issues did come to light with your scenario. Though you may think that we have moved in the wrong direction, the improvements we've made as a result of the investigation are very important. For instance, we found that in some cases when AppGuard is not able to apply the rules related to disk partitions, it does not report this and the user may think he is protected when he is not.

    UPDATE: Our preliminary testing shows that the issues associated with the disk partitions are limited to immediately after the disk partition is created and the system is not rebooted. After reboot, AppGuard does fine with the partition rules.
     
    Last edited: Feb 11, 2016
  23. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
  24. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Good find! I'm not experiencing this bug, but good find.
     