AppGuard 4.x 32/64 Bit - Releases

Discussion in 'other anti-malware software' started by Jryder54, Oct 29, 2013.

Thread Status:
Not open for further replies.
  1. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,458
    Location:
    .
    Interesting...haven't been running AppGuard long enough to comment. I thought "pink" >
    01/27/15 13:00:17 Prevented process <Plugin Container for Firefox> from writing to <c:\windows\rescache\rc0002\rescache.hit>. was okay with the Explanation.
    I seldom view the Activity Report (maybe I should) but, more colors with granular reporting...yeah...makes sense. I trust pegr #2668
     
  2. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,537
    I still don't get why people even think about using HIPS programs...

    The main purpose of a computer is to help us be productive, and not the opposite...

    Also, the probability of a HIPS failing is so much higher than a program like AppGuard...
     
  3. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I have been using Online Armor since 2003. It has no effect on my productivity. The only prompt I have gotten in the last 4 days was Adobe Flash updating. Also, there's rarely ever been a bypass found for Online Armor, and it has been around for years. It has a superb track record. I can only remember 1 bypass for OA since I have been using OA, and it was fixed right away. Online Armor stops all the latest Crypto Ransomware. What are you basing your opinion off of when you say the probability of HIPS failing is way higher? In the real world I have found that Online Armor stops everything except exploits, but it blocks their payloads easily unless they only infect the memory.
     
  4. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    There is a market, and there is development, that's just a fact. And you're both missing the point. I thought we had just agreed that it doesn't make sense to compare them, yet you do.

    Like I said, HIPS monitor for suspicious/unwanted behavior from apps that you run or install. This gives you a chance to block and/or terminate it, and refrain from using it ever again. So you actually want to see alerts pop up.

    Sandboxie and AppGuard don't do this, so when I run some app "sandboxed" I still don't know for sure if it might be malicious or not. That's why I combine sandboxing with HIPS.
     
  5. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Pete, classical HIPS is not dead. Comodo is still around, and has regular development.
     
  6. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Totally forgot about them and Privatefirewall. And even other firewalls like Outpost and ZoneAlarm offer a HIPS. But OK, enough about this off topic subject.
     
  7. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    But its usability is not good. Otherwise why would Emsi have a 40% return rate?
     
  8. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,537
    By the type of program...

    Like you said they aren't comparable.

    We are just discussing our points, and this is the AppGuard topic... ;)

    I know what I want to install, so if something tries to install/run without my knowledge it will be automatically blocked or restricted by AppGuard.

    If I want to try a lot of programs, I would prefer to have a virtual machine for that...

    For home or enterprise perspective, AppGuard makes much more sense than using a HIPS!

    But this is just my opinion... ;)
     
  9. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    @ rdsu and Peter2150

    You're both missing the point. No need to compare, because they both offer something different. Actually, HIPS can do a lot of the same things that "policy based" sandboxes can do, but it's not the other way around, go think about that one.
     
  10. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590

    I don't disagree, but it's a so what. The key point is do they protect your system. If AppGuard protects the system why fool with the extra stuff?
     
  11. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Emsisoft wants to switch everyone to EIS so I don't think they are a good example. Support for Online Armor consists of, you are having problems with OA, I recommend you try EIS. Bugs don't get fixed anymore, at least any that have been reported in almost the past two years. Emsisoft is doing everything they need to prevent people from using OA so it's not entirely OA's fault. Emsisoft wants to put all their time into developing EIS, hence their reason for not wanting to put time into OA development. The toolset used to develop OA is outdated so it will be a major job to make certain changes to OA like enabling ASLR and DEP. I have not seen a bypass for Online Armor in a very long time so it seems to be working well without it. The only bypass I can remember was reported over at ssj100 years ago, and I think that bypass was fixed right away.

    This discussion needs to be moved to a HIPS thread, or even Online Armor's thread. Let's get back to discussing AppGuard, or policy based security in this thread.
     
  12. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    If you want to discuss this further post in Online Armor's thread, or we can start a new HIPS thread. The short of it is HIPS provides granular control of everything that runs on your system so it will be more secure than even Anti-executables in the hands of a knowledgeable user.
     
  13. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    Make sure that the MemWrite and MemRead flags are set to On in the Guarded Apps tab for entries you want protected by MemoryGuard. When these flags are enabled for a guarded app, AppGuard prevents the guarded app from altering or reading the memory of other processes at the Medium protection level.

    Note that MemoryGuard configuration only applies to the Medium protection level. At the Locked Down protection level, MemoryGuard applies to all guarded apps, irrespective of how they are configured in the Guarded Apps tab.

    It's not a good idea to guard system utilities like Process Explorer and Task Manager, which need to access the memory of other processes, because they won't work properly if you do. Taking Process Explorer for example, you will see the processes listed but the Description and Company Name columns will be blank.

    Programs that should be guarded include Internet-facing applications and applications used to load documents that may contain embedded code: office applications, media players, etc. These cannot be trusted. System utilities and other security programs should not be guarded. These must be trusted to ensure they work properly.

    It's worth reading through the AppGuard help file, accessed via the GUI. It's all clearly explained there. Maybe also have a look at post #5 on page 1 of this thread, which contains a quick guide to help new users get started.
     
    Last edited: Jan 28, 2015
  14. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    Actually, both Sandboxie and AppGuard do all this you mentioned, the key difference is they don't ask questions, you have to configure them both manually, also they both use a different approach for protection unlike HIPS, but the result is the same, either you block or allow those behaviours, since everything also needs to write and read and also needs to start/run and access the internet.
     
  15. Cabville

    Cabville Registered Member

    Joined:
    Feb 19, 2014
    Posts:
    66
    What a stupid argument. AppGuard IS ITSELF a form of HIPS. Besides, each and every program brings different things to the table and so much depends on user preference. There is no right or wrong answer here. As long as it meets your needs.
     
  16. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    Well, everything you wrote here were my points exactly, including the fact that AppGuard is a combination of a form of HIPS and anti-exe, but without all of those annoying questions, but I wrote my answer pretty clumsily.
     
    Last edited: Jan 28, 2015
  17. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,537
    There is no need for that... :)

    I just remember when the new type of Firewalls, with HIPS, were very popular, and every week or month a new release was made to handle new proactive tests, like Matousec, and so on...

    But like you said, let's go back and discuss AppGuard...
     
  18. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,873
    Location:
    Outer space
    I'd also rather not have a subscription based model and you're right that the other model encourages the developers more to improve the product and be innovative, but on the other hand it might also encourage adding more and more features (bloat) to sell more licenses instead of making the existing product better.
     
  19. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,873
    Location:
    Outer space
  20. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,873
    Location:
    Outer space
    First, make sure Memory protection is On, as pegr posted:
    Secondly, I'm not sure of the details and this is mostly guesswork, but it could be that Task Manager, Process Hacker etc request a list of running processes, CPU usage etc from Windows itself and are not actually reading the memory of these processes themselves. I just tried adding Process Explorer to Guarded Apps with MemRead and MemWrite protection and it shows all processes, but it is not able to show some details such as Description and Company Name. AppGuard also shows a lot of blocked memory reading/writing events from Process Explorer.
     
  21. Cabville

    Cabville Registered Member

    Joined:
    Feb 19, 2014
    Posts:
    66
    I wasn't addressing you in particular, CoolWebSearch. Just the whole HIPS vs AppGuard debate that was unfolding felt like it was starting to degenerate into a dog chasing its tail.
     
  22. domino947

    domino947 Registered Member

    Joined:
    Jan 28, 2015
    Posts:
    6
    [Windows 7 SP1 64-bit, AppGuard 4.1.45.1 Trial]

    Is there a way I can redirect the "Blue Ridge AppGuard" events from the Application log to a custom log?

    Also, where is the AppGuard Activity Report log stored? And is it possible to make AppGuard display past events (earlier than the previous reboot) in the window that pops up after clicking the "AppGuard Activity Log" button?

    Thank you.
     
  23. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    The events shown in the AppGuard Activity Report are also written to the Application section of the Windows Event Log. Use the Windows Event Viewer to view them.

    Make sure the Event Log checkbox in the Alerts tab is checked for all AppGuard events that you want logged.
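
One way to review such events once they have been copied out of Event Viewer as text, added here as an example that is not part of the thread and not AppGuard's own code: it groups blocked writes by process and target folder. It assumes each entry has the same shape as the Activity Report line quoted earlier in this thread; the sample lines after the first are constructed.

```python
import re
from collections import Counter
from datetime import datetime
from pathlib import PureWindowsPath

# Line shape assumed from the one Activity Report entry quoted in this thread:
#   MM/DD/YY HH:MM:SS Prevented process <NAME> from writing to <PATH>.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"Prevented process <(?P<process>[^>]+)> "
    r"from writing to <(?P<target>[^>]+)>\.?$"
)

# Constructed sample: the first line is the entry quoted in the thread,
# the rest are made up for illustration.
SAMPLE = r"""
01/27/15 13:00:17 Prevented process <Plugin Container for Firefox> from writing to <c:\windows\rescache\rc0002\rescache.hit>.
01/27/15 13:00:19 Prevented process <Plugin Container for Firefox> from writing to <c:\windows\rescache\rc0002\example.tmp>.
01/27/15 13:05:42 Prevented process <Example Reader> from writing to <C:\Windows\System32\example.dll>.
01/27/15 13:06:00 An entry in a shape this parser does not know.
"""

def parse_line(line):
    """Return a dict for one blocked-write entry, or None if the shape differs."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return {
        "time": datetime.strptime(m["ts"], "%m/%d/%y %H:%M:%S"),
        "process": m["process"],
        # Windows paths are case-insensitive, so normalise before grouping.
        "target": PureWindowsPath(m["target"].lower()),
    }

def summarize(text):
    """Count blocked writes per (process, target folder); keep unparsed lines."""
    counts, unparsed = Counter(), []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        if event is None:
            unparsed.append(line)  # never drop what we cannot classify
        else:
            counts[(event["process"], str(event["target"].parent))] += 1
    return counts, unparsed

if __name__ == "__main__":
    counts, unparsed = summarize(SAMPLE)
    for (process, folder), n in counts.most_common():
        print(f"{n:3d}  {process}  ->  {folder}")
    print(f"{len(unparsed)} line(s) not recognised")
```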
     
  24. TS4H

    TS4H Registered Member

    Joined:
    Nov 5, 2013
    Posts:
    523
    Location:
    Australia
    Hi Pete, I don't realize how much extra code it would take; I'm not a programmer. Just so we are clear, I was not asking AG to determine for itself to allow or block an event. Honestly I do not want it to. I like its default deny approach. AG gives us an option to ignore an alert; like you said, it takes some thinking on the user's side. I'm just trying to make that a bit clearer for the user. Because by hiding and ignoring an alert, it seems to me you have trusted that event.

    Anyway. It was just an expression of opinion, let's move on.

    regards.
     
  25. Plerian

    Plerian Registered Member

    Joined:
    Jan 18, 2015
    Posts:
    4

    Okay, so how do I disable the connection between a program and CPU usage from Windows? Is there any manual on how to do it, and if you can, send it. If AppGuard cannot block it, is there any other program that can?
    I have as well put Task Manager in guarded apps and set under settings to block the entire C drive from being accessed, but Task Manager still works and displays all of my process information.
     