AppGuard 3.x 32/64 Bit

Discussion in 'other anti-malware software' started by shadek, Mar 12, 2011.

Thread Status:
Not open for further replies.
  1. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    The messages that you are seeing in the log related to Chrome are not "errors" per se. They indicate that AppGuard blocked some risky activity that is being performed by Chrome. Chrome is using rundll32.exe to launch some dlls that are not digitally signed (otherwise AppGuard would have allowed the launch). The reason that you may not see the dlls in the directory when you look for them is that most likely Chrome downloaded these dlls and then deleted them when it could not launch them. If Chrome is functioning correctly, just ignore these messages.

    Regarding the event indicating that Chrome was being blocked from writing to the memory of Chrome: AppGuard is blocking one Chrome process from writing to the memory of another Chrome process (i.e. two different processes running the same application).
     
  2. delah

    delah Registered Member

    Joined:
    Oct 27, 2007
    Posts:
    81
    Location:
    Ireland

    Will do, Cutting_Edgetech :thumb:

    Thanks Barb_C, I have successfully added a folder using that method.

    That is viable!:)
     
  3. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Thanks Delah! I'm still using build 3.2.0.0 until they get the bugs ironed out of this new release. Several users here at Wilders are reporting problems similar to the ones I'm having. I hope these bugs are found and fixed soon.
     
  4. Melf

    Melf Registered Member

    Joined:
    Sep 7, 2010
    Posts:
    105
    Hrmm, ok. Still puzzling, I feel like there must surely be some functionality that is being blocked by blocking these DLLs.

    I have 2 feature requests after my first couple of days trying AppGuard:
    1) Have you thought of allowing right-click functionality from the AppGuard event log to create exceptions? This would make sorting out teething issues a lot easier (in lieu of a 'learning' mode).
    2) I feel naked when I set the protection to Install. It would feel much better if I could just run whatever I wanted to install with 'Install' privileges, but still protect the rest of the system as normal.
     
  5. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    Unless I'm missing something, I'm not sure what the advantage would be to reverting to the 3.2 version. There is really only one new bug in this release that isn't related to power applications. And that new bug (related to the browse dialog entering blank folder entries) is more of a nuisance since we've identified a work-around. The power applications bug only affects 64-bit systems and only if you try to add a 32-bit application that doesn't have a corresponding 64-bit version of the application. All other bugs that we're working on are also in the 3.2 version.

    Here are the bugs that we've identified to be fixed in 3.4:

    1. On 64-bit systems, Power Applications located in the “Program Files (x86)” directory were not always being recognized as power applications.
    2. Sometimes when adding Power Applications, User-space folders and Guarded Application folder definitions, blank entries were being added.
    3. In the previous versions (including 3.2), Guard List applications were only partially MemoryGuarded (i.e. read protection was in force) in the Locked Down protection level. With the next release, all Guarded applications are fully MemoryGuarded in the Locked Down protection level.
    4. In previous versions (including 3.2) when a blank suspension timeout value was entered on the AppGuard User Interface, AppGuard would continually prompt for the end-user to enter an integer between 0 and 1440.
    5. In previous versions (including 3.2), AppGuard’s protections interfered with the audio function of several 64-bit versions of Microsoft Applications (Word, Internet Explorer, Windows Media Player). We've identified a potential fix for this, but are reviewing with Microsoft because we feel it might open up a security hole.
    6. In previous versions (including 3.2), even though the Click to Run virtual drive (usually “Q”) could be specified as a user-space exclusion, AppGuard did not recognize the exclusion folder because of the drive’s permissions.

    Also, in 3.3 we've fixed several bugs that were present in 3.2 as well as enhanced the protection policy (by denying at.exe and schtasks.exe) so my recommendation would be to use 3.3.

    Of course if you want to wait for 3.4 to come out, I certainly understand. Hopefully 3.4 will be out next week - we're just waiting for Microsoft to get back to us about item 5.

    I really don't mean to sound defensive here - I just want to know if we've overlooked something (which is certainly possible). Please let me know if there is another bug that we've overlooked so that we can address it in this release.
     
  6. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    BTW, in addition to the bug fixes identified above, we're also adding the ability to customize the alerts that AppGuard provides. The Alert Levels are gone, but you can select which types of events you want to alert (i.e. blink the icon), display and/or log:
    We've also added a parental control for power applications.
     
  7. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    We have thought about doing the first feature you've suggested - just a matter of getting around to it.

    I like the second feature that you suggested - I feel the same way when I have to reduce the protection level. It would be great to add that as part of the "right-click" feature that several have requested where you use file explorer and right-click on a file or folder and you would see several AppGuard menu items such as:
    1. Add to Guard List
    2. Add to Protected Resources
    3. Exclude from User-space protection.
    4. Include in User-space protection.
    5. Add Privacy Folder
    6. Add Exception Folder
    7. Allow Installation.

    For some reason, our lead software architect has been reluctant to permit the addition of these shell extension features to AppGuard (not sure why), but perhaps a near-term compromise would be to have an "Install" button in AppGuard that brings up a browse dialog where you can browse to the installation package that you want to execute. I'll run it past the Engineering team.
     
  8. Melf

    Melf Registered Member

    Joined:
    Sep 7, 2010
    Posts:
    105
    Thanks Barb, good stuff. Will be watching development with interest :)
     
  9. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Barb, thank you for the update! I'm in the middle of a big move right now, and I had to put all 8 of my workstations in storage until I figure out my living arrangements. I'm having to make this post with my iPhone. The bugs I was referring to are from other recent posts in this thread that are similar to the one I'm experiencing on XP x32 SP3, except they were using W7 x64. I will get on my laptop ASAP when I finish with this move and reference each of the posts for you to make sure those are not bugs you have already listed. I do not believe they were. Unfortunately AG still will not allow me to add a power application by browsing to the application path on my 2 XP machines. I was able to add them by typing in the application path, but not by browsing to it. The 3.2.0.0 build is working fine on the rest of my machines, so I want to be sure those possible bugs have been resolved before upgrading. I won't have access to any of my test machines for an unknown amount of time, but I hope to be back up and running soon. I will reference those posts for you as soon as I finish with the move. It's difficult to do on my iPhone. BTW.. the new alert system you posted above rocks!! Lol. It's much better than the old system!
     
    Last edited: Apr 27, 2012
  10. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    +1 :thumb:
     
  11. Arcanez

    Arcanez Registered Member

    Joined:
    Oct 5, 2011
    Posts:
    417
    Location:
    Event Horizon
    Yesterday I wanted to add some more applications to powerapps, but then the AppGuard service completely turned off and I was pretty much locked out of the system. I rebooted and everything was fine, but the apps that I had added to powerapps were missing.

    Also, is there a way to get Process Explorer working with AppGuard? The problem for AppGuard with it is that PE creates a new exe file on launch (procexp64.exe) located in a user space folder (C:\Users\xxx\AppData\Local\Temp), and AppGuard blocks this file. Process Explorer itself is launched from system space and should be allowed; adding Process Explorer to powerapps doesn't help either...
     
  12. ellison64

    ellison64 Registered Member

    Joined:
    Oct 5, 2003
    Posts:
    2,587
    I just installed Process Explorer on W7 64-bit, and I can't replicate this problem with AppGuard (set on High). I extracted the Process Explorer zipped files to the desktop in a folder I made called "process explorer" and then launched Process Explorer for the first time. AppGuard didn't block anything, and there wasn't any file created in the path folder you mentioned. The new process procexp64.exe did however appear in the folder upon the first launch, and is still there. I then just moved the whole folder to my Program Files and made a shortcut to the procexp64.exe on my desktop. It launches fine and nothing's blocked by AppGuard. I don't have UAC enabled and I run as administrator on this laptop, so I'm not sure whether that has something to do with it?
     
  13. kupo

    kupo Registered Member

    Joined:
    Jan 25, 2011
    Posts:
    1,121
    I am also experiencing this problem; I thought it was just my set-up :D. The service won't turn on until a reboot. Running any apps will result in something like "Windows doesn't have access..."
     
  14. Arcanez

    Arcanez Registered Member

    Joined:
    Oct 5, 2011
    Posts:
    417
    Location:
    Event Horizon
    Try it in Locked Down mode; it won't work because AppGuard blocks the procexp64.exe launched from user space even though you have defined that file to be a powerapp. I think AppGuard keeps a constant connection to the files added to powerapps, so when you close Process Explorer and that procexp64.exe gets deleted in user space, AppGuard loses track of that powerapp and blocks it the next time it is once again created and launched from the same location. That would explain why I can run Process Explorer the first time without a prompt, but after closing it and launching it again AppGuard blocks execution.

    Too sad, I wanted to replace the lame Task Manager with Process Explorer via an image hijack, but AppGuard doesn't like that. Tried setting it on High and it works, but you know, I want the Locked Down mode to be honest :D :D
     
  15. ellison64

    ellison64 Registered Member

    Joined:
    Oct 5, 2003
    Posts:
    2,587
    Process Explorer still runs fine on my system with AppGuard in Locked Down mode. I also don't have Process Explorer in powerapps, just the default. I haven't put any rule or anything in for procexp64.exe at all, and it runs fine. I still don't get the procexp64.exe being created in the appdata/temp folder either. Now I'm wondering whether there's something wrong with my setup or yours :doubt:
     
  16. Arcanez

    Arcanez Registered Member

    Joined:
    Oct 5, 2011
    Posts:
    417
    Location:
    Event Horizon
    Seems to work for me only when I run Process Explorer as administrator. procexp.exe itself, located in my Program Files directory, is allowed by AppGuard, but there are problems with that procexp64.exe that's created on every launch.

    The strange thing is that AppGuard blocks only on the second launch most of the time. On the second launch the procexp64.exe is blocked in my user temp directory.

    Try running Process Explorer without admin rights, then close it and run it again and again. AppGuard should interfere.

    I replaced my Task Manager with Process Explorer, but when I press Ctrl+Alt+Del or Shift+Ctrl+Esc AppGuard always blocks PE.

    EDIT: it would help to see what you have defined as User Space so we can compare. C:\Users\Myname\ = user space for me, and therefore execution from there is denied.
     
  17. ellison64

    ellison64 Registered Member

    Joined:
    Oct 5, 2003
    Posts:
    2,587
    I only have an administrator account on this laptop (whether that makes the difference I don't know?). I can run procexp64.exe from Program Files just by clicking it, with no interference from AppGuard in Locked Down. I can also right-click the file and "run as administrator" from the context menu... again no interference from AppGuard. I have the same as you, C:\Users\Myname.
    I have noticed that I am unable to change the "Yes" to "No" like the first 4 entries though. Perhaps that's part of how AppGuard works?
     
    Last edited: Apr 29, 2012
  18. Arcanez

    Arcanez Registered Member

    Joined:
    Oct 5, 2011
    Posts:
    417
    Location:
    Event Horizon
    You can change it: just click on the word "No" and you will get a dropdown menu :)

    EDIT: oh, you mean these entries. No, these are "locked" to Yes for security purposes, I guess :D
     
  19. ellison64

    ellison64 Registered Member

    Joined:
    Oct 5, 2003
    Posts:
    2,587
    Have you had any luck yet? As I say, Process Explorer is working fine with AppGuard here.
     
  20. Arcanez

    Arcanez Registered Member

    Joined:
    Oct 5, 2011
    Posts:
    417
    Location:
    Event Horizon
    No, it's not working if you launch it without admin rights.
     
  21. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    It looks like the service crashed when you were adding power applications. We were able to reproduce this here. Can you confirm the number of Power Apps that you entered?

    I'm running procexp64.exe on my PC and I'm not seeing the same behavior (where procexp64.exe is launching another app from user-space). How are you launching it? I have procexp64.exe running under "Program Files" directory and launch it from File Explorer.

    You can try adding "C:\Users\xxx\AppData\Local\Temp\<application_name>" as an exclusion to User-Space. This will enable ProcessExp64.exe to launch the temporary exe file (hopefully it's not some random name). If you make the ProcessExp64.exe a power application under system space, when it launches the temporary user-space program, that program should also become a power application.
     
    Last edited: Apr 30, 2012
  22. Arcanez

    Arcanez Registered Member

    Joined:
    Oct 5, 2011
    Posts:
    417
    Location:
    Event Horizon
    I gave up on that. I can't get PE to work with AppGuard. I run in Locked Down mode and have extracted procexp.exe to D:/Program Files (which belongs to system space although it's not the system partition).

    On the first launch AppGuard doesn't do anything, because procexp.exe creates a new procexp64.exe in the same directory and launches it from there (system space, so it is allowed). I guess procexp.exe first detects which OS you're running and, if it's x64, extracts that procexp64.exe and launches it instead.

    However, when you close your first launched PE and start it again, AppGuard does interfere, because the newly created procexp64.exe is now created at a user space location. (I think because the first procexp64.exe is not deleted yet automatically and procexp.exe can't overwrite it.)

    So from my perspective it is not AppGuard's fault that procexp.exe somehow creates a file in the temp folder, which is user space. AppGuard seems to work correctly for me.

    PE only works when you wait until the procexp64.exe is deleted from the directory. Otherwise it creates the same one in the user space temp folder, which causes the conflict.
     
  23. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    I didn't realize that you were launching procexp.exe and then procexp64.exe was getting created subsequently. For some reason procexp64.exe already existed on my computer and I was launching it directly without any problem.

    After some experimentation, I think I know what PE is doing and what the correct AppGuard settings are. When you launch procexp.exe on a 64 bit machine, it tries to extract procexp64.exe to the directory you launched out of. If procexp64.exe already exists, procexp64.exe gets created in the user profile temp directory. Now if procexp64.exe gets created in a system-space directory, then all should be well. AppGuard will not block the launch. If procexp64.exe gets created in a user-space folder, AppGuard will block the launch in locked down mode unless it is set to a user-space exception. In high mode, AppGuard will allow, but procexp64.exe will be Guarded unless it is set to be a power application.

    Once PE is launched, it will be blocked from reading the memory of any Guarded application. To allow PE to read the memory of Guarded applications, it must be made a power application (or memoryGuard exception).

    To get PE to work without AppGuard blocking anything, I had to make the following customizations to AppGuard policy (assuming that procexp.exe is in directory C:\procexp):

    1. Add c:\procexp\procexp.exe as a power application.
    2. Add C:\Users\Barbara.BLUERIDGE\AppData\Local\Temp\procexp64.exe as a user-space exception. This rule is only necessary if running in Locked Down mode.

    The following two rules must be added because of a bug we discovered in the current release where a child process of a power application is still being MemoryGuarded.

    1. Add c:\procexp\procexp64.exe as a power application.
    2. Add C:\Users\Barbara.BLUERIDGE\AppData\Local\Temp\procexp64.exe as a power application.

    When we release 3.4, you should be able to delete the last two rules. I hope this helps.
     
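    A model of the user-space / power-application decisions Barb_C describes above, added here as an illustration (it is neither AppGuard's code nor from the post). It assumes C:\procexp as the install folder, C:\Users as the only user-space folder, a constructed C:\Users\xxx\...\Temp path, and that a power application's child inherits power status once the 3.4 bug fix lands; it replays the first and second procexp.exe launches under both protection levels:

```python
# Added model of the AppGuard policy decisions in the post above; it is not
# AppGuard's code. Assumptions: user space = C:\Users, two protection levels
# ("Locked Down", "High"), user-space exclusions, power applications, and
# child processes inheriting power status (child_inherits_power=False
# models the pre-3.4 bug where the child is still MemoryGuarded).
from dataclasses import dataclass, field
from pathlib import PureWindowsPath

SYSTEM_DIR = r"C:\procexp"                      # assumed install folder
TEMP_DIR = r"C:\Users\xxx\AppData\Local\Temp"   # constructed profile temp path


def _under(path: str, folder: str) -> bool:
    """True if path equals folder or lies below it (case-insensitive)."""
    p, f = PureWindowsPath(path.lower()), PureWindowsPath(folder.lower())
    return p == f or f in p.parents


@dataclass
class Policy:
    level: str                                   # "Locked Down" or "High"
    user_space: list = field(default_factory=lambda: [r"C:\Users"])
    user_space_exclusions: list = field(default_factory=list)
    power_apps: list = field(default_factory=list)
    child_inherits_power: bool = True

    def in_user_space(self, path: str) -> bool:
        if any(_under(path, x) for x in self.user_space_exclusions):
            return False                         # exclusion wins
        return any(_under(path, u) for u in self.user_space)

    def is_power_app(self, path: str) -> bool:
        return any(_under(path, p) for p in self.power_apps)

    def launch(self, path: str, parent: str = "") -> str:
        """Outcome of launching path: 'blocked', 'guarded' or 'power'."""
        power = self.is_power_app(path) or (
            self.child_inherits_power and parent != "" and self.is_power_app(parent))
        if self.in_user_space(path) and self.level == "Locked Down":
            return "blocked"                     # High mode allows, but Guards, it
        return "power" if power else "guarded"

    def can_read_memory(self, reader: str) -> bool:
        """MemoryGuard: only a power application may read Guarded memory."""
        return self.launch(reader) == "power"


def procexp_launch(policy: Policy, second_launch: bool) -> str:
    """procexp.exe extracts procexp64.exe beside itself on the first launch;
    while that copy still exists, the next launch extracts it to Temp."""
    parent = SYSTEM_DIR + r"\procexp.exe"
    child_dir = TEMP_DIR if second_launch else SYSTEM_DIR
    if policy.launch(parent) == "blocked":
        return "blocked"
    return policy.launch(child_dir + r"\procexp64.exe", parent=parent)


def barb_policy(level: str, fixed_release: bool = False) -> Policy:
    """The customizations listed in the post; the two extra power-app rules
    are only needed before the child-process bug fix (fixed_release=False)."""
    power = [SYSTEM_DIR + r"\procexp.exe"]
    if not fixed_release:
        power += [SYSTEM_DIR + r"\procexp64.exe", TEMP_DIR + r"\procexp64.exe"]
    return Policy(level, user_space_exclusions=[TEMP_DIR + r"\procexp64.exe"],
                  power_apps=power, child_inherits_power=fixed_release)
```

With the default policy the second launch is blocked in Locked Down and merely Guarded in High, while either variant of barb_policy lets the temp-folder procexp64.exe run as a power application that can read Guarded memory.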
  24. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    As you discovered, any User-space policy that is included as part of the default policy cannot be changed.
     
  25. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    We have found an issue with AppGuard if you add more than 8 power applications. How many power applications have you tried to add?

    We will increase the limit to 16 power applications in the next release, but power applications should be used very sparingly (the lead developer could not believe that anyone would have added more than 8 :cool:). There will also be an error check to make sure that the limit is not exceeded to avoid a crash situation.
     
    Last edited: May 1, 2012