AppGuard 4.x 32/64 Bit - Releases

Discussion in 'other anti-malware software' started by Jryder54, Oct 29, 2013.

Thread Status:
Not open for further replies.
  1. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,792
    Location:
    .
    Just tested a few min. ago and AG didn't block a .reg file run from user space.
     
  2. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,792
    Location:
    .
    Well, not that bad for me as I use ERP and regedit is a vulnerable process now.
     
  3. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,453
    Location:
    .
    sadness = can't find directory path
     
  4. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,792
    Location:
    .
    Code:
    C:\Windows\regedit.exe
    C:\Windows\SysWOW64\regedit.exe
     
  5. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,453
    Location:
    .
    Yes, that's where I've looked...
    Update: me find....looking on right side (D'oh!) found regedit.exe.
     
    Last edited: May 5, 2016
  6. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,453
    Location:
    .
    Q: IE11 + User Space c:\sandbox Yes

    Prevented process <combase.dll | c:\windows\system32\rundll32.exe> from launching from <c:\sandbox\bjms\internetexplorer\drive\c\windows\system32>.
    Prevented process <shlwapi.dll | c:\windows\system32\rundll32.exe> from launching from <c:\sandbox\bjms\internetexplorer\drive\c\windows\system32>.
    Prevented process <imagehlp.dll | c:\windows\system32\rundll32.exe> from launching from <c:\sandbox\bjms\internetexplorer\drive\c\windows\system32>.
    Prevented process <msvcrt.dll | c:\windows\system32\rundll32.exe> from launching from <c:\sandbox\bjms\internetexplorer\drive\c\windows\system32>.
    Prevented process <user32.dll | c:\windows\system32\rundll32.exe> from launching from <c:\sandbox\bjms\internetexplorer\drive\c\windows\system32>.

    What do think about Field1 * with Field2 <c:\sandbox\bjms\internetexplorer\drive\c\windows\system32>.
    Or, individual Ignore
    Or, c:\sandbox No
    Or, ?
    Firefox and Chrome sandbox = no issue with c:\sandbox Yes
     
    Last edited: May 5, 2016
  7. hjlbx

    hjlbx Guest

    Use * at end of file path.

    After excluding the file path from User Space, there will probably be additional blocks.

    You will have to use * at the end of those file paths as well.

    It takes about 3 or 4 tries of launching IE before all the blocked file paths are excluded from User Space.

    After that, no problem.
     
  8. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,792
    Location:
    .
    LOL you have a funny and strange way of talking and writing :argh:
     
  9. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,453
    Location:
    .
    I did > Field1 (just) * with Field2 <c:\sandbox\bjms\internetexplorer\drive\c\windows\system32> (no *).
     
  10. hjlbx

    hjlbx Guest

    Use: c:\sandbox\bjms\internetexplorer\drive\c\windows\system32\*
     
  11. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,453
    Location:
    .
    Hmm,. AG seems satisfied (for now) without *. I'll add \*
     
  12. hjlbx

    hjlbx Guest

    Could you please explain what you mean by Field1 and Field2 ?
     
  13. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,453
    Location:
    .
  14. hjlbx

    hjlbx Guest

    You input in wrong place -- unless this is what you wanted to do. Those fields are for ignoring block events. So those items are still being blocked by AG, but just not recorded in Activity Report.

    If you want items to execute from User Space, then you have to add file path to User Space and select "No." Selecting "No" = exclude from User Space.
     
  15. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,453
    Location:
    .
    Oh, I was following balloon hint to Ignore. Aha, so I may exclude from User Space. Hmm.
    AG and IE seem okay with Event > Ignore.
    I'll try add file path to User Space No. Thanks!

    Edit:...so, User Space c:\sandbox Yes can co-exist with c:\sandbox\bjms\internetexplorer\drive\c\windows\system32\* No
     
    Last edited: May 5, 2016
  16. hjlbx

    hjlbx Guest

    Yes, it will block everything from launching from C:\Sandbox but allow c:\sandbox\bjms\internetexplorer\drive\c\windows\system32\*
     
  17. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,453
    Location:
    .
    I've added c:\sandbox\bjms\internetexplorer\drive\c\windows\system32\* No.
    Now, Sandboxie Control cannot delete IE sandbox and also > Prevented process <comctl32.dll | c:\windows\system32\rundll32.exe> from launching from <c:\sandbox\bjms\internetexplorer\drive\c\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.9600.17810_none_34ae2abd958aedeb>.

