AppGuard 4.x 32/64 Bit - Releases

Discussion in 'other anti-malware software' started by Jryder54, Oct 29, 2013.

Thread Status:
Not open for further replies.
  1. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Okay CWS, let me take a shot at this. First, a couple of things.

    1. Let's say right up front we are not discussing Bromium-type stuff. Yes, it can bypass almost everything, but in the real world it's not a threat.

    2. Exploits: The best analogy I've seen that puts it into context is this. An exploit is, say, having a missile launcher, the missile body, the warhead and fuel. Once it's put together and launched you now have an attack with a payload. Most defense approaches aim at stopping or destroying the incoming payload. This is basically where AppGuard fits.

    So does AppGuard actually protect DLLs? I would answer no. All of your answers come from how AppGuard works. Two basic things.

    1. User Space vs System Space. System Space is folders like c:\windows and the Program Files area. AppGuard allows applications to run from these areas. User Space is areas like My Documents, the desktop, Downloads etc. This is typically where malware first ends up prior to being installed. Applications are generally not allowed to run from these areas by AppGuard.

    2. Guarded Apps. These applications are guarded so they can't write to any System Space folders. So this is in essence how DLLs are protected. Also, guarded apps have the MemoryGuard protection so they can't read or write to another application's memory. Also, if you enter a special folder and enable the privacy settings, a guarded app can't access that folder.

    Here's something you can try to see this in action, and I recommend you image your system or use something like Shadow Defender.

    Take any trusted installer. I used one of my EIS installers. With AppGuard in Lockdown, try to execute it from the desktop. It won't run. Then place it in the Program Files (x86) folder, and create a shortcut on the desktop. With AppGuard on, try to run it. It will run fine. At this point you might have to restore. Then put it back in Program Files (x86) with a shortcut, but also add that application to AppGuard's Guarded Apps list. The installer will run and pretty quickly break down and fail. Why? Because it can't write to the system areas.

    Don't compare it to Sandboxie; they are similar and also very different. Trying to compare them will result in confusion. I take a simple approach on this. I run both.

    The way AppGuard protects from keyloggers etc. is that it prevents their installation. Unless you deliberately allow it, and that is your fault.

    AppGuard essentially has start/run protection in the sense that unless you install something to the system area you can't run it.

    CWS, I monitor about 20 different security blogs, and a very high percentage of the attacks like Sony, the Duqu thingy, all start with targeted emails. Even the general attacks usually require you to click on a link or download an attachment, or do a drive-by, and then install some malware to take over the computer. AppGuard stops that dead in its tracks. It's very easy to get wrapped up in all the technical discussion in this forum, and that leads to confusion.

    I think both AppGuard and Sandboxie by themselves are excellent. Used together, over-the-top protection.

    I would say to you: use them, set up AppGuard, set up a restricted sandbox and relax.

    As to adding more memory techniques to AppGuard: maybe, but if it works now, why mess with it? I know they monitor what's going on and will stay on top of it.

    Pete
     
  2. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    The last documentation I received about AG's dll protection was 2-3 years ago. This is directly from the documentation given to me by BRN. I don't know if BRN ever made any changes to this. "Loading of DLLs is now conditioned based on digital signature and trusted publisher policy. So for instance if a DLL’s publisher is on the trusted publisher list, it will be allowed to load. The DLL will be Guarded if the process that is loading it is Guarded."

    I can't answer your specific questions about kernel32.dll. I think a strong HIPS provides the best DLL protection in the hands of a knowledgeable user. The average user would not know how to respond to prompts about DLL injection, etc. I will take a stab at your other questions when I have more time. I hope Pete already answered them. I have not had a chance to read his post yet. The network shares question is a good one. I ran into a problem myself disabling network shares, and other shares, in Windows. Each time I disable network shares they become enabled again after I reboot. I will have to look into it more, but maybe Pete already answered it in his post. I'm in a rush right now, and have to go.
     
    Last edited: Jan 25, 2015
  3. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    No need to make user-space folders exception folders. Adding a user-space folder to the User Space tab and setting the Include flag to No allows unguarded launches from the folder but access remains read/write.
     
    Last edited: Jan 25, 2015
  4. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    Can, and actually should, I guard C:\Sandbox with AppGuard?
    Can it be configured so that I run Sandboxie guarded and protected by Sandboxie, and all files, exes and DLLs that run under Sandboxie are protected by AppGuard?
    By the way, big thanks for your answers here; yes, like you said, Sandboxie and AppGuard truly provide the top protection against all forms of malware (I tested this on my own many times).
    Yes, I tried to run many keygens (trust me, they were all malicious) and AppGuard stopped them dead in their tracks.
    But I still don't know how AppGuard would behave when we talk about crucial drivers on the computer like win32k.sys and kernel32.dll.
    If you don't mind, how exactly do you configure Sandboxie in AppGuard?
    Just for the record, I do enable the DropMyRights option in each and every sandbox.
     
    Last edited: Jan 26, 2015
  5. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    Well, the one software that is similar to AppGuard is DefenseWall; however, DefenseWall also has a very robust HIPS. It is very useful for those who are on XP, although I dropped it to install and buy Sandboxie and AppGuard.
    For example, does No Virus Thanks Exe Radar Pro do a good job when it comes to DLLs? I'm not sure if anti-exe is good at this; I think HIPS will always be better, which is why I consider SpyShelter as my third option (with both Sandboxie and AppGuard already installed on my computer).
     
  6. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,207
    For compatibility you need to add C:\Sandbox in AppGuard's Guarded Apps tab as an exception folder.

    If you have a paid version of SBIE, you can choose in the User Space tab to give individual Sandbox container subfolders an Include flag of Yes to allow AG to guard the executions in those folders. Or you can do like me and set the whole Sandbox container with a Yes flag, and give some software-install sandbox folder an Include flag of No.

    If you have start/run restrictions in the Sandboxie box, then I think AG guarding that folder is not so important. But I have both for, say, my browser sandbox.

    I say nothing about DLL protection as I don't know. And I, as I am sure most others, don't guard Sandboxie processes either.
     
  7. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,207
    I hate to say that Bo might be right in his comments warning not to install SpyShelter. Yes, I have read some posts where it seems to work, sort of. It is that Sandboxie has some HIPS capabilities, and installing any other app with that capability might, in my opinion, cause slow system starts and possible BSODs. I have used HIPS programs in the past and they also introduce paranoia and usability problems, and are possibly hard to uninstall, etc.

    Nice post from Pete btw.
     
  8. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I've added c:\Sandbox to the settings on the Guarded Apps tab with the exceptions set. If you don't do that, Sandboxie can't write to the folder. Also, I don't use DropMyRights in Sandboxie because I use AppGuard. It causes strange Chinese-type characters in Firefox.
     
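The rules Pete lays out in his first post (System Space vs User Space, Guarded Apps, MemoryGuard, privacy folders), pegr's note about User Space folders with Include set to No, and the c:\Sandbox exception folder that Jarmo P and Pete describe, as a small Python policy evaluator. This is an added example written for this page, not AppGuard's code or its real policy engine: the folder roots, the event names and the sample paths (an installer under Program Files (x86), a driver it tries to write, a Sandboxie container file) are all assumptions, everything outside the user profile is treated as System Space, and only Lockdown mode is modelled. `installer_experiment()` replays Pete's three-step installer test and `sandboxie_exception_demo()` shows why c:\Sandbox needs the exception.

```python
"""Toy model of the AppGuard rules described in this thread.  Added example,
not AppGuard's code: folder roots, event names and sample paths are assumed,
and only Lockdown mode is modelled."""
from dataclasses import dataclass, field
import ntpath

# Assumed User Space root: the per-user profiles.  Everything outside it is
# treated as System Space, which is what makes c:\Sandbox need an exception
# folder in the Guarded Apps tab (Pete's and Jarmo P's posts).
USER_SPACE_ROOTS = (r"c:\users",)


def _norm(path: str) -> str:
    """Lower-case, normalise separators and collapse '..' so comparisons are stable."""
    return ntpath.normcase(ntpath.normpath(path))


def is_under(path: str, root: str) -> bool:
    r"""True if path is root or lies inside it.  Whole-component comparison,
    so c:\program filesevil\x.exe is NOT treated as inside c:\program files."""
    p, r = _norm(path), _norm(root)
    return p == r or p.startswith(r.rstrip("\\") + "\\")


def in_any(path: str, roots) -> bool:
    return any(is_under(path, r) for r in roots)


@dataclass
class LockdownPolicy:
    guarded_apps: set = field(default_factory=set)        # Guarded Apps tab: exe paths or folders
    write_exceptions: set = field(default_factory=set)    # exception folders a guarded app may write to
    privacy_folders: set = field(default_factory=set)     # folders with the privacy setting enabled
    include_no_folders: set = field(default_factory=set)  # User Space tab entries with Include = No

    def is_guarded(self, exe: str) -> bool:
        return in_any(exe, self.guarded_apps)

    def on_launch(self, exe: str) -> str:
        """System Space launches run.  User Space launches are blocked in Lockdown,
        unless the folder is listed with Include = No, in which case they run unguarded."""
        if not in_any(exe, USER_SPACE_ROOTS):
            return "ALLOW"
        if in_any(exe, self.include_no_folders):
            return "ALLOW-UNGUARDED"
        return "BLOCK"

    def on_write(self, exe: str, target: str) -> str:
        """Guarded apps may write to User Space and to exception folders, never elsewhere."""
        if not self.is_guarded(exe):
            return "ALLOW"
        if in_any(target, USER_SPACE_ROOTS) or in_any(target, self.write_exceptions):
            return "ALLOW"
        return "BLOCK"

    def on_read(self, exe: str, target: str) -> str:
        """Privacy folders are off limits to guarded apps."""
        if self.is_guarded(exe) and in_any(target, self.privacy_folders):
            return "BLOCK"
        return "ALLOW"

    def on_memory_access(self, exe: str, target_exe: str) -> str:
        """MemoryGuard: a guarded app may not read or write another process's memory."""
        if self.is_guarded(exe) and _norm(exe) != _norm(target_exe):
            return "BLOCK"
        return "ALLOW"


def installer_experiment() -> dict:
    """Pete's three-step installer test.  The installer name, its location and
    the driver it tries to drop are constructed for the example."""
    desktop_exe = r"C:\Users\Alice\Desktop\eis_setup.exe"
    pf_exe = r"C:\Program Files (x86)\EIS\eis_setup.exe"
    driver = r"C:\Windows\System32\drivers\eis.sys"
    policy = LockdownPolicy()
    out = {"desktop": policy.on_launch(desktop_exe)}
    # Step 2: installer moved into Program Files (x86); the desktop shortcut only points there.
    out["program_files"] = (policy.on_launch(pf_exe), policy.on_write(pf_exe, driver))
    # Step 3: same location, but the installer is now on the Guarded Apps list.
    policy.guarded_apps.add(pf_exe)
    out["program_files_guarded"] = (policy.on_launch(pf_exe), policy.on_write(pf_exe, driver))
    return out


def sandboxie_exception_demo() -> tuple:
    r"""Guarded Sandboxie writing into its container, without and with c:\Sandbox as an exception."""
    sbie = r"C:\Program Files\Sandboxie\SbieSvc.exe"
    box_file = r"C:\Sandbox\Alice\DefaultBox\drive\C\Users\Alice\Downloads\page.tmp"
    without = LockdownPolicy(guarded_apps={r"C:\Program Files\Sandboxie"})
    with_exc = LockdownPolicy(guarded_apps={r"C:\Program Files\Sandboxie"},
                              write_exceptions={r"C:\Sandbox"})
    return without.on_write(sbie, box_file), with_exc.on_write(sbie, box_file)


if __name__ == "__main__":
    print(installer_experiment())
    print(sandboxie_exception_demo())
```

The one detail worth copying from this model is `is_under`: any path-based policy has to compare whole components after normalising case and separators, otherwise a folder named `c:\program filesevil` inherits System Space treatment from `c:\program files` through a plain prefix match.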
  9. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    One thing both you and Rasheed have to come to terms with is that the classical HIPS is dead. If that is what SpyShelter is, it too will die. No one can make money with them because they are just too complex for most users, hence no market. If you look at Emsisoft's site you can see how they classify OA. Originally that had a 40% return rate.

    You guys might not remember Prevx2. It was a classical HIPS, and they found on average people answered pop-ups incorrectly 50% of the time. That's when they shifted gears. AppGuard offers no fun, no pop-ups, no fancy interactions. It only offers you one thing: it silently protects your system. In conjunction with SBIE that is powerful protection.
     
  10. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    Well, both AppGuard and Sandboxie are HIPS programs, but ones which are already pre-configured and install-and-forget (this is why they are so usable). Plus, if you want to configure them, it is extremely easy for both Sandboxie and AppGuard, and both Sandboxie (when properly configured) and AppGuard (in Lockdown mode) protect equally, and on an equal level, against all forms of malware.
     
  11. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Yes, so use both: restrict SBIE, run AppGuard in Lockdown, and last and equally important, RELAX.
     
  12. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,453
    Location:
    .
    If you hover over "pink" you get an explanation, and if you highlight and right-click you'll open Help for that event. How would you suggest to "better inform"....
     
  13. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,453
    Location:
    .
    Where do you see strange characters in Firefox.... I run with DropMyRights. Curious where to look for characters. Your SBox is probably tighter than mine.... as you're in the know.
     
  14. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Everywhere. No English characters at all. Also, with AppGuard I don't see the need for DropMyRights.
     
  15. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,453
    Location:
    .
    Okay ~ ...I'll keep an eye out for no English characters. Running same SBoxie config from before AppGuard. So, never thought about DropMyRights.
     
  16. TS4H

    TS4H Registered Member

    Joined:
    Nov 5, 2013
    Posts:
    523
    Location:
    Australia
    Hi bjm_, I have read all the help files, but as I mentioned earlier, I would allocate a column that relates to the activity. In the column next to the activity, maybe label it (expected, unexpected), or something of that nature.

    For example the activity

    "Prevented process <Chrome> from writing to c:\program files (x86)\google\chrome\application\*\debug.log" Label it as Expected.
    "Prevented <*.dll> originating from <IExplorer> from altering registry" Label it as Unexpected.

    It will quickly show the user that even though AG has blocked something, it may or may not be something to be worried about. Having a RED ACTIVITY may alarm some users.

    Red activity may be unexpected and deemed Unsafe
    Yellow activity may be expected and monitored by AG and deemed Safe
    Grey activity may be the first time this event has occurred or is unknown and monitored by AG.

    Thoughts? I am very much capable of determining safe/unsafe events, as are many users here on Wilders, but for new users or the less technically inclined, red means bad.

    regards.
     
  17. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    I will try to run Sandboxie with DropMyRights and AppGuard to see what would happen.
     
  18. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    What you are suggesting is an evaluation of application behaviour in order to classify blocked events according to the risk they pose, but that isn't how AppGuard works.

    AppGuard blocks any behaviour that violates policy without attempting to determine the purpose or intent of the application that generated the blocked behaviour. All blocked behaviour is considered by AppGuard to be unsafe, with a potential to compromise the system if allowed.
     
  19. TS4H

    TS4H Registered Member

    Joined:
    Nov 5, 2013
    Posts:
    523
    Location:
    Australia
    Yes, I understand that and completely agree for all intents and purposes; I'm merely suggesting that an activity may be better relayed to the user if it is indicated whether said activity is expected or unexpected. For everyday users, how are they supposed to know that Chrome writes to a debug log and that this is normal? Fair enough, AG blocks these and they are unnecessary, but how do they know that? Some might see a prevented activity and think there is a problem.

    But you are right, it's not AG's task to determine if it's safe or unsafe. But I still feel like we could be better informed; some users might take comfort in this.

    regards.
     
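TS4H's Expected/Unexpected/Unknown labelling, implemented as a user-side triage filter over AppGuard-style blocked-event lines. This is an added example, not code from the thread or from AppGuard: as pegr says, AppGuard itself does not classify blocked events, so a filter like this would have to sit on top of an exported block log. The two message shapes are guessed from the two lines TS4H quotes; the allowlist, the high-concern action list, the regexes and the sample log lines are all constructed for the example.

```python
"""Added example, not part of the thread or of AppGuard: a user-side triage
filter that labels AppGuard-style blocked-event lines expected / unexpected /
unknown, as TS4H proposes.  Message shapes are guessed from the two lines quoted
in the thread; the allowlist, high-concern list and sample log are constructed."""
import re
from fnmatch import fnmatchcase

# Shape 1 (assumed): "Prevented process <X> from writing to <path>"
_PROCESS_RE = re.compile(
    r"Prevented process <(?P<proc>[^>]+)> from (?P<action>\w+(?: to)?) (?P<target>.+)")
# Shape 2 (assumed): "Prevented <obj> originating from <X> from altering registry"
_OBJECT_RE = re.compile(
    r"Prevented <(?P<target>[^>]+)> originating from <(?P<proc>[^>]+)> from (?P<action>.+)")

# Allowlist of blocks known to be harmless noise: (process glob, action, target glob),
# all lower-case.  '*' in the target glob covers Chrome's version-numbered folder.
EXPECTED = [
    ("chrome", "writing to", r"c:\program files (x86)\google\chrome\application\*\debug.log"),
]
# Actions that get the red label when not allowlisted (constructed list).
HIGH_CONCERN = {"altering registry", "altering memory", "reading memory"}


def parse_event(line: str):
    """Return {'proc', 'action', 'target'} for a recognised line, else None."""
    line = line.strip()
    m = _PROCESS_RE.match(line) or _OBJECT_RE.match(line)
    return {k: m[k] for k in ("proc", "action", "target")} if m else None


def classify(event: dict) -> str:
    """expected: allowlisted; unexpected: high-concern action; unknown: review by hand."""
    proc, action, target = (event[k].lower() for k in ("proc", "action", "target"))
    for proc_glob, rule_action, target_glob in EXPECTED:
        if fnmatchcase(proc, proc_glob) and action == rule_action and fnmatchcase(target, target_glob):
            return "expected"
    if action in HIGH_CONCERN:
        return "unexpected"
    return "unknown"


def triage(lines):
    """Label each line; unparsable lines are kept and flagged rather than dropped."""
    out = []
    for line in lines:
        ev = parse_event(line)
        out.append((classify(ev) if ev else "unparsed", line.strip()))
    return out


# Constructed sample log.  The first two lines follow the shapes quoted in the thread.
SAMPLE_LOG = [
    r"Prevented process <Chrome> from writing to c:\program files (x86)\google\chrome\application\40.0.2214.94\debug.log",
    r"Prevented <sample.dll> originating from <IExplorer> from altering registry",
    r"Prevented process <eis_setup> from writing to c:\windows\system32\drivers\eis.sys",
    "some line the parser does not recognise",
]

if __name__ == "__main__":
    for label, line in triage(SAMPLE_LOG):
        print(f"{label:10} {line}")
```

The allowlist is the part that needs maintaining, which is pegr's objection in practice: every "expected" entry is a judgement about one application's normal behaviour, and anything not covered falls through to the grey "unknown" bucket rather than being promoted to safe.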
  20. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi TS4h

    Do you have any idea how much code would need to be added to AppGuard to accomplish this? In reality it's very simple. If something breaks, look at the error message. If nothing breaks, don't worry about it. That is very simple, but I realize it does require thinking on the part of the user.
     
  21. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,108
    I also don't want AppGuard to become abandonware, and a model whereby you get a permanent licence with 1 year of free updates, or one where you also get a permanent licence but only pay for major upgrades, still allows them to receive revenue, assuming they add worthwhile new features in the future. It encourages the developers to add these new features/improvements.

    A subscription model doesn't encourage developers to improve the product since they know that people are going to have to pay every year just to use the product as it is.

    Companies with apps which don't need regular signature updates got by fine without subscriptions for years.
     
    Last edited: Jan 27, 2015
  22. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    I understand what you are saying, but looking at it the other way round, how is AppGuard to know that Chrome writing to the debug log is normal and expected behaviour? To work this way, AppGuard would have to have detailed knowledge of what is normal behaviour for a large number of applications.

    As Pete said, this would be very complex and costly to code and maintain, and to what end? Most of the time blocked events are harmless and can be ignored. If something isn't working correctly, the blocked messages reporting already provides enough detail to work out what to do to solve the issue.

    Regards
    Pegr
     
    Last edited: Jan 27, 2015
  23. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    You're wrong, you've still got: SpyShelter, Zemana AntiLogger, Online Armor. Yes the market is small, but these guys have managed to survive for years. Even if they stop development, you can still use the product, and they will probably make it freeware.

    What you need to realize is that you can't compare HIPS with sandboxing. Tools like SBIE and AG can't do what HIPS can, they can't or won't alert you about suspicious or unwanted behavior. This especially comes in handy when installing some new app.
     
  24. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    If I am wrong, then there should be an active market and active development. You are right, they don't compare. But the difference is that other products like AppGuard provide the same quality protection without pop-up hell.
     
  25. Plerian

    Plerian Registered Member

    Joined:
    Jan 18, 2015
    Posts:
    4
    I have installed the AppGuard program on my computer. How do I successfully block the Task Manager program with it, so Task Manager cannot read process memory? Or block any other memory-reading program.
    I have put Task Manager, Process Hacker 2 and Sysinternals Process Explorer in AppGuard under Guarded Apps, and when I open those programs they still work and show a list of all my running processes on the computer. Do I need to block some special content in Settings so those programs can't access it and read my process information?

    Can someone perhaps send me a detailed user manual on how to do it?
     