AppGuard 4.x 32/64 Bit - Releases

Discussion in 'other anti-malware software' started by Jryder54, Oct 29, 2013.

Thread Status:
Not open for further replies.
  1. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,639
    Location:
    Under a bushel ...
    Hi @pegr (now that you are back!) ... the post you are replying to started in conversation round about post #3609, but which I will try to redefine here. I still consider myself a newbie with AG so would appreciate your input.
    I run a number of portable app suites e.g. c:\portableapps, c:\gegeek_toolkit, c:\liberkey, each of which contains many apps, etc., some of which are internet-facing e.g. browsers, pdf readers, and most just utilities.
    The creators of these suites generally require these to be set up in the root folder (as above), so placing these suites under Program Files (System Space) is not really an option.
    A.) In the case of c:\portableapps, which has a limited no. of internet-facing apps, I have added these .exe files as Guarded Apps, and as read/write exceptions in order for the utility suite to update successfully, but not taken any action under User Space.
    B.) In the case of c:\gegeek_toolkit which contains hundreds of portable utilities, I have added the whole folder under User Space as Include=Yes (I assume marking a folder in User Space as Include = Yes is equivalent to guarding everything in that folder? This may be overzealous, but just simpler ...), not set any .exe files as Guarded Apps (too many!), but also set a read/write exception for the whole folder, under the Guarded Apps tab (again to facilitate updating - I think before I did this, the updates did not work, even when setting AG to Install Mode).
    I wonder if you have any comment on these configurations for my portable apps suites? Both are working for me (I think!), and the latter is really the only option in the case of that suite ... I would like to use that approach in both cases - do you see any shortcomings or problems with this approach?
     
  2. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,207
    I think user-made folders directly under C: are already in system space? I might be wrong though.

    EDIT:
    From the help file:
    "If additional directories are created on the C: drive they are considered to be part of System Space, but they can be designated as System Space Exceptions or added to the user space definition so they will also be protected by user space protection."

    But by default they belong to system space, same as the program files folders. So I think you did some unnecessary things for them.

    Users/username folders will of course be user space. And I understand you might have misread my post. My meaning was any folder made by a user or by an installing program under the C: "root".
     
    Last edited: Oct 23, 2015
  3. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,639
    Location:
    Under a bushel ...
    Yes - C:\users\username is pre-defined as Include=Yes in User Space, but the folders I am referring to are directly under root C:\ ...
     
  4. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    Hi paulderdash,

    Jarmo P is correct. System Space is more than just the Program Files folder. All folders on the C: drive - apart from the user profile folder of the current Windows user, which is in User Space - are in System Space.

    You are correct that including a System Space folder in the User Space definition guards everything in that folder. I'm not sure how you've managed to get this to work though unless all of the utilities within the c:\gegeek_toolkit folder are digitally signed and AppGuard is running at the Medium protection level.

    In order to run an application from a folder included in the User Space definition that is not digitally signed OR to run any application in the folder at the Locked Down protection level there are two choices: 1. Add it to the Guarded Apps list; 2. Temporarily allow User Space launches from the tray icon.
     
  5. Circuit

    Circuit Registered Member

    Joined:
    Oct 7, 2014
    Posts:
    939
    Location:
    Land o fruits and nuts, and more crime.
    I think Peter 2150 might know this problem:

    Since updating PE from 3.1 to 5 (Macrium Reflect), being hit with messages from AppGuard :

    10/23/15 14:14:50 Prevented process <api-ms-win-downlevel-version-l1-1-0.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\programdata\macrium\reflect\windows kits\8.1\assessment and deployment kit\deployment tools\amd64\dism>.

    10/23/15 14:14:50 Prevented process <api-ms-win-downlevel-shlwapi-l1-1-0.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\programdata\macrium\reflect\windows kits\8.1\assessment and deployment kit\deployment tools\amd64\dism>.

    10/23/15 14:14:50 Prevented process <api-ms-win-downlevel-ole32-l1-1-1.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\programdata\macrium\reflect\windows kits\8.1\assessment and deployment kit\deployment tools\amd64\dism>.

    10/23/15 14:14:50 Prevented process <api-ms-win-downlevel-user32-l1-1-0.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\programdata\macrium\reflect\windows kits\8.1\assessment and deployment kit\deployment tools\amd64\dism>.

    Maybe safe to ignore? Might go back to PE 3.1
    This is on Windows 7x64.
     
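The four alerts quoted above all have the same shape: a DLL loaded by rundll32.exe, blocked because the launch folder sits under c:\programdata, which later posts in this thread identify as User Space by default. The following parser is an added example (not AppGuard's own code, and not part of the original post): it reads lines of that format, groups them by host process and launch folder, and flags whether the folder lies in one of the default User Space locations named in the thread. The sample log is a hand-typed copy of the quoted lines, and the User Space prefixes are taken from the discussion, not from any AppGuard API.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: a copy of the four AppGuard alert lines quoted in the post above.
SAMPLE_LOG = r"""
10/23/15 14:14:50 Prevented process <api-ms-win-downlevel-version-l1-1-0.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\programdata\macrium\reflect\windows kits\8.1\assessment and deployment kit\deployment tools\amd64\dism>.
10/23/15 14:14:50 Prevented process <api-ms-win-downlevel-shlwapi-l1-1-0.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\programdata\macrium\reflect\windows kits\8.1\assessment and deployment kit\deployment tools\amd64\dism>.
10/23/15 14:14:50 Prevented process <api-ms-win-downlevel-ole32-l1-1-1.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\programdata\macrium\reflect\windows kits\8.1\assessment and deployment kit\deployment tools\amd64\dism>.
10/23/15 14:14:50 Prevented process <api-ms-win-downlevel-user32-l1-1-0.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\programdata\macrium\reflect\windows kits\8.1\assessment and deployment kit\deployment tools\amd64\dism>.
"""

# Pattern for the "Prevented process <module | host> from launching from <folder>." line.
EVENT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) Prevented process "
    r"<(?P<module>[^|>]+?) \| (?P<host>[^>]+?)> from launching from <(?P<folder>[^>]+)>\.$"
)

# Folders the thread identifies as User Space by default (assumption: only these two).
USER_SPACE_DEFAULTS = (r"c:\programdata", r"c:\users")


def parse_events(text):
    """Parse 'Prevented process' lines into dicts; non-matching lines are skipped."""
    events = []
    for raw in text.splitlines():
        m = EVENT_RE.match(raw.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%m/%d/%y %H:%M:%S")
        events.append(ev)
    return events


def in_default_user_space(folder):
    """True when the launch folder is inside one of the default User Space roots."""
    f = folder.lower().rstrip("\\") + "\\"
    return any(f.startswith(root + "\\") for root in USER_SPACE_DEFAULTS)


def summarize(events):
    """Group alerts by (host process, launch folder) so a burst of alerts from one
    tool can be reviewed as a single decision rather than module by module."""
    groups = defaultdict(list)
    for ev in events:
        groups[(ev["host"].lower(), ev["folder"].lower())].append(ev["module"])
    return {key: sorted(mods) for key, mods in groups.items()}


if __name__ == "__main__":
    for (host, folder), modules in summarize(parse_events(SAMPLE_LOG)).items():
        print(f"{host} launching from {folder}")
        print(f"  default User Space: {in_default_user_space(folder)}")
        for mod in modules:
            print(f"  - {mod}")
```

Running it on the sample collapses the four alerts into one host/folder pair, which is the level at which a decision (guard the tool, add an exception, or leave it blocked) is actually made.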
  6. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Circuit

    Simple solution. I use PE5.0, and what I do is simply turn off Appguard when I do the build, then I turn it back on.

    Pete
     
  7. Circuit

    Circuit Registered Member

    Joined:
    Oct 7, 2014
    Posts:
    939
    Location:
    Land o fruits and nuts, and more crime.
    After that you get no more alerts?
    Are you saying every time I do a build, or just once?
    Did not see the alerts with PE3
     
  8. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Correct. Once the PE is built the actions causing the alert aren't repeated. Yes, also I do it every time I do a build, which isn't all that frequent. Why not with PE3? Not sure, but I suspect it's due to different components being used.
     
  9. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,639
    Location:
    Under a bushel ...
    Thanks @Jarmo P and @pegr - I was not aware that all C: folders were automatically in System Space. Maybe I should RTFM :)
    re The c:\gegeek_toolkit scenario: I always use Medium protection level, but I really doubt that all the GEGeek utilities are digitally signed, yet I haven't had problems(?).
    Thanks to my new understanding that these portable directories are in System Space, maybe I can just remove c:\gegeek_toolkit from User Space ...
     
  10. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    I think that GEGeek must be signing their utilities or you wouldn't have been able to run them from a folder included in the User Space definition without either explicitly guarding them or temporarily allowing User Space launches from the tray icon.

    The User Space tab is used when you want to apply User Space launch restrictions to a System Space folder/file (Include = Yes) OR to remove launch restrictions from a User Space folder/file (Include = No). If you originally thought that c:\gegeek_toolkit was already in User Space then there was no need to add it to the User Space definition with Include = Yes in order to guard its executables.

    Now that you know that c:\gegeek_toolkit is in System Space, you should leave it included in the User Space definition if it is your intention that all of these utilities should be guarded by default. If you remove the folder from the User Space definition, you will have to guard each of the utilities individually, which is something that I got the impression you wanted to avoid because of the number of utilities involved.

    It's definitely worth reading through the help manual to get an understanding of how AppGuard works. Also, maybe have a look at post #5 on Page 1 of this thread where I wrote a quick introduction for new users. I also posted something a while back about folder file access and application launch protection. If I can find it, I'll post a link to it.

    EDIT: Here's the link I spoke of: AppGuard 4.x 32/64 Bit
     
    Last edited: Oct 24, 2015
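The rules pegr lays out in posts 4 and 10 (folders on C: are System Space unless they are the user profile; a User Space tab entry with Include=Yes adds a System Space folder, Include=No removes a User Space folder; an executable in User Space launches only if it is a Guarded App, if User Space launches are temporarily allowed from the tray icon, or at Medium level if it is digitally signed) can be written down as a small decision model. The code below is an added illustration, not AppGuard's own code: the data structures, the ProgramData default (from later posts in this thread) and the rule that the deepest matching User Space entry wins are assumptions made for the example.

```python
# Illustrative model of the AppGuard User Space / System Space launch rules as
# described in this thread. Added example, not AppGuard's own code.
from dataclasses import dataclass, field
from pathlib import PureWindowsPath

PROGRAMDATA = r"C:\ProgramData"  # User Space by default (per later posts in the thread)


def _norm(path):
    # Windows paths are case-insensitive; compare lower-cased forms.
    return PureWindowsPath(str(path).lower())


def _is_under(path, folder):
    p, f = _norm(path), _norm(folder)
    return p == f or f in p.parents


@dataclass
class Policy:
    user_profile: str                       # C:\Users\<name>, User Space by default
    # User Space tab: folder -> True (Include=Yes) or False (Include=No)
    user_space_entries: dict = field(default_factory=dict)
    guarded_apps: set = field(default_factory=set)   # explicitly guarded executables
    protection_level: str = "Medium"        # "Medium" or "Locked Down"
    allow_user_space_launches: bool = False  # temporary tray-icon override


def is_user_space(policy, path):
    """User profile and ProgramData are User Space by default; everything else on
    the system drive, including folders created directly under the C: root, is
    System Space. A User Space tab entry overrides the default for its subtree.
    Assumption: when entries nest, the deepest matching entry wins."""
    default = _is_under(path, policy.user_profile) or _is_under(path, PROGRAMDATA)
    best = None
    for folder in policy.user_space_entries:
        if _is_under(path, folder):
            if best is None or len(_norm(folder).parts) > len(_norm(best).parts):
                best = folder
    return default if best is None else policy.user_space_entries[best]


def launch_decision(policy, exe, signed):
    """Return (allowed, reason) for launching exe under the thread's rules."""
    if any(_norm(exe) == _norm(g) for g in policy.guarded_apps):
        return True, "guarded app"
    if not is_user_space(policy, exe):
        return True, "system space"
    if policy.allow_user_space_launches:
        return True, "user space launch temporarily allowed"
    if policy.protection_level == "Medium" and signed:
        return True, "user space, signed, medium level"
    return False, "user space launch blocked"


if __name__ == "__main__":
    # Constructed configuration mirroring paulderdash's setup in post 1.
    policy = Policy(
        user_profile=r"C:\Users\paul",
        user_space_entries={r"c:\gegeek_toolkit": True},
        guarded_apps={r"C:\portableapps\firefox\firefox.exe"},
    )
    for exe, signed in [(r"C:\gegeek_toolkit\misc\tool.exe", False),
                        (r"C:\gegeek_toolkit\misc\tool.exe", True),
                        (r"C:\portableapps\notepad.exe", False),
                        (r"C:\portableapps\firefox\firefox.exe", False)]:
        print(exe, signed, launch_decision(policy, exe, signed))
```

Run against the constructed configuration, an unsigned utility under c:\gegeek_toolkit is blocked while a signed one launches at Medium level, which matches pegr's explanation of why the folder appeared to "just work".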
  11. marzametal

    marzametal Registered Member

    Joined:
    Mar 19, 2014
    Posts:
    766
    ProgramData folder is also considered User Space, according to the Guarded Apps -> Folder -> Settings page...
     
  12. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    I'm on XP so I can't see what the folder setting is, but I assume it has been added as an Exception folder. That doesn't make it User Space though; it simply gives a System Space folder write access for guarded apps. If it were really User Space, it wouldn't be necessary to give it write access; it would already have it by default.
     
  13. marzametal

    marzametal Registered Member

    Joined:
    Mar 19, 2014
    Posts:
    766
    I should've been more detailed. I apologise for assuming you were a W7 user. Wow, that folder doesn't appear in XP?
    ProgramData is in the User Space tab with a greyed Delete button, therefore it cannot be removed and is considered User Space by default.
    The only reason I mentioned ProgramData was because it isn't referenced in your help file, but it is in the AppGuard help file on page 18. I found it confusing somewhat... not referenced everywhere and not included in posts from time to time. So I brought it up.
     
  14. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,639
    Location:
    Under a bushel ...
    Just read through your excellent post #5 (again) and link, and had a few aha moments. Excellent as a precursor to the help file, though I suspect it will still take a while to properly internalise how this quite complex software works!
    I am prepared to run the GEGeek utilities unguarded, as if they were Program Files executables (System Space), hence I think I'll just remove the User Space Include=Yes entry. I really am not sure why I have not had a problem with this configuration, as GEGeek_Toolkit is just a collection of 3rd party utilities and I really doubt that many are signed (unless I have only ever run signed ones!). I still think I need to keep the GEGeek folder as an Exception read/write folder in the Guarded Apps tab - for the update utility (Ketarin) extract of zipped files to work. (I then also don't know why I previously needed this entry if the GEGeek directory was included in User Space as Write protection would have been disabled ... it is almost as if the User Space Include=Yes of the GEGeek directory was ignored).
    Will play around (with a better understanding now). Thanks again!
     
    Last edited: Oct 24, 2015
  15. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,639
    Location:
    Under a bushel ...
    On my Win 8.1 machine, c:\programdata is preset as Include=Yes under the User Space tab.
     
  16. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    No, it doesn't appear in XP. The XP equivalent of ProgramData is: c:\documents and settings\all users\application data.

    I've found the reference to ProgramData in the Help file where BRN describe it as being in User Space. The question though is whether AppGuard is really classifying ProgramData as User Space in Windows 7 OR whether BRN have added default customisations to make a System Space folder behave like User Space.

    The answer lies in whether or not Program Data has been defined as an Exception Folder AND included in the User Space definition. This wouldn't be necessary for a User Space folder, but would be necessary to make a System Space folder behave like a User Space folder.

    It also has a bearing on the Private Folders feature. User Space folders can be listed as Private Folders, whereas folders listed as Exception Folders can't. (Given that making a System Space folder an Exception Folder is part of "moving" a System Space folder to User Space, it should also be possible to make it a Private Folder. This is an anomaly that could do with tidying up.)

    Can you please confirm whether ProgramData has been listed as an Exception folder in the Guarded Apps tab and included in the User Space tab with Include = Yes.

    I'm curious now as to whether the code was changed for Windows 7 to classify ProgramData as User Space OR whether it is still System Space under the hood and BRN added customisations to make it behave like User Space.

    It doesn't make any real difference, but enquiring minds want to know.

    Thanks
    pegr

    EDIT: This has now been clarified and you are correct. The ProgramData folder in Windows 7/8 and the equivalent All Users Application Data folder in XP are definitely classified by AppGuard as properly being in User Space. The reason I questioned it is because you made a reference to the Guarded Apps -> Folder -> Settings page in post #3712 above, so I wondered if it had been added as an Exception folder.

    Thanks for pointing this out. I didn't know this particular folder is part of User Space, so I've learned something new.
     
    Last edited: Oct 24, 2015
  17. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,639
    Location:
    Under a bushel ...
    On my machine (Win 8.1) ProgramData is by default included in User Space tab with Include=Yes, but not listed as an Exception folder in the Guarded Apps tab.
     
  18. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    Okay, thanks. That confirms that ProgramData is configured the same as the equivalent XP folder on my machine: C:\Documents and Settings\All Users\Application Data.

    I just tried creating a file from a guarded app in the All Users Application Data folder and it was allowed. I also tried creating files in the other All Users folders and they were blocked. This confirms that AppGuard does classify this particular folder as User Space, which makes sense because it is where applications store their program data.

    As it is normally redundant to add User Space folders to the User Space definition with Include = Yes, it looks like BRN have done this deliberately for security reasons in this case, as there is no option to amend or delete the entry.
     
  19. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    You're welcome. Glad it helped.

    Regards
    pegr
     
  20. marzametal

    marzametal Registered Member

    Joined:
    Mar 19, 2014
    Posts:
    766
    My apologies for the confusion; it wasn't done intentionally to steer you down the wrong path. I mentioned the Settings page purely for the description on top of that dialog window. Cheers for being there for us amateur AppGuarders...
     
  21. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    No problem. Thanks again for pointing out that ProgramData is User Space. I wasn't aware of that, but some testing soon confirmed it.

    Regards
    pegr
     
  22. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,639
    Location:
    Under a bushel ...
    A last word on this - and to clear up any confusion I may have caused.
    Adding the C:\gegeek_toolkit portable apps directory to User Space was the issue. And lowering the Protection Level was indeed required to run these apps / utilities after all. I had previously misunderstood that AG treats folders under C: as System Space. I thought these were somehow neither System Space (Windows system directories, Program Files) nor User Space (User directory, appdata, programdata). So just removing the User Space Include=Yes for C:\gegeek_toolkit works as I want it to (i.e. like Program Files), and I probably don't even need the Exception folder either, unless the update process, or a spawned process, is somehow guarded. Will test that.
    Thanks again @pegr, for your intro, link and clarifications, I think I am getting to grips with AG now!
     
    Last edited: Oct 26, 2015
  23. stackz

    stackz Registered Member

    Joined:
    Dec 27, 2007
    Posts:
    646
    Location:
    Sydney Australia
    @pegr IIRC, BRN have included ProgramData as User Space since early AppGuard v3 builds.

    @paulderdash, if there are any internet facing apps in your C:\gegeek_toolkit (browsers etc), I'd add them to the guarded apps.
     
  24. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,639
    Location:
    Under a bushel ...
    Thanks @stackz, I had thought of that but they are nearly all (non-internet facing) utilities that I use anyway. But I have done that with browsers, PDF readers, etc. downloaded via PortableApps.com.
     
  25. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    Yes, I think you're probably right, but I don't remember it being so clearly stated within the help file in v3 as it is now in v4.

    Also, no mention of program data within the definition of User Space in the separate downloadable PDF AppGuard v4.2 User Guide: -

    "User-space refers to the computer storage space that is typically accessible by non-admin Windows users. It contains the user's profile directory (which includes the My Documents folder and Desktop), removable storage devices, network shares, and all non-system hard drives such as additional external and internal disk drives. AppGuard will either block or protect the execution of any programs contained in user-space directories."

    Although, it is mentioned under the Protected Folders section within the same User Guide: -

    "AppGuard prevents protected applications from writing to a set of protected folders and registry settings. By default, AppGuard prevents applications from writing to all folders on the System Drive (usually C:\) except for the user profile directory and the program data directory."

    It is the definition of User Space within the User Guide that I was basing my understanding on and I missed the reference to program data under Protected Folders. Maybe it would have been clearer if the definition of User Space had explicitly included program data, rather than simply mentioning it under the Protected Folders section.
     
    Last edited: Oct 27, 2015