Introducing EdgeGuard Solo Beta (zero-day malware defense)

Discussion in 'other anti-malware software' started by Eirik, Oct 10, 2008.

Thread Status:
Not open for further replies.
  1. Coolio10

    Coolio10 Registered Member

    Joined:
    Sep 1, 2006
    Posts:
    1,124
    Same problem, I just get "invalid Win32 application" for everything.
     
  2. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    Eirik, I just wonder if we could get something like password protection for the GUI, in case of configuration alteration? Thanks in advance ;) So far so good here, it is a cool app :thumb:
     
  3. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    I suspect clt.exe is located in user-space (i.e., C:/Documents and Settings/login_name). By default 'Drive-by Download Protection' is enabled; this suppresses all launches from user-space, except for guarded (i.e., in the list in the GUI) applications.


    In trying to keep the protection lightweight, we do not inject our own prompts when a 'block' occurs. Instead, either an operating system prompt or an application-specific one (defined by the application author) appears. The obvious downside is that prompts can be very cryptic and people may not realize that AppGuard is responsible.

    Thanks. You might say we're going for the 'so easy a cave man can use it' position in the anti-malware space. We still have more work to make it even easier. I hope you all help us identify ways to make it easier.
     
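The launch rule Eirik describes above (and the USB-drive variant he mentions later in the thread), modelled as a small policy check. This is an added example, not AppGuard's code: it assumes user-space means the XP-era profile directory C:\Documents and Settings\<login_name>, that guarded applications are identified by their full executable path, and that the caller supplies the removable drive letters.

```python
"""Model of the launch rule Eirik describes: with Drive-by Download Protection
on, nothing launches from user-space unless it is on the guard list.

Added example, not AppGuard's code.  Assumptions: user-space is the XP-era
profile directory C:\\Documents and Settings\\<login_name>; guarded
applications are identified by full executable path; removable (USB) drive
letters are supplied by the caller.
"""
import ntpath

PROFILE_ROOT = r"C:\Documents and Settings"


def normalize(path):
    """Canonical, case-folded NT path: unifies slashes and collapses '.' and '..'."""
    return ntpath.normcase(ntpath.normpath(path))


def is_under(path, root):
    """True when `path` equals `root` or lies beneath it (component-wise prefix)."""
    p, r = normalize(path), normalize(root).rstrip("\\")
    return p == r or p.startswith(r + "\\")


def user_space_root(login_name):
    return ntpath.join(PROFILE_ROOT, login_name)


def launch_decision(exe_path, login_name, guarded, *,
                    drive_by_protection=True, removable_drives=()):
    """Return ("allow" | "block", reason) for an attempt to launch `exe_path`.

    Order matters: the guard list is consulted first, so a guarded executable
    may run from user-space or a USB stick; every other executable in those
    locations is blocked; executables anywhere else are allowed.
    """
    if not drive_by_protection:
        return "allow", "Drive-by Download Protection is off"
    path = normalize(exe_path)
    if path in {normalize(g) for g in guarded}:
        return "allow", "guarded application"
    if is_under(path, user_space_root(login_name)):
        return "block", "unguarded launch from user-space"
    drive = ntpath.splitdrive(path)[0].rstrip(":").upper()
    if drive and drive in {d.rstrip(":").upper() for d in removable_drives}:
        return "block", "unguarded launch from removable drive"
    return "allow", "outside the protected locations"


if __name__ == "__main__":
    # Constructed scenarios: the clt.exe case from the thread, a drive-by style
    # drop into the profile's Temp directory, and a '..' path that looks like it
    # leaves the profile but normalizes back into the Windows directory.
    for exe, guard in [
        (r"C:\Documents and Settings\bob\Desktop\clt.exe", []),
        (r"C:\Documents and Settings\bob\Desktop\clt.exe",
         [r"C:\Documents and Settings\bob\Desktop\clt.exe"]),
        ("C:/Documents and Settings/bob/Local Settings/Temp/dl.exe", []),
        (r"C:\Documents and Settings\bob\..\..\Windows\notepad.exe", []),
        (r"E:\autorun\setup.exe", []),
    ]:
        print(exe, "->", launch_decision(exe, "bob", guard, removable_drives=("E",)))
```

Two caveats on the model. It matches on the path string, so 8.3 short names (C:\DOCUME~1\bob\...) or junctions would slip past it; a real enforcement point sees the kernel-resolved path, where those aliases collapse. And it covers only the logged-in user's own profile, which is all Eirik states; whether other profile directories are treated the same way is not said in the thread.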
  4. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    I'll make a note of that. It may already support what you wish to do.

    If you're looking to configure AppGuard for one or more other users, but wish to limit or deny them the ability to add/remove applications from the guard list, or suspend protections, you can edit the XML configuration file. This file resides in a 'Documents and Settings' directory that an end-user without admin rights cannot alter. Administrators with software distribution capabilities can then push/replace these files at their discretion. On the flip side, administrators can use third-party Windows Event Log tools to retrieve, analyze, and report on what's happening with all the deployed agents. They don't have to install/manage another management console.

    If you're interested, I can send you and others the administrators help guide.

    We will make this much simpler for administrators to do in the near future.
     
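The protection Eirik describes above rests on the configuration file being unwritable by non-admin users, which is worth verifying rather than assuming. This added example (not AppGuard's code or documentation) reads the ACL as printed by `icacls <file>` (Vista/Server 2003 SP2 and later; XP's cacls prints a different format) and lists any non-privileged principal that can modify the file. The file path is hypothetical, the two outputs are constructed to look like icacls output, and the thread does not give AppGuard's actual file name.

```python
"""Check that a configuration file really is unwritable by non-admin users,
by reading the ACL that `icacls <file>` prints.

Added example, not AppGuard's code or documentation.  The path below is a
hypothetical location and the two outputs are constructed to look like
icacls output; the thread does not give AppGuard's actual file name.
"""
import re

CONFIG_PATH = r"C:\Documents and Settings\All Users\Application Data\ExampleVendor\config.xml"

# Constructed: what a correctly locked-down file looks like.
LOCKED = CONFIG_PATH + r""" NT AUTHORITY\SYSTEM:(I)(F)
                      BUILTIN\Administrators:(I)(F)
                      BUILTIN\Users:(I)(RX)

Successfully processed 1 files; Failed processing 0 files
"""

# Constructed: two extra ACEs that let any user rewrite the policy.
LOOSE = CONFIG_PATH + r""" NT AUTHORITY\SYSTEM:(I)(F)
                      BUILTIN\Administrators:(I)(F)
                      BUILTIN\Users:(I)(RX)
                      BUILTIN\Users:(I)(DE,WD,AD)
                      Everyone:(M)

Successfully processed 1 files; Failed processing 0 files
"""

TRUSTED = frozenset(p.lower() for p in (
    r"NT AUTHORITY\SYSTEM", r"BUILTIN\Administrators", r"NT SERVICE\TrustedInstaller"))

# Inheritance/kind groups icacls prints before the rights group.
FLAGS = {"OI", "CI", "IO", "NP", "I", "DENY"}

# Simple and specific rights that let the holder change the file's contents,
# attributes, ACL or owner (any of which lets the policy be altered).
WRITE_RIGHTS = {"F", "M", "W", "GA", "GW", "WD", "AD", "WEA", "WA", "DE", "WDAC", "WO"}

ACE_RE = re.compile(r"^(?P<principal>[^:]+?):(?P<groups>(?:\([^)]*\))+)$")


def parse_icacls(text, path):
    """Return [(principal, flags, rights)] for each ACE of one file's icacls output."""
    aces = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Successfully processed"):
            continue
        # icacls prints the first ACE on the same line as the path; since both
        # the path and a principal may contain spaces, strip the known path.
        if line.lower().startswith(path.lower()):
            line = line[len(path):].strip()
        m = ACE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised icacls line: {raw!r}")
        groups = [g.upper() for g in re.findall(r"\(([^)]*)\)", m.group("groups"))]
        flags = {g for g in groups if g in FLAGS}
        rights = {t.strip() for g in groups if g not in FLAGS for t in g.split(",")}
        aces.append((m.group("principal").strip(), flags, rights))
    return aces


def unprivileged_writers(text, path, trusted=TRUSTED):
    """Principals outside `trusted` holding an allow ACE with a write-capable right.

    Deny ACEs are skipped rather than subtracted, so the result can over-report
    (an allow for Everyone is listed even if a deny for Users also exists).
    """
    writers = []
    for principal, flags, rights in parse_icacls(text, path):
        if "DENY" in flags or principal.lower() in trusted:
            continue
        hits = sorted(rights & WRITE_RIGHTS)
        if hits:
            writers.append((principal, hits))
    return writers


if __name__ == "__main__":
    for label, output in (("locked", LOCKED), ("loose", LOOSE)):
        print(label, unprivileged_writers(output, CONFIG_PATH) or "no unprivileged writers")
```

Run the same check on the parent directory: a user who holds WD/AD or delete-child rights there can replace the file wholesale even when the file's own ACL is clean.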
  5. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    You are right, it was in a folder on the desktop. I was just reading about it in the help file. :thumb: (I was too overconfident that I didn't need to...)

    I think you did FINE! The blinking icon is enough to inform the user (at least me) that something was blocked, and in settings I did see that it was being blocked under "status", and that's fine!

    I think it's on a very good way to becoming very easy-going. I just tested Utorrent and Emule and they seem to work fine too! (which isn't easy with many security apps). Opera also seems to work ok. I think it's pretty idiot-proof as it is now and runs very, very light! Maybe one thing you could do for lazy people (like me) that won't read the help file is to put a notification somewhere in the GUI that the 2 directories (user profile and application data) are write protected. A small note somewhere maybe.

    All in all, I think it's very nice! It can be used by the average Joe with probably very few problems... No strange pop ups, no blocked applications even with p2p (which are complex), no CPU eating! What can I say! It's not 340/340, but probably if it was, it would become less user friendly and create more problems! So, it's ok as it is. It covers most areas that are commonly attacked by malware anyway.

    Maybe for those that aren't very observative, you could add an optional acoustic warning when something is blocked... Nothing too scary. :D

    I definitely like this small application! It's a valid add-on for any average Joe's (and not only!) PC to help the antivirus! :thumb:
     
  6. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    I've decided. Tomorrow I will change my setup and run this little gem with a HIPS-less setup. Probably together with ThreatFire and Sandboxie. Oh, it will be lovely! No pop ups and a reasonably high security level at very low CPU cost! :D
     
    Last edited: Jan 23, 2009
  7. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    Thanks, please ;)
     
  8. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    Oh, a question. I noticed that you can't delete the "default" applications. I suppose they require special settings (resource access), and that's why?

    Because I don't see how I can disable some of them. They will get re-activated after 5 minutes. Not much of a problem, but they uselessly clutter the interface. I don't have 6 of those applications, so they are a waste of space for me.
     
  9. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    you could set the time to more or less:D
     
  10. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Any screenshots?

    Any tests? I wish someone could try it against:

    KillDisk
    Some nasty rootkits
    File infectors( like BlackDay)
    Ransomware
    Latest Conficker worm
    RegTest
    MBR Tool
    Robodog trojan
    SSDT Unhooker rootkits( for example Bifrost trojan)

    and many more ...
     
  11. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    It only accepts between 0 and 5.... :doubt:
     
  12. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    I didn't realize that :D 5 minutes is more than enough
     
  13. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    I got it running with Malware Defender with network protection only :)
     
  14. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    I see your point about the clutter. The GUI does not facilitate this as you've found. We will have to correct this soon!

    As for what can you do now, download our admin guide (mentioned in the post above with Jmonge). It will show you how to edit the configuration file to permanently remove those items. I'll send you a link.
     
  15. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    Just 3 windows (really simple):

    http://img209.imageshack.us/img209/9762/36057542ky7.png

    http://img209.imageshack.us/img209/9809/21461305ax2.png

    http://img520.imageshack.us/img520/4522/88658270jl3.png

    I only did the Comodo leak test in the previous page. For real malware and especially rootkits, it's your job! :D (I have no VMware). Or, if you know exactly how they infect, maybe you can draw some conclusions from Comodo's test. For example, it doesn't appear to stop hooks.

    This isn't Defenswall. It's more lightweight in everything (protection, cpu, simplicity).

    I will run the Spycar reg test soon though.
     
  16. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    Ok, thanks! I've already located the file that can be edited in Docs & Settings...Application Data.
     
  17. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Thanks.

    I wish to put it under these tests but unfortunately no time at all. Maybe later some day.
     
  18. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Hmmm....the download link does not work for me.
     
  19. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    I understand. Unfortunately, I don't even have the malware you mention, so even under Shadow Defender, I can't run it.

    Spycar's results: when run through the browser (Opera), all tests fail to execute because Opera uses the user profile area. So I'd say it's a pass for little AppGuard. When I downloaded the single test files and added them to its protection list, it fails all tests (they are all successfully executed and change the registry).

    So, I don't think it has registry protection, but in the case where I executed them directly from within Opera, all failed because of the write-protected directories.


    Which brings to mind... Maybe an interesting addition would be to be able to include some custom directories in the write-protected areas.

    EDIT: Another handy modification would be to be able to select more than one application at a time from the application window. For example, now I had about 10 processes from the Spycar test that I wanted to remove and I had to do that one by one. Using CTRL+left click to select them all and clicking "delete" would have been more cosy. It's a minor thing that for most users wouldn't be of any use, but, just an idea.
     
  20. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    The EdgeGuard Solo results posted earlier generally apply to AppGuard except that AppGuard will stop attacks that depend on unknown executables launching from user-space or from USB drives.

    Neither AppGuard nor EdgeGuard Solo intercept RAW I/O calls. So these won't be stopped. Individual vendors trying to deal with these create a very high risk of software conflicts with other software/drivers. We've engaged Microsoft with this to come up with a solution that avoids conflicts.

    Fortunately, malware makers are now primarily motivated by financial gain. So, these kinds of attack are uncommon. Even so, we want to deal with them.

    Top of mind, I'm not sure which of the above were included in previous tests (one or more by different names). AppGuard will not stop Conficker from exploiting the Windows Services Server vulnerability but would block its USB vector.

    Some Wilders folk have been sending us malware samples (see earlier pages). We welcome them. We don't always have the time to test and post results, however. But, we try.
     
  21. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    the site is down from my end
     
  22. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    Those guarded executables should be able to launch but unable to write to HKLM and some HKCU keys (run and run-once, top of mind). If I correctly understand that they did write successfully, then I need to open a trouble ticket. Please confirm.
     
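The rule Eirik states above (guarded executables run, but may not write under HKLM or under the HKCU Run/RunOnce keys), modelled as a policy check and replayed over a constructed version of the Spycar situation Fuzzfas reports. This is an added example, not AppGuard's code: it assumes applications are identified by executable path, that the caller knows the interactive user's SID so the HKEY_USERS\<SID>\... spelling of HKCU is recognised, and it treats HKCR writes as HKLM\Software\Classes writes (where Windows stores them unless the key already exists under HKCU\Software\Classes).

```python
"""Model of the registry rule Eirik states for guarded applications: they may
run, but may not write under HKLM nor under HKCU\\...\\Run and RunOnce.

Added example, not AppGuard's code.  Assumptions: applications are identified
by executable path; the caller knows the interactive user's SID so that the
HKEY_USERS\\<SID>\\... spelling of HKCU is recognised; HKCR writes are treated
as HKLM\\Software\\Classes writes.
"""
import ntpath

ROOT_ALIASES = {
    "HKEY_LOCAL_MACHINE": "HKLM", "HKLM": "HKLM",
    "HKEY_CURRENT_USER": "HKCU", "HKCU": "HKCU",
    "HKEY_CLASSES_ROOT": "HKCR", "HKCR": "HKCR",
    "HKEY_USERS": "HKU", "HKU": "HKU",
}

# HKCU subkeys a guarded application may not write (component tuples, lower-case).
HKCU_BLOCKED = (
    ("software", "microsoft", "windows", "currentversion", "run"),
    ("software", "microsoft", "windows", "currentversion", "runonce"),
)


def canonical_key(key, user_sid=None):
    """Split a registry path into (short root, lower-cased component tuple),
    folding the aliases that would otherwise dodge a naive string match."""
    key = key.replace("/", "\\").strip("\\ ")
    root, _, rest = key.partition("\\")
    short = ROOT_ALIASES.get(root.upper())
    if short is None:
        raise ValueError(f"unknown registry root in {key!r}")
    parts = [p.lower() for p in rest.split("\\") if p]
    if short == "HKU" and user_sid and parts and parts[0] == user_sid.lower():
        short, parts = "HKCU", parts[1:]          # HKU\<SID> is this user's HKCU
    if short == "HKCR":
        short, parts = "HKLM", ["software", "classes", *parts]
    return short, tuple(parts)


def registry_write_decision(exe_path, key, *, guarded, user_sid=None):
    """Return ("allow" | "block", reason) for a registry write by `exe_path`."""
    app = ntpath.normcase(ntpath.normpath(exe_path))
    if app not in {ntpath.normcase(ntpath.normpath(g)) for g in guarded}:
        return "allow", "not a guarded application; the rule does not apply"
    root, parts = canonical_key(key, user_sid)
    if root == "HKLM":
        return "block", "guarded application writing under HKLM"
    if root == "HKCU":
        for blocked in HKCU_BLOCKED:
            if parts[:len(blocked)] == blocked:
                return "block", "guarded application writing HKCU " + blocked[-1]
    return "allow", "key not covered by the rule"


# Constructed replay of the situation in the thread: a test executable added
# to the guard list, then writes to autostart keys. Names and SID are made up.
USER_SID = "S-1-5-21-1-2-3-1001"
GUARDED = [r"C:\Program Files\Opera\opera.exe", r"D:\tests\reg_test.exe"]
CONSTRUCTED_EVENTS = [
    (r"D:\tests\reg_test.exe", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"),
    (r"D:\tests\reg_test.exe", r"HKEY_USERS\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Run"),
    (r"D:\tests\reg_test.exe", r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"),
    (r"D:\tests\reg_test.exe", r"HKCU\Software\Microsoft\Internet Explorer\Main"),
    (r"C:\WINDOWS\notepad.exe", r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"),
]


def replay(events, guarded=GUARDED, user_sid=USER_SID):
    """Decision for each (exe, key) pair, in order."""
    return [registry_write_decision(exe, key, guarded=guarded, user_sid=user_sid)[0]
            for exe, key in events]


if __name__ == "__main__":
    for (exe, key), verdict in zip(CONSTRUCTED_EVENTS, replay(CONSTRUCTED_EVENTS)):
        print(f"{verdict:5}  {ntpath.basename(exe):14}  {key}")
```

Two things the replay makes visible: a write to an Internet Explorer key by a guarded application passes, because only Run/RunOnce are named in the rule, and the HKEY_USERS\<SID> spelling of the same Run key is only caught when the SID mapping is in place. Without that mapping a string comparison against "HKCU" misses it.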
  23. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    Unfortunately I can confirm. RegProt asked me to allow, I did. I had included it in the list, but it was written. Confirmed from the startup manager.

    http://img223.imageshack.us/img223/2888/48164797vf9.png

    http://img223.imageshack.us/img223/6773/90426058wq0.png

    You can find them all here:

    http://www.spycar.org/Spycar.html

    They all ran for me. I just saved them in another location (and partition actually) and ran them after adding them to the AppGuard list. And they ran...
     
  24. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    Sounds interesting. Would you mind telling me about the problems you seek to solve with this addition? If I assume, I might miss something.

    Thanks,

    Eirik
     
  25. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    Not solving a problem. Just to "lock" access to "sensitive" directories. One can keep documents there, passwords, etc. I know, I could keep them in the already protected directories. But someone might have more partitions, for example with various things he would like kept "out of reach" from the "protected applications". Just an idea. Maybe I miss something in the whole concept.

    EDIT: A tangible example just came to me. Aigle mentioned ransomware. Say it comes from a drive-by and you have "precious" documents on other hard disks, apart from the user profile... Or you get a mail with the malware and you foolishly click on it.
     
    Last edited: Jan 23, 2009