AppGuard 4.x 32/64 Bit - Releases

Discussion in 'other anti-malware software' started by Jryder54, Oct 29, 2013.

Thread Status:
Not open for further replies.
  1. guest

    guest Guest

    Research done: :D
    After reading this, it is intended design :cautious:
    If I have luck and the application is signed that I want to update :(

    I think it's better/easier to switch AG "Off" before updating applications.
     
  2. hjlbx

    hjlbx Guest

    WPS was not added to Guarded Apps - so the block events were inappropriate for Install mode.

    I made that report.

    However, it was dropped by BRN because the issue could not be reliably reproduced at-will...
     
  3. guest

    guest Guest

    They have to reproduce it, that's the biggest hurdle of them all.
    "If BRN can't reproduce it, it never happened" ;)
     
  4. hjlbx

    hjlbx Guest

    Same with every other vendor that I have beta tested for and submitted bug\vulnerability reports.

    Sometimes:

    1. The person trying to replicate the issue does not understand\correctly follow the procedure to reproduce. So the issue never gets logged in bug tracker or fixed.

    2. A fix gets delayed for many legitimate reasons for a long time.
     
  5. returniluser

    returniluser Registered Member

    Joined:
    Apr 5, 2011
    Posts:
    8
    First of all, I am NOT a Returniluser -- it's just an old user name from long ago that I was too lazy to change. I am a proud Appguard user. However, I am a novice and need help on something weird that I have observed recently: I often get repeated logs in the Appguard Activity Report -- sometimes as many as 10 identical logs IN A ROW -- with this same identical message:

    "Prevented <Google Chrome> from reading memory of <Host Process for Windows Tasks>."

    This is usually accompanied by high CPU usage and sluggish scrolling on webpages.

    I have observed that this happens all or almost all the time when I visit the Asus Transformer Forums, but maybe it happens on other websites too.

    Can someone tell me what that insistent onslaught of repeated identical messages is about? What does it mean that Chrome sometimes tries repetitively 10 times in a row to read the memory of Host Process for Windows Tasks? (And what exactly is the latter?) And does all this mean that there could be some attempt at malicious behavior going on?
     
  6. hjlbx

    hjlbx Guest

    Chrome is a Guarded App by default AppGuard policy - so it is blocked from accessing other process memory to protect your system.

    In this case, the block events are unrelated to the issue that you are experiencing; you can ignore those block events.

    Besides, blocks to taskhost have nothing to do with sluggish or problematic browsing.

    If you are experiencing sluggish browsing only on a small number of websites, then the issue is due to those sites' code instead of anything to do with AppGuard.

    The problem could be the website itself or the browser itself - or both.

    For example, all browsers will mis-behave on websites in which there is javascript that causes problems.

    Cyberfox did not like quite a few websites and mis-behaved (high CPU, sluggish) for at least 4 or 5 major version releases until the developer got it all sorted out.
     
  7. returniluser

    returniluser Registered Member

    Joined:
    Apr 5, 2011
    Posts:
    8

    Thanks, but the main issue is: what does it mean when Chrome tries incessantly -- sometimes 10 times in a row in a relatively short period of time -- to read the memory of Host Process for Windows Tasks? Appguard almost always only shows blocks to Chrome WRITING something to some location, but only rarely does this repetitive reading-from-memory message appear. Why would Chrome need to read the memory of Host Process for Windows Tasks in the first place? And why would it not give up trying? Is there any rational explanation for this? Perhaps there is; please enlighten this novice.
     
  8. hjlbx

    hjlbx Guest

    You'd be surprised that many programs do things that they do not need to... that's the way they were coded.

    Chrome is trying to read taskhost memory - that's all. Why the coders did that I have no idea... perhaps someone here might know. I'm not a Chrome user, but even if I was, I wouldn't even bother trying to find out.

    I know when I first started using AppGuard, I got all bent out of shape about block events - and tried to prevent them thinking something important was being blocked.

    Cyberfox, for example, will do such things over a period of a few hours or days, and then it will stop.

    Today I don't even look at the Activity Report very often - unless I am testing for BRN.

    There are a lot of block events for Chrome. Unless something is obviously broken, then just ignore them.

    Blocked events are no problem - nothing is detrimental to the system or something important isn't being blocked.

    A blocked event that causes an obvious breakage is the only block event that is important.
     
  9. returniluser

    returniluser Registered Member

    Joined:
    Apr 5, 2011
    Posts:
    8

    My computer and browser had worked fine up to that time and had never stalled while scrolling a webpage, and I'm almost certain I never saw the Prevented Chrome Reading Memory messages before that. Then all of a sudden all those particular log messages appeared repetitively all in a row, my browser stalled, and my computer (a tablet PC) got very warm and gave off a slight smoky smell through its USB port (it's a passively cooled computer), so there was some kind of obvious change and maybe a breakage.
     
  10. hjlbx

    hjlbx Guest

    Chrome is not a static program; it is often updated. There are many undocumented changes - plus many programs run specific tasks on a schedule. For example, some programs won't run a task for many weeks.

