AppGuard 4.x 32/64 Bit - Releases

Discussion in 'other anti-malware software' started by Jryder54, Oct 29, 2013.

Thread Status:
Not open for further replies.
  1. Roberteyewhy

    Roberteyewhy Registered Member

    Joined:
    Mar 4, 2007
    Posts:
    622
    Location:
    US
    Everything taken care of. Sorry if I was misconstrued.

    Thanks,
    Robert.
     
  2. hjlbx

    hjlbx Guest

    Can someone confirm this?

    1. Add a process to User Space (YES); I used c:\windows\*\net.exe

    2. Execute net.exe using WIN + R; it doesn't matter how you execute the process

    3. AppGuard will generate a block notification (pop-up, toast, or blink tray icon - dependent upon your AG config) and record the event in the Activity Report

    4. Go to the Activity Report.

    5. Locate the block event (for net.exe) line item and right-click, select "Ignore Message"

    6. In the "Ignore Message" window, enter:

    1st Line Item: net.exe

    2nd Line Item: *

    tick - Disable Display Status

    tick - Apply to All Users

    7. Select OK

    8. Execute net.exe

    9. AppGuard will still generate a block pop-up, toast and blink the tray icon; there should be no alerts for net.exe

    10. Other block events - such as for schtasks.exe - will now generate block pop-up, toast and blink the tray icon; there should be no alerts for schtasks.exe

    NOTE: You might have to wait for a long while before schtasks.exe launches on your system.

    11. Also, the position of net.exe jumps between the 1st and last position in the "Ignore Messages" list - after editing it and closing the AppGuard GUI.

    To confirm all of this, just launch cmd.exe, then execute wmic.exe or schtasks.exe. It will generate block alerts when there should not be any.
     
    Last edited by a moderator: Jul 12, 2016
  3. guest

    guest Guest

    It depends what message you get from AG.
    Can you give an example of what AG doesn't want to hide?

    07/12/16 12:12:38 Prevented process <pwcreator.exe | c:\program files\totalcmd\totalcmd64.exe> from launching from <c:\windows\system32>.

    You have different ways to ignore it. A specific ignore or more general. The process itself, parent process, file-path...
    Field1: pwcreator.exe | c:\program files\totalcmd\totalcmd64.exe - Field2: c:\windows\system32
    Field1: pwcreator.exe | c:\program files\totalcmd\totalcmd64.exe - Field2: *
    Field1: *pwcreator.exe - Field2: c:\windows\system32*
    Field1: *pwcreator.exe - Field2: *
    Field1: *totalcmd64.exe - Field2: c:\windows\system32*
    Field1: *totalcmd64.exe - Field2: *
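    To see which of the ignore-rule variants above would actually cover a given Activity Report line before editing the list, here is an added Python checker (my own code, not AppGuard's). It parses the quoted log-line format and matches the two fields against Field1/Field2 patterns; it assumes that `*` is the only wildcard, that matching is case-insensitive, and that Field1 may name the whole "child | parent" string or either part alone (AppGuard's real matching rules are not documented in the thread). The net.exe line is constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Activity Report line shape quoted in the thread: timestamp, "Prevented process",
# then two <...> fields (process, possibly "child | parent"; location or written path).
LINE_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d/\d\d \d\d:\d\d:\d\d) Prevented process <(?P<f1>[^>]*)> "
    r"from (?P<action>launching from|writing to) <(?P<f2>[^>]*)>\.?$"
)

@dataclass(frozen=True)
class BlockEvent:
    ts: str
    action: str
    field1: str
    field2: str

def parse_line(line: str) -> Optional[BlockEvent]:
    """Parse one Activity Report line; None if it is not a block event."""
    m = LINE_RE.match(line.strip())
    return BlockEvent(m["ts"], m["action"], m["f1"], m["f2"]) if m else None

def _glob(pattern: str) -> "re.Pattern[str]":
    # Assumption: '*' is the only wildcard and matching is case-insensitive.
    return re.compile("^" + ".*".join(map(re.escape, pattern.split("*"))) + "$", re.I)

def field1_matches(pattern: str, field1: str) -> bool:
    # Assumption: Field1 may match the whole "child | parent" string or either part.
    candidates = [field1] + [p.strip() for p in field1.split("|")]
    return any(_glob(pattern).match(c) for c in candidates)

def rule_matches(rule: Tuple[str, str], ev: BlockEvent) -> bool:
    f1, f2 = rule
    return field1_matches(f1, ev.field1) and bool(_glob(f2).match(ev.field2))

def matching_rules(rules: List[Tuple[str, str]], ev: BlockEvent) -> List[Tuple[str, str]]:
    return [r for r in rules if rule_matches(r, ev)]

# Sample line from the thread plus a constructed net.exe event.
TOTALCMD_LINE = ("07/12/16 12:12:38 Prevented process <pwcreator.exe | "
                 "c:\\program files\\totalcmd\\totalcmd64.exe> from launching from <c:\\windows\\system32>.")
NET_LINE = "07/12/16 12:20:00 Prevented process <net.exe> from launching from <c:\\windows\\system32>."

RULES = [  # the six variants from the post, most to least specific
    ("pwcreator.exe | c:\\program files\\totalcmd\\totalcmd64.exe", "c:\\windows\\system32"),
    ("pwcreator.exe | c:\\program files\\totalcmd\\totalcmd64.exe", "*"),
    ("*pwcreator.exe", "c:\\windows\\system32*"),
    ("*pwcreator.exe", "*"),
    ("*totalcmd64.exe", "c:\\windows\\system32*"),
    ("*totalcmd64.exe", "*"),
]
NET_RULE = ("net.exe", "*")  # the entry built in the earlier post
```

Running `matching_rules(RULES, parse_line(TOTALCMD_LINE))` returns all six rules, while the net.exe event matches none of them and only `NET_RULE`, which is why a new entry is needed per process rather than relying on an existing wildcard rule.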
     
  4. hjlbx

    hjlbx Guest

    The procedure I outlined above produces the undesired behavior; block alerts will be generated for processes which should not have any block alerts.

    It's a bug - at least on W10...

    If you add another process to Ignore Messages list, then afterwards, block alerts for other processes in the list will generate alerts.

    For example, wmic and schtasks will produce AG block alerts when launched - despite the settings in the Ignore Message list.
     
  5. guest

    guest Guest

    Oh, you updated your post with more information. I'll have a look...
     
  6. guest

    guest Guest

    I can't confirm it. Then it's a Win10-specific bug.
    The same goes for the User Space List and Publisher List.
    All user-added entries are jumping back & forth every time. But this is nothing new, it's one of these old, rusty bugs.

    -------------
    Is someone using Administrative controls?
    If you have to enter the password at "Privileged operation" the password is not hidden with **** as you type it in.
    That's not ideal.
     
  7. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    5,257
    Location:
    .
    I used this once just for testing and confirm your statement.
     
  8. hjlbx

    hjlbx Guest

    My custom AppGuard config - combined with TinyWall - smashed Kovter, Poweliks, malicious *.vbs, malicious macros, etc - even when using "Allow User Space Launches - Guarded."

    Some of the malware dropped some *.bat and *.dlls to AppData - but that is inactive\inert on the system - so no big deal. Just delete the offending files while in Protected on Lock Down mode.

    * * * * *

    Ransomware remains a problem since AppGuard does not prevent hollow process - even when a file is executed Guarded. The only counter-measure that AppGuard offers against most ransomware is Lock Down mode against digitally signed ransomware and Protected mode against unsigned ransomware.

    Protected Mode is vulnerable to digitally signed ransomware that uses hollow process.

    Also, both Protected and Lock Down modes are vulnerable to any ransomware - signed or not - if you use "Allow User Space Launches - Guarded."

    You guys don't do such things - like use "Allow User Space Launches - Guarded" -- do you?

    If you do, it is a big risk...
     
    Last edited by a moderator: Jul 13, 2016
  9. FleischmannTV

    FleischmannTV Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,093
    Location:
    Germany
    Are these cases of parent-to-child injections, which AppGuard does not block by design?
     
  10. hjlbx

    hjlbx Guest

    @FleischmannTV - Yes.

    AppGuard's Memory Protection is side-by-side and not in-line (parent-child). BRN will not implement in-line (parent-child) memory protection. It is their position that it will break too many things and just plain cause them a massive headache.

    AppGuard does prevent one running process from memory code injection\memory scraping of another running process.

    However, as you already know, Hollow Process is different. It entails a parent process starting a child process in a suspended state - and then unmapping the child process from memory and replacing the child's code with its own code.
     
    Last edited by a moderator: Jul 13, 2016
  11. guest

    guest Guest

    It's sad that they removed the MBR protection a long time ago: "MBRGuard"
    With malware encrypting the MBR this protection could be useful.

    And older AG-versions had IMO a stronger Memory Protection, but the user had to configure "Memory Guard Exceptions".
    They removed it with AG 4.0 (year: 2013)
    "AppGuard 4.0 has the following new features:
    <...>
    3. Improved MemoryGuard policy
    4. Eliminates the need to configure MemoryGuard exceptions
    5. Reduces the need to configure Power Applications.
    The goal of this version of AppGuard 4.0 is to reduce the customization required by the end-user <...>"


    Features are being removed to get fewer support requests.
    Or they are hidden (Locked Down was removed from the GUI)
    [Attachment: AG_MemoryGuard.png]
     
  12. hjlbx

    hjlbx Guest

    Check this file path: C:\Program Files (x86)\Blue Ridge Networks\AppGuard - there should be a folder "MBRGuard." It contains the MBRGuard *.dlls. :thumb:

    It was only removed from the GUI...

    However, MBRGuard has not been tested in a long time. It needs a test against Petya, Satana, and similar.

    * * * * *

    You can block write access to most of User Space (c:\Users) within AppGuard - it is just a bear to configure. This will prevent hollow process ransomware from encrypting User Space files. System Space files are protected. The only thing not protected are directories needed for browser operation, settings files, profiles, etc.

    It ain't absolutely perfect - but it will work fairly well with some initiative.

    I suppose MemProtect would work better = prevent child process unmapping.
     
    Last edited by a moderator: Jul 13, 2016
  13. hjlbx

    hjlbx Guest

    Today is the very first time that I have seen a browser attempt to access MyPrivateFolder - out of nowhere...

    Cyberfox.
     
  14. guest

    guest Guest

    Are you really sure? With earlier versions a special driver like "mbrguard.sys" was installed to accomplish this.
    And the MBR protection is "prohibiting any application from writing to the Master Boot Record."
    How can the user disable it, if it's removed from the GUI?

    Ahh, after searching I found it: :)
    Posted Oct 2013:
    #3143
     
  15. hjlbx

    hjlbx Guest

    BRN figured users would screw it up... so they removed it. :shifty:

    Not sure how BRN implemented MBRGuard after removing MBRGuard.sys driver. I can only locate the *.dlls.
     
  16. FleischmannTV

    FleischmannTV Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,093
    Location:
    Germany
    I don't understand the obsession with this feature. Standard user account doesn't permit these operations. No toys needed.
     
  17. hjlbx

    hjlbx Guest

    True... but BRN never thought people would use the Standard User Account. That's why they don't have the export\import settings & config feature; the user has to re-create the AppGuard config in SUA.
     
  18. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Yes, but you are assuming everyone can use it. I can't, as a key business program won't run under SUA. Sure you can say don't use that software, but it's not that simple. But I no longer worry as HMPA has implemented MBR protection.
     
  19. hjlbx

    hjlbx Guest

    @mood, @FleischmannTV , @Peter2150

    Barb states: "No MBRGuard is no longer part of any of the AppGuard products. The MBRGuard folder is a left over from the days when it was part of the product. It still contains needed DLLs, so it can’t be removed. I guess at some point we should rename it to avoid confusion."

    Better stay in Lock Down mode. "Allow User Space Launches - Guarded" will not protect system against Petya or Satana type ransomware.

    HMP.A 3.5
     
  20. FleischmannTV

    FleischmannTV Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,093
    Location:
    Germany
    No, I won't say that and I accept your point.
     
  21. hjlbx

    hjlbx Guest

    To manually update Windows Defender, add these two directories to User Space (NO):

    c:\users\user\appdata\local\temp\mpam-*

    c:\users\user\appdata\local\temp\*\mpsigstub.exe

    The above will allow Windows Defender modules to be updated.
     
  22. hjlbx

    hjlbx Guest

    Can someone confirm this?

    Guarded Apps can write to drive root, e.g. - C:\ ?

    I would think that it wouldn't be permitted, but it doesn't really matter as long as the newly created directory is treated as User Space.
     
  23. Schorg

    Schorg Guest

    Does anyone else have issues when adding OneDrive to Guarded Apps? OneDrive keeps disappearing (taskbar icon) and I have to launch OneDrive manually, even though I have added an exception for c:\onedrivetemp\s-1-5-21-319083326-1511775871-3679585971-1001\fs-temp-test and c:\onedrivetemp\s-1-5-21-319083326-1511775871-3679585971-1001\. AppGuard still prevents <Microsoft OneDrive> from writing to <c:\onedrivetemp\s-1-5-21-319083326-1511775871-3679585971-1001\fs-temp-test>.

    Edit - I'm in Lock Down mode; also I think this happens on/off, as yesterday it worked without issues and there was no Activity Report entry for OneDrive. Strange?
     
    Last edited by a moderator: Jul 17, 2016
  24. guest

    guest Guest

    I can't confirm:
    07/16/16 22:20:01 Prevented process <Google Chrome> from writing to <c:\appguard 4.x 32_64 bit _ page 226 _ wilders security forums.html>.
    But if you declare C:\ as User Space, Guarded Apps can write to it, sure.
     
  25. hjlbx

    hjlbx Guest

    I just tested various malwares. Lock Down mode. "Allow User Space Launches - Guarded."

    Malicious files executed as Guarded can create new folders at drive root... e.g. C:\ - by calling cmd.exe mkdir... LOL.

    AG treats any newly created drive root folder as System Space = Guarded Apps cannot write to it, but files can execute from it !

    Here is a very simple test:

    1. At drive root, use explorer.exe to open un-elevated cmd.exe

    2. mkdir TEST

    3. C:\TEST will be created

    4. Move any PE32 file to C:\TEST

    5. Launch the file moved to C:\TEST

    6. The file can be executed \ will execute, even in Lock Down mode !

    I can write a simple script that creates a new folder at the drive root, drops files to that directory and executes the dropped file(s)... malc0ders can surely do the same - or worse.


    All you boys and girls out there should add cmd.exe to User Space (YES). However, you still are not completely secure since AppGuard policy does not prohibit creation of directories by Guarded processes by other means - like WINAPI CreateDirectoryEx or .NET Framework Directory.CreateDirectory (string).
     
    Last edited by a moderator: Jul 16, 2016