AppGuard 4.x 32/64 Bit - Releases

Discussion in 'other anti-malware software' started by Jryder54, Oct 29, 2013.

Thread Status:
Not open for further replies.
  1. Circuit

    Circuit Registered Member

    Joined:
    Oct 7, 2014
    Posts:
    939
    Location:
    Land o fruits and nuts, and more crime.
    No help, just write the version #.
     
  2. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,809
    Location:
    .
    4.2.8.1
     
  3. Circuit

    Circuit Registered Member

    Joined:
    Oct 7, 2014
    Posts:
    939
    Location:
    Land o fruits and nuts, and more crime.
    Thanks much!
     
  4. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,809
    Location:
    .
    Welcome.
     
  5. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    All the SysWOW64.exe's I added showed the correct path in AG, but they are all gone today. I may have discovered a bug. I will make a separate post for my findings.
     
  6. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,537
    I can confirm this...
     
  7. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I added the following from the SysWOW64 folder to the guarded apps list, and they are all missing today: cmd.exe, rundll32.exe, cscript.exe, and wscript.exe. Maybe AG still protects these by design by only adding them from the System32 folder, but I'm going to check anyway. The PowerShell components I added from the System32 and SysWOW64 folders are still on the guarded apps list.
     
    Last edited: Apr 1, 2015
  8. bberkey1

    bberkey1 Registered Member

    Joined:
    Mar 23, 2013
    Posts:
    244
    Location:
    United States
    I am unable to reproduce the problem, Edgetech. I've added both paths for CMD, wscript.exe and cscript.exe, and when I reopen AppGuard they are still present. Also, when I hover over each entry, the proper path appears. Of course I'm not using the beta, so that could be the obvious difference.
     
  9. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    cmd.exe, wscript.exe, and cscript.exe from the SysWOW64 folder did not disappear right away. They shut our power off today to cut trees around the power lines. When I turned my computer back on they were all missing. I never experienced the wrong path problem reported by another user.
     
  10. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I can confirm there is definitely a bug with the guarded apps feature, or the GUI. I added cscript, wscript, cmd.exe, and rundll32 from the SysWOW64 folder to the guarded apps list again. After rebooting today they are already missing from the guarded apps list again. It's possible there is some sort of conflict with Shadow Defender. I exited Shadow Mode, and rebooted when they went missing. That could be just a coincidence though. I made them guarded apps long before entering Shadow Mode. I want to be clear on that. The only other real-time security software I'm using is Eset Smart Security. I'm using Windows 7 x64 Ultimate.

    I sent Barb another email about it. She said she is swamped, so I may not get a reply back today. I actually have to leave for the rest of the day, and will not be back until late this evening, so I informed her not to be in any hurry to respond. I think this is a bug that definitely needs to be fixed. I am really surprised more people have not reported this. I guess most AG users do not make files from the SysWOW64 folder guarded apps.
     
  11. @Barb_C To what IP address/port/protocol does the AppGuard service connect out to check for a valid license?
     
  12. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,458
    Location:
    .
    Why is Google writing to Google deemed as requiring guarding?
    Prevented process <Google Chrome> from writing to <c:\program files (x86)\google\chrome\application\41.0.2272.118\debug.log>.

    Even if this event is as per AppGuard protocol, why? Why not filter and allow innocent superfluous events?
    Surely, Google talking to Google is okay.
     
  13. bberkey1

    bberkey1 Registered Member

    Joined:
    Mar 23, 2013
    Posts:
    244
    Location:
    United States
    I constantly get
    Prevented <Malwarebytes Anti-Malware> from writing to memory of <Google Chrome>.

    over and over, but I do see a few "prevented Google from Google" as well, and even Malwarebytes from Malwarebytes.
     
  14. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    bjm, it was blocked because guarded applications are not allowed to write to Program Files folders. In order to allow that innocent event you would also have to allow possibly malicious code to write to Program Files folders. It's just the way policy restriction works. If you can think of a way to block only malicious code from writing to Program Files folders, and allow all innocent code, then I'm all ears lol
     
  15. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Is that all the information it gives if you right click on the event, and choose message info?
     
  16. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,458
    Location:
    .
    Yeah, it's easy to block malicious if everything is classified malicious. Does "Ignore future messages of this type" allow the event, or just not log the event? It's been interesting seeing so many background innocent events prevented, and yet somehow my wheels haven't fallen off.
    Sorta' like the boy who cried wolf though. When a true nefarious event is prevented, how will I know?
     
  17. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    AG operates under the mindset that web applications should be guarded, and run with limited rights. Part of that limited rights is not allowing web applications to write to protected spaces. Program Files folders, and system space like the Windows folder, are protected spaces. I think the hard part was being able to do this in a way that would not cause functionality problems for the user's applications. I remember back in the old days of AG development there were a lot of bug reports. Any type of policy restriction that goes as far as AG has taken it can cause many problems. It's really amazing how few problems users really have with AG. They figured out a way to make it work, and I know it was not easy in the beginning. "Ignore future messages of this type" does not bother the user by blinking the icon when the event is blocked in the future. I have never used that option, so I'm not sure if it still logs the event, but you won't be bothered with a blinking icon anymore :)
     
  18. bberkey1

    bberkey1 Registered Member

    Joined:
    Mar 23, 2013
    Posts:
    244
    Location:
    United States
    I notice that I installed Malwarebytes onto one of my partitions (Q); perhaps that is the reason? None of the messages cause any problems, so I was never sure if it was a concern or not.
     

  19. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Thank you for the screenshot! I think that really helped. You are running MBAM from drive/partition Q:. I think any partition other than C is always treated as user space by default, and applications in user space do not have as many privileges as those installed in the Program Files folders (the exception is if the applications are guarded; guarded applications have fewer privileges). Are you running a portable version of MBAM? If not, I think the best solution is to install MBAM to the Program Files (x86) folder. That is where my installation is on my Windows 7 x64 machine. It can be a little different depending on your OS. If you don't want to do that, then you can go to Customize/Guarded Apps, and then to Settings at the bottom of the screen. Choose Add, and then add the MBAM folder by clicking OK. Then make the folder an exception folder by giving it read and write access. Let me know if that works if you decide not to move your MBAM installation to the Program Files folders.
     
  20. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,458
    Location:
    .
    I rarely see blinking, and it's obvious why at the time. Easily sorted by dropping the protection level.
    Yes, amazing how few problems. Gotta' agree with ya'. Have you ever seen AppGuard act on a real threat? I made the exception for CryptoGuard while I'm testing HMP.A,
    and I'm not understanding why Firefox wants to write to CryptoGuard.
     
    Last edited: Apr 5, 2015
  21. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Yes, I went to a site recently that was serving malware, and AG blocked it. I have to say though, I don't find malware easily on the internet, and I surf the net a lot. It makes me wonder how some people manage to get infected so much. I have this one friend that is constantly getting infected. I told him to stay off the porn sites, but it didn't help. The website I visited recently gave me the bottom 3 prompts below. I closed the first prompt, then the second prompt, and when I closed the third prompt it attempted to execute. The AG icon started blinking right away. Disregard the names of the images. I don't think it was delivered by an exploit; I just thought maybe it was at first. I have also run some of my own tests on AG in the past on a few occasions to be a good beta tester.
     

  22. syrinx

    syrinx Registered Member

    Joined:
    Apr 7, 2014
    Posts:
    427
    Yup, just like C_E said, all partitions other than the system drive (C:\ usually) are treated as user space by default. Once again, as he said, your best bet in this case would be to install it normally into the Program Files folders. I run many portable programs from user space (other drives), but always do so by adding them to the guarded list, and none are security software. You could optionally try to add the specific path/files to 'Power Apps', which I believe would work in your situation, but honestly I didn't read over the previous entries to see if you had already tried that.

    Potentially you could also add that MBAM directory as an exclusion (read/write) but that's not a solution I'd use as it opens the directory up to other attacks that AppGuard would normally prevent.
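    To make the policy that posts 14, 17 and 22 describe concrete (guarded apps may not write to Program Files or the Windows folder on the system drive; any other partition is user space by default; memory writes into another process are a separate class of block), here is an added example that is not part of this thread or of AppGuard. It parses the two kinds of "Prevented ..." messages quoted above, classifies the target, and collapses repeated identical events into counts so that a log full of the same benign block, the "boy who cried wolf" problem from post 16, reduces to a short table. The message layout, the protected-root list and the sample log lines are assumptions constructed from the posts, not AppGuard's real rules or log format.

```python
import re
from collections import Counter
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Optional

# Assumed (constructed) layout of the two message shapes quoted in the thread;
# AppGuard's real messages may have other variants.
EVENT_RE = re.compile(
    r"Prevented (?:process )?<(?P<source>[^>]+)> from writing to "
    r"(?:memory of <(?P<target_proc>[^>]+)>|<(?P<target_path>[^>]+)>)\.?$"
)

SYSTEM_DRIVE = "c:"  # assumption: the system partition is C:
PROTECTED_ROOTS = {"program files", "program files (x86)", "windows"}


@dataclass(frozen=True)
class Event:
    source: str
    kind: str    # "file" or "memory"
    target: str
    space: str   # "protected", "user" or "process"


def classify_path(path: str) -> str:
    """Model of the thread's description: Program Files and the Windows folder
    on the system drive are protected space; everything else, including whole
    partitions other than the system drive, is user space by default."""
    p = PureWindowsPath(path.lower())
    if p.drive != SYSTEM_DRIVE:
        return "user"
    top = p.parts[1] if len(p.parts) > 1 else ""
    return "protected" if top in PROTECTED_ROOTS else "user"


def parse_event(line: str) -> Optional[Event]:
    """Return an Event for a recognised block message, None for anything else."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    if m.group("target_proc"):
        return Event(m.group("source"), "memory", m.group("target_proc"), "process")
    path = m.group("target_path")
    return Event(m.group("source"), "file", path, classify_path(path))


def summarize(lines):
    """Count identical events, so repeats collapse into one row with a count."""
    return Counter(ev for ev in map(parse_event, lines) if ev is not None)


# Constructed sample log built from the messages quoted in this thread.
SAMPLE_LOG = [
    "Prevented process <Google Chrome> from writing to "
    "<c:\\program files (x86)\\google\\chrome\\application\\41.0.2272.118\\debug.log>.",
    "Prevented <Malwarebytes Anti-Malware> from writing to memory of <Google Chrome>.",
    "Prevented <Malwarebytes Anti-Malware> from writing to memory of <Google Chrome>.",
    "Prevented <Malwarebytes Anti-Malware> from writing to memory of <Google Chrome>.",
    "not an AppGuard line",
]

if __name__ == "__main__":
    for ev, n in summarize(SAMPLE_LOG).items():
        print(f"{n:3d}x {ev.source} -> {ev.kind} write to {ev.target} [{ev.space}]")
```

    Running it shows the Chrome debug.log write landing in protected space (which is exactly why post 14 says it is blocked) and the three MBAM memory-write events folded into one row with a count of 3. The same classifier says an MBAM installed on Q: sits in user space, matching the advice in posts 19 and 22.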
     
  23. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    That's a good point. It would be best to try adding mbamservice.exe as a Power App before making it an exception folder, since it is what is being blocked from writing to the memory of Google Chrome.
     
  24. bberkey1

    bberkey1 Registered Member

    Joined:
    Mar 23, 2013
    Posts:
    244
    Location:
    United States
    Thanks for the info, everyone. I'm not sure why it installed to that partition; I was probably installing a 3rd-party program beforehand and didn't realize I was changing the path. I'll do a re-install in the near future, especially if I test out the new build. Thanks again for the insight.
     