AppGuard 4.x 32/64 Bit - Releases

Discussion in 'other anti-malware software' started by Jryder54, Oct 29, 2013.

Thread Status:
Not open for further replies.
  1. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,796
    Location:
    .
    Thanks CE, I agree with you. Could you open that thread for us? I'd appreciate it a lot if you did it and maintained it.
     
  2. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I will do that sometime today.
     
  3. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,796
    Location:
    .
    Thank you...
    btw I hate to spam the forums just to thank someone but no thanks/likes system in here so far.
     
  4. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
  5. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    On the Java thing, I don't have it on my system, but when I did there were 3 Java apps I always guarded.

    On the syswow64 thing that is interesting. I got the same results. I wonder if although size and hashes are different the files are essentially the same. I don't think I've ever seen anything but the system32 version every run.
     
  6. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I'm pretty sure some malware runs cmd.exe from the SysWOW64 folder instead of the System32 folder. I think the same can be done with the other executables I listed. I will try to find malware that does this, but I can't make any promises. Using real samples is the best way to test.
     
  7. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
  8. hjlbx

    hjlbx Guest

    I am trying to obtain a definitive answer regarding this matter.

    The calls to the interpreters in SysWOW64 directory may point to System32 in some cases.

    I do know that the interpreters, for example cmd.exe, are not always identical; on my system System32\cmd.exe is 349 KB whereas SysWOW64\cmd.exe is 308 KB. I haven't explored the differences any further than that rudimentary inspection.

    My initial suggestions to guard both directories may be unnecessary... so I am trying to get the issue clarified and settled.

    Best Regards,

    HJLBX
     
    Last edited by a moderator: Apr 19, 2015
  9. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I'm hoping BRN has already been looking into it, but I thought I would have heard something back by now. Barb is on vacation now so I doubt we will hear anything until she gets back.
     
  10. stackz

    stackz Registered Member

    Joined:
    Dec 27, 2007
    Posts:
    646
    Location:
    Sydney Australia
    These SysWOW64/System32 queries have all been previously addressed dating as far back as the first v3 beta.
    Even though the file path may be listed as System32, both the System32 and SysWOW64 directories are covered.
    e.g. Guarding System32\cmd.exe will also guard SysWOW64\cmd.exe

    The same also applies for Program Files and Program Files (x86).
    e.g. If you select a program that resides in Program Files (x86) as a PowerApp, after a reboot, it will be listed as residing in Program Files,
    but will most definitely be handled as a PowerApp.
     
  11. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,868
    Location:
    Outer space
  12. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Thank you Stackz and BoerenkoolMetWorst! I tried saving Notepad to the Program Files Folder when running it from the SysWOW64 Folder, and AG blocked it from writing to the Program Files Folder. I will try to figure out a way to test some of the others. It would still be nice to find some malware that runs using cscript, wscript, etc. from the SysWOW64 Folder.
     
  13. syrinx

    syrinx Registered Member

    Joined:
    Apr 7, 2014
    Posts:
    427
    Mister X raised a question in the "AppGuard Guarded Apps Project". In an effort to keep that one on topic I decided to move my response to this thread.

    AppGuard makes heavy use of paths for its restriction / guard policies that I can't see being pulled off with just file names. Particularly in locked down mode (which I prefer).

    I suppose if AppGuard were to optionally add the file names instead and store a copy of that exe's digital signature information in a fashion similar to the current publishers list something might be doable there (if both are checked and the signature is valid- eg not broken or untrusted) for a majority of cases.

    Example:
    Code:
    <C_BRN_APP>
      <eFolder>0</eFolder>
      <bUser>true</bUser>
      <bSuppressAlarms>false</bSuppressAlarms>
      <bDisabled>false</bDisabled>
      <bPrivacyMode>false</bPrivacyMode>
      <bMemoryGuard>true</bMemoryGuard>
      <bMemoryRead>true</bMemoryRead>
    
      <tcAppName>wow-64.exe</tcAppName>
      <tcOrganization>Blizzard Entertainment, Inc.</tcOrganization>
      <tcLocation>Irvine</tcLocation>
      <tcState>California</tcState>
      <tcCountry>US</tcCountry>
    
      <dwSecLevel>1</dwSecLevel>
    </C_BRN_APP>
    
    Currently it's possible to get something similar to this using just the publishers list though that only works in medium mode.

    But how to handle apps that aren't signed, do they revert to just the path rules again? /shrug

    I doubt this would be an easy change to implement even if there aren't other issues I haven't thought of yet...which I'm sure there are more
     
    Last edited: Apr 21, 2015
  14. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I think I remember Barb informing me that AG uses some sort of mapping in several other posts. I just forget what she called it.
     
  15. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,796
    Location:
    .
    These path rules are a bit impractical. For example we have Java stuff which is all located in C:\Program Files (x86)\Java\jre1.8.0_45
    But in the near future the jre1.8.0_45 folder name is going to change, and then we need to add this new path, of course, if you don't forget to do so.
     
  16. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,537
    I added the Opera browser, and AppGuard automatically adds a new entry when a new Opera version is installed...
     
  17. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,796
    Location:
    .
    I'm pretty sure it is due to the path which never has changed, neither the exe name nor the main folder and sub-folders. Why don't you try java and see?
     
  18. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,537
    The path is different, and I have these entries in AppGuard:

    C:\Program Files (x86)\Opera\28.0.1750.48\opera.exe
    C:\Program Files (x86)\Opera\28.0.1750.51_1\opera.exe

    I'm just talking about this case.
     
  19. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    There is no way AppGuard can work without the path, as how does it know whether it is system space or user space.
     
  20. syrinx

    syrinx Registered Member

    Joined:
    Apr 7, 2014
    Posts:
    427
    I don't think anyone (at least I wasn't) was suggesting getting rid of the paths altogether. The current setup of defining user and system space wouldn't be affected but perhaps my example/suggestion didn't make that clear. If it's in system space and not on the list (by name) nothing would change. If it's in user space and matches a (1) filename (or system space and the name has been added; in this case I don't expect the fact it normally exists in system space matters much, the user just wants it to be launched as 'guarded'), they'd simply need to check that the (2) signature matches the info stored in the xml at the time that app was added and (3) is valid. This would allow for broader 'cross version/install path' rules and less hassle. Not that different from how the publishers list is used except that it could be applied (with specific file names/sigs/verification) to locked down mode as well and results in much less hassle for the user. In addition those apps that aren't quite 'normal' with install conventions could still remain guarded without manual intervention. Obviously apps without a signature would have to use the current path setup, so at first at least it should be added as an *optional*/*experimental* selection when guarding an app (this of course assumes it ever happens...)

    Does it carry other potential security issues? Maybe, but if so I haven't yet thought of them. Feel free to blast me away with a scenario where those three checks aren't enough, I certainly don't want to support a change that makes AppGuard less secure. [THIS GOES FOR ANYONE, PLEASE SPEAK UP!]


    Heck I expect adding this option (and the checks mentioned above) for only those apps existing in system space (eg program files/ (x86) / windows, etc) would solve many user annoyances (issues?). Retaining the standard path rules for user space would likely mitigate any potential issues I'm as of yet unaware of. This would allow for a broader 'guarding' of installed apps that might change paths across versions but maintain the current level of strictness for other areas in user space such as 'program data /temp /etc'. Just a new thought and to be honest I love this idea more as so far as I understand, it 'guards' recognized files regardless of where they reside in the 'System Space' as long as they match the name, sig, and are validated. Currently they can run without assurance of being guarded without manual intervention between versions. This change would help ensure they are guarded between versions, but depending on how it was implemented, it could potentially be used for User Space Apps as well. (Back to the questionable areas here, feedback anyone? ~ how would using this be a risk for user space apps?)

    Those 'System Space' apps aren't normally guarded anyway so allowing broader rules and enhancing the method in which such (user defined|system space) apps are detected and guarded can only help. Any User Space app cannot modify the 'System' with appguard in place by default.

    In fact I expect this is more what Mr. X had in mind when he originally made the suggestion but I just now realized and put into words that were *hopefully* understandable. (after a bit of drunken thought / many edits and headaches ; oh lord the pain, how dare you make me think Mr X!) =) [that goes double for you peter. The sbie icons still stinks...IMO anyway... :p] /hug
     
    Last edited: Apr 22, 2015
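    The three checks syrinx lays out above (1: the file name is on the list; 2: the signer information equals what was stored in the XML entry when the app was added; 3: the signature is currently valid), written out as an added PowerShell example. This is illustrative code, not AppGuard's implementation; the <C_BRN_APP> fragment is constructed in the layout of the example from post 13, the function names are assumed, and Get-AuthenticodeSignature plus the certificate's SubjectName are standard Windows PowerShell/.NET APIs. It also covers the two cases the posts raise: an unsigned file (falls back to the path rule) and a file with the right name but a different signer (not matched).

```powershell
# Added example; not AppGuard code. Implements the name + signer + validity
# checks from the post above against a stored entry.
# Constructed entry in the layout of the <C_BRN_APP> example from post 13.
$storedEntryXml = @'
<C_BRN_APP>
  <tcAppName>wow-64.exe</tcAppName>
  <tcOrganization>Blizzard Entertainment, Inc.</tcOrganization>
  <tcLocation>Irvine</tcLocation>
  <tcState>California</tcState>
  <tcCountry>US</tcCountry>
</C_BRN_APP>
'@

function Get-SubjectFields {
    # Splits a certificate subject into RDN fields (CN, O, L, S, C, ...).
    # Format($true) emits one RDN per line, so commas inside values such as
    # "Blizzard Entertainment, Inc." do not break the parsing.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $fields = @{}
    foreach ($line in ($Cert.SubjectName.Format($true) -split "`r?`n")) {
        if ($line -match '^\s*([A-Z]+)=(.*)$') { $fields[$Matches[1]] = $Matches[2].Trim() }
    }
    return $fields
}

function Test-GuardedAppMatch {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][xml]$StoredEntry
    )
    $app    = $StoredEntry.C_BRN_APP
    $result = [ordered]@{
        Path = $Path; NameMatch = $false; SignatureValid = $false; SignerMatch = $false
        Decision = 'no match: path rules apply'
    }

    # (1) file name must be on the list
    $result.NameMatch = ([IO.Path]::GetFileName($Path) -ieq $app.tcAppName)
    if (-not $result.NameMatch) { return [pscustomobject]$result }

    # (3) the Authenticode signature must verify: unmodified file, trusted chain.
    # Unsigned files (Status NotSigned) stop here and keep the existing path rule.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result.SignatureValid = ($sig.Status -eq 'Valid')
    if (-not $result.SignatureValid) { return [pscustomobject]$result }

    # (2) the signer must be the one recorded when the app was added; a valid
    # signature from some other publisher on a same-named file is not a match.
    $f = Get-SubjectFields -Cert $sig.SignerCertificate
    $result.SignerMatch = ($f['O'] -eq $app.tcOrganization -and $f['L'] -eq $app.tcLocation -and
                           $f['S'] -eq $app.tcState        -and $f['C'] -eq $app.tcCountry)
    $result.Decision = if ($result.SignerMatch) { 'guard by name + signature' }
                       else { 'no match: signer differs, path rules apply' }
    return [pscustomobject]$result
}

# Usage (path is a placeholder; point it at any signed executable):
# Test-GuardedAppMatch -Path 'C:\Program Files (x86)\World of Warcraft\wow-64.exe' -StoredEntry ([xml]$storedEntryXml)
```

Two design points worth stating explicitly. The validity check alone proves only that some trusted publisher signed the file, which is why the signer comparison in step 2 is what ties the rule to the app; and pinning the subject fields (as the publishers list does) survives the publisher's routine certificate renewals, whereas pinning the leaf thumbprint would be tighter but would break the rule on every renewal, much as a path rule breaks on every versioned folder name.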
  21. meatouph

    meatouph Guest

    I have a feeling that AppGuard is incompatible with Bitdefender. I have had a weird issue. Bitdefender Internet Security processes constantly use 100% of one of the CPU cores. This occurs only if the OS has been running for around 48 hours. Repairing BIS 2015 or reinstalling did not help. I had to uninstall AppGuard first, then reinstall BIS.
     
  22. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    @syrinx

    ROFL. Hey, you want a real brain burner? I just had to upgrade my Rhapsody music player. It uses Microsoft's ClickOnce installer, which installs the complete app in AppData (user space), and the icon that launches it launches via Rundll32.exe. It's an Oh Joy experience.
     
  23. FleischmannTV

    FleischmannTV Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,094
    Location:
    Germany
    Unorthodox application behavior like this is the reason I've stopped using AppGuard. The product needs hash based process whitelisting and command line whitelisting. The present methods for adding exclusions are either too complicated (in the sense of exhausting, not intellectually) or pose a security risk.
     
  24. Infected

    Infected Registered Member

    Joined:
    Feb 9, 2015
    Posts:
    1,134
    If I ran AppGuard, would this be all the protection that I'd need?
     
  25. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,718
    Location:
    Gaia
    No. Add an antivirus.
     