AppGuard 3.x 32/64 Bit

Discussion in 'other anti-malware software' started by shadek, Mar 12, 2011.

Thread Status:
Not open for further replies.
  1. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    Agreed. AppGuard for system-wide policy restriction also combines well with Returnil or Shadow Defender for system-wide virtualisation.

    I use Sandboxie for browser protection but Shadow Defender for testing software that doesn't require a reboot. To me, it just feels more natural than launching applications from inside a sandbox and, unlike Sandboxie, it also allows testing of software that installs drivers or services.
     
  2. Brocke

    Brocke Registered Member

    Joined:
    Mar 16, 2008
    Posts:
    2,306
    Location:
    USA,IA
    Any word on the Change in Licensing Eirik?

    I'm talking about the future like you stated before with a possible PRO etc?
     
  3. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,538
    Location:
    Sweden
    What I would like is software which would allow you to reboot with a 100% success rate to return everything back to normal if the software was malicious. That would allow me to install anything and still be able to restore what was damaged. Shadow Defender resets everything on reboot. Ordinary back-up software does not provide a 100% success rate when restoring a back-up, since root-kits may still be active. Shadow Defender, on the other hand, protects you against these... but then again, everything is reset upon reboot.
     
  4. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    it is ok as long as you get the protection you want;) :thumb:
     
  5. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia

    There are no plans for a "Pro" or other descendant of "AppGuard". Someday there could be. I was only making a theoretical point that licensing terms generally do not extend to what amounts to a new product (e.g., Microsoft Office 2010 vs Microsoft Office 2003) that is substantially different (new capabilities). By this definition, it would not have been unusual in the software industry for Blue Ridge to go with a "Pro" product instead of a 3.x release as we did. We chose not to.

    Cheers,

    Eirik
     
  6. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    Hi All,

    Our Chief Software Architect personally investigated this and cannot confirm any of the observations. This could be due to our inability to get precisely the same malware sample. He found the closest match based on the poster's description. Unfortunately, no further identifying information about the malware was available to eliminate doubt as to whether we had the exact same sample. Barring more information, more samples, we can conduct no further penetration testing.

    All test cases conducted on the sample we acquired failed to penetrate system-space with AppGuard. Note, some malware can appear to infect a host in "Medium Protection" mode but their effects disappear with a system restart.

    As someone pointed out earlier, user-space malware is a good incentive for taking advantage of privacy mode, which restricts access to documents inside designated folders. The downside to privacy mode is inconvenience. A user must right-click, suspend privacy mode for a specific application to access such documents. Until technology can unerringly answer when a legitimate application has become hijacked, this 'inconvenience' remains. We can improve our implementation perhaps.

    There are two environmental factors that are also relevant however. First, there were three other security software applications:
    - Avira Premium Security suite
    - SpyShelter Premium
    - Hitman Pro

    It is possible there was a software conflict that impaired AppGuard, though unlikely on 64 Win7. However, we do not have these products in our lab. We have no other reports or indications of problems. Please let us know if you're using this combo.

    The second relevant factor may be Acronis. Again, this is not a high probability. Generally there are no problems. However, Acronis does manipulate the GUIDs that the operating system issues for mapping hardware to things like "the C drive", etc. Some advanced uses of Acronis can result in mapping errors that confuse AppGuard and everything else, which can impair AppGuard protection.

    I'm afraid I wrote this post rather hastily while several people came into and out of my office for urgent matters. I apologize in advance if I have been unclear or if I misstated something. I'll be online off and on today for follow-up questions. If anyone would like to send us more samples, please zip with password and email to appguard@blueridgenetworks.com

    Cheers,

    Eirik
     
  7. SumoX

    SumoX Registered Member

    Joined:
    May 2, 2010
    Posts:
    4
    Hi Eirik,
    My situation is I have a laptop with one drive and multiple partitions, which I use for testing (among other things), C: being the OS. However, D: and E: are programs I always need and use but don't want to reinstall every time I clean house with C: via image backup.

    Similar with my main PC I have four HDD's one has the games on it(it's a pain reinstalling games), the others sometimes have test programs on them. Likewise I have backup images of C:

    That's why I run programs from non system drive...
     
  8. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    Hi Brocke, and Everybody Really,

    I couldn't say anything until a decision had been finalized regarding a refinement to our change in licensing terms announced at the end of March. I got a phone call with that decision this afternoon.

    The licensing refinement:

    From now on, all those folk with AppGuard licenses (new system) issued prior to the license policy changes on April 1st are entitled to free software updates beyond AppGuard 3.x into 4.x, 5.x, 6.x, etc.

    BTW, this refinement is very much a nod to the Wilders community that has been so kind and helpful to the AppGuard team. Although we do not always do as you ask, we always listen, and we always try to accommodate your wishes, suggestions, and ideas.

    Cheers,

    Eirik
     
  9. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,538
    Location:
    Sweden
    Sweet! That means my 6 licenses are valid for the coming versions! :) Very generous for a total of 50 dollars! :)
     
  10. Blackcat

    Blackcat Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    4,024
    Location:
    Christchurch, UK
    Thanks to BlueRidge and Eirik in particular; nice to see a company listening to their user base and acting in their favor.
     
  11. 1000db

    1000db Registered Member

    Joined:
    Jan 9, 2009
    Posts:
    718
    Location:
    Missouri
    This is a fair compromise. I think it will deter new users to some extent but honestly the price is not out of line considering the market. :doubt: Regardless, it is indeed fair and I want to give a big thanks to BlueRidge Networks for considering your testers' and forum users' opinions, and your willingness to make adjustments. :thumb:
     
  12. huntnyc

    huntnyc Registered Member

    Joined:
    Nov 10, 2004
    Posts:
    1,014
    Location:
    Brooklyn, USA
    Eirik,
    Wonderful news. Thanks to Blueridge Networks for a tremendous program and looking forward to future improvements. And, thanks, to a wonderful security forum in the Wilders community.

    Gary
     
  13. crapbag

    crapbag Registered Member

    Joined:
    Mar 14, 2011
    Posts:
    145
    I have a quick question to ask regarding Appguard. I'm assuming that this is a general discussion thread?

    I have SAS and MBAM installed as on demand scanners. When I try to run a scan with either of these Appguard tells me that it has:

    Prevented (MBAM/SAS) from writing to memory of <Run DLL as an App>

    Both MBAM and SAS successfully complete scanning. This alert just appears at the start of a scan.

    Should I be adding to exclusion lists or can this alert be disregarded as the programs complete scans without issue?
     
  14. Antarctica

    Antarctica Registered Member

    Joined:
    Feb 25, 2003
    Posts:
    2,180
    Location:
    Canada
    Agree 100%:D Thanks Eirik. This is actually my preferred Security Software.:)
     
  15. cgeek

    cgeek Registered Member

    Joined:
    Mar 31, 2010
    Posts:
    328
    @crapbag
    Just add mbam.exe and the SAS process to memory guard exclusions. I had to do this for most of the on-demand scanners I have tested.

    @eirik
    I would like to thank BRN for listening to the userbase and honoring our request! :thumb:
     
  16. crapbag

    crapbag Registered Member

    Joined:
    Mar 14, 2011
    Posts:
    145
    Thanks! :)
     
  17. Brocke

    Brocke Registered Member

    Joined:
    Mar 16, 2008
    Posts:
    2,306
    Location:
    USA,IA
    That's just the answer I was wanting to hear! Thanks for the support and product. Well done! :thumb:
     
  18. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Eirik

    I have to add my thanks on the licensing issue. It's cool to see the Wilders gang and software companies work together for mutual benefit.

    Well done all.

    Pete
     
  19. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    The implementation can indeed be improved. Just add a separate checkbox for the control of user-space launches, which can be toggled on or off independent of the protection level.

    As I've already said, for reasons of convenience I choose to apply Privacy Mode only to the higher risk guarded applications that don't normally need access to private data: i.e. browsers and email clients. This means using the Medium protection level, which also allows guarded application launches from user space.

    The point is that I don't want to allow user space launches while AppGuard protection is enabled, whilst retaining full control over Privacy Mode. This is how AppGuard used to work and now is not possible, even as an option.
     
  20. Space Ghost

    Space Ghost Registered Member

    Joined:
    Apr 21, 2011
    Posts:
    195
    Location:
    Poland
    Can AppGuard prevent the new drive-by cache attack?
    More information about this attack can be found here.
     
  21. smith2006

    smith2006 Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    808
    Hello All,

    I am a first time Windows 7 64bit user.

    Does anyone have a problem running both AppGuard (Protection Level: High, Exception Folders: c:\sandbox) and Sandboxie 3.54? Firefox seemed to slow down tremendously.

    I have tried disabling either AppGuard or Sandboxie, then Firefox appeared to run normally.

    Prior to this 64bit new laptop, I was using a desktop (Windows 7 32bit) & didn't have any problem using the same settings.

    Thank you very much for your help.
     
  22. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Yes, and the technique of executing from the cache is not new.

    Back in 2006 there was an exploit against IE (MS06-014) that downloaded a file to the cache, and then executed it.
    This corresponds to the steps outlined in the article you cite, at this point:

    http://blog.armorize.com/2011/04/newest-adobe-flash-0-day-used-in-new.html#drive-by-cache

    One additional trick the older exploit used was to rename the cached file to svchost.exe to fool people into thinking it was legitimate.

    I did a test against AppGuard simulating a Drive-by Cache exploit using MS06-014 code.
    In this screen shot the file, astroExp.exe, is cached by the browser:

    [screenshot: ms06-014Code.gif]

    This shows the file, astroExp.exe, in the cache:

    [screenshot: cache-astro.gif]

    Actually, the script never had a chance to complete its actions, as AppGuard blocked the executable from leaving the cache:

    Code:
    Prevented process "Internet Explorer from writing to c:\svchost.exe"
    (That action is the second and third red lines in the above code)

    The distinction the article makes between Drive-by Download and Drive-by Cache is to suggest weaknesses in AV and Behavior-based detection.
    From the article:

    This distinction between Drive-by Download and Drive-by Cache, of course, is of no concern to products that watch for unauthorized executables.

    regards,

    -rich
     
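The drive-by cache technique Rmus tests above stages an executable in the browser cache, often under a misleading name, before anything runs it. As an added defensive illustration (not AppGuard code, and not from the original post), the script below walks a directory and flags any file that carries a Windows PE header regardless of its extension; the cache folder it scans is constructed in a temporary directory with sample files, and astroExp.exe is used only as a made-up file name echoing the test above.

```python
"""Flag files carrying a Windows PE header whatever their extension, e.g. in a
browser cache. Added illustration, not AppGuard code; demo() uses a temp dir."""
import os
import struct
import tempfile

EXEC_EXTS = {".exe", ".dll", ".scr", ".sys"}

def is_pe(data):
    """True if data starts with an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def find_cached_executables(root):
    """Return (path, extension_mismatch) for every PE file found under root."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(4096)  # both headers sit at the start of the file
            if is_pe(head):
                ext = os.path.splitext(name)[1].lower()
                hits.append((path, ext not in EXEC_EXTS))
    return sorted(hits)

def make_pe_stub():
    """Constructed minimal PE header: 'MZ', e_lfanew=0x40, 'PE\\0\\0' at 0x40."""
    buf = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", buf, 0x3C, 0x40)
    return bytes(buf + b"PE\x00\x00" + b"\x00" * 20)

def demo():
    """Populate a constructed cache folder and return (basename, mismatch) hits."""
    root = tempfile.mkdtemp(prefix="cache_demo_")
    samples = {
        "astroExp.exe": make_pe_stub(),        # executable with an honest extension
        "image[1].gif": make_pe_stub(),        # PE hidden behind an image name
        "page[1].htm": b"<html>hello</html>",  # ordinary cached page
        "style.css": b"MZ body {}",            # 'MZ' text but no PE header
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return [(os.path.basename(p), m) for p, m in find_cached_executables(root)]

if __name__ == "__main__":
    print(demo())
```

Point it at a real browser cache directory to see which cached objects are executables; a mismatch flag means the content is a PE file but the name says otherwise.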
  23. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    Try the latest Sandboxie beta and see if it makes any difference. I was having some Firefox issues with Sandboxie 3.54, which Sandboxie 3.55 beta resolved.

    http://sandboxie.com/phpbb/viewtopic.php?t=10200
     
  24. 3TAMMUZ

    3TAMMUZ Registered Member

    Joined:
    Jan 30, 2009
    Posts:
    38
    Dear Eirik:

    In a matter like this, I wish you to recommend me what other well-known anti-virus software and other relevant anti-malware software certainly should be used for maximizing the Windows 7 (x64) protection with AppGuard. I seldom use IE without the firewall and the antivirus programme, because I may install malware that I might reckon good while switching AppGuard into "installation mode."

    Regarding the price policy over the Blue Ridge Networks, Inc., it can be feeling good if the future price be going as other brothers longing for: however, I'll be paying fine more if your Appguard get achieved in a great deal. This also is my private view yet.
     
    Last edited: Apr 25, 2011
  25. Brocke

    Brocke Registered Member

    Joined:
    Mar 16, 2008
    Posts:
    2,306
    Location:
    USA,IA
    I'd use MSE or Avast; both are pretty good free AVs.
     