AppGuard 4.x 32/64 Bit - Releases

Discussion in 'other anti-malware software' started by Jryder54, Oct 29, 2013.

Thread Status:
Not open for further replies.
  1. marzametal

    marzametal Registered Member

    Joined:
    Mar 19, 2014
    Posts:
    766
    I copy the ones from Users directory, mainly LUA version and Admin Rights version. The one that is located in Program Files is Restore version.
     
  2. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,457
    Location:
    .
    What would Guarded Apps Firefox write to Guarded Folder c:\windows\rescache\rc0025\rescache.hit were it not for AppGuard default policy? And why does AppGuard default policy care about rescache.hit? Presume HitPlayer.
    I tried google: what is rescache.hit
     
    Last edited: Dec 24, 2015
  3. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    I think BRN should look to adding changes suggested by Cutting_Edgetech and others in this thread. Whilst not essential, they would be useful additions IMO.
     
    Last edited: Dec 25, 2015
  4. hjlbx

    hjlbx Guest

    :thumb:
     
  5. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,457
    Location:
    .
    AppGuard Locked Down > Prevented process <npe.exe | c:\program files\norton security with backup\engine\22.5.5.15\nsbu.exe> from launching from <c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nsbu_22.5.2.15>.
    Curious observation: when trying to run the built-in NPE tool with AG Locked Down, the NPE website opens.
    Imagine the NPE website is Norton's work-around.
    Anyone think preventing the npe process launch is simply AG doing AG business, or should I PwrApp Norton? Which is not practical as there's no way to grab the Norton folder.
    AppGuard npe.exe blocked.PNG
    Maybe, add c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7} to User Space No...?
    Comments ....? Thanks
    Update:
    add c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7} to User Space No will satisfy launch NPE.
    Note: I had tried AG Medium with AG default Symantec Corporation L=Santa Monica -- No Off On/Off with no joy.
    Tried refresh Publisher with Symantec Corporation L=Mountain View -- No Off On/Off.
    And AG Medium + Mountain View + Memory Off will satisfy launch NPE.
    Time to Export #3921 credit pegr #1973
     
    Last edited: Dec 26, 2015
  6. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    That's what I've done in the past. I have a number of such User Space = No entries.
    But others may have a more elegant solution?
     
  7. marzametal

    marzametal Registered Member

    Joined:
    Mar 19, 2014
    Posts:
    766
    I don't think there is, since ProgramData is hard-listed as Yes; therefore allowing stuff through requires specific entries in User Space with the No entry attached.

    Maybe your issue could be made a whole lot easier if the hard-listed ProgramData entry could be changed from Yes to No whenever user requires such a change. At the moment, the value cannot be modified. Damn.
     
  8. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    It looks like you need to make nsbu.exe a Power App in the Program Files Folder\norton security with backup\ from looking at your Activity Report. That should allow nsbu.exe to launch whatever it needs to in the user-space. Have you already tried that?
     
  9. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,457
    Location:
    .
    Yep, NSBU launch/run okay, with all other modules appearing to function normally without NSBU as PwrApp. NPE is stand-alone and since Norton v22, NPE built-in launches from the Norton GUI. That said, finding where NPE rides in File Explorer is no joy. And who knew the default Publisher did not render the current certificate. I had Reset AG to default recently so, imagined the default Publisher list would pick up Mountain View.
    NSBU application.png
    some notes testing...before 'Medium' sort.
    Prevented <Norton Power Eraser> from reading memory of <Windows Start-Up Application>.
    Prevented <Norton Power Eraser> from writing to <\registry\machine\system\controlset001\control\wmi\autologger\npetracesession\{c38af496-fdad-460a-9ed0-febdd490ff89}>.
    Prevented process <Norton Power Eraser> from writing to <c:\windows\system32\drivers\smr501.sys>.
     
    Last edited: Dec 26, 2015
  10. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I would turn memory protection OFF for Norton in the Publisher's settings. I'm not sure why AG is blocking Norton from writing to the registry unless Norton is using CMD to do it, which many applications do use CMD to write to the registry. I can't see the actual executable being blocked from writing to drivers\smr501.sys. Maybe try making it a Power App if needed. Maybe BRN should install the same version of NIS you are using on the same OS, and make their own recommendations. It's hard to say when I'm not running the same setup as you, and you keep getting so many blocked actions in the Event Viewer. Are you seeing any adverse effects on Norton Internet Security (or whatever they are calling their product now)?
     
  11. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,457
    Location:
    .
    Yes, Off was part of my sort.... #3931
    Only Activity Report(ed) for Norton is/was NPE launch.
    notes in #3935 were while testing before Medium sort in #3931
    AG Medium + Mountain View + Memory Off will satisfy launch NPE.
    I had to update Publisher certificate + Mem Off.
    aside: rescache.hit Alerts on occasion. I've Ignored two rescache.hit
    head scratch on rescache.hit #3928
     
    Last edited: Dec 26, 2015
  12. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,457
    Location:
    .
    Yeah, I was playing with Customize to learn. Medium + Mountain View + Memory Off satisfies NPE launch for me. I was thinking to delete Publishers as not knowing why I'd need and then stumbled on NPE scenario.
     