    Balloon hint points to Protection too High. Head scratch.
     
  18. hjlbx

    hjlbx Guest

    You have to also exclude

    c:\sandbox\bjms\internetexplorer\drive\c\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.9600.17810_none_34ae2abd958aedeb

    from User Space.

    You have to do this three or four times until all the blocked file paths are excluded from User Space.
     
  19. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,453
    Location:
    .
    Okay, I started over. Now, I'm following you. I have c:\sandbox Yes + c:\sandbox\bjms\internetexplorer\drive\c\windows\system32\* No....Okay.
    So, do I wildcard <c:\sandbox\bjms\internetexplorer\drive\c\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.9600.17810_none_34ae2abd958aedeb>.

    Is all this needed if AG and IE afaik seem okay with Ignore.
    Or, maybe c:\sandbox Yes is too much for IE. Firefox is primary, while IE is for testing.

    I'll try to do this three or four times until all the blocked file paths are excluded from User Space.
    Interesting exercise. Then, I'll backup AppGuardPolicy.
    I'll report progress. Thanks!
     
    Last edited: May 6, 2016
  20. hjlbx

    hjlbx Guest

    I used to run IE from C:\Sandbox. C:\Sandbox was included in User Space (Yes). So I had to exclude a number of file paths from C:\Sandbox so IE would run.

    Use * wildcard at end of file path when multiple items are being blocked from the same file path - like here:

    Prevented process <combase.dll | c:\windows\system32\rundll32.exe> from launching from <c:\sandbox\bjms\internetexplorer\drive\c\windows\system32>.
    Prevented process <shlwapi.dll | c:\windows\system32\rundll32.exe> from launching from <c:\sandbox\bjms\internetexplorer\drive\c\windows\system32>.
    Prevented process <imagehlp.dll | c:\windows\system32\rundll32.exe> from launching from <c:\sandbox\bjms\internetexplorer\drive\c\windows\system32>.
    Prevented process <msvcrt.dll | c:\windows\system32\rundll32.exe> from launching from <c:\sandbox\bjms\internetexplorer\drive\c\windows\system32>.
    Prevented process <user32.dll | c:\windows\system32\rundll32.exe> from launching from <c:\sandbox\bjms\internetexplorer\drive\c\windows\system32>.
     
  21. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,453
    Location:
    .
    Yes, I realize now, I was mixing up Ignore balloon hints with these "launch from User Space" balloon hints.
    ----------------------------------------
    I tried without * with got message no path. So, I added \*. I can try again without * or maybe just \

    1) c:\sandbox\bjms\internetexplorer\drive\c\windows\system32\*

    2) c:\sandbox\bjms\internetexplorer\drive\c\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.9600.17810_none_34ae2abd958aedeb\*

    3) c:\sandbox\bjms\internetexplorer\drive\c\program files\internet explorer\*

    4) c:\sandbox\bjms\internetexplorer\drive\c\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17810_none_6240b9c7ecbd0bda\*
    ----------------------------------------------------------
    and maybe _none_\* is okay....
    c:\sandbox\bjms\internetexplorer\drive\c\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17810_none_\*
    ___________________________________
    Note: Interesting exercise.., never would have figured on my own.

    And small voice in my head is asking.
    Since, AG policy blocked/Prevented process, should I just Ignore...?
    Comments...?
     
    Last edited: May 6, 2016
  22. hjlbx

    hjlbx Guest

    Ignore Activity Report block events unless something is obviously broken\does not work.

    Block events like writing to registry, logs, dat files, xmls, memory, etc don't break anything.

    For the most part, it will be quite obvious when something isn't working correctly.

    * * * * *

    Other times it might be more subtle and difficult to figure out exactly what is happening. It is rare, so I wouldn't worry about it.

    Sometimes there are weird\unusual block events that show up in Activity Report, but I haven't seen them break anything.

    I have reported them all to BRN. We are trying to figure some stuff out right now -- so we will have to wait and see.
     
  23. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,453
    Location:
    .
    IE seemed okay with Ignore and seems okay with User Space No for these c:\sandbox events.
    Maybe, I'm not in IE enough to judge one way or the other.
    Okay, we'll wait and see. Regards
     
  24. guest

    guest Guest

    why people keep sandboxie's container on C drive... still a mystery to me; it is like keeping your trashbin in your sleeping room...
     
  25. hjlbx

    hjlbx Guest

    When you exclude blocked file paths from User Space, then AG will not log launches in Activity Report. In other words, you don't have have Ignore rule for excluded file paths.
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.