AppGuard 3.x 32/64 Bit

Discussion in 'other anti-malware software' started by shadek, Mar 12, 2011.

Thread Status:
Not open for further replies.
  1. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    Did you send the crash info to AppGuard@BlueRidgeNetworks.com? If not, do you still have any minidumps on your machine?

    Following a BSOD, the file is typically located in C:\Windows\Minidump\Minidump.dmp. It may be in another location, so try using the search function in Windows to locate Minidump.dmp.
     
  2. Zyrtec

    Zyrtec Registered Member

    Joined:
    Mar 4, 2008
    Posts:
    534
    Location:
    USA
    Hi Barb,

    Do you think AppGuard developers could implement default permissions for Microsoft Windows Media Player [on Win 7, 32-bit] for it to access some paths on a Windows installation so the AppGuard user doesn't have to be guessing which ones and how many locations need to be excluded in order for WMP to be able to play video files without being blocked?



    Thanks,


    Carlos



    EDIT: Just noticed AppGuard Beta is blocking Microsoft Windows Defender from applying new anti-spyware definitions. It looks like AppGuard is "seeing" those definitions as an AM Patch 1.123.XXXX.0 and it's blocking them from being installed and applied to WD.
     
  3. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    I think so. I was planning on checking with the developers at tomorrow's Engineering meeting.

    What OS? What protection level? What are the blocking messages?
     
  4. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    The SAM issue was present in all protection levels of AppGuard on 32 bit systems. The problem was because some old PIDs were not getting cleared from the data that was passed to the driver. If the old PID matched an existing PID in the system, that process would become Guarded. A process becoming Guarded is not an issue unless that process requires access to the Guarded directories. So in other words several planets had to align in order to actually see effects from this particular bug.

    Re MBRGuard being optional at installation, we can't get that feature into the next release. Originally MBRGuard was optional during install, but it caused other problems (I'll have to look back in my files to remember why - or bother the developer). I'll ask them about it for a future release.
     
    Last edited: Apr 10, 2012
  5. Zyrtec

    Zyrtec Registered Member

    Joined:
    Mar 4, 2008
    Posts:
    534
    Location:
    USA

    Hi Barb,

    The O.S. is Windows 7 Professional SP-1, 32-bit. AppGuard protection level is set to High. The blocking message is somewhat vague as I cannot reproduce it right now. It happened earlier today when I tried to manually update Windows Defender from its GUI and the defs. update was downloaded and ready to be applied.
    Apparently, AG "sees" [so to speak], WD anti-spyware definitions as a patch to the program. The program being patched by an external agent, perhaps. It's not "seeing" it as just a database update.

    Hope this helps.

    Carlos
     
  6. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,696
    Location:
    USA
    I'm saying that if you only define an application as a Powerapp and nothing else then it does not grant that application privileges to read and write to the memory of a guarded application. For instance, I defined WSA (Webroot Secure Anywhere) as a Powerapp, and AG still blocks WSA from writing to the memory of Firefox which is a guarded application. Only after I define an exception for WSA in Memory Guard will it be allowed to read and write to the memory of guarded applications. This is the behavior I'm consistently seeing on my XP Pro x 32 machines. Is this expected behavior?
     
  7. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    Okay, Zyrtec or Stackz, would one of you perform the following experiment: remove all the "desktop.ini" file exceptions from AppGuard and see if WMP still works. The developers do not think that the blocks to "desktop.ini" should have any adverse side-effect. We'd like to verify whether we can add only the first exception to the default policy or if the desktop entries are also required. It's odd that we still haven't been able to replicate the problem here.
     
  8. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,696
    Location:
    USA
    I'm already able to do this by defining an application in the trusted publishers list with the following settings: Guarded: No, Privacy: No, Memory: No, Install: Yes. Would allowing applications that are spawned by power applications to automatically inherit the Power application be less secure than adding it to the trusted publishers list? I think it would be if malware designed specifically to bypass AG and similar security applications was able to infect C:/programs/Blue Ridge Networks. It could easily spread to other areas of the system then, since nothing spawned in the userspace from the Power application would be authenticated. On the other hand it would be easier for less knowledgeable users if Powerapps allowed full access to pretty much everything on their machine including the memory. Then again I would think most users that use AG are not novices since they are looking to alternatives or enhanced protection over a traditional AV. You also run into a problem if the application's drivers are not signed. Then you could not add an exception for the application in the trusted publisher's list to allow processes to be spawned in the userspace, so giving a Powerapp pretty much full access to your machine would be a workaround for that issue. I'm not really sure what the best solution to this is. I'm interested in hearing what others have to say on this matter. I like just adding them to the trusted publishers list when possible. I would not object to giving Powerapps more privileges if it was as secure as adding them to the trusted publishers list with the settings I described above. I don't want to sacrifice security for convenience though. Also, it's my understanding that exceptions can be made to the userspace or anywhere else for that matter using Powerapps. So I could set an exception to any path or directory I want using Powerapps, including an external drive as well. Am I correct in thinking this? I believe that is what I read in the release notes.
     
    Last edited: Apr 10, 2012
  9. Zyrtec

    Zyrtec Registered Member

    Joined:
    Mar 4, 2008
    Posts:
    534
    Location:
    USA
    Barb,


    Did so, per your suggestion, and videos would load and be played at the beginning [the very first or even the second video file would load on WMP without being blocked]. Subsequent video files, though, would fail to play.


    Regards,


    Carlos
     
  10. stackz

    stackz Registered Member

    Joined:
    Dec 27, 2007
    Posts:
    648
    Location:
    Sydney Australia
    My observations on Win7x64, protection level High:
    *Without all the exceptions, then any update to the media library will be blocked.

    *On closing WMP, WMP will not exit (the GUI closes, but the application is still active) for around 30 seconds as these locations are constantly trying to be written to. Finally the timeout for trying to perform these writes is reached and WMP will exit.
     
  11. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    It is not expected behavior. Exactly the opposite - at least that was my understanding. I've forwarded to the developers and QA. Are you sure that it isn't a child process of WSA Power App that is getting blocked (I know - not an easy question to answer since we changed the alert level policy)?
     
  12. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    Thanks!

    Can I assume that with all the exceptions entered into AppGuard, subsequent videos do not fail?
     
  13. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    Thanks! We'll look into having all of the exceptions added to the default policy.
     
  14. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    We're really hoping to appeal to the mass market eventually so we want to appeal to novices as well as advanced users such as yourself.
    I'm not sure that I understand what you're asking. Power apps are simply immune to all AppGuard protections. So one should be very careful about defining power apps.

    The released version will add protection to the xml policy file so that an AG-targeted attack cannot easily add power apps.
     
  15. stackz

    stackz Registered Member

    Joined:
    Dec 27, 2007
    Posts:
    648
    Location:
    Sydney Australia
    Would that cover a situation where say an AntiVirus spawns an instance of rundll32.exe to launch an injection dll, that then injects into an Email client?
     
  16. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,696
    Location:
    USA
    I will double check when I get back in town. To the best of my knowledge it was no child process.
     
  17. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,696
    Location:
    USA
    The behavior I'm seeing is a Powerapp is still not able to spawn a child process in the user space, and it is not able to read and write to the memory of a guarded application. That has been the case on the two XP Pro x 32 test machines I'm using. I'm out of town on my iPhone so I can't send logs now. One particular case was I defined Hitman Pro as a Powerapp but it could not update with AG enabled. It was blocking Hitman Pro from creating a child process in the user space. AG was also blocking C:/Programs/webroot/WSA.exe from writing to the memory of Firefox. It was not causing any problems with WSA that I know of but it was in Windows alert logs.
     
  18. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    Hi Cutting. The developers confirmed. This is not expected behavior. Will you send us a copy of your policy file (C:\Documents and Settings\<user_name>\Application Data\Blue Ridge Networks\AppGuard\AppGuardPolicy.xml) and your Windows Event Log (to AppGuard@BlueRidgeNetworks.com)?
     
  19. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    Okay, I think that my own ignorance has misled everyone about Power Apps. When I said that Power Apps were immune from all AppGuard policies, I should have said that they are immune from all AppGuard post-launch policies. So it is actually expected behavior (at least by the developers) that a Power App is not able to spawn a child process in user-space unless there is policy allowing that application to launch. So you must have a policy in place that allows any power-app-required-user-space applications to launch. There are a few ways to do this:

    1. Add the user-space application to the Guard List.
    2. Add the user-space's application's publisher to the trusted publisher list.
    3. Add the user-space application to the user-space exception list.
    4. Add the user-space application as a power app.

    Only number 4 will work in the current beta, but in the next release when a child process inherits power, the other three will work, and I think from a security perspective, number 1 would be preferred. That way if the application is launched by something other than the power app, it will be Guarded. But if the user-space application is launched by a power application it will become a power-application (i.e. unGuarded).

    AG should not have blocked WSA.exe (if it is a power app) from writing to the memory of Firefox so I'd still like to see your policy and event logs regarding that.
     
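    The four launch options and the beta-versus-next-release inheritance rule in Barb_C's post above, written out as a small decision model. This is an added illustration, not AppGuard's own code or policy format: the policy fields, the `inherit_power` switch (False for the current beta, True for the next release) and the sample executable paths are assumptions that follow the post's wording.

```python
"""Model of the Power App launch rules described in the thread (added example)."""
from dataclasses import dataclass, field


@dataclass
class Policy:
    # Assumed field names; they mirror the four options in the post.
    power_apps: set = field(default_factory=set)            # option 4
    guard_list: set = field(default_factory=set)            # option 1
    trusted_publishers: set = field(default_factory=set)    # option 2
    user_space_exceptions: set = field(default_factory=set) # option 3
    publisher_of: dict = field(default_factory=dict)        # exe path -> signing publisher
    inherit_power: bool = False   # False = current beta, True = next release


def launch_decision(policy: Policy, child: str, parent_is_power: bool):
    """Return ("allow" | "block", post-launch state) for a user-space `child`.

    State: "power" = immune to post-launch policy (unGuarded),
    "guarded" = Guarded, None = not stated in the thread.
    """
    if child in policy.power_apps:                       # option 4: works in the beta too
        return "allow", "power"
    permitted = (child in policy.guard_list              # option 1
                 or policy.publisher_of.get(child) in policy.trusted_publishers  # option 2
                 or child in policy.user_space_exceptions)  # option 3
    if not permitted:
        return "block", None
    if parent_is_power:
        # Beta: only option 4 lets a Power App spawn a user-space child.
        # Next release: the child inherits power from its Power App parent.
        return ("allow", "power") if policy.inherit_power else ("block", None)
    # Launched by something other than a Power App: a Guard List entry stays
    # Guarded, which is why option 1 is preferred from a security standpoint.
    return "allow", ("guarded" if child in policy.guard_list else None)


# Constructed sample: a Power App scanner and an updater it spawns in user-space.
SCANNER = r"C:\Program Files\ExampleScanner\scanner.exe"
UPDATER = r"C:\Users\<user>\AppData\Local\ExampleScanner\updater.exe"
BETA = Policy(power_apps={SCANNER}, guard_list={UPDATER})
RELEASE = Policy(power_apps={SCANNER}, guard_list={UPDATER}, inherit_power=True)

if __name__ == "__main__":
    print("beta, spawned by Power App:   ", launch_decision(BETA, UPDATER, True))
    print("release, spawned by Power App:", launch_decision(RELEASE, UPDATER, True))
    print("release, spawned by other:    ", launch_decision(RELEASE, UPDATER, False))
```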
  20. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,696
    Location:
    USA
    I just got back from a long trip, and I have to work so I hope to have time to recreate this tomorrow. I have rolled that machine back to an earlier image 3 times since AG was blocking WSA.exe from writing to the memory of Firefox. I will do my best to get the data you need. I will just send everything per usual. BTW, my preference for allowing a Powerapp to spawn a process in the user space is to add the application to the trusted publishers list.
     
  21. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,696
    Location:
    USA
    Is it expected behavior for AG to block XP from checking for updates? I believe it's blocking the ActiveX components in Internet Explorer that their site utilizes for an update check. It blocks the update check on XP, but not W7. This was the case for me also during the last beta test period. It blocks the update check on medium, high, and lockdown. I would have just sent a ticket on it, but I don't want to waste their time if it's expected behavior.
     

  22. Brocke

    Brocke Registered Member

    Joined:
    Mar 16, 2008
    Posts:
    2,311
    Location:
    USA,IA
    What I would like to see for exclusions is a single area or tab in which you can set everything from memory to folders, etc., and have the settings from there carry over to the other tabs.

    Does this make sense?
     
  23. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,696
    Location:
    USA
    I also got the 1 and 0 error, but I have not been able to recreate this again. I'm not sure what triggered it. The only thing significant was I had just updated the .Net framework on XP. If I can recreate it then I will send a bug report. It disabled AG's protection, and it took a reboot to enable the protection. There was nothing in Windows alert log on it, and I have not been able to recreate it since. I'm trying, but it looks like one of those possible bugs that happen on rare occasions. That is, if there's not a problem with my Windows installation. If I can narrow it down then I will send a bug report. Got to get my 2 hours of sleep before I go back in to work. :(
     

  24. stackz

    stackz Registered Member

    Joined:
    Dec 27, 2007
    Posts:
    648
    Location:
    Sydney Australia
    Just a suggestion regarding the tray icon tooltip.
    When you mouse over it, it will show the current protection level, but if there's been a blocking event then the tooltip will show the blocking event.
    It would be good to be able to left click on the tray icon after a blocking event and the tooltip change back to displaying the protection level.
    Thoughts on this?
     
  25. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    Yes as long as the dll is not from user-space or protection level is not “lock down”, the injection should succeed.
     