What is AppGuard

Discussion in 'other anti-malware software' started by trjam, Jan 26, 2009.

Thread Status:
Not open for further replies.
  1. Dave53
    Offline

    Dave53 Registered Member

    The way I did this was to open Sandboxie's Control window, click on the Sandbox menu, select Set Container Folder, and then select the drive (D:, etc.).

    Dave
  2. AvinashR
    Offline

    AvinashR Registered Member

    Thank You very much bro. I have just changed it...Does it have any upper hand ...i mean is it more secure then the default location?
  3. pegr
    Online

    pegr Registered Member

    From Sandboxie's point of view, it makes no difference where the sandbox container folder is located. From AppGuard's point of view, as stated in post #698, the advantage of relocating the sandbox container folder to user space is that you don't have to add it as an exception folder for guarded applications. Each exception folder that guarded applications may write to potentially slightly weakens AppGuard security.

    For some additional perspective, also see post #680 where I tried to explain my understanding of how AppGuard handles drive-by download protection in relation to user space.
    Last edited: Feb 18, 2010
  4. pegr
    Online

    pegr Registered Member

    It certainly isn't normal for browsers to be trying to access My Documents on launch. I can't think of a valid reason why a browser should need access to personal data. I only have IE8 and Firefox installed but neither of them triggers any AppGuard alerts. I assume that you've already thoroughly checked your system for malware, so this is going to need further investigation. I don't know if anybody else has experienced this behaviour; if not, perhaps Eirik can shed some light on this. On the face of it, it does seem to be suspicious as it is happening with all of your browsers, and I am inclined to suspect malware as a possible cause.

    As far as Hitman Pro updates go, I don't use Hitman Pro myself but, assuming that it is an unguarded application, in principle there shouldn't be any problems with the updates. Having said that, it does depend on how updates are handled. Some applications write temporary executables to user space which AppGuard then blocks when they try to launch. I've seen this happen with Windows Automatic Updates, which is why I always disable AppGuard first. It also depends on whether you've guarded additional Windows components such as cmd.exe, regsvr32.exe, and rundll32.exe, etc. If Hitman Pro were to use Windows components that you'd added as guarded applications then the update could fail. Maybe someone who uses Hitman Pro and AppGuard together can give you a more definite answer.
  5. Eirik
    Offline

    Eirik Registered Member

    Hi All,

    I'm afraid there's insufficient information to conclude that Dave's observations are the result of malware. It seems unlikely that all three browsers (IE8, Chrome, Firefox) would be compromised in the same manner by malware. That said, caution is justified.

    The symptoms that Dave has observed do not relate to any known bug. And, as Dave noted, the privacy mode definition does not appear to overlap with the locations that web browsers typically employ for cached internet files or preference files.

    For now Dave, I can only suggest re-defining privacy mode to a new folder within My Documents, such as 'My Private Stuff' (re-locate other folders within this new one). DO NOT SUSPEND drive-by download protection during the first round of launching those web browsers. This suppresses any executable launches but allows read/write operations. Dave, if you observe that something written into 'My Documents' after this by the web browsers, we'd have stronger evidence of an infestation. Similarly, be sure nothing sensitive resides outside of the new privacy folder(s).

    Dave, another train of thought, are the Chrome executables located in user space or in Program Files? If they're in Program Files, did you select that Google installer option to handle Firefox updates? Also, did you select the option to endow IE8 with the Chrome renderer extension? These could represent a common thread among the three browsers, and POSSIBLY ...

    BTW, I encourage AppGuard folk to reinstall Chrome into Program Files (there's an effective utility at Google, though it may forget to delete the originate googleupdate.exe from user-space). Chrome and AppGuard generally get along better, when Chrome adheres to the Windows NT Security Framework by residing within Program Files. This reduces AppGuard blocks of Chrome (legit actions) but may not eliminate ALL. As much as I love Chrome's speed, its a bit of a diva from a security perspective.

    Cheers,

    Eirik
  6. Dave53
    Offline

    Dave53 Registered Member

    EDIT: Thanks Eirik and pegr for your feedback. I discovered that the culprit was Google Desktop. After uninstalling it, I no longer get the alert when launching a browser.

    I suspect that the issue with Hitman Pro is that a product update probably uninstalls the previous version and launches an executable to install the new version. I guess that I will just have to continue to stop the update when it starts and temporarily suspend Appguard until the process is finished. I don't have a problem with definition updates for AntiVir or Malwarebytes.

