AppGuard 4.x 32/64 Bit - Releases

Discussion in 'other anti-malware software' started by Jryder54, Oct 29, 2013.

Thread Status:
Not open for further replies.
  1. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,576
    I am thinking about trying WinAntiRansom Plus in the near future. What special AppGuard Settings would I need for compatibility with AppGuard?
     
  2. hjlbx

    hjlbx Guest

    With AppGuard - especially in Lock Down mode - you have no absolute need for an anti-cryptor, but you can add one to your system if you like.

    In Protected mode, AppGuard would allow a digitally signed cryptor to execute - but it will protect files in your My Private Folder or any other folder with Privacy setting enabled. Plus, it will block the ransomware from making system changes that enable it to auto-start and deny access to System Space folders. So, in other words, only data in User Space might be encrypted.

    I have only seen a user report a digitally signed cryptor one time - but they refused to provide the sample. So, I have not had the opportunity to test a digitally signed ransomware.

    I am not sure if Protected mode will stop Hollow Process of any trusted Windows processes - like explorer.exe. I suspect it does not based on one video released by BRN a few years back that shows what would happen if digitally signed ransomware were, indeed, executed in Protected mode.

    So, I suppose if you are going to run AppGuard in Protected mode, then adding an anti-cryptor might be a good idea.

    Anyhow, it is best to get @Barb_C to provide an official response.
     
  3. FleischmannTV

    FleischmannTV Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,093
    Location:
    Germany
    It depends on how the process hollowing is applied. If it tries to attack an already existing instance, then this attempt would be blocked. If the ransomware launches another instance of explorer or svchost, then memory guard should allow it, because parent-to-child injections are allowed. On the other hand, this hollowed process would inherit the same restrictions as its parent and that would mean privacy mode: on, so it could not write to private folders. But before all that it would have to be digitally signed to even launch at all.
     
  4. hjlbx

    hjlbx Guest

    @FleischmannTV - that is my understanding.

    AppGuard has side-by-side memory protection and not parent-child memory protection.

    The above would apply for a digitally signed ransomware.
     
  5. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Cruelsister tested AG for me a couple months ago with signed crypto-malware in Medium Protection Mode. The malware was unable to do anything. AG blocked the malicious .dll that needed to run in the first sample, and the .tmp file that needed to spawn as a child in the second sample. She tested with a few other signed samples, and AG blocked them all in Medium Protection Mode. AG did not allow any samples to run in Locked Down Mode, but that should be expected since signed files are not permitted to execute in Locked Down Mode.
     
  6. hjlbx

    hjlbx Guest

    Thanks for the info @Cutting_Edgetech
     
  7. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
  8. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    An AppGuard update has been published. You should see an announcement soon (if AppGuard is configured to check for updates). The version is 4.3.14.5. This basically fixes the update issues that we had when we rolled out 4.3.13.1.
    1. There are a couple of policy changes:
      1. [LocalAppData]\apps\2.0 is excluded from user-space. These are where click-to-run applications are stored.
      2. [LocalAppData]\apps\2.0 has been added as a protected resource.
      3. Schtasks blocking messages are now ignored.
    2. *.cmd files can be added as user-space exceptions.
    3. As many of you reported, when we published AppGuard 4.3.1.13, the auto-update was too silent. It basically resulted in AppGuard being turned off and there was no indication that the installation was successful or complete. The reason was that the install was considered a major upgrade by the OS which turned off our service. Our update logic didn't handle it properly. Though the update was successful, there was no indication it was and AppGuard was turned off. We recalled the update (from the perspective of automatically updating, the release is still good and can be installed - just not through our auto-update feature). Anyway, we think this version will properly alert you that the update occurred and will prompt you to reboot.
    4. A few minor bug fixes:
      1. The GUI was crashing adding c:\windows\assembly as user-space folder (why you would do that, I don't know).
      2. AppGuard was blocking but not reporting a user-space folder that had a wild card in the policy.
      3. Signed applications were not being permitted from a user-space folder that had a wild card in the policy.
      4. If a sub-directory of c:\windows was added to user-space, AppGuard was permitting unsigned applications to launch (but they were Guarded).
    If for some reason you don't get the announcement you can download the new release here: https://blueridgenetworks.s3.amazonaws.com/UpdateFolder/AppGuardSetup_4_3_14_5.exe. No need to uninstall the previous version.

    If you see any anomalies with the update process, please email me at appguard@blueridge.com.
     
  9. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I received a prompt asking if I would like to download the update, and I chose no. I was then given the same prompt immediately so I changed my mind, and tried to use the autoupdate feature. I never did get a message after that saying the update was complete, or in progress. I then went to the Advanced Tab in the GUI, and clicked on the button, "check for updates now". A few minutes later I received a toaster message stating the update was complete, and I needed to reboot. The update completed successfully after rebooting.

    This update added all the Trusted Publishers I had removed back to the Publisher's List. It's not a big deal, but worth noting. I would consider that a bug with the update process.
     
  10. marzametal

    marzametal Registered Member

    Joined:
    Mar 19, 2014
    Posts:
    766
    "C:\ProgramData\Blue Ridge Networks\AppGuard" - copy the xml file somewhere before upgrading. After upgrade completes, either boot up normally once, then boot into Safe Mode OR boot into Safe Mode on first reboot (not sure if a standard reboot is required), and proceed to replace newly generated xml file with the one you copied earlier.

    This will return things to norm; 1) BlueRidge is the only entry I have in Trusted Publishers, 2) User Created Alert Messages repopulated
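    Scripted version of the backup-and-restore steps above, added here as an example; it is not from marzametal's post and not Blue Ridge Networks' own tooling. It assumes the settings live as .xml files in the folder quoted above (the post does not name the file, so a wildcard is used), that the script runs from an elevated PowerShell prompt, and that PowerShell 4 or later is available for Get-FileHash.

```powershell
# Added example (not from the post or from BRN): snapshot AppGuard's XML settings before an
# upgrade, then put them back afterwards only if the backup copy still matches its recorded hash.
# Assumptions: exact XML file name unknown (wildcard used); run elevated; PowerShell 4+.

$AppGuardDir = 'C:\ProgramData\Blue Ridge Networks\AppGuard'   # folder named in the post
$BackupRoot  = Join-Path $env:USERPROFILE 'AppGuardBackups'    # assumed backup location

function Backup-AppGuardSettings {
    param(
        [string]$SourceDir = $AppGuardDir,
        [string]$DestRoot  = $BackupRoot
    )
    if (-not (Test-Path -LiteralPath $SourceDir)) {
        throw "AppGuard settings folder not found: $SourceDir"
    }
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $dest  = Join-Path $DestRoot $stamp
    New-Item -ItemType Directory -Path $dest -Force | Out-Null

    $files = @(Get-ChildItem -LiteralPath $SourceDir -Filter '*.xml' -File)
    if ($files.Count -eq 0) { throw "No .xml files found in $SourceDir" }

    # Record the SHA-256 of every copied file so the restore step can prove the backup is intact.
    $manifest = foreach ($f in $files) {
        Copy-Item -LiteralPath $f.FullName -Destination $dest
        [pscustomobject]@{
            Name   = $f.Name
            Sha256 = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
        }
    }
    $manifest | Export-Csv -LiteralPath (Join-Path $dest 'manifest.csv') -NoTypeInformation
    Write-Host "Backed up $($files.Count) file(s) to $dest"
    return $dest
}

function Restore-AppGuardSettings {
    param(
        [Parameter(Mandatory)][string]$BackupDir,
        [string]$TargetDir = $AppGuardDir
    )
    $manifestPath = Join-Path $BackupDir 'manifest.csv'
    if (-not (Test-Path -LiteralPath $manifestPath)) { throw "No manifest in $BackupDir" }

    foreach ($entry in Import-Csv -LiteralPath $manifestPath) {
        $src    = Join-Path $BackupDir $entry.Name
        $actual = (Get-FileHash -LiteralPath $src -Algorithm SHA256).Hash
        if ($actual -ne $entry.Sha256) {
            throw "Backup copy of $($entry.Name) does not match its recorded hash; refusing to restore"
        }
        $dst = Join-Path $TargetDir $entry.Name
        # Keep the file the upgrade generated next to the restored one so the two can be diffed.
        if (Test-Path -LiteralPath $dst) {
            Move-Item -LiteralPath $dst -Destination "$dst.post-upgrade" -Force
        }
        Copy-Item -LiteralPath $src -Destination $dst
        Write-Host "Restored $($entry.Name) to $TargetDir"
    }
}

# Usage:
#   before the upgrade:            $b = Backup-AppGuardSettings
#   after the upgrade, in Safe Mode as the post suggests:  Restore-AppGuardSettings -BackupDir $b
```

    The hash check is the point of the manifest: if the backup folder was touched between the upgrade and the restore, the script refuses rather than silently writing an altered policy file back into a security product's settings folder. Restoring from Safe Mode, as the post recommends, avoids fighting the running AppGuard service for the file.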
     
  11. marzametal

    marzametal Registered Member

    Joined:
    Mar 19, 2014
    Posts:
    766
    In regards to "parent-child memory protection"... isn't anything a parent spawns called child, and hence protected as well? I think that is how I am understanding things. Please clarify if I am wrong (or am I getting confused with SBIE?).

    e.g.: If Firefox triggers plugin-container.exe to run, doesn't that inherit all FF protection settings, so no need to guard plugin-container.exe?
     
  12. guest

    guest Guest

    @Barb_C any news about protecting non-system partition located apps?

    I just installed via GUI, no issues so far.

    From my understanding, in AG, if parent is protected, child is as well.
     
  13. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,576
    Upgrade to AppGuard version 4.3.14.5:

    I received a prompt asking if I would like to download the update. I chose yes. The message that states something about not turning off the PC or rebooting until the update process is complete stayed up for several minutes until I decided to close the message box. I moved the mouse cursor over the AppGuard System Tray Icon, which made the Reboot message show up, but only while I had the mouse cursor over the AppGuard System Tray Icon. I then Rebooted the PC. So far, I have not seen any issues with the latest version of AppGuard.
     
  14. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,807
    Location:
    .
    My experience upgrading AppGuard.

    After learning of the new version I downloaded it via web link. Then I restarted the machine and at startup AppGuard immediately informed me about the new version (including the right version number), offered to update, and I said no. Next I ran the installer I already had and the upgrade went all smooth and good. Then I restarted the machine and all went well, no issues at all but that minor inconvenience @Cutting_Edgetech and @marzametal have already stated: Trusted Publisher list repopulated and User Created / Modified Alert Messages are lost.
    I said minor inconvenience at least from my personal point of view; perhaps others will see a major inconvenience depending on how heavily the xml file was modified. I think this xml file shouldn't be overwritten by new upgrades; better if AG offered a restore to defaults button instead so the user has options.
     
  15. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,807
    Location:
    .
    Barb_C reply via email:
     
  16. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    There is a restore all settings to default button in the Advanced Tab below the Power Apps list. Are you talking about something else?
     
  17. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,807
    Location:
    .
    Yes I'm talking about a similar button for Alerts and User Space tabs.
     
  18. hjlbx

    hjlbx Guest

    My update was automatic and nothing changed - no changes to Trusted Publisher list, Alert settings stayed the same; didn't have to "reload" settings .xml.

    Looks like loss of settings after update is not universal.
     
  19. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I'm using Windows 7X64. My Trusted Publisher's List was not preserved. It was repopulated with the default Publishers I removed, but it preserved the ones I added. I have not discovered any other issues so far.
     
  20. meatouph

    meatouph Guest

    Which tickbox is responsible for showing the "04/02/16 22:31:10 AppGuard stopped <25> suspicious activities while active." popups from time to time?
     
  21. merisi

    merisi Registered Member

    Joined:
    Dec 17, 2012
    Posts:
    316
    I don't know if anyone has seen this: -https://www.youtube.com/watch?v=KinwLc4SqpQ

    It looks like someone has successfully exploited Appguard; while it is the previous version, I wonder if this has been patched.
     
  22. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Thank you for the heads up! It appears that it bypassed AG because Powershell was not on the Guarded Apps List, so AG allowed Powershell to write to the System Space. If Powershell is on the Guarded Apps List then the bypass should not be possible. I have brought this up in the past, and I believe I was informed that Powershell scripts should not be allowed to run, or they will be Guarded even if Powershell is not on the Guarded Apps List. I will make sure BRN is aware of this. I will send them an email in a moment. In the meantime make sure that Powershell is on the Guarded Apps List, or add it to the user-space. I have Powershell added to the user-space with my config. Just about everyone here at Wilders has Powershell on the Guarded Apps List, or added to the User-space.
     
  23. merisi

    merisi Registered Member

    Joined:
    Dec 17, 2012
    Posts:
    316
    Thanks for explaining how to prevent the exploit. I've just added Windows Powershell to the guarded list.
     
  24. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    No problem. There is actually another bypass for AG on that user's channel. I'm sending an email to BRN about both of them. If you are on a 64bit OS make sure to add Powershell.exe and Powershell_ise.exe from both the System32 and SysWOW64 folders.

    The second bypass is not as clear to me, but it appears it could be a bug on AG's part. I need to watch the video again, but I may need the sample to be sure what happened. It looks as though AG allowed wscript.exe to run in Locked Down Mode, and I don't think that should be possible. AG is supposed to block all scripts in Locked Down Mode, and allow them to run Guarded in Protected Mode. I hope they did not change this without our knowledge.
     
  25. hjlbx

    hjlbx Guest

    It is not a script exploit, but instead a simple bypass that utilizes a *.lnk to Powershell and a writable directory in System Space.
     