AppGuard 3.x 32/64 Bit

Discussion in 'other anti-malware software' started by shadek, Mar 12, 2011.

Thread Status:
Not open for further replies.
  1. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    Pegr, you can now override the definition of System Space (I think we added that capability based on your previous suggestion). On the Guarded Apps tab, click on the Folders Settings button. Add the folder and then change the "Type" of the folder to "Read Only". Guarded Applications can no longer write to them. I suppose we could improve the process in the future so that it isn't a two-step process (i.e. you have to exclude the folder from user-space and then add the folder to system-space), but this is a good first step don't you think?

    We'll consider extending the publisher list concept to System Space in an upcoming release.
     
  2. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    Thanks!
     
  3. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,538
    Location:
    Sweden
    Great! I look forward to a feature like that.
     
  4. buckslayr

    buckslayr Registered Member

    Joined:
    Jun 1, 2009
    Posts:
    484
    Location:
    Michigan, USA
    Hi Barb. I just had some Windows updates download and say they were ready to install. I actually had to set protection level to off so that they would install. These were downloaded via Windows Update and not the browser. Any thoughts? Thanks.
     
  5. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    Hi Barb,

    Thanks for explaining that. It hadn't occurred to me that it could now be done via a two-step process and yes, I agree this is a good first step, although it could perhaps be implemented in a simpler and more obvious way.

    Thank you for also considering extending the publisher list concept to System Space. It would substantially reduce the number of unnecessary MemoryGuard blocking events in relation to trusted, safe applications, without requiring entries to be added manually to the MemoryGuard exceptions list to achieve this.

    Regards
     
  6. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    I'll check with one of the developers on Monday. Can you provide more info (OS, which updates, what blocking events was AppGuard reporting?).
     
  7. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,696
    Location:
    USA
    The last final release of AG is blocking Microsoft Word 2010 from opening on my laptop which is running Windows 7 x64. Is anyone having problems opening Microsoft Word 2010 with the current beta?
     
  8. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
    Yes. Same in both versions. The way 2010 works on this work laptop, I see no way of overcoming it. I'm having to turn protection off to launch.
     
  9. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,538
    Location:
    Sweden
    The more I use the new beta-version, the more I want trusted 'publishers' to be allowed in user space and system space rather than only in the user space. Fix this, and I'll be happy as a child on Christmas eve (yes, I'm Swedish).
     
  10. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,696
    Location:
    USA
    I just tried launching Microsoft Office Word on one of my desktops with Windows 7, and it launched right away. AG protection was set at high. The copy of Microsoft Office was a trial version, and it had expired. I'm not sure if that had anything to do with it. Probably not.
     
  11. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Interesting. My problem with USB application sort of came back. I found that even though I was setting Mem Guard exceptions, they were back, but if I did something that caused a reapply it got me by the problem, until the next time.

    I finally figured out that I need to set all those mem guard exceptions to read/write instead of just write. BUT, I am still getting this message:

    07/10/11 19:24:37 Prevented <pid: 224> from accessing <\registry\machine\software\microsoft\windows\currentversion\explorer\controlpanel\namespace\{7a9d77bd-5403-11d2-8785-2e0420524153}>.


    I don't even have any process showing with the pid 224.

    What is this?

    Pete
     
  12. stackz

    stackz Registered Member

    Joined:
    Dec 27, 2007
    Posts:
    648
    Location:
    Sydney Australia
    From my own investigations, this is usually rundll32.exe.
    The reason you don't see it is because once it has done its task, the instance of rundll32 exits.

    ____________________________________________________________

    The tray ToolTip for Install displays as <Intall>
     
    Last edited: Jul 11, 2011
  13. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
     
  14. RHE10

    RHE10 Registered Member

    Joined:
    Aug 8, 2010
    Posts:
    24
    Hey Eirik/Barbara,

    Installed the beta yesterday, today I got this a few minutes after booting my machine:


    07/11/11 13:40:13 Prevented <Host Process for Windows Services> from writing to <\registry\machine\system\controlset001\enum\root\ms_l2tpminiport\0000>.
    07/11/11 13:40:13 Prevented <Host Process for Windows Services> from writing to <\registry\machine\system\controlset001\enum\root\*tunmp\0000>.
    07/11/11 13:40:13 Prevented <Host Process for Windows Services> from writing to <\registry\machine\system\controlset001\enum\pci\ven_8086&dev_2841&subsys_022e1028&rev_02\3&2b8e0b4b&0&e1>.
    07/11/11 13:40:13 Prevented <Host Process for Windows Services> from writing to <\registry\machine\system\controlset001\enum\pci\ven_14e4&dev_4315&subsys_000b1028&rev_01\4&17e2aef6&0&00e1>.
    07/11/11 13:40:13 Prevented <Host Process for Windows Services> from writing to <\registry\machine\system\controlset001\enum\htree\root\0>.
    07/11/11 13:40:13 Prevented <Host Process for Windows Services> from writing to <\registry\machine\system\controlset001\enum\root\acpi_hal\0000>.
    07/11/11 13:40:13 Prevented <Host Process for Windows Services> from writing to <\registry\machine\system\controlset001\enum\acpi_hal\pnp0c08\0>.
    07/11/11 13:40:13 Prevented <Host Process for Windows Services> from writing to <\registry\machine\system\controlset001\enum\acpi\pnp0a03\2&daba3ff&2>.
    07/11/11 13:40:13 Prevented <Host Process for Windows Services> from writing to <\registry\machine\system\controlset001\enum\pci\ven_8086&dev_283f&subsys_022e1028&rev_02\3&2b8e0b4b&0&e0>.
    07/11/11 13:40:13 Prevented <Host Process for Windows Services> from writing to <\registry\machine\system\controlset001\enum\pci\ven_11ab&dev_4354&subsys_022e1028&rev_12\4&29faf7b2&0&00e0>.
    07/11/11 13:33:59 Protection level is set to <locked down>.

    Anything I should be concerned about?
     
  15. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    Greg, what are the blocking events that you're seeing when trying to launch Word? Word 2010 works fine for me on Windows 7 64 bit.
     
  16. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    Hi Brandon, did AppGuard display any blocking events while this was going on? Are you still seeing an issue?
     
  17. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    How are you determining whether MBRGuard is enabled? Check your Advanced Settings tab. If the button says "Disable" then MBRGuard is actually enabled. We've had some confusion in the past where users thought that this was a "status" indicator. I hope the problem is as simple as that, but if not, please let us know and I'll check with engineering to see what other information we need.
     
  18. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    This is probably nothing to worry about, but please check the path of the service. This can be done by selecting the blocking message, right-clicking and selecting "Ignore Message...". This will bring up a dialog with the path that <Host Process for Windows Services> is referring to. After you get the path, just click on the Cancel button so that you don't actually ignore the message (or OK if you want to ignore it).
     
  19. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
    I'm sure this is not a problem with AppGuard. This work laptop has 2010 starter on it which is on a partition that is untouchable, by me anyway. I haven't found a way to add or exclude the partition or files due to a serious lockdown of security for that partition.

    Code:
    07/11/11 19:27:53 Prevented process <winwordc.exe> from launching from <q:\140066.enu\office14>.
    
     
  20. RHE10

    RHE10 Registered Member

    Joined:
    Aug 8, 2010
    Posts:
    24
    Thanks. Path is c:\windows\system32\svchost.exe.
     
  21. Dave53

    Dave53 Registered Member

    Joined:
    Feb 23, 2009
    Posts:
    125
    I am wondering why I get the yellow exclamation point flashing alert when I launch IE 8 browser on my WinXP machine using this beta. I did not have this with the previous release version. I have alerts on normal and protection level on high, but I have observed the same thing at other protection levels.

    Here are some of the events:

    07/12/11 09:21:40 Prevented <pid: 10> from accessing <\registry\user\s-1-5-21-3641286714-682077043-2835237553-1006_classes\javaplugin.160_26\clsid>.
    07/12/11 09:21:40 Prevented <pid: 28> from accessing <\registry\user\s-1-5-21-3641286714-682077043-2835237553-1006_classes\clsid\{8ad9c840-044e-11d1-b3e9-00805f499d93}\inprocserver32>.
    07/12/11 09:21:40 Prevented <pid: 28> from accessing <\registry\user\s-1-5-21-3641286714-682077043-2835237553-1006_classes\clsid\{cafeefac-0016-0000-ffff-abcdeffedcba}\inprocserver32>.
    07/12/11 09:21:40 Prevented <pid: 28> from accessing <\registry\user\s-1-5-21-3641286714-682077043-2835237553-1006_classes\clsid\{cafeefac-0016-0000-0026-abcdeffedcbc}\inprocserver32>.

    There are many more events like the ones repeating above. Any idea what's going on with this?

    Dave
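    The blocking events quoted in the posts above (the pid-only subjects in Pete's and Dave's logs, the svchost registry writes, the blocked Word launch) all share one line format. As an added example that is not part of this thread and not AppGuard's own code, here is a small Python parser that groups such lines by process, action and path prefix so repeated events can be triaged; the sample lines are constructed from the ones quoted in the thread.

```python
import re
from collections import Counter

# Constructed sample: AppGuard 3.x event lines in the format quoted in this thread.
SAMPLE_LOG = r"""
07/10/11 19:24:37 Prevented <pid: 224> from accessing <\registry\machine\software\microsoft\windows\currentversion\explorer\controlpanel\namespace\{7a9d77bd-5403-11d2-8785-2e0420524153}>.
07/11/11 13:40:13 Prevented <Host Process for Windows Services> from writing to <\registry\machine\system\controlset001\enum\root\ms_l2tpminiport\0000>.
07/11/11 13:40:13 Prevented <Host Process for Windows Services> from writing to <\registry\machine\system\controlset001\enum\htree\root\0>.
07/11/11 19:27:53 Prevented process <winwordc.exe> from launching from <q:\140066.enu\office14>.
07/12/11 09:21:40 Prevented <pid: 28> from accessing <\registry\user\s-1-5-21-3641286714-682077043-2835237553-1006_classes\clsid\{8ad9c840-044e-11d1-b3e9-00805f499d93}\inprocserver32>.
07/12/11 09:21:40 Prevented <pid: 28> from accessing <\registry\user\s-1-5-21-3641286714-682077043-2835237553-1006_classes\clsid\{cafeefac-0016-0000-ffff-abcdeffedcba}\inprocserver32>.
07/11/11 13:33:59 Protection level is set to <locked down>.
"""

# "MM/DD/YY HH:MM:SS Prevented [process] <subject> from <action> <target>."
EVENT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d/\d\d \d\d:\d\d:\d\d) Prevented (?:process )?"
    r"<(?P<subject>[^>]*)> from (?P<action>accessing|writing to|launching from) "
    r"<(?P<target>[^>]*)>\.$"
)


def parse_event(line):
    """Return a dict for a 'Prevented ...' line, or None for any other line."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    # A '<pid: N>' subject names a process that may already have exited
    # (as stackz notes above), so the pid cannot be resolved later.
    ev["transient_pid"] = ev["subject"].startswith("pid: ")
    return ev


def target_prefix(target, depth=4):
    """Collapse a registry or file path to its first `depth` components."""
    parts = [p for p in target.split("\\") if p]
    return "\\".join(parts[:depth])


def summarize(log_text, depth=4):
    """Count blocked events per (subject, action, path prefix)."""
    counts = Counter()
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev:
            key = (ev["subject"], ev["action"], target_prefix(ev["target"], depth))
            counts[key] += 1
    return counts
```

    Sorting the returned Counter by count shows which subject and path family dominates a noisy log, which is the question to answer before adding a MemoryGuard exception or an "Ignore Message" rule.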
     
  22. jerick70

    jerick70 Registered Member

    Joined:
    Feb 28, 2008
    Posts:
    53
    Hi Barb and Eirik,

    I wanted to report that the "Install" protection level seems to work much better in the beta version. I could never get it to work in the previous versions of AppGuard I tried.

    Jeff
     
  23. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,538
    Location:
    Sweden
    Agreed. So far, the 'install mode' seems to work better. Not sure if any changes were made to this mode though.
     
  24. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    Hi All,

    We've received some interesting anomaly reports of delays in the launches of different software applications when AppGuard 3.1 is installed. Different apps have been observed in this manner. Other factors may be at play here. Nonetheless, we're investigating.

    Meanwhile, I'd like to ask if you are observing any App launch delays. If so,

    Does it only happen the first time the app was launched since 3.1 was installed?

    Or, does this happen every time you launch an app?

    Do you see a delay again after a system restart, only to not see it again in subsequent launches during the same PC session?

    We appreciate your sharing observations.

    Cheers,

    Eirik
     
  25. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    Hi All,

    There has been interest expressed in applying some "Trusted Publisher" automation to apps/processes located in system-space. I'd like to gain a better understanding.

    I suspect folk would like to be able to exempt any widget from a designated security vendor such as Prevx, Symantec, etc. The net result would be that these would be treated as MemoryGuard exceptions and would not be blocked from injecting code into other apps.

    I also believe folk do NOT want to literally trust apps from designated publishers and let them run unguarded from system-space. This would defeat the purpose of the eponymously named AppGuard (wondered if I'd ever use that vocabulary word in a sentence:D ).

    So, please let us know what else you would like to see or NOT see in the way of some kind of trusted publisher automation.

    Cheers,

    Eirik
     