AppGuard 4.x 32/64 Bit - Releases

Discussion in 'other anti-malware software' started by Jryder54, Oct 29, 2013.

Thread Status:
Not open for further replies.
  1. hjlbx

    hjlbx Guest

    I do not add any of the processes in the list to either AppGuard's Guarded Apps or User Space; I use NVT ERP instead.

    I experimented with AppGuard - by adding them to User Space. My point is that out of all the processes, only two were blocked - powershell.exe (during W10 upgrade) and csc.exe (using Control Panel) - because those were the only two instances where a vulnerable process was executed by a Parent.

    In other words, for the vast majority of systems, it is likely that only a couple of vulnerable processes will be executed unexpectedly. It is better to use NVT ERP than AppGuard for vulnerable processes.
     
  2. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,804
    Location:
    .
    I've been using it since three years ago now. I like its lightness and nice features, but most importantly it's still out of the sight of malicious hackers, well, I guess.
     
  3. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I will list the executables I block soon. I block most of the same ones you do. Most of the .NET Framework resources I block are there to prevent the attacker from being able to compile their malicious code.
     
  4. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I love PDF Exchange Viewer. It is lighter than Adobe Reader and Foxit Reader. It's out of sight like you said, and it's not buggy on my machine.
     
  5. hjlbx

    hjlbx Guest

    @marzametal - this could also be accomplished by adding vssadmin.exe to vulnerable processes in NVT ERP - correct ?
     
  6. hjlbx

    hjlbx Guest

    As far as AppGuard goes, I am a bit perplexed, since what it blocks varies.

    For example, sometimes it will block an item during Install and other times it will not; sometimes it will block writes during malware removal, and other times it will not; etc.

    Without any kind of comprehensive logging, it is difficult to determine what is happening. Both users and BRN fumble about - trying to figure out what AppGuard has done... LOL.
     
  7. syrinx

    syrinx Registered Member

    Joined:
    Apr 7, 2014
    Posts:
    427
     
  8. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I created a thread for something like that about a year ago. It was a thread to discuss what executables we Guard with AG to learn about vulnerable executables, and to give feedback on whether Guarding them causes any problems. A thread could be created to discuss vulnerable executables in general without AG being required as part of the conversation. Products like AppGuard, ERP, and Bouncer would definitely come up in the thread often though because of their relevance to the topic.

    I have to get back to studying for now. I've slacked off for the past 3 hours. I have to budget my time between work, studying, and Cyber Security matters lol
     
  9. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    It would be a big help if they could figure out how to always get process names and paths instead of PIDs. PIDs are useless.
     
  10. syrinx

    syrinx Registered Member

    Joined:
    Apr 7, 2014
    Posts:
    427
    While there isn't much wrong with your list, my drunk @S^ can't help but say 'but'.

    Sure, are all of the things you mentioned (along with some you didn't) worthy of note and protection of some type? Yes. In fact I've already added some of the ones I see in your list to the 'private' (eg deny access) section of AppGuard previously ~ just in case. That part being said, any 'guarded' program under the protection of AG should treat any calls to such files as similarly guarded and the following loading of them as yet another user space launch despite them existing in system space by default. At this moment it seems (to me) that you are missing a major part of how AG works. Maybe I'm wrong, I wouldn't be surprised, I am drunk after all....

    But if I haven't missed something major already then the fact AG is (well, it should be) guarding the program that is initially exploited severely limits any potential harm they might be able to cause [I'm not saying it's worth dismissing], but your argument then becomes a bit more undefined. (to me)

    While I won't state that it isn't possible to use any of these programs [while guarded] to bypass AG's protections, there is currently no reason [I can think of at least] to add them all (and in doing so they would simply adversely affect general usability) without at least one POC. This isn't one area where I think the what-ifs outweigh the rest. Just show me 'something' and maybe I'll switch my tune and annoy BRN to no end yet again to see it changed? Until then, I have to argue... :-/
     
    Last edited: Feb 9, 2016
  11. hjlbx

    hjlbx Guest

    I don't add the processes I listed in Guarded Apps nor add them to User Space; instead I do it in NVT ERP by adding to vulnerable processes.

    I just experimented once by adding them all to User Space in AppGuard. Only two were blocked because they were executed. It was just a test.
     
  12. syrinx

    syrinx Registered Member

    Joined:
    Apr 7, 2014
    Posts:
    427
    OK I think I see where you were coming from but not every PC (or the software on it) is the same. Sadly many of the programs you mentioned (while not wrong for bringing attention to them) are used for a variety of tasks/programs where they would undoubtedly cause issues for many others. For instance on my PC, netsh, rundll32 and wscript (were they guarded by default) would result in many issues for me to work out.
     
  13. hjlbx

    hjlbx Guest

    Windows Host Process (rundll32) is Guarded by default - because it is often abused to run malicious code; look at the Guarded Apps tab.

    I added all the processes - not already included in NVT ERP's vulnerable process list - to the list without ill effect.
     
  14. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Try cleaning out the publishers list. That may explain what you are seeing.
     
  15. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    With regard to comprehensive logging: If we block it we report it. If you have a case where you see otherwise, please send us the details.
     
  16. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    Latest beta is here: https://blueridge-engineering.s3.amazonaws.com/AppGuardSetup_4_3_11_1.exe

    By popular demand this version allows jar files to run, but Guards java executables. A bug was fixed where AppGuard was not adding JRE exes in x64 program files directory to the Guard list. Also, the IMDisk issues are "fixed" in the sense that AppGuard will not allow you to add rules for the folders because IMDisk is not reporting a proper volume name to the OS. Those that already have some IMDisk rules in their policy may have to restore to defaults to see the fix. You can now add up to 32 power apps.
     
  17. hjlbx

    hjlbx Guest

    @Barb_C

    AppGuard in Install Mode

    WPS is Guarded App by default

    Prevented process <C:\Program Files (x86)\WPS Office\10.1.0.5486\wtoolex\wpsupdate.exe> from writing to <c:\windows\tasks\wpsupdatetask_hjlbx.job>.

    Prevented process <C:\Program Files (x86)\WPS Office\10.1.0.5486\wtoolex\wpsupdate.exe | C:\Program Files (x86)\WPS Office\10.1.0.5486\office6\wpp.exe> from writing to <c:\windows\tasks\wpsupdatetask_hjlbx.job>.

    These blocks are for scheduled updates via Task Scheduler (*.job file extension).
     
    Last edited by a moderator: Feb 9, 2016
  18. hjlbx

    hjlbx Guest

    @Barb_C

    HitmanPro <C:\Users\HJLBX\AppData\Local\Temp\HitmanPro_x64.exe> added to Power Apps.

    Prevented process <C:\Users\HJLBX\AppData\Local\Temp\HitmanPro_x64.exe> from writing to <c:>.
     
    Last edited by a moderator: Feb 9, 2016
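    The "Prevented process <...> from writing to <...>" lines quoted in the two posts above have a fixed shape, and the discussion earlier in the thread (who executed what, and which target was touched) is easier to reason about once those lines are parsed. The following Python parser is an added example, not AppGuard's or BRN's code. It uses the three log lines from the posts above as sample input (plus one constructed non-matching line), and it assumes that the " | " separator inside the angle brackets denotes a process chain with the acting process printed last; the category names "scheduled-task-job", "drive-root" and "other" are my own labels, not AppGuard terminology.

```python
"""Parse AppGuard-style "Prevented process <...> from writing to <...>" lines.

Added example for the thread; not AppGuard's own code. Assumptions:
  * entries inside the first <...> are separated by " | " and form a
    process chain, with the process that attempted the write printed last;
  * the category names below are this example's own labels.
"""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Dict, List, Tuple

# Three lines copied from the posts above, plus one constructed line that
# is not a block message and must be ignored by the parser.
SAMPLE_LOG = r"""
Prevented process <C:\Program Files (x86)\WPS Office\10.1.0.5486\wtoolex\wpsupdate.exe> from writing to <c:\windows\tasks\wpsupdatetask_hjlbx.job>.
Prevented process <C:\Program Files (x86)\WPS Office\10.1.0.5486\wtoolex\wpsupdate.exe | C:\Program Files (x86)\WPS Office\10.1.0.5486\office6\wpp.exe> from writing to <c:\windows\tasks\wpsupdatetask_hjlbx.job>.
Prevented process <C:\Users\HJLBX\AppData\Local\Temp\HitmanPro_x64.exe> from writing to <c:>.
Some unrelated AppGuard message (constructed line, should be ignored)
"""

LINE_RE = re.compile(
    r"^Prevented process <(?P<chain>[^>]+)> from writing to <(?P<target>[^>]*)>\.?\s*$"
)


@dataclass(frozen=True)
class BlockEvent:
    chain: Tuple[str, ...]  # full paths exactly as printed, in printed order
    target: str             # path that the write was blocked against (lowercased)

    @property
    def chain_names(self) -> Tuple[str, ...]:
        """Executable names only, e.g. ('wpsupdate.exe', 'wpp.exe')."""
        return tuple(PureWindowsPath(p).name.lower() for p in self.chain)

    @property
    def actor(self) -> str:
        """Assumption: the last chain entry is the process that tried to write."""
        return self.chain_names[-1]

    @property
    def category(self) -> str:
        """Rough label for what kind of location was written to."""
        if re.fullmatch(r"[a-z]:\\?", self.target):
            return "drive-root"           # e.g. <c:> in the HitmanPro line
        p = PureWindowsPath(self.target)
        if p.suffix == ".job" and p.parent.name == "tasks":
            return "scheduled-task-job"   # Task Scheduler *.job under \windows\tasks
        return "other"


def parse_appguard_log(text: str) -> List[BlockEvent]:
    """Return one BlockEvent per 'Prevented process' line; skip everything else."""
    events: List[BlockEvent] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        chain = tuple(part.strip() for part in m.group("chain").split(" | "))
        events.append(BlockEvent(chain=chain, target=m.group("target").strip().lower()))
    return events


def summarize(events: List[BlockEvent]) -> Dict[Tuple[str, str], int]:
    """Count blocked writes by (acting process, target category)."""
    counts: Dict[Tuple[str, str], int] = {}
    for e in events:
        key = (e.actor, e.category)
        counts[key] = counts.get(key, 0) + 1
    return counts


def writers_per_target(events: List[BlockEvent]) -> Dict[str, Tuple[str, ...]]:
    """For each target, the sorted set of processes that were stopped from writing it."""
    seen: Dict[str, set] = {}
    for e in events:
        seen.setdefault(e.target, set()).add(e.actor)
    return {t: tuple(sorted(names)) for t, names in seen.items()}


if __name__ == "__main__":
    parsed = parse_appguard_log(SAMPLE_LOG)
    for ev in parsed:
        print(" -> ".join(ev.chain_names), "|", ev.category, "|", ev.target)
    print(summarize(parsed))
    print(writers_per_target(parsed))
```

    Run as-is it prints the chain, category and target for each of the three block lines and then the two summaries; fed a longer export it shows at a glance which processes keep hitting the same scheduled-task file, which is the question raised above about the two WPS lines.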
  19. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,804
    Location:
    .
    This is just great! :thumb: +11
    Thank you very much. Many, many thanks. :D
     
  20. hjlbx

    hjlbx Guest

    Will *.jar files be allowed to execute in both Protected and Lock Down mode, or only in Protected mode?

    Either way, it's bad ju-ju; a malicious *.jar file can be a simple data stealer and accomplish its mission in a single user session since it need not persist on the system.
     
  21. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,804
    Location:
    .
    I agree with this.
     
  22. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    How is it going to steal your data Guarded?
     
  23. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I thought you needed .JAR files to be able to execute to play Minecraft.
     
  24. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    New beta installed over the top. I haven't changed any settings and all is well here.

    Pete
     
  25. SIR****TMG

    SIR****TMG Registered Member

    Joined:
    May 31, 2004
    Posts:
    833
    New beta over old working fine.
     