  13. marzametal

    marzametal Registered Member

    Joined:
    Mar 19, 2014
    Posts:
    766
    I have a question about about:config settings in Firefox...

    If all entries with the word "memory" in them are set to false or 0, is there a need to keep MemWrite and MemRead for Firefox set to On?
     
    Last edited: Dec 26, 2015
  14. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,457
    Location:
    .
    Question:
    added Guarded Folder c:\users\user\downloads -- Private
    and cannot download into Firefox sandbox. I had one sandbox'd FF session where I had AppGuard dialog and could by-pass AppGuard with Medium + Suspend and was able to repeat download CCleaner installer into FF sandbox. Now, I cannot download into Firefox sandbox even with AppGuard Off.
    I have c:\sandbox as Read/Write.....
    What's it take for AG to consistently communicate in sandbox.
    I have to delete c:\users\user\downloads and start FF with clean sandbox to download CCleaner installer into FF sandbox.
    Comments...?
     
  15. marzametal

    marzametal Registered Member

    Joined:
    Mar 19, 2014
    Posts:
    766
    Shouldn't c:\users\user\downloads already be in User Space, since c:\users\user\ is already in there and cannot be removed? Maybe set Include to No and try again.
    CCleaner should be able to be downloaded into FF sandbox and be recovered properly if you include c:\users\user\downloads in SBIE Quick Recovery tab.

    "added Guarded Folder c:\users\user\downloads -- Private" <-- if you want to keep it in Guarded Apps tab, then setting it to Private will not allow you to see this download folder because most likely you have set Firefox to Privacy = On, as the explanation in the dialog box states - Private: Guarded Apps with Privacy set to On are prohibited from accessing these files/folders. You might want to keep Privacy On, but set the folder to Exception (R/W).
     
  16. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    You don't want to do anything to the download folder, or you may lock yourself out of it.
     
  17. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,457
    Location:
    .
    Hmm, learning by trial and error. Took Sandboxie out of the equation and c:\users\user\downloads blocks downloads at Locked Down. And no matter how I re-configure away from Locked Down, downloads are blocked. Don't know where downloads go because Norton toaster reports on the download but the download does not arrive. Am I locked out of downloads....? Is "avoid downloads folder" in Help? Is there a key to unlock downloads, and where may I find what not to do...
    EDIT: okay downloads okay after remove c:\users\user\downloads
    Why is it okay to Private Documents and Picture but, not Downloads and maybe not Desktop...?
    Wonder what happens if I Private AppData....
     
    Last edited: Dec 26, 2015
  18. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,457
    Location:
    .
    Yeah, I was able to download into sandbox one session...even repeated downloads into Quick Recovery.
    Then upon new browser session retry to duplicate. Downloads were lost to the ether. I assumed AG lost communication with SBIE. Then I tried without Sandboxie. Downloads went somewhere out of sight. Presume in memory. AG Off downloads still blocked. To resume downloads as normal I had to delete c:\users\user\downloads. With downloads at R/W why add downloads in the first place. I was imagining by downloads Private that unknown downloads would be blocked as a good thing. And I'd have manual override for known downloads.
     
    Last edited: Dec 26, 2015
  19. marzametal

    marzametal Registered Member

    Joined:
    Mar 19, 2014
    Posts:
    766
    Not going near Nortons... lol what are you using, is it an antivirus or something? 360?
     
  20. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,457
    Location:
    .
    Does AG conflict with Norton...? Does Norton conflict with AG...? Do you Private users\downloads...?
    How does AG block for example drive-bys. In Locked Down. I can update Firefox. I can download from Firefox. Firefox seems normal in Locked Down.
    What does Norton have to do with....
     
    Last edited: Dec 27, 2015
  21. guest

    guest Guest

    why would you do that? If you private it, Guarded apps set on Privacy mode won't access it. Since browsers are on Privacy (Chrome, etc...), you can guess they won't access it, and neither will the downloaded files.

    • Locked Down: Virtually eliminates the risk of drive-by download attacks by only allowing user space applications specified in the Guard List to run. All Guarded applications are MemoryGuarded independent of how they are configured on the Guarded Applications Configuration Tab.

    • In the Locked Down setting, ...Only installation files (*.msi and *.msp) digitally signed by Microsoft are permitted.
    no offense, but I think you should really take time to read the help file; I can see you lack some understanding about AG.
     
