AppGuard 3.x 32/64 Bit

Discussion in 'other anti-malware software' started by shadek, Mar 12, 2011.

Thread Status:
Not open for further replies.
  1. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I did an over-the-top install on the first of my machines. I run XP Pro SP3 on all of them. It went perfectly and seems to be running just fine.

    Took me a minute to figure out why some Sysinternals stuff didn't get blocked.

    Only issue so far is one app that is on a USB key; when it starts, it starts Java and Firefox. Before, all I had to do was deal with the USB protection, but now it takes going to install mode. I am getting memory read errors, so I will play with it.

    Pete
     
  2. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    Let us know please, Peter :thumb:
     
  3. Trespasser

    Trespasser Registered Member

    Joined:
    Mar 1, 2005
    Posts:
    1,204
    Location:
    Virginia - Appalachian Mtns
    Did you have to add Sandboxie's C:\Sandbox to Guarded Apps>Folders as an Exception (Read/Write permission)?

    It seems their automatic USB loading policy has changed. Before, in version 3, AppGuard prevented it. Now it is permitted. The new version is running very well on my PC (Win 7).

    Thanks.

    Later...

    Bob
     
  4. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    Did AppGuard report any blocking events? If so, please let us know.

    Also, if you set AppGuard protection to "Off" do you still observe these symptoms?

    Thanks,

    Eirik
     
  5. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    What protection mode are you in when you see these observations?

    Are you manually launching an executable from the USB device? Or is something automatically launching without the user initiating it (just device insertion)? This could be an important distinction/observation.

    In "high" protection mode or less, with the 'Trusted Publisher' capability, a user should be able to manually launch a digitally signed (by one of the trusted publishers) executable from a USB device that would have previously been blocked by version 3.0.
     
  6. Trespasser

    Trespasser Registered Member

    Joined:
    Mar 1, 2005
    Posts:
    1,204
    Location:
    Virginia - Appalachian Mtns
    Eirik,
    My protection mode is High. I'm just inserting a USB drive and Windows offers to open it. No execution of any application is involved. Sorry if I was unclear. If I recall correctly, in version 3 AppGuard disabled autorun and would not allow even Windows to offer to open the inserted USB drive. I would have to go into Computer to access it.

    Thanks for your inquiry.

    Later...

    Bob
     
  7. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Eirik,

    The application I was launching from the USB isn't signed. Also, the problem was with a Java script. I have Sysinternals ProcExp running all the time, and I was seeing a memory block message. I've added it to the list, and I still get it.

    Pete
     
  8. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    Peter, we have verified in the lab that there is a bug and autorun.inf is not being blocked on USB memory sticks. Thanks for the input!
     
  9. jerick70

    jerick70 Registered Member

    Joined:
    Feb 28, 2008
    Posts:
    53
    I found a bug with the systray icon. The icon will not change back to enabled (the green check) when the protection level is off, you make changes in the customization window, and AppGuard turns the protection level back on. Here are the steps I took to create this condition...

    1) I changed the protection level to "off" to test if a program was being blocked by AppGuard.
    2) When I saw that this was being blocked by AppGuard, I opened AppGuard, went to Customize and then the User-Space tab. I added a folder to the User-Space tab and changed Include to No.
    3) I clicked Apply and AppGuard said that it had to re-enable the protection level.
    4) I exited out of the interface and the systray icon was still showing off.

    I have included a picture to show you what I am talking about.
     
  10. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    Bob, our lab has verified that there is a bug in the beta. Autorun.inf is not being blocked on USB memory sticks. Thanks for alerting us!
     
  11. jerick70

    jerick70 Registered Member

    Joined:
    Feb 28, 2008
    Posts:
    53
    I have a feature request. :)

    Here's the deal: I have a program that on execution creates a temporary folder in user-space and runs a few separate .exe files from that temporary folder. The folder is deleted on close of the program. It would be nice if you could freely enter a path to add to the user-space area.
     
  12. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    Hi Jerick, Thanks for testing AppGuard. I have tried to replicate your issue and it is working okay for me. Would you try the following:

    1) Check the status display and see if there are any messages saying that the service has stopped. If the GUI Interface detects that the Service is not running, it will change the icon to a red X. Perhaps that's the issue.
    2) Check the Services control panel and check if the "Blue Ridge AppGuard Service" is running.
    3) Can you do something that AppGuard should block to see if AppGuard is really in High protection level?
    4) Lastly, try exiting the GUI and then restart it. If that clears up the issue, let us know if AppGuard gets in that state again.
     
  13. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    Good idea. I'll see if we can get that into the final release.
     
  14. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Update

    By adding a few things to the memguard list, I got my USB software to run properly. Also I've installed on 2nd of 4 computers, and it's looking good there.

    Have another test on that machine, but I can't test until Monday, when I have a GoToWebinar to join.

    Overall looking good.

    Pete
     
  15. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    XP Pro X32 SP3. I did a complete uninstall of the latest non-beta version, and then installed the beta. I noticed a few things right off the bat. I will make a separate post on each of them to make it easier to follow along. First, I am concerned that Sun Microsystems Inc and Adobe are, by default settings, not protected applications. If the default settings are not changed, then could Adobe and Java exploits bypass AG's protection? Adobe and Sun Microsystems Inc make applications that are regularly used as a vessel to exploit users' OSes. I would recommend those applications be protected by the default settings.

    Edited: 7/08/11 @ 7:25
    Also, Mozilla and Google are on that list, which I forgot to mention.
     
    Last edited: Jul 8, 2011
  16. jerick70

    jerick70 Registered Member

    Joined:
    Feb 28, 2008
    Posts:
    53
    Here are the answers to your questions....

    1) The AppGuard interface shows that everything is normal.
    2) The service is still running.
    3) AppGuard did block an action that it normally will.
    4) Exiting the GUI and reopening seemed to have fixed the red X on the icon.
     
  17. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Correct me if I'm wrong, but I believe I was informed in the last phase of beta testing that this is not expected behavior. AppGuard is blocking XP Pro X32 SP3 from checking for Windows updates when protection is enabled. This is not particular to this beta. It is also present in the latest final release. As shown below, Windows is unable to check for updates when AG protection is enabled. If AG is changed to install mode, then XP can check for Windows updates. AG event logs are showing a lot of actions being blocked when checking for updates with protection enabled. There is one difference pertaining to this issue between this beta release and the last final release. In the last final release, XP was being blocked from checking for updates even when in install mode on my test machines. Now it is not. I did not have this problem during the last phase of beta testing with Windows 7. It was only present with XP. Is this expected behavior? Take a look at the attached AG event log below for more info.
     
  18. Trespasser

    Trespasser Registered Member

    Joined:
    Mar 1, 2005
    Posts:
    1,204
    Location:
    Virginia - Appalachian Mtns
    Does that mean that I get the Golf shirt that Eirik mentioned (x-large, please)? Or another free AppGuard registration key? I already have one but another would be nice. You know...relatives and all.... ;). :D .

    BTW, don't take me seriously. I'm just pulling your leg. Eirik's leg, not yours, Barb (that wouldn't be proper...:D ).

    Later....

    Bob
     
  19. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    This is something very minor, but may be worth mentioning. After the installation was complete, AG was showing a memory guard rule for Prevx in the C:\programs directory. I have not had Prevx installed on this machine in a long time. I did a search for any orphaned files left from my past Prevx installation, and none were found. I only checked the C drive, and not the registry. I'm pretty sure I had removed this rule from memory guard months ago. I'm just wondering where these settings are stored. Are they stored in the policy file or the registry?
     
  20. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    The Guard List policy takes precedence over the publisher list, so since Mozilla and Acrobat Reader are in the Guard List, they are automatically Guarded. The publisher list only applies to the applications found in user-space. Anyway, we will certainly consider changing the default trusted publisher policy for the release. Thanks!
     
  21. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    Hi Cutting_Edge,

    When protection is enabled, AppGuard will interfere with updates when they are done from IE. There is actually a help topic on this subject.

    In this release, we have changed the Install Mode setting to UnGuard the browsers since many users try to install programs directly from the browser. Hopefully I've addressed your questions, but it is Friday night and I must confess that I have had a glass of wine.

    Thanks for your feedback.
     
  22. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    Bob, Funny! I mentioned to Eirik earlier today that he should give you a Golf-Shirt for this find. The shirts are actually very nice.
     
  23. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    Hi again,

    The Prevx entry must be coming from a previous policy file (not stored in the registry), but I will pass this along to our install developer to make sure that things are getting cleaned up properly. Did you over-install or uninstall and re-install?
     
  24. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    And that's what I find most disappointing about the way this feature has been implemented.

    What I would like to see is a way of automatically trusting digitally signed applications from trusted publishers, irrespective of whether they reside in user space or system space. The applications that I want to automatically trust and exclude from AppGuard protections all reside in system space. This would have reduced the number of MemoryGuard exceptions that have to be manually added for system utilities and other security applications.

    Another thing I find disappointing is that there is still no way to exclude additional partitions containing system objects (e.g. recovery partitions, secondary system partitions, etc) from User-Space and move them back into System-Space. Folders can be moved from System-Space to User-Space by adding them to the list in the User-Space tab but there is no way of going in the other direction. Setting "Include" to "No" against an entry in the list in the User-Space tab tells AppGuard to ignore the folder entirely; but it doesn't move it back to System-Space with the associated protection that defines System-Space.

    Given the basic conceptual framework that AppGuard uses, there should be a way of overriding the default definition of BOTH spaces, not just User-Space.
     
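As an added illustration of the precedence Barb_C describes above (Guard List over publisher list; publisher list applied only in User-Space) and of pegr's point that Include=No makes AppGuard ignore a folder rather than return it to System-Space, here is a small Python model of that policy evaluation. It is not AppGuard's code: the folder roots, list contents, and the exact outcome names are assumptions drawn from the posts.

```python
from dataclasses import dataclass
from pathlib import PureWindowsPath

@dataclass
class Policy:
    system_space_roots: list[str]       # default System-Space roots (assumed)
    user_space_entries: dict[str, bool]  # User-Space tab: folder -> Include (Yes=True/No=False)
    guard_list: set[str]                # executable names on the Guard List
    trusted_publishers: set[str]        # Trusted Publisher list

@dataclass
class Program:
    path: str
    publisher: str = ""                 # signer name; "" means unsigned

def _under(path: str, folder: str) -> bool:
    """True if path is folder or lies inside it (Windows paths, case-insensitive)."""
    p, f = PureWindowsPath(path.lower()), PureWindowsPath(folder.lower())
    return p == f or f in p.parents

def space_of(policy: Policy, path: str) -> str:
    """Classify a path as 'system', 'user' or 'ignored' (Include=No)."""
    # User-Space tab entries override the default split; per the thread, Include=No
    # makes AppGuard ignore the folder rather than return it to System-Space.
    for folder, include in policy.user_space_entries.items():
        if _under(path, folder):
            return "user" if include else "ignored"
    if any(_under(path, root) for root in policy.system_space_roots):
        return "system"
    return "user"

def decide(policy: Policy, prog: Program) -> str:
    """Return 'guarded', 'allowed', 'blocked' or 'ignored' for a launch attempt."""
    if PureWindowsPath(prog.path).name.lower() in policy.guard_list:
        return "guarded"   # Guard List takes precedence over the publisher list
    space = space_of(policy, prog.path)
    if space != "user":
        return "allowed" if space == "system" else "ignored"
    # The publisher list only applies to executables found in User-Space
    if prog.publisher and prog.publisher in policy.trusted_publishers:
        return "allowed"
    return "blocked"       # unsigned or untrusted User-Space launch

def sample_policy() -> Policy:
    """Constructed policy echoing defaults named in the thread (assumed values)."""
    return Policy(system_space_roots=[r"C:\Windows", r"C:\Program Files"],
                  user_space_entries={r"C:\Recovery": False, r"D:\Tools": True},
                  guard_list={"firefox.exe", "acrord32.exe"},
                  trusted_publishers={"Sun Microsystems Inc"})
```

Note that a signed executable in System-Space is allowed regardless of the publisher list, which is the part of the model pegr is asking to have extended with MemoryGuard exclusions.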
  25. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I uninstalled and reinstalled. Enjoy your wine, and thanks for taking the time to reply on a Friday night :)
     