AppGuard 4.x 32/64 Bit - Releases

Discussion in 'other anti-malware software' started by Jryder54, Oct 29, 2013.

Thread Status:
Not open for further replies.
  1. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,453
    Location:
    .
    Hmm, thought some pages back... #5287 that wildcards for User Space and Power Apps were okay.
    I was just checking current status regarding wildcards.
    AG default employs wildcard. Are *\wmic and *\reg okay?
     
  2. hjlbx

    hjlbx Guest

    Yes. c:\windows\*\wmic.exe and reg.exe are both OK. Using c:\windows\*\ as part of the file path works; I haven't found any buggy behavior connected to it.
     
  3. bjm_

    bjm_ Registered Member

    Again, much appreciation for 5287 & 5727
     
  4. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,639
    Location:
    Under a bushel ...
    +1
     
  5. paulderdash

    paulderdash Registered Member

    +1
     
  6. hjlbx

    hjlbx Guest

    hh.exe able to launch when added to User Space (YES) bug resolved; user error.

    My mistake. I checked my User Space (YES) list and I incorrectly typed c:\windows\*\hh.exe instead of c:\windows\hh.exe.

    Thanks @mood for pointing out the error.

    Sorry guys... I will also correct it with BRN.
     
  7. bjm_

    bjm_ Registered Member

    Curious, what's the risk related to RegAsm? #1366
     
    Last edited: Jul 24, 2016
  8. Schorg

    Schorg Guest

    Hello all, I have added c:\program files\windows journal\journal.exe to user space (YES). But I have been doing a few file searches, and two instances of journal.exe are also located in c:\windows\WinSxS\......\journal.exe. Should I also create a rule for these as well?

    I believe there are a few other examples of vulnerable processes also located in c:\windows\winsxs\....

    But correct me if I am wrong, does for example c:\windows\*\msra.exe cover the other instance in c:\windows\WinSxS\?
     
    Last edited by a moderator: Jul 24, 2016
  9. guest

    guest Guest

    I never saw any application being executed from this c:\windows\WinSxS-directory (ok, except TiWorker.exe :))
    But I think it's not necessary to add one additional rule for "c:\windows\WinSXS\...\journal.exe"
     
  10. Schorg

    Schorg Guest

    Thanks @mood, for your help!!!
     
  11. hjlbx

    hjlbx Guest

    c:\windows\*\ includes the WinSxS folder.

    Like @mood, I have never seen any process executed from the WinSxS folder; my rules have never created a problem.

    For basic info on WinSxS: http://www.thewindowsclub.com/winsxs-folder-windows-7-8
     
  12. Schorg

    Schorg Guest

    Thanks @hjlbx, you have helped a lot, especially with the very informative read via your link regarding WinSxS - links gone? - Sorry, my phone is playing up, I can see the link again.

    I was unfamiliar with WinSxS; this has helped.
     
    Last edited by a moderator: Jul 24, 2016
  13. hjlbx

    hjlbx Guest

    If anyone has any concern over the pending digital certificate rules in 2017 and the AppGuard kernel-mode driver's digital certificate - don't fret over it.

    The brnfilelock.sys certificate RSA is compliant at 2048-bit, but the Thumbprint algorithm is still SHA-1.

    BRN is aware of it and has a plan. Issues of backward compatibility need to be sorted out.

    It will be OK...
     
  14. hjlbx

    hjlbx Guest

    For anyone that needs download link for 4.4.6.1: http://www.appguardus.com/support/products/AG44/AppGuardSetup-4-4-6-1.exe

    You can thank @FleischmannTV - he kept the old link for 4.X from 2013.
     
  15. hjlbx

    hjlbx Guest

    Has anyone had any block events or problems by adding all vulnerable processes to User Space (YES) ?

    I know @paulderdash had one - dfshim.dll on W8.1.

    Anyone else using a "hardened xml" ?
     
  16. bjm_

    bjm_ Registered Member

    What exe is dfshim.dll associated with? #1366
     
  17. hjlbx

    hjlbx Guest

    Microsoft's Click Once Application Deployment (.NET Framework)
     
  18. Schorg

    Schorg Guest

    Hi @hjlbx, I have not had any issues with adding all (debug.exe and set.exe are not present on my system) vulnerable processes to User Space (YES).
     
  19. bjm_

    bjm_ Registered Member

    and that's one of the items listed #1366
     
  20. paulderdash

    paulderdash Registered Member

    Yes that is the only one I had an issue with so I took it out. I am subsequently on Win 10 and haven't tried adding it back.

    Like @Schorg, I don't have set.exe and debug.exe on my system, nor mrsa.exe.
     
  21. paulderdash

    paulderdash Registered Member

    Somewhere I think @WildByDesign reported these new rules would be effective for Win 10 with the Anniversary Update?
     
  22. hjlbx

    hjlbx Guest

    Feb. 14, 2017 - per latest public Microsoft policy.
     
  23. hjlbx

    hjlbx Guest

    set.exe, debug.exe and mrsa.exe are not shipped with W8+.
     
  24. hjlbx

    hjlbx Guest

    No. ClickOnce is an application deployment technology and not a process shipped with Windows.
     
  25. Schorg

    Schorg Guest

    In
    I don't have mrsa.exe on main PC, Windows 10 Pro. But I wonder why I have on my Windows 10 home laptop mrsa.exe in system32 and syswow64 directories?

    Edit: I see I made an error; mrsa.exe is very similar to msra.exe, that's why.
     
    Last edited by a moderator: Jul 26, 2016
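
Added example, not part of any post in this thread and not AppGuard code: a Python check that a User Space rule list actually matches files on disk, which catches the two mistakes posters ran into above (`c:\windows\*\hh.exe` and the `mrsa.exe` misspelling). It assumes, from what the posts report, that a `*` path component stands for one or more folder levels; the rule list, the file inventory and the WinSxS subfolder name are constructed.

```python
import re

SEG = r"[^\\]+"  # one path component

def rule_to_regex(rule):
    # ASSUMPTION (from the posts, not AppGuard documentation): a lone '*'
    # component spans one or more folder levels, so c:\windows\*\x.exe
    # reaches nested folders but not c:\windows\x.exe itself.
    parts = []
    for comp in rule.split("\\"):
        if comp == "*":
            parts.append(SEG + r"(?:\\" + SEG + ")*")
        else:
            parts.append(re.escape(comp).replace(r"\*", r"[^\\]*"))
    return re.compile(r"\\".join(parts), re.IGNORECASE)

def audit(rules, inventory):
    """Return (rules matching no file, files named by a rule but not covered)."""
    compiled = {r: rule_to_regex(r) for r in rules}
    dead = [r for r, rx in compiled.items()
            if not any(rx.fullmatch(p) for p in inventory)]
    names = {r.rsplit("\\", 1)[-1].lower() for r in rules}
    uncovered = [p for p in inventory
                 if p.rsplit("\\", 1)[-1].lower() in names
                 and not any(rx.fullmatch(p) for rx in compiled.values())]
    return dead, uncovered

# Constructed rule list, including the two mistakes described in the thread.
RULES = [
    r"c:\windows\*\hh.exe",      # wrong: hh.exe sits directly in c:\windows
    r"c:\windows\*\mrsa.exe",    # misspelling of msra.exe
    r"c:\windows\*\wmic.exe",
    r"c:\windows\*\reg.exe",
    r"c:\program files\windows journal\journal.exe",
]
# Constructed file inventory; the WinSxS subfolder name is a placeholder.
INVENTORY = [
    r"c:\windows\hh.exe",
    r"c:\windows\system32\msra.exe",
    r"c:\windows\syswow64\msra.exe",
    r"c:\windows\system32\wbem\wmic.exe",
    r"c:\windows\system32\reg.exe",
    r"c:\program files\windows journal\journal.exe",
    r"c:\windows\WinSxS\constructed_component_dir\journal.exe",
]

if __name__ == "__main__":
    dead, uncovered = audit(RULES, INVENTORY)
    print("rules matching nothing:", dead)
    print("same-named files not covered:", uncovered)
```

A rule reported as matching nothing is either mistyped or points at a file the system does not ship; a file reported as not covered is a second copy that the exact-path rule leaves out.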