AppGuard 4.x 32/64 Bit - Releases

Discussion in 'other anti-malware software' started by Jryder54, Oct 29, 2013.

Thread Status:
Not open for further replies.
  1. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I second Cutting_Edgetech's comments. Give us answers to his questions and then we can help you.

    Pete
     
  2. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    It's best to uninstall AG when connected to the internet because it contacts BRN servers to tell them that the license is no longer being used on that computer, so it frees up that license to be used again on a different computer, or on the same computer at a later date. I have forgotten to uninstall AG before when rolling back my machine to an image from before installing AG, and all I had to do was send Barb an email with my license information and a very brief description of what I had done. I actually did that twice this year, and she reset my license within 20 minutes.
     
  3. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Well, I'm really retiring now, lol. Good night, or good day depending on where you are in the world :)
     
  4. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Cutting_Edgetech

    You mention in a post about Adobe Flash being added automatically. I am not seeing that nor can I figure out where to add it from. Can you please explain.

    Thanks,

    Pete
     
  5. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,207
    I was wondering about this also a few days ago. The latest Flash player is installed on my PC in this folder:
    C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_14_0_0_179.exe .

    It is not selectable from the program list, but I think you can Browse... to it. However, I am not sure it needs to be added as a guarded application, as it is started by Firefox, so it should also be guarded as a child app?

    Anyways I have not added it yet.

    EDIT:
    Just added it. It is somewhat of a bother that the filename changes with each Flash update. Now there are 3 programs where I have to update it: as a TinyWall exception, in Sandboxie in both Start/Run and Internet access restrictions on my Firefox sandbox, and then here in AG. Well, I am for sure not the only one who gets annoyed by the Flash updates ;)
     
    Last edited: Sep 2, 2014
  6. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Jarmo

    You are correct, it is only started by the browsers, so indeed it is guarded.

    Pete
     
  7. savalnc

    savalnc Registered Member

    Joined:
    Oct 17, 2013
    Posts:
    53
    Thank you. Very useful! I'm using AppGuard alongside Emsisoft Anti-Malware. I also added Nitro PDF manually as suggested. Just have a few questions:

    1. Do I have to add every program I use regularly to the Guarded Apps list (CCleaner, VMware workstation)?
    2. When changing the protection mode to Install, does that mean I will have no protection?

    There are no conflicts or broken functionality with other apps in Medium mode protection.
    What I've done so far with AppGuard is change the mode to Install when trying to install some software, as I was getting some errors doing so in Medium mode, like couldn't write to registry or open (normal, I guess).

    This is a photo of my config (default, except for adding Nitro to the list):

    pic1.jpg

    Other options are default too.

    Thanks again.
     
  8. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Okay, I would definitely add Nitro to that list. A couple of other thoughts.

    1. Depending on how you use Outlook, you could go into settings and make sure where you keep private data is on that list with the setting on privacy (no exceptions). Then go back to guarded apps and set privacy on. This will keep Outlook out of your private data. Sometimes I need to access my files from within Outlook, so I temporarily turn off the privacy and then turn it back on.

    2. Something else I do, since I also run VMware Workstation, is I added all the VMware apps to the guarded list. That way MemoryGuard protects from memory leaks to and from the host to the VM.

    Pete
     
  9. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
  10. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Rasheed

    Get hold of Sysinternals Process Guard and run it normally, and then run it guarded in AppGuard. You will see what reading memory vs blocking it can do.

    Pete
     
  11. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    Not a risk to the PC, but maybe a risk to the user of identity or data theft if there happened to be sensitive data residing in the memory of a process that could potentially be harvested by reading its memory.
     
  12. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,873
    Location:
    Outer space
    1. You should add every program that handles/opens content from untrusted sources such as the internet or removable drives: browsers, PDF readers, Java, media players, image viewers, etc. VMware might also be a good idea. I can't think of a reason for CCleaner, and that will probably break its functionality.
    2. Yes, so it would be advisable to close other Guarded Apps before setting it to Install.

    Do you mean adding every .exe in the VMware\VMware Workstation\ folder?
     
  13. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    1. You only guard applications that should not be trusted. This includes Internet-facing applications and applications that load data files with the potential to contain embedded code: office applications, document readers, media players, etc. You shouldn't guard trusted applications, such as other security programs and system utilities, as they may not work properly if you do.

    2. AppGuard will not protect you if you run a malicious executable with the protection level set to Install. That's why you should be careful to ensure that you only download official vendor-supplied software from reputable sources and check that executables are clean before running them. AppGuard should not be used as the sole means of protecting a system and is best deployed as part of a layered security setup.
     
  14. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Basically yes. I think there were about six of them.
     
