AppGuard 4.x 32/64 Bit - Releases

Discussion in 'other anti-malware software' started by Jryder54, Oct 29, 2013.

Thread Status:
Not open for further replies.
  1. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,538
    Location:
    Sweden
    Thank you!
     
  2. hjlbx

    hjlbx Guest

  3. guest

    guest Guest

    hum hum... and be very patient :D

    @hjlbx typo on the link :D
     
  4. hjlbx

    hjlbx Guest

  5. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,538
    Location:
    Sweden
  6. guest

    guest Guest

    Very very very slow support lately (mailed 2 persons), more than a week waiting to unlock my licenses... seems they are very busy fixing the findings of @hjlbx :p
     
  7. hjlbx

    hjlbx Guest

    From what I understand a bunch of staff are on vacation during August. That's probably the reason for slow support...
     
  8. guest

    guest Guest

    I see; anyway, their licensing system is inappropriate for testers like us, we should have unlimited activations...
     
  9. hjlbx

    hjlbx Guest

    I agree. It's a quirky licensing scheme.
     
  10. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,538
    Location:
    Sweden
    On my AppGuard 3.x license I've activated it so many times! I think Barbara told us back then that as long as we uninstall AppGuard properly, the activation will be subtracted from the limit of activations.
     
  11. guest

    guest Guest

    In theory, you are right; in practice a tester may not be able to do that, because we are more exposed to unbootable systems which may need a clean install right away...
     
  12. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,538
    Location:
    Sweden
    I forgot exactly how "Private" directories work.

    I have my OneDrive directory set to "Private" and only OneDrive.exe in my Guarded Apps list is set to "Privacy = No". The rest of the Guarded Apps are set to Privacy = Yes. That means all other Guarded apps are denied access to my OneDrive files except OneDrive itself, correct?

    Now, imagine this scenario based on my settings:

    1) I download *.exe. The file is digitally signed and my protection level is set to "Protected". That means AppGuard will run the .exe which is digitally signed as Guarded, correct? And all non-signed .exe-files will be denied?

    2) Are all unknown (digitally signed) files that are allowed to launch as Guarded, executed with the flag set to Privacy = Yes so that they cannot access my Private folders (in this case OneDrive-directory)? Or are they launched with memory guard only?
     
  13. hjlbx

    hjlbx Guest

    Yes. Correct.

    Yes. Correct.

    Executed Guarded, MemGuarded and Privacy (YES); in other words full protections.

    However, Locked Down and Protected modes should block execution of unsigned files and loading of *.dlls (process dependent) from User Space.

    You have to execute unsigned files manually using "Allow User Space Launches - Guarded" or exclude them from User Space (NO) [create an exception].

    If you create an exception for a User Space program, it is NOT equivalent to adding it to System Space; some level of Guarding and MemGuarding will still be applied. For example, if an unsigned program is excluded from User Space, then if it executes a Guarded App then the remainder of the run sequence should be Guarded from the moment the Guarded App is executed. Same vice-versa. Details on this are sort of sketchy since I submitted a bug pertaining to it...
     
  14. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,538
    Location:
    Sweden
    Thank you! Especially the bit where you clarified that "Allow User Space Launches - Guarded" still sets 'Privacy = Yes' flag on the executed file!

    That means all digitally signed files that are not on my 'Guarded' list and the exceptions "Allow User Space Launches - Guarded" cannot access my private folders when I execute them.

    Again, many thanks!
     
  15. hjlbx

    hjlbx Guest

    If you use either of those options, if they turn out to be ransomware, then they will encrypt User Space files and\or the MBR (e.g. Petya, Satana).

    I wouldn't use "Allow User Space Launches - Guarded" without light virtualization (Shadow Defender, Sandboxie or VM) or rollback (Rollback Rx Home or Reboot Restore Rx).

    Using User Space Launches - Guarded incorrectly will result in a messy clean-up of User Space and could encrypt your data if you are not disciplined about saving files to Private Folders.
     
  16. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,538
    Location:
    Sweden
    Agreed. The scenario I made up was simply a way for me to make sure I got an accurate answer to the knowledge I was searching for. I'm sure there are ways to bypass even the protection of AppGuard, hence layered protection is essential, just as you describe it!
     
  17. hjlbx

    hjlbx Guest

    Locked Down mode - and don't use "Allow User Space Launches - Guarded" w\o virtualization or snapshot\rollback capability.

    AppGuard protects data loss by blocking malicious process execution.

    Virtualization \ snapshot-rollback restores the system to a clean state.

    Winning combination...
     
  18. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,538
    Location:
    Sweden
    I'm not really worried about my OS in general, but specific files. I've used Sandboxie with AppGuard for a few years and they were a great team.

    ... if I get infected I'd wipe my PC and re-install Windows. I back up all important personal files on a "cold drive" and OneDrive anyway. :)

    Do you by any chance have a list of additional system processes I could add as 'Guarded' without breaking the OS? I've 'Guarded' nearly all 3rd party applications (except one that isn't facing the Internet).
     
  19. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,538
    Location:
    Sweden
    Why would I add them to User Space instead of just Guarding them? My protection level is 'Protected' - won't the files be Guarded either way? I suspect my knowledge is lacking here.

    Executed from User Space (the way you suggest by setting the files to User Space) = Guarded
    Set as Guarded = Guarded
     
    Last edited: Aug 11, 2016
  20. hjlbx

    hjlbx Guest

    It is additional protection against damage to User Space and registry (e.g. HKCU for fileless malware like Poweliks, Kovter) when a file is executed Guarded from User Space. In essence, it blocks the run sequence if any of the vulnerable processes shipped with Windows is abused. And the vast majority of the time, vulnerable processes aren't used legitimately by malicious files.
     
  21. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,538
    Location:
    Sweden
    Yes, but what is the difference from when I add the same process to the 'Guarded' list in 'Protected mode'-level? The process will be Guarded either way. It's just two ways of 'Guarding' the .exes?

    Also, BIG thanks for the list of processes!
     
  22. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,538
    Location:
    Sweden
    Did I add them correctly with the wildcard and all?

    I take it as it is better to add applications to User-Space when in Locked-down mode so they never start, but when I'm running in Protected Mode it won't make a difference? Processes will be Guarded either way I use 'Guarded' tab or 'User-space' tab?
     

    Last edited: Aug 11, 2016
  23. hjlbx

    hjlbx Guest

    Yes. c:\windows\*\vulnerable_process.exe saves a lot of time using the wildcard.
     
  24. hjlbx

    hjlbx Guest

    Either way works. Adding vulnerable processes to User Space (YES) would just stop a browser exploit run sequence earlier - that's all. Also, it makes sense if you execute a lot of unknown files from User Space. It just adds an additional layer of protection.

    Why allow an unknown process to run in the first place? It might result in clean-up of User Space and\or missing User Profile files.
     
  25. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,538
    Location:
    Sweden
    Can wildcards be used widely?

    Like *Regsvcs*: will AppGuard Guard every file named Regsvcs as if it was in User-Space, and not just the particular .exe I could've added after the string?
     
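Added example, not AppGuard's code and not from anyone in this thread: a small Python script that compares how many sample paths a narrow rule like c:\windows\*\regsvcs.exe covers versus a broad one like *regsvcs*. It assumes plain glob semantics where * spans directory separators and matching is case-insensitive; AppGuard's actual matcher is not documented here, and the sample paths are constructed.

```python
r"""Added illustration (not AppGuard's code): how much of a file system a
path wildcard covers under ordinary glob semantics. Assumption: '*' matches
any run of characters, including backslashes, and case is ignored.
AppGuard's own matching rules are not documented here."""
import fnmatch

# Constructed sample of paths as they might appear on a Windows system.
SAMPLE_PATHS = [
    r"c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe",
    r"c:\windows\microsoft.net\framework64\v4.0.30319\regsvcs.exe",
    r"c:\windows\system32\regsvr32.exe",
    r"c:\users\alice\downloads\regsvcs_notes.txt",
    r"c:\users\alice\downloads\setup.exe",
    r"c:\program files\vendor\regsvcs.exe",
]


def matches(pattern, path):
    """Case-insensitive glob match; '*' may span directory separators."""
    return fnmatch.fnmatchcase(path.lower(), pattern.lower())


def covered_by(pattern, paths=SAMPLE_PATHS):
    """Return the subset of paths a rule with this pattern would apply to."""
    return [p for p in paths if matches(pattern, p)]


def scope_report(patterns, paths=SAMPLE_PATHS):
    r"""Map each pattern to the paths it covers, so a narrow rule such as
    c:\windows\*\regsvcs.exe can be compared with a broad one like *regsvcs*,
    which also sweeps in unrelated files outside the Windows directory."""
    return {pat: covered_by(pat, paths) for pat in patterns}


if __name__ == "__main__":
    report = scope_report([r"c:\windows\*\regsvcs.exe", "*Regsvcs*"])
    for pat, hits in report.items():
        print(pat, "covers", len(hits), "of", len(SAMPLE_PATHS), "sample paths")
        for hit in hits:
            print("   ", hit)
```

Under these glob assumptions the broad pattern also matches a .txt in a user's Downloads folder and a third-party regsvcs.exe under Program Files, which is the over-matching a reviewer would want to check before using a pattern that starts and ends with *.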