What is AppGuard

Discussion in 'other anti-malware software' started by trjam, Jan 26, 2009.

Thread Status:
Not open for further replies.
  1. Kees1958

    Kees1958 Registered Member

    Eirik,


    AppGuard applies its protection at driver level, differently from UAC/SRP.

    Would it be possible to stretch AppGuard's protection using the source blockade of Vista (see pic when you click properties of a download):

    1. Check whether execution is NOT in user space Deny Execute
    2. Check whether this program is NOT in AppGuard's guarded programs list
    3. Check when this downloaded attribute block bit is on (see pic): Apply Vista virtualisation automatically when this source is executed (for x32 executables only).

    For downloaded files in a directory which is allowed to execute under normal rights by AG:
    -> Vista does write changes outside the UAC protected area by AppGuard
    -> AppGuard's driver level protection would not kick in (because the object is not protected by AG normal rules).
    -> Program would run with virtual admin rights (= much more secure than real admin rights)

    Any thoughts on this?
     

  2. Eirik

    Eirik Registered Member

    Hi All,

    AppGuard support for Windows 7 is here.

    This is a pre-release to seek out bugs and user issues. General availability will be soon.

    MBRguard is not yet integrated into AppGuard. We expect that in September.

    As always, please let me know if you have any questions.

    Cheers,

    Eirik
     
  3. Trespasser

    Trespasser Registered Member

    Eirik,
    AppGuard 1.2.7.3 running real smooth on Windows 7 build 7600 for me (at least so far). Can't really tell it's even there. No browser opening lag...nothing. Very nice. And I like that Privacy Mode feature as well. A nice thing to have should you wish to protect a second hard drive for instance from unwanted access. Haven't really looked at the Drive-by Download Protection Extension yet...but I will.

    Later...
     
  4. jmonge

    jmonge Registered Member

    Where is AppGuard? Where is Eirik? Any news/updates/upgrades? Is the 1.3 version ready? Thanks
     
  5. Eirik

    Eirik Registered Member

    Hi Jose,

    Things have been relatively quiet at Blue Ridge regarding AppGuard lately because we've had to attend to other products. Except for another round of bug fixes, we've finished that enterprise EdgeGuard development sprint, which created some minor capability that will be folded into AppGuard. The development sprint that will consume most of September and perhaps some of October updates our BorderGuard VPN Client. Despite these two development sprints, AppGuard work has been underway. It's looking like AppGuard 1.3 will be released mid to late September. AppGuard 1.3 will formalize Windows 7 support, add minor enhancements, and fix a few bugs. Regrettably, we probably won't fold MBRguard into version 1.3, simply because it would substantially postpone version 1.3.

    Last week was pleasantly intense for me. I worked on revising the administrator's guide for EdgeGuard. Some may find this as hard to believe as I do: I actually enjoy working on that manual.

    Cheers,

    Eirik
     
  6. jmonge

    jmonge Registered Member

    Eirik, nice to see you again and thanks for keeping us informed about AppGuard :thumb:
     
  7. HAN

    HAN Registered Member

    Eirik: Will 1.3 have the password lockout feature mentioned a while back?
     
  8. trjam

    trjam Registered Member

    If they could only do 64 bit. Geez. Damn Best Buy salesperson.
     
  9. Eirik

    Eirik Registered Member

    Hi HAN,

    I had originally planned for version 1.3 to be focused on improving the end-user experience, far more so than adding additional zero-day malware protections. The password protected settings were to be included.

    However, instead of growing our endpoint security engineering team at the top of this year to support our broader product line, we froze its size due to the economy. As such, the AppGuard engineers have twice recently been pulled away to work on other product priorities.

    This last and current one concerns thousands of US Defense Department and federal civilian remote access VPN users that have/are migrating to Windows Vista/7 who urgently need an Active Directory related feature previously only available on XP.

    The feedback from Wilders and elsewhere regarding password protected AppGuard settings has been loud, clear, and placed into the top rung of AppGuard priorities. Unfortunately, we cannot implement it until version 1.4. That development sprint is scheduled to begin the first week of October, give or take a week.

    I sincerely apologize for our not having implemented password protection by now. Please know that we too feel it is long overdue and it will be implemented in version 1.4, which I hope to release in November - December.

    Cheers,

    Eirik
     
  10. Saraceno

    Saraceno Registered Member

    Thanks for your feedback Eirik. No need to apologise, your current version works fine and does what it is supposed to do. :thumb:
     
  11. HAN

    HAN Registered Member

    Agreed! :) I appreciate the update!
     
  12. Brocke

    Brocke Registered Member

    Eirik,

    Thanks for a great product, it works great.

    I have one question: how does a user know there is an update of AppGuard? Does it check or alert the user for updates of the app?

    thank you
    Brock
     
  13. Eirik

    Eirik Registered Member

    AppGuard does not yet feature an auto-update alert. If I cannot get this in release 1.4, I ought to be able to get it into version 1.5. As for an auto-update (download and install), there are so few updates per year (no definitions or application-specific rule libraries, etc.) that I may not press for this capability for a while longer.

    Though, when we do, I would hope we leverage the Microsoft BITS update facility. This is what all Microsoft applications and operating systems utilize. They employ sound cryptography to establish authenticity and integrity, unlike the majority of software auto-update mechanisms around. I wrote an article on this on our blog (www.blueridgenetworks.com/securitynowblog/). In my opinion, if more vendors did this, not only would there be fewer man-in-the-middle attack risks exploiting auto-update flaws, but securing endpoints would also be a little easier because fewer processes would legitimately be altering system/application space.

    At present, the latest version of AppGuard is 1.2.7. We'll see version 1.3 later this month barring testing delays.

    Until we have an auto-update alert feature, one can check this page for the latest version information as well as install file checksum.

    AppGuard Support Page
    http://www.blueridgenetworks.com/support/appguard.php

    Cheers,

    Eirik
     
  14. jmonge

    jmonge Registered Member

    Thanks for the valuable info, Eirik :)
     
  15. HAN

    HAN Registered Member

    Eirik: A couple thoughts on the update process.

    I am not big on using the WU/BITS process. I wouldn't stomp my feet and get mad if you do go that way ;) but I don't feel it's the best approach. While many users leave WU on all the time, many users don't (including me) for some very valid reasons (bad MS patches causing bad Windows issues being a BIG one.)

    Adding to this, it would be great if the update process had user control, i.e., 3 settings. Off, Auto check and Manual check. Hopefully this would give everyone what they are after... :)
     
  16. Brocke

    Brocke Registered Member


    Eirik, thank you for your time,

    @HAN - Windows updates are very important; they fix issues and block holes from exploits getting in.

    Watch this video it will show how important it really is.

    http://www.youtube.com/watch?v=1roTgk_SrMw
     
  17. Eirik

    Eirik Registered Member


    Thanks for the feedback HAN. We're not set in our ways at this point.

    If anyone is interested in knowing more about the hijacking of software auto-updates, there is a DefCon 2009 presentation that provides some insight. I don't believe they have gone public with the full list of vendors with loose auto-update cryptography.

    Now, if there were only ONE process allowed to update Windows or Program Files content, then security software and policies could block all other attempts by other processes, making life simpler. I shouldn't be specific, so please bear with me, I know of two familiar security products (as of around April 2009) that by default endow applications with the trust they require to update themselves. Presumably, they do this as a convenience to their users, quite understandable.

    Combine this with the flawed cryptography of reportedly 'over 200' software applications (courtesy of the DefCon 2009 presenters linked above), including security products, we have some heavy risks.

    AppGuard does NOT trust auto-updates because of this. I do hope that in version 1.4 we will implement an AppGuard feature that assists non-technical folk with their software installations and updates, however.

    Thanks for the feedback HAN and Brocke.

    Cheers,

    Eirik

     
  18. HAN

    HAN Registered Member

    Don't misunderstand, I do WU. I just don't like running WU/BITS on full auto mode.

    At home, I wait to update Windows until a couple of days have passed from the normal 2nd Tuesday Updates.


    Eirik: Thanks for listening! :)
     
  19. Brocke

    Brocke Registered Member


    Yes, I did misunderstand; I thought you didn't install them.

    No problem though. Thanks
     
  20. jmonge

    jmonge Registered Member

    I tested Braviax.exe/Antivirus Pro 2010 against AppGuard and it blocks it very easily :)
    09/16/09 13:18:47 Prevented process <install[1].exe> from launching from <c:\documents and settings\xxxxxxxx\local settings\temporary internet files\content.ie5\1dfzqwm1>.
    09/16/09 13:00:31 Prevented process <Windows® installer> from writing to <c:\windows\installer\86039.msi>.
    09/16/09 13:00:14 Prevented process <Windows® installer> from accessing to <c:\documents and settings\jose monge\my documents\my pictures>.
    09/16/09 13:00:12 Prevented process <Windows® installer> from writing to <c:\msi8123a.tmp>.
    09/16/09 13:00:12 Prevented process <Windows® installer> from writing to <c:\msi8123a.tmp>.
    09/16/09 13:00:12 Prevented process <Windows® installer> from writing to <c:\documents and settings\all users\start menu\programs\administrative tools>.

    This tool is good for people who like to click all links without care :) :)
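
The block-log lines quoted in the post above follow a fixed pattern, so they can be parsed and tallied mechanically. This is an added example, not part of the original thread and not AppGuard code; the sample log is constructed, the MM/DD/YY date order is an assumption, and `parse_events` and `summarize` are hypothetical helper names.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the format of the log lines quoted in the post above
# (user name, folder and file names are made up).
SAMPLE_LOG = r"""
09/16/09 13:18:47 Prevented process <install[1].exe> from launching from <c:\documents and settings\user\local settings\temporary internet files\content.ie5\abcd1234>.
09/16/09 13:00:31 Prevented process <Windows installer> from writing to <c:\windows\installer\12345.msi>.
09/16/09 13:00:12 Prevented process <Windows installer> from writing to <c:\msi0001.tmp>.
09/16/09 13:00:12 Prevented process <Windows installer> from writing to <c:\msi0001.tmp>.
09/16/09 13:00:10 Prevented process <Windows installer> from accessing to <c:\documents and settings\user\my documents>.
this line is not an AppGuard event
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) Prevented process "
    r"<(?P<process>[^>]+)> from (?P<action>launching from|writing to|accessing to) "
    r"<(?P<path>[^>]+)>\.$"
)
ACTIONS = {"launching from": "launch", "writing to": "write", "accessing to": "access"}


def parse_events(text):
    """Return (events, rejected_lines); repeated log lines are kept as-is."""
    events, rejected = [], []
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            rejected.append(line)  # keep unparsed lines for manual review
            continue
        events.append({
            "time": datetime.strptime(m["ts"], "%m/%d/%y %H:%M:%S"),  # assumed MM/DD/YY
            "process": m["process"],
            "action": ACTIONS[m["action"]],
            "path": m["path"].lower(),  # Windows paths compare case-insensitively
        })
    return events, rejected


def summarize(events):
    """Count distinct blocked (process, action, path) triples per action type."""
    unique = {(e["process"], e["action"], e["path"]) for e in events}
    return Counter(action for _, action, _ in unique)
```
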
     
  21. Joeythedude

    Joeythedude Registered Member

    Might be worth pointing out that AppGuard does not need updates as much as other security products as it does not use virus definition files.

    Just in case that's what the poster a few posts back thought.
     
  22. jmonge

    jmonge Registered Member

    Exactly, plus it is anti-executable and the PC stays fast and stable :)
     
  23. jmonge

    jmonge Registered Member

    Hi Eirik, where are you? Any updates for AppGuard or EdgeGuard Solo? Thanks
     
  24. Eirik

    Eirik Registered Member

    Hey Jose,

    I've been working on marketing stuff lately, just revised the AppGuard Technology white paper and posted it; making preparations for updating our endpoint security web content and datasheets; tweaking a product improvement survey to build on some of the insightful feedback from yourself, Kees, Sully, and others; and getting ready for next week's release of AppGuard version 1.3.

    AppGuard 1.3 officially embraces Windows 7 (32 bit), allows users some customization of what guarded applications may do (same rules apply to all guarded apps), and fixes some bugs.

    I expect that MBRguard will be integrated with AppGuard/EdgeGuard in the next release. Meanwhile, some rather interesting groups are evaluating MBRguard. As some of you may know, this standalone utility is the ultimate in minimalization: small CPU footprint, no GUI, no alerts, no logging; it just blocks the attacks.

    Cheers,

    Eirik
     
  25. jmonge

    jmonge Registered Member

    Cool, thanks for the info, Eirik :thumb:
     