AppGuard 4.x 32/64 Bit - Releases

Discussion in 'other anti-malware software' started by Jryder54, Oct 29, 2013.

Thread Status:
Not open for further replies.
  1. hjlbx

    hjlbx Guest

    No. BRN stated that, despite best efforts, some programs just will not work with AppGuard.

    I can understand that, since POQ is not an ordinary security application.

    Power Apps just kept blocking... so POQ was doing something that AppGuard disallowed - even for a Power App.
     
  2. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,792
    Location:
    .
    But it shouldn't block anything, right? That's the main goal or reason to exist for Power Apps in the first place: to have a free way to do their things.
     
  3. hjlbx

    hjlbx Guest

    I agree - that's what I expect of Power Apps, but the reality of AppGuard is different - and that fact isn't fully explained in the Help file.
     
  4. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,792
    Location:
    .
    To resolve those "special" apps like POQ, BRN should release more frequent releases with "special" fixes to AG's policy file. Am I wrong asking for this?
     
  5. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Maybe if AG supported hashing it would not be a problem. You could whitelist blocked items by hash if its hash did not change each time it was spawned. What are Quarri and MyPOQ?
     
  6. guest

    guest Guest

    Browser sandboxing & isolation.
     
  7. hjlbx

    hjlbx Guest

    Like @guest states. But unlike Sandboxie, in POQ the sandbox is hosted on a remote server.
     
  8. hjlbx

    hjlbx Guest

    Heh, heh... BRN executives probably think we are all OCD... :blink: ... "Just use Protected Mode..." LOL :argh:
     
  9. hjlbx

    hjlbx Guest

    Does AppGuard protect pagefile.sys and hiberfile.sys o_O
    • AppGuard Protected Mode
    • Digitally signed malware is permitted to execute from User Space
    • Malware is a data stealer and scans pagefile.sys, hiberfile.sys and User Space (eg User profile\ProgramData) for plain-text data (eg passwords\logs)
    Does AppGuard prevent malware running in User Space from accessing Network Filtering Platform\firewall ?
     
    Last edited by a moderator: Feb 4, 2016
  10. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Thank you!
     
  11. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I would not want to use it then out of Privacy Concerns.
     
  12. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    What OS are you running? Unless it is XP, AppGuard should not interfere with other security programs.
     
  13. hjlbx

    hjlbx Guest

    @Barb_C

    Windows 8.1

    What concerns me is that, in some instances, AppGuard will block security softs (eg HitmanPro), even when added to Power Apps. For example, in this thread I reported that AppGuard Activity Report showed "Blocked hitmanpro_x64.exe from writing to <C>" during malware removal. Another person has reported on this thread that HitmanPro is prevented from updating.

    This type of behavior is difficult to diagnose since current logging does not provide sufficient information.
     
  14. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    Is more information provided when selecting the message info for the event? The full path should be present for the exe that was blocked. I know sometimes we only report the pid, but if we can resolve the name, it's usually the full path. I would speculate that the path provided for the power app differs from the blocked process's path. I've never seen the case where AppGuard is only reporting the blocked path as "<C>". Anyone else see this?

    For blocked updates, Hitman Pro's publisher should be added to the trusted publisher policy. Making Hitman Pro a power app will not necessarily allow it to update (it depends on how the updates are accomplished). When we come up for air (after this release), I'll see if someone here can experiment with Hitman Pro.

    If you still have the events from this timeframe in the Windows event log, I'd really like to check them out. You can email me at "barb@blueridge.com"
     
  15. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    When I do the normal update of HitmanProAlert I turn off Appguard, and I have no issues. I have also made c:\users\Pete\Appdata\local\temp\hitmanpro_x64.exe a power app and no issues there.
     
  16. syrinx

    syrinx Registered Member

    Joined:
    Apr 7, 2014
    Posts:
    427
    A couple weeks ago Mr.X described a situation on this thread where, on his PC with AppGuard, it simply wasn't doing anything. Programs were allowed to launch from user space under locked down mode, guarded apps were not being guarded, etc...but AppGuard didn't report any issues. By the time someone from BRN took a look at his PC, the problem had vanished. It reminded me of something I'd seen before in regards to another program I use called ImDisk, a free RAM-Disk software, which by the way, he did not have on his system at the time.

    Unfortunately, as I learned the hard way, this does not seem to be reproducible in a VM for 'some reason'. Yet on my real machine it happens every time through a very specific rule being set inside AppGuard. When we tried to duplicate the issue on Mr.X's PC using ImDisk and such a rule I was surprised to find that it seemed to be even worse for him and wasn't limited to a specific setup on his end. Up to that point I had assumed it was a small bug located in an area of code that was rarely used and thus easily missable. After that, I was at a loss.

    There are a couple of obvious solutions to the problem starting with, don't use ImDisk but that's not what this post is about. What bothers me is that they get along fine 'until' a rule is set in AppGuard concerning the Ram-Disk. Then poof, absolutely no protection or even a warning that AppGuard is no longer protecting me. Removing the offending rule suddenly allows AppGuard to work again. It's very odd.

    So I thought I'd bring it up here for those of you brave enough to try it on a real machine yourselves. Maybe you'll be able to reproduce it and we can get an idea as to why this is happening.

    The steps are:

    1) Install ImDisk
    2) Create a Ram-Disk, give it a drive letter and format it. (It has a GUI in the control panel)
    3) Open the AppGuard GUI
    4) Choose Customize
    5) Go to the Guarded Apps tab
    6) Near the bottom, select Settings...
    7) Select Add
    8) Add the Ram-Disk drive

    This is where it gets a bit fuzzy, on my machine only one rule type causes this issue constantly, on Mr.X's any of the protection types caused this issue...

    My test machine: Windows 7 SP1 x64, no third party security apps, tested without updates and with, same results
    On my machine, in Locked Down mode with this rule for the RAM-Disk, Anything can launch.
    On my machine, in Protected mode with this rule for the RAM-Disk, it suddenly works again and blocks the app from launching.

    Mr.X's test machine: Windows 8.1 x64, check his signature for a list of his apps
    On Mr.X's machine in Locked Down mode with ANY rule for the RAM-Disk, Anything can launch.
    On Mr.X's machine in Protected mode with ANY rule type for the RAM-Disk, Anything can launch.

    9) Select Exception (Read/Write) [yes, I realize this is a useless rule without first adding the drive to system space but it seems to be the most likely to cause the problem]
    10) Hit OK to close that area
    11) Hit OK again to close the customization section of the GUI
    12) Put AppGuard into Locked Down Mode if it isn't already.

    At this point the rule setup will either work for you or cause the issues we saw during the test where AppGuard does nothing.

    13) Try to run an app from userspace. (I put a small, unsigned app on my desktop to test it.)


    The weird part is that so far I've only been able to reproduce this issue reliably using an ImDisk RAM-Disk. This could mean the fault lies with ImDisk itself but what bugs me is that it only occurs when a rule for one of the disks is set inside AppGuard.

    What worries me is that AppGuard seems to think it is functioning but isn't. I can't figure it out. Can you? Either way, if some others can test this on their machine, perhaps it'll help us isolate a reason if it happens for some and not others.

    I've uploaded a set of procmon logs and a Problem Steps Recorder recording (.mht, may need to use IE) I made today showing this issue on a clean Windows 7 x64 SP1 (No updates, only ImDisk and AppGuard) install on my live system [as it never happens in a VM for me at least] if anyone wants to take a look at those and see it instead of trying it.

    It's 14 MB (zipped)
    3.zip on mediafire
    3.zip on zippyshare
     
  17. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Thank you for your detailed reporting. I will try to reproduce this later tonight, or tomorrow. Maybe we can narrow it down to some common factor.
     
  18. syrinx

    syrinx Registered Member

    Joined:
    Apr 7, 2014
    Posts:
    427
    I suppose I should add that while I can reliably reproduce it 'this way' I have on occasion seen similar problems but was never able to find a pattern constantly resulting in the issue. So far only an ImDisk RAMDisk and rule in AppGuard as shown above has allowed me to re-create the issue 'at will' on my system.

    It doesn't explain the problem Mr. X had as he did not have ImDisk installed at the time. So unless it's an issue someplace with the rule processing in AppGuard they may not even be linked but they are so 'eerily' similar that I figured maybe having more people testing it might help us get closer to the root of the problem. After sharing many theories with BRN via email, it still has me totally confused and I'm sure they're bored of my spams by now. (Sorry Barb!)
     
    Last edited: Feb 5, 2016
  19. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    Thanks for the detailed description of the problem. I will look into this further today. It's too bad it can't be reproduced on a VM. Does anyone know if this is with the released version as well or just the new Beta? Also, with Mr. X's machine, this was the ultimate conclusion:
    The events in the system event log show that the AppGuard driver is not getting loaded properly. We believe that one of your other security software is not following Microsoft's framework for interacting with FilterManager and that is why our driver isn't getting loaded properly. AppGuard does follow the guidelines and so the option is to uninstall the other software products and see if the system message that we are expecting is recorded. Once it is working you can try re-installing the other software to see if our driver still loads properly (sometimes the order of installation will permit the products to play together).
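    Two things in this thread lend themselves to a mechanical check: Barb_C's conclusion above that the AppGuard driver was not registering with Filter Manager, and step 13 of syrinx's procedure (does a launch from user space actually get blocked, or does AppGuard only think it is enforcing). The PowerShell script below is an added example written for this page; it is not from the thread, from AppGuard, or from Blue Ridge Networks. The minifilter name is a placeholder because the thread never names the driver (read the real name from `fltmc filters` on a working install), the test executable path is an assumption, and matching Filter Manager messages on the word "failed" is a heuristic.

```powershell
# Added diagnostic example (not AppGuard's or Blue Ridge Networks' code).
# Checks: (1) is the minifilter registered with Filter Manager,
#         (2) what Filter Manager logged about driver loads recently,
#         (3) is a launch from user space really being blocked.
# ASSUMPTION: the AppGuard minifilter name is not given in the thread; replace
# the placeholder with the name 'fltmc filters' shows on a working install.
# Run from an elevated PowerShell prompt.
param(
    [string]$FilterName = 'APPGUARD_MINIFILTER_NAME_PLACEHOLDER',   # assumption
    [string]$TestExe    = "$env:USERPROFILE\Desktop\TestApp.exe",  # assumption
    [int]$HoursBack     = 24
)

function Test-MinifilterLoaded {
    param([string]$Name)
    # fltmc.exe lists every minifilter currently registered with Filter Manager.
    # If the driver is missing here, no policy can be enforced, whatever the GUI says.
    $lines = & fltmc.exe filters 2>&1
    return [bool]($lines | Where-Object { $_ -match ('^\s*' + [regex]::Escape($Name) + '\s') })
}

function Get-FilterManagerEvents {
    param([int]$Hours)
    # Filter Manager records load results in the System log under the
    # 'FilterManager' provider (ID 6 is the "successfully loaded" message).
    Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'FilterManager'
        StartTime    = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

function Test-UserSpaceLaunchBlocked {
    param([string]$Path)
    # Returns $true if the launch was denied, $false if the process came up,
    # $null if there is nothing to test. A denied launch makes Start-Process
    # throw; a process that is created and then torn down is caught by the
    # short wait-and-check afterwards.
    if (-not (Test-Path $Path)) { return $null }
    try {
        $p = Start-Process -FilePath $Path -PassThru -ErrorAction Stop
        Start-Sleep -Milliseconds 500
        if ($p.HasExited) { return $true }
        Stop-Process -Id $p.Id -Force -ErrorAction SilentlyContinue
        return $false
    } catch {
        return $true
    }
}

$loaded = Test-MinifilterLoaded -Name $FilterName
Write-Host "Minifilter '$FilterName' registered with Filter Manager: $loaded"
if (-not $loaded) {
    Write-Host 'Driver is not loaded; enforcement cannot be working regardless of the GUI state.'
}

$events = Get-FilterManagerEvents -Hours $HoursBack
$events | Format-Table -AutoSize
# Heuristic: surface any Filter Manager message that mentions a failure.
$events | Where-Object { $_.Message -match 'failed' } |
    ForEach-Object { Write-Host "Filter Manager reported a problem: $($_.Message)" }

$blocked = Test-UserSpaceLaunchBlocked -Path $TestExe
switch ($blocked) {
    $true  { Write-Host "User-space launch of '$TestExe' was blocked (expected in Locked Down)." }
    $false { Write-Host "User-space launch of '$TestExe' SUCCEEDED: policy is not being enforced." }
    default { Write-Host "No test executable at '$TestExe'; skipping the launch check." }
}
```

    The point of running all three checks together is that they disagree in exactly the failure mode syrinx describes: the GUI reports Locked Down, but the driver is absent from `fltmc filters` and the test launch goes through. Running the script before and after adding a rule (step 8 above) shows whether that rule is what takes the driver down.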
     
  20. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    Here is a link for the latest beta update: https://blueridgenetworks.s3.amazonaws.com/UpdateFolder/AppGuardSetup_4_3_9_1.exe . I'll provide more details later, but this version has the following fixes/enhancements:
    1. Power apps in (x86) or system32 should have the correct paths shown in the GUI.
    2. Java runtime programs are now Guarded (you might have to reboot to actually see these in your list and of course they need to be installed).
    3. When adding user-space and other folder/file policies, AppGuard will remember the last path.
    4. .Jar files are now prohibited from running from user-space.
    5. You can now delete schtasks.exe and at.exe from your policy if you desire (but we DO NOT recommend that).
    6. You can update from 4.x without uninstalling first.
     
  21. syrinx

    syrinx Registered Member

    Joined:
    Apr 7, 2014
    Posts:
    427
    I first noticed it with a stable version a while ago. After sending you a PM and hearing that you weren't able to reproduce it, I shrugged it off as an incompatibility that I simply worked around to avoid, until I read Mr. X's posts, which sparked my memory and interest in it again because it was so alike. Sadly I've just been chasing my own tail trying to figure it out, so I thought having more people try it might reveal something.
     
  22. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    Thanks, this helps. I was thinking this might have been something at the application layer that was a side effect of moving Locked Down off of the main GUI. So it appears that this has been there for a while. One of the Engineers is using the released version to try to replicate and I am using the new Beta version. Hopefully between the two of us we will figure out something.
     
  23. SIR****TMG

    SIR****TMG Registered Member

    Joined:
    May 31, 2004
    Posts:
    833
    Downloaded new beta and running it now.
     
  24. syrinx

    syrinx Registered Member

    Joined:
    Apr 7, 2014
    Posts:
    427
    Good news, sort of. I located the cause of the problem on my computer. I've uploaded new PSRs and procmon logs showing the change. It actually involves my sound card drivers (or more specifically a DLL it loads at runtime). Sadly this doesn't explain why it happens on Mr. X's machine since he has a completely different brand of sound card.

    It's about 5 MB in size:
    Cause.zip on zippyshare
    Cause.zip on mediafire

    Link to my sound card drivers, I'm on Win 7 x64:
    http://support.creative.com/downloads/download.aspx?nDownloadId=13171

    Simply by killing 'P17RunE.dll' and refreshing AppGuard on my end with the ImDisk rule still in place, it works perfectly together. Talk about confusing: from what I can tell that isn't a kernel mode thing, so how on earth is it affecting AppGuard?!

    Uninstalling the sound card drivers resolves the issue as well but that isn't an option. Killing the dll seems to cause errors with the creative apps/control panel but otherwise sound seems to be functioning properly so far.
     
    Last edited: Feb 6, 2016
  25. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,792
    Location:
    .
    Thankfully this issue hasn't appeared again, not even once. Hope that was a one time issue. Now, thank you so much for the new beta...
     