AppGuard Beta is Live (64 Bit, MemoryGuard)

Discussion in 'other anti-malware software' started by Eirik, Jul 7, 2010.

Thread Status:
Not open for further replies.
  1. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    Depending on how guarded applications are configured, I think it can make a difference.

    With High protection level, Privacy Mode and MemoryGuard are automatically enabled for all guarded applications, irrespective of how they are configured. With Medium protection level, Privacy Mode and MemoryGuard run as configured for each guarded application individually, which means they can be disabled if required.
     
  2. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    Hi DJG, I manage the AppGuard development team at Blue Ridge and I'm not sure I understand what you mean by the above. Would you clarify?

    Having IE in the list of protected applications should not affect your ability to block it. You cannot remove IE from the AppGuard list, but if you uncheck the box next to it, AppGuard will no longer Guard it.

    Yes, you can remove IE by modifying the AppGuardPolicy.xml file, but this is not recommended.
     
  3. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    Okay, this might be hard for me to explain, but here goes: The event shown in the screenshot of the Windows event log is NOT the same event that was selected to be ignored. It is a summary event that occurs when any event occurs multiple times within 2-3 seconds. In a future release, we will enhance the "ignore" message feature to also ignore the summary message associated with messages that are set to be ignored. I hope that makes sense.
     
  4. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    Greg, I'm not sure what is causing IE to crash - I don't think it's AppGuard (unless you have set messages related to IE to be ignored). I think that the AppGuard blocking messages that you are seeing related to "Windows Problem Reporting" are actually occurring after the crash and are due to AppGuard blocking the Microsoft process that is trying to create the crash dump information that is created when a Microsoft product crashes (and you see that annoying message asking whether you are willing to send the information to Microsoft). For example:

    Image1.png

    This might actually be considered a beneficial feature :D , but if you'd like to allow this, check the event log for the actual name of the application that was blocked and add it to the MemoryGuard exception list.
     
  5. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    AIGLE, thanks for the information.

    Blocking DLL loads based on their location is not currently a feature of the consumer version of AppGuard (it is part of our enterprise solution). However, if a DLL is loaded by a Guarded Application, then as a child process of the Guarded Application it is automatically Guarded and therefore is blocked from altering critical system components. Restricting the loading of DLLs based on location is an enhancement that we will consider for the next release of Consumer AppGuard.


    When AppGuard is in High protection level, cmd.exe and rundll32.exe are Guarded so although you may have been able to run Conficker, it should have been Guarded and therefore should not have been able to alter critical system components.

    Regards,

    Barb
     
  6. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Ok, thanks for explanation. Just two questions:

    1- If a dll is executed from a USB memory stick via a .lnk exploit (a real-world malware scenario), will AppGuard intercept it?

    2- Why don't you people add a window in the main console that will show the processes running as guarded, in real time?

    Thanks
     
  7. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590

    Hi David

    I'm not sure you can block it in Appguard, but for the Appguard and paid Sandboxie combo, yes.

    Create a separate IE Sandbox. Set up Iexplore.exe as a forced program in the Sandbox. Then under restrictions remove Iexplore.exe from the list of programs allowed to run.

    Thereafter, attempting to run IE will force it into the Sandbox and it will be blocked. I tried it and it works.

    Pete
     
  8. buckslayr

    buckslayr Registered Member

    Joined:
    Jun 1, 2009
    Posts:
    484
    Location:
    Michigan, USA
    Barb, thanks for the explanation. Seems like the criticism in this post and another that was started may have been a little premature...
     
  9. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    Hi Barb,

    Yes, that makes perfect sense now you've explained it. Many thanks.

    Regards
     
  10. djg05

    djg05 Registered Member

    Joined:
    Apr 6, 2005
    Posts:
    1,565
    Thanks All for the replies.

    Barb C

    I tried the various options on IE and they all allowed it to run, so I thought that the only option left was to remove it from the list which I found was not possible.

    I hope that makes it clearer.
     
  11. djg05

    djg05 Registered Member

    Joined:
    Apr 6, 2005
    Posts:
    1,565

    Thanks Pete

    Yes, that would stop it connecting out but would not prevent it loading/running internally. On second thoughts I may be wrong - will have a play with it later :(
     
  12. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    Thanks for clarifying; now I think that I understand your concerns. The consumer version of AppGuard is not intended for use to block applications that are located in "System Space" (i.e. Program Files and Windows directory). AppGuard's purpose is to "Guard" the most vulnerable applications (i.e. the applications most targeted by malware) that are located in System Space (or those that you might want to add from "User Space"). The idea is that the software located in "System Space" is protected by other mechanisms (for instance user accounts can't alter this space). Also, AppGuard prevents Guarded applications from altering System Space. This leaves "User Space" as the most vulnerable area on your system where something bad might be dropped onto your computer. In the high protection level, AppGuard prevents all applications running from user space. In the medium protection level, AppGuard will automatically guard applications launched from user space so that they cannot alter system space. Anyway, it's hard to explain (Eirik does a much better job of it), but the combination of Guarding your most vulnerable system space applications and not allowing user-space applications has proved effective in preventing malware from infiltrating your PC.
     
  13. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    I believe so. I've forwarded this question to one of my engineers who has previously experimented with the .lnk exploit to get more details on his findings.

    Good suggestion. We'll consider for a future release.
     
  14. djg05

    djg05 Registered Member

    Joined:
    Apr 6, 2005
    Posts:
    1,565
    Thanks for that explanation.

    Not sure about that - I would prefer to totally prevent IE from loading.

    I assume that the same applies to OE?
     
  15. djg05

    djg05 Registered Member

    Joined:
    Apr 6, 2005
    Posts:
    1,565
    Just tried that Pete and IE will still load.
     
  16. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    This from my Engineer: If LNK is exploited manually via USB/rundll32 etc., AG will not intercept the DLL loading. But the consecutive actions (like IE compromised due to a malicious DLL (.LNK), or Word/Excel due to an embedded icon on a document etc., or a special DLL initiating the execution of previously executed malware) of the compromised process will be contained so that such a process would not be able to harm the system.
     
  17. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Thanks. Not sure if I can get it all though. :)
     
  18. djg05

    djg05 Registered Member

    Joined:
    Apr 6, 2005
    Posts:
    1,565
    I am having problems getting a program called Weather Display to run. It launches via a bat file which involves getting a log etc. from a serial device.

    I have tried adding the folder to the exemption folders list but that does not enable it to run. Is there a way to add bat files?
     
  19. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    Hi DJG05, excluding the folder from user-space definition should have worked. Are you sure that you changed the "Include" setting to "N" for the folder as shown below?
    UserSpaceTabExlude.png
     
  20. djg05

    djg05 Registered Member

    Joined:
    Apr 6, 2005
    Posts:
    1,565
    Thanks Barb C

    That has sorted it. When I read the help file I did not pick up that it should be on the User Space tab.

    A further question. I have successfully set up Sandboxie with my browsers to work with AP, but my mail program Pocomail is not run through SB and connects direct. AP allowed it to connect directly - I expected it to be blocked but was allowed to connect out. It is not listed in AP at all.
     
  21. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    Where is Pocomail installed? If it is installed in Program Files, then AppGuard will not block it; if you add it to the AppGuard Application list, then AppGuard will Guard Pocomail so that malware can't use it as a vector into your system. If Pocomail is installed in user-space and you are running high protection level, then Pocomail should not have been launched.
     
  22. tony62

    tony62 Registered Member

    Joined:
    Aug 26, 2005
    Posts:
    214
    Location:
    UK
    Hi,

    Why are some AppGuard actions not logged, as seen by the high level and denied action in the screenshot below? In general, admin actions which are blocked by AppGuard are blocked but not logged, and are sometimes difficult to troubleshoot.

    Thanks!

    2011-02-26_224841.png
     
  23. djg05

    djg05 Registered Member

    Joined:
    Apr 6, 2005
    Posts:
    1,565
    Thanks

    So it would seem that unless you are running in High mode, pretty much anything can run.

    I do see that putting Pocomail in the User Space does control it, but if you use the GRC leaktest, put it in the Pocomail folder and change the name of Leaktest to Pocomail then it can run unchallenged. It would appear that AG only checks on the file name and nothing else.
     
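The two posts above (Barb_C's description of the user-space / system-space model and djg05's observation that an exemption keyed on file name is satisfied by a renamed file) can be made concrete with a small model. This is an added, constructed illustration, not AppGuard's code: the system-space roots, the exemption functions and the sample file contents are assumptions made for the example. It encodes the rules as stated in the thread (system-space launches are not blocked, user-space launches are blocked at High and guarded at Medium, excluded folders are treated like system space) and then contrasts a name-only exemption with one pinned to a content hash, which is the check a defender would want if the renaming observation holds.

```python
"""Toy model of a user-space / system-space launch policy.

Constructed illustration, not AppGuard's code. It encodes the rules the
developer describes in the thread and contrasts a file-name exemption
(bypassed by renaming, as djg05 observed) with a hash-pinned exemption.
"""
import hashlib
from pathlib import PureWindowsPath

# Assumed system-space roots for the model; the product's own definition is configurable.
SYSTEM_SPACE = ("C:\\Program Files", "C:\\Windows")


def _norm(p: str) -> str:
    """Case- and separator-insensitive prefix form of a Windows path (trailing backslash)."""
    return str(PureWindowsPath(p)).lower().rstrip("\\") + "\\"


def in_folder(path: str, folder: str) -> bool:
    """True if `path` lies under `folder` (prefix match on normalised paths)."""
    return _norm(path).startswith(_norm(folder))


def launch_decision(path: str, level: str, excluded_folders=()) -> str:
    """Return 'allow', 'guard' or 'block' for a launch of `path` at the given level.

    allow : system space (or a folder excluded from user space); not guarded here
    block : user space at High protection level
    guard : user space at Medium protection level (runs, but contained)
    """
    if any(in_folder(path, f) for f in SYSTEM_SPACE + tuple(excluded_folders)):
        return "allow"
    if level == "high":
        return "block"
    if level == "medium":
        return "guard"
    raise ValueError("unknown protection level: " + level)


def exempt_by_name(path: str, exempt_names) -> bool:
    """Weak exemption: trusts whatever name the file on disk carries."""
    return PureWindowsPath(path).name.lower() in {n.lower() for n in exempt_names}


def exempt_by_hash(file_bytes: bytes, exempt_hashes) -> bool:
    """Stronger exemption: pinned to the file's contents, so renaming changes nothing."""
    return hashlib.sha256(file_bytes).hexdigest() in exempt_hashes


# Constructed sample contents standing in for the real mail client and the test tool.
POCOMAIL_BYTES = b"MZ...constructed pocomail image..."
LEAKTEST_BYTES = b"MZ...constructed leaktest image..."
POCOMAIL_HASH = hashlib.sha256(POCOMAIL_BYTES).hexdigest()


def renamed_tool_slips_through() -> dict:
    """Leaktest copied into the Pocomail folder and renamed pocomail.exe (the scenario in the post)."""
    path = r"C:\Users\dj\Pocomail\pocomail.exe"
    return {
        "by_name": exempt_by_name(path, ["pocomail.exe"]),      # True: name matches
        "by_hash": exempt_by_hash(LEAKTEST_BYTES, {POCOMAIL_HASH}),  # False: contents differ
    }


if __name__ == "__main__":
    print(launch_decision(r"C:\Program Files\Pocomail\pocomail.exe", "high"))
    print(launch_decision(r"C:\Users\dj\Pocomail\pocomail.exe", "high"))
    print(launch_decision(r"C:\Users\dj\Pocomail\pocomail.exe", "medium"))
    print(renamed_tool_slips_through())
```

The point of the last function is the detection gap: a policy keyed on path or name accepts the renamed file, whereas a hash-pinned exemption rejects it. A hash check has its own cost (every legitimate update of the exempted program changes the hash), which is the trade-off behind any allowlist design.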
  24. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I have a license question. I just purchased the lifetime license for 3 PCs, and I was sent the same license key I already had that I had purchased for version 1 a few years ago. Does BlueRidge Networks treat this as an upgrade? I would have thought I would have received a different license key.
     
  25. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    AG blocks Windows from executing other similar functions. I have to lower AG's protection level to medium in order to change some Windows settings at times. I have reported a few of them. Yes, it can be difficult to troubleshoot when AG does not inform the user it is blocking Windows from executing Windows functions. I'm sure AG will get better at resolving these issues over time. It is impossible to discover all of them during beta with such a small amount of test users. I'm sure all experienced users already know this though.
     
    Last edited: Feb 27, 2011