What is AppGuard

Discussion in 'other anti-malware software' started by trjam, Jan 26, 2009.

Thread Status:
Not open for further replies.
  1. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    8,939
    Location:
    North Carolina
    And is it any good? Well, there is this, and this, and this, and from the looks of things, I could go on and on. I would say it is worthy of a "hard" look. :thumb:
     
  2. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Well, AppGuard features in a nutshell:
    1. Runs the listed programs
    - in a limited user environment (XP-like), plus
    - all programs and ActiveX spawned (started) by those programs
    - protects HKEY_CURRENT_USER Run and RunOnce keys

    2. Starts all programs from My Documents (as long as you do not move this) with limited user rights

    3. Blocks executables on USB sticks/drives

    It uses a different protection than the DRM (which can be theoretically evoked in XP when running as Admin or Power User) and allows you to run as Admin

    Offers a 5-minute protection break (so you can install programs)

    Interesting for any user currently not using a Policy Sandbox (like GW or DW). It requires nearly zero user intervention, so I would recommend it to any user currently running only an AV, or a simple FW with AV. It could also be an add-on for someone using an AV + Behaviour blocker combo. Possibly also a good security extension for Sandboxie users.

    Way to go
    - make where My Documents, Movies, Pictures, etc. are located configurable
    - improve compatibility with some other security programs

    Cheers
     
  3. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    Let me see if I can make Kees1958's characterization even better:

    Extremely low CPU usage.

    We want average users to forget AppGuard is there, because it is so quiet. And, we want it to cause as little confusion to users as is practical. That means sparing them from having to make security decisions as best we can.

    AppGuard prevents guarded applications from altering HKLM registry keys also. We're looking to protect other HKCU keys that do not result in an unacceptable experience to the typical novice user.

    All restrictions to a guarded application are applied to any executable or ActiveX control spawned by a guarded application.

    What we call 'Drive-by Download Protection' means that all executable launches from user-space (i.e., \Documents and Settings\user_login, which includes 'My Documents', 'Desktop', etc.) are suppressed, unless such an executable is 'guarded'.

    The restrictions to guarded applications are enforced by intercepting file system actions rather than manipulating the token issued to the process by the operating system.

    End-users can SUSPEND protection/guarding: drive-by download protection, USB malware protection, or any individual guarding of an application. The user does not have to remember to re-enable, it does so in 5 minutes by default.

    More features are on the way. We're listening!

    Cheers,

    Eirik
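    To make the rules from Kees1958's summary and Eirik's post above traceable, here is an added toy policy model (not AppGuard's code, which is a kernel driver): a guarded-app list with inheritance to spawned processes, drive-by-download suppression in user space, the USB block, the HKLM / HKCU Run and RunOnce write restrictions, and the 5-minute SUSPEND that re-enables itself. The profile root, drive E: as the USB stick and the default guarded list are assumptions constructed for the illustration.

```python
# Added example, not AppGuard's code: a toy policy engine for the rules in this thread.
# Assumptions (constructed): the XP profile root, E: as the removable drive, default list.
import ntpath

USER_SPACE = r"C:\Documents and Settings\user_login"   # holds 'My Documents', 'Desktop', ...
REMOVABLE_DRIVES = {"E:"}                              # constructed: the USB stick
SUSPEND_SECONDS = 300                                  # protection break, 5 minutes
PROTECTED_KEYS = (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
                  r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce")


class AppGuardModel:
    def __init__(self, guarded=("iexplore.exe", "firefox.exe", "msimn.exe")):
        self.guarded = {g.lower() for g in guarded}   # msimn.exe: Outlook Express
        self.suspended_until = 0.0                    # clock value at which a SUSPEND expires

    def suspend(self, now):
        """User-requested protection break; protection re-enables itself after 5 minutes."""
        self.suspended_until = now + SUSPEND_SECONDS

    def active(self, now):
        return now >= self.suspended_until

    def is_guarded(self, image, parent_guarded=False):
        # Every restriction inherits to executables/ActiveX spawned by a guarded app.
        return parent_guarded or ntpath.basename(image).lower() in self.guarded

    def launch_allowed(self, image, now, parent_guarded=False):
        """Drive-by-download rule: launches from user space are suppressed unless the
        image is guarded; USB rule: executables on removable drives are blocked."""
        if not self.active(now):
            return True
        norm = ntpath.normcase(ntpath.normpath(image))
        if ntpath.splitdrive(norm)[0].upper() in REMOVABLE_DRIVES:
            return False
        in_user_space = norm.startswith(ntpath.normcase(USER_SPACE) + "\\")
        return not in_user_space or self.is_guarded(image, parent_guarded)

    def registry_write_allowed(self, key, writer_guarded, now):
        """Guarded apps may not alter HKLM, nor the HKCU Run/RunOnce keys."""
        if not self.active(now) or not writer_guarded:
            return True
        k = key.upper()
        return not (k.startswith("HKLM\\") or
                    any(k.startswith(p.upper()) for p in PROTECTED_KEYS))
```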
     
  4. Hugger

    Hugger Registered Member

    Joined:
    Oct 27, 2007
    Posts:
    1,003
    Location:
    Hackensack, USA
    Eirik,
    I have a question about the behavior of Appguard.
    Last night Avira Premium downloaded its update and I went to do a scan.
    As soon as the scan started XP Pro shut down and I got the blue screen saying that I had a problem.
    I rebooted and removed Appguard. After removing it I was able to run my av scan.
    I'd like to install the program again but wanted to ask first if there might have been a problem that I don't know about or if I had done something wrong.
    Regards.
    Hugger
     
  5. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,870
    Location:
    Canada
    On one of my PCs I am running AppGuard with ThreatFire Pro with no problems, very fast ;) I wonder if anyone has tried running it with Mamutu :)
     
  6. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    Hugger, I've notified customer support of your observation. I apologize for your inconvenience.

    Eirik
     
  7. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,870
    Location:
    Canada
    I tried with Avira Free yesterday as well, and it was all fine here, for the updates too. It was the free version :D of Avira.
     
  8. Hugger

    Hugger Registered Member

    Joined:
    Oct 27, 2007
    Posts:
    1,003
    Location:
    Hackensack, USA
    Thanks for the quick reply.
    I went ahead and installed AG again.
    Hugger
     
  9. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,870
    Location:
    Canada
    What I did was to install Avira first and then AppGuard ;) all was OK :thumb:
     
  10. Hugger

    Hugger Registered Member

    Joined:
    Oct 27, 2007
    Posts:
    1,003
    Location:
    Hackensack, USA
    I'm doing an av scan of XP Pro right now with no problems. Everything is the same as it was yesterday except that today I didn't get the blue screen of misery.
    @ Jmonge-AG works well with Mamutu on my machine.
    @ Eirik-if you ever figure out what happened with this please let me know.
    Thanks.
    Hugger
     
  11. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,870
    Location:
    Canada
    Thanks, I am running it with ThreatFire Pro and it is good so far ;)
     
  12. Hugger

    Hugger Registered Member

    Joined:
    Oct 27, 2007
    Posts:
    1,003
    Location:
    Hackensack, USA
    I just took a look at Windows Event Viewer.
    It shows 'error crypt32, category none, event 8'.
    I don't know if it's related but it's there.
    Hugger
     
  13. danny9

    danny9 Departed Friend

    Joined:
    Feb 18, 2004
    Posts:
    678
    Location:
    Clinton Twp. Mi
    Running Avira premium when I installed AppGuard.
    Have been no conflicts or problems with either. :D
     
  14. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,714
    So, EdgeGuard Solo seems to be a list of apps to guard. It seems as if it starts them as basic user, or protects them in the same way? Is appguard basically the same, where you assign your files to protect? Is protection then actually protecting the integrity of the .exe? Or as I said, limiting what the .exe can do, as in demote it. AKA DropMyRights. AKA SRP/basic user?

    If so, what are the benefits of using this over just using SRP built into the OS?

    Inquiring minds want to know ;)

    Sul.
     
  15. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,870
    Location:
    Canada
    It protects your browser against exploit attacks (ActiveX vulnerabilities).
     
  16. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    I reckon a solution of AppGuard, ThreatFire Free (with outbound custom rule) and Avira Free would provide very strong security with few pop-ups.

    Eirik

    Forgot to tell you that you should add Outlook Express to the default program list in AppGuard.


    Cheers
     
  17. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    It's also useful for adding p2p programs, if any, to the AppGuard list. Just in case they have some exploit. I have tried both torrent and emule and both work fine under Appguard. You can also add simple files from p2p temporarily just to see if they will run ok or not. If you get an alert from Appguard maybe it wasn't so innocent as you thought.

    Indeed, indeed! :thumb:
     
    Last edited: Jan 28, 2009
  18. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    I'll answer this below.

    AppGuard is a superset to EdgeGuard Solo capabilities. EdgeGuard Solo, when installed, starts with a clean slate. There are no applications listed in the 'guard' list. AppGuard includes many by default. If any of those applications are not present in the host, there are no ill effects from having them included in the 'guard' list.

    AppGuard also provides drive-by download and USB malware protections. AppGuard provides advanced users insight into what is happening, Windows Log Events. Businesses can remotely configure and retrieve log events but do not have to employ yet another management system. The AppGuard driver is a bit more advanced too.

    Neither EdgeGuard Solo nor AppGuard alter the token issued to a process (i.e., application) by the operating system as done by DropMyRights. We experimented with this approach with something we called TokenGuard. We found it brittle.

    Some applications refuse to operate if they do not have the permissions they demand, such as Microsoft Office when the host is operating with admin rights, or Quicktime player (I don't believe this has changed but this observation is over a year old.). So, engineering came up with a "mechanism" (don't ask, please) for overcoming this challenge from applications demanding risky privileges.

    AppGuard and EdgeGuard Solo employ a driver that intercepts what I like to call file system actions (this relieves me from mis-stating actual terms;) ). This driver gives AppGuard much greater flexibility than token manipulations.

    Rather than get more specific, let me just say that many familiar applications interact with the rest of the host in a manner not recommended by the Microsoft operating system best practices. Some familiar applications actually mis-use APIs, which allow them to operate okay but make securing a PC more complex. The lean driver in AppGuard gives us the flexibility to overcome these and other challenges.

    See above.

    This subject-matter is tough stuff. I hope I've answered your questions. If not, please follow-up with more.

    Cheers,

    Eirik
     
  19. GES/POR

    GES/POR Registered Member

    Joined:
    Nov 26, 2006
    Posts:
    1,485
    Location:
    Armacham
    So basically AG is kinda like DW in the sense that it gives strong HIPS protection out of the box without any hassle, and enough room to tweak/crank **** up for the expert user?
     
  20. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Another benefit of AppGuard could be, for XP users, that Software Restriction Policy under XP could be evaded by a PoC when you have not disabled null shares as well.

    Vista does not have this problem.

    Although I have read about this PoC only once (somewhere, I cannot reproduce where), by EPXoff I thought. This PoC consisted of two parts which proved it was theoretically possible (but did not actually break SRP).

    Cheers Kees
     
  21. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    8,939
    Location:
    North Carolina
    well yeah, but maybe without the poop part.:cautious: ;)
     
  22. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    8,939
    Location:
    North Carolina
    Let me add, looks to be a pretty impressive Executive Team at Blue Ridge that you are a part of.

    Blue Ridge Networks
     
  23. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    The purpose of AppGuard is to stop most malware attacks but without confusing or annoying users, even very novice ones. So, AppGuard is not focused on enabling power-users to customize policy rules. There are many tools out that provide total command and control over a PC with extreme customization capabilities. AppGuard is not looking to compete with those. We may open up AppGuard for some user-tweaking. But, those future capabilities would have to be implemented in a manner that the novice users would not be confused or intimidated, perhaps a drill-down 'advanced' GUI area. All that said, we're listening to our users.

    Eirik
     
  24. firzen771

    firzen771 Registered Member

    Joined:
    Oct 29, 2007
    Posts:
    4,815
    Location:
    Canada
    Can someone post screenshots of AppGuard please?
     
  25. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    8,939
    Location:
    North Carolina