AppGuard 3.x 32/64 Bit

Discussion in 'other anti-malware software' started by shadek, Mar 12, 2011.

Thread Status:
Not open for further replies.
  1. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Not the same situation with Sandboxie and Appguard. Sandboxie will NOT stop a rogue from running in the sandbox, it will stop it from infecting the system. So that was perfectly normal.

    The issue with AppGuard is different.
     
  2. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    You are absolutely right, which is why programs like AppGuard are best used in combination with other approaches, such as anti-malware, light virtualisation, sandboxing, imaging, etc.
     
  3. chris1341

    chris1341 Guest

    I've installed dozens of rogues in SBIE with drop rights enabled. Most are able to run as a limited user simply by executing from Program Data and using some temp files in the Users directory. Never seen one escape from SBIE though including MS Removal Tool :D

    As for the AppGuard issues, I was 'lucky' enough to get an MS Removal Tool sample from a colleague who brought me his machine to fix when he ran into this little nasty. AppGuard blocked execution on my Win7 64 bit machine on default settings (High).

    I'd be interested to hear what functional advantages there are to running AppGuard at Medium though.

    Cheers
     
  4. 1000db

    1000db Registered Member

    Joined:
    Jan 9, 2009
    Posts:
    718
    Location:
    Missouri
    I didn't mean to imply that the rogue I experienced in the SB sandbox escaped; I didn't think it would run as well as it appeared to while being completely contained and its rights lowered. I wouldn't expect a rogue, even MS Removal Tool, to run as well as 3TAMMUZ suggests it did, assuming of course the rogue was running guarded. I didn't really consider the SB rogue a failure as SB did exactly what it was designed to.
     
  5. 1000db

    1000db Registered Member

    Joined:
    Jan 9, 2009
    Posts:
    718
    Location:
    Missouri
    Was Tamperguard by chance disabled?
     
  6. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    Hello 3TAMMUZ,

    I'm sorry to learn of this adverse experience. We appreciate your taking the time to share this so we can all learn from it and, however appropriate, do something to improve AppGuard.

    What if anything can you tell us about how the rogue Malicious Software Removal Tool entered your system? Was this an executable that you explicitly launched from user-space? If so, could you PM this to me so we might re-create the environment?

    Could you tell us more about what you mean by "bleached"? What changes to your system GUI, settings, file system, services, and other things did you see? Did you also observe these symptoms following a system restart?

    Was Acronis actively running on your system at this time? If so, are you using Acronis for simple back-ups or complex ones (e.g., multiple mappings for different 'states')?

    Thanks again for sharing. We appreciate your insights and deeply regret the inconvenience and disappointment you are feeling. We have an engineer lined up to take a careful look into this.

    Cheers,

    Eirik
     
  7. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    A launched executable in user-space would be capable of launching an executable already in system-space. However, the launched application would be guarded and unable to place anything into system-space.

    "High" mode, which we'll be re-naming "Lock-Down" mode, leaves less attack surface than "Medium".

    Medium mode blocks script launches from user-space.

    "Privacy Mode" can counter the risk to user-content from malicious executables launched from user-space with the "Medium" protection mode whereby such executables are 'guarded in privacy mode'. So the more user-content that is within folders designated as private, the less exposed one is from user-space executables in "Medium" mode.

    Cheers,

    Eirik
     
  8. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    "Medium" mode affords users more convenience than "High", which is generally unforgiving in that it requires that users place all executables that must be allowed to launch on the 'guard list'.

    Functionally, user-space executables 'under guard' cannot write into system-space, launch scripts, inject code into other processes, read the memory of other processes (i.e., RAM Scrapers).

    An executable can place something functional into the Application tray. However, after a system restart, it would disappear. If something were to remain in the Application Tray after restart then AppGuard would have failed.

    Cheers,

    Eirik
     
  9. chris1341

    chris1341 Guest

    Understood, was not criticising just pointing out that while rogues/malware don't burrow quite as deep when running LUA a limited number can still run. The ones I've seen are more a PITA when run with limited rights (multiple pop-ups, web site redirects, toolbars etc ) than truly malicious. Easier to clean too!

    Cheers
     
    Last edited by a moderator: Apr 18, 2011
  10. chris1341

    chris1341 Guest

    Interesting, medium is kind of policy restriction but I'll stick with 'high' as I prefer default deny. I'm pretty careful about new executables so don't mind turning off to install etc. then sliding back to 'high'.

