AppGuard 4.x 32/64 Bit - Releases

A breath of common sense. I've used a wide variety of security programmes over the years but AG has me scratching my head at times. Outside the rarified world of Wilders this prog must be a complete mystery. Following the help file is rather like playing an adventure game; interpret and solve one clue before tackling the next one!

Has Blueridge ever tested the GUI and terminology on outsiders to see if it's understandable. I think not.

 

AG is a bit complex, it's true. However, whenever I have encountered an AG issue that I did not know how to handle, all I did was to right-click the corresponding entry on AG's activity report, & then click Help. So far I have found that the resultant contextual instructions are always clear and directly applicable to my issue at that moment.

 

Yes it is complex - but worth persevering with. However, for somebody unfamiliar with the programme, statements like this one from the help file are meaningless:

• "If MemoryGuard interferes with a User space application or if you want to access a Private Folder with a user space application, add the application to the Guard List and set the MemoryGuard and Privacy Mode settings accordingly".
  My point is, just what does "accordingly" mean in this context?

Plenty of other examples like this in the help file.

Regards

 

Okay, got your point, did not know it was that funny and meaningless

 

IMO, "accordingly" means that (rightly or not) the help file is assuming that the reader already knows the basics of how to enter settings for a guarded folder.

 

Exactly the point I was trying to make, albeit clumsily. Too many assumptions about the ability of the average (i.e. non-IT or Wilders savvy) user to grasp the concepts of AG while it is wrapped in a bunch of uniquely-named concepts.
Frankly, I don't know how to simplify the learning curve unless all options are taken away as VoodooShield has done, for example - but that's not feasible I think.

 

Well, with new trusted vendor signing feature and applying Memory Protection only on Browsers (with flash, shock, PDF, Java and Silverlight and Libre/Office aps), I think they could launch an install and forget application for Home Users.

I would opt for allowing trusted vendor aps installations only and drop the allowing signed aps feature to simplify things in guarded mode.

 

So if you´re using EXE Radar you don´t really need AG and vice versa, I guess?

Yes, but isn´t that the same as what other HIPS also offer? With that I mean, trying to stop malicious apps from injecting code into other processes? This doesn´t sound like true anti-buffer-overflow protection, like EMET and MBAE offer.

 

I'd take AppGuard over an anti-executable any day, because it offers memory guard and restrictions of apps, which are already running, as well.

 

I would prefer using them together, or with a good HIPS. AG provides additional protections as already mentioned that are not provided by an AE alone. AG also utilizes ASLR, and DEP protection.

 

What is the difference between AppLocker and AppGuard, they seem to be the same thing of the same coin, similar to SRP, DEP and HIPS combined-I still don't know why AG is better in what way, maybe because it's more all-round application as others mentioned (more all-round than NVT Exe Radar Pro, although I decided to use both NVT and AG at the same time on my computer), however I like AG's approach the way it's protecting my computer, and that's why I'm using it.

 

Does anyone know if AppGuard is compatible with Logmein?

Thanks...

 

Just a quick question.

I am currently using a VPN client which is installed in regular system space at C:\Program Files\... .
I have noticed that, even though I run it from there, it needs to drop and launch an executable from C:\Users\Username\AppData\Local\Temp\ocr19A6.tmp\bin\ . The bold location is ever changing.

Naturally it breaks everything if user-space launch protection stops it or if it is guarded because this process needs to write to the location of the installation folder in system space in order to function properly. Hence I have added the parent application as a power app, because I didn't know what else to do.

 

Not really related as you've tracked the reason's down here but I've had problems with AG & VPN services in general. Currently (temporary?) not using AG & I have no issues. They manifested themselves in a number of ways but always either impossible or very difficult to connect out. I could not really track them down just they worked with AG turned off and didn't even on install. Didn't add as power app basically because I don't really want to have any power apps.

With Mulvad I think it might have been to do with the program using cmd.exe (always guarded) to launch open vpn. With Security Kiss it may well have been to with temp files created when trying to connect. Not sure.

Anyone else have issues with those 2 (or others) and resolved it?

Thanks

 

If this is PIA let me know; I've come across a solution for this and I'll post it here.

 

Yes it is PIA.

