AppGuard 4.x 32/64 Bit - Releases

Discussion in 'other anti-malware software' started by Jryder54, Oct 29, 2013.

Thread Status:
Not open for further replies.
  1. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    This is false alarm because of a program "helper.exe" that was part of AppGuard 4.0 used for the initial license activation (and included in the AppGuard.msi). It is removed in AppGuard 4.1 (not because of the false alarm, but because of a different technique we're using). The files can be quarantined and AppGuard will still work. The helper.exe program is only used during license activation. Upgrading to version 4.1 should remove the files and you should be good to go.
     
    Last edited: Aug 23, 2014
  2. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    Thanks!!!! We have worked hard over the past 5 or so years to try to find the sweet spot between significant protection and usability. I think we're close, but can always improve!
     
  3. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    Okay, now for the real reason that I came onto this thread on a Saturday...

    I have a customer who is asking about recommended AppGuard settings with respect to Steam and Origin. Since I'm unfamiliar with those programs I thought that someone here could help me out. Should they be Guarded? Can they be? Or should I just tell him to exclude the directories from user-space?
     
  4. controler

    controler Guest

    Barb

    Since you are not using this technique any longer, can I ask what was being attached to or and injected into for this activation process?

    Thanks
     
  5. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    Thanks again everyone for coming to AppGuard's defense! I'm sorry that I was away for so long, but we had another release of Tech Fortress (no new features - only additional support URLs in the About Box - they're expanding their marketing to the UK) and then I got sick. Also with Blue Ridge's vacation schedule, I've had to support some of the other products that are usually covered by someone else. Enough excuses. I'll try to be more present in the future, but it's nice to know that you have my back when I'm not around.
     
  6. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    We were using a 3rd-party product and this was the response that I got from the vendor when I asked:

    The wrapping engine included in the Licensing Wizard has sophisticated encryption and other features to make it difficult for a hacker to figure out how the protection works. This behavior sometimes trips up anti-virus tools as a false positive virus.
    That and the fact that we did not digitally-sign this file is probably what caused it.
     
    Last edited: Aug 23, 2014
  7. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,178
    Location:
    The Netherlands
That's the thing, you would expect it to break lots of apps. For example, Sandboxie will simply virtualize apps, so most apps will work correctly, while keeping the system clean and safe.

I'm not really into AG, but I'm trying to figure out how it works, and why it's quite popular on this forum. I personally prefer other tools, like EXE Radar, Sandboxie and HIPS. ;)
     
  8. controler

    controler Guest

    ya well wutever
     
  9. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Yeah, I laughed when I saw that, but then just hit the ignore button.
     
  10. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Rasheed

It's going to be tough figuring it all out without installing it and watching how it works. As to its popularity, and why I confess to being a fan boy.....simple, IT WORKS!!
     
  11. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    HI Barb

When I first started with Steam, I asked one of the other users about it, in a Sandboxie context. He also stated he didn't guard Steam. Well, I just tried and it was no go. Steam wants to write to a dump folder and a log folder, all of which are in the Program Files (x86) folder. That was easy to fix. But then it wanted to write directly into the program folder, and that was a no go. I accept what the other user told me, that Valve, which is the company behind Steam, keeps it clean, and also I am running EIS/EAM (AV and BB), so I just am not worried about it.

    Pete

    I tried it again adding the whole steam folder, but no cigar. It breaks itself and wants to do a repair.
     
    Last edited: Aug 23, 2014
  12. oliverjia

    oliverjia Registered Member

    Joined:
    Jul 21, 2005
    Posts:
    1,930
I have some simple advice for situations like Steam and others that are known to be good programs (Flash Player, for example, uses random directory locations): why not use publisher information as a validation criterion to allow the program's activities? That way you don't have to keep whitelisting every file/path it wants to write to, but as long as the publisher info is verified, it can write to the C:\Program Files folder as needed without any trouble.
     
  13. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
Thanks for investigating. That's too bad. A program shouldn't write to its own Program Files directory (even we did it in some of our older products, though; it WAS how things used to be done). Now programs should be writing to the AppData folder.
     
  14. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,100
    Location:
    Canada
    Hi Barb,

First, my apologies if the question I'm about to ask has been answered in this extensive thread.

What I'm seeing quite often are write-blocked PIDs that aren't showing in Process Explorer's PID column. An example is in the attached screenshot. It seems in all cases there is no application path for the blocked PID, nor is there a parent process listed for it. The protected resource path is, however, shown. Do you know why this would be? Thanks for any feedback you can provide.
     

  15. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,696
    Location:
    USA
AppGuard already allows users to whitelist applications by digital certificate. Adobe's digital certificate comes whitelisted by default. The user can add additional digital certificates to suit their own needs. Are you informing BlueRidge Networks to facilitate whitelisting by digital certificate, or informing the users to use that method, which already exists in AG? I remove most digital certificates that come with AG by default for a little added security. I don't know anything about Steam. I don't even know what it is. What is it? Is it some sort of a game? It brings up games when I do a Google search. Steam gets mentioned often here, but I don't even know what it is. Is it digitally signed?
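The two posts above (oliverjia's suggestion of publisher-based validation and Cutting_Edgetech's note that AG whitelists by digital certificate) both rest on the same check: verify a file's Authenticode signature and trust the signer, not the path. The PowerShell script below is an added example, not code from AppGuard, Blue Ridge Networks or Valve; it verifies the signature of one executable and, only if the signer is on a reviewed allow list, emits an AppLocker publisher rule for it. The Steam path and the publisher subject string in `$trustedPublishers` are constructed placeholders; the AppLocker cmdlets need the AppLocker module (Windows Enterprise/Server editions).

```powershell
# Added example: build a publisher (certificate) based allow decision for one file.
# $ExePath is an assumed location; pass the real path of the program in question.
param(
    [string]$ExePath = "${env:ProgramFiles(x86)}\Steam\Steam.exe"  # assumed path
)

# Step 1: verify the Authenticode signature. 'Valid' means the hash matches,
# the chain builds to a trusted root and the certificate is not revoked/expired
# at signing time; anything else ('NotSigned', 'HashMismatch', 'UnknownError')
# is not a basis for a publisher rule.
$sig = Get-AuthenticodeSignature -FilePath $ExePath
if ($sig.Status -ne 'Valid') {
    Write-Output "Signature status for '$ExePath': $($sig.Status). No publisher rule built."
    return
}

$subject    = $sig.SignerCertificate.Subject
$thumbprint = $sig.SignerCertificate.Thumbprint
Write-Output "Signed by : $subject"
Write-Output "Thumbprint: $thumbprint"

# Step 2: compare the signer against publishers you have actually reviewed.
# Constructed placeholder; replace with the exact Subject strings you trust.
$trustedPublishers = @(
    'CN=EXAMPLE PUBLISHER, O=Example Corp, L=Example City, S=Example State, C=US'
)

if ($trustedPublishers -notcontains $subject) {
    Write-Output "Publisher is not on the reviewed allow list; review it before trusting."
    return
}

# Step 3: generate an AppLocker publisher rule from the signed file. The rule
# keys on the certificate chain and product/binary name, so later updates by
# the same publisher stay allowed without re-whitelisting every path.
Get-AppLockerFileInformation -Path $ExePath |
    New-AppLockerPolicy -RuleType Publisher -User Everyone -Xml
```

The output of the last pipeline is AppLocker policy XML that can be reviewed and merged into a policy; a whitelisting tool such as AppGuard would consume the same signer identity (subject or thumbprint) through its own certificate list. Note that a valid signature only proves who published the file, not that the file is safe, which is why the allow list is kept separate from the signature check.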
     
  16. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,696
    Location:
    USA
I'm a HIPS guy also. HIPS performs the same task AEs do, but with added control of other system components. I think I have been using Online Armor since like 2004. I just wish Emsisoft would give more priority to it, and not neglect their OA users. I don't use any of their other products. In the past OA has performed better than other HIPS products in their own tests. OA blocks executions sooner than any other product I have tried. I just wish they would start development on it again. I especially wish they would upgrade the firewall capabilities: IPv6, more complex firewall rules, ASLR, DEP, etc. I have been using OA and AG together for years. They work great together. I have rarely ever changed anything in my security setup. The fact is AG works great with all the other security products I have tried. I always use a layered security approach. Ok, that's enough about OA. I don't want to steer the thread off course. Sorry for my rambling!
     
    Last edited: Aug 23, 2014
  17. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Oliverjia

    This frankly is starting to annoy me. You are making posts that are mostly irrelevant to Appguard. Please, either try the program and learn it or stop.

    Pete
     
  18. oliverjia

    oliverjia Registered Member

    Joined:
    Jul 21, 2005
    Posts:
    1,930
Fine, I admit I did not read all of the AppGuard manual, and it already uses publisher rules. However, the problem is why you users still get so many trivial problems even when dealing with legitimate programs. In fact, it was the mention of someone having trouble installing/using Steam that led to my curiosity: why is there still so much trouble even when publisher rules already exist? Isn't it a demonstration of lousy coding skills? I could not imagine a Windows admin would still be able to keep his/her job if such nonsense kept happening and you didn't know which program is going to be in trouble next.

I don't understand your mindset. Maybe that's why there are groups of fanboys in this world. Making a big fuss out of nothing. Frankly, how AppGuard users struggle to get their programs to work under the "monitoring" of AppGuard has nothing to do with me. I am a happy user of the Windows OS security features themselves, AppLocker + User Account Control, and I don't have to go through all this trouble getting legitimate programs to run as you "geniuses" have to go through with AppGuard. Just hilarious. I am sorry, I could not help laughing at you fanboys wasting your time dealing with unnecessary trouble. It always amuses me, lol.

OK, now I'll stop. I will never use this sort of "revolutionary" third-party program like I did a couple of years ago, period. Most of the time, what these kinds of programs do is use fancy terms to bombard you, so that you believe how "revolutionary" and advanced they are, while most of the concepts behind the fancy terms are already used by the OS itself. Once you are familiar with Windows admin skills, you'll know how naive these kinds of programs are. To be honest, using such boastful programs would be an insult to my intelligence.

    And finally, fine, you got what you want, I'll shut up.
     
    Last edited: Aug 23, 2014
  19. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,696
    Location:
    USA
Maybe you don't realize this, but this is also used as the beta test thread for testing beta builds of AG. Many of the problems you are seeing posted here are due to bug reports on the beta releases. You are exaggerating the number of problems users run into with AG. You are also trying to give the impression that users will not run into similar problems when using AppLocker, which is not true. AG offers protection similar to AppLocker for users that lack the system knowledge to configure AppLocker, or for those that simply prefer to use something else. Yes, AppLocker offers more system-wide control, but the level of protection against infections is still similar. They can even be used together. There is a free trial so the user can try it for free to see if it's for them. If not, then there are many other options out there. Sorry, but running at the mouth about something you have never tried seems unintelligent to me.
     
    Last edited: Aug 23, 2014
  20. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,595
    I have a Windows 8.0 64 bit Laptop and was considering upgrading to Windows 8.1 64 bit. Should I hold off on the upgrade until this bug is resolved?
     
  21. syrinx

    syrinx Registered Member

    Joined:
    Apr 7, 2014
    Posts:
    427
In this particular case I find that highly unlikely, as the program in question was actually my FW/HIPS software (Agnitum Outpost Security Suite). It runs at boot, so there would be no parent processes up the line. (Also on Win7, not 8 =( ) It hasn't happened since (but after reviewing logs it seems it WAS updating near this time) and seemed to have no effect on operations despite claiming to have stopped the changes, but I just wanted to mention it here in case any others had similar incidents where it DID have a negative impact...
     
  22. syrinx

    syrinx Registered Member

    Joined:
    Apr 7, 2014
    Posts:
    427
Oliverjia, we get it, you have the best security setup ever and will not get infected or be exposed to an exploit that can bypass your protection even before an update is issued by Microsoft... but seriously dude, I'm glad that your setup works for you! I can't argue that it is effective to a degree. However, even using UAC with a LUA and SRP does not prevent 'an allowed application' from reading or writing to other processes' memory, further increasing the chance that an exploit will be able to make use of a flaw or bypass the built-in security of Windows before you receive an update. This is the main reason I use AppGuard: to guard internet-enabled apps (memory guard).

I have a modified Windows installation with MANY components removed/disabled to reduce the attack area even before updates for those components I never use are made available. I also use a FW to control inbound/outbound communications with HIPS and further restrict its interaction with the system (this includes MS stuff). On top of that, all non-OS internet-facing apps are sandboxed to prevent permanent changes should anything ever get a hold temporarily. I also use real-time AV with exploit protection and am testing MBAE/EMET. There are even a few more I won't mention here that overlap a bit, but each has something the other doesn't. Sure, it could seem like overkill, but I'll bet the chances of one of those measures stopping a new exploit from unloading a payload or shell command are much higher than sticking to MS built-in safeguards.

    I won't say AppGuard alone is enough, but then neither are your rules. Discounting AppGuard because you can achieve part of what it does with AppLocker alone is a mistake that I can only hope you'll never regret. Dissing the user base (which *could* appear to be your goal) is pointless as they either understand how it works (and mock you~which is not what I am trying to do, I think I know where you're coming from) or they are (currently) clueless and are learning (struggling as you put it) or trust the judgment of someone who suggested it and will most likely never see this thread anyway. I think you may also be struggling here as you fail to see how it could aid in a secure setup.

Your setup is a good start. It's secure to a degree. I like to think my setup is good as well, but even with my overlapping components I know that it is only 'more' secure in a matter of degrees. If it can be written by man, it can be broken by man. Relying solely on the OS protections only makes it easier for an adversary to bypass your security.

    After all that the only thing I have left to say is Stop talking and TRY it before you continue...PLEASE.
     
    Last edited: Aug 24, 2014
  23. oliverjia

    oliverjia Registered Member

    Joined:
    Jul 21, 2005
    Posts:
    1,930
    Since I see my id is called upon, I'll try to reply to your post.

First off, no need to get emotional. I never said my setup is perfect or immune to malware. In computer security, all it comes down to is statistics and probability; nothing is 100%. I also have KIS 2015 installed, and EMET 5.0 at max security settings as well for extra security. As for the logic of trying it in order to know how it works, it's flawed, since you don't need to drink poison in order to know that it is poisonous.

    I see your point - once a malware is allowed to run, Appguard will be able to "contain" it to limit the potential damage. Appears reasonable. However,

1. Being behavior-based, AppGuard also does this "containing" to legitimate programs, which can cause a lot of trouble.

2. As I mentioned before, the battle between malware and security apps ultimately comes down to which process (the process from the malware or the security app) has higher privilege. If a malware obtained system privilege, it could very likely uninstall or disable any security products you installed on your system, no matter how many layers of security you think you implemented on your system. The number of layers does not matter; the privilege of the process matters.

3. The kernel of Windows x64 is protected by PatchGuard. For Windows 8.x, currently there is no known method to break PatchGuard, which means the Windows kernel is safe, therefore no catastrophic system damage will occur by malware, because user mode execution does not have the privilege to write directly to paging and other programs' memory. You see, PatchGuard already provides very strong system-level protection. Even antivirus vendors have no way to patch the x64 kernel anymore, because MS locked down the kernel with PatchGuard. Have a brief read at the link below and please notice the different levels of the computing system:

    http://msdn.microsoft.com/en-us/library/windows/hardware/ff554836(v=vs.85).aspx

AppGuard works in user mode (same as antivirus software and most malware), while PatchGuard works in kernel mode. AppLocker enforcement is also in kernel mode: http://technet.microsoft.com/en-us/library/hh994614.aspx, which is why it's almost impossible to be exploited. AppGuard is working at the Windows API and application levels. As with all other third-party applications, it has much higher risks of being exploited by malware. I am sure you see the difference by now. So NO, your claim that "However even using UAC with a LUA and SRP does not prevent 'an allowed application' from reading or writing to other processes memory further increasing the chance that an exploit will be able to make use of a flaw or bypass the built in security of windows before you receive an update" is wrong: 1. I use AppLocker, not SRP. 2. Currently there is no known method to break PatchGuard, therefore no exploit will bypass PatchGuard in Windows 8.x, therefore no system damage will be done (although there could be application-level damage). 3. Please read a bit about Windows programming: http://en.wikibooks.org/wiki/Windows_Programming/User_Mode_vs_Kernel_Mode. A bootkit can relatively easily compromise AppGuard, while it will be extremely difficult to penetrate PatchGuard and AppLocker, especially when you have Secure Boot enabled in the UEFI BIOS.

I hope you understand by now why I don't have to install AppGuard to know that it will have less security than AppLocker, because user mode is always less secure than kernel mode; it's in the design of the Windows OS.

And, I stand to be corrected, as I am no expert in IT security. Any arguments based on facts are welcome.

To address your concern, I don't work in the IT field. I am a chemistry research professor at a university. Computer security is only a hobby of mine. And, I am not against AppGuard, because it sure does add an additional layer of security. For people who don't have access to the Windows 8.x Enterprise version for AppLocker, AppGuard is a not-bad choice. The reason I started this thread crapping is mainly because of the boastful language on AppGuard's website. As a researcher, I natively feel sick of the use of fancy terms to create a hype, as mentioned in this article: "There is no such definition line possible for testing HIPS software and my feeling is that some of the vendors may possibly use this to their own advantage (“hype”)." http://www.techsupportalert.com/best-free-hips.htm

So yes, I was thread crapping for the sake of my principles, not for making money by bad-mouthing some security product. In fact, if AppGuard used some different wording in its marketing language with some basic description of its working principle to justify that wording, I might have recommended it to people who have no access to AppLocker. But now, I read its website and I feel AppGuard is THE ONE that will cure all types of malware attacks. At least it is very misleading to me.

     
    Last edited: Aug 25, 2014
  24. G1111

    G1111 Registered Member

    Joined:
    May 11, 2005
    Posts:
    2,304
    Location:
    USA
    Quick question. In v4.0 I needed to uncheck "enable protected view" in MS Office 2013 x64. I am now running AP 4.1.45.1. Can I re-enable protected view?
     
  25. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590

ENOUGH!!!! This is completely derailing this thread. Any arguments based on facts are not welcome; in fact, any replies to this post, pro or con, will be removed. Period. The last statement I quoted above has a simple definition, trolling, so please stop.

Also, there have been excessive questions by people not interested in trying AppGuard but who "want to know how it works". One question by a user, fine, but it's gotten excessive. I am going to start removing these also.

    All this isn't fair to legitimate users who come looking for help, or to Barb_C who tries to answer all of this.

    Pete
     