What is AppGuard

Discussion in 'other anti-malware software' started by trjam, Jan 26, 2009.

Thread Status:
Not open for further replies.
  1. trjam (Registered Member)

    And is it any good? Well, there is this, and this, and this, and from the looks of things I could go on and on. I would say it is worthy of a "hard" look. :thumb:
  2. Kees1958 (Registered Member)

    Well, AppGuard's features in a nutshell:
    1. Runs the listed programs
    - in a limited user environment (XP-like), plus
    - all programs and ActiveX controls spawned (started) by those programs
    - protects the HKEY_CURRENT_USER Run and RunOnce keys

    2. Starts all programs from My Documents (as long as you do not move this) with limited user rights

    3. Blocks executables on USB sticks/drives

    It uses a different protection mechanism than the DRM (which can in theory be evoked in XP when running as Admin or Power User), and allows you to run as Admin.

    Offers a 5-minute protection break (so you can install programs).

    Interesting for any user currently not using a policy sandbox (like GW or DW). It requires nearly zero user intervention, so I would recommend it to any user currently running only an AV, or a simple FW with an AV. It could also be an add-on for someone using an AV + behaviour blocker combo. Possibly also a good security extension for Sandboxie users.

    Way to go:
    - make the locations of My Documents, Movies, Pictures, etc. configurable
    - improve compatibility with some other security programs

    Cheers
  3. Eirik (Registered Member)

    Let me see if I can make Kees1958's characterization even better:

    Extremely low CPU usage.

    We want average users to forget AppGuard is there, because it is so quiet. And we want it to cause as little confusion to users as is practical. That means sparing them from having to make security decisions as best we can.

    AppGuard also prevents guarded applications from altering HKLM registry keys. We're looking to protect other HKCU keys that do not result in an unacceptable experience for the typical novice user.

    All restrictions on a guarded application are applied to any executable or ActiveX control spawned by a guarded application.

    What we call 'Drive-by Download Protection' means that all executable launches from user-space (i.e., \Documents and Settings\user_login, which includes 'My Documents', 'Desktop', etc.) are suppressed, unless such an executable is 'guarded'.

    The restrictions on guarded applications are enforced by intercepting file system actions rather than by manipulating the token issued to the process by the operating system.

    End-users can SUSPEND protection/guarding: drive-by download protection, USB malware protection, or any individual guarding of an application. The user does not have to remember to re-enable it; it does so in 5 minutes by default.

    More features are on the way. We're listening!

    Cheers,

    Eirik
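    The launch, registry and suspend rules that Kees1958 and Eirik describe above, written out as a small Python policy model. This is an added example for this thread, not AppGuard's own code or anything published by Blue Ridge; it models only the decisions, not the kernel driver that intercepts file system actions. The XP profile path, the USB drive letter, the guarded application list and the launch sequence in `demo()` are all constructed assumptions. Note how a process spawned by a guarded application inherits its guarding even when it lives under Program Files, while a payload dropped into the user profile cannot be launched at all unless drive-by protection is suspended, and how the suspension lapses by itself after five minutes.

```python
"""Toy model of the guarding rules in the two posts above: an added example,
not AppGuard's own code.  The profile path, drive letter, guarded-app list and
the launch sequence in demo() are all constructed for illustration."""
from __future__ import annotations

import ntpath
import time
from dataclasses import dataclass

USER_SPACE = r"C:\Documents and Settings\alice"   # assumed XP profile
REMOVABLE_DRIVES = {"e:"}                          # assumed USB drive letter
GUARDED_IMAGES = {                                 # assumed default guard list
    r"C:\Program Files\Internet Explorer\iexplore.exe",
    r"C:\Program Files\Outlook Express\msimn.exe",
}
HKCU_RUN_KEYS = (
    r"hkcu\software\microsoft\windows\currentversion\run",
    r"hkcu\software\microsoft\windows\currentversion\runonce",
)
SUSPEND_SECONDS = 300  # "it does so in 5 minutes by default"


def _norm(path: str) -> str:
    return ntpath.normpath(path).lower()


def _under(path: str, root: str) -> bool:
    return _norm(path).startswith(_norm(root) + "\\")


def _norm_key(key: str) -> str:
    k = key.lower().rstrip("\\")
    return k.replace("hkey_local_machine", "hklm").replace("hkey_current_user", "hkcu")


@dataclass
class Process:
    pid: int
    image: str
    guard_root: str | None  # the listed app this process is, or descends from


class GuardPolicy:
    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.procs: dict[int, Process] = {}
        self.suspended: dict[str, float] = {}  # feature -> time it resumes
        self.blocked: list[str] = []

    def suspend(self, feature: str, seconds: float = SUSPEND_SECONDS) -> None:
        """Pause 'drive-by', 'usb' or 'guard:<image>'; it resumes by itself."""
        self.suspended[feature] = self.clock() + seconds

    def _active(self, feature: str) -> bool:
        return self.clock() >= self.suspended.get(feature, float("-inf"))

    def _deny(self, what: str) -> bool:
        self.blocked.append(what)
        return False

    def launch(self, pid: int, image: str, parent_pid: int | None = None) -> bool:
        """Decide a process start; guarding is inherited from a guarded parent."""
        listed = _norm(image) in {_norm(g) for g in GUARDED_IMAGES}
        parent = self.procs.get(parent_pid)
        if not listed and _under(image, USER_SPACE) and self._active("drive-by"):
            return self._deny(f"drive-by: {image} launched from user-space")
        if _norm(image)[:2] in REMOVABLE_DRIVES and self._active("usb"):
            return self._deny(f"usb: {image} launched from a removable drive")
        root = image if listed else (parent.guard_root if parent else None)
        self.procs[pid] = Process(pid, image, root)
        return True

    def _restricted(self, pid: int) -> bool:
        p = self.procs[pid]
        return p.guard_root is not None and self._active("guard:" + _norm(p.guard_root))

    def registry_write(self, pid: int, key: str) -> bool:
        """Guarded processes may not touch HKLM, nor the HKCU Run/RunOnce keys."""
        if not self._restricted(pid):
            return True
        k = _norm_key(key)
        if k == "hklm" or k.startswith("hklm\\"):
            return self._deny(f"pid {pid}: {key} (HKLM)")
        if any(k == r or k.startswith(r + "\\") for r in HKCU_RUN_KEYS):
            return self._deny(f"pid {pid}: {key} (HKCU Run/RunOnce)")
        return True


def demo() -> dict[str, bool]:
    """Constructed launch sequence; returns every decision so it can be checked."""
    now = [0.0]                                   # fake clock, advanced by hand
    pol = GuardPolicy(clock=lambda: now[0])
    r: dict[str, bool] = {}
    r["ie"] = pol.launch(100, r"C:\Program Files\Internet Explorer\iexplore.exe")
    # the browser drops a payload into the profile and tries to run it
    r["dropped_exe"] = pol.launch(101, USER_SPACE + r"\Local Settings\Temp\setup.exe", 100)
    # a helper under Program Files may start, but inherits the browser's guarding
    r["helper"] = pol.launch(102, r"C:\Program Files\Adobe\Reader\AcroRd32.exe", 100)
    r["helper_hklm"] = pol.registry_write(102, r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run")
    r["helper_hkcu_run"] = pol.registry_write(102, r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\upd")
    r["helper_hkcu_prefs"] = pol.registry_write(102, r"HKCU\Software\Adobe\Acrobat Reader\Prefs")
    # an autorun-style executable on a USB stick, started by the unguarded shell
    r["usb"] = pol.launch(103, r"E:\autorun\setup.exe")
    # an unlisted application started normally is not restricted at all
    r["unlisted"] = pol.launch(200, r"C:\Program Files\WinZip\winzip32.exe")
    r["unlisted_hklm"] = pol.registry_write(200, r"HKLM\SOFTWARE\WinZip")
    # the user suspends drive-by protection to install something; it lapses on its own
    pol.suspend("drive-by")
    r["install_during_suspend"] = pol.launch(300, USER_SPACE + r"\My Documents\installer.exe")
    now[0] += SUSPEND_SECONDS + 1
    r["install_after_expiry"] = pol.launch(301, USER_SPACE + r"\My Documents\installer.exe")
    return r


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:24} {'allow' if allowed else 'BLOCK'}")
```

    Running the block prints one allow/BLOCK line per decision. The per-application suspend works the same way as the drive-by one: `pol.suspend("guard:" + image)` lifts the HKLM and Run-key restrictions for that listed application and everything it spawned, until the deadline passes and `_active()` turns true again.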
  4. Hugger (Registered Member)

    Eirik,
    I have a question about the behavior of AppGuard.
    Last night Avira Premium downloaded its update and I went to do a scan.
    As soon as the scan started, XP Pro shut down and I got the blue screen saying that I had a problem.
    I rebooted and removed AppGuard. After removing it I was able to run my AV scan.
    I'd like to install the program again, but wanted to ask first if there might have been a problem that I don't know about, or if I had done something wrong.
    Regards.
    Hugger
  5. jmonge (Registered Member)

    On one of my PCs I am running AppGuard with ThreatFire Pro with no problems, very fast ;) I wonder if anyone has tried running it with Mamutu :)
  6. Eirik (Registered Member)

    Hugger, I've notified customer support of your observation. I apologize for your inconvenience.

    Eirik
  7. jmonge (Registered Member)

    I tried with Avira Free yesterday as well, and it was all fine here, for the updates too; it was the free version :D of Avira.
  8. Hugger (Registered Member)

    Thanks for the quick reply.
    I went ahead and installed AG again.
    Hugger
  9. jmonge (Registered Member)

    What I did was install Avira first and then AppGuard ;) All was OK :thumb:
  10. Hugger (Registered Member)

    I'm doing an AV scan of XP Pro right now with no problems. Everything is the same as it was yesterday, except that today I didn't get the blue screen of misery.
    @jmonge - AG works well with Mamutu on my machine.
    @Eirik - if you ever figure out what happened with this, please let me know.
    Thanks.
    Hugger
  11. jmonge (Registered Member)

    Thanks, I am running it with ThreatFire Pro and it is good so far ;)
  12. Hugger (Registered Member)

    I just took a look at Windows Event Viewer.
    It shows 'error crypt32, category none, event 8'.
    I don't know if it's related, but it's there.
    Hugger
  13. danny9 (Departed Friend)

    I was running Avira Premium when I installed AppGuard.
    There have been no conflicts or problems with either. :D
  14. Sully (Registered Member)

    So, EdgeGuard Solo seems to be a list of apps to guard. It seems as if it starts them as Basic User, or protects them in the same way? Is AppGuard basically the same, where you assign your files to protect? Is protection then actually protecting the integrity of the .exe? Or, as I said, limiting what the .exe can do, as in demoting it, AKA DropMyRights, AKA SRP/Basic User?

    If so, what are the benefits of using this over just using the SRP built into the OS?

    Inquiring minds want to know ;)

    Sul.
  15. jmonge (Registered Member)

    It protects your browser against exploit attacks (ActiveX vulnerabilities).
  16. Kees1958 (Registered Member)

    I reckon a solution of AppGuard, ThreatFire Free (with an outbound custom rule) and Avira Free would provide very strong security with few pop-ups.

    Eirik

    Forgot to tell you that you should add Outlook Express to the default program list in AppGuard.

    Cheers
  17. Fuzzfas (Registered Member)

    It's also useful for adding P2P programs, if any, to the AppGuard list, just in case they have some exploit. I have tried both torrent and eMule and both work fine under AppGuard. You can also add simple files from P2P temporarily, just to see if they will run OK or not. If you get an alert from AppGuard, maybe it wasn't as innocent as you thought.

    Indeed, indeed! :thumb:
    Last edited: Jan 28, 2009
  18. Eirik (Registered Member)

    I'll answer this below.

    AppGuard is a superset of EdgeGuard Solo's capabilities. EdgeGuard Solo, when installed, starts with a clean slate. There are no applications listed in the 'guard' list. AppGuard includes many by default. If any of those applications are not present on the host, there are no ill effects from having them included in the 'guard' list.

    AppGuard also provides drive-by download and USB malware protections. AppGuard gives advanced users insight into what is happening, via Windows Log Events. Businesses can remotely configure and retrieve log events, but do not have to employ yet another management system. The AppGuard driver is a bit more advanced too.

    Neither EdgeGuard Solo nor AppGuard alters the token issued to a process (i.e., application) by the operating system, as is done by DropMyRights. We experimented with this approach with something we called TokenGuard. We found it brittle.

    Some applications refuse to operate if they do not have the permissions they demand, such as Microsoft Office when the host is operating with admin rights, or QuickTime Player (I don't believe this has changed, but this observation is over a year old). So, engineering came up with a "mechanism" (don't ask, please) for overcoming this challenge from applications demanding risky privileges.

    AppGuard and EdgeGuard Solo employ a driver that intercepts what I like to call file system actions (this relieves me from mis-stating actual terms ;) ). This driver gives AppGuard much greater flexibility than token manipulation.

    Rather than get more specific, let me just say that many familiar applications interact with the rest of the host in a manner not recommended by Microsoft's operating system best practices. Some familiar applications actually misuse APIs, which allows them to operate okay but makes securing a PC more complex. The lean driver in AppGuard gives us the flexibility to overcome these and other challenges.

    See above.

    This subject matter is tough stuff. I hope I've answered your questions. If not, please follow up with more.

    Cheers,

    Eirik
  19. GES/POR (Registered Member)

    So basically AG is kind of like DW, in the sense that it gives strong HIPS protection out of the box without any hassle, and enough room to tweak/crank **** up for the expert user?
  20. Kees1958 (Registered Member)

    Another benefit of AppGuard could be, for XP users, that Software Restriction Policy under XP could be evaded by a PoC when you have not also disabled null shares.

    Vista does not have this problem.

    Although I have read about this PoC only once (somewhere, I can not recall where), I thought it was by EPXoff. This PoC consisted of two parts which proved it was theoretically possible (but did not actually break SRP).

    Cheers, Kees
  21. trjam (Registered Member)

    Well yeah, but maybe without the poop part. :cautious: ;)
  22. trjam (Registered Member)

    Let me add, it looks to be a pretty impressive executive team at Blue Ridge that you are a part of.

    Blue Ridge Networks
  23. Eirik (Registered Member)

    The purpose of AppGuard is to stop most malware attacks but without confusing or annoying users, even very novice ones. So, AppGuard is not focused on enabling power-users to customize policy rules. There are many tools out that provide total command and control over a PC with extreme customization capabilities. AppGuard is not looking to compete with those. We may open up AppGuard for some user-tweaking. But, those future capabilities would have to be implemented in a manner that the novice users would not be confused or intimidated, perhaps a drill-down 'advanced' GUI area. All that said, we're listening to our users.

    Eirik
  24. firzen771 (Registered Member)

    Can someone post screenshots of AppGuard, please?