AppGuard 4.x 32/64 Bit - Releases

Discussion in 'other anti-malware software' started by Jryder54, Oct 29, 2013.

Thread Status:
Not open for further replies.
  1. FleischmannTV

    FleischmannTV Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,093
    Location:
    Germany
    @Cutting_Edgetech

    This was about solving the OP's problem and not a general discussion whether the container folder should be added to user space or not. I for one find it beneficial to add it because it can stop malicious dlls from running inside the sandbox. Yet the OP had a problem with programs not working because the dlls could not launch and adding the container folder to user space clearly does not solve this problem.
     
  2. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    5,258
    Location:
    .
    Great explanation CE, thanks a lot again. Hopefully Barb_C will read these posts and we'll see what happens? In the meantime I can contact BRN as advised by you.
     
  3. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,696
    Location:
    USA
    Actually his initial question was does it pose a security threat to not add the sandbox folder to the user-space. The following is his initial question from post 2414, "I managed these issues by NOT adding c:\Sandbox folder to User Space. Does this setting pose a security risk?" In my opinion this does pose a security risk, but it could also be considered not having the added protection of AG. Not adding the sandbox folder to the user-space means AG will not block executions in the sandbox such as drive-by-downloads from browsers, and the execution of other malware from other sandboxed applications such as email clients, etc. Unfortunately AG is not adding much protection if the sandbox cannot be added to the user-space. The only protection AG is adding in this case is if some malware is able to break out of the sandbox. AG may be able to prevent it from spreading to critical system resources. The 2 options I gave him do work for most other users. I still think problems like these should be reported to BRN. They may be able to use this information to find fixes, or make other changes that would lead to AG being a better product. Maybe Barb will see the post soon, and respond.
     
  4. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,696
    Location:
    USA
    No problem! Sorry I could not find a fix. How long have you been using Sandboxie?
     
  5. FleischmannTV

    FleischmannTV Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,093
    Location:
    Germany
    Just to make things clear, I also advise adding the container folder to user-space.

    For one it is a more convenient option than start/run restrictions because it only blocks drive-by downloads and lets system space files launch, whereas start/run restrictions would block these as well unless they're listed as allowed. Further it blocks the launch of malicious dlls, against which start/run restrictions are only of limited use, at least to my understanding, because you can only allow or block rundll32 and the likes, whereas AppGuard makes a distinction from where the dlls are launched.
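The difference between a "user space" folder rule and a start/run allow-list, as discussed in the posts above, can be checked offline with a small model. This is an added example and not AppGuard's code: the folder lists, container paths, event format and verdict strings are constructed for the demonstration, and AppGuard's real evaluation order and exception lists are not modelled.

```python
"""Added example, not AppGuard's code: a model of two policy types, a
"user space" folder list versus a start/run allow-list, so the effect of
adding the Sandboxie container folder to user space can be tested offline.
Folder names, file paths and verdict strings are constructed assumptions."""
from __future__ import annotations

from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class Event:
    kind: str   # "exec" = a program is launched, "dll" = a module is loaded into a guarded app
    path: str   # Windows path of the file being launched or loaded


def _parts(path: str) -> tuple[str, ...]:
    # Case-insensitive, separator-agnostic comparison of Windows paths.
    return tuple(p.lower() for p in PureWindowsPath(path).parts)


def _under(path: str, folders: tuple[str, ...]) -> bool:
    p = _parts(path)
    return any(p[: len(_parts(f))] == _parts(f) for f in folders)


def user_space_verdict(ev: Event, user_space: tuple[str, ...]) -> str:
    """User-space rule: nothing that lives in a user-space folder may launch or
    be loaded as a DLL. Files in system space (and anywhere not listed) are
    left alone, so ordinary programs keep working without an allow-list."""
    return "block" if _under(ev.path, user_space) else "allow"


def start_run_verdict(ev: Event, allowed_exes: frozenset[str]) -> str:
    """Start/run restriction: only allow-listed program names may start; every
    other launch is blocked, system-space programs included. A DLL load is not
    a launch, so this rule never sees it; the only lever is to allow or block
    host programs such as rundll32.exe."""
    if ev.kind == "dll":
        return "not-inspected"
    return "allow" if PureWindowsPath(ev.path).name.lower() in allowed_exes else "block"


def evaluate(events, user_space, allowed_exes):
    """Return {path: (user_space_verdict, start_run_verdict)} for each event."""
    return {ev.path: (user_space_verdict(ev, user_space), start_run_verdict(ev, allowed_exes))
            for ev in events}


# Constructed events; the container layout imitates Sandboxie's C:\Sandbox\<user>\<box>\...
EVENTS = (
    Event("exec", r"C:\Windows\System32\notepad.exe"),
    Event("exec", r"C:\Sandbox\alice\DefaultBox\user\current\Downloads\setup.exe"),  # drive-by download
    Event("dll",  r"C:\Sandbox\alice\DefaultBox\user\current\AppData\Local\Temp\helper.dll"),
    Event("exec", r"C:\Users\alice\Downloads\installer.exe"),
)

WITHOUT_SANDBOX = (r"C:\Users",)                 # the OP's setting: container not in user space
WITH_SANDBOX = (r"C:\Users", r"C:\Sandbox")      # the setting recommended in the thread
ALLOWED = frozenset({"notepad.exe"})             # assumed start/run allow-list


if __name__ == "__main__":
    for label, space in (("container NOT in user space", WITHOUT_SANDBOX),
                         ("container in user space", WITH_SANDBOX)):
        print(f"\n{label}:")
        for path, (us, sr) in evaluate(EVENTS, space, ALLOWED).items():
            print(f"  user-space={us:13} start/run={sr:13} {path}")
```

Running it shows the two effects the post describes: with the container folder in user space, the download and the DLL inside the container are blocked while notepad.exe still launches, whereas the start/run rule blocks every launch that is not allow-listed and never looks at the DLL load at all. It also shows why the OP's programs broke: a legitimate DLL inside the container is blocked by the same rule.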
     
  6. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    5,258
    Location:
    .
    Oh, don't be, sometimes problems are beyond our scope. I've been using SBIE for 1 year only. With basic settings (not advanced settings nor advanced knowledge of it) and AppGuard barely 2 months. Besides I am a n00b in security.
     
  7. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,696
    Location:
    USA
    We all had to start from somewhere. I'm definitely no professional, but I have accumulated a lot of knowledge over the years. I work more with hardware, but I stopped building machines 4 years ago. The technology has already changed so much. It's a constant struggle to keep up with advances in technology.
     
  8. syrinx

    syrinx Registered Member

    Joined:
    Apr 7, 2014
    Posts:
    427
    I was wondering if anyone could double check my most recent find.

    I've found that after setting the protection level to off temporarily then setting it back to locked down or medium results in the 'Guarded Execution' and 'Privacy Mode' menus of the notification tray icon vanishing until a reboot. (While a guarded app is running even if it is launched after protection is rearmed.)

    It's not a huge deal as previously I never saw (and have never had reason to use) these at all as I used runas as a limited user in combo with Sandboxie 3.76, which also resulted in not showing the menus, as expected. I just noticed it now as I have upgraded to Sandboxie 4 and started to see the menus appear as they are meant to. They just never return after it is set to off then rearmed.
     
    Last edited: Nov 22, 2014
  9. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Syrinx

    On Win 7 x64 here. Just tested and I don't see that behavior

    Pete
     
  10. digmor crusher

    digmor crusher Registered Member

    Joined:
    Jul 6, 2012
    Posts:
    1,277
    Location:
    Canada
    I don't see it either.
     
  11. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    Nor me.
     
  12. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,178
    Location:
    The Netherlands
    @ pegr

    Has it already been investigated why AG failed to protect against the "hollow process" test? Or perhaps it didn't actually fail?
     
  13. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    I think this is a question that only Blue Ridge Networks can answer.

    As I said previously in the other thread, although MemoryGuard didn't stop the HMPA "hollow process" test when I ran it, I would nonetheless expect the other features in AppGuard to contain the payload from a real attack using the process hollowing technique.
     
  14. stackz

    stackz Registered Member

    Joined:
    Dec 27, 2007
    Posts:
    648
    Location:
    Sydney Australia
    Re ancient technique known as process hollowing:
    AppGuard completely contains any guarded process and child processes.
    AG will allow a guarded parent to spawn a child process and inject into it. Nothing is broken by allowing this as the child process is guarded and therefore completely contained.
    If AppGuard did not allow this, how would a browser be able to open a new tab, or open a link in a new instance of itself?

    AG will not allow any guarded process to inject into the memory space of any process that it is not the parent of.
    No guarded process can write to system space, therefore any malware you throw at AG is completely contained.
     
  15. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    We have confirmed that AppGuard does protect against this attack (at least against the versions of the malware that we've been able to obtain).
     
  16. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    I always thought it would do, but it's good to see it officially confirmed against live malware.
     
  17. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,178
    Location:
    The Netherlands
    Yes of course, but it should stop any attack related to code-injection/process manipulation, so that's why I'm checking.

    Actually, I thought that "process hollowing" is a newer technique that's being used nowadays. I also didn't know that code-injection is allowed from parent to child process if it's a guarded app. Then it makes sense that it didn't stop the HMPA test.

    Can you give some more info, what malware was tested against AG, and how was it stopped? To clarify, I was talking about the HMPA testing tool. According to pegr, AG didn't stop it from injecting code into calc.exe.
     
    Last edited: Dec 2, 2014
  18. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    As I said in the other thread, calc.exe was started as a child process of the HMPA testing tool, which I assume is why MemoryGuard didn't stop the code injection. This is the same point that stackz made in his reply above.
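The rule stackz and pegr describe above (a guarded parent may inject into a child it spawned, because the child inherits the guard, but not into a process it is not the parent of) and the hollowing sequence itself can both be expressed as checks over a process-event log. The following is an added example and not AppGuard's or HitmanPro.Alert's code: the event format, PIDs, operation names and verdict strings are assumptions constructed for the demonstration.

```python
"""Added example, not AppGuard's or HitmanPro.Alert's code: an analyser over a
constructed process-event log that (a) recognises the classic process-hollowing
sequence (create suspended, unmap, write, set thread context, resume) and
(b) applies the containment rule described in the thread: a guarded parent may
write into a child it created, since the child inherits the guard, but not into
any process it is not the parent of. Event format, PIDs and verdict strings are
assumptions for this demo."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

HOLLOW_STEPS = ("create_suspended", "unmap_section", "write_memory",
                "set_thread_context", "resume_thread")
MEMORY_OPS = HOLLOW_STEPS[1:]          # cross-process memory/thread manipulation
CREATE_OPS = ("create", "create_suspended")


@dataclass(frozen=True)
class Event:
    seq: int      # ordering of the event
    op: str       # one of CREATE_OPS or MEMORY_OPS
    actor: int    # pid performing the operation
    target: int   # pid acted on; for CREATE_OPS this is the new child's pid


def build_lineage(events, guarded_roots):
    """Return (guarded, parent). A pid is guarded if it is a guarded root or
    was created by a guarded process: children inherit containment."""
    guarded = set(guarded_roots)
    parent: dict[int, int] = {}
    for ev in sorted(events, key=lambda e: e.seq):
        if ev.op in CREATE_OPS:
            parent[ev.target] = ev.actor
            if ev.actor in guarded:
                guarded.add(ev.target)
    return guarded, parent


def memory_guard_verdict(ev, guarded, parent):
    """Parent/child rule for one memory operation, as the posts describe it."""
    if ev.op not in MEMORY_OPS:
        return "n/a"
    if ev.actor not in guarded:
        return "unguarded-actor"            # nothing for the guard to contain
    if parent.get(ev.target) == ev.actor:
        return "allowed-contained"          # child is guarded too; payload stays in the box
    return "blocked"


def hollowing_pairs(events):
    """(actor, target) pairs whose ops contain HOLLOW_STEPS as an ordered subsequence."""
    by_pair = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.seq):
        by_pair[(ev.actor, ev.target)].append(ev.op)
    hits = []
    for pair, ops in by_pair.items():
        it = iter(ops)                      # `in` on an iterator consumes it: ordered-subsequence test
        if all(step in it for step in HOLLOW_STEPS):
            hits.append(pair)
    return hits


def analyse(events, guarded_roots):
    guarded, parent = build_lineage(events, guarded_roots)
    return {
        "guarded": guarded,
        "verdicts": {ev.seq: memory_guard_verdict(ev, guarded, parent) for ev in events},
        "hollowing": hollowing_pairs(events),
    }


# Constructed log. pid 100 plays the test tool, pid 200 the calc.exe it spawns,
# pid 300 an unrelated running process, pid 400 a guarded browser opening a tab (401).
EVENTS = (
    Event(1, "create_suspended", 100, 200),
    Event(2, "unmap_section", 100, 200),
    Event(3, "write_memory", 100, 200),
    Event(4, "set_thread_context", 100, 200),
    Event(5, "resume_thread", 100, 200),
    Event(6, "write_memory", 100, 300),     # same technique aimed at a non-child
    Event(7, "create", 400, 401),
)

if __name__ == "__main__":
    result = analyse(EVENTS, guarded_roots={100, 400})
    print("hollowing sequences:", result["hollowing"])
    for ev in EVENTS:
        print(f"seq {ev.seq}: {ev.op:19} {ev.actor}->{ev.target}: {result['verdicts'][ev.seq]}")
```

The two halves answer different questions. The subsequence check is the detection part, the piece you would point at real telemetry rather than at a constructed log; the verdict function is the containment part, and it reproduces what pegr saw: the write into calc.exe is "allowed-contained" because the tool created calc.exe, while the identical write aimed at an unrelated process (seq 6) is blocked.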
     
  19. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I doubt Blueridge would test against a testing tool. They tested against real malware, and Appguard did its job. QED

    I also suspect if Barb wanted to give the information she already would have.

    Pete
     
  20. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,178
    Location:
    The Netherlands
    Yes I saw it, but does it make sense to allow a parent to inject code into a child process? It's a bit confusing to me.

    Actually, I thought that they tested it against the malware that you encountered. Like I said before, I would like to know how AG stopped it, and with what message.
     
  21. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    If they had wanted to disclose that they would have, and your liking to know, especially since you don't use their product, makes a weak case to expect them to answer you.
     
  22. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    741
    Location:
    United States
    I've been running AppGuard in lockdown mode. What are the disadvantages to this? Thanks
     
  23. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,178
    Location:
    The Netherlands
    @ Peter2150

    Please not this stuff again, the question is directed to the developer, let's see what she has to say. Like I said, I initially thought that you supplied the malware sample to her, but apparently they decided to test some other malware that's using the "process hollowing" technique, so it would be interesting to know how AG blocks it.
     
  24. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Memory Guard would block it, as it's altering the memory of a process
     
  25. jansu

    jansu Registered Member

    Joined:
    Dec 2, 2014
    Posts:
    3
    Hi. I'm just beginning to use AppGuard and I have a few questions.
    Google Chrome was set by default:

    http://i.imgur.com/dzsQIET.jpg

    Other pages load, but I am disturbed by the entries in the "Activity Report":

    http://i.imgur.com/xo8htbL.jpg

    Should I ignore it or add something in the settings?
     