AppGuard 1.4.7.0 is out

Discussion in 'other anti-malware software' started by demoneye, Mar 16, 2010.

Thread Status:
Not open for further replies.
  1. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    I can tell you that quite a few folk here at Blue Ridge want that tray icon to simmer down a bit [employ country-western accent with nasal twang].

    One can disable notifications for a guarded application. This does so for all blocks pertaining to that application, however. We intended to do some enhancements in this area that I'm pretty sure AppGuard users will appreciate.

    One can also click on the check box of an AppGuard generated prompt on privacy mode blocks. This, however, does not eliminate everything.

    We're users too, and we want that icon to speak only when it has something new and useful to say...figuratively speaking.

    Cheers,

    Eirik
     
  2. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    Absolutely!
     
  3. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
    Sorry but that doesn't make sense. In both cases, it's IE trying to do the accessing which means it should display both warnings unless one disables the warning of the first screenshot in that post.
    On any forum, click the attachment paper clip icon, select one of the browse buttons, Explorer opens up with the first screenshot previously posted (single warning that can be disabled). In AG's default state, shouldn't the second screenshot be the norm? I do not get the second screenshot with both warnings until I select/expand Documents and click My Documents. I will also get the second screenshot if I add a folder to be Private. I think AG has a problem interpreting or distinguishing between Documents and My Documents. I know both are essentially the same but the mechanics of getting to them can be different.



    Thanks Eirik, I'm not looking for a performance gain but this leads to the real question: does AG look for the existence of these apps once on install or on every boot?

    Is this the number that has to be changed to correspond with the number of apps?
    Code:
    <usAppNum>10</usAppNum>
     
    Last edited: May 19, 2010
  4. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    I want to give AG a trial using Shadow Defender.

    Does AG require a restart during its installation?
     
  5. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    yes you have to restart man:)
     
  6. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    For people who strip down services: AppGuard requires Terminal Services to work (because it is the stand-alone client of an application which can be managed centrally at companies).

    Regards Kees
     
  7. Brocke

    Brocke Registered Member

    Joined:
    Mar 16, 2008
    Posts:
    2,306
    Location:
    USA,IA
    so when are we going to see an update for AppGuard? maybe minor updates or major?

    thanks
     
  8. Blackcat

    Blackcat Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    4,024
    Location:
    Christchurch, UK
    IMHO, either ditch, or greatly reduce both the flashing tray icon and the obscure window messages such as "X is not a valid Win 32 application". Average home users will run a mile away from this sort of intrusive messaging.

    I installed the new version about a week ago and after placing various programs in the Guard list and unchecking the alarm box it seemed to quieten down. But after a couple of hours the tray icon flashed up again with the new Office 2010 beta which I could not stop even after placing the exe. in the Guard list.

    AppGuard has the advantage of being a very light application, but compared to other "sandboxes" it is still too "Chatty", particularly for average Joe.
     
  9. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia

    Hi Greg,

    I received an answer to your questions from one of the engineers.

    Answer 1:

    My apologies, I didn’t read the original post closely enough to notice that in the first case you are accessing the Libraries\Documents Library. AppGuard is not having trouble distinguishing between Documents and “My Documents” and is behaving the same in both cases (i.e. blocking access to C:\users\seven\documents which is mapped to “My Documents” folder). It should be noted that the Libraries\Documents “container” is not actually a folder but a Library (http://windowsteamblog.com/windows/...04/06/understanding-windows-7-libraries.aspx). Libraries are a new concept in Windows 7 and by default I believe that the “My Documents” folder is a part of the Documents Library.

    In the first case when opening up the Documents Library, I.E. reads the contents of the library in order to display it. Because the “My Documents” folder is part of the Library, in the process of opening up the Documents Library, I.E. is attempting access to the “My Documents” folder as well. AppGuard is blocking this access to the “My Documents” (hence the AppGuard error message). In this case I.E. is not displaying an error message (perhaps I.E. does not consider this to be error-worthy since you are not trying to access the “My Documents” folder directly). In the second case when AppGuard blocks access to the “My Documents” folder, I.E. is responding with an error message (perhaps because in this case you are accessing the folder directly). Another explanation as to why I.E. is behaving inconsistently is that two different functions (accessing a Library vs. accessing a Folder) may be involved and not sharing the same code (and perhaps even two different programmers wrote the code). Since I’m not an I.E. developer I can only speculate as to why I.E. is behaving inconsistently, but I can assure you that in your second case, AppGuard is NOT displaying the “Location is not available – Access is Denied” message. Nor is AppGuard confusing the Documents Library with the “My Documents” folder. In both cases, it is simply blocking access to C:\users\seven\documents.

    To prove this to yourself (or to prove me wrong), reconfigure your Documents Library (right click on the Library and select “Properties”) to not include your “My Documents” directory and then attempt to open up the Documents Library from I.E. In this case, AppGuard will not display a message (because it will not have blocked access to C:\users\seven\documents).

    Answer 2:

    AppGuard will look for the existence of protected applications in the following cases:

    Any time the user modifies the policy.
    Log off/Log on (which implies reboot as well).
     
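The engineer's explanation above (a Library is a container of folder references, so opening Libraries\Documents makes the application enumerate every member folder, including "My Documents") can be checked without guessing. Windows stores each library definition as an XML file named *.library-ms, whose simpleLocation/url entries hold either a known-folder GUID or a literal path. The script below is an added example written for this page, not code from the thread or from Blue Ridge/AppGuard. It parses a constructed Documents.library-ms-style document, resolves the two known-folder GUIDs (FOLDERID_Documents and FOLDERID_PublicDocuments) to paths assumed for the thread's example user "seven", and reports which members overlap a privacy-mode folder, i.e. which folders a guarded application will be blocked on merely by opening the library. The sample XML and the path resolution table are constructed for the example; a real tool would resolve known folders through the shell instead of hard-coding them.

```python
from __future__ import annotations

import ntpath
import xml.etree.ElementTree as ET

LIBRARY_NS = "http://schemas.microsoft.com/windows/2009/library"

# Known-folder GUIDs a library-ms file may reference: FOLDERID_Documents and
# FOLDERID_PublicDocuments. The paths they resolve to are ASSUMED for the
# example user "seven" from the thread; a real tool would ask the shell
# (SHGetKnownFolderPath) instead of hard-coding them.
KNOWN_FOLDERS = {
    "{FDD39AD0-238F-46AF-ADB4-6C85480369C7}": r"C:\users\seven\documents",
    "{ED4824AF-DCE4-45A8-81E2-FC7965083634}": r"C:\users\public\documents",
}

# CONSTRUCTED sample in the shape of a Windows 7 Documents.library-ms after the
# user added one extra folder (D:\Projects\Notes). Not taken from a real system.
SAMPLE_LIBRARY = r"""<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <name>@shell32.dll,-34575</name>
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <isDefaultSaveLocation>true</isDefaultSaveLocation>
      <simpleLocation>
        <url>knownfolder:{FDD39AD0-238F-46AF-ADB4-6C85480369C7}</url>
      </simpleLocation>
    </searchConnectorDescription>
    <searchConnectorDescription>
      <simpleLocation>
        <url>knownfolder:{ED4824AF-DCE4-45A8-81E2-FC7965083634}</url>
      </simpleLocation>
    </searchConnectorDescription>
    <searchConnectorDescription>
      <simpleLocation>
        <url>D:\Projects\Notes</url>
      </simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>
"""


def library_members(xml_text: str) -> list[str]:
    """Return the folders a library aggregates, in the order the file lists them.

    Opening the library in Explorer (or an Explorer-based file dialog) makes the
    calling process enumerate every one of these folders, which is why a block
    on one member appears even though the user never clicked that folder.
    """
    ns = f"{{{LIBRARY_NS}}}"
    root = ET.fromstring(xml_text)
    members = []
    for url in root.iterfind(f".//{ns}simpleLocation/{ns}url"):
        value = (url.text or "").strip()
        if value.lower().startswith("knownfolder:"):
            guid = value[len("knownfolder:"):].upper()
            # Unknown GUIDs are kept verbatim so nothing is silently dropped.
            members.append(KNOWN_FOLDERS.get(guid, value))
        else:
            members.append(value)
    return members


def _inside(path: str, folder: str) -> bool:
    """Case-insensitive 'path equals folder or lies under folder' (Windows paths)."""
    p = ntpath.normcase(path).rstrip("\\")
    f = ntpath.normcase(folder).rstrip("\\")
    return p == f or p.startswith(f + "\\")


def members_hitting_private(xml_text: str, private_folders: list[str]) -> list[str]:
    """Library members whose enumeration would touch a privacy-mode folder.

    These are the folders a guarded application is blocked on (and the user
    sees a block notification for) merely by opening the library.
    """
    return [
        m for m in library_members(xml_text)
        if any(_inside(m, private) for private in private_folders)
    ]


if __name__ == "__main__":
    print("Library members:", library_members(SAMPLE_LIBRARY))
    print("Blocked when opening the library:",
          members_hitting_private(SAMPLE_LIBRARY, [r"C:\Users\Seven\Documents"]))
```

To run the same check against a real profile, read the library file from the user's Libraries folder (normally %AppData%\Microsoft\Windows\Libraries\Documents.library-ms) and pass its contents to library_members; if "My Documents" is listed there, the block on C:\users\seven\documents while merely opening the library is expected, and removing that member from the library's Properties dialog, as the engineer suggests, should make it disappear.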
  10. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    We decided to combine the next 32-bit AppGuard release with the first 64-bit AppGuard release, which is why we haven't released anything for a while. It's looking like we'll do the next release in July. The feature set is still fluid. We may classify the first 64-bit AppGuard release as a beta.

    Cheers,

    Eirik
     
  11. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    Everyone on the AppGuard team at Blue Ridge wants the next AppGuard to be less 'chatty'. We will include some tweaks in the next release to help that.

    Unfortunately, we probably won't do anything in the next release that eliminates the cryptic messages such as 'not a valid Win 32 application' because those aren't actually generated by AppGuard but by either the operating system or a guarded application, depending on the scenario. There are methods possible that we could employ that effectively close such prompts almost as quickly as they open, which can then be replaced by a more practical AppGuard generated prompt. This requires some rather heavy lifting to accomplish in a meaningful way.

    Cheers,

    Eirik
     
  12. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    Question regarding "Privacy Mode", we're thinking about re-defining the default setting. Note, "privacy mode" prevents applications guarded with "privacy mode" from accessing designated folders, unless the user temporarily suspends this protection.

    What do you prefer the default setting be for "Privacy Mode"?

    A) leave it as is: all of "My Documents"
    B) change it to a new folder created at installation called "Private Folders"
    C) change it to unspecified/blank
    D) something else (your idea)

    Please provide two answers labeled accordingly, one for yourself (i.e., an advanced user) and one for your friends/family (i.e., not advanced).

    There are other questions I'd like to ask. Stay tuned.

    Thanks,

    Eirik
     
  13. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    Hi Eirik,

    Will Kernel Patch Protection (PatchGuard) adversely impact 64-bit AppGuard in any way, and will the 64-bit version provide the same level of security as the 32-bit version?

    Thanks.
     
  14. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    Same protection.
     
  15. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857

    Most competitors create a private folder, so when you want to go with the flow. There are only a few apps (e.g. Chrome) which can be restricted for private folders such as My Documents. So I would opt for creating a new folder and explaining it explicitly in some sort of install wizard.

    AppGuard recognises Chromium as Chrome; I have put Chromium in C:\Program Files, so I manually changed folder type to 4. This is a bitch to recognise on application name alone, just to inform you Eirik.

    Regards Kees
     
  16. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    Thanks Eirik.

    That's good news. :thumb:

    Regards
     
  17. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
    Ah ha, so the second one is not coming from AG. I'm blown away by this, lol. I never get that message until after AG has been installed and do as mentioned. But get this, I just now performed the same scenario as previously mentioned and cannot reproduce it now that AG has been re-installed for about a week. It must be something on this end that causes it to happen for about a week or so, don't know now. I'm hard headed, I still say this has something to do with AG. Here's a previous screenshot from a previous install of AG. This is what I got after adding Desktop to the private folder. It's the same dialog.

    View attachment 216361

    Send me the link for policy editing. I want to get rid of those that I do not use. I don't need AG populating the Event Viewer with such useless info. Notice I said "I don't need"; that's not to say that it is not useful for others, it's just me not liking it.
     
    Last edited: May 21, 2010
  18. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    I just realized that I had not answered this question. The answer is "no". Kernel Patch Protection does not adversely affect... The Kernel Patch Protection team at Microsoft was very helpful on this matter.

    Cheers,

    Eirik
     
  19. ruinebabine

    ruinebabine Registered Member

    Joined:
    Aug 6, 2007
    Posts:
    1,096
    Location:
    QC
    Waow, Eirik, you should have done for a pretty good karma, then, from what I heard from some other security developers! :)
     
  20. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA

    Oh, he works for a company that more than likely has some friends close by in Washington, who have some friends in Redmond.;)

    Great news Eirik.:thumb:
     
  21. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    Hmmm... AG is using ring 3 then, right?
     
  22. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    Thanks again for the further clarification, Eirik.

    I assumed that was what you were implying when you said that the protection would be exactly the same. :)

    Regards
     
  23. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    From my limited understanding of how AG works, I have always assumed it is implemented via some kind of filter driver rather than hooking, which is why it claims to protect against around 90% of threats, rather than 100%.

    I'm not a technical expert when it comes to these things but my understanding is that to build a policy HIPS with 100% protection would require hooking for things like inter-process monitoring, etc, which as you rightly point out would mean Ring 3 on 64-bit.

    These are only assumptions on my part, so I think we need Eirik to provide further clarification that 64-bit AG is not using Ring 3 user-mode hooks.
     
  24. 1000db

    1000db Registered Member

    Joined:
    Jan 9, 2009
    Posts:
    718
    Location:
    Missouri
    AG doesn't protect against memory injection, man-in-the-browser, or cross-site scripting attacks etc. I think that is why AG only claims 90% protection. Such threats are outside the scope of AG apparently.
     
  25. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    Yes, that's my understanding too.
     