AppGuard 4.x 32/64 Bit - Releases

Discussion in 'other anti-malware software' started by Jryder54, Oct 29, 2013.

Thread Status:
Not open for further replies.
  1. XhenEd

    XhenEd Registered Member

    Joined:
    Mar 31, 2014
    Posts:
    536
    Location:
    Philippines
    This is true.
    I already said this (i.e. AppGuard blocking wrongly after some time) to Barb in our email exchanges in the past. I'm not sure if Barb actually understood this important info.
    As for now, our email exchanges have stopped because Barb didn't go back to our exchanges.
    @Barb_C
     
  2. guest

    guest Guest

    If they can't reproduce it, they can't investigate :(
    I reported a bug (1 year ago + several weeks ago), that i can 100% reproduce but maybe they can't reproduce. Or it's not important enough to fix. I don't know ...
     
  3. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
I'm wondering if somebody who is able to reproduce this problem (mentioned in the previous 2-3 posts) would be willing to let someone from the BRN dev team have remote access (TeamViewer, etc.) to their system to collect the necessary details for reproducing this error? We've seen other developers in this forum suggesting similar things, so I am wondering if this might be beneficial.
     
  4. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    5,258
    Location:
    .
From a technical point of view I'd say yes. I've had remote desktop sessions with BRN and they've gathered valuable information. Problem is many users won't be willing to open their computers in such a way to anyone; besides, those on the other end (devs) might have caution on this delicate matter (for some people, not me). For me remote sessions almost guarantee developers will find the problem and everyone benefits from it.
     
  5. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,207
    I installed the Appguard 4.3.13.1 today and all went well :)
Looking at the uninstall instructions of the release, still no mention of the need to have the internet connection on when doing that. No, I did not uninstall, just "turned" off AG and installed on top of the existing one.

But maybe adding that to the uninstall instructions to keep the license without needing to contact Blueridge support? That need has happened to me only once. I think when reinstalling W7 back to factory settings like I did with my W10 try, you get back the trial option, so not that bad when having time to contact the support. Anyway I'd like that information added to the Help file.
     
  6. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
I've had BRN log on to my computers a while back. Not too many I'd do this with, but BRN is indeed one of them.
     
  7. syrinx

    syrinx Registered Member

    Joined:
    Apr 7, 2014
    Posts:
    427
    So I looked at the procmon logs a bit more and ran it through a few other test runs. Sadly it seems what I saw is not exactly what Mr. X or others here have experienced. Instead it appears AppGuard is just lagging behind what is actually happening on the computer.

    The PIDs it's reporting blocks for are actually the original set of java, not the second set I ran. In the posted logs the conhost.exe (PID:936) and java.exe (PID:864) are actually stopped and exited at 9:47:09 but are not being shown in AppGuard until after it is set to off (at 9:46:46). After AG is set to off and java was stopped they finally get added to the log over a minute later, at 9:48:17.

    So while it looked as if it might be blocking the new java instance it is in fact just a delayed log/report from AG. Why it is getting delayed is another question entirely but I wonder if this is what some of the others have reported here without knowing it as well.

    I'll try some more testing to recreate the issue Mr.X actually saw when I have some spare time but for now it looks like it may not be as easy to recreate as I initially thought.
     
    Last edited: Mar 10, 2016
  8. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,696
    Location:
    USA
    Thank you for all your time, and effort trying to help solve issues like these that have been reported!
     
  9. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    5,258
    Location:
    .
    Thanks a lot syrinx, really appreciated. Wow!
     
  10. Infected

    Infected Registered Member

    Joined:
    Feb 9, 2015
    Posts:
    1,164
Been reading some on this thread. Does it look like AppGuard is blocking unnecessary programs?

    Code:
    03/13/16 09:50:36 Prevented <igfxEM Module> from writing to <\registry\machine\software\intel\display\igfxcui\misc>.
    03/13/16 09:50:36 Prevented process <igfxEM Module> from writing to <c:\intel\gp\profile_frank.dat>.
    03/13/16 09:48:57 Prevented process <igfxEM Module> from writing to <c:\intel\gp\profile_frank.dat>.
    03/13/16 09:48:57 Prevented <igfxEM Module> from writing to <\registry\machine\software\intel\display\igfxcui\misc>.
    03/13/16 09:34:06 Prevented process <pid: 3120> from writing to <c:\windows\rescache\rc0002\rescache.hit>.
    03/13/16 09:32:35 Prevented process <Google Chrome> from writing to <c:\windows\rescache\rc0002\rescache.hit>.
    03/13/16 09:26:24 Prevented process <pid: 2264> from writing to <c:\windows\rescache\rc0002\rescache.hit>.
    03/13/16 09:24:30 Prevented process <Google Chrome> from writing to <c:\windows\rescache\rc0002\rescache.hit>.
    03/13/16 08:56:42 Prevented process <igfxEM Module> from writing to <c:\intel\gp\profile_frank.dat>.
    03/13/16 08:56:42 Prevented <igfxEM Module> from writing to <\registry\machine\software\intel\display\igfxcui\misc>.
    03/13/16 08:54:58 Prevented process <igfxEM Module> from writing to <c:\intel\gp\profile_frank.dat>.
    03/13/16 08:54:58 Prevented <igfxEM Module> from writing to <\registry\machine\software\intel\display\igfxcui\misc>.
    03/13/16 08:20:57 Prevented process <pid: 1956> from writing to <c:\windows\rescache\rc0002\rescache.hit>.
    03/13/16 08:20:24 Prevented process <pid: 460> from writing to <c:\windows\rescache\rc0002\rescache.hit>.
    03/13/16 08:19:51 Prevented process <pid: 2328> from writing to <c:\windows\rescache\rc0002\rescache.hit>.
    03/13/16 08:19:18 Prevented process <Google Chrome> from writing to <c:\windows\rescache\rc0002\rescache.hit>.
    03/13/16 08:18:54 Prevented process <Google Chrome> from writing to <c:\windows\rescache\rc0002\rescache.hit>.
    03/13/16 08:18:37 Prevented process <Google Chrome> from writing to <c:\windows\rescache\rc0002\rescache.hit>.
    03/13/16 08:18:14 Prevented process <Google Chrome> from writing to <c:\windows\rescache\rc0002\rescache.hit>.
    03/13/16 08:18:12 Prevented process <pid: 2292> from writing to <c:\windows\rescache\rc0002\rescache.hit>.
    03/13/16 08:17:42 Prevented process <Google Chrome> from writing to <c:\windows\rescache\rc0002\rescache.hit>.
    03/13/16 08:17:06 Prevented process <Google Chrome> from writing to <c:\windows\rescache\rc0002\rescache.hit>.
    03/13/16 08:16:13 Prevented process <Google Chrome> from writing to <c:\windows\rescache\rc0002\rescache.hit>.
    03/13/16 08:15:25 Prevented process <Google Chrome> from writing to <c:\windows\rescache\rc0002\rescache.hit>.
    03/13/16 08:13:15 Prevented process <pid: 2860> from writing to <c:\windows\rescache\rc0002\rescache.hit>.
    03/13/16 08:11:33 Prevented process <Google Chrome> from writing to <c:\windows\rescache\rc0002\rescache.hit>.
    03/13/16 07:07:15 Prevented <Google Chrome> from writing to <\registry\machine\software\wow6432node\google\update\clientstatemedium\{8a69d345-d564-463c-aff1-a69d9e530f96}\lastwasdefault>.
    03/13/16 07:06:08 Prevented <Google Chrome> from writing to <\registry\machine\software\wow6432node\google\update\clientstatemedium\{4dc8b4ca-1bda-483e-b5fa-d3c12e15b62d}>.
    03/13/16 07:06:08 Prevented <Google Chrome> from writing to <\registry\machine\software\wow6432node\google\update\clientstatemedium\{8a69d345-d564-463c-aff1-a69d9e530f96}\_numaccounts>.
    03/13/16 07:06:08 Prevented <igfxEM Module> from writing to <\registry\machine\software\intel\display\igfxcui\misc>.
    03/13/16 07:05:18 Prevented <Google Chrome> from writing to <\registry\machine\software\wow6432node\google\update\clientstatemedium\{8a69d345-d564-463c-aff1-a69d9e530f96}\lastwasdefault>.
    03/13/16 07:05:02 Prevented <igfxEM Module> from writing to <\registry\machine\software\intel\display\igfxcui\mediakeys>.
    03/13/16 07:05:02 Prevented process <igfxEM Module> from writing to <c:\intel\gp\profile_frank.dat>.
    03/13/16 07:04:38 Prevented <Google Chrome> from writing to <\registry\machine\software\wow6432node\google\update\clientstatemedium\{8a69d345-d564-463c-aff1-a69d9e530f96}\_numaccounts>.
    03/13/16 07:04:33 Prevented <Google Chrome> from writing to <\registry\machine\software\wow6432node\google\update\clientstatemedium\{4dc8b4ca-1bda-483e-b5fa-d3c12e15b62d}>.
    03/13/16 07:04:32 Prevented <igfxEM Module> from writing to <\registry\machine\software\intel\display\igfxcui\misc>.
    03/13/16 07:03:24 Protection level is set to <protected>.
    
     
  11. hjlbx

    hjlbx Guest

    The blocks to the registry and blocked writes to rescache occur on my system as well. Nothing malfunctions.

    BRN recommends that if nothing is obviously broken then just to ignore the block events.
     
  12. Infected

    Infected Registered Member

    Joined:
    Feb 9, 2015
    Posts:
    1,164
    Thanks :thumb::thumb:
     
  13. hjlbx

    hjlbx Guest

    I used to get all bent out-of-shape about block events - thinking AppGuard was breaking something.

    Nowadays I just don't pay attention much - unless it is plainly obvious that a malfunction is occurring. Then I 1st try to eliminate AppGuard as the cause by turning AppGuard off - and see if the malfunction persists.

On my system I will see more block events reported in Protected Mode versus Lock Down Mode. I am not sure why that is, but I suspect BRN has done it this way to avoid a flood of block events in the Activity Report. I could be wrong - I have asked for further details. No info yet.
     
  14. Infected

    Infected Registered Member

    Joined:
    Feb 9, 2015
    Posts:
    1,164
    Thanks again. I'll just ignore it unless it "breaks" something.
     
  15. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,660
    Location:
    Under a bushel ...
    Maybe someone using SBIE and AppGuard can help me.

    I have only ever used SBIE (paid) for browsing (Firefox) and haven't had any real issues.

    But now I tried running Windows Explorer sandboxed and AppGuard (Protected Mode) threw up 3 blocked messages:
    Prevented process <msvrt.dll> from launching from <c:\sandbox\xxxx\defaultbox\drive\c\windows\system32>
    Prevented process <hmpalert.dll> from launching from <c:\sandbox\xxxx\defaultbox\drive\c\windows\system32> (I have the HitmanProAlert template in SBIE).
    Prevented process <user32.dll> from launching from <c:\sandbox\xxxx\defaultbox\drive\c\windows\system32>

    Looking at the Activity Report, I see a few more:
    03/14/16 12:14:01 Prevented process <a2hooks64.dll | c:\windows\system32\rundll32.exe> from launching from <c:\sandbox\xxxx\defaultbox\drive\c\program files\emsisoft internet security>.
    03/14/16 12:14:01 Prevented process <combase.dll | c:\windows\system32\rundll32.exe> from launching from <c:\sandbox\xxxx\defaultbox\drive\c\windows\system32>.
    03/14/16 12:14:01 Prevented process <shlwapi.dll | c:\windows\system32\rundll32.exe> from launching from <c:\sandbox\xxxx\defaultbox\drive\c\windows\system32>.
    03/14/16 12:14:01 Prevented process <imagehlp.dll | c:\windows\system32\rundll32.exe> from launching from <c:\sandbox\xxxx\defaultbox\drive\c\windows\system32>.
    03/14/16 12:14:01 Prevented process <msvcrt.dll | c:\windows\system32\rundll32.exe> from launching from <c:\sandbox\xxxx\defaultbox\drive\c\windows\system32>.
    03/14/16 12:14:01 Prevented process <user32.dll | c:\windows\system32\rundll32.exe> from launching from <c:\sandbox\xxxx\defaultbox\drive\c\windows\system32>.
    03/14/16 12:14:01 Prevented process <hmpalert.dll | c:\windows\system32\rundll32.exe> from launching from <c:\sandbox\xxxx\defaultbox\drive\c\windows\system32>.

    I have c:\sandbox as User Space Include=Yes and as an exception folder under Guarded Apps tab.

    There have been conflicting opinions about the User Space=Yes setting so tried removing that in AppGuard (without rebooting) but still got the above issues.

    Any way around this? Should c:\sandbox\xxxx\defaultbox\drive\c\ be set to Include=No in User Space?

    Edit: I should add that a sandboxed Explorer does open, but not populated and unresponsive.
     
    Last edited: Mar 14, 2016
  16. guest

    guest Guest

    I can't run it too. :(
    But in my case AppGuard threw no errors (User Space - Include=Yes), but Sandboxie does.

    A sandboxie-window is opened: "RunDLL - Can't start shell32.dll"
    If i turn AppGuard off, Explorer is started.

    I think i'll do some more tests in a VM.

    Edit:
    Starting of sandboxed Explorer (AG=On):
    Windows XP = ok
    Windows 7 = ok
    Windows 8+ = "RunDLL - Can't start shell32.dll - Access denied" o_O
    Edit 2:
    I saw no AppGuard-Messages, because i ignored rundll32-messages.
    I fixed it now :rolleyes:
    Excluding specific directories in AppGuard that are now mentioned in the Activity Report, solved the problem of rundll32-errors.
     
    Last edited by a moderator: Mar 14, 2016
  17. hjlbx

    hjlbx Guest

    @paulderdash
    @mood

You have to exclude <c:\sandbox\xxxx\defaultbox\drive\c\windows\system32> from User Space.

    Then when you try to execute Windows explorer.exe sandboxed there will be additional blocks.

    Determine what directory is being blocked by reviewing the Activity Report.

    You have to exclude those directories from User Space as well.

    If you do this, it will work.

    If I recall correctly, there were three or four directories I had to exclude from User Space - but I can't remember which ones. Plus, I don't use SBIE at this moment.
     
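As an added example (not code from the thread, from BRN or from Sandboxie), here is a small Python parser for the Activity Report lines quoted in the posts above: it collapses the repeated block events into one row per process/action/target, and, for hjlbx's procedure, lists the directories under the sandbox container that AppGuard blocked launches from, which are the candidates for User Space exclusion. The sample report lines are constructed from the thread's own format, and the sandbox path reuses the thread's `c:\sandbox\xxxx\defaultbox` placeholder.

```python
import re
from collections import Counter

# Constructed sample in the Activity Report format quoted in the thread (not a real report).
SAMPLE_REPORT = r"""
03/13/16 09:50:36 Prevented <igfxEM Module> from writing to <\registry\machine\software\intel\display\igfxcui\misc>.
03/13/16 09:50:36 Prevented process <igfxEM Module> from writing to <c:\intel\gp\profile_frank.dat>.
03/13/16 09:32:35 Prevented process <Google Chrome> from writing to <c:\windows\rescache\rc0002\rescache.hit>.
03/14/16 12:14:01 Prevented process <a2hooks64.dll | c:\windows\system32\rundll32.exe> from launching from <c:\sandbox\xxxx\defaultbox\drive\c\program files\emsisoft internet security>.
03/14/16 12:14:01 Prevented process <combase.dll | c:\windows\system32\rundll32.exe> from launching from <c:\sandbox\xxxx\defaultbox\drive\c\windows\system32>.
03/14/16 12:14:01 Prevented process <user32.dll | c:\windows\system32\rundll32.exe> from launching from <c:\sandbox\xxxx\defaultbox\drive\c\windows\system32>.
03/13/16 07:03:24 Protection level is set to <protected>.
"""

# One block event: timestamp, optional "process" keyword, <subject>, action, <target>.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) Prevented (?:process )?"
    r"<(?P<subject>[^>]+)> from (?P<action>writing to|launching from) <(?P<target>[^>]+)>\.$"
)


def parse_report(text):
    """Return a list of block events; non-block lines (e.g. protection level changes) are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        # "<module.dll | host.exe>" names the module and the host process; otherwise just a process name.
        module, _, host = m.group("subject").partition(" | ")
        events.append({
            "ts": m.group("ts"),
            "process": host or module,
            "module": module if host else None,
            "action": m.group("action"),
            "target": m.group("target"),
        })
    return events


def summarize(events):
    """Collapse retries: count events per (process, action, target)."""
    return Counter((e["process"], e["action"], e["target"]) for e in events)


def exclusion_candidates(events, sandbox_root):
    """Directories under the sandbox container blocked as launch locations (User Space exclusion candidates)."""
    root = sandbox_root.lower().rstrip("\\") + "\\"
    return sorted({e["target"] for e in events
                   if e["action"] == "launching from" and e["target"].lower().startswith(root)})


if __name__ == "__main__":
    evs = parse_report(SAMPLE_REPORT)
    for key, n in summarize(evs).items():
        print(n, *key)
    print(exclusion_candidates(evs, r"c:\sandbox\xxxx\defaultbox"))
```

The "writing to" rows (igfxEM, Chrome, rescache) are the kind hjlbx says to ignore unless something breaks; the "launching from" rows under the container are the ones to act on.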
  18. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
Running on Win 7, I was able to use sandboxed Explorer using my default sandbox (all apps allowed, no internet). Also I run Lock Down. A couple of minor errors, but other than that no problem. Won't run in any of my restricted sandboxes.
     
  19. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,660
    Location:
    Under a bushel ...
    I excluded <c:\sandbox\xxxx\defaultbox\drive\c\windows\system32> and <c:\sandbox\xxxx\defaultbox\drive\c\program files\emsisoft internet security>
    I get the same block pop-ups and prevented processes in the Activity Report.
    It seems to retry this several times (the block pop-ups and prevented process lines keep repeating 6 or 7 times) but eventually sandboxed explorer opens, no problem.
    Guess I'll have to live with that.

    Win 8.1. I am connected to Internet ...
    Running in Protected Mode.
    I do have drop my rights ticked, but had the same problem with it unticked.
     
    Last edited: Mar 14, 2016
  20. guest

    guest Guest

    Exactly. 5-7 times and the explorer finally opens.
    But after clicking on a drive or on the left tree it happens again, but "only" 2-3 times..
    Thanks, Explorer can be started now without errors.

    Several weeks ago i decided to "ignore messages of this type":
    Prevented process <c:\windows\system32\rundll32.exe> from launching from <c:\sandbox\*>
    and therefore i saw nothing in the Activity Report today :gack:
    After removing it, i can see these rundll32-messages.
     
  21. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,660
    Location:
    Under a bushel ...
    Pity. I would also have expected excluding <c:\sandbox\xxxx\defaultbox\drive\c\windows\system32> from User Space would do the trick for me, but I still get the errors, even though Explorer does eventually open.
    Maybe the difference is due to my running in Protected Mode ... I think @hjlbx and @mood are running in Locked Down mode.
    Maybe I will try some other stuff, else also 'ignore messages of this type'.
    Until now I have been primarily interested in only browsing with SBIE.

    Edit: Doh. Found my problem. I added those paths forgetting to click 'Apply'. Works perfectly now.
    Apologies for wasting time. Ageing grey matter.

    Edit 2: And yes @hjlbx was right, I further had to exclude
    c:\sandbox\xxxx\defaultbox\drive\c\program files\common files\microsoft shared\ink and
    c:\sandbox\xxxx\defaultbox\drive\c\windows\winsxs
     
    Last edited: Mar 15, 2016
  22. hjlbx

    hjlbx Guest

    Switch to Lock-Down mode.

    Execute Explorer.exe in the sandbox.

    Carefully review the activity report.

    I think you are missing some directories in User Space exclusions; I remember 3 or 4 different directories had to be excluded.

    Perhaps Protected Mode logging isn't capturing the block in the Activity Report ?

    Please let me know...
     
  23. guest

    guest Guest

    i still wonder why people keep the sandboxie container folder on C instead of moving it to another partition...
     
  24. hjlbx

    hjlbx Guest

    I used to place it on R: where R = RAM Disk drive... then I got bored, changed things, and then got lazy in rebuilding config. :shifty:

    SoftPerfect's RAM Disk worked perfectly.
     
  25. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,660
    Location:
    Under a bushel ...
    See my edits in above post. Problem solved :)
     