AppGuard 4.x 32/64 Bit - Releases

Discussion in 'other anti-malware software' started by Jryder54, Oct 29, 2013.

Thread Status:
Not open for further replies.
  1. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Don't feel bad. It takes a bit to wrap your mind around Appguard, but once you get it you realize just how powerful this thing really is. Enjoy.

    Pete
     
  2. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    Adding a system-space folder to the User Space tab and setting the Include flag to Yes (where allowed) applies user-space launch protection but it does not make the folder writeable for guarded apps. The only way to make a system-space folder writeable for guarded apps is to add the folder as an exception folder in the Guarded Apps tab.

    I think the GUI encourages confusion because it leads people to think that if they add a folder to the User Space tab with the Include flag set to Yes, it gives the folder full user-space permissions, but it's not true. As I said in post #1197 on page 48 of this thread, folder write and launch permission properties have to be adjusted separately in order to fully move a folder from one space to the other.

    In a momentary lapse of concentration, I too made the same mistake in post #816 on page 33 of this thread. On that occasion, Barb_C corrected my error in her reply in post #818. I've previously exchanged PMs with Barb about ways in which the GUI could be simplified to make it more intuitive.
     
    Last edited: Apr 27, 2014
  3. lucien_phoenix

    lucien_phoenix Registered Member

    Joined:
    Oct 20, 2012
    Posts:
    133
    Location:
    Germany
    You are right, AG has a wide range of power to protect the system. I will get used to it sooner or later. For now I have to buy a license. Today is my last evaluation day.

    Now I have bought an AppGuard license. :)
     
    Last edited: Apr 27, 2014
  4. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    Hi Pete,

    I agree that AppGuard does take a bit of understanding. I would urge anybody new to AppGuard to read posts #5 and #1197 in this thread. Once the concepts of system space and user space are understood, people shouldn't have any trouble knowing when folder customisations are needed and how to make them via the GUI.

    Kind regards
    pegr
     
  5. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    No, I was referring to Comodo Kill Switch, Autoruns, and CCE. I mainly only use Comodo Kill Switch, but the other tools come with Kill Switch as a bundle.
     
  6. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I think they probably did not have other security apps in mind when they wrote that, but I could be wrong. I think guarding security apps is asking for trouble. It will definitely make the possibility of conflict much more likely. I think someone that knows what they are doing can assume the risk if they like, but I would not recommend this to users with a lower level of computer knowledge. If they start having problems they may not realize the source of the problem. I think the best option is to move it to the system space, or exclude the folder if it's a portable version. There's not a great chance of that 1 folder becoming infected, but moving the app to the system space is the safest.
     
    Last edited: Apr 28, 2014
  7. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    I agree that security apps should not be guarded and have never suggested otherwise. What the help file is saying is that it is not a good idea to allow unguarded launches from a folder that has write permission for guarded apps.

    This is exactly what adding a user-space folder to the User Space tab with the Include flag set to No does without also making it a protected resource in the Guarded Apps tab, and is therefore something to be avoided.

    Security programs belong inside the trusted enclave, and not in user-space which is for data. In the case of trusted portable apps that can be run from anywhere, locating them in system-space is more secure than locating them in user-space then setting the Include flag to No in the User Space tab to allow them to run unguarded.
     
  8. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I think unguarded launches of a security application pose a very low threat. At least in comparison to not guarding other application types. If it were any other application type I would not recommend it at all unless that was the only way that application would function. Then I would ask myself is this application something I really need.
     
  9. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    You're missing the point. It isn't the security application running unguarded from user-space that you've got to worry about. It's the fact that you've given every guarded application the means to write executables to a user-space folder that can subsequently be launched unguarded, thereby bypassing AppGuard drive-by download protection and creating a backdoor into system-space that could potentially be exploited.

    Why would anybody choose to do that when there exists a perfectly safe alternative of locating the security application within a system-space folder that doesn't need any AppGuard customisation to make it work?
     
  10. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Wouldn't that require a specific targeted attack for the guarded application to find the path of the excluded folder?
     
  11. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    Even if the risk of a targeted attack from user-space is small, I don't see the value in undoing standard user-space protection unnecessarily. The official advice contained in the help file advises against customising AppGuard to allow unguarded launches from user-space folders.

    Trusted applications that run unguarded belong inside the trusted enclave, which means installing them into system-space wherever possible. User-space, by definition, lies outside of the trusted enclave.

    Personally, I prefer to stick with the official guidelines for AppGuard deployment, as set out in the help file. Others are free to do as they wish.
     
  12. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I don't disagree with you on that. I already stated that moving it to the system space was the safest, and most secure method.
     
  13. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    The reason I wondered about this is because in post #1235 on page 50 you appear to be recommending the use of user-space with launch protection disabled.
     
  14. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I would recommend the exclude userspace option if running from system space was not an option. You're right, I did recommend that. I explained the system space option was the more secure method in a later post. I should have explained it then. I actually have an application in the userspace that I have to exclude which would be of a higher risk because all other methods have failed. I'm going to contact Boleh VPN soon to see if they believe their client would function ok from the system space. I'm not sure it can be moved. Their old client used to install to the system space, but you had to right click on the executables to give them admin privileges.
     
  15. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    Thanks for clarifying. I agree that each situation has to be judged on a case-by-case basis. The default position of running trusted applications from system-space is only a general guideline. :)

    P.S. Good luck with Boleh VPN!
     
  16. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I just downloaded the latest installer for Boleh VPN Client, and they still do not give an option to change the installation to the system space. I doubt they will change their client just for me. I don't have any choice but to exclude its folder if I want to use Boleh VPN.
     
  17. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I think the vast majority of malware will try to download to a userspace path/location that is present on all Windows machines. My documents, profiles, downloads, app data, etc. There are a lot of common userspace paths that are present on Windows. That's why I brought up the targeted attack being less likely.
     
  18. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    In addition to adding the Boleh VPN folder to the User Space tab with the Include flag set to No, if you also add the folder to the Guarded Apps tab as a read-only protected resource, you've moved the folder from user-space to system-space without changing its location in the file system. If there are any individual programs within the Boleh VPN folder that need guarding you can then add them to the Guarded Apps list in the usual way.

    Might be worth a try.

    Regards
     
  19. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I actually did not know that you could exclude a folder from the userspace, and make it a protected resource. I just did that, and it worked. Thank you! Now all I need to do is test to make sure it is only allowing read access. I actually started a support ticket on this as a possible bug, or maybe a lack of knowledge on my part. BRN never recommended this to me. They only spoke of possibly having to make changes to AG's policy to facilitate Boleh Client functionality. I will report back if AG starts blocking Boleh, but it connected fine. Boleh would be blocked before it ever had a chance to connect before. Does this offer the same protection as actually moving the installation folder to the system space? I will bring this up to Barb. Thank You!
     
  20. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Btw.. I had tried making Boleh a trusted publisher, adding it to the guarded apps list, and making it an exception folder in the guarded apps list. None of those worked. You can't make it a power app of course since it is in the userspace. None of those worked.
     
  21. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,207
    Why would Boleh VPN not install under Program Files, i.e. system space?

    I have used 2 other VPN programs and the default install was in system space. At the moment I am not much trusting in any VPN stuff as they add adapters/drivers on our computer. And how much to trust that stuff in general.

    But from what I have read it is somehow a reputable one among Wilders users. Perhaps you could try uninstalling what you have and try installing again.
     
  22. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    Yes, it does offer the same protection. As I said in post #1197 on page 48, the implementation of system-space and user-space is not so much about where the folders physically reside within the file system, but rather about how folder write and launch permissions are set in relation to guarded apps.

    A major factor in why I wrote the getting started tutorial in post #5 of this thread then followed it up with post #1197 is to help people gain an understanding of this. I noticed that the same questions about folder customisation come up time and time again in the AppGuard threads.

    What BRN have done is to apply sensible defaults for which files and folders are considered to be system-space and which are considered to be user-space, and have set the folder permissions accordingly, but this can be changed by customisation.

    It is always possible to move a user-space folder to system-space by disabling launch protection and enabling write protection as you have now done for the Boleh VPN folder. You can also go in the other direction and move system-space folders to user-space, providing they are not core components of the trusted enclave.

    System-space folders can be moved to user-space by enabling launch protection (User Space tab with Include flag set to Yes) and disabling write protection (Guarded Apps tab exception folder). AppGuard will not allow Program Files and Windows directories to be moved to user-space though, and will display an error message if an attempt is made to do this.

    Barb is already aware of my thoughts on this. She and I have previously exchanged PMs on this subject and she did say that BRN are looking at ways of simplifying the GUI in 4.1 to make it more intuitive and easier to understand and use.
     
    Last edited: Apr 29, 2014
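
    A small model of the two independent folder properties pegr describes above (launch protection and write protection for guarded apps), added here as an illustration. It is not AppGuard code and reads no AppGuard configuration; the class, field names, default spaces and sample paths are assumptions.

```python
# Toy model of the folder rules described in this thread (not AppGuard code).
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Folder:
    path: str
    default_space: str                  # "user" or "system" (assumed default)
    include: Optional[bool] = None      # User Space tab: True = Yes, False = No
    guarded_apps: Optional[str] = None  # Guarded Apps tab: "exception" or "protected"

def effective(f):
    """Return (launch_protected, writable_by_guarded_apps) after customisation."""
    launch = f.default_space == "user" if f.include is None else f.include
    write = (f.default_space == "user" if f.guarded_apps is None
             else f.guarded_apps == "exception")
    return launch, write

def classify(f):
    launch, write = effective(f)
    if launch and write:
        return "user-space"
    if not launch and not write:
        return "system-space"
    if write:  # unguarded launches allowed AND guarded apps can write here
        return "UNSAFE: guarded apps can drop executables that launch unguarded"
    return "launch-protected but still read-only for guarded apps"

# Constructed sample folders; paths are placeholders, not taken from the thread.
SAMPLES = [
    Folder(r"C:\Users\example\PortableTool", "user"),
    Folder(r"C:\Users\example\PortableTool", "user", include=False),
    Folder(r"C:\Users\example\PortableTool", "user", include=False,
           guarded_apps="protected"),
    Folder(r"C:\ExampleSystemFolder", "system", include=True),
    Folder(r"C:\ExampleSystemFolder", "system", include=True,
           guarded_apps="exception"),
]

def audit(folders):
    """Classify each folder so the one risky combination stands out."""
    return [(f.path, classify(f)) for f in folders]

if __name__ == "__main__":
    for path, verdict in audit(SAMPLES):
        print(f"{path:32} {verdict}")
```

    Only the second sample is flagged: Include set to No without a matching protected-resource entry, the combination the help file advises against.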
  23. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I downloaded the latest installer, and it did not give me an option to install in the system space. You would have to ask Boleh that. Their old client used to install to the system space.
     
  24. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    The strangest thing just happened with Boleh. I just opened Boleh VPN, and it said an update was available which required a complete uninstall of the current client. I uninstalled Boleh, and installed the new build. Boleh now installs to C:\Program Files (x86)\BolehVPN in the system space. I think Boleh may be reading our AG thread :D lol The Client has been installing to the userspace for about 3 years now. Is this just coincidence?
     
  25. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    This build of Boleh actually fixed a GUI bug I reported that I thought they were never going to fix.
     