What is AppGuard

Discussion in 'other anti-malware software' started by trjam, Jan 26, 2009.

Thread Status:
Not open for further replies.
  1. 2good

    2good Guest

    Thanks Eric for the info.
     
  2. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Eirik,

Seeing the corporate business use, you need to include the advanced XML config file option; for the home users I would also use this XML, only with preconfigured software. For exception handling you will need a log file too. Access to the MBR is so rare under normal circumstances that I would not let it be shut down with the installation protection.
     
  3. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    Hi Kees,

    Thanks for the feedback. I'd like to dig a bit deeper and clarify.

Are you referring here to our adding a GUI and/or separate tool that eliminates the need to edit XML policy files so as to effectively administer multiple AppGuard installations (replacing AppGuard config files on computers with newly edited ones)? If so, I agree. For those interested, we do offer an admin guide, which aids in administering multiple AppGuard instances today.

    Yes, we encourage power users to do this to help their technically less-inclined friends. This too would benefit from some development.

Are you recommending we enhance the existing use of the Windows Event Logs that AppGuard utilizes? We're definitely interested in suggestions for what other events should be captured and why. The 'why' is important so we can implement the additional event capture to solve the relevant problem(s).

    Cheers,

    Eirik
     
  4. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
You should consider covering more browsers by default. A well-known web browser like Opera, which is what I use, wasn't covered, so I had to add it manually. That fact made me unsure if I want to use the software again in the future. Not that just Opera isn't covered - it simply indicates that many parts of my system might not be covered overall.
     
  5. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
Well, I would like to know what tried to execute when user space protection was on, what accessed admin space with a write intent, and when the MBR access was blocked.
     
  6. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    We have the first two and will have the third when MBRguard is folded into AppGuard in version 1.3.

On the first one, however, personally, I'd also like to know, if practical, what spawned or triggered the blocked executable in user-space. For example, if one of the recent Internet Explorer exploits had been triggered, I'd like to have some indication as to what triggered some freaky executable like 23r98usdf.exe. This data, if/when available, would probably only be seen in the Windows Event Log, so as not to overwhelm those without an interest in such details.

    Cheers,

    Eirik
     
  7. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
You are right, what triggered it is also very handy.
     
  8. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
Kees, I am really liking AppGuard. So much so I added Windows Mail to it to be guarded. I figure between that and IE I am protected as well as with anything else. It is light as a feather. Of course MBAM for periodic scans.

Any settings I should use?
     
  9. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    also add the cmd.exe to the protection list
     
  10. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    Jose beat me to one of them. Here are two more, I recently sent this via email to someone:

    A few executables you might want to guard (full path will be needed):

    - Cmd.exe
    - Regsvr32.exe
    - Rundll32.exe

    Guarding these can interfere with legitimate actions. For example, legitimate software installations may use one or more of the above. So, initially, you should watch for disruptions to your normal usage.

    When installing ANY software, you’ll want to close all other software applications in case something nasty lurks within them at that moment, and then suspend all protections to install the software, allowing the above three executables to be used during the installation. Obviously, it’s not a good idea to do this in risky environment such as an airport terminal with wireless enabled.

    We may guard the above three executables by default but leave it to businesses to unguard as their administrators should have no problems doing so. BTW, businesses frequently employ start-up batch files that use cmd.exe.

    Please let me know if guarding these interferes with any legit activities.

    Cheers,

    Eirik
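Eirik's list above calls for full paths, and on 64-bit Windows each of those three executables exists twice (under System32 and under SysWOW64), so a guard list that names only one copy leaves the other unguarded. The following PowerShell snippet is an added example, not AppGuard's own tooling or anything posted in the thread: it enumerates every on-disk copy of the three executables with its SHA-256 hash so the resulting paths can be pasted into the guard list and the baseline kept for later comparison. It assumes Get-FileHash is available (PowerShell 4.0 and later); on older systems drop the hash column.

```powershell
# Added example, not AppGuard code: resolve full paths (and both architecture
# copies on x64 Windows) for the executables suggested for guarding.
$names = 'cmd.exe', 'regsvr32.exe', 'rundll32.exe'

# System32 always exists; SysWOW64 holds the 32-bit copies on 64-bit Windows.
$dirs = @("$env:SystemRoot\System32")
if (Test-Path "$env:SystemRoot\SysWOW64") { $dirs += "$env:SystemRoot\SysWOW64" }

$candidates = foreach ($dir in $dirs) {
    foreach ($name in $names) {
        $path = Join-Path $dir $name
        if (Test-Path $path) {
            [pscustomobject]@{
                Path   = $path
                # Assumption: Get-FileHash (PowerShell 4.0+) is available.
                SHA256 = (Get-FileHash -Path $path -Algorithm SHA256).Hash
            }
        }
    }
}

# Each Path is a full path of the kind the guard list expects.
$candidates | Format-Table -AutoSize

# Keep the baseline so a later change to any of these binaries is noticeable.
$candidates | Export-Csv -Path "$env:USERPROFILE\Desktop\guard-candidates.csv" -NoTypeInformation
```

Run it once before editing the guard list; if SysWOW64 paths appear in the output, add them alongside the System32 ones.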
     
  11. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    not to sound dumb but is the protection list where? Lol
     
  12. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
that is where you find all applications protected by AppGuard :) your browser etc. :thumb:
     
  13. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    You can use it out of the box, when you have more disks or partitions, make sure these are mentioned in the user space protection.

    Must say your current setup is a bit light at the moment
     
  14. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    your pc must be very fast at this moment;)
     
  15. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
It is too hard for me, as I never claimed to be as astute as the rest of you. It is a great program and for the more novice, they will love it. For me, going back to the simple stuff that I know works.
     
  16. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
don't worry buddy, use whatever you like to have ;) if Prevx is easy for you, stay with it :thumb:
     
  17. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
This is the whole issue of any security scheme. At some point, you must let your guard down to install/use some things. I don't see a way to really mitigate knowledge. AppGuard is probably going to be a very nice tool for beginners. But until the novice user begins to understand some higher levels of basic computer security, they will only open holes in their protection and willingly give admin rights to what they want. Game is over then.

I don't know what the answer is exactly. How does one keep their OS and critical files from being compromised and still install software, which is really why people like to use computers, because they can find something they want to use it for.

    I see the point of those who advocate not using software that does not run in LUA environment. I don't believe it is to the point yet (or even close) where one can expect that to be realized, but it could go a very long way to simplifying things.

    Sul.
     
  18. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,571
    I just started using AppGuard recently. However, today I opened IE7 for the first time and got a message "AppGuard has blocked <Internet Explorer> from accessing the private folder: c:\documents and settings\user\my documents"

    Why would Internet Explorer need to access this folder? There was no problem opening Internet Explorer, just the above message.

Also, just before opening Internet Explorer for the first time, I performed a Windows Update (IE7 Cumulative, Windows Defender). I suspended AppGuard first, did the update and restarted the PC. Does AppGuard automatically go out of Suspended during a PC restart? Also, if AppGuard is Suspended and you restart the PC, will AppGuard allow the Windows Registry changes (caused by the Windows Updates) to occur during the PC restart process?

    Thanks in Advance.
     
    Last edited: Jul 28, 2009
  19. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
There is an unconfirmed supposition that if a person has performed an upload or download via Internet Explorer in a previous session, then Internet Explorer, at the beginning of a new session when it is seeking its Internet cache, starts at the location where the upload or download occurred earlier before it goes to where indicated in the Internet Options settings. Again, this is unconfirmed.

    A suspended protection will automatically re-enable after a prescribed time or as a result of a Windows restart.

In the next AppGuard release, we'll add one or two more capabilities. First, users can choose to suspend something "Indefinitely". This would continue through a Windows restart. AppGuard would periodically remind the user of these suspensions with an option to snuff out the reminders at any time one of these reminders appears. The second new capability is an interrogative wizard of sorts that is loosely referred to as "Install/Updates" mode.

The point of this 'tool' is to walk users who do not, and do not want to, understand how AppGuard protects them and what consequences that protection imparts on their computing behavior. It asks the user what he/she wants to accomplish, follows up with additional questions, and then adjusts AppGuard accordingly and does what it can to make the install or update more convenient to the end-user. There's a possibility this second capability may fall into a later release.

The answer varies with the individual update binary from Microsoft and the particular method (automatic update or Internet Explorer 'Windows Update') by which the update was implemented. Sometimes (infrequently) AppGuard has interfered with updates that conduct write operations upon Windows restart. We're looking at ways to further minimize this interference as well as with Internet Explorer initiated updates.

    Cheers,

    Eirik
     
  20. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,571
How would I know if a Windows Update did not install properly? Would I go to Windows Updates through Internet Explorer and check for updates, and the Windows Updates site would inform me?

    What is the estimated release date of the next version of AppGuard?

    For updating AppGuard, do you uninstall, restart and re-install or do you just install over the existing installation?

    Thanks in Advance.
     
  21. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    Yes, while there you can "Review your Update History". It generates a table where one of the columns covers the "Status" of each update indicating either "Succeeded", "Cancelled", or "Failed".

September/October. We delayed the AppGuard 1.3 sprint to work on an unscheduled EdgeGuard sprint that some very large enterprise opportunities require. We may do a mini-sprint just to get a pair of already built capabilities into AppGuard (MBRguard, and "exclusion" folders, which allow the user to specify exceptions that let a guarded app write in places it otherwise could not. For example, some users keep their user-documents in "C:/MyStuff" instead of %My Documents%. Without this, AppGuard would not allow a guarded app to write into the MyStuff directory.) and move the originally intended work of 1.3 into 1.4.

    Just run the setup/install file for the newer version and it replaces the older version.

    Cheers,

    Eirik
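The update history table Eirik describes can also be read without opening Internet Explorer, which matters here because the thread's concern is an update that silently failed while AppGuard's suspension had lapsed at restart. The following PowerShell script is an added example, not part of the thread or of AppGuard: it queries the Windows Update Agent COM API (Microsoft.Update.Session, present on Windows XP SP2 and later) and maps each entry's numeric ResultCode to the same Succeeded/Failed/Aborted wording the Windows Update site shows, then lists everything that did not succeed.

```powershell
# Added example (not AppGuard's own tooling): list Windows Update history from
# the Windows Update Agent COM API and flag entries that did not succeed.

# ResultCode values of IUpdateHistoryEntry (OperationResultCode enumeration).
$resultNames = @{
    0 = 'NotStarted'
    1 = 'InProgress'
    2 = 'Succeeded'
    3 = 'SucceededWithErrors'
    4 = 'Failed'
    5 = 'Aborted'
}

$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$count    = $searcher.GetTotalHistoryCount()

if ($count -eq 0) {
    Write-Host 'No update history recorded on this machine.'
    return
}

$entries = foreach ($e in $searcher.QueryHistory(0, $count)) {
    [pscustomobject]@{
        Date    = $e.Date
        Title   = $e.Title
        Result  = $resultNames[[int]$e.ResultCode]
        # HResult is the Win32 error of a failed install, shown as hex for lookup.
        HResult = ('0x{0:X8}' -f $e.HResult)
    }
}

# Most recent 20 entries, newest first.
$entries | Sort-Object Date -Descending | Select-Object -First 20 | Format-Table -AutoSize

# Anything that is not a plain success is worth re-checking (and, if AppGuard was
# active during the reboot, worth comparing against the Application event log).
Write-Host "`nEntries that did not succeed:"
$entries | Where-Object { $_.Result -ne 'Succeeded' } | Format-Table Date, Result, HResult, Title -AutoSize
```

An entry reported as Failed with a non-zero HResult after a restart during which AppGuard had re-enabled itself is the symptom to look for; re-run the update with protection suspended and compare the two history entries.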
     
  22. chipo

    chipo Registered Member

    Joined:
    May 2, 2009
    Posts:
    41
    Location:
    Spain
  23. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    Hi Chipo,

From the graphic you posted, it's not perfectly clear to me what is deleted. I suspect you're indicating that the default XML policy file is being deleted by KIS. There should be another XML policy file in a documents and settings directory per your login name. Are you seeing a change in your guard list as viewed from the AppGuard GUI? Are any other symptoms apparent (does AppGuard appear to be operating normally)?

If you wouldn't mind gathering some additional observations, your Windows event logs, generating an msinfo file, and emailing this to appguard@blueridgenetworks.com, I could get some engineering feedback next week.

    Cheers,

    Eirik


System Information File
- Start Menu, select "Run"
- Type msinfo32.exe, click "OK"
- In the System Info application, select "Save" from the "File" menu
- Name it, save (no type change), and email the file


To generate an AppGuard Windows Event Log file:
- Control Panel
- Administrative Tools (may need to be logged in as admin?)
- Click on 'Event Viewer'
- Click to highlight "Application" in the left-hand pane, then
- Event Viewer menu "Action", select "Save Log File As"
- Name it, change type to .csv
- Save and email it
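The two artefacts Eirik asks for above can be produced from a single PowerShell script instead of by clicking through msinfo32 and Event Viewer, which is handier when collecting them from several machines. This is an added example, not something Blue Ridge Networks or the thread supplied. It assumes PowerShell 2.0 or later (Get-WinEvent, available from Windows Vista onward; on XP substitute Get-EventLog -LogName Application) and uses msinfo32's documented /nfo switch to write the same report that "File > Save" produces. The 'AppGuard' string used to pick out relevant rows is an assumption about how AppGuard labels its events and may need adjusting.

```powershell
# Added example (not AppGuard tooling): collect the msinfo32 report and the
# Application event log as CSV into one folder ready to email.
$out = Join-Path $env:USERPROFILE 'Desktop\appguard-diag'
New-Item -ItemType Directory -Path $out -Force | Out-Null

# 1. System information file. "msinfo32 /nfo <file>" writes the same .nfo that
#    File > Save produces in the GUI; -Wait blocks until the report is written.
Start-Process -FilePath 'msinfo32.exe' -ArgumentList "/nfo `"$out\system.nfo`"" -Wait

# 2. Application event log for the last 7 days as CSV (adjust the window as needed).
$since = (Get-Date).AddDays(-7)
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; StartTime = $since } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, ProviderName, Message |
    Export-Csv -Path "$out\application-log.csv" -NoTypeInformation -Encoding UTF8

# 3. Quick look at the AppGuard-related rows before sending the whole log.
#    Assumption: AppGuard's events carry 'AppGuard' in the provider name or message.
Import-Csv "$out\application-log.csv" |
    Where-Object { $_.ProviderName -like '*AppGuard*' -or $_.Message -like '*AppGuard*' } |
    Format-Table TimeCreated, Id, LevelDisplayName, ProviderName -AutoSize

# What to attach to the email:
Get-ChildItem $out
```

Run it from an elevated prompt so the event log export is complete; the CSV keeps the full Message column, which is where a blocked-access entry names the guarded application and the folder it touched.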
     
  24. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    hi Eirik any updates/upgrades to appguard?thanks
     
  25. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Eirik,

MBR Guard allows backups of the MBR and does not interfere when (of course :blink: ) backing up from a rescue CD. My image backup/recovery software does not allow MBR recovery on the fly/hot recovery, so I have no problem with MBR Guard :thumb: :thumb:
     