AppGuard 4.x 32/64 Bit - Releases

I've escalated your question to a developer. What OS are you running?

 

Based on your previous post boasting about AppLocker (sorry can't locate it quickly), I asked our chief architect to weigh-in on AppLocker. He is very connected to Microsoft developers and is very knowledgeable about their security products. This is what he has to say about AppLocker and white listing in general:

We welcome white listing technologies such as AppLocker. Nevertheless, the type of rigid protection is too draconian protection even for the most conscientious enterprises that strive to implement locked down desktops. So, white listing solutions, looking great on paper, in practice, have failed to materialize due to the usability challenges they pose. But even if white listing solutions were to work flawlessly, the class of attacks that embeds malware in completely legitimate Microsoft documents, specially crafted RTF files or Adobe Acrobat reader files, easily defeats classical white listing, HIPS, and AV solutions. When such weaponized documents are opened by the corresponding white listed applications, the white listed applications are taken over by malware and such completely legitimate applications such as Adobe Acrobat Reader, MS Office applications themselves turn into malware. That is why AppGuard is designed to contain the white listed applications to prevent such applications from harming the system.

In another class of attack known as Advanced Volatile Threat, malware does not need to download DLL or EXEs. In a recent Internet Explorer 0-day case, IE itself taken over (when a user simply visits a contaminated Web site) and becomes the harvesting ground for the malware itself. That particular attack, undetected by traditional defenses like AV and HIPS, can create additional malicious code in-memory and perform lateral move to other white listed applications using completely legitimate Windows APIs defeating any defenses. AppGuard prevents the lateral move while white listing is defenseless as there is no DLL or EXE to intercept.

The last point about “Only that Applocker is better because it's system level protection, while Appguard is still program level”

This is incorrect: Applocker, like many white listing and HIPS, works at Window’s application layer (the statement calls in program level) Windows API interceptors. AppGuard’s main policy enforcement, isolation, containment is at the kernel space with some decisions are deferred to Window’s application layer.​

As a note AppLocker requires going forward Windows 8.x Enterprise edition only available for companies who can afford to sign special contracts with Microsoft. As a result, consumers and many companies will not have access to AppLocker.​

Though he may have misunderstood your statement about AppLocker being system level protection, I think his answer is very informative.

 

AppGuard has a kernel level component that does the policy enforcement.

 

Yes!

 

The "bug" doesn't seem to affect operation. I hope to get the development team to investigate today and if we determine that this warrants a quick patch release, we will try to get it out quickly.

 

I'm running Win7x64 Ultimate in a vmware guest. Thanks again, Barb!

 

Okay, thanks Barb.

 

Are you willing to try testing a patch release?

 

Sure, you can send it my way.

 

It may take till tomorrow. I'll post a PM when it is ready. Are you running 32 or 64 bit?

 

Under guarded apps, I set privacy mode to 'On' for Adobe Reader, but everytime after restart it goes back to 'Off'. Is this a bug ?

 

I've used Steam for buying a lot of my games, storing them there, and loading them from my online library. I haven't made any adjustments to AppGuard for Steam and so far haven't seen any conflicts between the two on my W7 x64 computer.

Considering that "75% of games bought online for the PC are downloaded through Steam", I hope AG development is aware of Steam. Please let us know if there are settings that need changing.

"Steam is an internet-based digital distribution, digital rights management, multiplayer, and social networking platform developed by Valve Corporation. Steam provides the user with installation and automatic updating of games on multiple computers, and community features such as friends lists and groups, cloud saving, and in-game voice and chat functionality. The software provides a freely available application programming interface (API) called Steamworks, which developers can use to integrate many of Steam's functions, including networking and matchmaking, in-game achievements, micro-transactions, and support for user-created content through Steam Workshop, into their products...

As of January 2014, over 3,000 games are available through Steam, which has 75 million active users. Steam has had as many as 8 million concurrent users as of June 2014. In October 2013, it was estimated by Screen Digest that 75% of games bought online for the PC are downloaded through Steam."
http://en.wikipedia.org/wiki/Steam_(software)

 

I do appreciate your explanation, and to be fair, some of the points you are trying to make sounds reasonable.

However:

1. Microsoft has many departments. So your chief architech has connections to the developers of what? And that doesn't mean anything. Windows is closed-source, if you tell us your chief architect technically knows how AppLocker works in detail, then someone at MS is in trouble. Obviously this did not happen.

2. Even I open a malware-embeded documents, RTF, DOCX or PDF, or whatever, under limited user account, what harm it can do, considering it only has limited privilege under a standard user account? I have EMET 5.0 installed which has default protection against such type of malware. EMET protects ms office, adobe acrobat and JAVA by default, and you can add other applications to its protection if you want. Will AppGuard do a better job in this case?

