AppGuard 4.x 32/64 Bit - Releases

Discussion in 'other anti-malware software' started by Jryder54, Oct 29, 2013.

Thread Status:
Not open for further replies.
  1. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    Power Apps is meant to be used only in the case of breakages and all other steps have failed to resolve the issue.

    You will have to contact NVT support and ask Andreas why he specified those exceptions in that NVT ERP user guide.
     
  2. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,823
    Location:
    .
    No, it is not required. I've been using ERP on Windows 8.1 x64.
     
  3. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I am not doing that.
     
  4. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    I do not know of anyone who has had to add those NVT ERP processes to Power Apps.

    That guide is years old by this point.

    In testing, NVT ERP worked as intended without adding any NVT ERP processes to the Power Apps list.
     
  5. Circuit

    Circuit Registered Member

    Joined:
    Oct 7, 2014
    Posts:
    939
    Location:
    Land o fruits and nuts, and more crime.
    Good to know, thanks.
     
  6. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,606
    Location:
    The Netherlands
    I'm not following, both VS and ERP could block the payload delivered via the kernel exploit, so why couldn't AG do it? Normally speaking, AE like VS and ERP will simply block processes that are not on the white-list. And they will also block or alert about so called "vulnerable processes" that can be used to run malware. So would AG have blocked WannaCry or not?
     
  7. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    1. AppGuard is not anti-exploit software; AppGuard is software restriction policy
    2. AppGuard does not parse the command line; VS and NVT ERP do parse the command line
    3. AppGuard blocks the WannaCry and DoublePulsar executable files as reported in early May

    This is the only response that this topic is going to receive.
     
  8. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,606
    Location:
    The Netherlands
    OK, point number 3 is what's the most interesting part to me. I think guest meant that AG couldn't block the kernel exploit, but most security tools can't do this either. But you should at least be able to block the payload from running, or to block malicious behavior from the payload if it's able to run. And in this case the payload was WannaCry.
     
  9. clubhouse1

    clubhouse1 Registered Member

    Joined:
    Sep 26, 2013
    Posts:
    1,124
    Location:
    UK


    No reply?
     
  10. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    Basically, the EULA is like every other EULA in that the software is offered "As-Is" with no guarantees.

    If someone asks for support, we request logs. If the logs reveal KMS and other sketchy activations along with associated errors, then the user needs to fix those issues first. Troubleshooting very often is a process of elimination - so it is logical to address the problems on the machine that are unrelated and/or not caused by AppGuard itself.

    Except for basic configuration of AppGuard, our troubleshooting support is for AppGuard itself - and not any other software, hardware, etc.

    This is the only reply that will be given regarding this matter; see the original post on this thread.
     
    Last edited: Jun 1, 2017
  11. clubhouse1

    clubhouse1 Registered Member

    Joined:
    Sep 26, 2013
    Posts:
    1,124
    Location:
    UK
    clubhouse1 said: I will assume the answer is no.


    Hmm. iffy.
     
  12. simmersK00L

    simmersK00L Registered Member

    Joined:
    Mar 20, 2013
    Posts:
    323
    Location:
    USA
    thanks! yes I removed kis and vs from power apps. hope to get thru the manual tonight (first (re)-read). for now all settings default. I relocated killswitch into the correct space and no alerts, all is quiet, safe secure serene... :D
     
  13. simmersK00L

    simmersK00L Registered Member

    Joined:
    Mar 20, 2013
    Posts:
    323
    Location:
    USA
    not using hmp.a or sandboxie. I may play with rehips this weekend if there's time. thanks!
     
  14. simmersK00L

    simmersK00L Registered Member

    Joined:
    Mar 20, 2013
    Posts:
    323
    Location:
    USA
    PS I used to have "special setup" for sandboxie with AG on my olde_time machine, and still have notes and email how-to's -- nice to be back and see progression of improvement :)
     
  15. simmersK00L

    simmersK00L Registered Member

    Joined:
    Mar 20, 2013
    Posts:
    323
    Location:
    USA
    SHvFI some "confusion" on this point... both guest and Lockdown say do not put kis in power application. So short time span, I had kis in power apps for a day or so and now kis removed from power apps. so far seeing no problems with kis removed from power apps. I guess if and when I see a true problem then maybe I put kis back into power app... :doubt:
     
  16. simmersK00L

    simmersK00L Registered Member

    Joined:
    Mar 20, 2013
    Posts:
    323
    Location:
    USA
    I need to understand this comment better, is it explained in the manual?
     
  17. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    It's not documented...

    1. Uninstall AppGuard so that it preserves the license activation
    2. The license does not have unlimited activations
    3. If you clean install Windows without uninstalling AppGuard first, that will "consume" an activation
    4. If you clean install Windows too many times, then all the activations will be "consumed" and the AppGuard license will be deactivated; you will have to contact AppGuard support to re-activate the license
     
  18. simmersK00L

    simmersK00L Registered Member

    Joined:
    Mar 20, 2013
    Posts:
    323
    Location:
    USA
    thank you :thumb:
     
  19. guest

    guest Guest

    It is not mentioned above, but while uninstalling AG it phones home to decrease the number of activations.
    If you are not online while uninstalling AG:
     
  20. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    Thanks for pointing it out. Good catch.
     
  21. simmersK00L

    simmersK00L Registered Member

    Joined:
    Mar 20, 2013
    Posts:
    323
    Location:
    USA
    thanks!
     
  22. guest

    guest Guest

    To illustrate, the full chain is:

    1- infect a machine in a given network via malicious file or infected mail or other method available.
    2- use EternalBlue to exploit SMB 1.0 and compromise other machines in the same network.
    3- exploit those other machines' kernel via injecting DoublePulsar into lsass.exe and create a permanent backdoor.
    4- create a shell (cmd.exe) via rundll32.exe run at the highest privileges (aka System), which connects to the attacker's Metasploit platform (Kali in our case)
    5- once the attacker gets the shell, he can upload and run whatever malware/malicious tools; in WannaCry it was a ransomware but it could be a keylogger like Mimikatz.

    By default setting:
    - Anti-exe with command line monitoring like VS or NVT ERP will kick in at steps 1, 4 and 5
    - SRP like AG Consumer or AppLocker, at steps 1 and 5.
    - for HIPS I don't know. Probably same as anti-exe due to their full monitoring.
    - anti-exploits (HMPA, etc...) may block all steps I guess.
    - firewalls with IDS/IPS should block step 2

    I don't have the sample, so I can't be 100% sure for HIPS and anti-exploits.
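The post above maps five chain steps to the control classes expected to intervene at each. As an added example (not from the poster, not from any vendor), the script below turns that mapping into a coverage check: given a chosen stack of controls, it reports which steps are blocked by a control the post is confident about, which are only tentatively claimed (the entries the post itself marks as guesses), and which remain open. The step descriptions and the control-to-step table are transcribed from the post; the "certain" flag is the one assumption, used to keep the post's guesses separate from its firm statements.

```python
"""Layered-defence coverage check for the five-step chain described in the post.

Added example, not from the original thread or any vendor. The step list and the
control-to-step mapping are taken from the post ("by default setting"); entries the
post marks as guesses (HIPS, anti-exploit) are modelled with certain=False.
"""
from dataclasses import dataclass

# Chain steps as described in the post (constructed labels, defender's summary).
STEPS = {
    1: "initial infection (malicious file / mail)",
    2: "lateral movement over SMB 1.0 (EternalBlue)",
    3: "kernel exploit + lsass.exe backdoor (DoublePulsar)",
    4: "SYSTEM shell via rundll32.exe -> cmd.exe, reverse connection",
    5: "upload and run arbitrary payload",
}


@dataclass(frozen=True)
class Control:
    name: str
    blocks: frozenset      # steps where this control class is expected to intervene
    certain: bool = True   # False where the post itself says "i guess"


# Control classes and the steps the post assigns to them.
CONTROLS = [
    Control("anti-exe with command-line monitoring (VS, NVT ERP)", frozenset({1, 4, 5})),
    Control("SRP (AppGuard Consumer, AppLocker)", frozenset({1, 5})),
    Control("firewall with IDS/IPS", frozenset({2})),
    Control("HIPS", frozenset({1, 4, 5}), certain=False),
    Control("anti-exploit (HMPA etc.)", frozenset(STEPS), certain=False),
]


def by_name(*names):
    """Look up controls from CONTROLS by their display name."""
    lookup = {c.name: c for c in CONTROLS}
    return [lookup[n] for n in names]


def coverage(stack):
    """Return (covered, uncovered, tentative) step lists for a stack of controls.

    covered   - at least one control with certain=True blocks the step
    tentative - only controls with certain=False claim the step
    uncovered - no control in the stack claims the step
    """
    sure, maybe = set(), set()
    for c in stack:
        (sure if c.certain else maybe).update(c.blocks)
    tentative = maybe - sure
    uncovered = set(STEPS) - sure - maybe
    return sorted(sure), sorted(uncovered), sorted(tentative)


def gaps_report(stack):
    """Human-readable per-step status for the chosen stack."""
    covered, uncovered, tentative = coverage(stack)
    lines = []
    for s in sorted(STEPS):
        status = "blocked" if s in covered else "tentative" if s in tentative else "OPEN"
        lines.append(f"step {s}: {status:9s} {STEPS[s]}")
    return "\n".join(lines)


if __name__ == "__main__":
    # SRP plus a perimeter firewall: steps 3 and 4 stay open, which is the
    # point the thread keeps returning to (AG is SRP, not anti-exploit).
    print(gaps_report(by_name("SRP (AppGuard Consumer, AppLocker)",
                              "firewall with IDS/IPS")))
```

Running it with an SRP-only stack shows steps 2, 3 and 4 open; adding the firewall closes step 2 only, and adding an anti-exploit class moves 3 and 4 to "tentative" rather than "blocked", because the post is explicit that it has not verified that behaviour against the sample.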
     
  23. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    Yikes, that would need to be quite a few images :(.
    Let me first experiment with removing C:\Sandbox from User Space. I originally included it in User Space and just left it like that because it didn't cause problems.
     
  24. guest

    guest Guest

    Or instead of removing it completely, you can try to add a specific sandbox to User Space.
    C:\Sandbox\Browser (Include=Yes)
    Now applications within your Browser-sandbox are protected with AG. All other sandboxes are not affected (Unguarded).
     
  25. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    I didn't really mean removing the C:\Sandbox entry entirely from User Space tab. I just meant changing from Include=Yes (current setting) to Include=No to see the effect.
    But yes, I could change C:\Sandbox to C:\Sandbox\nnnn\Firefox to be more specific, but I think then the impact for me would be the same as my current setting.
    The only other sandbox I have is an 'on-demand' sandboxed File Explorer.
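The two posts above weigh a broad C:\Sandbox User Space entry against a narrower one such as C:\Sandbox\Browser, and toggling Include between Yes and No. As an added example (not AppGuard's code, and not a statement of how AppGuard actually evaluates its rules), the script below models path-scoped rules so the effect of each choice can be checked before touching a live configuration. Assumptions: the most specific matching prefix wins, Include=Yes guards executables under the prefix, Include=No leaves them unguarded, paths compare case-insensitively, and prefixes match on whole path components (so C:\Sandbox does not match C:\SandboxOther).

```python
"""Model of path-scoped User Space rules, as an aid to reasoning about the
Include=Yes / Include=No choices discussed in the thread.

Added example. This is NOT AppGuard's matching logic; it is a constructed
longest-prefix model: the most specific rule whose path contains the
executable decides, Include=True means guarded, Include=False means unguarded,
and no matching rule means the path is simply outside User Space.
"""
from pathlib import PureWindowsPath


def _parts(p):
    """Split a Windows path into lower-cased components for case-insensitive comparison."""
    return [s.lower() for s in PureWindowsPath(p).parts]


def _is_under(path, prefix):
    """True if `path` lies at or below directory `prefix` (component-wise match)."""
    pp, qq = _parts(path), _parts(prefix)
    return len(pp) >= len(qq) and pp[:len(qq)] == qq


def is_guarded(exe_path, rules):
    """Decide the status of an executable under a list of (prefix, include) rules.

    Returns True (guarded), False (explicitly unguarded) or None (no rule applies).
    The rule with the longest matching prefix wins, regardless of list order.
    """
    best, best_len = None, -1
    for prefix, include in rules:
        if _is_under(exe_path, prefix):
            n = len(_parts(prefix))
            if n > best_len:
                best, best_len = include, n
    return best


# Constructed rule sets mirroring the two configurations discussed in the thread.
WHOLE_SANDBOX = [("C:\\Sandbox", True)]                     # current setting in the post
BROWSER_ONLY = [("C:\\Sandbox", False),                      # broad entry set to Include=No
                ("C:\\Sandbox\\Browser", True)]              # narrower entry, Include=Yes


if __name__ == "__main__":
    # Constructed sample paths, one per sandbox type mentioned in the thread.
    samples = [
        "C:\\Sandbox\\Browser\\firefox.exe",
        "C:\\Sandbox\\Explorer\\explorer.exe",
        "C:\\SandboxOther\\tool.exe",
    ]
    for label, rules in (("whole sandbox", WHOLE_SANDBOX), ("browser only", BROWSER_ONLY)):
        for path in samples:
            print(f"{label:14s} {path:40s} -> {is_guarded(path, rules)}")
```

Under the broad rule everything below C:\Sandbox is guarded, including the on-demand sandboxed File Explorer; under the narrower pair only the browser sandbox is guarded and the other sandboxes fall back to the Include=No entry. A path outside any rule returns None, which is the case to watch for when a prefix is narrowed: a sandbox that used to be covered may silently drop out of User Space rather than being deliberately excluded.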
     