    Regards,

    Dave :)
    Last edited: Feb 18, 2010
  7. jmonge
    Offline

    jmonge Registered Member

    Eirik when is version 1.4 with pasword protection ready for?;) thanks
  8. pegr
    Online

    pegr Registered Member

    Glad you solved the problem. :)

    Regards
  9. AvinashR
    Offline

    AvinashR Registered Member

    Hi Bro,

    I have not changed the default location of C:\Sandbox but i have done something else. I added this folder and ticked it from where no unguarded application can launch...I guess this will protect me from any Drive-By-Download threat...

    Please see the screen shot of the same.

    Your comment on this please....

    Attached Files:

    • App.PNG
      App.PNG
      File size:
      50.2 KB
      Views:
      346
  10. pegr
    Online

    pegr Registered Member

    I've just tried this myself, and it does indeed work.

    In effect, what you've managed to achieve by creating an exception to allow guarded applications write access to C:\Sandbox, and a creative use of the Drive-by Download Protection Extensions Deny tab to deny unguarded applications execute access, is to add the C:\Sandbox folder to extended user space, even though it is located on the system partition and wouldn't nomally be considered by AppGuard to be user-space.

    I would be very interested in Eirik's comments on this, as it brings to mind a conversation we were having in posts #597, #601, and #602 where I wanted the ability to go in the other direction and exclude a folder from extended user space in order to prevent write access (not currently possible AFAIK). The concept of user-space, what it consists of, and how it appears to the user, may need rationalising and simplifying, in order to make it clearer how AppGuard is protecting.

    Regards
  11. AvinashR
    Offline

    AvinashR Registered Member

    But one problem still persist...if i do not mark write access to C:\Sandbox then no sandbox application will launch...
  12. pegr
    Online

    pegr Registered Member

    In post #695 you said that you'd already done that, so now I'm a little confused. o_O

    If you are going to leave the sandbox container folder in its default location and you want to allow guarded applications to be able to write to it, while at the same time prevent unguarded applications from being able to execute from it, you need to do two things: -

    • Add C:\Sandbox to the Guarded Applications Exception Folders list (allows guarded applications write access).
    • Add C:\Sandbox to the Drive-by Download Protection Settings Deny tab (denies unguarded applications execute access).
    These settings will allow any Sandboxed application to write to the sandbox without losing the benefit of AppGuard's drive-by download protection for the sandbox container folder itself which, if I've understood you correctly, is what you are trying to achieve.
  13. AvinashR
    Offline

    AvinashR Registered Member

    Ya you are absolutely correct...I m sorry, even i am bit confused now...i forgot what i want to say...:D
  14. pegr
    Online

    pegr Registered Member

    No problem - so long as you've got the outcome you wanted, that's what matters. :D
  15. AvinashR
    Offline

    AvinashR Registered Member

    Yeah..You are right...I try to be more flexible and found the way...So without changing the location i have tightened the security...:D
  16. demoneye
    Offline

    demoneye Registered Member

    why add deny to drives d: and e: etc when they already set to deny by default ?
    Last edited: Feb 21, 2010
  17. pegr
    Online

    pegr Registered Member

    Only user-space on the system partition is set to deny by default. Extended user-space on non-system partitions has to be explicitly protected by checking the "Deny launches from all non-system volumes" checkbox on the Drive-By Download Protection Extensions dialog screen. At least that's my understanding.
  18. Greg S
    Offline

    Greg S Registered Member

    Isn't this checked by default though?
  19. AvinashR
    Offline

    AvinashR Registered Member

    Due to lack of information on this, i took this step. You can say that i am lil bit paranoid.
  20. demoneye
    Offline

    demoneye Registered Member

    Deny launches from all non-system volumes is a default setting
    the guy picture show its already tagged+ he define a none system partition to be deny...weird :doubt:
  21. demoneye
    Offline

    demoneye Registered Member

    that explain :D
  22. gerald100
    Offline

    gerald100 Registered Member

    This note on AppGuard is regarding a new install on XP SP3. I saw a review on Remove-Malware.com. Decided to give it a try. No issues with the install. But, it was missing all tabs except the status. In the status all entries were "pending". Noticed that "Terminal Services" were required to be running. This did not solve the problem. Thought that this app may require .net framework so installed it on a second pc used for testing. That did not work either. Kind of stuck. No unusual events in event viewer. Application just fails to work. What am I missing? Any other services that need to be running?

    Thanks
  23. AvinashR
    Offline

    AvinashR Registered Member

    Better safe and secured than sorry...:D
  24. AvinashR
    Offline

    AvinashR Registered Member

    Kindly re-install it on a clean copy of XP and see if problem persists or not? I am not sure if it require any .net framework, because nowhere it was mentioned, not even in their website.
  25. pegr
    Online

    pegr Registered Member

    Posts #457 thru #462 on Page 19 of this thread relate to this issue and may be of help in pinpointing the problem.
Thread Status:
Not open for further replies.