3. Regarding the AVT, isn't that the long existed memory-only malware? You are correct, Applocker itself probably will not be able to do anything against AVT. However, the lateral move you mentioned by such kind of malware requires privilege elevation, an action that any decent HIPS and firewall can block it, not to mention EMET. Yeah Appguard should also be able to do it, but the way you are saying it sounds like only Appguard can do it, which is not true.
Please see this post for more information:
https://www.wilderssecurity.com/threads/any-statistics-on-memory-only-malware.291756/#post-1819371

4. Your statement regarding Applocker is wrong: "This is incorrect: Applocker, like many white listing and HIPS, works at Window’s application layer".

No, not like other HIPS, Applocker is actually working under Windows kernel mode. Please refer to the last row in the table in this link: http://technet.microsoft.com/en-us/library/hh994614.aspx
Yeah Appguard is working at "Kernel space", but is that "Kernel space" = Windows kernel mode? Please confirm. I highly doubt it.

5. Your point of not everyone having access to Applocker is valid. Hence there are ppl using Appguard and other security products.

 

64 bit.

 

That doesn't sound good. Steam is in the same spot on my computer, c:\program files(x86)Steam. Can you tell me why Steam writing to its own folder isn't good programming? Does it create a vulnerability AppGuard wouldn't cover? Because of Steam's bad programming, do you think it would be safer not to use Steam?

 

Exactly. My experience too.

 

It's a billion dollar company with digital signatures. All games are checked before release. Steam can't install new games unless you set AppGuard in 'install mode' even when not set to Guarded. You're quite safe without Guarding Steam in other words.

Just to be safe you can use your normal Anti-Viral software to protect against threats (never happened that Steam spread malware in their entire history, they're a HUGE player on the market...).

 

Has anyone looked to see how many files it writes to in it's installation folder? Maybe you could Guard steam, and just make an exception in AG settings for the file/files it writes to. If it only writes to a few then that could be a viable option. If it writes to what ever you consider too many, or it creates new files in it's installation folder then you will have to use some other method. I never play games so I don't have to deal with that mess.

 

True about the install mode with Steam.

I've used Steam for years without any malware issues from them. But just to be sure, I'll keep an AV running (NOD32 these days) when Steam is on the computer. Thanks.

 

Item 1: I'm not even going to address this comment except to say: How do you know what arrangements we might have with Microsoft?
Item 2: I think AppGuard would do a better job (based on actual test results where AppGuard was tested head-to-head with EMET). Of course that test was done a year ago. Perhaps EMET has been improved since then.
Item 3: I don't think we've ever claimed that AppGuard is the only product to be able to something.
Item 4: This may be a misquote on my part. I usually have to take my expert's explanations and simplify them (no offense intended, well at least not to most of you) before I post them publicly. It's likely that I screwed things up in the translation. I'm getting clarification. I will also clarify if he meant Windows Kernel Mode but I would not doubt it.
Item 5: Finally, some agreement - Am I actually reading correctly?

 

From Microsoft: http://msdn.microsoft.com/en-us/windows/desktop/dn385721.aspx#windows_security_best_practices_test

Program Files folders

The app must be installed in the Program Files folder by default (%ProgramFiles% for native 32-bit and 64-bit apps, and %ProgramFiles(x86)% for 32-bit apps running on x64).

Note: The app must not store user data or app data in a Program Files folder because of the security permissions configured for this folder.​

 

Okay, it's looking more and more like there isn't a bug involved. Here is the latest explanation for seeing "phantom" PIDs being blocked by AppGuard:

This is an indication that these tasks may have been spawned temporarily and even in the kernel there is never a guarantee if a process name will be recovered fully.
​

I hate to admit, that is over my head, but I will try to find out more.

 

Clarifying as promised:

His original answer was in response to a statement that Oliverjia made: "Only that Applocker is better because it's system level protection, while Appguard is still program level." And I think that he was reacting more to what you were saying about AppGuard vs. AppLocker.

When I asked for further clarification from him he said:

I’d say 99% of Applocker is implemented at the app layer and maybe for some code load section for programs/DLL/SYS etc. at the kernel interception as some other White Listing products. In contrast, AG’s principle engine is in the kernel space.
​

Unfortunately he uses his phone to answer a lot of his email, so it's not always so clear (and why I often need to translate and maybe sometimes I misquote), but I think in this case, you get the gist of it (and I don't think that my misquote was that far off).

I also confirmed that AG's driver is in deed a kernel-mode driver.

My expert and I both have 20 years of experience developing security-related Windows products (yes we started back in the days of Windows 3.1, and now I guess you all know how ancient I am). His focus has been mainly at the system architecture and driver level while I have focused more on the application level and product management. Anyway, between his contacts at Microsoft and his knowledge of Windows and his examination of AppLocker, I would trust what he is saying. Oliverjia, may not trust his opinion, but I certainly do.

Oliverjia, perhaps your resume is even better than ours (feel free to post it), but can we just stop this nonsense? If you would only stop making false statements about AppGuard I would be happy.