AppGuard 4.x 32/64 Bit - Releases

Discussion in 'other anti-malware software' started by Jryder54, Oct 29, 2013.

Thread Status:
Not open for further replies.
  1. Peter2150

    Peter2150 Global Moderator

    Hi MisterX

    I think that's an unrealistic expectation. For them to consider that, it would probably be a major release, which would mean we'd be paying for it. Look at how Appguard advertises itself. It offers the protection as advertised, and it does it well. Would I continue using Appguard if they did none of the things on the list? You bet.
     
  2. Mr.X

    Mr.X Registered Member

    Hi Pete
    Hopefully my expectation becomes true, as a Xmas present? :p
    I don't complain about protection so far and I know it does it well. And I will continue running AG as one of my main sec apps...
     
  3. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    I think maybe you misunderstood me. I'm saying I don't know of any Policy AE's, or Whitelisting AE's that don't offer blacklisting in some way. Some are even Hybrids of both methods. Bouncer is a Hybrid. Bouncer uses hashing, and policy to blacklist files. I think adding a simple blacklist feature to AG would not be too difficult. I already have a large list of executables I blacklist with Bouncer, and ERP.
     
  4. Barb_C

    Barb_C Developer

    Hi, thanks everyone who is sending suggestions and bug reports directly to AppGuard@BlueRidge.com. We've had a few reports that AppGuard is still blocking after it is turned off from the AppGuard tray menu. So far it seems that this only affects Windows 8.1 and above. Is that true? In addition to asking the test team to try to recreate this issue, I've asked one of the developers to review the code in this area. He reports that when AppGuard is turned off, all protections with the exception of self-protection are disabled. So if you see messages related to AppGuard memory, registry hive or AppGuard files, that is to be expected; otherwise, there is a bug that we are having trouble identifying.

    If you see this problem, it would be very helpful if you would send your Windows Application Event log to us and indicate the timeframe that you saw this. Once we can identify the type of event that is still being reported, that will help isolate the issue. Also let us know which OS you are running and whether it is 32bit or 64bit.
     
  5. Barb_C

    Barb_C Developer

    Merry Christmas (I think!). I have gotten approval to release a beta this week with some new features. It may slip into next week because of our engineers/testers holiday schedule, but I'm actually hoping that they can complete it by Wednesday. When we're closer to having the release finalized, I'll provide a list of features that made it into this release.
     
  6. Mr.X

    Mr.X Registered Member

    Of course a Merry Christmas Barb_C !
    Thank you so much for this great news indeed!
    See? This is the response of a great software company. You've never disappointed me; you were just waiting for December for such a surprise gift! LOL
     
  7. bjm_

    bjm_ Registered Member

    12/21/15 13:36:52 Prevented process <Sandboxie COM Services (CryptSvc)> from writing to <c:\windows\rescache\rc0025\rescache.hit>.
    12/21/15 13:35:05 Prevented process <Sandboxie COM Services (CryptSvc)> from writing to <c:\windows\rescache\rc0025\rescache.hit>.
    How do I tell if AG is blocking a legitimate operation?
     
  8. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Thank you for the update Barb! I did not expect a release so soon. I thought development was getting ready to start. I did not know development had already been going on.
     
  9. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    I don't use Sandboxie, but have you tried making the Com Service a Power App? I think I remember seeing a Com Service belonging to Sandboxie in the Program Files installation folder.
     
  10. bjm_

    bjm_ Registered Member

    Well, there was mention, I don't need Sandboxie exe's as PowerApp. #3865
     
    Last edited: Dec 21, 2015
  11. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Sandboxie, and AppGuard behave differently together on different systems. Some users don't need to make Sandboxie exe's Power Apps, but sometimes they do have to be made Power Apps. It looks like you need to make the Com Service a Power App, but maybe there is a better option. What OS are you using? Maybe someone will come along that uses Sandboxie, and AG together on the same OS as you with better advice.
     
  12. bjm_

    bjm_ Registered Member

    W8.1 ~ There are 5 Sandboxie COM Services. Maybe, I can Ignore. Just not in the know.
     
  13. bo elam

    bo elam Registered Member

  14. Peter2150

    Peter2150 Global Moderator


    1st question. Is Sandboxie working as it is supposed to? I've done nothing at all with the sandboxie com service stuff. I may have gotten that message and determined it wasn't causing any harm, in which case I may have just hidden the message. I've not made any Sandboxie stuff power apps.
     
  15. FleischmannTV

    FleischmannTV Registered Member

    It is probably a guarded application trying to write to rescache, but because it is also running in Sandboxie, it may look like a Sandboxie process is trying to write to that folder, at least from AppGuard's point of view that is. Maybe, if you click on 'message info' in AppGuard, you can see which application it actually is.
     
  16. marzametal

    marzametal Registered Member

    I can live comfortably without any of these being implemented. Most of the technical ones here are already covered by apps like ERP and SpyShelter; apps that people already make use of. That list can be cut in half by making use of an existing installed application, or sourcing one that is already out there and most likely freeware. There is no need to crap where we sleep; that is why the toilet was invented. So let it go... this smells like an attempt to get AG to be AIO. The requests are not working in the NVT thread, so I guess now it is AG's turn to feel the power of the feature request post tsunamis...
     
  17. bjm_

    bjm_ Registered Member

    AG Explanation.png
     
  18. bjm_

    bjm_ Registered Member

    Last edited: Dec 21, 2015
  19. bjm_

    bjm_ Registered Member

    Okay, I hear ya'. I'm not questioning you or your setup. I'm wondering what harm to PowerApp an xyz file...?
    As to SBIE working as supposed to. I'm not qualified to make that determination. That's like users posting HMP.A is working great. Working great because 25 real world attacks were intercepted. Or, working great because no obvious conflict. SBIE feels okay is all I can claim. Are my Direct Access working as supposed to. IDK for every scenario. Are my sandbox restrictions working as supposed to. IDK for every scenario.
    When I run unknown program in test sandbox. Will SBIE work as per design. I hope so.
    Sandboxie working as it's supposed to assumes facts not in my crystal ball.
     
    Last edited: Dec 21, 2015
  20. FleischmannTV

    FleischmannTV Registered Member

    @bjm_

    Regarding rescache, it's actually Firefox that's trying to write to that directory. If you ran Firefox outside of Sandboxie and guarded by AppGuard, the message would be:

     
  21. digmor crusher

    digmor crusher Registered Member

    I sort of agree with you.
     
  22. bjm_

    bjm_ Registered Member

    Okay, what is that directory? <c:\windows\rescache\rc0025\rescache.hit>.
    What data is Firefox trying to write to that directory?
    Why does AG care about Firefox writing to that directory?
    What's the downside to cryptSvc as PowerApp?
     
  23. syrinx

    syrinx Registered Member

    On my end I'd be happy just to get the PID issue resolved at this point and have it show the exe name again all of the time. There are other things I'd like to see and new features I wouldn't mind seeing, but this PID thing has started to grate on my nerves while trying to figure out what program it points to when it's no longer running.
     
  24. Peter2150

    Peter2150 Global Moderator

    @bjm_
    Let's take the how to test sandboxie private. I'll PM you tomorrow. Not appropriate for this thread.
     
  25. marzametal

    marzametal Registered Member

    A simple search of this thread for the term "rescache" would show you that this drama is not new. There are posts from 2013 mentioning rescache, and the program culprits range from Firefox, Plugin Container for Firefox, Microsoft Office Word, Sandboxie Crypto... I think it is more of a Windows thing than anything 3rd party.

    It might be worthwhile taking ownership of rescache and deleting everything except "ResCache.mni". That's just a recommendation I found doing a quick search. Another said to do the chkdsk stuff (blah), and one said it was VC++ 2008 related... It turns out I did this in September (cleaned house on rescache - only was up to 004, not 025... wow), and the .mni file is the only one that is there as of current days... original timestamp remains.

    Some links for ya' to confuse you more... lol
    1 - https://social.technet.microsoft.co...hit-used-for?forum=windowsserver2008r2general
    2 - http://virtualcustoms.net/showthrea...cache-in-Windows-7-so-it-easier-to-apply-mods
    3 - https://helgeklein.com/blog/2012/08/windows-7-default-file-system-permissions-listing/
     
    Last edited: Dec 21, 2015
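
Added example, not part of any post in this thread and not AppGuard's own tooling: a small parser for the "Prevented process ... from writing to ..." lines quoted above. It groups block events by target folder and process, optionally within a time window, so you can see at a glance which programs hit a path such as rescache and give a timeframe when reporting. The line layout is taken from the two lines posted in the thread; the third and fourth sample lines, and the process name ExampleApp, are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from pathlib import PureWindowsPath

# Layout as quoted in the thread:
#   MM/DD/YY HH:MM:SS Prevented process <name> from writing to <path>.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"Prevented process <(?P<proc>[^>]+)> from (?P<op>[a-z ]+?) "
    r"<(?P<target>[^>]+)>\.?\s*$"
)

# First two lines are from the thread; the last two are constructed.
SAMPLE = r"""
12/21/15 13:36:52 Prevented process <Sandboxie COM Services (CryptSvc)> from writing to <c:\windows\rescache\rc0025\rescache.hit>.
12/21/15 13:35:05 Prevented process <Sandboxie COM Services (CryptSvc)> from writing to <c:\windows\rescache\rc0025\rescache.hit>.
12/21/15 13:40:10 Prevented process <ExampleApp> from writing to <C:\Windows\rescache\rc0025\other.hit>.
some unrelated line that does not match the layout
""".strip().splitlines()

def parse_line(line):
    """Return a dict for one block message, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "time": datetime.strptime(m["ts"], "%m/%d/%y %H:%M:%S"),
        "process": m["proc"],
        "operation": m["op"],
        "target": PureWindowsPath(m["target"]),
    }

def summarize(lines, start=None, end=None):
    """Group block events by (target folder, process) inside [start, end]."""
    groups, skipped = defaultdict(list), 0
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            skipped += 1          # keep a count so unparsed lines are not silently lost
            continue
        if (start and ev["time"] < start) or (end and ev["time"] > end):
            continue
        # Windows paths are case-insensitive, so fold case for the grouping key.
        folder = str(ev["target"].parent).lower()
        groups[(folder, ev["process"])].append(ev["time"])
    report = {k: {"count": len(v), "first": min(v), "last": max(v)}
              for k, v in groups.items()}
    return report, skipped
```

Calling `summarize(SAMPLE)` returns one entry per folder and process pair with its count and first and last timestamps, plus the number of lines that did not match.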