AppGuard 4.x 32/64 Bit - Releases

Discussion in 'other anti-malware software' started by Jryder54, Oct 29, 2013.

Thread Status:
Not open for further replies.
  1. guest

    guest Guest

    Why is cmd.exe allowed to make directories in System Space o_O
    It's guarded, and it should be forbidden.
     
  2. hjlbx

    hjlbx Guest

    @mood - were you able to confirm the simple test results ?
     
  3. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,812
    Location:
    .
    @hjlbx
    I can confirm simple test results... :eek:

[Q] - If I had launched an elevated cmd prompt, would the test results have been expected?
     
  4. hjlbx

    hjlbx Guest

    1. Thanks

    2. [Q] - No.

3. The file can be installed and executed, but it cannot be made to auto-start via a write to the registry, start-up folder, etc. by the Guarded process that created it. The process can be executed, but it should inherit Guarded status from the Guarded process that created and launched it.

    4. Case 1: User can mistakenly go into the C:\new_folder - after the fact - and execute the file - which will do so completely un-restricted (Un-Guarded).

    5. Case 2: An easy way to "target" AppGuard - a combo of *.lnk (shortcut) file on desktop that points to the process in the C:\new_folder and will execute it (which is a case of social engineering I suppose).

    *.lnk (shortcut) files can be made to execute processes in System Space (Un-Guarded) by AppGuard policy.

    Most riskware installs *.lnk (shortcut) files on the desktop - and the user virtually never questions the safety of the shortcut. The problem with *.lnk files is that command lines can be added to the shortcut. With AppGuard, if you *.lnk to a process in System Space it will run un-restricted - and so will its child processes - but they cannot start processes residing in User Space directories for the most part. There are exceptions: *.sys, *.sfx - self extracting archives, etc.

6. In Case 1 or 2, once executed, the file can write to the registry, start-up folder, etc. and make all manner of modifications to the system, because it is in a folder treated by AppGuard as System Space, and the process\system modifications will persist on the system.
     
    Last edited by a moderator: Jul 17, 2016
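The post above describes shortcuts on the desktop that point at an executable in a freshly created root-level folder (the thread's C:\new_folder), with AppGuard treating that folder as System Space. Below is an added defender-side audit script, not code from the thread or from AppGuard: it enumerates .lnk files on the user and public desktops with the standard WScript.Shell COM object and reports any whose target lies outside Program Files or the Windows directory, together with any command-line arguments baked into the shortcut. The list of trusted roots is an assumption to adapt per machine.

```powershell
# Added example (not from the thread or from AppGuard's developers): list desktop
# shortcuts whose target is outside the usual program directories, so a shortcut
# pointing at something like C:\new_folder\any_process.exe stands out.
$shell = New-Object -ComObject WScript.Shell

# Assumption: directories normally treated as trusted install locations.
$trustedRoots = @("$env:ProgramFiles", "${env:ProgramFiles(x86)}", "$env:SystemRoot") |
    Where-Object { $_ }

$desktops = @(
    [Environment]::GetFolderPath('Desktop'),
    [Environment]::GetFolderPath('CommonDesktopDirectory')
)

function Get-SuspiciousShortcut {
    param([string[]]$Folders = $desktops, [string[]]$Trusted = $trustedRoots)

    foreach ($folder in $Folders) {
        Get-ChildItem -Path $folder -Filter *.lnk -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $lnk    = $shell.CreateShortcut($_.FullName)
            $target = $lnk.TargetPath
            if (-not $target) { return }   # URL shortcuts or broken links: skip

            # Flag when the resolved target does not start with any trusted root.
            $trustedHit = $Trusted | Where-Object { $target.StartsWith($_, 'OrdinalIgnoreCase') }
            if (-not $trustedHit) {
                [pscustomobject]@{
                    Shortcut  = $_.FullName
                    Target    = $target
                    Arguments = $lnk.Arguments   # extra command line, as the post warns
                    Created   = $_.CreationTime
                }
            }
        }
    }
}

Get-SuspiciousShortcut | Format-Table -AutoSize
```

Shortcuts to legitimately installed portable tools will appear too; the point is a short review list, with the target path and any appended arguments visible, rather than an automatic block.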
  5. guest

    guest Guest

    Yes, but AG can't prevent the user from starting files from System Space, where the execution is not forbidden.
    Or if the user mistakenly executes files like this:
    especially Step 4 is user-initiated.
    and Step 6 = Locked Down is only protecting User Space

    AG is working as designed :D:eek:
     
  6. hjlbx

    hjlbx Guest

    I have reported it to BRN. That's all I can do...
     
  7. hjlbx

    hjlbx Guest

  8. hjlbx

    hjlbx Guest

    Petya.exe
    Satana.exe

    Both MBR encrypting ransomware.

    1. Protected or Lockdown mode.

    2. AppGuard Tray icon > Allow User Space Launches - Guarded

3. Both Petya.exe and Satana.exe will encrypt the MBR

    Y'all have fun now... and don't use anything but Lock Down mode.
     
  9. guest

    guest Guest

After I sent a bug report I always received an answer, like "we're investigating / we can reproduce / ..."
Maybe a few hours/days later.
But that doesn't mean that it will be fixed in the next version... Better not rely on that.
    I see that MBAE is started via runonce.exe too.
     
  10. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
I've added an enhancement bug to the AppGuard bugbase for future consideration, but how is step 4 accomplished? If manual, then I don't view this as a likely malware threat and the enhancement will be prioritized accordingly. If you are somehow able to do it from a user-space application, then I will raise the priority.
     
  11. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    Hi all, sorry I have been absent for so long. I was away on a much needed vacation and since I've been back have been catching up with hundreds of emails and supervising our latest AppGuard Enterprise release which should be finalized shortly. Then focus will most likely be shifted to the consumer versions and as such I hope to get back on Wilders to review some of the posts later this week.
     
  12. hjlbx

    hjlbx Guest

    @Barb_C

    In the simple test, the user just manually moves the file (PE32) to C:\new_folder.

    Malware can do it directly via various means. What got me started down this road was actual malware that created and dropped files to C:\new_folder.

    A malware or script launched Guarded from User Space can create a new directory at the drive root - e.g. C:\, create executables and launch them.

    The real problem is when the malware creates a short-cut (*.lnk) to C:\new_folder\any_process.exe. When the user clicks the short-cut, the process will be running Un-Guarded because AppGuard treats C:\new_folder as System Space.
     
    Last edited by a moderator: Jul 18, 2016
  13. hjlbx

    hjlbx Guest

    @Barb_C

How is the beta program to be administered now that BRN has phased out 4.X?

    Will 4.X essentially be the "base" beta version for Personal, Small Business and Enterprise ?
     
  14. hjlbx

    hjlbx Guest

    I need volunteers to test AppGuard in the default configuration.

    Anyone who would like the details please contact me via PM as I cannot post any further information here on the open forum per Wilders' Terms & Rules.
     
  15. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    Not sure how a Guarded malware app could have dropped files in the new folders. Will look into it.
     
  16. hjlbx

    hjlbx Guest

    Guarded Apps can write to C:\ - this includes both folder and executable creation inside the folder.

    Unfortunately, I cannot locate the sample. I obtained it via CleanMX and the link is no longer active.

    I feel badly about losing the sample...
     
    Last edited by a moderator: Jul 19, 2016
  17. hjlbx

    hjlbx Guest

    Both Powershell and Powershell_ISE really should be in User Space (YES) by default AppGuard policy.
     
  18. Schorg

    Schorg Guest

I am unable to find within AppGuard the ability to save my edited user space, guarded apps and folder/file read/write exemptions.

I think it would be very useful to be able to export and import user configurations within AppGuard.
     
  19. hjlbx

    hjlbx Guest

    Confirmed officially with BRN that they did not use Windows Detour for hooking in AppGuard; AppGuard is free of reported Windows Detour vulnerabilities.
     
  20. hjlbx

    hjlbx Guest

    C:\Users\User\AppData\Roaming\blue ridge networks\appguard\appguardpolicy.xml

    1. Disable tampering protection

    2. Go to C:\Users\User\AppData\Roaming\blue ridge networks\appguard\appguardpolicy.xml

    3. Copy appguardpolicy.xml

4. Save to external media - cloud, flash drive, etc.

    5. Re-enable tampering protection
     
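The five steps above are a manual copy of appguardpolicy.xml. As an added example that is not from the thread or from Blue Ridge Networks, the script below does the copy step with a timestamped filename and verifies the copy by SHA-256 before recording it, so a later restore can be checked against a known-good hash. It uses the path hjlbx quotes (via $env:APPDATA); the backup location is an assumption. Steps 1 and 5 (disabling and re-enabling tamper protection) are done in the AppGuard GUI and are not automated here.

```powershell
# Added example (not from the thread or from AppGuard's developers): back up the
# AppGuard policy file with a timestamp and verify the copy by SHA-256.
# $env:APPDATA resolves to C:\Users\<user>\AppData\Roaming, matching the thread's path.
$PolicyPath = Join-Path $env:APPDATA 'blue ridge networks\appguard\appguardpolicy.xml'
$BackupRoot = 'D:\Backups\AppGuard'   # assumption: external drive or synced folder

function Backup-AppGuardPolicy {
    param([string]$Source = $PolicyPath, [string]$Destination = $BackupRoot)

    if (-not (Test-Path -LiteralPath $Source)) {
        throw "Policy file not found: $Source"
    }
    New-Item -ItemType Directory -Path $Destination -Force | Out-Null

    $stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
    $target = Join-Path $Destination "appguardpolicy-$stamp.xml"
    Copy-Item -LiteralPath $Source -Destination $target

    # Integrity check: the copy must hash identically to the source.
    $srcHash = (Get-FileHash -LiteralPath $Source -Algorithm SHA256).Hash
    $dstHash = (Get-FileHash -LiteralPath $target -Algorithm SHA256).Hash
    if ($srcHash -ne $dstHash) {
        Remove-Item -LiteralPath $target
        throw 'Hash mismatch after copy; backup discarded.'
    }

    # Record the hash beside the copy so a restore can be verified later.
    "$srcHash  $(Split-Path $target -Leaf)" |
        Add-Content -Path (Join-Path $Destination 'SHA256SUMS.txt')

    [pscustomobject]@{ Backup = $target; SHA256 = $srcHash }
}

Backup-AppGuardPolicy
```

Before restoring, hash the backed-up file again and compare it with the line in SHA256SUMS.txt; as the later posts note, a policy saved from one account is not importable into another account's AppGuard configuration, so keep one backup per account.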
  21. guest

    guest Guest

    only if you have only the admin account; if you have more than one account, it becomes pain in da...
     
  22. hjlbx

    hjlbx Guest

    Thanks @guest - I forgot to mention it.

    You have to create a custom config in AppGuard while in SUA from scratch; you cannot import the one from your Admin account.

    Both @guest and I know -- we both tried.

    It is a pain...
     
  23. guest

    guest Guest

    Yes, it is ...
    and the format of the xml-file (from the user) is an additional pain :eek:
     
  24. Schorg

    Schorg Guest

Thank you hjlbx, guest and mood for your help.

That certainly sounds a pain, but glad there is a workaround.

I wonder why they have not added this feature to AppGuard. Is there any particular reason they have not added it?

I think it's quite necessary to have such a feature.
     
  25. hjlbx

    hjlbx Guest

    Nobody really asks for it, except for us here at Wilders.
     