  15. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Rasheed, who was it that said the memory protection offered by AG is nothing special because almost all HIPS offer the same memory protection? It seems like 3 different users were saying this. I confirmed with Emsisoft that Online Armor's memory protection is not the same. I'm not saying AG's memory protection is better than OA's; I'm just pointing out they are not the same. I will look at Comodo's memory protection next. I think maybe Comodo's is closer to what AG offers. Are you still using a HIPS? If so, which one? This thread also has some good information about configuring OA's HIPS to protect web applications from exploits. http://support.emsisoft.com/topic/15469-oas-physical-memory-access-hips-component-question/

    The way I understand AG memory protection is that it works in conjunction with other AG policies to sandbox applications allowed to run. AG does not allow guarded applications to read/write the memory of other applications. It is a very simple concept to me. I'm no security expert, but I think it is needed. The memory protection has caused no problems on my machines.
     
  16. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I will have to get back to you, Pete, about Adobe Flash. I'm looking into it myself right now. I thought it automatically added it to the Guarded Apps list. I see blocked events from Adobe Flash always showing up in the event log. It may not need to be added at all. If it does, then I need to figure out the best method for doing it. Adobe does not always install to the same directory, depending on the type of installation and the user's OS.
     
  17. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    I was specifically talking about code injection; just about all HIPS protect against that. Reading process memory is something else, and Fabian Wosar basically answered my question in the thread you linked to: normally it can cause problems if you block this, but apparently AG has found a way not to?

    Also I've read that M$ has designed Win 7/8 in a way that you can not read memory from important OS processes. And BTW, access to "physical memory" is also not allowed since Win Vista. And to answer your last question directed to Fabian: no, it will not mitigate exploits. :)
     
  18. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    You probably mean Process Explorer, but yes, I know that some legitimate tools will not be able to function correctly if you block read access to memory. The question is: which malware is using this technique, and does it make sense to protect against it. :)

    I'm sorry, but it sounds a bit vague to me. I wonder if it can be used by malware to steal passwords and cookies, for example.
     
  19. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I have a good friend who can answer a lot of your questions. His name is Google. I find a lot of interesting info on the subject, so you can find it too.

    There are some interesting articles about the threats that are memory only.
     
    Last edited: Sep 2, 2014
  20. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    @ Peter2150

    This may come as a surprise, but you can not find everything online, so that's why I'm asking over here; I'm sure that Barb_C can give some more info. So far I have only read about POS malware, but I haven't managed to figure out if it can also be used by banking trojans, for example. BTW, an example of stuff you (or I) can not find: how do anti-exploit tools implement "exploit mitigations"? I had to ask a developer. :)
     
  21. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    That's why I was asking who it was that said that. There are several posts on this forum that specifically state that the memory protection method being used by AG is the same that almost all HIPS have been using for some time now. I'm not going to waste my time going back and reading all those posts. Online Armor's is not the same, and that's a fact. It's not my opinion. When I have time I will look at Comodo, Private Firewall, and Outpost. If they are the same, then it's not really that big of a deal to me. I only want to report the facts.
     
  22. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I have googled the he%% out of threats that only infect the memory, and what I have found is that they are pretty rare. It makes sense though, because at some point the exploit would need to drop an executable somewhere, or it could only do harm until the user reboots. I don't think it would survive a reboot. If I'm wrong, then give me some literature on it so I can read more about it myself. I found one page that listed some documented exploits that only infected the memory, but it only lists a handful for the past 10 years. I would like to see a complete list. If that was the complete list for 10 years, then we don't have much to worry about, lol.
     
  23. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    @ Cutting_Edgetech

    You're making too big a deal out of this. I already explained that protection against "code injection" is the most important thing. Even the POS malware can probably not do any damage if it only reads memory without injecting code. I also said that on Win XP you had HIPS like AntiHook, ProSecurity and Process Guard which had protection against writing into/reading from memory. On Win 7/8, not all HIPS offer both features, but Kaspersky, Comodo and SpyShelter all claim to do so.

    And the only reason why it ended up being such a lengthy discussion is because some members claimed that "Memory Guard" protects against exploits in the same way that MBAE and EMET do, and that is just not correct. But different definitions of the word "exploit" also played a role in it. :)
     
  24. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Some of those that are more knowledgeable with exploits should be recommending some exploit mitigation methods that would work well with AG. You never know, maybe BRN will integrate some additional security into AG. I've been testing AG since 2007, and they have always been very reasonable when it comes to listening to their beta testers. Surely there are a handful of exploit mitigation methods that could be integrated into AG to cover the areas that AG falls short in. Constructive criticism and ideas are always welcome.
     
  25. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Well, I described AG memory protection as facilitating containment, but there are a few members here that do not understand the difference.
     