What is AppGuard

Discussion in 'other anti-malware software' started by trjam, Jan 26, 2009.

Thread Status:
Not open for further replies.
  1. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Eirik,

    Question regarding MBR Guard.

    My image software can backup/recover the MBR. How do I tell MBR Guard it is okay to access the MBR, when it has no GUI?

    Regards Kees
     
  2. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
    Good question! I know Eaz-Fix's Image/Restore (not snapshots) offers to fix the MBR upon restoring an Eaz Image when Eaz-Fix is still installed, and from my understanding it has to because of the way Eaz-Fix snapshots are stored. If it's not allowed to fix it, I'm locked out. The only alternative in my case would be to use the OEM restore disks first and then use Eaz-Image Restore, which would be a long process. With Eaz-Fix supposedly still installed when restoring an image, XP recovery console is not an option because Eaz-Fix won't allow it to run, and if it was an option, would MBR Guard prevent it from fixing it?
     
  3. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    Hi all,

    Sorry I didn't reply sooner. My laptop had a hardware issue, rendering it unusable (problem solved).

    So, there are several options we need to weigh. The simplest from a development perspective is to enable a user to suspend MBR protection via the GUI. With "Suspend All", an AppGuard GUI option from the tray icon, I wonder if 'Suspend MBR protection' should literally be included? I'm leaning toward not doing so, keeping it separate. The rationale is that rarely does a user intend to suspend this protection. And given the increasingly clever Trojan software proliferation, one might as well protect the MBR during all software installations unless the user chooses otherwise, because installs should rarely (extremely so) touch the MBR. Thoughts?

    Another option would require an 'advanced setting' whereby a user identifies a trusted process that may alter the MBR at any time. We'd have to bury this somewhat so as not to frighten newbies.

    There is one more option that would not be available in the next one to three releases. It involves AppGuard possessing a trusted 'power application' list. For this to be safe from abuse, it would have to leverage hash checksums. Let me just say that we've planned for this as some of you have noted from looking in the XML policy files. However, we have not yet scheduled the necessary additions to this framework.

    Any other recommendations for how we ought to accommodate 'image' recovery/restore software?

    Have you identified any other class of software adversely impacted by MBRguard?

    Has anyone attempted any penetration testing versus MBRguard with some variants of KillDisk or other MBR attacks?

    I've got a 'perspective question' for you all. If one has MBR protection, why does one want automated MBR restore capability? Is the answer to this question that there is always the possibility that the MBR protection can fail and the MBR restore is needed to mitigate that possibility, and that the PROBABILITY of that failure is high enough such that the 'restore capability' is required?

    Thanks for your inputs,

    Eirik
     
  4. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    Hi All,

    I was just asked to ask you all two more questions.

    Should suspending MBR protection REQUIRE a password, or should this be optional?

    When suspending MBR protection, and given how your imaging software operates, do you require that the suspension of MBR protection last through one or more PC restarts? Automatically re-enable after 3 restarts in case user forgets? Never automatically re-enable; leave it to the user?

    Thanks,

    Eirik
     
  5. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    So SpyWall has sort of morphed into Appguard.

    I remember visiting http://www.trlokom.com/product/spywall.php?osCsid=04bbf998d781b049373aa89138f1b457 but never got round to trying it out.

    I just had a peek at some of the older threads on SW: https://www.wilderssecurity.com/search.php?searchid=2998341. As it happens, SW is still available and on sale.

    As for AppGuard, I might just give it a whirl.

    I would definitely expect settings such as suspending MBR protection to REQUIRE a password.

    Here's an idea for you. You could have an MBRP icon that appears and/or changes colour in suspended mode, and/or flashes when loading to alert the user.
     
  6. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    @StevieO did you say SpyWall and AppGuard are related? SpyWall is now AppRanger ;)
     
  7. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    jmonge

    You're right! And thanks for pointing it out. Sorry to anyone who didn't notice. Easy mistake though, as the names have the same beginning. Must try harder lol.
     
  8. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    And something to tell you: AppGuard and AppRanger are very similar apps, but AppGuard is very simple to use and still strong. Now AppRanger has a scanner; it is a very unique application, but I always will prefer something simple: put your licence key in and forget about it, out of the box, an easy-for-families type of program.
     
  9. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    Hi Eirik, any news on AppGuard's new version?
     
  10. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,576
    I am thinking about giving AppGuard a try. Please answer the following questions:

    1. Is AppGuard Windows 7 RC compatible?
    2. What is the licensing? Yearly? Lifetime? Free Updates?
    3. Are there any "Home" License Discounts?
    4. Does AppGuard work with Sandboxie?
    5. Is it possible to disable the protection long enough to install a Windows Service Pack?

    Thanks in Advance.
     
  11. Blackcat

    Blackcat Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    4,024
    Location:
    Christchurch, UK
    Not at the present time. Apparently they are aiming for compatibility once Windows 7 is officially released.
    According to Eirik,
    It did on one of my computers.
     
  12. chipo

    chipo Registered Member

    Joined:
    May 2, 2009
    Posts:
    41
    Location:
    Spain
    Hello, I'm using the new version of Kaspersky, KIS2010. This new version makes a folder where you can run applications in sandbox mode. Well, AppGuard doesn't protect this folder even if you include it in Deny under the Drive-by download settings.

    Could this be fixed in a newer version? Thanks.

    Greetings

    PS. In the Deny option this appears as the KIS sandbox folder:

    ::{20D04FE0-3AEA-1069-A2D8-08002B30309D}\::{047DDC7E-F9C2-11DD-A093-79D855D89593}
     
    Last edited: Jul 15, 2009
  13. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    If I still remember, I think you can choose the amount of time for the protection to be disabled.

    But, personally, I'd like to see AppGuard automatically allow Windows system, and other applications, updates.

    It's a boring task to always have to disable protection. I also believe that people won't just be updating their systems and applications. They will also be searching the web at the same time. So, disabling AppGuard protection is dangerous, in my honest opinion.

    AppGuard should allow Windows updates and verify what other security applications are installed, and automatically make exclusions. It could also have a list of other applications, like e-mail clients, web browsers, etc.

    It's something that needs time to create a white list, but it should be done, in my opinion.
     
  14. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    Hi All,

    I just returned from time on a beach. Still have the shiny nose and all.

    Work on AppGuard version 1.3 has been suspended temporarily so that we can accommodate some urgent development work on its sibling EdgeGuard, in response to several large enterprise requests necessary to close big sales. Also, summer vacations contribute to the development slowdown.

    I expect work will resume at full throttle in August on AppGuard version 1.3. The primary focus is making the user experience simpler with the present feature set. However, we will be adding some additional protections such as MBRguard.

    BTW, if anyone who's tried MBRguard has any feedback, I'd love to get more. Thus far feedback on penetration testing has been all positive, but I fear we haven't exposed MBRguard to as diverse an environment set as I'd hoped. The primary purpose of this mini-beta was to uncover any unexpected software conflicts, perhaps with back-up software.

    Cheers,

    Eirik
     
  15. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    All of BlackCat's answers were excellent. I'll add two or more points.

    I've just requested a schedule update from engineering and will relay something to you all ASAP. We intend to do a beta prior to the general release of Win7. I can report that AppGuard has been working fine on Win7 in the developers' environments.

    I would like to ask, perhaps best addressed elsewhere, what you all think of Win7, how does it compare to Vista, and what your expectations are regarding migration to it?

    I wish to make an announcement on at least one of the above soon. I can't say any more than that right now.

    In version 1.3, we're looking at making some changes to how one suspends AppGuard for updates and installations. First, we're considering an install/update mode, or wizard. Second, we're looking at adding a 'suspend indefinitely' option for prolonged installs. AppGuard would periodically nag the user every 30 minutes or so unless the user clicks on a 'leave me alone' checkbox. This, so folk don't forget to turn it back on. This 'indefinite' suspension is necessary for some major but rare Microsoft updates that require AppGuard suspension following a restart. Third, I hope we'll add a countdown timer to indicate precisely when a timed suspension will end, and so one can easily 'hit the snooze' button to extend it when necessary.

    Each of the above was mentioned in at least one email from a Wilders poster: thank you!

    Cheers,

    Eirik
     
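Added example, not AppGuard's code or anything from the thread: a toy Python model of the MBR-guard policy options Eirik lays out in post 3 (GUI suspension, a trusted process, a hash-checksum 'power application' list) together with the password-gated, restart-counted, timed and indefinite suspensions discussed in posts 4 and 15. The executable stand-ins, the admin password and all timings are constructed assumptions; a real implementation would hash the binary on disk before it is allowed to touch the MBR.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional
def sha256_hex(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()

# Constructed stand-ins for executables; real code would hash the file on disk.
IMAGE_TOOL = b"constructed: image-restore tool that legitimately repairs the MBR"
MBR_WIPER = b"constructed: hostile binary dropped at the same path as the tool"
# Thread option 3: trust keyed by hash checksum, not path, so a binary swapped
# into a trusted location does not inherit the tool's permission.
TRUSTED_MBR_WRITERS = {sha256_hex(IMAGE_TOOL)}
_SALT = b"constructed-salt"  # constructed admin password, stored salted and stretched
_PW_HASH = hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 100_000)

def password_ok(candidate: str) -> bool:
    return hashlib.pbkdf2_hmac("sha256", candidate.encode(), _SALT, 100_000) == _PW_HASH

@dataclass
class GuardState:
    suspended_until: Optional[float] = None   # timed suspension (countdown)
    indefinite: bool = False                  # 'suspend indefinitely'
    restarts_left: int = 0                    # survives N restarts, then re-enables

    def suspend(self, password: str, now: float, seconds: float = 0,
                restarts: int = 0, indefinite: bool = False) -> bool:
        if not password_ok(password):         # suspension always requires the password
            return False
        self.suspended_until = now + seconds if seconds else None
        self.restarts_left = restarts
        self.indefinite = indefinite
        return True

    def on_restart(self) -> None:
        self.suspended_until = None           # a timed suspension never outlives a reboot
        if self.restarts_left > 0:
            self.restarts_left -= 1           # auto re-enable once the count reaches zero

    def protection_active(self, now: float) -> bool:
        if self.indefinite or self.restarts_left > 0:
            return False
        return self.suspended_until is None or now >= self.suspended_until

def decide_mbr_write(state: GuardState, binary: bytes, now: float) -> tuple:
    # Returns (allowed, reason) for a process that is about to write the MBR.
    if not state.protection_active(now):
        return True, "suspended"
    if sha256_hex(binary) in TRUSTED_MBR_WRITERS:
        return True, "trusted power application (hash match)"
    return False, "MBR write blocked"
```

While any suspension is in force the model allows every MBR write, which is exactly the window the thread warns about; the hash allowlist lets the imaging tool through without opening that window at all.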
  16. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    I've asked engineering to implement default deny executable launch on all of user-space. I refined my definition of user-space to 'those directories whereby a process launched by a limited user account (LUA) user can write: add or modify files or directories'. With version 1.3, I expect the 'hole' you are asking about will be plugged. All this is my long-winded way of saying: yes. ;)

    Eirik
     
  17. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    I consider better, more convenient accommodation of legitimate software updates to be one of our top challenges. Of course, knowing which ones are legitimate is the challenge. Presently, our shortcomings with Microsoft updates are with those initiated or facilitated by Internet Explorer or in rare updates that must perform substantial write operations immediately following a restart.

    As for non-Microsoft updates, the challenge is even greater. Different vendors leverage different crypto-systems. That's not to say we check the crypto for Microsoft updates. Rather, we know it's robust, so we are more trusting of its processes.

    BTW, according to a Black Hat research paper from last year, most vendors implement rather flawed crypto-systems for their self-updates. I've considered writing a blog post advocating that vendors leverage the Microsoft BITS framework already present in all Windows machines. As the researcher of that Black Hat paper said, BITS is probably the most robust of the mainstream examples of self-update crypto-systems. If/when we add a self-update for AppGuard, we will probably leverage BITS.

    Anyway, the challenge in endpoint zero-day protection is discriminating between legitimate and illegitimate system changes. Some of you have probably found one or more examples of security vendors ignoring the issue for the sake of simplicity. I won't mention any names!

    So anyway, this is why we're interested in an update/install wizard/mode that would assist folk, particularly the less technically sophisticated.

    And yes, people running other software, particularly web surfing, while AppGuard or any other security software is suspended/disabled to allow an installation or update is very risky. I highly recommend that people close down all other software during a software update/installation. Who knows what might be crawling around inside a guarded application right before it's sprung loose?

    Eirik
     
  18. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    Eirik, welcome back, and don't forget to put cream on your nose :argh: :)
     
  19. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    My visiting mother won't let me forget. :blink:
     
  20. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    Cool ;), by the way, is there a new EdgeGuard Solo version to try :D? Thanks
     
  21. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Hello,

    Now that you've mentioned it, I believe that's something I suggested quite some time ago. If not to you (and for AppGuard), then it was to someone else and for something else. :D

    Enormous thread to look for my past post. :D

    I guess I need to write down what I suggest and to whom. lol


    Regards
     
  22. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    We will not release a new Solo this summer because we have EdgeGuard 2.4, AppGuard 1.3, and a new BorderGuard Client (VPN) to do this summer, plus supporting Win7. There's actually yet another product that may also be granted immediate priority. We have quite a diverse portfolio for a company our size. I'm afraid resources around here haven't loosened up yet since the economy nose-dived in the last quarter of 2008. I will submit a request for Solo resources targeting a fall release. Unfortunately, I'm unable to make any promises.

    Eirik
     
  23. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    Thanks Eirik for the information :thumb:
     
  24. 2good

    2good Guest

    I wonder if someone could be so kind as to tell me if EdgeGuard Solo could be used with OnlineArmor, or is it overkill.
     
  25. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    My understanding of OnlineArmor is that it is a robust and sophisticated HIPS product. Thus, properly configured, Online Armor should be able to block all of the vectors that EdgeGuard Solo can defend.

    The point of EdgeGuard Solo and AppGuard is not to protect PCs from attacks that a full-blown HIPS product cannot but to protect PCs from the vast majority of zero-day attacks but with far less set-up, maintenance, and distraction as compared with a full-blown HIPS product.

    So, my recommendation, assuming OnlineArmor is what I believe it to be, is: do not add EdgeGuard Solo, and take advantage of the knowledgeable OnlineArmor user community to ensure your system is configured properly.

    The same would apply to AppGuard, however, there might be an exception if OnlineArmor cannot deliver something like what we call 'privacy mode'.

    Cheers,

    Eirik
     