AppGuard 4.x 32/64 Bit - Releases

Discussion in 'other anti-malware software' started by Jryder54, Oct 29, 2013.

Thread Status:
Not open for further replies.
  1. Infected

    Infected Registered Member

    Joined:
    Feb 9, 2015
    Posts:
    1,134
    Thanks mood. :thumb::thumb:
     
  2. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I get that one often with Firefox. It has never caused any problem.
     
  3. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    I always get the same popup while opening chrome. it doesn't like their reporter exe.
     

    Attached Files:

  4. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    I assume you are running AppGuard in Locked Down mode. AppGuard will block all processes from executing from User Space in Locked Down mode - unless they are added by the user to the Guarded Apps list.

    The software_reporter_tool is [part of] the Chrome Cleanup Tool (formerly the Software Removal Tool). Please see https://productforums.google.com/forum/#!topic/chrome/bFhfVkR-ENo.

    Also, read about the Chrome Cleanup Tool here from official Google whitepaper: https://www.google.com/chrome/browser/privacy/whitepaper.html

    If you don't want to see it blocked, then you have to allow it (Software Reporter).

    To allow it, exclude its file path from User Space (NO) in the User Space list.

    Replace the version number in the file path with the * wildcard so you don't have recreate the exclusion if it is updated and the version number in the file path changes.

    The above is the best option. This is the option that I use for Locked Down mode.

    * * * * *

    Alternatively, you can add it to the Guarded Apps list instead of creating an exclusion for it in the User Space list. However, if you add it to the Guarded Apps list, you should keep an eye on it until you are sure that the Guarded Apps protections do not interfere with its functionality and operation.

    Finally, you can make it a PowerApp if you so wish - but that is not recommended practice. I only mention it to give you all the options.
     
    Last edited: Jan 22, 2017
  5. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    thanks Lockdown :thumb:
     
  6. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    I should point out that adding software_reporter_tool.exe to the Guarded Apps may very be a viable option - I just never tried it. It depends upon what it does on the system. I will do it and report back.

    EDIT: I added SRT to Guarded Apps and ran Google for a while + executed SRT. Nothing seems to break, but then again, I can find no official documentation that fully explains when it is invoked nor exactly how it works\what it does. So adding it to Guarded Apps could still affect its operation under specific circumstances.
     
    Last edited: Jan 22, 2017
  7. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,639
    Location:
    Under a bushel ...
    Due to my hardened .xml, I am getting this block:

    01/23/17 12:36:20 Prevented process <reg.exe | c:\windows\system32\svchost.exe> from launching from <c:\windows\system32>.

    No idea what is triggering it. Should I allow it, or is there no harm in continuing to block it?
     
  8. Duotone

    Duotone Registered Member

    Joined:
    Jul 9, 2016
    Posts:
    142
    Location:
    Philippines
    @paulderdash also had the same issue had no idea what triggered it in the end I just ignore it...
     
  9. guest

    guest Guest

    I blocked reg.exe too, but never saw a block-message for it.
    At what time does it appear, directly after a reboot?
    But if nothing seems to be broken, i think you can leave it in User Space with Include=NoYes.
     
    Last edited by a moderator: Jan 23, 2017
  10. XhenEd

    XhenEd Registered Member

    Joined:
    Mar 31, 2014
    Posts:
    536
    Location:
    Philippines
    I think I also encountered reg.exe block because I saw just recently that it was set to User Space=No, which is supposed to be Yes. So, I must have changed it to No to allow something, but I can't remember what triggered it and when. I changed it back to User Space=Yes already. :)
     
  11. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,639
    Location:
    Under a bushel ...
    It happened randomly, I could not link it to any event or program ... haven't noticed anything untoward, so left it at Include=Yes, but you think change it to No?
     
  12. guest

    guest Guest

    :oops:
    Correction:
    I don't know why i wrote "No" before :doubt: , but it is now corrected.
     
  13. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    reg.exe is placed in User Space (YES) as part of AppGuard's default policies; it is not in User Space (YES) because of the hardened xml.

    In the block event that you show, the parent of reg.exe is svchost.exe - so it is associated with a service\task. Check the process parent and other block events - immediately before and after the block in question - as they usually give you valuable insight as to what just happened on the system. If there are none before or after that you can associate the event with, then it comes down to knowledge of and experience with Windows and software.

