AppGuard 4.x 32/64 Bit - Releases

Discussion in 'other anti-malware software' started by Jryder54, Oct 29, 2013.

Thread Status:
Not open for further replies.
  1. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Of course Task Manager still works. It doesn't get its information by reading other processes' memory, it looks at what is running on the system. Huge difference.

    You know Plerian, it still isn't clear to me exactly what you want to accomplish, and from my discussion with you on the Sandboxie forum, you didn't seem to want to reveal that. But without knowing it will be hard to help you.
     
  2. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,207
    AppGuard comes I think with a good protection "out of the box" for the Windows OS. The only thing needed in most cases is to add untrusted non-OS apps to the guarded list. Blocking the C drive sounds quite unusual? And thus maybe not recommended. And I would want to be able to run Task Manager.

    2 files that are added to the user space tab with Yes are schtasks.exe and at.exe from the c:\Windows\system32 folder. That is done I guess to protect the OS from unwanted scheduling of tasks. When taskmgr.exe is not there, I sort of think it should not be added either.
     
  3. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Tor Browser cannot be guarded and run from Program Files. If I guard Tor Browser, AG will not allow it to launch. I tried making a special exclusion, but that has not worked. Looking at the event log has not helped either, because if I make exceptions for the blocked events then AG goes on to block something else. I then make the entire profile folder an exception with read/write access, and it goes on to block something else. The only way to get around this so far is to disable AG each time I need to launch Tor Browser, and then enable AG after the browser has launched. AG will block some write attempts when you shut down Tor Browser, and I think this could be causing Tor Browser to become corrupt. I say this because after the blocked write attempts it appears to only make 1 hop before exiting through an exit node when I use the browser again.

    I'm running Tor Browser from Program Files (x86). Could someone else give it a try? I'm using Windows 7 x64 Ultimate. I'm guarding firefox.exe and plugin-container.exe; they are at the following path: C:\Program Files (x86)\Tor Browser\Browser. So far the only way I can get Tor Browser to launch is by disabling AG.
     
  4. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,814
    Location:
    .
    I run Tor from D:\Documents\Tor browser
    User space tab:
    D:\Documents\Tor browser > Include: No

    Guarded apps tab:
    Tor Browser > Privacy On MemWrite On MemRead On
    So far, no issues.
     
  5. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,718
    Location:
    Gaia
    Just found this on malwaretips....
    hxxp://malwaretips.com/threads/appguard-bypass.41482/
     
  6. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    If you don't add Tor Browser to the guarded apps list, and also don't include it as part of the user-space then AG is not providing much protection for Tor Browser. I would like to find another way.
     
  7. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I have not used XP in a long time. What is the path of the user profile? For Windows 7 it is C:\users\currentuser. In the video I did not see that path included in the user-space. The video shows C:\documents and settings\all users\application data and C:\documents and settings\x. Does that include the entire user profile on Windows XP?
     
  8. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,814
    Location:
    .
    I forgot to mention I run it under Sandboxie supervision, with its own dedicated sandbox.
     
  9. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Oh, ok. I don't use Sandboxie so I'm still in the same predicament.
     
  10. FleischmannTV

    FleischmannTV Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,093
    Location:
    Germany
    In the past I've had one app that would only work guarded inside Sandboxie and not outside of it. Reason for that was that registry and disk activity was redirected to the sandbox and therefore not blocked by AppGuard.
     
  11. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    My problem is described in post 2703.
     
  12. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,873
    Location:
    Outer space
    I'm also having problems running Tor Browser from Program Files Guarded, but I'm currently running Tor Browser Guarded from a Private folder in User Space, works fine ;)
     
  13. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,207
    I have never used a Tor Browser thing. From a tray icon a guarded browser is able to be suspended from Privacy mode or from the Guarded Execution. But I am not sure, when using some virtualization techniques like Sandboxie or like the link Siketa posted about that 'pass' that tester was using, if and when the browser is actually guarded.

    I have the browser sandbox with the include flag Yes in the user space tab.
    When I have my browser forced to run in a sandbox, it becomes able to be suspended and yes it is guarded, after double clicking the desktop browser icon.

    But if I instead right click a browser icon and say run sandboxed into that sandbox, it won't be able to be suspended. So it remains a question for me if the sandboxed browser then is actually guarded by AppGuard.
     
    Last edited: Jan 30, 2015
  14. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    A sandboxed browser is protected by AppGuard. Simple test:

    I have an IE sandbox, and one of the permitted apps is Leaktest.exe. I use this for testing purposes. So I run it from the desktop and AppGuard blocks it. Then I open IE sandboxed, and use the file open function to open and run Leaktest. AppGuard still blocks it. Ergo AppGuard still works with sandboxed processes.

    Pete
     
  15. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,814
    Location:
    .
    This is true and I thought common knowledge in here. Look:
    01/30/15 08:41:33 Prevented process <Google Chrome> from writing to <c:\program files (x86)\google\chrome\application\debug.log>.
    01/30/15 08:39:36 Prevented process <Google Chrome> from writing to <c:\program files (x86)\google\chrome\application\debug.log>.
    01/30/15 08:30:33 Prevented process <pid: 1216> from writing to <c:\windows\appcompat\programs\amcache.hve>.
    01/30/15 08:29:27 Prevented <Google Chrome> from reading memory of <Host Process for Windows Tasks>.
    01/30/15 08:29:27 Prevented process <Google Chrome> from writing to <c:\program files (x86)\google\chrome\application\debug.log>.
    01/30/15 08:28:54 Prevented process <Google Chrome> from writing to <c:\program files (x86)\google\chrome\application\debug.log>.
    01/30/15 08:28:51 Prevented process <Windows host process (Rundll32)> from writing to <c:\windows\appcompat\programs\amcache.hve>.
    01/30/15 08:27:51 Prevented process <Google Chrome> from writing to <c:\program files (x86)\google\chrome\application\debug.log>.
    01/30/15 08:27:51 Prevented <Google Chrome> from reading memory of <Host Process for Windows Tasks>.
    01/30/15 08:26:58 Prevented process <Google Chrome> from writing to <c:\program files (x86)\google\chrome\application\debug.log>.
    01/30/15 08:26:11 Protection level is set to <locked down>.
    Those are in the event log of a sandboxed Chrome.
     
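A small triage parser for event-log entries in the shape quoted above, added here as an example (it is not AppGuard's own tooling). It assumes only the three line forms visible in the post (blocked write, blocked memory read, protection level change) and runs on constructed sample lines, counting blocked actions per process and reporting the level in force.

```python
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# Constructed sample lines; their shape follows the entries quoted in the post above.
SAMPLE_LOG = [
    r"01/30/15 08:41:33 Prevented process <Google Chrome> from writing to <c:\program files (x86)\google\chrome\application\debug.log>.",
    r"01/30/15 08:30:33 Prevented process <pid: 1216> from writing to <c:\windows\appcompat\programs\amcache.hve>.",
    r"01/30/15 08:29:27 Prevented <Google Chrome> from reading memory of <Host Process for Windows Tasks>.",
    r"01/30/15 08:27:51 Prevented process <Google Chrome> from writing to <c:\program files (x86)\google\chrome\application\debug.log>.",
    r"01/30/15 08:26:11 Protection level is set to <locked down>.",
    "constructed garbage line that the parser must skip",
]

TS = r"(?P<ts>\d\d/\d\d/\d\d \d\d:\d\d:\d\d)"
PATTERNS = {
    "write":   re.compile(TS + r" Prevented process <(?P<proc>[^>]+)> from writing to <(?P<target>[^>]+)>\.$"),
    "memread": re.compile(TS + r" Prevented <(?P<proc>[^>]+)> from reading memory of <(?P<target>[^>]+)>\.$"),
    "level":   re.compile(TS + r" Protection level is set to <(?P<target>[^>]+)>\.$"),
}

@dataclass(frozen=True)
class Event:
    ts: datetime
    kind: str      # "write", "memread" or "level"
    proc: str      # blocked process (as logged, e.g. "pid: 1216"), "" for a level change
    target: str    # file path, process whose memory was read, or the new protection level

def parse_line(line: str):
    """Return an Event for a recognised entry, or None for anything else."""
    for kind, pat in PATTERNS.items():
        m = pat.match(line.strip())
        if m:
            ts = datetime.strptime(m.group("ts"), "%m/%d/%y %H:%M:%S")
            return Event(ts, kind, m.groupdict().get("proc", ""), m.group("target"))
    return None

def parse_log(lines):
    return [e for e in (parse_line(l) for l in lines) if e is not None]

def summarize(events):
    """Count blocked actions per (process, kind); level changes are not actions."""
    return Counter((e.proc, e.kind) for e in events if e.kind != "level")

def protection_level(events):
    """Level named by the newest 'level' entry, or None if none was logged."""
    levels = sorted((e for e in events if e.kind == "level"), key=lambda e: e.ts)
    return levels[-1].target if levels else None
```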
  16. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,814
    Location:
    .
  17. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I always run in lockdown. Read the thread, but it was so vague.
     
  18. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,814
    Location:
    .
    Well I can confirm the malware actually works: it can run, execute processes in Medium Level and, the worst, its payload, encryption of files.
    The interesting part of this is I didn't know a program could be run within a text file using the command processor (scary). Moreover, this test run at Malwaretips.com was a prepared scenario, but a similar attack could be performed in the wild?
     
  19. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Be sure to PM Barb_C
     
  20. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    But when you try to run this malware in Lockdown mode, it will be 100% blocked in all of its malicious actions and you will be 100% protected, that's how I understood it, right?
     
  21. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,814
    Location:
    .
    Unfortunately I am an amateur, and when I did the test it was for the sole purpose of seeing if AG could stop it in Locked Down mode, hence I didn't use a process monitor / analyzer to investigate any further.
    Let's wait for Peter2150 comments about this thing.

    @Peter2150
    You are way more connected to AG team (Barb_C) so when you decide please be sure to PM Barb_C. Thanks.
     
  22. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Still testing.
     
  23. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I want to run it from the Program Files folder, but will go back to running it from user space as a last resort. I reported this to BRN months ago, and if I remember correctly I was informed that I may have to make the entire profile folder an exception. I tried that, and it did not work either.
     
  24. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I jumped on over to malwaretips, and discussed the problem there since it was reported there. I reported it to Barb yesterday, and BRN thinks they already know what the problem is.
     
  25. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I emailed Barb about it yesterday. She said she thinks she already knows what the problem is.
     