AppGuard 3.x 32/64 Bit

[shadek]

Eirik (from Blue Ridge Networks) suggested a new thread to be created with this topic. Any questions or remarks about the software with version number 3.x should be posted here.

[shadek]

Quote:

Originally Posted by Blackcat

Anyone seen this update today? New version or a bug?

I haven't got a pop-up about it yet on any of the three machines I'm using at home with AppGuard.

[Blackcat]

Pop-up here.

[Peter2150]

I downloaded it recently and that is the version I got.

Pete

[shadek]

Quote:

Originally Posted by Peter2150

I downloaded it recently and that is the version I got.

Pete

Odd. I just downloaded and installed on a new machine. Same version as before; meaning we're getting different versions.

[jmonge]

am i getting an older version?

[trjam]

Quote:

Originally Posted by jmonge

am i getting an older version?

jmonge, mine is the older.

[Kees1958]

My change request:

An option to allow windows update for all

[shadek]

How well does AppGuard protect the registry? AppGuard on 'normal protection' certainly blocks files installed when executing a malicious file... but what about registry?

[Greg S]

Quote:

Originally Posted by Kees1958

My change request:

An option to allow windows update for all

That would be nice but might be tricky for them to do. If one has external hard drives, MS on some updates will use the largest HD with the most available/free disk space to launch the update installer.


What I really need is a way to stop AG's Event viewer writing. Specifically when it comes to WMP. Even though AG is excluded in my AV, it continually monitors the continuous events being written to the event viewer when WMP is open. I get thousands of these in a matter of just a few hours.

[shadek]

It would be nice to see in the log of what's blocked writing to registry entries.

[fredra]

Quote:

Originally Posted by Kees1958

My change request:

An option to allow windows update for all

+1
Cheers

[Eirik]

Hi All,

If you right-click on the AppGuard tray icon and select 'About', you'd see the following:



If you see 3.0.13.0 when doing this, you have the latest version.

Cheers,

Eirik

[Dave53]

On the AppGuard support page on your website it shows the version number as 3.0.13.1

Dave

[Blackcat]

We are going round in circles again.

Although the latest version is supposedly 3.0.13.0, some people in this thread say they have 3.0.13.1

I have seen the pop-up for the "new" version several times; generally after a fresh install. And the information about the latest version, if it is still 3.0.13.0, on the AppGuard web-site has still not been corrected

Can Eirik clarify?

[Eirik]

The total version number is indeed 3.0.13.1, as noted on the support web page. The version number indicated in the 'About' GUI states 3.0.13.0, however. If you find this inconsistent and confusing, so do I. I hope to eliminate this source of confusion with the next release.

The fourth decimal group indicates installation package version. In this case the difference between 0 and 1 was a newer help file. However, the version reported in the 'About' GUI is NOT the absolute authority on this decimal group (see next paragraph). While I'm at it, the third decimal group reflects build number (e.g., bug fixes, tweaks, but no new features). And finally, the second group reflects a difference in features or how they are implemented (e.g., new GUI, EirikGuard, etc.).

If one goes to the Windows Control panel, locates AppGuard in the "Add/Remove Software" control, one should find the software version listed there to be 3.0.13.1 when on the same host the 'About' window says 3.0.13.0.

I would appreciate a little help from folk on fleshing out a possibility I'd like to "rule out". Some have reported a prompt saying there's a newer version of "3.0.13.1". To those folk, I ask, please indicate what version is reported in the 'About' window. My point here is to determine if there's something more that needs to be investigated.

Please accept my apologies for the confusion.

Cheers,

Eirik

[Blackcat]

Quote:

Originally Posted by Eirik

I would appreciate a little help from folk on fleshing out a possibility I'd like to "rule out". Some have reported a prompt saying there's a newer version of "3.0.13.1". To those folk, I ask, please indicate what version is reported in the 'About' window. My point here is to determine if there's something more that needs to be investigated.

My pop-up says "a newer version is available" but my "About" says version 3.0.13.0. I have seen this prompt only after a fresh install of AG; after awhile it disappears.

