AppGuard 4.x 32/64 Bit - Releases

Discussion in 'other anti-malware software' started by Jryder54, Oct 29, 2013.

Thread Status:
Not open for further replies.
  1. hjlbx

    hjlbx Guest

    No. That is just the way Florian from Excubits wrote his list.

    Use c:\windows\*\vulnerable_process.exe. Some, like Journal.exe, are not captured by that file path, so you will have to find it on your system.

    Also, you cannot use wild-cards like this: c:\users\user\appdata\roaming\temp\AG-1028u40u-*; you can only use the wildcard to replace the entire string between the \ in the file path.

    For example, c:\user\user\appdata\roaming\temp\*
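An added illustration (not AppGuard's own code) of the wildcard rule described in this post: `*` may stand only for a whole segment between backslashes, so a partial pattern like `temp\AG-1028u40u-*` is rejected. It assumes a `*` segment covers one or more folder levels, which is consistent with Journal.exe (outside c:\windows) and hh.exe (directly in c:\windows) not being caught by c:\windows\*\name.exe; the rule list is constructed for the demo.

```python
import re

# Added example (not AppGuard's own code) of the wildcard rule described in the
# post: "*" may replace only an entire segment between backslashes. Assumption:
# a "*" segment stands for one or more folder levels, so c:\windows\*\x.exe does
# not cover c:\windows\x.exe and covers nothing outside c:\windows.

def is_valid_pattern(pattern: str) -> bool:
    """False for partial-segment wildcards such as temp\\AG-1028u40u-*."""
    return all("*" not in seg or seg == "*" for seg in pattern.split("\\"))

def to_regex(pattern: str):
    """Compile a whole-segment wildcard pattern into a case-insensitive regex."""
    if not is_valid_pattern(pattern):
        raise ValueError(f"wildcard must replace a whole segment: {pattern!r}")
    parts = [r"[^\\]+(?:\\[^\\]+)*" if seg == "*" else re.escape(seg)
             for seg in pattern.split("\\")]
    return re.compile("^" + r"\\".join(parts) + "$", re.IGNORECASE)

def matches(pattern: str, path: str) -> bool:
    """Case-insensitive match, as Windows paths are."""
    return to_regex(pattern).match(path) is not None

# Constructed rule list in the c:\windows\*\name.exe style the post recommends.
RULES = [
    r"c:\windows\*\powershell.exe",
    r"c:\windows\*\cmd.exe",
    r"c:\windows\*\regsvr32.exe",
    r"c:\windows\*\hh.exe",
]

def covering_rule(path: str, rules=RULES):
    """Return the first rule that covers path, or None if nothing does."""
    return next((r for r in rules if matches(r, path)), None)

if __name__ == "__main__":
    for p in (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\hh.exe",
              r"C:\Program Files\Windows Journal\Journal.exe"):
        print(p, "->", covering_rule(p))
```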
     
  2. hjlbx

    hjlbx Guest

    The info below is a combination of info from Florian (Excubits) and JP (Japanese) CERT:
    • Blacklist all occurrences of powershell.exe if you do not use it regularly,
    • Blacklist or remove all interpreters (e.g. python, perl, ...) if you do not use them,
    • Blacklist or remove all debuggers,
    • Only whitelist required software, move not used software to the blacklist, and
    • If there is software you only use once a year put it onto the blacklist and then temporarily put it on the whitelist if you really need it for the dedicated task.
    • Also blacklist the following applications (executables) if you do not need them:
    *Regsvcs.exe
    *RegAsm.exe
    *wusa.exe
    ?:\$Recycle*
    *reg.exe
    *vssadmin.exe
    *aspnet_compiler.exe
    *csc.exe
    *jsc.exe
    *vbc.exe
    *ilasm.exe
    *MSBuild.exe
    *script.exe
    *journal.exe
    *msiexec.exe
    *bitsadmin.exe
    *iexpress.exe
    *mshta.exe
    *systemreset.exe
    *mstsc.exe
    *powershell.exe
    *powershell_ise.exe
    *hh.exe
    *set.exe
    *setx.exe
    *InstallUtil.exe
    *IEExec.exe
    *DFsvc.exe
    *dfshim.dll
    *PresentationHost.exe
    *wscript.exe
    *cscript.exe
    *iexplore.exe
    *at.exe
    *schtasks.exe
    *mrsa.exe
    *bcdedit.exe
    *bcdboot.exe
    *bootcfg.exe
    *bootim.exe
    *bootsect.exe
    *ByteCodeGenerator.exe
    *debug.exe
    *diskpart.exe
    *regini.exe
    *regsvr32.exe
    *RunLegacyCPLElevated.exe
    *UserAccountControlSettings.exe
    *wmic.exe
    *regedit.exe
    *regedt32.exe

    * * * * *

    *cmd.exe
    *tasklist.exe
    *netstat.exe
    *net.exe
    *ipconfig.exe
    *systeminfo.exe
    *qprocess.exe
    *query.exe
    *whoami.exe
    *nslookup.exe
    *fsutil.exe
    *csvde.exe
    *nbtstat.exe
    *nltest.exe
    *wevtutil.exe
    *arp.exe
    *sc.exe
    *qwinsta.exe

    * * * * *

    C:\Windows\ADFS\*
    C:\Windows\Fonts\*
    C:\Windows\Minidump\*
    C:\Windows\Offline Web Pages\*
    C:\Windows\tracing\*
    C:\Windows\Tasks\*

    I also suggest that you restrict write access permissions on

    C:\Windows\ADFS\*
    C:\Windows\Fonts\*
    C:\Windows\Minidump\*
    C:\Windows\Offline Web Pages\*
    C:\Windows\tracing\*
    C:\Windows\Temp\*
    C:\Windows\Tasks\*
    C:\ProgramData\*
     
    Last edited by a moderator: Aug 12, 2016
  3. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,538
    Location:
    Sweden
    Currently running all above except restrict write access permissions on C:\ProgramData\*. I'm in Locked Down mode.

    Sc.exe is trying something every 30 min, probably some normal behavior. I suppose your log fills up with events like this as well?
     
  4. hjlbx

    hjlbx Guest

    sc.exe is used during system automatic maintenance at idle.
     
  5. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,538
    Location:
    Sweden
    Thanks!

    I can see why that is a way into the system for malware. I'll see if I'll keep processes like this in the User-Space (blocked) or if I just switch to Protected mode instead of Locked Down so the processes at least can start, but are guarded.

    Do you usually ignore similar events?

    08/12/16 13:03:58 Prevented process <sc.exe | c:\windows\system32\svchost.exe> from launching from <c:\windows\system32>.
     
  6. hjlbx

    hjlbx Guest

    The above is for system automatic maintenance.

    There's a bug that will break Ignore Messages if you add anything to the default list.

    As far as adding sc.exe to User Space (YES), I don't. I just add it to Guarded Apps so as not to get the alert.

    That being said, if a malware were to ask for elevated privileges and you allow it via UAC prompt, even as a Guarded App sc.exe can create new services.

    There is a difference between creating a new service and actually getting that service to run. To get it to run needs a system reboot.

    I have submitted a bug report on it, but it isn't much to worry about.
     
  7. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,812
    Location:
    .
    Hi @hjlbx

    I like to manage and protect vulnerable processes with NVT. In fact, I usually add them to the Vulnerable Processes list. So are those large lists you've published recently comprehensive and up to date? I guess they are. Anyway, I copied and pasted your own lists into just one large list. Is it good? Does it need special adaptation for NVT?
    I use AppGuard too; is it better to manage them with it?

    *regsvr32.exe
    *InstallUtil*
    *Regsvcs*
    *RegAsm*
    *InstallUtil.exe
    *IEExec.exe
    *DFsvc.exe
    *PresentationHost.exe
    *reg.exe
    *vssadmin.exe
    *aspnet_compiler.exe
    *csc.exe
    *ilasm.exe
    *jsc.exe
    *MSBuild.exe
    *vbc.exe
    *script.exe
    *iexplore.exe
    *journal.exe
    *bitsadmin*
    *iexpress.exe
    *mshta.exe
    *systemreset.exe
    *bcdedit.exe
    *mstsc.exe
    *powershell.exe
    *powershell_ise.exe
    *hh.exe
    *set.exe
    *setx.exe
    *\at.exe
    *mrsa.exe
    *bcdedit.exe
    *bcdboot.exe
    *bootcfg.exe
    *bootim.exe
    *bootsect.exe
    *ByteCodeGenerator.exe
    *debug.exe
    *diskpart.exe
    *regini.exe
    *regsvr32.exe
    *RunLegacyCPLElevated.exe
    *UserAccountControlSettings.exe

    *Regsvcs.exe
    *RegAsm.exe
    *wusa.exe
    ?:\$Recycle*
    *reg.exe
    *vssadmin.exe
    *aspnet_compiler.exe
    *csc.exe
    *jsc.exe
    *vbc.exe
    *ilasm.exe
    *MSBuild.exe
    *script.exe
    *journal.exe
    *msiexec.exe
    *bitsadmin.exe
    *iexpress.exe
    *mshta.exe
    *systemreset.exe
    *mstsc.exe
    *powershell.exe
    *powershell_ise.exe
    *hh.exe
    *set.exe
    *setx.exe
    *InstallUtil.exe
    *IEExec.exe
    *DFsvc.exe
    *dfshim.dll
    *PresentationHost.exe
    *wscript.exe
    *cscript.exe
    *iexplore.exe
    *at.exe
    *schtasks.exe
    *mrsa.exe
    *bcdedit.exe
    *bcdboot.exe
    *bootcfg.exe
    *bootim.exe
    *bootsect.exe
    *ByteCodeGenerator.exe
    *debug.exe
    *diskpart.exe
    *regini.exe
    *regsvr32.exe
    *RunLegacyCPLElevated.exe
    *UserAccountControlSettings.exe
    *wmic.exe
    *regedit.exe
    *regedt32.exe

    * * * * *

    *cmd.exe
    *tasklist.exe
    *netstat.exe
    *net.exe
    *ipconfig.exe
    *systeminfo.exe
    *qprocess.exe
    *query.exe
    *whoami.exe
    *nslookup.exe
    *fsutil.exe
    *csvde.exe
    *nbtstat.exe
    *nltest.exe
    *wevtutil.exe
    *arp.exe
    *sc.exe
    *qwinsta.exe

    * * * * *

    C:\Windows\ADFS\*
    C:\Windows\Fonts\*
    C:\Windows\Minidump\*
    C:\Windows\Offline Web Pages\*
    C:\Windows\tracing\*
    C:\Windows\Tasks\*

    I also suggest that you restrict write access permissions on

    C:\Windows\ADFS\*
    C:\Windows\Fonts\*
    C:\Windows\Minidump\*
    C:\Windows\Offline Web Pages\*
    C:\Windows\tracing\*
    C:\Windows\Temp\*
    C:\Windows\Tasks\*
    C:\ProgramData\*
     
  8. hjlbx

    hjlbx Guest

    1. Remember in AG that Guarded Apps list overrides User Space (YES) = you must un-tick any process in the Guarded Apps list that you add to User Space (YES)

    2. On the Guarded Apps list I add regsvr32.exe, cmd.exe, powershell.exe to User Space (YES).

    3. I add Flash to Guarded Apps list.

    4. If you disable cmd.exe, then there is no need to add any of the command line utilities below it in the list; I add them anyway because sometimes I will temporarily enable cmd.exe.

    5. You don't need to do anything with the c:\windows\* folders since they are already protected by AppGuard as a part of protected System Space.

    6. I make c:\program data\* a Read-only folder in folder exceptions; it works OK on my system as I do not have any softs that write to it. If you have softs that write to it, then you probably cannot get away with making it a Read-only folder in folder exceptions on Guarded Apps tab.

    7. It's the most up-to-date list.

    8. Ignore the * as this is just the way Florian composed it; I suspect the * symbol has significance for Excubits products which do not apply to AppGuard.

    9. I do not include sc.exe in User Space (YES), but instead add it to Guarded Apps; as you know there is an issue when sc.exe is run with Admin rights - which BRN is aware of. It's little to worry about when running in Locked Down mode, but it does need a fix.

    10. Configuring the list is somewhat trial-and-error since it is dependent upon what softs you have installed.

    11. On my system I virtually never need any of the interpreters or NET Framework objects unless I run a specialized utility like Win10Privacy or Macecraft jv16. In those cases, I just drop AG to Off temporarily, do what I need, then set AG back to Locked Down mode. I don't connect to the internet using a program while AG is set to Off.

    12. To save a lot of effort, use c:\windows\*\vulnerable_process where you can. There are only two exceptions to the c:\windows\*\ file path that I recall: journal.exe and hh.exe.

    13. For NVT ERP it is just a matter of adding them to the Vulnerable Process list.

    14. In NVT ERP do not use "Allow Trusted Vendors" and "Allow Protected System Processes."

    15. That being said, NVT ERP makes it easy to use a vulnerable process when you need it as you aren't completely disabling it as you do in AG; that's the advantage of using NVT ERP as you imply.
     
  9. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I'm getting ready to leave, but I thought I should comment on this. This has never been the case on my machine. I will check this when I get back to see if something changed in the last build. If powershell.exe is on my Guarded List, and also added to the user-space then powershell.exe will be blocked from running at all which indicates the user-space policy is taking precedence over the Guarded Apps List. If powershell is only Guarded it will be allowed to run with limited rights.

    I have to leave for some school stuff. I hope to be back in a few hours.
     
  10. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,812
    Location:
    .
    Yes, I think the same way on this.

    Correct.

    Yes. I did this a long time back.

    Thanks mate.
     
  11. hjlbx

    hjlbx Guest

    If it does not function this way on W7, then it is a bug.

    On W10, unless the user un-ticks a Guarded App on the list when adding it to User Space (YES), the Guarded Apps tab is designed (by intent) to override the User Space (YES).
     
  12. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,538
    Location:
    Sweden
    Thanks a lot for your help!
    ~ Off Topic Image Link Removed As Per Policy ~
     
  13. hjlbx

    hjlbx Guest

    Glad to assist.

    ~ Off Topic Remarks Removed ~
     
  14. hjlbx

    hjlbx Guest

    @XhenEd, @Mister X

    How are you using IDM ? When I add the download link to IDM as a URL - it just saves the URL as an *.htm.

    Can either one of you explain how you're using IDM. I used it once many years ago and I don't have time to play with it to figure it out. Can anyone give me the basic download procedure - or is it integrated into your browser ?
     
  15. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,812
    Location:
    .
    If I right-click AppGuard's download link in your signature and choose "Download with IDM", IDM adds the link properly and opens a new little window to save the exe file. If I just click on the same AG link, IDM's integration catches the link properly and then the same little usual window appears. As you can see, I use IDM integration with Chrome. Can you do the same?
     
  16. hjlbx

    hjlbx Guest

    I've not integrated IDM with anything. I am trying to write a procedure to replicate an issue XhenEd reported - whereby AG set to Install, blocked the installation of CCleaner.

    I can't even remember what IDM is... is it standalone or does it have to be integrated into the browser ?
     
  17. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,812
    Location:
    .
    Both. Second one is optional afaik.
     
  18. XhenEd

    XhenEd Registered Member

    Joined:
    Mar 31, 2014
    Posts:
    536
    Location:
    Philippines
    You're right!
    I think it's because the link is currently "invalid". The latest regular version (5.21) has been released, and so the Slim version will take a while to be released. It will be posted in this link: http://www.piriform.com/ccleaner/builds

    Edit: I think you can just test with the regular CCleaner version. But it comes with a bundle (PUP/PUA).
     
  19. hjlbx

    hjlbx Guest

    How is IDM supposed to work ?

    When I add the download link to the IDM URL manager, all it does is save the URL, but the actual download is done by the browser (Cyberfox).

    Is IDM not working ?

    Appears to me IDM does not function properly -- In fact, the manual add of URL is not even part of the manual and has been taken down by the IDM publisher...
     
    Last edited by a moderator: Aug 16, 2016
  20. XhenEd

    XhenEd Registered Member

    Joined:
    Mar 31, 2014
    Posts:
    536
    Location:
    Philippines
    Try this: http://download.piriform.com/ccsetup521.exe
    Right click the link, then choose Download with IDM.
     
  21. hjlbx

    hjlbx Guest

    OK... I see. IDM cannot resolve explicit file URL from download link URL.

    Man... IDM only makes sense if you do a LOT of downloading... LOL.

    Any how, I am working on replicating it. If I can, then I will write up procedure to replicate and submit. I bet I can replicate it...

    Thanks @Mister X, @XhenEd
     
  22. hjlbx

    hjlbx Guest

    @XhenEd

    What IDM components did/do you add to Guarded Apps - only IDMan.exe ?

    When you set AG to Allow Installs, ccsetup521.exe will not install ?

    ccsetup521.exe is digitally signed.

    AG is going to allow it because it is digitally signed.

    CCleaner slim is usually digitally signed ?

    I cannot replicate without more info...
     
  23. XhenEd

    XhenEd Registered Member

    Joined:
    Mar 31, 2014
    Posts:
    536
    Location:
    Philippines
    Yes, only IDMan.exe
    CCleaner setup won't install because AppGuard prevents it from "writing" to something.
    The Slim version is digitally signed.

    I'll reproduce this again later.
     
  24. hjlbx

    hjlbx Guest

    I get these block events, but CCleaner will still run - even after setting AG back to protected mode.

    That being said, these block events are unacceptable:

    08/16/16 23:32:43 Prevented process <pid: 1352> from writing to <c:\windows\wininit.ini>.
    08/16/16 23:32:43 Prevented <pid: 1352> from writing to <\registry\machine\system\controlset001\control\session manager>.
    08/16/16 23:32:10 Prevented <pid: 1352> from writing to <\registry\machine\software\wow6432node\google\google toolbar>.
    08/16/16 23:30:49 Prevented process <CCleaner Installer> from writing to <c:\windows\wininit.ini>.
    08/16/16 23:30:49 Prevented <CCleaner Installer> from writing to <\registry\machine\system\controlset001\control\session manager>.
    08/16/16 23:30:37 Prevented <CCleaner Installer> from writing to <\registry\machine\software\wow6432node\google\google toolbar>.

    I am using the manual method to download CCleaner.

    Did you use CCleaner Slim or the Desktop version ?

    Did you see just block events or a complete inability to run CCleaner at all ?
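As an added example (not AppGuard code), a parser for the block-event lines quoted in this post and in shadek's earlier sc.exe post, with a helper that separates recurring events (like the half-hourly sc.exe launch from svchost.exe attributed to idle maintenance) from one-off writes such as the installer touching wininit.ini. The line format is inferred from the quoted lines only; in `<sc.exe | c:\...\svchost.exe>` the second field is assumed to be the launching process, and the second sc.exe line in the sample is constructed.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Added example, not AppGuard code: parse the block-event lines quoted in the
# thread. Format inferred from those lines only; in "<sc.exe | c:\...\svchost.exe>"
# the second field is assumed to be the launching (parent) process.
EVENT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d/\d\d \d\d:\d\d:\d\d) Prevented (?:process )?"
    r"<(?P<subject>[^>]+)> from (?P<action>launching from|writing to) "
    r"<(?P<target>[^>]+)>\.$")

@dataclass(frozen=True)
class BlockEvent:
    ts: str
    subject: str            # "sc.exe", "pid: 1352", "CCleaner Installer"
    action: str             # "launching from" or "writing to"
    target: str             # directory, file or registry path
    launcher: Optional[str] = None   # only present on some launch events

def parse_event(line: str) -> Optional[BlockEvent]:
    """Return a BlockEvent for a recognised line, None for anything else."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    subject, launcher = m["subject"], None
    if m["action"] == "launching from" and " | " in subject:
        subject, launcher = (s.strip() for s in subject.split(" | ", 1))
    return BlockEvent(m["ts"], subject, m["action"], m["target"], launcher)

def recurring(lines: List[str], at_least: int = 2):
    """(subject, action, target) triples seen at_least times. Steady repeats
    are candidates for the Guarded Apps treatment hjlbx uses for sc.exe;
    one-off writes to wininit.ini or the session manager key deserve a look."""
    c = Counter((e.subject, e.action, e.target)
                for e in map(parse_event, lines) if e)
    return [k for k, n in c.items() if n >= at_least]

# Lines quoted in the thread plus one constructed repeat 30 minutes later.
SAMPLE = [
    r"08/12/16 13:03:58 Prevented process <sc.exe | c:\windows\system32\svchost.exe> from launching from <c:\windows\system32>.",
    r"08/12/16 13:33:58 Prevented process <sc.exe | c:\windows\system32\svchost.exe> from launching from <c:\windows\system32>.",
    r"08/16/16 23:32:43 Prevented process <pid: 1352> from writing to <c:\windows\wininit.ini>.",
    r"08/16/16 23:32:43 Prevented <pid: 1352> from writing to <\registry\machine\system\controlset001\control\session manager>.",
    r"08/16/16 23:30:49 Prevented process <CCleaner Installer> from writing to <c:\windows\wininit.ini>.",
]
```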
     
  25. XhenEd

    XhenEd Registered Member

    Joined:
    Mar 31, 2014
    Posts:
    536
    Location:
    Philippines
    This is what happened: https://www.wilderssecurity.com/threads/appguard-4-x-32-64-bit.355206/page-233#post-2606955
     