AppGuard 4.x 32/64 Bit - Releases

Discussion in 'other anti-malware software' started by Jryder54, Oct 29, 2013.

Thread Status:
Not open for further replies.
  1. hjlbx

    hjlbx Guest

    It's a pain in d'arse...
     
  2. vmron

    vmron Registered Member

    Joined:
    Mar 14, 2010
    Posts:
    13
    I have to ask. How do I use wildcards in the latest version of AG? I browsed to the file I wanted to use wildcards on in appdata\local\temp, dism in this case. I put in the wildcard and tried to save the path, but it reverted back to the original path.
     
  3. hjlbx

    hjlbx Guest

    Where are you trying to use the wild-card ?

    Adding file path to Power Apps ?
     
  4. guest

    guest Guest

    What? I mentioned this bug over 1 year ago to BRN via email o_O

    Subject: Bugreport: AppGuard 4.2.8.1beta - 'User-Space Policy Wildcards'
    with the response: "Thanks for the detailed bug description. We'll look into it."

    I thought this was already fixed :eek:
     
  5. vmron

    vmron Registered Member

    Joined:
    Mar 14, 2010
    Posts:
    13
    User space or Power Apps
     
  6. hjlbx

    hjlbx Guest

    Hmmmm... you are having a problem then -- because I can use wildcard (*) for both User Space and Power Apps.

    I copy the file path, paste it, then delete the portion I wish to replace with wildcard (*).

    I also type the file path in directly - replacing the portion not wanted with wildcard (*).

    * * * * *

    You CANNOT navigate (browse) to the file path and then try to modify it; it will revert to the original file path.

    You have to copy-paste or type in manually...
     
  7. hjlbx

    hjlbx Guest

    If bug reports aren't submitted directly to BRN, then in all likelihood any bug reported on this forum will NOT be fixed...

    Anyhow... you DID submit it to BRN and it still didn't get fixed -- that is no surprise. :thumbd:

    I have found that you have to keep asking whether or not something has been fixed. :thumbd::thumbd::thumbd:
     
  8. guest

    guest Guest

    Should I write a reminder every month until I get an email like this: "Yes, your reported bugs are fixed in the next version", or ... o_O

    If I report a tiny GUI-bug or something like that and they "forget" to fix it or give it only low priority, then that's maybe ok.
    But I think this wildcard-bug is much more than a tiny bug. :cautious:
     
  9. vmron

    vmron Registered Member

    Joined:
    Mar 14, 2010
    Posts:
    13
    Works perfectly. Thank you :)
     
  10. hjlbx

    hjlbx Guest

    Wildcard bug is bad ju-ju. I have been playing around to see if I can get something to execute. So far, so good...

    * * * * *

    I think a lot of us are frustrated with reported bugs not being fixed in a timely manner... if I don't hear anything back after a few months, then I follow-up with a WTF ?
     
  11. XhenEd

    XhenEd Registered Member

    Joined:
    Mar 31, 2014
    Posts:
    536
    Location:
    Philippines
    A very minor bug: the pop-up reminder of AppGuard when it's Off for several minutes would say something like "return to medium or lock down mode", instead of "return to protected or lock down mode".
     
  12. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,660
    Location:
    Under a bushel ...
    Thanks for the tip!
    I suppose there is no 'harm' in adding the vulnerable processes to AG User Space, as well as having them already defined in NVT ERP (in case I ever remove the latter soft)?
     
  13. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,660
    Location:
    Under a bushel ...
    I have never encountered dismhost being blocked ... is that because I am only running in Protected Mode?
     
  14. hjlbx

    hjlbx Guest

    Yes. dismhost.exe runs in AppData (User Space). If you run in Lock Down mode it will be blocked.
     
  15. hjlbx

    hjlbx Guest

    I don't even mess with NVT ERP anymore. Personally, I am not too sure it will be updated any time soon.

    I have all the vulnerable processes added to User Space. I never get any alerts of blocks... they're just abused by malware. No malware = no abuse... LOL.
     
    Last edited by a moderator: Jun 19, 2016
  16. guest

    guest Guest

    The good thing is, this wildcard-bug is finally fixed :cautious:
    Now I added new wildcards-entries and deleted the old ones. The list looks clearer now.
     
  17. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,660
    Location:
    Under a bushel ...
    @mood @hjlbx
    Have you added c:\windows\*\cmd.exe and rundll32.exe to User Space also, or have you left these processes as default Guarded?
    Would adding those to User Space not cause problems?

    Also no big issue, but I can't seem to delete c:\windows\system32\schtasks.exe and at.exe (Delete button is greyed out - no such problem for syswow64 entries) when trying to create wildcard entries for these ...
     
  18. hjlbx

    hjlbx Guest

    I leave both just as Guarded Apps, but adding cmd.exe to User Space shouldn't harm anything. Rundll32.exe in User Space might break some things. It depends upon what you have installed. For example, Webroot uses rundll32.exe if I recall correctly. You can always add it, if it breaks something, then remove it from User Space...

    * * * * *

    Hmmm... I was able to delete them and then add wildcard file paths. Could be a bug, but not entirely sure...
     
  19. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,660
    Location:
    Under a bushel ...
    Thanks @hjlbx. I think I will just leave those as Guarded also_O
    Another question: In ERP I have msiexec.exe as a vulnerable process. I guess this is best also avoided in User Space? Or will Allow Installs take care of it?
     
  20. hjlbx

    hjlbx Guest

    msiexec.exe is a command line utility. I have mine in User Space. I never need it.
     
  21. hjlbx

    hjlbx Guest

    Can others confirm this bug in any version of 4.X.X.X ?

    1. Execute any process - for example, cmd.exe or powershell.exe - by using WIN + R > ENTER.

    NOTE: You need to untick in Guarded Apps list -- if you use a Guarded App for this bug confirmation test.

    1.1 Exit process before proceeding to step 2.

    2. Now move the process from step 1 to User Space (do not forget to untick it in Guarded Apps list); use C:\windows\*\cmd.exe for example.

    3. Reboot system.

    4. As soon as desktop appears -- immediately use WIN + R > ENTER to run the process (the process should already be loaded in the Run field).

    5. (BUG) The process will launch before the AppGuard GUI appears in the Task Bar - even though the process has been added to User Space.

    * * * * *

    Next, try the very same steps above - but use a process that you have never executed on your system before using WIN + R.

    The process will be blocked before the AppGuard GUI appears in the Task Bar.
     
    Last edited by a moderator: Jun 20, 2016
  22. guest

    guest Guest

    I leave rundll32.exe untouched, but I need cmd.exe sometimes. So I don't add c:\windows\*\cmd.exe to User-Space.
    I added it as a vulnerable process in ERP.
     
  23. hjlbx

    hjlbx Guest

    This bug has been officially confirmed; on BRN's TO DO\bug tracker.
     
  24. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,660
    Location:
    Under a bushel ...
    A question on wildcarding e.g.
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe,
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
    C:\Windows\Microsoft.NET\Framework\v3.5\csc.exe
    etc.

    Should this be C:\Windows\Microsoft.NET\*\*\csc.exe or is C:\Windows\Microsoft.NET\*\csc.exe sufficient?
    Or will both work?
     
  25. guest

    guest Guest

    C:\Windows\Microsoft.NET\*\csc.exe should be enough
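
An added example, not part of the thread and not AppGuard's own code: the question above turns on whether a single `*` can span more than one folder level. AppGuard's matching rules are not stated on this page, so the sketch below models both interpretations and lists which of the quoted paths each pattern would cover; the function names and the `star_crosses_separator` flag are assumptions made for illustration.

```python
import re

# Paths quoted in the question above.
CSC_PATHS = [
    r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe",
    r"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe",
    r"C:\Windows\Microsoft.NET\Framework\v3.5\csc.exe",
]

def wildcard_to_regex(pattern, star_crosses_separator):
    """Translate a '*' path pattern into a case-insensitive regex.

    star_crosses_separator=True  : '*' may match across backslashes
                                   (any number of folder levels).
    star_crosses_separator=False : '*' stays inside one path component.
    Which of the two a given product uses is an assumption to verify.
    """
    star = ".*" if star_crosses_separator else r"[^\\]*"
    literal_parts = [re.escape(part) for part in pattern.split("*")]
    return re.compile(star.join(literal_parts), re.IGNORECASE)

def matches(pattern, path, star_crosses_separator):
    """True if the whole path is covered by the pattern."""
    regex = wildcard_to_regex(pattern, star_crosses_separator)
    return regex.fullmatch(path) is not None

def coverage(pattern, paths, star_crosses_separator):
    """Return the subset of paths the pattern covers."""
    return [p for p in paths if matches(pattern, p, star_crosses_separator)]

if __name__ == "__main__":
    single = r"C:\Windows\Microsoft.NET\*\csc.exe"
    double = r"C:\Windows\Microsoft.NET\*\*\csc.exe"
    for pattern in (single, double):
        for crossing in (True, False):
            hits = coverage(pattern, CSC_PATHS, crossing)
            print(f"{pattern}  crossing={crossing}  "
                  f"covers {len(hits)}/{len(CSC_PATHS)}")
```

If the single-star entry only covers all three paths under the crossing interpretation, the same interpretation also makes an entry such as c:\windows\*\cmd.exe apply to any subfolder depth under C:\Windows, which is worth checking against the product's activity log after adding it.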
     