    Thanks for replying.
     
  11. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    I too prefer "High". Giving executables no chance is better than very little!

    Cheers,

    Eirik
     
  12. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,538
    Location:
    Sweden
    Eirik, do you recommend people using a malware scanner in order to distinguish between good or bad executables before lowering AppGuard protection? Is it your belief that it's absolutely necessary if you want to be 'sure' that lowering protection of AppGuard is a wise decision?
     
  13. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    I'm not much of a proponent for malware scanners whether checksum or 'generic' signature based. They do help but altering an executable's checksum to elude detection is made easier every day by readily available tools.

    So what to do when in doubt? Why would one be in doubt? First, we should only install stuff from repudiable sources. How do we know what we got from the repudiable source is what it's supposed to be? Digital signatures are getting more common. AppGuard will further embrace the concept of trusted publishers this year. But even digital signatures have their limitations...another topic.

    When these precautions fail or simply do not apply, that's when one needs a sandbox or virtual machine. However, be careful not to be overly confident. I'm not casting doubt on any tool's ability to contain, though that is a fair concern. No, I'm casting doubt on the user's ability, and the tool's ability, to ascertain if the executable did something malicious in the sandbox or virtual machine during testing. In other words, be sure you know you can detect foul play in the test, otherwise it does not serve you.

    When I'm asked about why one would want Sandboxie and AppGuard together, this is one of the reasons.

    However, the point I'm making is to be careful about re-locating what you ran in Sandboxie into your real machine. Just because Sandboxie didn't beat you over the head with an alert doesn't mean something bad isn't inside. This is not a slight to Sandboxie or other tools. If anything it's a slight against people, including myself. The tool might tell you something you don't understand. So, if you do not consider yourself an expert in telling 'good' from 'bad', avoid the decision and compartmentalize when you can (i.e., keep it in the box). I'm not such an expert so I prefer to compartmentalize.

    When reducing AppGuard down to "Install" mode, I encourage folk to close as many applications down as practical, lest something nasty be lurking inside one of those apps just waiting for its shot. It only takes a few moments to restart a web browser. One could take this to greater extremes but I usually don't bother myself.

    I hope this helps.

    Cheers,

    Eirik
     
  14. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Eirik

    Sandboxie and AppGuard are a great duo. Like AppGuard, Sandboxie makes no judgement about anything, nor does it prevent it from running.

    Unfortunately in all cases you have to expose yourself to install something and that's where the software between the ears takes over. Only final protection in this case is backup/imaging.

    Pete
     
  15. Brocke

    Brocke Registered Member

    Joined:
    Mar 16, 2008
    Posts:
    2,306
    Location:
    USA,IA
    I noticed that I'm getting antimalware scanning being blocked by AG in IE9.

    Shouldn't that not happen?
     
  16. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    I have the whole of My Documents designated as Private Folders. I use the Medium protection level because I got fed up with having to disable Privacy Mode for MS Office applications every time I want to access a document or when using iTunes, which needs to access its music library (located in My Music). I have Privacy Mode enabled only for browsers and email clients, which for me represents an acceptable trade-off between security and convenience.

    However, I would still like the option to be able to deny the launch of applications not explicitly in the guard list from user-space as well as having granular control over Privacy Mode. This used to be the default behaviour in the previous version of AppGuard, but is no longer possible.

    IMO it should be possible to start from the Medium protection level and selectively add options until ending up with some or all of the protections that the High protection level provides. The user should not be forced to select the High protection level in order to prevent user-space launches. This should be a separate configurable option. The High protection level should be a matter of convenience to enable all protections to be quickly enabled, not a necessity.
     
    Last edited: Apr 18, 2011
  17. 1000db

    1000db Registered Member

    Joined:
    Jan 9, 2009
    Posts:
    718
    Location:
    Missouri
    I agree, good idea. Instead of Medium settings it should be called Manual or Custom, since virtually everything in AG would become adjustable at that point. :thumb:
     
  18. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    Would you mind posting sample log events and anything unique about your policy?

    Eirik
     
  19. 3TAMMUZ

    3TAMMUZ Registered Member

    Joined:
    Jan 30, 2009
    Posts:
    38
    First, thank you for reading my appeal.

    AppGuard can never be easy to use if I am to run a certain program from drive D. It's then working as a pure anti-executable software. That was the reason I let it run at the medium security level.

