What is AppGuard

Discussion in 'other anti-malware software' started by trjam, Jan 26, 2009.

Thread Status:
Not open for further replies.
  1. Criss

    Criss Registered Member

    Joined:
    Oct 3, 2008
    Posts:
    186
    Haha ya. :D

Maybe I should try DefenseWall, then we will have almost the same setup. ;)
     
  2. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    yeap:D
     
  3. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    Hi Criss,

    Is AppGuard generating any log events that are explicitly related to Sandboxie (status window or Windows Event Log Viewer)?

    Other than IE7, is anything else relevant guarded by AppGuard ?

    Thanks,

    Eirik
     
  4. Criss

    Criss Registered Member

    Joined:
    Oct 3, 2008
    Posts:
    186
I don't think there are any. You can also check in the log that I had sent you. :D

To your 2nd question, I get that message when I open either FF or Chrome sandboxed; not sure with IE7 (will try it later, I am at a different computer now :p) and nothing else is opened.

    Criss.
     
  5. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,269
    Location:
    Ontario, Canada
I was testing AppGuard against some malware that I have and it is working very well at stopping them from running :thumb: Looking forward to the next version!

    TH
     
  6. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
Yeap, me too. I tried it against some new ones and it passed ;) at least 90% of my test.
     
  7. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    That's what we're shooting for in terms of positioning: stop 90% at 10% the effort of a full-blown HIPS, which with sufficient effort and skill a full-blown HIPS product could stop closer to 100%. Or to paraphrase what Sully said offline about AppGuard, 'a [zero-day] security product that anyone can use'.

    Eirik
     
  8. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
Yeap, the other 10%, that's my job (10% that is not hard indeed). Just kidding, let Prevx deal with the 10%.
     
  9. Trespasser

    Trespasser Registered Member

    Joined:
    Mar 1, 2005
    Posts:
    1,204
    Location:
    Virginia - Appalachian Mtns
I thought the next version of AppGuard was supposed to be released today. Been waiting all day. ;) Eirik?

    Later....
     
  10. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    Hi All,

    AppGuard Version 1.1 is released.

Because of our enterprise commitments, your new AppGuard will require a product code to use for more than 30 days. AppGuard 1.0 users will receive an email within the next 24 hours. If you would like to upgrade sooner, you can download from here, but you'll have to enter an email address and check: personal, enterprise, or both, nothing more. You can enter the activation code after you receive your email.

    Those interested in trying AppGuard for the first time can use the above link as well.

    What's new in version 1.1 is listed in this earlier post, plus we added the enhanced USB malware defense.

    Cheers,

    Eirik
     
  11. 2good

    2good Guest

Eirik, what is the side-by-side error I keep getting after installing Application Guard or EdgeGuard Solo?
     
  12. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    I'm afraid I don't understand. Could you provide some more detail?
     
  13. 2good

    2good Guest

I'm sorry, I should be more specific: in the Event Viewer on Windows XP Home Edition I get error codes 59 & 32.
     
  14. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,269
    Location:
    Ontario, Canada
I tried to install the new version of AppGuard, but after the reboot and accepting the trial on XP SP3 it crashes with a BSOD, so I had to uninstall it. Can you PM me an address where I can send the minidump files?

    Thanks,

    TH
     
  15. Trespasser

    Trespasser Registered Member

    Joined:
    Mar 1, 2005
    Posts:
    1,204
    Location:
    Virginia - Appalachian Mtns
    Running fine here in Vista (32 bit).
     
  16. pidbo

    pidbo Registered Member

    Joined:
    Dec 25, 2006
    Posts:
    198
    Will AppGuard run on Windows 2000?
     
  17. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    No, I'm afraid not. It officially runs on 32 bit versions of XP and Vista.
     
  18. PoetWarrior

    PoetWarrior Registered Member

    Joined:
    Apr 16, 2007
    Posts:
    345
    So far so good on Win 7 beta :thumb:

    This might be just what I'm looking for in addition to the UAC.


    Edit: Checked a little more and noticed tabs missing in the program. So now I doubt a complete install occurred successfully. I was hoping.
     
    Last edited: Feb 27, 2009
  19. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,269
    Location:
    Ontario, Canada
    Anyone else having problems with XP Pro SP3 32bit and AppGuard?

    TH
     
  20. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Finally, a trial version has been released today! Thank you Blue Ridge Networks!
     
  21. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,269
    Location:
    Ontario, Canada
The problem has been found by Eirik's team! :thumb: It was a conflict between AppGuard & SUPERAntiSpyware Pro. Everything is working fine now, but without SAS installed!

    TH
     
  22. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    I'm evaluating on WinXP SP2, with no additional security running other than a firewall.
    I am interested primarily in remote code execution protection. From a couple of tests
    I would say that this is a very nice little application indeed!

    REMOTE CODE EXECUTION: DRIVE-BY DOWNLOAD

    My first test used the old MS06-014 drive-by download exploit which downloads an executable,
    copies it to another location as svchost.exe, and executes. Partial code:

[image: ms06-014Code.gif]

    The file AstroExp.exe downloaded:

[image: cache-astro.gif]

    This means that the file would stay in that location until the user discovered it. It is a bit disconcerting
    that a piece of malware could possibly hang around unbeknownst to the user.

    Next the code attempts to copy the file as svchost.exe to C:\ and is blocked:

    Code:
Prevented process <Internet Explorer> from writing to <c:\svchost.exe>

When the code attempted to execute the file, a popup message displayed that AstroExp.exe was not a valid Win32 application. There was no Status Event entry. It was also blocked when using a different file extension: .scr

I did the same test with an MSWord document using rundll32.exe to load a DLL. Both the DOC and DLL files downloaded to the cache but were prevented from copying to C:\

    Code:
    Prevented process <Internet Explorer> from writing to <c:\svchost.doc>
Prevented process <Internet Explorer> from writing to <c:\hmmapi.dll>

Same observation about malware remaining in the cache.

    END RESULT: AppGuard successfully prevents malware executables from running via a Drive-by Download exploit.


    REMOTE CODE EXECUTION: USB - AUTORUN.INF

    Using Autorun.inf from USB yielded mixed results here. Upon plugging in a flash drive,
    there was a Status Event entry:

    Code:
Prevented access to <f:\autorun.inf>

This drive is not a U3 type so AutoRun.inf would not work anyway, but it shows that AppGuard monitors for that file.
    Attempting to run AstroExp.exe by clicking on its icon also failed:

    Code:
Prevented launching from Removable Mass Storage Device

However, when I connected my USB external HD, there was no alert and AstroExp.exe launched via the AutoRun.inf command:

    Code:
    [autorun]
    shellexecute=AstroExp.exe
[image: mpts2.gif]

[image: appg-usb-astro.gif]

I also was able to launch the executable by double-clicking on the icon directly.

    Likewise my MSWord document ran, loaded the hmmapi.dll, launched Internet Explorer and connected to the internet:

    Code:
    Shell "rundll32.exe hmmapi.dll,MailToProtocolHandler %1"
[image: appg-usb-hmmapi.gif]

    I chose AstroExp.exe because it is a stand-alone executable and does not make any changes to the system.
    Likewise, the dll that loaded does not make any changes.

This is to illustrate the potential for malware to collect data and send it out to a server without making any changes to the system, and therefore not be flagged. The old Switchblade USB exploit did this. Also, some viruses are file infectors and could do damage in addition to making changes.

    So, even though security like AppGuard or UAC can alert when something attempts to make changes to the system, the most secure protection is preventing the executable from running in the first place. Hopefully the reason for this breach will be determined.

    Another test was to have Autorun.inf start a VBScript file. From my USB External HD the autorun.inf file attempted to run the VBS file but a popup box appeared with a VBS error. There was no Status Event entry recorded.

    END RESULT: Inconclusive; different results on two USB devices.

    Two side effects:

    • I have two versions of MSWord running. AppGuard put my older version on the Guard List, so I added the newer version to the List. However, I could not run that version. The Status Event entry:

      Code:
      Prevented process <Microsoft Word for Windows> from writing to <c:\mus\musrcc\monstrose.doc>.
      
• Attempting to run the Help file from the System Tray icon displayed an AppGuard GUI error and the GUI exited, requiring a restart.

    CONCLUSION

    From the standpoint of Remote Code Execution: Drive-by Download type: AppGuard seems to be a winner.
    Although it doesn't have Copy (Download) Prevention, it successfully blocks executables from running.

    For the USB type: It's possible that the glitch that occurred with my USB external HD is fixable, or specific
    to something local here. I don't have any other USB devices to check/verify. Assuming this will be corrected,
    protection against remote code execution from USB would also seem to be solid.

    Nothing has been said about AppGuard alerting to AutoRun.inf on CD/DVD drives. To check, my AutoRun.inf test
    for launching AstroExp.exe ran successfully from a CD.

    ----
    rich
     
    Last edited: Feb 28, 2009
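The Status Event lines and the autorun.inf quoted in Rmus's post above are short enough to parse, and doing so is what a defender would do when reviewing this kind of log across many machines: pull out which guarded process was stopped from writing which file, count blocked autorun.inf accesses and removable-media launches, and audit any autorun.inf for directives that launch something (open=, shellexecute=, shell\<verb>\command=) rather than merely setting an icon or label. The following is an added example written for this thread, not code from AppGuard or Blue Ridge Networks; the three event line formats are the ones quoted in the post, the sample event lines and the benign autorun.inf are constructed, and the function names are this example's own.

```python
"""Parse AppGuard-style "Status Event" lines and audit autorun.inf launch
directives.  Added example, not AppGuard's own code.  The event formats are
the ones quoted in the post above; the autorun.inf keys handled are the
documented [autorun] launch keys (open, shellexecute, shell\\<verb>\\command)."""
import re
from configparser import ConfigParser
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample modelled on the Status Event lines quoted in the post.
SAMPLE_EVENTS = """\
Prevented process <Internet Explorer> from writing to <c:\\svchost.exe>
Prevented process <Internet Explorer> from writing to <c:\\hmmapi.dll>
Prevented access to <f:\\autorun.inf>
Prevented launching from Removable Mass Storage Device
Prevented process <Microsoft Word for Windows> from writing to <c:\\mus\\musrcc\\monstrose.doc>.
"""

# The autorun.inf quoted in the post, plus a constructed benign one.
SAMPLE_AUTORUN = "[autorun]\nshellexecute=AstroExp.exe\n"
BENIGN_AUTORUN = "[AutoRun]\nicon=photos.ico\nlabel=Holiday photos\n"


@dataclass
class Event:
    kind: str               # "write_blocked", "access_blocked" or "launch_blocked"
    process: Optional[str]  # guarded process, when the line names one
    path: Optional[str]     # target path, when the line names one
    raw: str


_PATTERNS = [
    ("write_blocked", re.compile(r"Prevented process <(?P<process>[^>]+)> from writing to <(?P<path>[^>]+)>")),
    ("access_blocked", re.compile(r"Prevented access to <(?P<path>[^>]+)>")),
    ("launch_blocked", re.compile(r"Prevented launching from Removable Mass Storage Device")),
]


def parse_event(line: str) -> Optional[Event]:
    """Return a structured Event for one Status Event line, or None when the
    line matches none of the three formats seen in the thread."""
    line = line.strip()
    for kind, pattern in _PATTERNS:
        m = pattern.search(line)
        if m:
            g = m.groupdict()  # empty for the launch_blocked pattern
            return Event(kind, g.get("process"), g.get("path"), line)
    return None


def parse_events(text: str) -> List[Event]:
    return [e for e in (parse_event(l) for l in text.splitlines()) if e is not None]


# Extensions that mean a blocked write was a payload being staged, not a document.
EXECUTABLE_EXT = (".exe", ".dll", ".scr", ".com", ".pif", ".vbs", ".bat", ".cmd")


def blocked_payload_writes(events: List[Event]) -> List[Event]:
    """Blocked writes whose target has an executable extension: the
    drive-by-download pattern (browser writing svchost.exe to C:\\) from the post."""
    return [e for e in events
            if e.kind == "write_blocked" and e.path and e.path.lower().endswith(EXECUTABLE_EXT)]


def summarize(event_text: str) -> dict:
    """Counts a reviewer would want per machine from one Status Event log."""
    events = parse_events(event_text)
    return {
        "events": len(events),
        "payload_writes_blocked": len(blocked_payload_writes(events)),
        "autorun_access_blocked": sum(1 for e in events if e.kind == "access_blocked"
                                      and e.path and e.path.lower().endswith("autorun.inf")),
        "removable_launches_blocked": sum(1 for e in events if e.kind == "launch_blocked"),
    }


# Keys in [autorun] that cause something to execute; icon= and label= do not.
_LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$", re.IGNORECASE)


def autorun_launch_directives(inf_text: str) -> List[Tuple[str, str]]:
    """Return (key, value) pairs from the [autorun] section that launch a program.
    interpolation=None keeps configparser from choking on %1; strict=False
    tolerates the duplicate keys real-world autorun.inf files sometimes carry."""
    cp = ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    cp.read_string(inf_text)
    found = []
    for section in cp.sections():
        if section.lower() != "autorun":
            continue
        for key, value in cp.items(section):  # keys are lower-cased by configparser
            if _LAUNCH_KEY.match(key):
                found.append((key, value or ""))
    return found


if __name__ == "__main__":
    print(summarize(SAMPLE_EVENTS))
    print("launch directives:", autorun_launch_directives(SAMPLE_AUTORUN))
    print("benign autorun.inf:", autorun_launch_directives(BENIGN_AUTORUN))
```

On the sample log the summary reports two blocked payload writes (svchost.exe and hmmapi.dll), one blocked autorun.inf access and one blocked removable-media launch; the blocked write of monstrose.doc is counted as an event but not as a payload, which is the side effect Rmus reports with his second copy of Word. The autorun audit flags shellexecute=AstroExp.exe and returns nothing for the icon/label-only file, which is the distinction a reviewer needs when deciding whether a device's autorun.inf should have been blocked.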
  23. Trespasser

    Trespasser Registered Member

    Joined:
    Mar 1, 2005
    Posts:
    1,204
    Location:
    Virginia - Appalachian Mtns
    Rmus,
    Have you ever tried these tests with DefenseWall?
     
  24. Criss

    Criss Registered Member

    Joined:
    Oct 3, 2008
    Posts:
    186
    Wow it's finally out. :argh: Going to try it now.

    Criss.
     
  25. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    No. but aigle probably has. I send him tests and I don't think that there are many products he hasn't tried!
     