 

Have you tried temporarily suspending launch protection from the tray icon before starting the VPN then immediately re-enabling launch protection again as soon as the VPN is up and running?

If that works, it could be an alternative to making the parent application a Power App.

 

Two solutions. Either add the local\temp folder to user space with a NO to include
or
See this post in the PIA forum. It's a bit long-winded but it works. It solved a similar issue I had with Outpost.

EDIT: Wrong link!

 

I'd rather make the parent process a power app than excluding the primary drop and launch location of malware from AppGuard's user space launch protection. Alternatively I would use the original OpenVPN client with the preconfigured profiles supplied by PIA, but thanks anyway

 

Yes, now that I think of it, EXE Radar is not only about stopping exploits, it´s also about locking down a PC to protect against less knowledgeable people, so why not use them both.

 

Has anyone tried to inject P2P apps into AppGuard yet?
I gave it a shot, both AppGuard and the P2P app throw up errors. However the downstream and upstream still work properly... added an entry in User Space ("Roaming" folder in User Profile with Include set to No) and in Guarded Apps (3 On's).

 

I have the Torrent Client Tixati on my guarded apps list with memory read/write protection, and privacy mode enabled. Tixati is working flawlessly, and I have not even seen any blocked events from Tixati in AG's activity report. I guess the developer of Tixati follows good security coding practices for there not to be any blocked events in AG's activity report.

 

Sweet, I will give it a shot and see if I can bask in the glory of no blocked events!

Now, another question, which has to do with Firefox 29.0.1 in a Sandbox on Windows 7 Home Premium 64bit...
This isn't much of an issue for me, since it is the first time I have actually clicked on this button, and I doubt I will ever click on this button again. I just wanted to mention it here to see if any settings in AG can be tweaked.
In a non-sandboxed Firefox, when I go to "Open File" it pops up with a dialog box, naturally to open a file. There is also a button in the dialog box called "Organize". When clicking on it, it pops up with a dropdown like this.

​

When I try to click on that button in a sandboxed Firefox, it tries to expand but doesn't, also causes Firefox to stall and I see the following errors in AG:
-------
Prevented process <a2hooks64.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\sandbox\marzametal\defaultbox\drive\c\program files (x86)\emsisoft anti-malware>.
Prevented process <sechost.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\sandbox\marzametal\defaultbox\drive\c\windows\system32>.
Prevented process <advapi32.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\sandbox\marzametal\defaultbox\drive\c\windows\system32>.
Prevented process <imagehlp.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\sandbox\marzametal\defaultbox\drive\c\windows\system32>.
Prevented process <msvcrt.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\sandbox\marzametal\defaultbox\drive\c\windows\system32>.
Prevented process <usp10.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\sandbox\marzametal\defaultbox\drive\c\windows\system32>.
Prevented process <lpk.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\sandbox\marzametal\defaultbox\drive\c\windows\system32>.
Prevented process <gdi32.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\sandbox\marzametal\defaultbox\drive\c\windows\system32>.
Prevented process <user32.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\sandbox\marzametal\defaultbox\drive\c\windows\system32>.
Prevented process <hmpalert.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\sandbox\marzametal\defaultbox\drive\c\windows\system32>.
-------

Any ideas?
I saw some comments in previous posts about rundll32 and browsers, but the ones I read were related to emptying a sandbox after browser shutdown. Not really the same thing here since I don't get issues when emptying sandbox at all. I run AG in Lockdown Mode.

 

What sandbox application are you using? What button are you talking about clicking on that you probably want click on again? I don't use any sandbox applications, but we have a lot of user's here that use Sandboxie with AG. It looks like you are using a sandbox with EAM from the event logs. I did not know Emsisoft had a sandbox with EAM. I may have to install EAM to see if I can help you if that is the case.

 

The sandbox application is called "Sandboxie" - http://www.sandboxie.com/
The button I am talking about is seen in Firefox... click on FILE and select OPEN FILE. The dialog box that pops up looks like this:

​

Emsisoft does not have a sandbox with EAM or with Online Armor. I think EAM is trying to inject a hook. Since the highlighted button does work outside of the sandbox, but not in it... I guess it's a sandbox issue. 'Cause it works out of the sandbox properly, I can assume the event logs can be ignored?