    However, I was disappointed at the fact that AppGuard got turned off all of a sudden, although it said in the log that the **.exe had failed to write. It just meant that its self-defense mechanism went amiss. This rogue probably got into the temp folder accidentally while doing an Internet search through the Google search engine - I often look for a certain PDF document to read - because I remember it was first stopped by SpyShelter Premium, or shall I say it was questioned by it. But when facing this sort of situation, a novice like me does not make a good judgement. Isn't that why we rely on software like AppGuard, which we even willingly paid for?

    After all, Malwarebytes seemed dominant over this sort of malware, as always, and yet Hitman Pro looked useless against this rogue attack, unlike its general accountability. (In addition, I had to have Hitman Pro run forced and it still failed to delete even the bad cookies that it detected, unusually, under this pressure.) However, the other two software appeared all right.

    Because of this rogue, I could hardly do any surfing in IE 9, and the rogue kept popping up to prolong its survival. For whenever I clicked IE 9, it failed to load, but only the rogue program began to run.

    From my experience I know the Faronics Anti-Executable well, but I decided not to use it because it often made legitimate software dead, which can be a serious matter to a just normal user, as someone notified beforehand. Like updating some software could not be accomplished, but it worked out well once I had uninstalled it. Maybe it's not right for a user to expect that this software runs pretty well by itself without proper instruction. You see, most Windows users around the company and the school just install the anti-virus software, believing that it certainly does the job fully, automatically.

    Pardon me for saying 'my OS got bleached.' It might sound unduly terrible. But I was at a loss what to do then. There was no way to surf the Internet just then. I wonder, then, whether it is because of my Windows 7 x64.

    And Eirik, thank you for the tip regarding the Acronis back-up system; I only use its basic function. I periodically back up the image and use it on an unpleasant occasion.
     
    Last edited: Apr 19, 2011
  20. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    I take it that drive D is NOT the system drive where the OS is located.

    If by 'never easy', novice users may not be comfortable adding the "certain program" to the 'guard list' so that it may launch in "High" protection mode. Or, that an end-user may not be comfortable adding an exception folder to the user-space policy that tells AppGuard to ignore launches from that folder. Frankly, I don't like this approach myself as it could be used to host malware.

    At present, we do not enable end-users to define system-space exceptions that add select folders to system-space. This would result in preventing changes to your "certain program" by anything guarded.

    Would you please help us understand why you run your "certain program" from a non-system drive? Our interest here is better knowing how we might accommodate customer needs by understanding them better.

    As well one should be disappointed if malware turned off AppGuard protection. We hope to test this sample thoroughly. It's also possible, though unlikely on 64 bit Win7, that the presence of multiple security software applications on your system caused AppGuard to malfunction. I hope to examine this as well.

    Would you please elaborate as to why you could not surf? What were you observing? Were browser windows or tabs opening? Changes in the Windows GUI?

    Very important question, did you restart your system and observe these symptoms continue to manifest? This would represent a system penetration.

    We are grateful to you and others that can assist us in our investigation. We take this seriously. And whenever AppGuard fails, there's no reason we shouldn't learn from that to make it better.

    Cheers,

    Eirik
     
  21. Dave53

    Dave53 Registered Member

    Joined:
    Feb 23, 2009
    Posts:
    123
    I also agree that this would be a much better approach. :)
     
  22. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Eirik

    To give you one answer as to why one might run a program from another drive. For a while I had Microsoft's Flight Simulator installed. Since I don't classify that as "serious" software, I didn't care if it was included in system backups.

    I put it on the non system drive and ran it from there because it was so "bleeping" big. It made a bloat out of images, etc. So hence I ran it from the D: drive.

    Pete
     
  23. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,538
    Location:
    Sweden
    Pete, when running AppGuard and Sandboxie together, do you sandbox the browser too or do you only use Sandboxie for new, unknown software to test it before you install it outside the Sandbox?

    Sandboxie together with AppGuard seems to be the best overall protection available at the moment. The traditional AVs have a highly doubtful protection against malicious software.
     
    Last edited: Apr 19, 2011
  24. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    Thanks. Good to know the 'gamer' perspective. They're targeted more and more.

    Eirik
     
  25. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I sandbox each of my browsers, and Outlook 2010 all in separate sandboxes.

    If I want to test something new software wise, I go to a virtual machine.

    And I agree, Sandboxie, AppGuard, and also OA for firewall is tough to beat.

    Pete
     