AppGuard 4.x 32/64 Bit - Releases

Discussion in 'other anti-malware software' started by Jryder54, Oct 29, 2013.

Thread Status:
Not open for further replies.
  1. lucien_phoenix

    lucien_phoenix Registered Member

    Joined:
    Oct 20, 2012
    Posts:
    134
    Location:
    Germany
    yesterday Night appguard autoupdate no Problems on my windows 7 32 Bit Machine
    now on: 4.1.44.3

    Greets from good ol Germany :cool:
     
  2. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    That's good to know. Thanks for sharing. :)
     
  3. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    @ pegr and chris1341

    I'm not using AG at the moment, but I am trying to figure out how it exactly works, out of interest. And it´s not about me saying that AG is not effective against exploits, that´s not the point. The point is that I´m seeing people claim stuff that probably isn´t correct.

    But like I said, it would be nice if a developer like Barb_C could provide some more info about the "Memory Guard" feature. Based upon from what I´ve read, I don´t think it´s blocking exploits. And I would also like to know about what "high risk" activities AG is capable of blocking. For example, HIPS like Comodo and SpyShelter will let you exactly know what they can block. :)
     
  4. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    At the moment there are only 3 apps that I know of that provide true "memory exploit mitigations", namely EMET, MBAE and HMP.A, so this automatically leads to my conclusion that AG doesn´t block exploits, but it can block the payload.

    So this discussion is not about whether AG is effective or not, because blocking payloads will probably stop most exploits. But when it comes to purely blocking exploits (not malware), AG is not as advanced as the 3 mentioned apps. :)
     
  5. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I do run EMET, but having played with the other two mentioned, I would still stick with Appguard. Whether it's a "payload" or "exploit" if it can't write to system areas, then that is all I care about. I've tested appguard, and so far have found it does everything it claims.
     
  6. Moose World

    Moose World Registered Member

    Joined:
    Dec 19, 2013
    Posts:
    905
    Location:
    U.S. Citizen
    Greeting!:thumb:

    On AppGuard Activity Report,

    what is the best to fix this below what would you suggest?

    08/03/14 06:52:00 Prevented process <epicupdate.exe | c:\windows\system32\taskeng.exe> from launching from <c:\users\michael\appdata\local\epic\update>

    So that I know what to do in the future?


    Kind regards,:confused:
     
  7. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    First question is it breaking anything. If it isn't I wouldn't worry about it. If it is then go to the guard apps tab, and click on settings. Add the folder shown above with the exceptions setttings to read/write.

    Pete
     
  8. chris1341

    chris1341 Guest

    Actually its far more advanced but lets leave it there before it becomes A vs B vs C & D. Pointless. They all try to achieve the same goal by different routes. Just because you want AG to be a bog standard whitelister does not mean it is.

    Interesting that you're now saying exploits actually do work by manipulating the memory of other processes (what AG Memory Gaurd is designed to prevent). Therefore as a parting comment I would ask you to consider what EMET does (by way of example) and ask yourself why AGs Memory Guard wouldn't help with achieving the same thing. I've noted a few EMET protections I remember just of the top of my head as I no longer use it.

    EMET applies ASLR. Why? Simple it makes it harder for exploits to access the memory of vulnerable applications by randomising the location.

    Another example, EMET applies DEP. Why? DEP undertakes additional checks to protect against non-authorised execution in memory.

    Yet another, Heap-Spray protection. Why? Attackers 'spray the heap' to identify the location of data to run an exploit against without crashing the application.

    ROP protection (in version 5?). Allows attackers to execute code in non-executable memory bypassing security mechanisms.

    The list goes on and on. These and many others show how exploits function and is why AG's Memory Guard can provide additional protection against the exploit itself - not just the payload.

    EMET, MBAE, HMP.A etc try to recognise behaviour in memory and block it if it matches the pattern of exploits. However, like it's anti-executable feature, AG does not care if the memory access/read/write is good or bad, if it comes from a threat-gate (guarded app) it's blocked.

    In that way it may help block the exploits described above much higher up the chain than a standard AE would. Simple as that.

    I know you won't agree so won't comment further (really this time ;)).

    Cheers
     
    Last edited by a moderator: Aug 3, 2014
  9. Moose World

    Moose World Registered Member

    Joined:
    Dec 19, 2013
    Posts:
    905
    Location:
    U.S. Citizen
    Peter2150!

    Thank you!:thumb:
     
  10. Krond

    Krond Registered Member

    Joined:
    Aug 28, 2005
    Posts:
    56
    I´m on stable Version and no beta - 4.0.17.0. When I click on "about" then appguard tells me, that a new version exists - 4.1.41.2. But when I click on "Download", the existing 4.0.17.0 will be downloaded. How will I get the latest stable build?
     
  11. Syobon

    Syobon Registered Member

    Joined:
    Dec 27, 2009
    Posts:
    469
    I would wait it popup on the official website http://www.appguardus.com/support/products/AG4/files/
     
  12. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    I´m not an expert, but like I said before, I see it differently. AG´s Memory Guard is not designed to stop memory corruption/exploitation, instead it´s more of a containment feature. With that I mean, if malware is already running on a system, it can stop them from injecting code into browsers and other Windows system processes. This is a standard feature in all HIPS/behavior blockers, I don´t know how to explain it in a different way.

