AppGuard 4.x 32/64 Bit - Releases

Discussion in 'other anti-malware software' started by Jryder54, Oct 29, 2013.

Thread Status:
Not open for further replies.
  1. XhenEd

    XhenEd Registered Member

    Joined:
    Mar 31, 2014
    Posts:
    536
    Location:
    Philippines
    Depending on the use of the word "isolation", AppGuard may be termed as using isolation in its protection model. It isolates Guarded apps to only work within bounds. It also isolates the system space from attacks originating from the user space.

    And yes, even BRN uses the word "isolation" to describe how AppGuard works. I think the word used is "micro-isolation", which refers to MemoryGuard.

    But, overall, I agree that AppGuard isn't an isolation software, but an SRP. :)
     
  2. guest

    guest Guest

    Yes, I saw it too; I think it is just a figure of speech, not really about the isolation mechanism itself. I would rather use "restrict" instead of "isolate", which is more appropriate.

    I'm not sure what Rasheed meant by "isolation", but if he meant isolation à la Sandboxie, this isn't correct because Guarded Apps don't isolate as a sandbox does... I would be more than happy if that were the case :p
     
  3. syrinx

    syrinx Registered Member

    Joined:
    Apr 7, 2014
    Posts:
    427
    LMFAO, yes, I recall writing that; it was back when I still trusted AG. I suppose even now, 99% of the time it is still a great piece of software when applied correctly, aside from this hole.

    I certainly began losing faith when I saw how AG's BFE dependencies failed in certain cases and, instead of an actual fix, we got it to recognize and issue an 'alert' -ONLY WHEN THE RULES ARE FIRST PROCESSED OR LATER REFRESHED (e.g. change of mode). Better than nothing for sure, but to me that's like expecting your anti-virus software or firewall to play by the same set of rules and just tell you that suddenly it might not be able to do its job (but only at startup or after you change the mode it operates in) because something else didn't register in an expected manner with the Windows Base Filtering Engine...because yup, every piece of malware, every script and exploit will do everything by the book to ensure they do just that.
    /cough, umm nope sorry...doesn't work that way.

    If they introduced code to handle such events rather than just 'tell us' upon a refresh or startup [which would basically require an entire re-write and introduction of its own fallback methods- v5 would be a prime candidate, but so far all we've got is the silly new licensing] I'd be all for it again. For now I just don't trust it to do what it's supposed to all the time anymore.
     
  4. guest

    guest Guest

    Not sure I get what you meant. Could you explain?

    The current "v5" was just introduced to adapt to the new licensing system, which obviously couldn't be related to v4 and its "version lifetime" licensing. However, the real deal will be the next stable v5, and from what I heard, it will have more improvements.
     
  5. syrinx

    syrinx Registered Member

    Joined:
    Apr 7, 2014
    Posts:
    427
    Barb=Windows API (GetVolumePathName(driveletter)) to query the ram disk; we do not get a valid path back.
    Me=https://www.wilderssecurity.com/threads/appguard-4-x-32-64-bit.355206/page-173#post-2562400
    Barb=More on the ImDisk issue: We did find a bug at our application layer in this case. So not an issue with the way ImDisk is interfacing with the Filter Manager. Hopefully will have another beta for you to try tomorrow or Monday.
    Barb=Another update on the ImDisk issue. It seems that there is something non-standard about the underlying naming of the ram disk that is causing AppGuard to have problems. We'll enhance our program to at least warn when this is the case.
    Barb=It looks like you will be able to use ImDisk with AppGuard together, but you won't be able to set the disk as a protected resource. AppGuard will be updated to warn you when you try to add it as a protected resource. It looks like AppGuard will treat it as user-space and prohibit exe's from launching out of the ram disk, but unfortunately if you try to exclude the ram disk from user-space protection, AppGuard does not honor it. This has to do with the way the volume is named. Unfortunately there is no quick way to get in a warning about the user-space rule. We'll incorporate the user-space warning in a future release.

    Me=Yet they never addressed the sound card dll issue which caused standard protections to fail, which as it happens is 'sortofkindof' related. Adding an alert didn't really change anything with how the issues are handled and didn't fix anything, because they didn't catch it all.

    Keep in mind I'm drunk (again-what's new) and talking about an issue that's haunted me for over a year without actually playing with it again, so I suppose it's possible I've skewed things out of proportion over time relying on even older drunken recollections.
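    A check, added here and not AppGuard's or BRN's own code, that runs the same GetVolumePathName query Barb describes above (plus the volume GUID lookup) against a drive letter, so an admin can see whether a RAM disk resolves to a normal volume path before adding it as a protected resource. It assumes Windows PowerShell 5.1 or later and that 'R:' is the letter assigned to the ImDisk drive.

```powershell
# Added example (not AppGuard's code): probe a drive the way the GetVolumePathName
# query quoted above would, to spot volumes with non-standard naming up front.
$signature = @'
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern bool GetVolumePathNameW(string lpszFileName,
    System.Text.StringBuilder lpszVolumePathName, uint cchBufferLength);

[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern bool GetVolumeNameForVolumeMountPointW(string lpszVolumeMountPoint,
    System.Text.StringBuilder lpszVolumeName, uint cchBufferLength);
'@
$Kernel32 = Add-Type -MemberDefinition $signature -Name 'VolumeProbe' -Namespace 'Win32' -PassThru

function Test-VolumePathResolution {
    param([Parameter(Mandatory)][string]$Drive)   # e.g. 'R:' (assumed ImDisk letter)

    $root = $Drive.TrimEnd('\') + '\'
    $volumePath = New-Object System.Text.StringBuilder 260
    $volumeName = New-Object System.Text.StringBuilder 50   # \\?\Volume{GUID}\ needs >= 50 chars

    # Step 1: the query AppGuard is described as making for the drive.
    $pathOk  = $Kernel32::GetVolumePathNameW($root, $volumePath, [uint32]$volumePath.Capacity)
    $pathErr = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()

    # Step 2: does the mount point map to a \\?\Volume{GUID}\ name at all? A disk
    # named in a non-standard way (Barb's explanation) tends to fail here too.
    $nameOk  = $Kernel32::GetVolumeNameForVolumeMountPointW($root, $volumeName, [uint32]$volumeName.Capacity)
    $nameErr = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()

    $pathText = if ($pathOk) { $volumePath.ToString() } else { "<failed, Win32 error $pathErr>" }
    $nameText = if ($nameOk) { $volumeName.ToString() } else { "<failed, Win32 error $nameErr>" }

    [pscustomobject]@{
        Drive          = $root
        VolumePath     = $pathText
        VolumeGuidName = $nameText
        # A drive failing either query is the case AppGuard cannot treat as a protected
        # resource; keep it out of the protected list rather than relying on the rule.
        SafeToProtect  = [bool]($pathOk -and $nameOk)
    }
}

# Compare a normal fixed disk against the RAM disk letter you assigned.
'C:', 'R:' | ForEach-Object { Test-VolumePathResolution -Drive $_ } | Format-Table -AutoSize
```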
     
  6. guest

    guest Guest

    @syrinx so basically a very specific issue about the volume path. I also had an issue related to paths and managed to find the cause; it will be fixed in the next (real) update.
    Btw, I guess you tried with v4.4.6.1 (aka v5) too?
     
  7. syrinx

    syrinx Registered Member

    Joined:
    Apr 7, 2014
    Posts:
    427
    Pretty sure I did, but can't recall with certainty. Very specific, yes, thus the '99% of the time it's still good' comment.

    In fact even SBIE currently has a small 'potential security issue' atm concerning certain APIs available to a sandboxed program via a dll which *might* aid in an escape though it SHOULD require a user to click 'certain things' after the APIs are used to load something with a malicious payload [outside of the box, yes you read that correctly, it can't do it by itself {from inside} but the wrong click from a user will finish and allow such an escape]... It also is a very specific scenario (perhaps a bit dramatized here) yet happens to be a bit easier to reproduce than the ones mentioned above with AG. I love SBIE, but if after a time they haven't corrected things from their end, I'll be bugging them on their forum and complaining here to no end in related threads as well until it does get resolved.
     
    Last edited: May 2, 2017
  8. guest

    guest Guest

    About Sandboxie, I use it now only for its "Forced Folders"; my main sandboxing application is ReHIPS (which will introduce the said feature in a later version).
     
  9. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    OK cool, so it's indeed possible to basically make AG act like a HIPS that auto-blocks memory modification. The only thing I don't like is that it can only be done if the app is trusted/digitally signed. It's weird, I couldn't find anything about this in the help-file, perhaps it's from an old version.

    No, it's not. Of course they are not using home user HIPS that alert about everything. But they will monitor new apps being introduced on endpoints, that's what all the big corporations are using, at least if you look at the client list of the big "next gen AV" companies.

    Yes exactly, AG basically tries to block exploits with AE + isolation features. So if malware is able to run (in-memory or not), AG will try to stop it from taking over the system, and that's isolation to me.

    Thanks will check it out.
     
  10. guest

    guest Guest

    The help file is not very detailed. I almost never used it; I mostly learnt AG by myself or via forums.

    OK, so I see your point, but personally, no serious admin should allow users to install applications on endpoints...
     
  11. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,809
    Location:
    .
    Lol, I'm a sort of sysadmin, although a very serious one, who restricts users from installing unauthorized apps, actually any sort of apps, for my clients: SOHOs with less than 15 or 10 PCs, not huge enterprises or corporations. They look at me strangely and ask why my policy, and I say prevention is better than remediation whenever possible; take it or leave it.
     
  12. guest

    guest Guest

    +1
     
  13. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    I believe the goal is to even monitor trusted apps that might be exploited. Those types of HIPS will basically try to make sure that no malware is running, and even if it does, the HIPS/BB should be able to spot and interfere with malicious behavior. Even M$ has jumped on the bandwagon with Win Defender ATP:

    https://blogs.technet.microsoft.com...corporate-networks-with-windows-defender-atp/
    https://blogs.technet.microsoft.com...-process-injection-with-windows-defender-atp/
     
  14. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    :thumb: Tell them like it is... you want me to come back? It might cost you a little, it might cost you a lot, but it will cost you... one way or another, it will cost you.

    By the way, I opted not to disconnect the SSD and run bcdboot ?:\Windows. Why? I have 6 drives installed and do not want to open the case and mess with cables. It was a PITA getting all that stuff in there in the first place. If I go in and mess with the cables, then I have to re-shuffle. I learned what I need to do when, and if, I want to get the other drive back in the BIOS boot priorities. The current setup allows me to fast-switch, so it is sort of a convenience.
     
    Last edited: May 6, 2017
  15. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,809
    Location:
    .
    Unfortunately some of them said: I don't like your policy, I'm leaving. :thumbd:
    Bosses/owners want their employees to be free to install a program when needed without calling me. Problem is they install whatever they like, leaving the machine open to infected keygens or pirated software compromising it somehow. Then they call me to remediate the situation and I have to work a lot (many times to reformat/reinstall/re-image), but they don't want to pay a lot. They don't see the advantages of a locked system, doh!
     
  16. guest

    guest Guest

    put a disk-killer malware, put the blame on the user and then they will listen to you :ninja:
     
  17. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    Typical user mentality. "I am User. I want to Use Stuff... make it so we can do it as we want." :confused:

    Next...

    "I am infected. I want you to fix all workstations completely for 380 Pesos."
     
  18. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Glad I don't do this stuff for a living. When someone asks me for help cleaning a system I don't charge them, but I make them buy EIS, AppGuard, SBIE, and Macrium. I help them get it running and then warn them that if they get in trouble and I find something turned off, I walk away. So far it's worked.
     
  19. guest

    guest Guest

    Yes lol, I used to do that too, forcing them to use SUA + UAC at max, but I still charged them :p
     
  20. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,809
    Location:
    .
    :argh: True, very true.
     
  21. guest

    guest Guest

    The worst was a customer writing down every step I did on his machine; I guess he wanted to do it himself the next time... but I used some very dedicated tools he wouldn't even understand :p
     
  22. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    BTW, about Memory Guard, how exactly does it work? Most HIPS will monitor for various code injection techniques, but I assume AG removes the ability to interact with memory of other processes? I can't fully picture it, so more info is welcome.
     
  23. guest

    guest Guest

    It is not as hard as you think.
    The writing to (or reading of) the memory of other processes is blocked.
    This can be changed for each Guarded App (MemRead On-Off / MemWrite On-Off) or for Publishers in the Publisher List (Memory On/Off).
     
  24. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    "...removes the ability to interact with memory of other processes" is essentially correct.

    We will not provide any more in-depth info than that.
     
  25. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Yes I know, but I wondered about how this is done on a technical level.

    I just realized that MemProtect and Sandboxie are also doing this, so I will look for some info. It's probably related to blocking all forms of interprocess communication. Strange that not all HIPS provide this function, but I guess it needs to be implemented in a way that doesn't break normal app behavior, so perhaps it's not that simple.
     