AppGuard 4.x 32/64 Bit - Releases

Discussion in 'other anti-malware software' started by Jryder54, Oct 29, 2013.

Thread Status:
Not open for further replies.
  1. Roberteyewhy

    Roberteyewhy Registered Member

    Joined:
    Mar 4, 2007
    Posts:
    610
    Location:
    US
    Doesn't (NO) mean ignore? Am I missing something?

    Robert
     
  2. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    Yes. I made a mistake. Sorry. I have fuzz on the brain at this very moment...

    What version of Windows are you using?

    * * * * *

    You don't need to exclude cleanmgr.exe from User Space.

    Create this exclusion instead of excluding cleanmgr.exe: C:\Users\User\AppData\Local\Temp\*\dismhost.exe
     
  3. Roberteyewhy

    Roberteyewhy Registered Member

    Joined:
    Mar 4, 2007
    Posts:
    610
    Location:
    US
    Clean install of Win 10 Pro x64 Version 1607 Build .693. Yeah, that's the one I was looking for (dismhost) as I saw it posted a while back. Anything else I need to exclude?

    Thanks,
    Robert
     
  4. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    Are you running in Protected or Locked Down mode?

    On Windows 10, virtually all the Microsoft processes that run from User Space are digitally signed. Therefore, you do not need to create any exclusions if you are running in Protected mode; you will need to create the exclusions if running in Locked Down mode.

    The one exception is onedrivepersonal.cmd which is in Windows Explorer in the file system tree.

    * * * * *

    For opening OneDrive from Windows Explorer (in both Protected and Locked Down mode):

    c:\users\user\appdata\local\microsoft\onedrive\onedrivepersonal.cmd

    For manual updates of Windows Defender (in Locked Down mode only):

    c:\users\user\appdata\local\temp\*\mpsigstub.exe

    c:\users\user\appdata\local\temp\mpam-*.exe
     
  5. Roberteyewhy

    Roberteyewhy Registered Member

    Joined:
    Mar 4, 2007
    Posts:
    610
    Location:
    US
    Thanks, Lockdown. I have been in 'Lock Down' mode from the beginning. Yep, about OneDrive. Will add your suggestions and nothing else in 'User Space'.

    Thanks again,
    Robert
     
  6. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    No problem. If you run into any issues just post here please.
     
  7. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Here is a similar block.

    c:\users\achilles\appdata\local\google\chrome\user data\swreporter\17.95.0\software_reporter_tool.exe
     
  8. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    Thanks, but that is not the Service Worker folder. I am searching for blocked writes to the Chrome Service Worker subfolder\sub-files.

    Software Reporter is different than Service Worker.
     
  9. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,639
    Location:
    Under a bushel ...
    I suppose ideally you mean something like Excubits CommandLineScanner, but NVT ERP event viewer and Process Lasso actions log sufficiently do the job?
     
  10. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    cmdScanner is best since it will log during boot time. SpyShelter is good too - but it isn't going to capture boot time in my experience with it. There are other utilities out there. System Explorer will capture command lines under History, but it will occasionally miss one. NVT ERP's Active Process list worked very well when I used it. It's a matter of personal preference. I personally like light on resources.

    Never used anything like Process Lasso.
     
  11. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,538
    Location:
    Sweden
    I'm getting that a lot too! But I suppose it's an expected event.
     
  12. XhenEd

    XhenEd Registered Member

    Joined:
    Mar 31, 2014
    Posts:
    536
    Location:
    Philippines
    Yes, that's expected. That's why you may want that to be set as system space application by setting it as User Space=No. :)
     
  13. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    That particular block was from Chrome attempting to update. AppGuard was blocking Chrome from updating. I have Google as Trusted Publisher. I was in Locked Down Mode though. I always operate in Lock Down Mode.
     
  14. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,796
    Location:
    .
    In Locked Down level and Excubits CmdScanner just logging, I'm getting lots of these blockage events:

    [attached screenshot: 01.png]
     
  15. guest

    guest Guest

    If Tray.exe is running, after each block event of cmdlinescanner (tray icon = red), C:\Windows\system32\cmd.exe is executed and queries the service.
    Command line: cmd.exe /c sc query <"insert Excubits-driver here"> and it seems that cmd.exe wants to write to the registry.
    But AG is preventing cmd.exe from writing to the registry = event in the Activity Report.

    I have added it to Ignored Messages:
    Field 1 = *
    Field 2 = registry\machine\software\excubits\*

    Edit: tiny fix
    Even if it is blocked from AG (as expected), the tray-icon is working as it should.
     
    Last edited by a moderator: Mar 16, 2017
  16. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,796
    Location:
    .
    Thanks @mood

    So I guess this should be fine:

    [attached screenshot: 02.png]

    To be honest I knew how to ignore messages but was wondering whether the blockages could cause a cmdscanner malfunction in any way.


    Edit: see next post for a typo in one line.
     
    Last edited: Mar 16, 2017
  17. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,796
    Location:
    .
    Something I noticed, you wrote:
    Field 1 = *
    Field 2 = "registry\machine\software\excubits\*


    Guess you mistyped " character, so this would be:
    Field 1 = *
    Field 2 = registry\machine\software\excubits\*

    Now it's quiet, peace. LOL

    Thanks @mood
     
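The exclusion and ignore rules quoted in this thread (the User Space exclusions from post 4 and the cmd.exe registry ignore rule from posts 15 and 17) are all plain path patterns with `*` wildcards. The following is an added example, not code from AppGuard, Excubits or anyone in the thread, that implements such a matcher and runs it over a few constructed Activity Report events. The wildcard semantics are assumptions for this illustration: matching is case-insensitive, `*` matches within a single path component only, a pattern ending in `\*` covers the whole subtree, and a bare `*` matches anything. It also shows why the stray `"` in post 16's rule silenced nothing.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

SEP_CLASS = r"[^\\]*"  # a '*' may not cross a backslash (assumed semantics)


def pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate an AppGuard-style path/registry pattern into a compiled regex.
    Assumed semantics: '*' alone matches everything; otherwise '*' matches any
    run of characters except the backslash separator; a pattern ending in '\\*'
    also matches every item beneath that folder or key."""
    pat = pattern.lower()
    if pat == "*":
        return re.compile(r"\A.*\Z", re.S)
    subtree = pat.endswith("\\*")
    if subtree:
        pat = pat[:-1]  # keep the trailing backslash, drop the '*'
    body = SEP_CLASS.join(re.escape(piece) for piece in pat.split("*"))
    if subtree:
        body += r".*"
    return re.compile(r"\A" + body + r"\Z", re.S)


def matches(pattern: str, path: str) -> bool:
    return pattern_to_regex(pattern).match(path.lower()) is not None


# User Space exclusions quoted in post 4 (Locked Down mode).
USER_SPACE_EXCLUSIONS = [
    r"C:\Users\User\AppData\Local\Temp\*\dismhost.exe",
    r"c:\users\user\appdata\local\microsoft\onedrive\onedrivepersonal.cmd",
    r"c:\users\user\appdata\local\temp\*\mpsigstub.exe",
    r"c:\users\user\appdata\local\temp\mpam-*.exe",
]


def is_excluded(exe_path: str, exclusions: Iterable[str] = USER_SPACE_EXCLUSIONS) -> bool:
    """True if the launched user-space executable is covered by an exclusion."""
    return any(matches(p, exe_path) for p in exclusions)


@dataclass(frozen=True)
class Event:
    process: str  # Field 1 in the Ignored Messages dialog
    target: str   # Field 2: file or registry path that was blocked


@dataclass(frozen=True)
class IgnoreRule:
    field1: str
    field2: str

    def covers(self, ev: Event) -> bool:
        return matches(self.field1, ev.process) and matches(self.field2, ev.target)


# The corrected rule from post 17, and the mistyped variant it replaced.
IGNORE_RULES = [IgnoreRule("*", r"registry\machine\software\excubits\*")]
TYPO_RULE = IgnoreRule("*", r'"registry\machine\software\excubits\*')

# Constructed sample events, modelled on the thread's description of
# "cmd.exe /c sc query <driver>" being blocked from a protected registry key.
SAMPLE_EVENTS = [
    Event(r"C:\Windows\system32\cmd.exe", r"registry\machine\software\excubits\cmdscanner\state"),
    Event(r"C:\Windows\system32\cmd.exe", r"registry\machine\software\microsoft\windows\currentversion\run"),
    Event(r"C:\Program Files\Foo\foo.exe", r"registry\machine\software\excubits\cmdscanner\config"),
]


def unignored_events(events: Iterable[Event], rules: Iterable[IgnoreRule]) -> List[Event]:
    """Events that would still appear in the Activity Report after ignore rules apply."""
    rules = list(rules)
    return [ev for ev in events if not any(r.covers(ev) for r in rules)]


if __name__ == "__main__":
    for ev in unignored_events(SAMPLE_EVENTS, IGNORE_RULES):
        print("still reported:", ev.process, "->", ev.target)
    print("typo rule silences anything?", any(TYPO_RULE.covers(ev) for ev in SAMPLE_EVENTS))
```

Because `*` is assumed not to cross a backslash, `temp\*\dismhost.exe` covers exactly one randomly named subfolder, not `temp\dismhost.exe` itself and not deeper nesting; if AppGuard's real matcher is broader, the constant and the tests above are the only things to change.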
  18. guest

    guest Guest

    The typo is now gone :)

    I didn't notice any malfunction of the tray-icon or cmdlinescanner.
    Both are working as expected.
     
  19. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    That is expected.

    cmd.exe is a Guarded App so it will be blocked from writing to protected areas of the registry. I use cmdScanner too and see the same blocked writes to the registry.

    Ignore it.
     
  20. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499

    What exactly is that program you are using? Please give the website.
     
  21. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,796
    Location:
    .
  22. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    Excubits Commandline Scanner. Florian named the driver "cmdScanner" - and so I use it as it is easier to type out "cmdScanner" instead of "Commandline Scanner"...
     
  23. Kid Shamrock

    Kid Shamrock Registered Member

    Joined:
    Apr 3, 2007
    Posts:
    229
    I have Edge as a Guarded App. I set Privacy to ON like with other browsers. When I check later, I find that Privacy has been changed to OFF. Is this a known issue?
     
  24. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    Privacy Mode for Edge does not currently work in AppGuard.

    Fix... no ETA.

    It's not that big a deal since Edge runs in AppContainer - and since it does run in AppContainer the issue has been assigned a very low priority for a fix.
     
  25. Kid Shamrock

    Kid Shamrock Registered Member

    Joined:
    Apr 3, 2007
    Posts:
    229
    Ok, thank you.
     