AppGuard 4.x 32/64 Bit - Releases

AG newbie ~ Barb says Hi Wilders.
Is the logic to expand user space and restrict guarded apps or expand guarded apps and restrict user space. Or, expand both.

 

So, the term User Space has a different connotation than say ERP whitelist running processes.
I added C:\Sandbox to User Space. I guess, that's all I may add. Interesting. So, I may / should expand Guarded Apps then ?

 

Good for you, now you decided to use AG. I make use of the dynamic duo too lol sbie + appguard

 

I would not add any folders to user space, unless there is some need. Even Sandboxie container folder does not exactly need to be added to user space. It is sufficient to make C:\sandbox an Exception folder with Read/Write access. That folder will then belong to neither system nor user space.

It is recommended also to add that folder to user space with Yes include flag to have AppGuard guard the executions in that folder.

My advice is to add all untrusted and internet connecting apps to Guarded list. Not all apps can be added, like my VPN program for instance.

 

As Peter2150 said, the terms system-space and user-space have fixed meanings. System-space is everything on the system partition (usually C: drive) except for the current user profile folder, which is user-space. User-space is everything that isn't system-space: In other words the current user profile folder, all additional volumes, removeable media, network drives, etc.

The way AppGuard's protection model for guarded apps works is that each file and folder has both program launch and file access permissions associated with it, with different defaults applied to system-space and user-space. Where the default permissions for a file or folder don't give the desired outcome, they can be changed (where allowed) using the User Space and Guarded Apps tabs.

With Sandboxie for example, if the sandbox container folder is in its default location of C:\Sandbox, it is in system-space. As guarded apps running in a sandbox need to be able to write to the sandbox, the Settings section of the Guarded Apps tab is used to define C:\Sandbox as an Exception folder to allow write access. This setting will be inherited by all sandbox folders within the container.

If a sandbox is only used for activities such as web browsing, the user might also optionally decide to restrict program launches from that sandbox. This could be done by adding the sandbox folder within C:\Sandbox to the User Space tab with the Include flag set to Yes. Note that by doing this, the sandbox folder is not really added to user-space; it remains in system-space, but user-space launch restrictions are applied. You would not do this for any sandbox to be used for software testing.

Further detail can be found here: AppGuard 4.x 32/64 Bit

 

Hello
I have some messages show for bold is normal but when leave pc for 10-20 min then show 4 messages. I use AppGuard and this folder is {8d4f7e26-a274-487a-89ff-02b26828f01b} from Adguard.

Code:

01/11/15 10:26:59 Prevented process <inventorui.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\programdata\package cache\{8d4f7e26-a274-487a-89ff-02b26828f01b}\setup>.
01/11/15 10:26:59 Prevented process <osetupui.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\programdata\package cache\{8d4f7e26-a274-487a-89ff-02b26828f01b}\office.en-us>.
01/11/15 10:26:59 Prevented process <ezavlic.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\programdata\package cache\{8d4f7e26-a274-487a-89ff-02b26828f01b}>.
01/11/15 10:26:59 Prevented process <videoc.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\programdata\package cache\{8d4f7e26-a274-487a-89ff-02b26828f01b}\setup>.
01/11/15 09:04:49 Protection level is set to <medium>.

 

That is good point you made. I don't really want to argue about semantics. To me what acts like system space or user space is it. And also you might know more about what is going behind than me.

But yes, for testing software it might be better to have that special sandbox subfolder be having an include flag No. Than allow user space launches Guarded or unGuarded from the tray icon.

Jarmo

 

When AppGuard is first installed/started the XML comes with *some* special entries that are processed and the paths discovered on your PC and converted to the 'User Space' entries that you normally see in the list. This includes the user path/programdata.

Without these all of C:\ (or whichever drive the OS resides on) would initially treated as system space. So any user added entry in the User Space tab set to Include=Yes is treated by AppGuard exactly the same as the program added entries except (aside from manually editing the xml after disabling protection) these cannot be edited through the interface.

Any user added entries, while they may not qualify as belonging to the 'default' areas we may define as user space in our heads, do then become User Space so far as AppGuard is concerned.

 

I completely agree with you. Just to clarify this, there are two ways of looking at what system-space and user-space represent. The two ways are similar, and for most purposes interchangeable, but they are not identical.

The first way is the way BRN describe it in the help file where system-space and user-space are defined to be fixed entities that the user cannot alter. Which files and folders belong to each space is pre-defined. What the user can do is to use the GUI to alter the permissions that files and folders within each space have in the way in the way they behave with respect to guarded apps. This view is enforced in the way the GUI is organised. One implication of this is that any given file or folder will always fall into one space or the other, according to the definition given. There is no room for ambiguity.

The second way is to view system-space and user-space as moveable entities, defined in terms of the permissions applied to files and folders. Looked at this way, files and folders can be moved from one space to the other by changing their default permissions. It's quite an intuitive way of viewing things, but isn't particularly well represented by the GUI, as evidenced by the fact that it is a two-step process, using both the User Space and the Guarded Apps tabs, to move a folder from one space to the other. Also, it is possible for a file or folder to belong to neither system-space nor user-space in terms of permissions, something that isn't possible with a fixed definition of the two spaces.

