AppGuard 4.x 32/64 Bit - Releases

Discussion in 'other anti-malware software' started by Jryder54, Oct 29, 2013.

Thread Status:
Not open for further replies.
  1. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I upgraded from AG 4.2.6.1 to 4.2.8.1, and the link to ignore the toaster prompt appears as an actual link in this build. The pointer changes to a hand when hovering over it with the mouse. The prior build gave no feedback when hovering the pointer over the link. I guess we should be good now.
     
  2. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,457
    Location:
    .
    So, I've added HMPA to Power App ... I'll post back progress.... Thanks
    So, we have a divergence with #4324 as the workaround for Prevented process <Firefox> from writing to <c:\windows\cryptoguard\bcd6a129>
    EDIT: still getting Prevented process <Firefox> from writing to <c:\windows\cryptoguard\69111029>.
    So, maybe I need 4.2 beta
     
    Last edited: Mar 7, 2015
  3. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Actually I added HMPA to the guarded app list, set up the HMPA, added the cryptolocker folder under settings and also added it to the user tab set to no. Working fine.
     
  4. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    It's redundant to exclude the CryptoGuard folder from the user-space definition by adding it to the User Space tab and setting the Include flag to No, because the folder is in system-space to start with.

    The point of adding the folder to the User Space tab and setting the Include flag to Yes in this situation is to apply user-space launch protection to the folder having made it writeable.

    As the CryptoGuard folder only contains data and not executables, applying user-space launch protection tightens security without the associated risk of AppGuard blocking an HMPA executable from running.
     
  5. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    Making HMPA a power app won't solve your issue because AppGuard is perceiving that it is Firefox that is writing to the folder, and not HMPA.

    You did add just c:\windows\cryptoguard as an exception folder and not c:\windows\cryptoguard\bcd6a129 didn't you? All sub-folders inherit the same permissions as the parent folder, so making a parent folder an exception folder will apply to all sub-folders within it.

    If you added c:\windows\cryptoguard\bcd6a129 as an exception folder then the exception won't apply to any other sub-folders of c:\windows\cryptoguard that get created: e.g. c:\windows\cryptoguard\69111029.

    Just checking . . .
     
  6. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,457
    Location:
    .
    Hello pegr ~ BTW Thanks for your continued interest !

    I made HMPA a power app because of #2925 but, that didn't work for me. So, I removed HMPA as power app.

    I added c:\windows\cryptoguard as an exception folder but, that didn't work for me. I started getting c:\windows\cryptoguard\69111029 instead of c:\windows\cryptoguard\bcd6a129. So, I removed c:\windows\cryptoguard as an exception folder.
    Now, AG is back to reporting Prevented process <Firefox> from writing to <c:\windows\cryptoguard\bcd6a129>.

    Now, AG criteria seems to object to Firefox writing to my default sandbox
    Prevented process <Firefox> from writing to <c:\sandbox\bjms\defaultbox\user\current\appdata\local\mozilla\firefox\profiles\br0fgu8r.default\cache2\entries\56601c74b0aa0da7d473ab8b20048174789b9ec6>.

    Confused ? AG 4.1.45.1
     
  7. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    From your description of the problem and the things you've tried, I don't know what is going on either. I've never seen AppGuard block writing to a folder listed as an exception folder, or to a sub-folder within an exception folder.

    It sounds as though AppGuard may not be working correctly on your system. I wonder at this point whether it would be worth resetting AppGuard back to default settings in case the policy files have become corrupted. If you do this, you will lose all of your customisations and exclusions, and will need to reapply them. (The option to "Restore all settings to default" is on the Advanced tab.)

    If this doesn't resolve the issue, the next thing to try would be to completely uninstall and reinstall AppGuard. If the problem with AppGuard not working correctly still persists, I would suggest sending an email to AppGuard Support requesting assistance.

    I don't know whether anybody else has got any ideas as to other things you could try first. It might also be worth posting a screenshot of your Guarded Apps Settings folder list.
     
  8. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Good point. Change made last night. I plead tired.:)

    Thanks,

    Pete
     
  9. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,457
    Location:
    .
    [Attachment: Add Folder.JPG - screenshot of Guarded Apps Settings folder list]
    [Attachment: Guarded Apps.JPG] Firefox Sandboxie > Prevented process <Firefox> from writing to <c:\windows\cryptoguard\54afe765>. Curious what the alphanumeric points to...and note the alphanumeric changes with workaround iterations.
    fwiw ~ W8.1.x 64 w EXE Radar Pro / Driver Radar Pro / VoodooShield / HMPA / NIS
     
    Last edited: Mar 8, 2015
  10. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I did not know if that would resolve your issue of FF being blocked from writing to cryptoguard folder. You asked what settings I use with AG, and HMPA. Those are the settings I use, but I did not use those settings to fix the FF Cryptoguard folder issue you reported. Those are the settings I have always used since I started using HMPA. I used to get the same activity log events as you a while back. I'm not sure why it stopped. Maybe you are right. Maybe you should upgrade to the latest beta, and see if that resolves the issue. I have one question though. If you disable the Cryptoguard feature in HMPA do you still get those events of FF being blocked from writing to the Cryptoguard folder?
     
  11. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I just saw your screenshot above. I did not know you use sandboxie. Do you also get those blocked events of FF being blocked from writing to the cryptoguard folder when you run FF unsandboxed?
     
  12. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,457
    Location:
    .
    Yes, blocked events with / without SBoxie...only the alphanumeric is different. I disabled Cryptoguard. Will post progress. Thanks.
     
  13. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,457
    Location:
    .
    Thanks...do you have any idea what Firefox writes to Cryptoguard? Presumably, wo AG, Firefox would still write to Cryptoguard. Is AG blocking normal safe communication between Firefox and HMPA?
     
  14. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I don't know why FF needs to write to Cryptoguard folder. The communication being blocked is probably safe, but making a rule to allow it might not be that safe. I don't like the idea of allowing a web application to write to the system space. I don't have HMPA installed right now. I just spent a couple weeks testing HMPA, and I'm testing some other software now.
     
  15. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,457
    Location:
    .
    Guess, I'll have to choose AG or Cryptoguard. Thanks...
     
  16. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Do you mean AG, or HMPA? Those blocked events may not be causing any harm. Did you ask the developer if that would impair HMPA from protecting against crypto-malware?
     
  17. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    Personally, if I had to choose, I'd choose AppGuard for a number of reasons.

    First, if you are sandboxing the browser with Sandboxie, ransomware won't be able to touch any files outside of the sandbox.

    Second, even if not using Sandboxie, providing the folders where your personal data is held are defined as private folders within AppGuard, the browser will have no access to them so long as it is running in privacy mode. The system will be protected because AppGuard will prevent any attempt by a guarded app to write to system space.

    Third, Cryptoguard only protects against one kind of attack whereas AppGuard is broad-based in its protection.
     
  18. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I am not choosing between one or the other, but I am not opening that hole in appguard. I have always felt safe with Appguard and Sandboxie, so if a part of the HMPA crypto protection is weakened it's not a big deal.
     
  19. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,807
    Location:
    .
    Feedback:
    Well, after 2 weeks testing AG 4.2.8.1 and besides the "AppGuard stopped <1> suspicious activity while active" event, everything seems to be fine and stable in my environment: Win8.1.3 x64/x86
     
  20. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,457
    Location:
    .
    all I can write with some small certainty based upon what I try to understand is that wo the exception FF is prevented from writing to the cryptoguard folder and wo cryptoguard files I'll have no roll backs if infected with crypto type malware ... so, heck IDK what to do ?

    How do I know if AG is blocking a legitimate operation?

    03/09/15 16:39:36 Prevented <Google Chrome (Norton Identity Safe native host)> from writing to <\registry\machine\software\wow6432node\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\common client\ccipc\endpoints>.
    03/09/15 16:39:03 Prevented <Google Chrome> from writing to <\registry\machine\software\wow6432node\google\update\clientstatemedium\{4dc8b4ca-1bda-483e-b5fa-d3c12e15b62d}>.
    03/09/15 16:39:03 Prevented <Google Chrome> from writing to <\registry\machine\software\wow6432node\google\update\clientstatemedium\{8a69d345-d564-463c-aff1-a69d9e530f96}\_numaccounts>.
    03/09/15 16:39:03 Prevented process <Google Chrome> from writing to <c:\program files (x86)\google\chrome\application\41.0.2272.76\debug.log>.
     
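Triage logic for activity-log lines of the shape quoted above, as an added example that is not from the thread or from AppGuard itself: it parses the `Prevented ... from writing to <...>` entries, labels each target in the thread's own terms (system space, Sandboxie container, HKLM), and counts recurring process/parent-folder pairs so the rotating CryptoGuard sub-folder names collapse into one entry. The sample log text inside it is constructed from the thread's own examples.

```python
import re
from collections import Counter

# Constructed sample shaped like the AppGuard activity log lines quoted in the
# thread (registry targets omit the word "process", file targets include it).
SAMPLE_LOG = r"""
03/09/15 16:39:03 Prevented <Google Chrome> from writing to <\registry\machine\software\wow6432node\google\update\clientstatemedium\{4dc8b4ca-1bda-483e-b5fa-d3c12e15b62d}>.
03/09/15 16:39:03 Prevented process <Google Chrome> from writing to <c:\program files (x86)\google\chrome\application\41.0.2272.76\debug.log>.
03/08/15 10:12:01 Prevented process <Firefox> from writing to <c:\windows\cryptoguard\bcd6a129>.
03/08/15 10:15:44 Prevented process <Firefox> from writing to <c:\windows\cryptoguard\69111029>.
"""

# One event per line; the process name and the target sit in angle brackets.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d/\d\d \d\d:\d\d:\d\d) Prevented (?:process )?"
    r"<(?P<proc>[^<>]+)> from writing to <(?P<target>[^<>]+)>\.$"
)


def classify(target: str) -> str:
    """Label the target in the thread's terms (system space, Sandboxie container, HKLM)."""
    t = target.lower()
    if t.startswith(r"\registry\machine"):
        return "registry (HKLM)"
    if t.startswith(r"\registry"):
        return "registry (other hive)"
    if t.startswith((r"c:\windows", r"c:\program files")):
        return "file (system space)"
    if t.startswith(r"c:\sandbox"):
        return "file (Sandboxie container)"
    return "file (other)"


def parse_events(log_text: str) -> list[dict]:
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank line or not an AppGuard "Prevented" entry
        ev = m.groupdict()
        ev["category"] = classify(ev["target"])
        # Parent folder/key: rotating CryptoGuard sub-folders collapse onto c:\windows\cryptoguard.
        ev["parent"] = ev["target"].rsplit("\\", 1)[0].lower()
        events.append(ev)
    return events


def recurring_blocks(events: list[dict]) -> Counter:
    """Count (process, parent) pairs; a repeat in the same place needs a policy decision, not a one-off."""
    return Counter((ev["proc"], ev["parent"]) for ev in events)
```

Feed it the contents of the AppGuard activity log to see which blocked writes keep recurring against the same folder or key, which is the question the thread is circling.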
  21. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,457
    Location:
    .
    afaik ~ I need cryptoguard files to have roll backs in a cryptolock event... having cryptoguard enabled within HMPA while AG is preventing FF writing to the cryptoguard folder ...then I won't have cryptoguard roll back files... IDK ... seems, there is an irreconcilable conflict... that is over my pay grade.
    Truly, appreciate all comments and replies !
     
    Last edited: Mar 9, 2015
  22. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Set up properly Appguard will protect you from crypto stuff. So will Sandboxie.
     
  23. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,457
    Location:
    .
    Yeah, setup properly .... the devil in the details. So, if I set AG back to default then FF will be blocked from writing to cryptoguard folder.
     
  24. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    HitmanPro.Alert Support and Discussion Thread
    Although you posted this in the HMPA thread, I'll answer here to avoid taking the HMPA thread off topic.

    The myprivatefolder folder that AppGuard creates on installation is simply there to illustrate the use of the Private Folders feature. Any personal data placed in the myprivatefolder will automatically be denied read access to all guarded apps running in privacy mode. It has nothing to do with CryptoGuard.

    Note there are two aspects to using the feature: Private Folders and Privacy Mode.

    Private Folders: All folders containing personal data to be protected against unauthorised access should be listed as Private Folders in the Settings section of the Guarded Apps tab. You can add any folder where your personal data is held and make it a Private Folder. You don't have to use myprivatefolder - it's just an example.

    Privacy Mode: The Private Folders setting only applies to guarded apps running in Privacy Mode. By default, all browsers listed in the Guarded Apps tab, and all apps running guarded from user-space, run in Privacy Mode. You can extend this to other guarded apps listed in the Guarded Apps tab by setting the Privacy flag to On for each guarded app you want to run in Privacy Mode.

    Now let's talk about CryptoGuard.

    In order to get rollback data permanently saved into the CryptoGuard folder when using Sandboxie and AppGuard, there are two things you must do. The CryptoGuard folder must be listed as a direct access folder within Sandboxie and as an exception folder with AppGuard. You have to get both of these features to work or it won't be possible to save the rollback data when using these two programs.

    Assuming you are able to get this working, there are a couple of optional things you could consider in order to further tighten security. The first is to apply AppGuard launch restrictions by including the CryptoGuard folder in the User Space tab with the Include flag set to Yes. The second is to list the folder as a forced folder within Sandboxie so if anything does manage to run from there, it is forced to run sandboxed.

    Having answered the questions you asked about how to get data permanently saved into the CryptoGuard folder when using Sandboxie and AppGuard, you should now consider whether this is a wise thing to do when using Sandboxie. As has already been said, both Sandboxie and AppGuard (if the Private Folders feature is used) protect against CryptoLocker.

    The point being that virtualization and snapshot/rollback techniques don't always work well together.

    Because Sandboxie is virtualizing the changes to the file system that CryptoGuard is tracking, if the CryptoGuard folder is given direct access within Sandboxie, what would happen during a CryptoGuard rollback could become unpredictable for the following reason.

    If CryptoGuard is aware that the encrypted files were sandboxed, it may try to reverse file system changes inside the sandbox that no longer exist after the sandbox is emptied. If CryptoGuard is not aware that the encrypted files were sandboxed, it may attempt to apply a reversal against the real file system that was never touched in the first place due to sandboxing. Either way, an attempted CryptoGuard rollback under these conditions could be a recipe for trouble due to an inconsistency between the tracking control files and the state of the file system.

    As you are using both Sandboxie and AppGuard, I would be inclined to forget about CryptoGuard; or at the very least, don't exclude the CryptoGuard folder from sandboxing, so that all related file system changes and tracking remain inside the sandbox during browsing. That way, emptying the sandbox will always leave the file system in a clean state.

    Just something to think about . . .
     
  25. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,807
    Location:
    .
    Magnificent explanation pegr! As usual...
     