AppGuard 4.x 32/64 Bit - Releases

Discussion in 'other anti-malware software' started by Jryder54, Oct 29, 2013.

Thread Status:
Not open for further replies.
  1. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,811
    Location:
    .
    Yes it is. Actually I have that same configuration: AG + SBIE + RAM Disk with same paths R:\Sandbox, where R = RAM Disk and R:\Sandbox is an exception folder with Read\Write permissions.
     
  2. hjlbx

    hjlbx Guest

    Thanks for your confirmation @Mister X.

    AG keeps blocking rundll32.exe (Guarded app) from writing to C:\bootsqm.dat even though I have excepted that directory with Read\Write permissions (in the Guarded Apps > Folders).

    Can't figure that one out... perhaps a bug, but then again, I might be overlooking something. You know, tweaker is blind to what is right in front of him... :D

    Do I need to use a wildcard: bootsqm.* ?

    Thanks,

    HJLBX
     
  3. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,811
    Location:
    .
    I added an exception for read/write permissions too. That block also happens to me lol
    What you can do is ignore it by using "Ignore Message" function.
     
  4. hjlbx

    hjlbx Guest

    @Mister X how much RAM does SBIE + AG + NVT ERP + WFC use on your system?

    I use everything you do except MBAE right now.

    I am configuring SSD-only system - so don't want pointless and needless writes to disk.

    Thanks,

    HJLBX
     
  5. Infected

    Infected Registered Member

    Joined:
    Feb 9, 2015
    Posts:
    1,138
    I'm using AppGuard 4.2.8.1. A lot of times when I'm using Chrome, my keyboard stops typing. Has anyone else had this problem before?
     
  6. hjlbx

    hjlbx Guest

    @Mister X

    I know you are always looking for useful, but very light and highly secure softs.

    Here... I have one for you: https://www.quarri.com/products/mypoq/

    Only works with Internet Explorer and is great with AppGuard...
    • Create account
    • Select DLP
    • Install Quarri Launcher Helper (for best results set AG to install and WFC to off, then add Quarri Launcher and Enforcer_x64.dll to AG Power Apps, then re-enable WFC)
     
  7. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,811
    Location:
    .
    From Task Manager (MB):
    AppGuard GUI Application 4.5
    AppGuard Agent Service (x64) 7.9
    Malwarebytes Anti-Exploit 2.7
    Malwarebytes Anti-Exploit 64bit tasks 0.7
    Malwarebytes Anti-Exploit Service 3.5
    NoVirusThanks EXE Radar Pro Service 7.7
    NoVirusThanks EXE Radar Pro x64 16.6
    Sandboxie Control 2.2
    Sandboxie COM Services (CryptSvc) 2.8
    Sandboxie COM Services (DCOM) 1.9
    Sandboxie COM Services (RPC) 2.9
    Windows Firewall Control 36.8
    Windows Firewall Control Service 9.3

    Total RAM in my system: 12GB
    RAMDisk img file: 2GB (SoftPerfect RAM Disk)
    Custom page file: 100MB (don't need page file as I have plenty of RAM)
    HDD: 1GB (system drive)
     
    Last edited: Sep 13, 2015
  8. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,811
    Location:
    .
    I appreciate that a lot, really, but I completely dislike IE. I have been using Chrome / Firefox for many years now.
     
  9. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    Additional drives such as R: are automatically in User Space, so there is no need to make R:\Sandbox an exception folder or to add it to User Space. Here's the definition of User Space as given in the AppGuard help file:

    "User space refers to the computer storage space that is typically accessible by non-admin Windows users. It includes the user's profile directory (which includes the My Documents folder and Desktop), removable storage devices, network shares and all non-system hard drives such as additional external and internal disk drives."
     
  10. hjlbx

    hjlbx Guest

    Hello @pegr,

    If I do not add the SBIE Sandbox directory to exception folders, then Sandboxie does not function with AppGuard.

    HJLBX
     
  11. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    That's only true if Sandboxie is running from the default location of C:\Sandbox, which is in System Space. I run Sandboxie from a RAM disk, designated as an R drive, and I haven't added R:\Sandbox as an exception folder. You don't need to make User Space folders exception folders because they already have read/write access.
     
  12. hjlbx

    hjlbx Guest

    Yes. You are absolutely correct. I figured it out...

    Thanks @pegr
     
  13. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    You're welcome.
     
  14. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    Have you added the LibreOfficePortable folder as 'Exception (Read/Write)' under Guarded Apps>Settings?
     
  15. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    3,351
    Location:
    Europe, UE citizen
    Yes, alone result.
     
  16. hjlbx

    hjlbx Guest

    Hello Guys,

    I keep getting these AG blocks during FF Nightly updates. It appears updates are applied and nothing is broken, so I have been ignoring them. Simply asking if there is anything I should be aware of...

    09/14/15 12:19:14 Prevented process <pid: 1740> from writing to <c:\program files\nightly\updated.update_in_progress.lock>.

    09/14/15 12:19:47 Prevented process <pid: 4576> from writing to <c:\program files\moz_update_in_progress.lock>.

    09/14/15 12:19:47 Prevented process <pid: 4576> from writing to <c:\program files\nightly\uninstall\uninstall.update>.

    Thanks,

    HJLBX
     
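    As an added illustration (not code from the thread or from AppGuard), here is a small Python parser for the Activity Report lines quoted above. It turns each "Prevented process ... from writing to ..." line into a record, labels the path as User Space or System Space using the help-file definition pegr quoted earlier in the thread, and groups blocked system-space writes per process so an updater's burst of lock-file writes stands out as one cluster. The user profile path and the fourth R: sample line are assumptions, not values from the thread.

```python
import re
from dataclasses import dataclass

# Sample input: the three Activity Report lines quoted above plus one constructed R: line.
SAMPLE_REPORT = r"""
09/14/15 12:19:14 Prevented process <pid: 1740> from writing to <c:\program files\nightly\updated.update_in_progress.lock>.
09/14/15 12:19:47 Prevented process <pid: 4576> from writing to <c:\program files\moz_update_in_progress.lock>.
09/14/15 12:19:47 Prevented process <pid: 4576> from writing to <c:\program files\nightly\uninstall\uninstall.update>.
09/14/15 12:20:03 Prevented process <pid: 4576> from writing to <r:\sandbox\constructed_example.tmp>.
"""
LINE_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d/\d\d \d\d:\d\d:\d\d) Prevented process <pid: (?P<pid>\d+)> "
    r"from (?P<action>\w+) to <(?P<path>[^>]+)>\.$"
)

@dataclass
class BlockEvent:
    timestamp: str
    pid: int
    action: str
    path: str
    space: str  # "user" or "system", per the help-file definition quoted in the thread

def classify_space(path, system_drive="c:", user_profile=r"c:\users\me"):
    """User Space per the AppGuard help text quoted earlier: the user's profile,
    network shares (UNC) and every non-system drive. user_profile is an assumed value."""
    p = path.lower()
    if p.startswith("\\\\") or p.startswith(user_profile.lower()) \
            or not p.startswith(system_drive.lower()):
        return "user"
    return "system"

def parse_report(text, **kw):
    """Parse Activity Report lines into BlockEvent records; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(BlockEvent(m["ts"], int(m["pid"]), m["action"], m["path"],
                                     classify_space(m["path"], **kw)))
    return events

def writes_by_pid(events):
    """Group blocked system-space writes per process so one updater's burst reads as one cluster."""
    groups = {}
    for e in events:
        if e.space == "system":
            groups.setdefault(e.pid, []).append(e.path)
    return groups
```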
  17. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Blacknight, post the blocked events from event viewer here, and I will try to help you.
     
  18. hjlbx

    hjlbx Guest

    These are the instructions I received from AppGuard Support on how to configure ?:\Sandbox in AppGuard:

    There is no conflict between AppGuard and Sandboxie, but depending on where your application is installed you may need to fine-tune your AppGuard Policy. DO NOT add Sandboxie as a Guarded Application.

    1. If Sandboxie is using a folder C:\Sandboxie or C:\Sandbox, you may need to add this as an “Exception” folder on the Guarded Apps Tab.
    2. Make sure to change the type to Read/Write.
    3. If SandBoxie or Sandbox is installed in Program Files, there is nothing else to do.
    4. If SandBoxie or Sandbox is installed in the user profile directory, you need to exclude that folder from User Space. That is done on the “User Space” tab.
    5. [If SandBoxie or Sandbox is installed in the user profile directory on a RAM Disk] for your R: drive, you will need to exclude it from your User Space as well.

    Regards,

    Amina Vohra
    AppGuard Support
     
  19. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    Hi hjlbx,

    What you've been told is only partially correct. It isn't necessary to remove a sandbox folder from AppGuard user-space protection.

    For sandboxes that are only used to sandbox untrusted applications that are already installed elsewhere in system-space, e.g. web browsers, best practice is to leave the sandbox folder in user-space OR if it is in system-space, add it to the User Space tab with the Include flag set to Yes. This is also more convenient than using Sandboxie start/run restrictions, although they can be used as well if desired, without any risk of conflict with AppGuard.

    With sandboxes used for software testing, program launches for programs installed inside the sandbox folder have to be allowed. If the folder is in user-space, one option is to permanently exclude it from AppGuard user-space protection by adding the folder to the User Space tab with the Include flag set to No. Alternatively, a temporary suspension of user-space protection when testing software inside the sandbox can be made by right-clicking the AppGuard tray icon and choosing Allow User Space Launches.

    The second option may be preferred if there is only one sandbox that is used both for web browsing and software testing. Multiple sandboxes, with separate sandbox folders for web browsing and software testing, each configured appropriately, are arguably a better option though.

    If a sandbox folder is in system-space, it will be necessary to make it an Exception folder to give write access to programs running sandboxed. Whether it should also be added to the User Space tab with the Include flag set to Yes will depend on what the sandbox is to be used for, as previously stated.

    Regards
    pegr
     
    Last edited: Sep 15, 2015
  20. BUCKAROO

    BUCKAROO Registered Member

    Joined:
    Sep 16, 2015
    Posts:
    1
    Hi, all.
    Long time lurker has a question,
    At Locked Down level, what's the difference between:

    ECHO foo>"C:\MyPrivateFolder\bar.txt"
    Access is denied.

    ECHO foo>"%USERPROFILE%\Documents\MyPrivateFolder\bar.txt"
    (succeeds)

    I do believe I made NTFS permissions explicitly identical save for disabled inheritance (hence Explicit).

    Both folders are Included [Yes] in User Space.
    Both paths are Private (Deny Access) in Guarded Apps.
    Windows Command Processor . Privacy [Off]

    Conjecture: Hardcoded rule governing userprofile?

    At Locked Down level, files outside of USERPROFILE cannot be written by Guarded Apps when there is no added exception rule. [Folders can be created however??]

    But I'm recommending User Space files & folders should be treated as umm user's work-space as well.
    Suggestion: Add third option in column Included, something unambiguous.

    Workaround: Sequence is all important for both rules to take.

    C:\MyPrivateFolder* Private (Deny Access)
    C:\MyPrivateFolder Exception (Read/Write)
    or
    C:\MyPrivateFolder Private (Deny Access)
    C:\MyPrivateFolde* Exception (Read/Write)

    Hacky and unsupported but it seems to work currently.

    By the way, just by Googling some information [third link down from I'm feeling lucky], I was now a victim in a drive-by, infected by Crypto Locker for a whole 3 minutes (unsandboxed IE), 2 outbound connections were established and at some point Windows Defender detected "suspicious activity". I've since clean installed from boot. Nuked from orbit - the only way to be sure. AppGuard would not have let it run from LOCALAPPDATA, write itself there, yes, further execute from there, no. However, it seems to me that such a browser exploit from a Guarded App could launch an existing Windows program to further instigate its dirty deeds...

    Another question which is more bringing it to one's & all's attention rhetoric than expectation for an answer: Any plans to protect drives sectors/private files being read from/by standard $handle or APIs, umm defragmentation APIs ? - I don't know I haven't done the research... yet - I know it's already too late if x program is Elevated, but not necessarily with AppGuard - can't install drivers in Locked Down, right.
     
  21. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    3,351
    Location:
    Europe, UE citizen
    Cutting_Edgetech, thank you for your help, but yesterday I installed Libre Office in my system, so problem...solved.
     
  22. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    I realise the below may be slightly OT to Appguard and maybe belongs in the Quarri MyPOQ thread, except for AG settings.
    Had installed MyPOQ and Quarri Launcher previously with a view to trying it for banking only but was not sure if it was working properly. @hjlbx: It appeared to me from the FAQs you could launch it from any browser, but in the case of FF it does not find the launcher even when installed, but one can start a Secure Browser (in a new window, or tab in my case). It did start the Secure Browser in IE without problems in a new tab. I only set c:/programdata/quarriagent_tmp folder, which includes the Quarri Launcher installer, as Include=No in User Space. (Edit: Also set Quarri as a Trusted Publisher). My questions are: Is the rest of that browser session in IE or FF then secured - there is no real indication in that tab? I did ask support - no answer but it is a freebie after all. I may give it another go with your settings in AG to see what happens, though so far I have not had to put anything in Power Apps ...
     
    Last edited: Sep 18, 2015
  23. hjlbx

    hjlbx Guest

    @Barb_C

    I am having a really difficult time getting AppGuard and Quarri MyPOQ to work together. If you are not familiar with Quarri it is an Enterprise browser security solution - essentially an armored browser that is remotely hosted as a virtual session.

    I have tried everything suggested:

    1. Added Quarri to the Trusted Publisher's list
    2. Excluded the Quarri temp directory from User Space (allowed User Space launches for the directory)
    3. Added Quarri executables to the Power Applications list
    4. Added the Quarri temp directory to the excepted folders list

    Nothing I can think of is working.

    Best Regards,

    HJLBX
     
  24. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    @hjlbx: Did you ever get any further with this? Quarri support did respond and it seems the Quarri secure browser (with border as visual indicator that it is secured) can be launched from IE or non-IE browsers, but this doesn't happen for me, although I do get the tab 'Secure browser started' ... we both have AppGuard so it may well be that, though I don't see a message in the Activity Report now (do you?); my reply to Quarri included a link to your post - hopefully BRN have a response if AppGuard is blocking MyPOQ.
     
  25. hjlbx

    hjlbx Guest

    @paulderdash

    Even adding all these Quarri MyPOQ objects into AppGuard, once MyPOQ breaks it will not function even if AG is disabled:

    1. Excluded Quarri .tmp folder from User Space
    2. Added Quarri to Trusted Publisher's list
    3. Made Quarri .tmp folder an Exclusion (read\write) folder on Guarded Apps tab
    4. Added Quarri Helper.exe and Enforcer_x64.exe to Power Apps list

    I am not sure what exactly is happening. Perhaps I will send info to Quarri Support, which in my experience is very good. However, I suspect they will say it is an AppGuard issue...
     
    Last edited by a moderator: Sep 20, 2015