AppGuard 3.x 32/64 Bit

Discussion in 'other anti-malware software' started by shadek, Mar 12, 2011.

Thread Status:
Not open for further replies.
  1. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    Hi Dave,

    Thanks for sharing this. I must confess these appear odd, triggering my paranoia.

    I'm curious why a security product would place a DLL into user-space and allow its critical components to load something from user-space. I would hope such components check such DLLs for digital signature and integrity prior to use.

    Was this a standard, uncustomized installation of the product? Are other folk here seeing root directories and/or DLLs created in user-space also?

    I heartily recommend that you right-click on the DLL, select properties, and check to see if Windows says that it's digitally signed by the vendor. Please sift through the vendor's GUI/log to look for any indications of something abnormal.

    Assuming it is digitally signed, I would add the vendor to your Trusted Publishers list. This would allow it to launch from user-space.

    If it is not digitally signed, and that you feel you can trust it, you could add the DLL or its folder to your user-space exceptions list.:(

    Cheers,

    Eirik
     
  2. Dave53

    Dave53 Registered Member

    Joined:
    Feb 23, 2009
    Posts:
    123
    Hi Eirik,

    It was a standard installation of NIS on Win7x64 and the cceraser.dll is digitally signed by Symantec.

    A quick Google search found the following thread that may be helpful:

    http://community.norton.com/t5/Nort...h-more-specific-information/td-p/24797/page/2

    Maybe this is just some anomaly with yesterday's virus defs - who knows?! :)

    I will do a little more investigating when I have the time.

    Thanks!

    Dave
     
  3. stackz

    stackz Registered Member

    Joined:
    Dec 27, 2007
    Posts:
    646
    Location:
    Sydney Australia
    Just a FYI -
    iTunes also occasionally uses executable files located in C:\ProgramData\{93E26451-CD9A-43A5-A2FA-C42392EA4001}
     
  4. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    Great info, thanks! I'm pleased to have read that this use of user-space was not a preferred but contingent method and that it appears cryptographically validated.

    And thanks to Stackz regarding iTunes.

    Cheers,

    Eirik
     
  5. Dave53

    Dave53 Registered Member

    Joined:
    Feb 23, 2009
    Posts:
    123
    I just ran a quick scan with NIS on my WinXP 32-bit machine and had the same block as I did on my 64-bit machine.

    07/15/11 15:18:03 Prevented process <cceraser.dll> from launching from <c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.1.0.37\definitions\virusdefs\20110715.004>.

    Obviously, I can tweak AppGuard's settings to get around this, but this is going to be more problematic for the non-techies. :)

    Dave
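The block line quoted above has a regular structure (timestamp, blocked image, launch directory) that is worth parsing when more than one machine reports such events. The following is an added example, not AppGuard's own code: it parses lines of that shape, flags whether the launch directory falls in what the thread calls user-space (my own approximation of that definition), and, where the path contains a vendor GUID folder, suggests the folder-level exception Dave found effective, cut at the GUID rather than at the dated definitions leaf. The second sample line and the `setup.exe` path are constructed.

```python
import re
from datetime import datetime
from typing import List, NamedTuple, Optional

# Constructed sample log. The first line is the one quoted in the post above;
# the second is an invented line so that the non-GUID branch is exercised.
SAMPLE_LOG = r"""
07/15/11 15:18:03 Prevented process <cceraser.dll> from launching from <c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.1.0.37\definitions\virusdefs\20110715.004>.
07/15/11 15:20:11 Prevented process <setup.exe> from launching from <c:\users\dave\downloads>.
"""

# Line format inferred from the single quoted line; the group names are mine.
BLOCK_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"Prevented process <(?P<image>[^>]+)> from launching from <(?P<dir>[^>]+)>\.?$"
)

GUID_RE = re.compile(
    r"\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}", re.I
)

# Assumption: my approximation of the trees AppGuard treats as "user-space"
# (per-user profiles plus the all-users application-data / ProgramData tree).
USER_SPACE_PREFIXES = (
    "c:\\documents and settings\\",
    "c:\\users\\",
    "c:\\programdata\\",
)


class BlockEvent(NamedTuple):
    when: datetime
    image: str
    directory: str
    in_user_space: bool
    folder_guid: Optional[str]


def parse_block_line(line: str) -> Optional[BlockEvent]:
    """Parse one block-event line; return None for lines that do not match."""
    m = BLOCK_RE.match(line.strip())
    if m is None:
        return None
    when = datetime.strptime(f"{m['date']} {m['time']}", "%m/%d/%y %H:%M:%S")
    directory = m["dir"]
    guid = GUID_RE.search(directory)
    return BlockEvent(
        when=when,
        image=m["image"],
        directory=directory,
        in_user_space=directory.lower().startswith(USER_SPACE_PREFIXES),
        folder_guid=guid.group(0) if guid else None,
    )


def parse_block_log(text: str) -> List[BlockEvent]:
    """Parse a whole log, silently skipping lines of any other shape."""
    return [ev for ev in (parse_block_line(l) for l in text.splitlines()) if ev]


def exception_folder(ev: BlockEvent) -> str:
    """Narrowest folder-level exception that would stop this block.

    If the path contains a vendor GUID folder, stop there: in the quoted Norton
    path the leaf directory is a dated definition set that changes with every
    update, so excluding only the leaf would not survive the next update.
    Otherwise the blocked directory itself is the candidate.
    """
    guid = GUID_RE.search(ev.directory)
    if guid:
        return ev.directory[: guid.end()]
    return ev.directory


if __name__ == "__main__":
    for ev in parse_block_log(SAMPLE_LOG):
        space = "user-space" if ev.in_user_space else "system-space"
        print(ev.when, ev.image, space, "->", exception_folder(ev))
```

Whether to grant such an exception remains a judgement call; the thread's own check (is the blocked image signed by the expected vendor, and is its folder owned by that vendor's product?) is the one to make before adding the folder.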
     
  6. Dave53

    Dave53 Registered Member

    Joined:
    Feb 23, 2009
    Posts:
    123
    Just an additional note to the above. I can eliminate the block by excluding the appropriate folder from user space, but adding Symantec as a trusted publisher did not prevent the block.
     
  7. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    Hi Dave,

    Our present definition for "Locked-Down" protection mode w.r.t. "Trusted Publishers" does not allow "Trusted Publisher" executables to launch. Shifting to "High" protection mode should accommodate the launch.

    My quick take from that Symantec forum was that all of this is occurring because the intended service that would perform this function could not. So, one wonders what may be causing this. Have you tried adding this process/service as a MemoryGuard exception policy?

    This and a few others raise an interesting question to Wilders AppGuard users. What do you think of our modifying the "Lock-Down" protection definition to allow launches (guarded) of trusted publisher executables in user-space? This is one of the questions implied in an earlier post of mine asking inputs on the protection-definition table on page 4 of the release notes. In asking these questions, I'm trying to avoid my questions themselves biasing the would-be answers in any way...not that I am terribly influential.

    Well, I've got to get back to work on some documents.

    Cheers,

    Eirik
     
  8. Dave53

    Dave53 Registered Member

    Joined:
    Feb 23, 2009
    Posts:
    123
    Hi Eirik,

    I was only using the high level of protection (not locked down), and that is supposed to allow trusted publishers, but did not work for me when adding Symantec to the list. Only when excluding the folder that the .dll is in was I able to eliminate the block. I haven't tried excluding the process yet. I wonder if there is a bug in the high setting since that level is supposed to allow trusted publishers "as configured".

    Dave
     
  9. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    I suspect a bug as well and will relay to engineering.

    Thanks,

    Eirik
     
  10. Dave53

    Dave53 Registered Member

    Joined:
    Feb 23, 2009
    Posts:
    123
    I'm not sure what to think about the current version of "Lock Down", but with essentially nothing allowed it's extremely restrictive. There are people like my father-in-law who really need to be "locked down", but struggle with having to jump through any special hoops to update Windows, their browser, Adobe Reader & Flash, AV program, etc. It would be nice if the essential programs could be added as trusted publishers and eliminate (or at least greatly minimize) their need to understand how to change settings in the program. Is it unrealistic to hope for at this point? :)
     
  11. jerick70

    jerick70 Registered Member

    Joined:
    Feb 28, 2008
    Posts:
    53
    During boot this morning the AppGuard service didn't start properly. I was able to start the service from the services.msc without a problem after boot. Here are the two error messages from the event viewer.

    Log Name: System
    Source: Service Control Manager
    Date: 7/19/2011 6:19:03 AM
    Event ID: 7009
    Task Category: None
    Level: Error
    Keywords: Classic
    User: N/A
    Computer: XXXXXXXX
    Description:
    A timeout was reached (30000 milliseconds) while waiting for the Blue Ridge AppGuard Service service to connect.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
    <Provider Name="Service Control Manager" Guid="{555908d1-a6d7-4695-8e1e-26931d2012f4}" EventSourceName="Service Control Manager" />
    <EventID Qualifiers="49152">7009</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8080000000000000</Keywords>
    <TimeCreated SystemTime="2011-07-19T12:19:03.542630000Z" />
    <EventRecordID>77621</EventRecordID>
    <Correlation />
    <Execution ProcessID="952" ThreadID="956" />
    <Channel>System</Channel>
    <Computer>XXXXXXX</Computer>
    <Security />
    </System>
    <EventData>
    <Data Name="param1">30000</Data>
    <Data Name="param2">Blue Ridge AppGuard Service</Data>
    </EventData>
    </Event>

    Log Name: System
    Source: Service Control Manager
    Date: 7/19/2011 6:19:03 AM
    Event ID: 7000
    Task Category: None
    Level: Error
    Keywords: Classic
    User: N/A
    Computer: XXXXXXX
    Description:
    The Blue Ridge AppGuard Service service failed to start due to the following error:
    The service did not respond to the start or control request in a timely fashion.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
    <Provider Name="Service Control Manager" Guid="{555908d1-a6d7-4695-8e1e-26931d2012f4}" EventSourceName="Service Control Manager" />
    <EventID Qualifiers="49152">7000</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8080000000000000</Keywords>
    <TimeCreated SystemTime="2011-07-19T12:19:03.542630000Z" />
    <EventRecordID>77622</EventRecordID>
    <Correlation />
    <Execution ProcessID="952" ThreadID="956" />
    <Channel>System</Channel>
    <Computer>XXXXXXXXXX</Computer>
    <Security />
    </System>
    <EventData>
    <Data Name="param1">Blue Ridge AppGuard Service</Data>
    <Data Name="param2">%%1053</Data>
    </EventData>
    </Event>
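The two records above are the usual pair the Service Control Manager writes when a service start times out: a 7009 (waited 30000 ms for the service to connect) followed in the same second by a 7000 (start failed with %%1053, which is the Win32 code ERROR_SERVICE_REQUEST_TIMEOUT behind the quoted "did not respond in a timely fashion" text). The following is an added example, not part of the post or of AppGuard: it parses Event Viewer XML of this shape, resolves the %%code placeholder, and groups the event IDs per service so the 7009/7000 pair reads as one start timeout. The two records are copied from the post (the computer name was already masked there) and wrapped in a root element so they parse as one document.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, NamedTuple

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Win32 system error code that SCM references as %%1053 in 7000 events
# (ERROR_SERVICE_REQUEST_TIMEOUT); the text is Windows' standard message for it.
WIN32_ERRORS = {
    1053: "The service did not respond to the start or control request in a timely fashion.",
}

# The two records from the post, wrapped in <Events> so they form one XML document.
SAMPLE_EVENTS = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Service Control Manager" Guid="{555908d1-a6d7-4695-8e1e-26931d2012f4}" EventSourceName="Service Control Manager" />
<EventID Qualifiers="49152">7009</EventID>
<Version>0</Version><Level>2</Level><Task>0</Task><Opcode>0</Opcode>
<Keywords>0x8080000000000000</Keywords>
<TimeCreated SystemTime="2011-07-19T12:19:03.542630000Z" />
<EventRecordID>77621</EventRecordID>
<Correlation />
<Execution ProcessID="952" ThreadID="956" />
<Channel>System</Channel><Computer>XXXXXXXX</Computer><Security />
</System>
<EventData>
<Data Name="param1">30000</Data>
<Data Name="param2">Blue Ridge AppGuard Service</Data>
</EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Service Control Manager" Guid="{555908d1-a6d7-4695-8e1e-26931d2012f4}" EventSourceName="Service Control Manager" />
<EventID Qualifiers="49152">7000</EventID>
<Version>0</Version><Level>2</Level><Task>0</Task><Opcode>0</Opcode>
<Keywords>0x8080000000000000</Keywords>
<TimeCreated SystemTime="2011-07-19T12:19:03.542630000Z" />
<EventRecordID>77622</EventRecordID>
<Correlation />
<Execution ProcessID="952" ThreadID="956" />
<Channel>System</Channel><Computer>XXXXXXXX</Computer><Security />
</System>
<EventData>
<Data Name="param1">Blue Ridge AppGuard Service</Data>
<Data Name="param2">%%1053</Data>
</EventData>
</Event>
</Events>"""


class ScmEvent(NamedTuple):
    record_id: int
    event_id: int
    time_created: str
    service: str
    detail: str


def parse_scm_events(xml_text: str) -> List[ScmEvent]:
    """Extract SCM start-failure events (7000, 7009) from an Event Viewer XML export."""
    out: List[ScmEvent] = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        sys_el = ev.find("e:System", NS)
        event_id = int(sys_el.find("e:EventID", NS).text)
        params = {d.get("Name"): d.text for d in ev.findall("e:EventData/e:Data", NS)}
        if event_id == 7009:
            # param1 = timeout in ms, param2 = service display name
            service = params["param2"]
            detail = f"timeout after {params['param1']} ms waiting for the service to connect"
        elif event_id == 7000:
            # param1 = service display name, param2 = %%<Win32 error code>
            service = params["param1"]
            code = params["param2"]
            if code.startswith("%%"):
                n = int(code[2:])
                detail = f"start failed with error {n}: {WIN32_ERRORS.get(n, 'unknown Win32 error')}"
            else:
                detail = f"start failed: {code}"
        else:
            continue
        out.append(ScmEvent(
            record_id=int(sys_el.find("e:EventRecordID", NS).text),
            event_id=event_id,
            time_created=sys_el.find("e:TimeCreated", NS).get("SystemTime"),
            service=service,
            detail=detail,
        ))
    return out


def failures_by_service(events: List[ScmEvent]) -> Dict[str, List[int]]:
    """Group event IDs per service so a 7009 followed by 7000 reads as one start timeout."""
    grouped: Dict[str, List[int]] = {}
    for e in events:
        grouped.setdefault(e.service, []).append(e.event_id)
    return grouped


if __name__ == "__main__":
    for e in parse_scm_events(SAMPLE_EVENTS):
        print(e.record_id, e.event_id, e.time_created, e.service, "-", e.detail)
    print(failures_by_service(parse_scm_events(SAMPLE_EVENTS)))
```

A service that starts cleanly from services.msc after boot but times out during boot, as described here, points at the 30 s SCM window rather than at the service binary itself; the pair of IDs per service is what to look for when checking whether the problem recurs on later boots.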
     
  12. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Eirik,

    Buckled up AppGuard again. Wondered why Chrome.exe (in that case all P2P, IM, Browsers, are candidates) was not on the list.

    Suggestions

    1. Offer two operating modes
    a) the slider for easy mode
    b) advanced mode, in advanced mode user can set the individual options (system space protection, user space protection, memory protection) separately

    2. Trusted installers should be an option automatically set in the (easy mode) slider, or chosen as options (custom list, build in list, off), allowing signed executables (on/off) in the advanced mode.

    3. List of guarded apps. Please provide an option to look for candidates at install (or as an advanced option), so all vulnerable applications are guarded (e.g. Firefox, Opera, Thunderbird, Windows live mail, etc).

    4. Chromium runs well with memory read protection, so I added it. Looking at all the default NO's, I thought why bother with this option when it is set to NO by default. As far as I remember AppGuard was intended as set and forget. This implies that memory read protection is NEVER set and forget :D )

    Regards Kees
     
  13. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    Hi Kees,

    Great to chat with you again. Excellent feedback, thanks.

    AppGuard can be a little misleading with the Guard List insofar as it doesn't actually represent the defaults. If Chrome or Opera or other apps on the list are not found by the agent, they are not listed. If Chrome.exe was already installed when you observed its absence in the Guard List we either have a bug or it may have been located in a directory where it typically doesn't look.

    I heartily agree with this. I haven't been able to get this into the development sprints yet.

    I'm glad you brought this up. There are default policies in the beta that I personally question and have been hoping for voluminous discussion/feedback.

    I understand your point regarding trusted installers. Note to all, 'signed executables' are not synonymous with those signed by 'trusted publishers'. I have a question for you and others on what you feel ought to be the default settings for signed executables in the 'easy mode' protection mode options/slider:
    - "Locked Down"
    - "High"
    - "Medium"
    - "Install"

    I feel the same; I also want this in our enterprise versions too.

    I get your point. We need to re-examine the data and solicit feedback regarding the harmless noise we MIGHT generate by shifting to a default of 'Yes'. If I recall correctly, Office 2010 may have inspired us to stick with 'No' and leave it to users to change it. What do you think of "Locked-Down" going to 'Yes' for Memory read protection on all guarded Apps? I'll set it to 'Yes' on one of my virtual machines for a look myself.

    Well, it's a pleasure as always.

    Cheers,

    Eirik
     
  14. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    'Final Release' Update:

    We were unable to schedule our internal review with senior management this week to get their approval for release. I hope to get this into their schedule for late next week. I apologize for the delay. I am however grateful to senior management for getting even more involved with verifying that we've properly dotted our i's and crossed our t's prior to release.

    On the plus side, I personally noticed a spelling error in the GUI that will thus be corrected prior to production release. If you're curious, when one mouses over the AppGuard tray icon, it reports its protection mode, if there are no recent blocking events. I noticed for "Install Mode" that it was spelled "Intall Mode". If you see other misspellings, please drop us an email at appguard@blueridgenetworks.com.

    Cheers,

    Eirik
     
  15. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    I would settle for more descriptive settings
    Lock all - deny all installations
    Trusted- allow trusted vendors only
    Safe - allow signed programs only
    Install - install protection off

    In regard to the Memory Read protection. I think it is a bad move to combine it with locked (too much noise of programs causing problems would effectively reduce usability to zero) it would be better to provide defaults with the recognised executable (e.g. yes for chromium, no for office). I would only use it for the most vulnerable entry points like web browsers, e-mail, etc.

    Yes I have my chromium somewhere in user space.
     
  16. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Eirik

    I ran into a bit of a problem with the beta. When I was restoring a Quickbooks backup into Quickbooks, the machine would go to a full 50% max on the CPU (it was AppGuard Agent) and it locked up the machine. Had to do a power reset.

    Anything you want me to check? (I did add all the Quickbooks exe's to the Memguard exceptions, and it didn't seem to matter.)

    Pete
     
  17. buckslayr

    buckslayr Registered Member

    Joined:
    Jun 1, 2009
    Posts:
    484
    Location:
    Michigan, USA
    Hi Eirik,
    Any word on the final release?
     
  18. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    Found a few more bugs we want to squash, including one that Pete reported to us. This has delayed our internal readiness review. So, I seriously doubt we can release this week. And out of left field, the AppGuard engineers will soon get pulled to work two to three weeks on an urgent need from a large organization requiring a new capability (not related) ASAP. If the engineers squash the bugs before they're pulled, then we only have to complete the readiness review. I'm sorry about this delay. I'll try to keep you posted.

    Eirik
     
  19. buckslayr

    buckslayr Registered Member

    Joined:
    Jun 1, 2009
    Posts:
    484
    Location:
    Michigan, USA

    Better to be safe than sorry. Wait until it's right before you release it.
     
  20. RHE10

    RHE10 Registered Member

    Joined:
    Aug 8, 2010
    Posts:
    24
    Did the engineers squash the bugs? :shifty:
     
  21. Antarctica

    Antarctica Registered Member

    Joined:
    Feb 25, 2003
    Posts:
    2,180
    Location:
    Canada
    Hello Eirik,

    Almost two weeks since your last word on the Forum. Any good news soon?:p :)
     
  22. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I reported an incompatibility bug over a month ago, and I have not heard anything back from anyone at Blue Ridge Networks. I reported it to Barb. I sent her a personal message over a week ago, but I have not heard back from her. If someone could get back with me on that it would be greatly appreciated!
     
  23. stackz

    stackz Registered Member

    Joined:
    Dec 27, 2007
    Posts:
    646
    Location:
    Sydney Australia
    AppGuard 3.1.6.2 has been released.
    Download page
    Direct Download
    Release Notes
     
  24. buckslayr

    buckslayr Registered Member

    Joined:
    Jun 1, 2009
    Posts:
    484
    Location:
    Michigan, USA
    Great to hear.
     
  25. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    I may try it again ;)
     