AppGuard 4.x 32/64 Bit - Releases

Discussion in 'other anti-malware software' started by Jryder54, Oct 29, 2013.

Thread Status:
Not open for further replies.
  1. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    AppGuard is software restriction policy; there is no HIPS functionality in AppGuard and there never will be. The only alerts that AppGuard generates are blocked execution, Windows Installer reads of *.msi\*.msp files, and denied access to Private Folders. There are no code injection or registry alerts.

    AppGuard blocks malicious service/driver loading, incoming/outgoing connections, registry key creation, etc, etc by blocking the initial malicious process execution in the first place.

    If you block a program from executing in the first place, then you need not concern yourself about what it would have done on the system had it executed.

    Using a HIPS like SpyShelter, if you do not select Terminate in the Action Type 53 - Execution of an application - but instead allow the malware to run - by the second or third HIPS alert it very well could be too little, too late to prevent malicious actions on the system. You can ask Datpol. What is recommended is to block execution in the first place - which means terminating an unknown\untrusted\unexpected process in the very first Action Type 53 alert.
     
  2. guest

    guest Guest

    @Rasheed187 care to use AG before talking about its cons & pros...:rolleyes:
     
  3. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    There isn't much the industry can do about that. I know there are many that think the industry should do absolutely everything and anything that it can to create a default-allow model that covers this scenario, but the reality of it is that despite the industry's best efforts those efforts have amounted to an exercise in futility. Users always manage to find a way to shoot themselves in the foot - regardless of the installed security solution. The industry simply cannot completely protect users from themselves.
     
  4. guest

    guest Guest

    I can't find the quote now, but Rasheed187 doesn't have to install applications to know how these applications actually work :isay:
     
  5. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    +1
     
  6. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    No need to actually use it, it's already clear what the pros and cons are. Besides, most of the time I get a headache from this thread, and with ERP + SS I can achieve almost the same as with AG.

    LOL, yes exactly.
     
  7. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Yes, the first goal is always to identify and to block malware. Sometimes they can block malware from executing at all, but often they can block malicious actions to minimize or completely contain the damage. Again, that's the whole point of HIPS/BB. If they will always be successful, that's a different story. Think of companies like Invincea, CrowdStrike and SentinelOne.
     
  8. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    I think you misunderstood my post. Obviously, AG is not a behavior blocker and doesn't alert about stuff. It's mostly meant as protection against exploits. However, the MemGuard and data protection options will most likely also protect against user launched malware. So they are basically HIPS-like technologies. That's why I asked if it could block Dridex from injecting code. I believe that AG's approach of simply blocking memory reading/writing is a better approach than trying to monitor and alert about all types of code injection methods like HIPS do.
     
  9. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    It is pointless to debate about security solution X versus security solution Y.

    A user that knows how their security solution works, has at least a basic understanding of malware and other malicious things, and is security conscious is more than likely going to protect their system using software X or Y.

    Let's consider this... you get an alert out of nowhere that file "Microsoft Application ath.exe" is either blocked or attempting to execute - the vast majority of informed users are going to keep it blocked or block it within an alert, and then investigate. The file name above is an obfuscated *.hta downloader that uses the Unitrix left-to-right exploit to "hide" the *.hta file extension. It's the same concept used by the Microsoft Office exploit creating all the recent hoopla on the forums lately.

    Each user has to decide what works for them personally on their specific system. There are a lot of options on the market, so just about anybody should be able to find a configuration that works for them.

    In case anybody did not know, I use SpyShelter Firewall along with AppGuard. SpyShelter has a decent command line logging module and it works for me. It does what I need. It is easier to use than SysMon, Auditpol, etc, is problem-free, and very convenient.
     
  10. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    That's why I said you misunderstood my post, because it wasn't really about A vs B, I was trying to explain that AG is better in certain areas, and why some people would still choose to use HIPS either with or without AG. BTW, I thought you had dropped SS.
     
  11. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    I understand.

    AppGuard is SRP. It does not prevent exploits. However, if an exploit does occur or post-exploit payload\user introduced malware does run, then they do so with restricted privileges.

    The MemGuard and Private Folder protections will protect against specific things, if:

    1. AppGuard is in Protected mode and malware that is digitally signed is executed
    2. The user runs malware via "Allow User Space Launches - Guarded"
    3. An application in the Guarded Apps list is executed

    I recommend Locked Down mode (equivalent in SpyShelter after all rules have been created > Block all malicious actions).

    Those settings solve a ton of "what-ifs, what-nots, and what-fors" in a single move... instant enforced "check-mate."
     
  12. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    What can I tell ya about SS... in my experience Datpol doesn't appreciate accurate, detailed reports and more than a few replies that I have received from them are beyond abrasive, live-in-denial and ignorant. I initially thought that it was a language thing, but I don't think so at this point. Some staff there are just plain difficult (and I am being nice in my description). That being said, I am not going to drop SS because of Datpol's bad behavior. The command line logging is extremely useful to me - and it's better logging than any of the utilities that can be currently had. I could cop a resentment towards Datpol and not use SS, but that is biting off my nose to spite my face.

    You gotta have really thick skin to be in the game.

    This is just my personal experience. Rasheed asked a direct question and I gave him a direct answer. So if any SpyShelter fanboyz are inclined to jump into this thread and start defending SpyShelter or Datpol - I'm telling you don't.
     
    Last edited: Apr 15, 2017
  13. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    Blocking by default is the only protection model that has been proven over time to prevent a very long list of potentialities and problems. That protection model doesn't work for everybody, but what I can tell you is that we configure it on Enterprise systems - and on those systems the clients do everything that they need to do with only very rare issues. However, what the workstation user themselves cannot do is behave like a typical user, download and "use stuff" - because they are locked out of the system and cannot modify it.

    I have my usual softs that I always use. I know the installers are safe. I clean install the OS, install the drivers, install my softs and then lock the system down with AppGuard. I only change what is installed on the system when required. So I'm one of those that pretty much maintains a static system most of the time.
     
  14. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    +1:thumb:
    Keeping the system locked down is always best, with a great backup system off the local disk. I was a big advocate of reformatting a system and reinstalling Windows and all software until these new great backup programs came along. That was back in the rootkit days.
     
  15. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    +2 here also. Very simple, and totally effective.
     
  16. guest

    guest Guest

    You can have a general idea, sure, but this won't answer some of your questions and you won't see the full picture and its precise behavior. Like in the post earlier, if you were using it, you would know you don't have to care about reg modification, firewall rules or drivers installed by malware executed on the system, because all those can't even be done if the source is blocked.

    Of course with ERP + SS you can get the same result, and it is great; it would be sad for us to have AG as the only solution able to do it... I like competition between vendors, all benefits for us users.
     
  17. guest

    guest Guest

    +3, same here. In fact, those are corporate habits: a static locked system (as opposed to home users' dynamic open systems).
    I guess because many of those using this kind of model worked at some point in IT or a similar position in a company.

    I do exactly that: clean install > update OS > install vital drivers > do a classic system image > install Rollback RX > install Appguard > install vital softs > update RX's baseline > now I can do whatever I want without endangering my system because I can roll back to a clean slate anytime and AG locked my system.
     
  18. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,639
    Location:
    Under a bushel ...
    I have started using a program called HD Sentinel and on reboot I always get this:

    Prevented process <cscript.exe | c:\program files\hard disk sentinel\hdsentinel.exe> from launching from <c:\windows\syswow64>.

    Block seems to have no ill-effect, but I guess there is no way to allow this instance of cscript.exe?
     
  19. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    Just change cscript.exe from YES to NO in the User Space list.

    You cannot allow cscript.exe only when hdsentinel.exe launches it; the two options for User Space are to allow it always or disable it always.

    An alternative...

    If you are really paranoid about cscript.exe, then try adding it to the Guarded Apps list and see if everything works OK with hdsentinel.exe. You might see cscript.exe block events in Activity Report. Those logged events will give you a better idea of how cscript.exe is being used.

    Either way it is your choice. If there is no breakage you can leave it disabled in the User Space list or add it to the Guarded Apps list.
     
    Last edited: Apr 17, 2017
  20. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,639
    Location:
    Under a bushel ...
    Yes, I've done that now but I thought cscript.exe and wscript.exe were particularly vulnerable?
     
  21. guest

    guest Guest

    You "have to" change it from YES to NO if you want to allow HD Sentinel to execute cscript.exe.
    If you change it to YES, you are well protected but all instances of cscript.exe are blocked.
     
  22. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    See edited post.

    Allowing only what is needed by legitimate programs is very unlikely to result in complete compromise of your system.
     
  23. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,639
    Location:
    Under a bushel ...
    I have a similar issue with powershell and (I think) Lenovo System Interface Foundation, but in that case I'd rather keep the block.

    I suppose I could uninstall that Lenovo program on my ThinkPad Yoga but not sure if it can safely be uninstalled.

    Edit: I suppose I could also go back to only guarding powershell.
     
    Last edited: Apr 17, 2017
  24. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,639
    Location:
    Under a bushel ...
    I added cscript.exe to Guarded Apps (Microsoft Console Based Script Host).

    All I see now in Activity Report is: 04/17/17 17:40:23 Prevented <Console Window Host> from writing to memory of <Service Control Manager Configuration Tool> so no issues.

    And the previous block event was probably not an issue.

    Edit: I have now also moved powershell back to Guarded.
     
    Last edited: Apr 17, 2017
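    The two Activity Report lines quoted in this thread (a blocked user-space launch of cscript.exe, and a blocked memory write) are the data a user has when deciding between "leave it disabled in User Space" and "add it to Guarded Apps". The parser below is an added example, not AppGuard's own code or output format: its grammar is inferred from those two lines only, and the sample log, including the Lenovo path, is constructed.

```python
import re
from typing import Optional

# Patterns for the two block-event shapes quoted in the thread. The grammar is
# inferred from those two lines (an assumption), not AppGuard's documented format.
_TS = r"(?:(?P<ts>\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) )?"
LAUNCH_RE = re.compile(
    _TS + r"Prevented process <(?P<child>[^|>]+?) \| (?P<parent>[^>]+)> "
    r"from launching from <(?P<dir>[^>]+)>\.?$")
MEMWRITE_RE = re.compile(
    _TS + r"Prevented <(?P<source>[^>]+)> from writing to memory of <(?P<target>[^>]+)>\.?$")

def parse_event(line: str) -> Optional[dict]:
    """Parse one Activity Report line into a dict; None if it is not a known block event."""
    line = line.strip()
    m = LAUNCH_RE.match(line)
    if m:
        return {"type": "launch_blocked", "ts": m.group("ts"),
                "child": m.group("child").strip().lower(),
                "parent": m.group("parent").strip().lower(),
                "dir": m.group("dir").strip().lower()}
    m = MEMWRITE_RE.match(line)
    if m:
        return {"type": "memwrite_blocked", "ts": m.group("ts"),
                "source": m.group("source").strip(), "target": m.group("target").strip()}
    return None

# Script hosts the thread singles out; a block of one of these deserves a look first.
SCRIPT_HOSTS = {"cscript.exe", "wscript.exe", "powershell.exe"}

def launch_blocks_by_parent(lines) -> dict:
    """Map each parent that tried to launch a script host to the hosts it requested.
    The parent is what tells you which legitimate program actually needs the interpreter."""
    groups = {}
    for line in lines:
        ev = parse_event(line)
        if ev and ev["type"] == "launch_blocked" and ev["child"] in SCRIPT_HOSTS:
            groups.setdefault(ev["parent"], set()).add(ev["child"])
    return {parent: sorted(hosts) for parent, hosts in groups.items()}

# Constructed sample lines modelled on the two events quoted in the thread;
# the Lenovo path is a placeholder, not a real file location.
SAMPLE_LOG = [
    r"Prevented process <cscript.exe | c:\program files\hard disk sentinel\hdsentinel.exe> from launching from <c:\windows\syswow64>.",
    "04/17/17 17:40:23 Prevented <Console Window Host> from writing to memory of <Service Control Manager Configuration Tool>",
    r"04/17/17 17:41:02 Prevented process <powershell.exe | c:\program files\lenovo\lsif-placeholder.exe> from launching from <c:\windows\system32>.",
    "AppGuard started in Locked Down mode",
]
```

    Running `launch_blocks_by_parent(SAMPLE_LOG)` groups the blocked interpreter launches by requesting parent, so a lone cscript.exe block traced to hdsentinel.exe can be judged on its own rather than by flipping cscript.exe to allowed for every caller.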
  25. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    If there is any application that should be disabled, it is PowerShell.

    You didn't bother to research Lenovo System Interface Foundation service?:

    From Lenovo support website...

    Lenovo System Interface Foundation facilitates communication between the desktop and the following Universal Apps.
    • Lenovo Companion 3.0
    • Lenovo Settings 3.0
    • Lenovo ID 1.0
    All of it is bloatware and absolutely not needed, but it is your choice what you want to do.
     