AppGuard Beta is Live (64 Bit, MemoryGuard)

Discussion in 'other anti-malware software' started by Eirik, Jul 7, 2010.

Thread Status:
Not open for further replies.
  1. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    Unless I've completely misunderstood the way AppGuard works, I don't think it tries to classify applications into good and bad in the way that an AV/AM would do. It's rather a kind of software restriction policy where the whole point is to enforce a pre-defined set of rules on applications that must by their very nature be regarded as untrusted because of the risks they pose. This is in the main Internet facing applications such as browsers, mail clients, etc. This puts AppGuard in the same software class as programs such as DefenseWall, GeSWall, etc.

    If I've understood it correctly, MemoryGuard extends the protection for guarded applications by preventing ALL processes from doing code injection into the memory space of a guarded application in order to further protect the guarded application from interference by other processes running on the machine. Of course AppGuard has no way of knowing whether the other processes are legitimate or not; it only has a concept of guarded versus unguarded applications. This is why I believe that an exceptions tab will be necessary for MemoryGuard in a similar manner to the exception tabs that enable the default file and folder permissions to be overridden for guarded and unguarded applications.
     
  2. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    In case I forgot to thank you...thank you. I forwarded your suggestions to engineering.

    Eirik
     
  3. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    This is why we are conducting betas. This is our third for MemoryGuard. Many things worth having require much effort to get right.

    Please keep sending us Windows Event Logs. They help us make refinements.

    Cheers,

    Eirik
     
  4. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    Very important observation!

    Ideally, an exceptions capability for MemoryGuard would be unnecessary. We'll try to avoid it, but ...

    Eirik
     
  5. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    In order to avoid it wouldn't that mean having to build (and maintain) a whitelist of applications that are allowed to bypass MemoryGuard's protection?

    For example, on a friend's machine, MemoryGuard is blocking Prevx from injecting itself into Firefox. Presumably, Prevx would need to be whitelisted within AppGuard or am I missing something here?
     
  6. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    Yes, multiple approaches will ultimately contribute to refining MemoryGuard.

    Cheers,

    Eirik
     
  7. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    thanks Eirik
     
  8. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Eirik,

    I would suggest the following. Drop the memory guard protection of what guarded apps do to other apps, only protect the guarded apps from tampering. The guarded apps are the most likely entry points of intrusions. When you stop it there, it is game over for most intrusions. The Memory Guard protection of what IE does to others is more or less redundant, because guarded applications are not allowed to change HKLM and Program Files.

    Since AppGuard provides UAC-like protection (what guarded applications can do to core components), the memory guard should only focus on what 'others' can do to these threatgate programs (like mail, web browser).

    This looks like a reduction in scope, but in practice will provide pragmatic and solid protection (Pareto's 80/20 rule). Keep the USB protection of memory guard, because USB and mail and browsers account for the majority of malware entry points. I would also add the possibility that USB-launched apps are not allowed to change HKLM and Program Files.

    KISS (keep it simple, stupid)
    Earliest intrusion step (inject code)
    Memory Guard = Internet-facing apps + USB = target protection (prevent high-risk entry point attacks)

    Second intrusion step (drop executable)
    Optionally a deny-execute on user space (+USB) = target protection of LUA / user space, practically implementing a deny-execute SRP (prevent drive-by attacks)

    Third intrusion step (try to get access to admin space)
    Traditional AppGuard protection = Windows + Program Files + HKLM + Startup entries HKU = source protection

    Fourth intrusion step (steal confidential data)
    Optional confidential folders (like e-mail and pictures, which are allowed access by Mail and WMP, but not web browsers and USB apps) = sophisticated source protection of user folders

    Regards, Kees.
     
    Last edited: Oct 5, 2010
  9. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
    Eirik, are y'all sure this top warning dialog does not belong to AppGuard? Also, any news for me about the IE8 writing to memory of IE8 situation that I am having? I did some testing by uninstalling everything except Comodo Time Machine, which I needed for quick restoration from the testing, and IE8 still doesn't open up with MemGuard enabled for IE8. If needed, I can uninstall CTM. I would like to hear from any users that are running CTM and AG to see if they experience this.

    Capture.JPG
     
  10. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    Mea culpa!!! :oops:

    It appears your last email with the requested information never left my individual email account. I failed to forward it to engineering. I am very sorry!!! :doubt:

    The top dialog certainly looks like a Windows dialog triggered by AppGuard Privacy Mode. If I'm incorrect, I expect the engineers will point that out. They usually like doing so. :ouch:

    I've read through all of their emails to date on your ticket and they hadn't figured out how to replicate your observations, which is why they requested the registry data. On removing the other security applications, except CTM, may we assume you restarted your PC before making further observations? As for CTM, yes, please try without it. Personally, I don't know why there would be any impact. But, doing so would eliminate another potential variable.

    Cheers,

    Eirik
     
  11. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    Engineering characterized your recommendations as 'very thoughtful'.

    I'm a bit confused about what tweaks to MemoryGuard we'll be doing next because I've been distracted with other matters. I have noticed the engineering team having quite a few discussions of late, sounds like they're having one now.

    Cheers,

    Eirik
     
  12. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    Greg,

    What is modifying these prompts (see below)?

    [IMG]

    Cheers,

    Eirik
     


  13. buckslayr

    buckslayr Registered Member

    Joined:
    Jun 1, 2009
    Posts:
    484
    Location:
    Michigan, USA
    I'm liking the new beta. Would Appguard and something like MBAM Pro be pretty solid protection?
     
  14. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    I agree that protection should focus on guarded applications but this doesn't eliminate the need for exceptions to be made. As I've already reported, Prevx is being blocked by MemoryGuard from injecting code into browsers. I'm guessing that the purpose of the Prevx code injection is likely to be associated with the workings of Prevx's SafeOnline browser protection.

    I suspect that Prevx is not the only security program that may need to inject code to function properly. These kinds of trusted security applications either have to be whitelisted by Blue Ridge or some provision has to be made for the user to create their own exceptions list of trusted applications.

    Sorry to keep coming back to this but I think it's important. I've also had to turn off MemoryGuard completely because of conflicts with the Comodo firewall.

    Another possibility could be to allow the user an option for digitally signed applications to override MemoryGuard's protection. This could be handled by means of a check-box within the settings. This would allow the user some additional control without unduly complicating the user experience.
     
  15. chipo

    chipo Registered Member

    Joined:
    May 2, 2009
    Posts:
    41
    Location:
    Spain
    I have one question: will the new feature of AppGuard (MemoryGuard) be compatible with Comodo Memory Firewall, or be redundant?

    Thanks
     
  16. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
    Those pics were taken with everything restored back to original snapshot. The extra titlebar buttons are from 4t-Tray Minimizer which is unrelated, I'm pretty sure. Reason being, I didn't have 4t installed in the past when I've questioned the same about the top warning dialog in the pics. I'm not too concerned about the top dialog, more curious than anything. The top dialog will eventually go away as it has done in the past. It only re-occurs when I install AG from scratch as in uninstall previous version and remove all traces of AG from HD and Registry before installing latest AG version.


    I will uninstall CTM and see how it goes.


    One more question. My AG install files are located on USB HD and this may be the answer to my question. If I'm launching the AG install file from another HD, why is a copy of that MSI file always stored in this Downloaded Installations folder? See pic below

    Untitled.jpg
     
  17. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    Both. Blue Ridge will whitelist what we know and allow advanced users to add their own (e.g., Prevx, etc.). Technically this feature is a "stretch" item for the final release this month. I wish we had time for the 'trust digitally signed...' approach. We'll keep it in mind.

    Cheers,

    Eirik
     
  18. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    We have no reports of problems. Unfortunately, we have no EXPLICIT reports of coexistence either. As far as I know, the MemoryGuard conflicts with CIS were pretty much taken care of with beta 3. If not, please tell us. Lastly, if we manage to get the user white list stretch feature into the production release, that might take care of any lingering issues.

    Complementary.

    MemoryGuard might actually be more aptly called a Memory Firewall than Comodo Memory Firewall. This is not meant as derogatory. If I'm correct about CMF, it strives to prevent a vulnerability exploit such as a buffer overflow. However, I do not believe it blocks a code injection from one process into another.

    MemoryGuard on the other hand, does not attempt to prevent the vulnerability exploit, instead relying on programmers to further use DEP, ASLR, SEH, and 64 bit registers when relevant. And, AppGuard does not trust applications, assuming some programming mistake will inevitably occur. And when this happens, it does so in the context of that hijacked process, which is restricted in what it may or may not do regardless.

    So, CMF strives to keep a process from being hijacked by stuff that exists within that process. MemoryGuard essentially erects a wall between two processes, blocking one from writing into another. In that narrow, simplistic sense, MemoryGuard is more of a WALL.

    Cheers,

    Eirik
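    The restriction model discussed above (Kees1958's four intrusion steps in post 8, the whitelist and user exception list raised by pegr and Eirik in posts 14 and 17, and Eirik's description of MemoryGuard as a wall between two processes in post 18) can be pictured as a single rule evaluator run over access requests. The following is an added example written for this thread; it is not AppGuard's code or its configuration format. The process classes, the `trusted_injector` flag, the protected paths and registry keys, and the sample events are all constructed to illustrate the policy.

```python
"""Toy evaluator for the layered restriction policy discussed in the thread.

Everything here is an assumption made for illustration: the process
classes, the location lists, the 'trusted_injector' whitelist flag and
the sample events are constructed, not taken from AppGuard.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set


@dataclass(frozen=True)
class Process:
    name: str
    guarded: bool = False           # Internet-facing app under MemoryGuard (post 8)
    from_usb: bool = False          # launched from removable media (post 8)
    trusted_injector: bool = False  # vendor/user exception list (posts 14, 17)


@dataclass(frozen=True)
class Access:
    actor: Process
    action: str  # "write_memory" | "write_file" | "write_registry" | "execute" | "read_file"
    target: str  # process name for write_memory, otherwise a path or registry key


@dataclass(frozen=True)
class Decision:
    allowed: bool
    step: int    # intrusion step from post 8 that the matching rule addresses (0 = no rule)
    reason: str


# Constructed locations; AppGuard's real protected-resource list is not on the page.
SYSTEM_SPACE = ("c:\\windows", "c:\\program files", "hklm\\",
                "hku\\s-1-5-21-example\\software\\microsoft\\windows\\currentversion\\run")
USER_SPACE = ("c:\\users\\", "e:\\")  # e:\ stands in for a USB drive
CONFIDENTIAL: Dict[str, Set[str]] = {   # folder -> applications allowed to read it
    "c:\\users\\alice\\mail": {"outlook.exe"},
    "c:\\users\\alice\\pictures": {"wmplayer.exe"},
}


def _under(path: str, prefixes: Iterable[str]) -> Optional[str]:
    """Return the first prefix that the (case-folded) path lies under, else None."""
    p = path.lower()
    for prefix in prefixes:
        if p.startswith(prefix):
            return prefix
    return None


def evaluate(acc: Access, processes: Dict[str, Process],
             deny_user_execute: bool = True) -> Decision:
    actor = acc.actor
    threatgate = actor.guarded or actor.from_usb  # high-risk entry points (post 8)

    # Step 1: the "wall" (post 18). No process writes into a guarded process's
    # memory unless it is on the exception list (posts 14, 17). A guarded
    # process writing elsewhere is not blocked, as Kees1958 proposed.
    if acc.action == "write_memory":
        target = processes.get(acc.target.lower())
        if target is not None and target.guarded and target.name != actor.name:
            if actor.trusted_injector:
                return Decision(True, 1, f"{actor.name} is on the MemoryGuard exception list")
            return Decision(False, 1, f"MemoryGuard: {actor.name} may not write into {target.name}")
        return Decision(True, 0, "memory write to an unguarded or own process")

    # Step 2: optional SRP-style deny-execute for user space and USB.
    if acc.action == "execute":
        if deny_user_execute and _under(acc.target, USER_SPACE):
            return Decision(False, 2, f"deny-execute in user space: {acc.target}")
        return Decision(True, 0, "execute outside user space")

    # Step 3: threat-gate processes may not change system space.
    if acc.action in ("write_file", "write_registry") and threatgate:
        hit = _under(acc.target, SYSTEM_SPACE)
        if hit:
            return Decision(False, 3, f"{actor.name} may not modify system space ({hit})")

    # Step 4: confidential folders are readable only by their listed applications.
    if acc.action == "read_file":
        folder = _under(acc.target, CONFIDENTIAL.keys())
        if folder and actor.name.lower() not in CONFIDENTIAL[folder]:
            return Decision(False, 4, f"{actor.name} is not permitted to read {folder}")

    return Decision(True, 0, "no rule matched")


def build_table(*procs: Process) -> Dict[str, Process]:
    return {p.name.lower(): p for p in procs}


# Constructed sample processes and events.
FIREFOX = Process("firefox.exe", guarded=True)
OUTLOOK = Process("outlook.exe", guarded=True)
WMP = Process("wmplayer.exe")
PREVX = Process("prevx.exe", trusted_injector=True)
EXPLORER = Process("explorer.exe")
USB_APP = Process("setup.exe", from_usb=True)
TABLE = build_table(FIREFOX, OUTLOOK, WMP, PREVX, EXPLORER, USB_APP)

SAMPLE_EVENTS = [
    Access(EXPLORER, "write_memory", "firefox.exe"),
    Access(PREVX, "write_memory", "firefox.exe"),
    Access(FIREFOX, "execute", "C:\\Users\\alice\\Downloads\\dropper.exe"),
    Access(FIREFOX, "write_file", "C:\\Program Files\\Mozilla\\update.exe"),
    Access(USB_APP, "write_registry", "HKLM\\Software\\Example"),
    Access(FIREFOX, "read_file", "C:\\Users\\alice\\Pictures\\holiday.jpg"),
    Access(WMP, "read_file", "C:\\Users\\alice\\Pictures\\holiday.jpg"),
    Access(FIREFOX, "write_file", "C:\\Users\\alice\\Downloads\\report.pdf"),
]


def run(events: List[Access] = SAMPLE_EVENTS, table: Dict[str, Process] = TABLE) -> List[Decision]:
    return [evaluate(e, table) for e in events]


if __name__ == "__main__":
    for e, d in zip(SAMPLE_EVENTS, run()):
        verdict = "ALLOW" if d.allowed else "DENY"
        print(f"{verdict:5} step{d.step} {e.actor.name:13} {e.action:14} {e.target}  ({d.reason})")
```

    Running it shows the two sides of the whitelist question: the same memory write into firefox.exe is denied for explorer.exe and allowed for the whitelisted prevx.exe, while a guarded browser writing into an unguarded process is not blocked at all, which is the scope reduction Kees1958 argued for. The `deny_user_execute` switch models the optional second layer, so the drive-by case can be evaluated with it on or off.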
     
  19. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    a Wall like DefenseWall, maybe you guys could change the name to AppWall :D :thumb:
     
  20. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    Thanks Eirik. It's good to know that this will soon be resolved. :)

    Regards
     
  21. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    Hi Eirik,

    I reported a problem in post #186 in this thread affecting beta 3 on XP. After some email correspondence between us, the engineers reported back as follows:

    "Based on msinfo, it seems the user installed other security software like comodo and prevx. We suspect that 3rd party software actually injects code to AppGuardAgent, and the injected code tries to inject code again to firefox from AppGuardAgent, which was blocked by AppGuard. To verify this, we need to inspect dlls loaded by AppGuardAgent."

    I supplied the requested information. On inspection it appeared that AppGuardAgent hadn't loaded anything by Prevx but it had loaded guard32.dll, which is part of CIS. I didn't have any other security software running at the time that could have interfered with the proper functioning of MemoryGuard.

    I didn't hear any more regarding the outcome of the investigation but are you now saying that CIS was subsequently eliminated by the engineers as the cause?

    Regards
     
  22. DasFox

    DasFox Registered Member

    Joined:
    May 5, 2006
    Posts:
    1,825
    I have a simple request, PLEASE change the icon.

    Sometimes, unless you look really close you can't tell if you are looking at the green icon for enabled or the one for suspended. Both of them are too small. :(

    But honestly, AppGuard needs a better looking icon too, time for a face lift is what I say! :thumb:
     
  23. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    agree with you ;) my friend
     
  24. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    Personally, I like the current icon but if it is to be changed perhaps that could be done as part of a complete overhaul of the GUI in a future release to make the relationship between system space and user space clearer, as previously discussed.

    For the moment though, my preference is for the engineers to focus all their energy on getting MemoryGuard right.
     
  25. DasFox

    DasFox Registered Member

    Joined:
    May 5, 2006
    Posts:
    1,825

    Sure focus on making the program right, but making an icon change isn't that much work for a professional graphic designer to do. ;)

    An ant is as big as that green check mark area and I don't have eagle eyes, LOL... :eek:
     