Glad to hear that I was not the only one who is confused

[starfish_001]

I have had an issue on cold reboot the last couple of days where no user space app can be launched and the gui does not seem to influence or change the protection level. I have to reboot again to access the system


Is there a log file I can read to see what is going on ?
The system is windows 7 x64

[Eirik]

Quote:

Originally Posted by starfish_001

Is there a log file I can read to see what is going on ?
The system is windows 7 x64

Yes, all AppGuard blocking events are stored in your Windows Event Log. Events that appear in the 'status' window of AppGuard's GUI disappear with a restart.

Cheers,

Eirik

[starfish_001]

Hi likely event detail are as follows any idea?


Day 1

Faulting application name: AppGuardAgent.exe, version: 3.0.13.0, time stamp: 0x4d530420
Faulting module name: AppGuardAgent.exe, version: 3.0.13.0, time stamp: 0x4d530420
Exception code: 0xc0000005
Fault offset: 0x00006a88
Faulting process id: 0x788
Faulting application start time: 0x01cbe27dc722b2ae
Faulting application path: C:\Program Files (x86)\Blue Ridge Networks\AppGuard\AppGuardAgent.exe
Faulting module path: C:\Program Files (x86)\Blue Ridge Networks\AppGuard\AppGuardAgent.exe
Report Id: 27ba06df-4e71-11e0-8916-005056c00008


then

C:\Program Files (x86)\Blue Ridge Networks\AppGuard\AppGuardAgent.exe
c:\windows\syswow64\werfault.exe

then

Fault bucket , type 0
Event Name: APPCRASH
Response: Not available
Cab Id: 0

Problem signature:
P1: AppGuardAgent.exe
P2: 3.0.13.0
P3: 4d530420
P4: AppGuardAgent.exe
P5: 3.0.13.0
P6: 4d530420
P7: c0000005
P8: 00006a88
P9:
P10:

Attached files:
C:\Windows\Temp\WER4C0C.tmp.appcompat.txt
C:\Windows\Temp\WER4EAC.tmp.WERInternalMetadata.xml
C:\Windows\Temp\WER4F0B.tmp.hdmp
C:\Windows\Temp\WER567B.tmp.mdmp

These files may be available here:
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_AppGuardAgent.ex_158bc39d3936f46083a5cf86cbd5a45b8afdf6e2_cab_081d56e5

Analysis symbol:
Rechecking for solution: 0
Report Id: 27ba06df-4e71-11e0-8916-005056c00008
Report Status: 4





Day 2
Faulting application name: AppGuardAgent.exe, version: 3.0.13.0, time stamp: 0x4d530420
Faulting module name: AppGuardAgent.exe, version: 3.0.13.0, time stamp: 0x4d530420
Exception code: 0xc0000005
Fault offset: 0x00006a88
Faulting process id: 0x7d8
Faulting application start time: 0x01cbe347e52086e8
Faulting application path: C:\Program Files (x86)\Blue Ridge Networks\AppGuard\AppGuardAgent.exe
Faulting module path: C:\Program Files (x86)\Blue Ridge Networks\AppGuard\AppGuardAgent.exe
Report Id: 50215dc6-4f3b-11e0-a0f2-005056c00008

[pegr]

I know I've raised this issue before but so far I've never received a reply.

Can somebody from BRN please explain why processes belonging to Prevx and Trusteer Rapport are continually blocked from writing to the memory of guarded applications even though they have been added to the MemoryGuard Application Exception List.

These are the only two applications where I have seen this happen. All other applications that I have added to the MemoryGuard Application Exception List have been allowed to write to the memory of guarded applications, as expected.

Is this something that will be investigated with a view to resolution in the next release?

[Barb_C]

Quote:

Originally Posted by pegr

Is this something that will be investigated with a view to resolution in the next release?