    For example, Intel graphics runs a task once in a while that launches reg.exe. Reg.exe is also executed by some utilities - like MaceCraft's jv-series system cleaner - but you should notice the block when running such utilities.

    reg.exe is the command line utility for regedit.exe.

    You ignore block events unless something is obviously broken. That is the definitive standard to follow. When considering to allow something that is blocked, ask yourself: "Is something that I know to be safe\legitimate broken because AppGuard blocked it ?" If no - ignore. If yes - allow.

    It is an exercise in futility to try and second-guess every single block event that you see in the Activity Report.

    It is also futile to continuously harbor nagging doubts about block events. "Oh man, I got this block event and I just know something is being broken - but I just don't know what is being broken... it's going to cause some kind of hidden system malfunction or security bypass..."

    Really ? Stop that ! You will have greater peace-of-mind.

    Block events that you question, keep posting here for review. The answers here are good for learning.
     
    Last edited: Jan 23, 2017
  14. XhenEd

    XhenEd Registered Member

    Joined:
    Mar 31, 2014
    Posts:
    536
    Location:
    Philippines
    Now I know what is triggering reg.exe to launch and be blocked by AppGuard in my laptop. It's the Discord app. I launched it, and reg.exe block notification popped-up. :D
     
  15. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,792
    Location:
    .
    I have and use several Chrome sandboxes so when I run one or all of them, software_reporter_tool.exe tries to run on every instance being blocked by AppGuard in Locked Down mode. This behavior is not new for me but I wanted to bring it up as I'm tired of adding ignore messages in AG. This is normal I know and I want to keep AG blocking it and shows an alert which I can easily add to ignored messages, however every time there's a Chrome update, the path changes and AG alerts once again, as expected.

    What I did is to use a wildcard (*) like this:

    software_reporter_tool.exe | c:\program files\google\chrome\application\chrome.exe
    r:\sandbox\mrx\*\user\current\appdata\local\google\chrome\user data\swreporter\*

    where the first * is the Chrome instance and the last * is the tool version

    Problem is it does not work. I guess wildcards aren't supported in these messages.
     
    Last edited: Jan 31, 2017
  16. XhenEd

    XhenEd Registered Member

    Joined:
    Mar 31, 2014
    Posts:
    536
    Location:
    Philippines
    Add Software Reporter Tool to User Space=No.

    c:\users\user\appdata\local\google\chrome\user data\swreporter\*\software_reporter_tool.exe

    Change "user" to your user account name.
     
  17. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,792
    Location:
    .
    Thanks, but your solution is for:
    I want to see it blocked.
     
  18. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    Compound use of wildcards is currently not supported.

    You will have to continue doing what you have been doing or alternatively use this file path:

    c:\program files\google\chrome\application\chrome.exe r:\sandbox\mrx\*

    software_reporter_tool.exe is a part of Chrome's protections - so I don't know why you would want to block it. I know one of its functions are to report on extensions that might be problematic. There isn't much official documentation on it, but I do know what it is not - it's not some kind of telemetry program designed to collect and report everything that is installed on the system.
     
    Last edited: Jan 31, 2017
  19. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    See my reply. I edited it.
     
  20. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,792
    Location:
    .
    Thanks @Lockdown

    I want to block it not for those reasons but for experimenting reasons. I just want to know if it's possible to use wildcards in the lines. Perhaps for future use in other scenarios where I really want to block and ignore messages.
     
  21. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    Try using the command line to the 1st wildcard position. See my previous post.

    There's a bug in the Ignore Messages module. If you add things to it, then it might break the default Ignore Messages list and will start to get alerts for the processes in the list - like schtasks.exe.
     
  22. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,792
    Location:
    .
    Yes. I am reporting to you the first wildcard did the job, it's been hours since the change and no alert from any of Chrome instances.
    I've added many times the software report tool ignore messages and haven't seen alert like if it was broken.
     
  23. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    Thanks

    Good for you. On the other hand, Jimmy Fat-Fingers over here discovered a way to break it. I broke it by modifying some default Ignore Message settings. Since most users do not ignore additional messages beyond the defaults, the bug has flown under the radar and has been low priority for a fix.

    The fix to resolve the issue should be a single policy for all users. Expect it in the next release.
     
  24. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,792
    Location:
    .
    lol at Jimmy Fat Fingers, new for me.

    But as you said, modifying some default settings causes the breakage. I've never modified and existing default policy, just added new ones.
     
  25. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    Jimmy Fat-Fingers = software breaker :D
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.