In my reply to bjm_ above, I used the official, fixed definition of system-space and user-space as given by BRN, but in many of the posts I have written in this thread, starting with post #5 on page 1, I have talked about moving files and folders between the two spaces. In the end, I don't think it really matters providing that the usage is clear from the context. I agree that understanding how AppGuard works and how to customise it is what counts, not semantics over the definition of terms used to describe it.

 

See my reply to Jarmo P above.

 

Yeah, I was unsure as to adding sanbox to user space and only did after reading a post here offering that was the way to go. A member had added sanboxie to power apps and was advised exceptions and user space satisfy. Use SBoxie for browsing. So, do I leave in user space....or, does exceptions satisfy. I wanted AG to react to events in sandbox. IDK if I'm thinking in AG terms yet....

On the other issue of user vs system. My mind is still thinking in terms of whitelisting processes e.g: ERP
So, system space is foreign to me. Guarded Apps sounds like user space in anti-executables.
So, as Guarded is at default. With IE, FF, M$ Register Service, Command Processor, host process (rundll32) and Media Player. Have I basically covered all with rundll32. Do, I add programs. I mean don't I want to guard all applications ? I mean don't I want AG to guard all apps. But, as AG works on permissions then. I'm gonna' need help understanding. Are all my apps guarded by default even though not listed in Guarded Apps.

With ERP. I whitelist all running processes. How does that play in AG where the execution is not the flag but, permissions are ?

 

So, exception satisfy ? No need for user space ?

 

As I said in post #2557 above, the only thing you must do is to add C:\Sandbox as an Exception folder in the settings section of the Guarded Apps tab. The AppGuard support page is telling you only what you have to do to get Sandboxie to work with AppGuard if the sandbox container folder is in its default location in system-space. (If the sandbox container folder is located on an alternate volume, it is in user-space and you don't then need to add it as an Exception folder.)

With a sandbox used for web browsing, it is sensible to apply start/run restrictions to prevent any executables downloaded into the sandbox from running. If the sandbox folder is added to the User Space tab in AppGuard, all programs already installed on the system will automatically be allowed to run, but anything downloaded into the sandbox folder will have AppGuard launch restrictions applied. Using Sandboxie start/run restrictions, each program allowed to run has to be whitelisted separately within Sandboxie. Both methods work: The choice is yours.

With a sandbox used for software testing, the situation is different. You wouldn't want to apply start/run restrictions to a sandbox folder used to install and test software.

 

If you haven't done so already, I suggest reading post #5 on page 1 of this thread where I've tried to give a simplified explanation of how AppGuard works for new users. It may help to clarify things.

 

Thanks pegr, brilliant as usual. btw could you (I know it is much to ask for and nagging you) to add an "advanced topics", so to speak, in order to centralize all your amazing and priceless info spread throughout the entire thread?
Many valuable info is "out of sight" in hidden corner of a post in this thread.
TIA

 

Removed SBoxie from User Space. Will follow up with careful read of page 1. Had an interesting AG event while in Locked Down. Norton wanted to install FF Toolbar compatibility patch. AG advised Install mode. Install > Norton run LU > Installed patch. AG returned to Locked Down (20min). What excited me is that Norton is not in User or System by my hand. AG simply seemed to prompt on permissions.
EDIT: Pulled text copy and pdf ~~~ THANKS !!!!!!!!

 

Has anyone tried making Windows temp folder part of the user-space? Would that prevent applications with certificates on the trusted publisher's list from updating in medium mode of protection? Some whitelisting solutions like VoodooShield already block executions from Window's temp folder by default. AG will not allow guarded apps to write to Windows temp folder though, so adding Windows temp folder to the user-space may not offer any significant gain in protection unless the user has web facing applications that are not on the guarded apps list.

 

Is it even possible to make that folder part of user-space? AFAIK it can't be done with Windows folders.

 

You can easily move temp folders location via environment variables to every location you want.

@Cutting_Edgetech: Yes, I set my temp folder (c:\temp) to user space. Only problem with one application that copys there exe files there and then runs form there. But for that i made a per file user space exclusion.

 

Thank you SLE! I tried making the Windows temp folder part of the user-space last night while I was in Shadow Mode, and I did not run into any problems. I was hoping someone had already been doing this for a while so I could see if they had experienced any adverse affects. It does not seem like their would be much added protection though if the user has all of their web facing applications on the guarded apps list. Web applications would not be able to write to Windows temp folder to begin with. I also made C:\users part of the user-space instead of only C:\users\currentuser, which is AG's default settings. I just tested to see if AG would allow a guarded app to write to C:\users without it being part of the user-space, and AG blocked Firefox from writing to C:\users anyways so it looks like there would not be much added protection by making it part of the user-space. AG's seems to have covered just about everything with the policy's being enforced by AG out of the box. The user just needs to make sure to add all of their web facing applications to the guarded apps list.

 

So, why not run MBAE as it protects web facing apps. A friend makes the assertion that MBAE is superior to AG and or ERP. Also asserts HitmanPro and Alert v AG + ERP ?

Not sure how to counter ?

 

They can't be comparable...

They complement their features...