Hi, Pegr. Will you please send your policy file and a copy of the events where Prevx and Trusteer Rapport are blocked to AppGuard@BlueRidgeNetworks.com. The agent’s policy file is in the following location: On XP: Documents and Settings\All Users\Application Data\Blue Ridge Networks\AppGuard\AppGuardPolicy.xml. On VISTA, the file will be in C:\users\<user_name>\AppData\Roaming\ Blue Ridge Networks\AppGuard\AppGuardPolicy.xml. Thanks!

[starfish_001]

Quote:

Originally Posted by starfish_001

http://www.wilderssecurity.com/showp...5&postcount=20

Barc ... can you comment on my issue ...

[ellison64]

Im having the same problem.Not all the time but perhaps once every other day.Im also using w7 64 bit.Ive just checked my event viewer logs,

12/03/2011

Faulting application name: AppGuardAgent.exe, version: 3.0.13.0, time stamp: 0x4d530420
Faulting module name: AppGuardAgent.exe, version: 3.0.13.0, time stamp: 0x4d530420
Exception code: 0xc0000005
Fault offset: 0x00006a88
Faulting process id: 0x6e4
Faulting application start time: 0x01cbe0c5d2b50422
Faulting application path: C:\Program Files (x86)\Blue Ridge Networks\AppGuard\AppGuardAgent.exe
Faulting module path: C:\Program Files (x86)\Blue Ridge Networks\AppGuard\AppGuardAgent.exe
Report Id: 40c2c699-4cb9-11e0-b4d0-705ab6c6f9e1

14/03/2011

Faulting application name: AppGuardGUI.exe, version: 3.0.13.0, time stamp: 0x4d5303ce
Faulting module name: MSVCR80.dll, version: 8.0.50727.4927, time stamp: 0x4a2752ff
Exception code: 0xc0000005
Fault offset: 0x0001500a
Faulting process id: 0x11cc
Faulting application start time: 0x01cbe22cc5c69c95
Faulting application path: C:\Program Files (x86)\Blue Ridge Networks\AppGuard\AppGuardGUI.exe
Faulting module path: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4927_none_d08a205e442db5b5\MSVCR80.dll
Report Id: 7737012e-4e20-11e0-bea1-705ab6c6f9e1

16/03/2011

Faulting application name: AppGuardAgent.exe, version: 3.0.13.0, time stamp: 0x4d530420
Faulting module name: AppGuardAgent.exe, version: 3.0.13.0, time stamp: 0x4d530420
Exception code: 0xc0000005
Fault offset: 0x00006a88
Faulting process id: 0x87c
Faulting application start time: 0x01cbe3ec3e6d4cf1
Faulting application path: C:\Program Files (x86)\Blue Ridge Networks\AppGuard\AppGuardAgent.exe
Faulting module path: C:\Program Files (x86)\Blue Ridge Networks\AppGuard\AppGuardAgent.exe
Report Id: aa6af7bd-4fdf-11e0-a3e5-705ab6c6f9e1


ellison

[pegr]

Quote:

Originally Posted by Barb_C

Hi, Pegr. Will you please send your policy file and a copy of the events where Prevx and Trusteer Rapport are blocked to AppGuard@BlueRidgeNetworks.com. The agent’s policy file is in the following location: On XP: Documents and Settings\All Users\Application Data\Blue Ridge Networks\AppGuard\AppGuardPolicy.xml. On VISTA, the file will be in C:\users\<user_name>\AppData\Roaming\ Blue Ridge Networks\AppGuard\AppGuardPolicy.xml. Thanks!

Hi Barb,

I've done as you requested and sent a copy of the Application Event Log showing the blocked events together with a copy of the AppGuard agent's policy file in the following location: "C:\Documents and Settings\Administrator\Application Data\Blue Ridge Networks\AppGuard\AppGuardPolicy.xml".

I sent the policy file located in the Administrator profile and not the one located in the All Users profile, because it's the one located in my personal user profile (i.e. Administrator) that contains the MemoryGuard Application Exceptions List. Please let me know if you also need the policy file for the All Users profile.

Regards