    EMET (and the other 2 apps that I mentioned) are able to stop/disrupt exploits in a much earlier state, and they also try to stop exploits from bypassing stuff like ASLR and DEP. So that´s why I believe that you seem to misunderstand the "Memory Guard" feature. But I might be wrong, so perhaps a developer can give some clarity. :)
     
  13. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Yes, at the at end of the day all that matters is how good it is in blocking exploits, and I´m sure that AG performs quite well when it comes to this. But if I would choose to use AG, I would prefer to use it combined with EMET, if you´re not into MBAE and HMP.A. ;)
     
  14. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I have the latest Appguard beta, and also just upgraded to Emet 5.0. I also have NVT ERP and SBIE on board. They all play very well together.
     
  15. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    Memory Guard is absolutely designed to stop memory corruption/exploitation. I'm not sure why you think otherwise. AppGuard will indeed stop malware that is running in a Guarded application from writing/reading (i.e. corrupting/exploiting) the memory of all other processes in the system. I'm not sure how to explain it more clearly than that. It may also be a standard feature in all HIPS/behavior blocks, but I don't understand why that is relevant.
     
  16. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    Really, you're getting an indication that there is a new version from AppGuard 4.0.17? That shouldn't be happening. Did you ever install a 4.1 version?
     
  17. FleischmannTV

    FleischmannTV Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,094
    Location:
    Germany
    @Barb_C

    I think Rasheed wants to know if memory guard is preventing exploits in a guarded application. For example I visit an infected website with Firefox which aims to give the attacker the ability to execute code in Firefox's memory. Does AppGuard prevent that? From my understanding it just prevents the Firefox from manipulating the memory of other processes.
     
  18. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    Your understanding is correct. Thanks for clarifying.
     
  19. chris1341

    chris1341 Guest

    As noted won't discuss the Memory Guard issue, hopefully Barb_C / Fleischman have clarified that stuff but this statement's not entirely accurate. It depends where malware is running. If the malware is running in system space AG won't prevent it injecting code into system processes.

    So if it's a social engineering scenario where you've installed it deliberately or it's already on the system before AG is installed where a standard HIPS/BB might alert to suspicious activity regardless of where it's installed AG may not. If it's in somewhere like Program Files or the Windows folder or other place designated system space AG won't alert or block.

    AG blocks anything untoward from getting to system space in the first place but if it's there already it will run completely unrestricted. Think of something running outside the sandbox in SBIE or as trusted in DW. AG is much more akin to SBIE or Defensewall than standard HIPS/BB IMO. Restriction of threat-gates only, the rest of the system runs without interference.

    Apologies if you know that but your posts don't make it clear how clear you are on the whole trusted enclave approach used by AG. Guarded or in user space is restricted, nothing else is. It is the basic fundamental of how AG works and again makes it different from other HIPS & AE.

    Cheers
     
  20. Krond

    Krond Registered Member

    Joined:
    Aug 28, 2005
    Posts:
    56
    No, never been on 4.1. I have this update-message on two PC´s - first is on Win7 x64, second PC is on Win8.1 x64.

    Looked at Win8.1 now: There is a message of new Version to 4.0.17.1 --> That´s funny. Have you changed anything on your updateserver?
     
  21. Moose World

    Moose World Registered Member

    Joined:
    Dec 19, 2013
    Posts:
    905
    Location:
    U.S. Citizen
    Greeting!;)

    Anybody know the answers to they questions below:

    Question # 1. How do you make “My Documents” folder a private folder, in AppGaurd?

    Question # 2. Can you install AppGaurd,Shadow Defender and SandBoxie on the PC. Without any conflicts?
    And then run SandBoxie and Appguard at the same time? And then run Shadow Defender and
    AppGuard setting at medium without any conflicts?

    Kind regards,:thumb:
     
  22. guest

    guest Guest

  23. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Well what is there to discuss? With the help of FleischmannTV, Barb_C has finally given some clarity about this "issue", and turns out I was right. So I hope that you now know what I meant. About the rest of your reply, I did know about the basic concept of AG, but it was still helpful.

    However, I want to clarify some things, what I meant was that if AG was bypassed by some zero day attack, then it should be able to stop code injection, at least in theory. Also, why I keep referring to HIPS is because this same "anti code injection" feature that Memory Guard provides is nothing new. However, exploit mitigation apps like EMET are relatively new, and old skool HIPS (behavior blockers, policy/virtualization based sandboxes etc.) never provided true "buffer overflow" protection. :)
     
  24. Moose World

    Moose World Registered Member

    Joined:
    Dec 19, 2013
    Posts:
    905
    Location:
    U.S. Citizen
    @GrafZeppelin,

    Q1= Quick and too the point! Many thanks! Kind regards!:thumb:
    Q2= Maybe somebody that have all 3 install can answer.

    Kind regards,;)

    Question # 2. Can you install AppGaurd,Shadow Defender and SandBoxie on the PC. Without any conflicts?
    And then run SandBoxie and Appguard at the same time? And then run Shadow Defender and
    AppGuard setting at medium without any conflicts?

    Looking forward to hearing the answer:)
     
  25. kjdemuth

    kjdemuth Registered Member

    Joined:
    Jul 29, 2005
    Posts:
    2,974
    Location:
    Boston, MA
    I run Appguard and sandboxie with Shadowdefender on demand. I haven't noticed any conflicts. Now I haven't really run a lot in shadow mode but the few times I have I didn't notice any conflict.
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.