AppGuard 4.x 32/64 Bit - Releases

Discussion in 'other anti-malware software' started by Jryder54, Oct 29, 2013.

Thread Status:
Not open for further replies.
  1. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I agree.
     
  2. hjlbx

    hjlbx Guest

    This is basic stuff - in that it needs to work as described\as expected.

    However, that is the primary problem that I have seen posted here for years - that AppGuard doesn't work quite right - as users should expect - it gets reported to BRN over-and-over - but it never gets fixed.

    Hate to say it, but that is a COMODO move...
     
  3. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    They are working on getting all process names instead of process IDs in the kernel, but they ran into some problems. Regardless they want be able to do it for this beta period.
     
  4. guest

    guest Guest

    BRN should put a tickbox or something to only hide "known" blocked process; at the moment, if you click "hide this alert" (I did once), it hides ALL of them.
     
  5. hjlbx

    hjlbx Guest

    I agree on this one.

    Unexpected behavior - since - I thought I was only disabling the reporting of a specific block event - but instead - it disables the reporting of all events of that type...
     
  6. marzametal

    marzametal Registered Member

    Joined:
    Mar 19, 2014
    Posts:
    766
    Uh oh... big no-no right there...
     
  7. guest

    guest Guest

    why no? did you try the beta? if yes you will understand what I'm talking about... (aka "schtasks.exe")

    so you prefer either be bothered by the same blocked events over and over; or not be alerted at all?

    BRN already put a checkbox but the way it is implemented is very non-friendly. user-friendliness isn't the aim of BRN actually?

    not saying, slightly modifying the alert's checkbox to "hide this Process alert" and put a tickable option in the GUI with "Hide all alerts" would be simpler for new users.

    do I need to remind that we are giving suggestions for the NEXT version, BRN want AG to be less complicated to use but still efficient in protection without being bloated with useless features.
     
    Last edited by a moderator: Feb 1, 2016
  8. hjlbx

    hjlbx Guest

    I think @marzametal agrees with @guest. It is the way he wrote his sentence - at least that is the way I interpret it.
     
    Last edited by a moderator: Feb 1, 2016
  9. hjlbx

    hjlbx Guest

    Missing targets are almost as much of a problem as are missing processes.

    What does "Blocked process XYZ from writing to <C>" tell me?

    Next to nothing.

    In the above case, it is completely impossible to determine what exactly AppGuard blocked.
     
  10. marzametal

    marzametal Registered Member

    Joined:
    Mar 19, 2014
    Posts:
    766
    Bingo. :) Sorry for the confusion guest...
     
  11. guest

    guest Guest

    ah ok, my bad then :p
     
  12. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I believe I discovered a bug in the Power App feature. I just reported it to Barb. Below is the report I made to Barb.

    I believe there is a bug in the Power App feature now. I have always used Process Explorer from the following path: C:\Program Files (x86)\Process Explorer\procexp.exe. Procexp.exe must be made a Power App so that it can spawn procexp64.exe from the following path: c:\users\achilles\appdata\local\temp\procexp64.exe. I have always done this in the past in order to use Process Explorer, and it has always worked. If I make procexp.exe a Power App now, it will no longer allow procexp64.exe to be spawned in the appdata local temp folder. It blocks it, as you can see in the image and Event Log attached in the archive. Some other users have also been having problems with applications being blocked that they made Power Apps, but I disregarded the reports initially because I know making something a Power App does not always work. Maybe they are experiencing the same possible bug. I do know that Process Explorer should launch successfully if I make it a Power App. I think everything you need should be in the archive attached with this email. I'm using Windows 7 x64 Ultimate.

    regards,

    Michael
     
  13. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I just discovered that AG will allow Process Explorer to launch if I drop the Protection Level from Locked Down to Medium. I do not believe this has ever been the behavior on my machine in the past. I believe Power Apps were always allowed to launch in Locked Down, and Medium. What has been the behavior on other users' machines? I may have to roll my machine back to be for sure.
     
  14. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,811
    Location:
    .
    I can confirm it was present before, at least in the previous stable version. I completely forgot about this behavior since I grabbed procexp.64.exe and dropped it on a self-made C:\Programs Files\Process Explorer\ folder though.
     
  15. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    So AG blocked Process Explorer in Locked Down Mode in previous versions?
     
  16. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,811
    Location:
    .
    Iirc, yes.
     
  17. marzametal

    marzametal Registered Member

    Joined:
    Mar 19, 2014
    Posts:
    766
    A solution already exists for Process Explorer.
     
  18. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I have always made it a Power App. That has always worked.
     
  19. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    I use a portable version in C:\PortableApps.com\PortableApps\ProcessExplorerPortable\ProcessExplorerPortable.exe.
    I recently tried Process Explorer's VT check and had some issues, because it spawns the temp file you mention, which I became aware of through NVT ERP. AG in Medium mode.
    I whitelisted the temp file in NVT ERP, and also tried adding it as User Space Include=No in AG. But IIRC I still had to drop to Install for it to work correctly.
    It would launch but would not e.g. show Company Name, and VT check results (could not find hash to submit).
    I have now added the temp file to Power Apps (stable version, not beta) and it works like a charm.
    So if you are using beta now, something may have changed ...
     
  20. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    It turns out that somehow I managed to add the folder instead of the executable. I think maybe it was a glitch because I'm pretty sure I chose the executable. I can't reproduce it. It turns out that AG does allow Power Apps in Locked Down Mode. I'm not sure why other users are seeing a different behavior.
     
  21. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Somehow I managed to add the folder instead of the executable. It turns out that AG does allow Power Apps in Locked Down Mode. Process Explorer is working in Locked Down Mode now.
     
  22. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,811
    Location:
    .
    Guess what, I added the exe again to Power Apps and the spawned procexp64.exe file in C:\Users\MrX\AppData\Local\Temp is working once again, I don't understand.
     
  23. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Well, the reason it was not working previously was because somehow the folder got added as a Power App instead of the exe. I'm pretty sure I added the exe, and not the folder. I'm not going to worry about it though unless I can reproduce the problem.
     
  24. hjlbx

    hjlbx Guest

    AppGuard still blocks certain things - even for Power Apps - in Lock Down mode.
     
  25. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    I assume you never did get Quarri - MyPOQ to work with AppGuard, even in Medium mode?
     