    You can remove Chrome as a Guarded App - and if the issue persists - then the issue is most definitely not caused by AppGuard.
     
  11. hjlbx

    hjlbx Guest

    At the request of Blue Ridge Networks the AppGuard Bug Tracker posts have been removed.

    I'd like to thank @JRViejo and @LowWaterMark for their assistance in removing them.

    I have submitted additional bug reports to BRN, reviewed any that were posted here by other Wilders members, reformatted them with reliable procedures to replicate, and have made sure everything was officially added to the internal BRN bug tracker.

    All the things that have been reported repeatedly are on the official BRN bug tracker. I can assure you, if it has been reported, then it has been added. For example, issues with the Activity Report WinAPIs, tray icon (race condition), mysterious block events (some of it is actually due to something as simple as a poor choice of wording\strings), an earlier start-up of the tray icon by implementing it as a service as opposed to using runonce, issues with services tampering, etc. It's a big list -- I know -- as I've reviewed it carefully with my own eyes.

    The bug that I most wish to establish a reliable procedure to replicate and add to the official bug tracker is any block events and\or blocked\failed soft installations with AppGuard in either Install or Off modes.

    If anyone can assist with definitively establishing this bug, it would be much appreciated...

    * * * * *

    As far as pen-testing AppGuard, the main focus will be on hardening AppGuard's various Guards. Essentially that will involve whatever improvements can be made to Allow User Space Launches - Guarded, resurrection of MBR protection, increased User Space file system and registry protections - without decreasing usability\increasing complexity.
     
  12. guest

    guest Guest

    BRN doesn't have a proper forum to post issues and bugs (and create a beta tester section as well) like other big vendors do; don't tell me a forum is hard to implement... Their support is extremely slow to react and report their findings to users, so they have to expect users posting those issues in security forums like here. At least we can share our issues with other users to confirm if it is a real issue/bug/flaw or just a localized issue.

    I can tell you that I could pinpoint the whereabouts of my issue by interacting with other users here faster than waiting for their support team's answers.

    Now they ask us to not post our problems publicly? Come on...

    No offense, but the few experienced users of AG here do a better and faster job than the BRN support team...
     
  13. hjlbx

    hjlbx Guest

    I think a dedicated BRN forum with a non-public, closed beta testing section is in BRN's future...

    Anyhow, the bug tracker I created included an easy method to target AppGuard - so I was very politely asked to remove it via an internal discussion.
     
  14. guest

    guest Guest

    A post of mine was removed too, no idea which one however...
     
  15. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    Thanks for your efforts in improving AG.
     
  16. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,872
    Location:
    Outer space
    I agree, this move from BRN is security through obscurity...
     
  17. hjlbx

    hjlbx Guest

    The info was removed so as to not provide any details for a malicious agent intent on targeting AppGuard; it was in everyone's best interest to take it down.

    Allowing the issue to remain publicly viewable was deemed as essentially making it "open source" and a needless security risk.

    The issue has been assigned a priority fix -- that doesn't mean it will be fixed tomorrow -- but it is intended to be fixed by the next release.
     
  18. guest

    guest Guest

    I experienced this too. Something related to the "Bug Tracker posts" maybe.
    What kind of posts are allowed now? Posts about "small problems", but not bug-reports? Nothing security-related? ... :cautious:
     
  19. hjlbx

    hjlbx Guest

    You can post whatever you wish.

    In this particular case, some details were present that were best removed.
     
  20. hjlbx

    hjlbx Guest

    When the Bug Tracker posts were removed, all connected user posts were auto-removed.

    I know what it looks like - as if people's posts were censored - but that is definitely not the case.

    A Wilders member has the right to post whatever they so choose within the rules at Wilders.

    The take-down of my Bug Tracker posts was at my own personal request - after carefully considering the security risk.

    The unintended consequence of the take-down was that any replies to any of those posts were also removed.
     
  21. guest

    guest Guest

    Ok, thanks for the detailed explanation
     
  22. XhenEd

    XhenEd Registered Member

    Joined:
    Mar 31, 2014
    Posts:
    536
    Location:
    Philippines
    I think you can do this, the Install thing, with IDM guarded and an installation file downloaded with it, just like what I did.
    Don't you think that IDM, an internet-facing application, shouldn't be guarded? IIRC, it was Pegr, himself, who suggested to include IDM in the Guarded apps list since it is an internet-facing application.
     
  23. hjlbx

    hjlbx Guest

    It is some kind of bug... I have to submit it.

    However, I am also talking about when someone downloads an installer but cannot install the app - e.g. downloads with a browser.

    I think it could be related. It will take some time, but I will get to the bottom of it...
     
  24. guest

    guest Guest

    These download managers are getting more and more features nowadays.
    "Site Explorer/Grabber", included Bittorrent client, "Flash Video Downloader", "Video Grabber", and they can even play video/sound files.
    But I only use one for simple downloading of some files (oldschool :D), and if I were to use some of the other features I would definitely guard it.
     
  25. lost24

    lost24 Registered Member

    Joined:
    Jan 2, 2009
    Posts:
    173
    Location:
    France
    Is there any way to save AG's settings? Thanks a lot.
     