  22. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,457
    Location:
    .
    I'm sure you're correct. I mean about not understanding. I've taken time to read the help file. Since, only installation files (*.msi and *.msp) digitally signed by Microsoft are permitted. It's head scratch for my limited gray matter as to why Firefox updates install. As to why Firefox extensions install updates. Since, legit extensions update. Then mal extensions can install/update in Locked Down. Then mal scripts can run in Locked Down. So, I tried to create criteria in the Guard List to satisfy my limited gray matter understanding. And since User Guide shows c:\users\public\music as Private, why not c:\users\user\download as Private and why did c:\users\user\downloads work as I expected for one browser session. AG works on paper. Kinda' want to see AG work on my setup. https://en.wikipedia.org/wiki/Experiential_learning
    If you are a visual learner, you learn by reading or seeing pictures.
    If you are a tactile learner, you learn by touching and doing. You understand and remember things through physical movement. You are a "hands-on" learner who prefers to touch, move, build, or draw what you learn, and you tend to learn better when some type of physical activity is involved.
    No offense taken. Your skills are evident by your signature. I'll yield to knowledge. As I misstep n' work through my head scratch.
    BTW ~ I have c:\users\user\documents and pictures as Private. Why not for example downloads and desktop.
    "AppGuard enables the user to specify a set of Private Folders that are not accessible to Guarded Applications running in Privacy Mode."
    BTW ~ AppGuard has blocked a Guarded application (process_name) from writing to a protected folder (folder_name). Usually this message can be ignored, but if the blocking event is preventing a legitimate operation then you can choose to temporarily UnGuard the application or configure AppGuard to allow this operation:
    • Temporarily UnGuard the application:
      • If the application was launched from user space, then follow these steps:
        1. Terminate the application.
        2. Select "Allow User Space Launches->UnGuarded" from the AppGuard Tray menu.
        3. Re-launch the application
        4. Re-enable user space protection (select "Disable User Space Launch" from the AppGuard Tray menu.)
      • If the application is on the Guard List, then follow these steps:
        1. Select "Guarded Execution->Suspend < application_name >" from the AppGuard Tray menu.
        2. Re-enable Guarded Execution of the application from the AppGuard Tray menu when the blocked operation is complete (select "Guarded Execution->Enable < application_name >").
     
    Last edited: Dec 27, 2015
  23. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,807
    Location:
    .
    You're not alone, limited grey matter at this end too! LOL

    A while ago I had the chance to read most of this thread (very long indeed) to catch up some valuable posts, here are some of them:
    https://www.wilderssecurity.com/threads/appguard-4-x-32-64-bit.355206/page-12#post-2307841
    https://www.wilderssecurity.com/threads/appguard-4-x-32-64-bit.355206/page-12#post-2307767
    https://www.wilderssecurity.com/threads/appguard-4-x-32-64-bit.355206/page-13#post-2307848
    https://www.wilderssecurity.com/threads/appguard-4-x-32-64-bit.355206/page-102#post-2444659
    https://www.wilderssecurity.com/threads/appguard-4-x-32-64-bit.355206/#post-2298875
    https://www.wilderssecurity.com/threads/appguard-4-x-32-64-bit.355206/page-48#post-2363971
    https://www.wilderssecurity.com/threads/appguard-4-x-32-64-bit.355206/page-7#post-2301338
    https://www.wilderssecurity.com/threads/appguard-4-x-32-64-bit.355206/page-11#post-2307064
    https://www.wilderssecurity.com/threads/appguard-4-x-32-64-bit.355206/page-12#post-2307796
    https://www.wilderssecurity.com/threads/appguard-4-x-32-64-bit.355206/page-14#post-2308582
    https://www.wilderssecurity.com/threads/appguard-4-x-32-64-bit.355206/page-15#post-2309407
    https://www.wilderssecurity.com/threads/appguard-4-x-32-64-bit.355206/page-15#post-2309749
    https://www.wilderssecurity.com/threads/appguard-4-x-32-64-bit.355206/page-17#post-2314414
    https://www.wilderssecurity.com/threads/appguard-4-x-32-64-bit.355206/page-20#post-2317783
    https://www.wilderssecurity.com/threads/appguard-4-x-32-64-bit.355206/page-20#post-2317799
    https://www.wilderssecurity.com/threads/appguard-4-x-32-64-bit.355206/page-23#post-2324391
    https://www.wilderssecurity.com/threads/appguard-4-x-32-64-bit.355206/page-33#post-2345776
    https://www.wilderssecurity.com/threads/appguard-4-x-32-64-bit.355206/page-72#post-2395706
    https://www.wilderssecurity.com/threads/appguard-4-x-32-64-bit.355206/page-103#post-2446329
    https://www.wilderssecurity.com/threads/appguard-4-x-32-64-bit.355206/page-118#post-2468108
    https://www.wilderssecurity.com/threads/appguard-3-x-32-64-bit.294876/page-79#post-2163749

    HTH
     
  24. guest

    guest Guest

    the problem is we don't have your full system in hand, so it's quite hard to duplicate your issues; we don't know what you installed and how you set AG...

    also why would you "private" Desktop or Downloads (user-space folders)?! If you do it, in Locked Down mode only unguarded apps are allowed to read/write to them, and guarded apps only as allowed by you. So no browser reaches them; so it's pointless...
     
  25. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,457
    Location:
    .
    Well, Barb_C tells me BRN does not test in-house and I should reach out to Wilders. As to "why". Thinking I'd see if I could Lock Down Firefox updates/installs.
    and yet Firefox updates. Firefox behaves same w/wo AppGuard.
    Why would I want unguarded apps to r/w on Firefox.
     