AppGuard 3.x 32/64 Bit

Discussion in 'other anti-malware software' started by shadek, Mar 12, 2011.

Thread Status:
Not open for further replies.
  1. Livix

    Livix Registered Member

    Joined:
    Jul 20, 2012
    Posts:
    13
    I have been noticing some odd behavior when leaving my computer to idle for a while, it's happened on 3 occasions and it's worrying me. I'm using an SSD if that makes any difference, here are the messages:

    07/29/12 22:55:00 Prevented process <pid: 2132> from writing to <c:\bootsqm.dat>.
    07/29/12 22:55:00 Prevented process <Windows host process (Rundll32)> from writing to <c:\bootsqm.dat>.
    07/29/12 22:48:00 Prevented process <Windows host process (Rundll32)> from writing to <c:\windows\appcompat\programs\recentfilecache.bcf>.

    Could anybody shed some light on this? Sorry if it's a stupid question or has been answered already, little things like this worry me a lot probably for no good reason.

    Great product by the way, it's easily my favorite security product right now.
     
    Last edited: Jul 29, 2012
  2. aladdin

    aladdin Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    2,986
    Location:
    Oman
    Yes, would also like to know the implications of Appguard on SSDs and TRIM.

    Best regards,
     
  3. aladdin

    aladdin Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    2,986
    Location:
    Oman
    Another bug, and it seems that implementation of Appguard on x64 is somewhat lacking. See image, both the Antilogger.exe and MCShieldRTM.exe are located at Program Files (x86) and not Program Files which it reverts to after a while.

    Best regards,
     


  4. Arcanez

    Arcanez Registered Member

    Joined:
    Oct 5, 2011
    Posts:
    417
    Location:
    Event Horizon
    That's a known bug. In order to get it working you should install those applications to c:\Program Files\ not Program Files (x86).
     
  5. aladdin

    aladdin Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    2,986
    Location:
    Oman
    It is ridiculous for a program to have so many known bugs. For the MBRGuard bug, I had to restore to an earlier point where I didn't have Appguard installed to have it working after wasting lots of time on it.

    It is ridiculous to install non x64 programs to x64 area for Appguard to work properly.

    The implementation of Appguard is not somewhat lacking as I mentioned earlier, it is truly lacking. The whole world is moving to x64 OS due to impending introduction of Windows 8. The x86 OS is becoming the system of the past for the massive users.

    Best regards,
     
  6. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    In locked down mode, AppGuard prevents Memory Reads as well.
     
  7. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    I was just discussing this with the Program Manager on Friday. I think if we're going to appeal to computer novices (vs. security experts) we will need to provide automatic exclusions for the most widely used Security Products.
     
  8. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    I agree. If we're going to add exclusions for popular security products we will have to figure out how to do it in such a way as to not become overly bloated. Perhaps we will scan the computer for the security products during installation and automatically add the ones we find to the power applications policy. Anyway, if anyone has some clever ideas, they would be most welcome.
     
  9. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    Aladdin, there is no bug. The bug that Arcanez is referring to was fixed (that bug was in 3.3 - a Beta version of the program).

    Even though the display is indicating "Program Files" vs. "Program Files (x86)", AppGuard is not confused. It is using a folder map internally and is finding the power apps (and guarded apps) in the appropriate Program Files directory. On the display, "C:\Program Files" is used to refer to both the "C:\Program Files (x86)" folder and the "C:\Program Files" folder. I agree this is confusing and will be enhanced in the next release so as not to be so confusing.
     
    Last edited: Jul 31, 2012
  10. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    @Barbara. May I just suggest no auto exclusion, for the following reasons.
    1. AppGuard is very unlikely to be seen on an average user machine.
    2. Bloat
    3. More bugs introduced.
    4. Work on any current bugs.
    5. Not another whitelist scanner.

    I am sure I can think of other reasons but that's my short list, and finally the old saying - Let Sleeping Dogs Lie. *puppy*
     
  11. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    Thanks for your input, djohn. Let me address your concerns:
    1. Unless we can make AppGuard useable for the average user's machine, we won't be able to justify sustaining AppGuard Consumer as a product line.
    2. Bloat: In what way are you concerned about this? Performance? Policy/Program Size? I think that we can add this feature without affecting either. If we do an auto-exclusion, I think it would most likely work off a list of commonly used security products and their likely installation paths (most average users would probably not change this). Whenever AppGuard started, AppGuard would do a search for these files and automatically add any it found to the power app policy. I don't believe that it would be a big performance hit like a whitelist scanner. I think the list of security products would be fairly small - limited to those that are widely used by novice users. It wouldn't contain every security product known to this forum - that might affect performance. So this feature should not be a big performance hit. Maybe, I'm being too naive to think that novice users are sticking pretty much with McAfee, Symantec, Microsoft Security Essentials, AVG and a few others.
    3. There's always the risk of introducing bugs, but I don't think that should prevent us from adding new features and evolving the product.
    4. All known confirmed bugs have already been addressed and their bug fixes will be included in the next release.
    5. Adding this feature will not make AppGuard another whitelist scanner. Nor should it decrease performance.
    Based on your concern, I'll suggest that if we add this feature, we should also include a mechanism to turn it off.
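
A sketch of the auto-exclusion proposal in this post, combined with the folder map described in the earlier developer reply, as an added example that is not part of the thread and is not AppGuard code. The product names, file paths, function names and the injected `exists` check are all hypothetical.

```python
from pathlib import PureWindowsPath

# Displayed root -> real folders it stands for (the "folder map" idea).
FOLDER_MAP = {
    r"C:\Program Files": [r"C:\Program Files", r"C:\Program Files (x86)"],
}

# Hypothetical candidate list: product -> likely install path, in display form.
KNOWN_PRODUCTS = {
    "Example AV": r"C:\Program Files\ExampleAV\avshield.exe",
    "Example Firewall": r"C:\Program Files\ExampleFW\fwsvc.exe",
}

# Constructed stand-in for the disk: a 32-bit product on a 64-bit system.
CONSTRUCTED_FS = {r"c:\program files (x86)\exampleav\avshield.exe"}


def expand_display_path(display_path):
    """Return every real path a displayed policy path may refer to."""
    p = PureWindowsPath(display_path)
    for shown, real_roots in FOLDER_MAP.items():
        try:
            rel = p.relative_to(shown)  # case-insensitive on Windows paths
        except ValueError:
            continue  # not under this displayed root
        return [str(PureWindowsPath(root) / rel) for root in real_roots]
    return [str(p)]


def discover_power_apps(products, exists, enabled=True):
    """Return {product: real path} for listed products found on disk.

    `exists` is injected so the scan can be re-run on demand and tested
    offline; `enabled=False` models the proposed off switch.
    """
    found = {}
    if not enabled:
        return found
    for name, display_path in products.items():
        for real in expand_display_path(display_path):
            if exists(real):
                found[name] = real  # record the real path, not the display form
                break
    return found


if __name__ == "__main__":
    on_disk = lambda path: path.lower() in CONSTRUCTED_FS
    print(discover_power_apps(KNOWN_PRODUCTS, on_disk))
```

Recording the resolved path rather than the display form keeps the policy entry unambiguous about which Program Files folder was matched.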
     
  12. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    Thanks Barbara, sounds good then.
     
  13. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
    I think you would also need the option to manually scan/re-scan in addition to the one at installation time.
     
  14. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    That explains it, thanks.
     
  15. Ashanta

    Ashanta Registered Member

    Joined:
    Aug 21, 2007
    Posts:
    702
    Location:
    Europe
    Hi Barb,

    Two days ago, I sent you my answer about Flashplayer installer, please check your mailbox. ;)
     
  16. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    Sorry, I forwarded your question to one of the developers (and he responded promptly), but I just got back to it a few minutes ago (as a result of your reminder - thanks). You should have my response in your inbox.
     
  17. Ashanta

    Ashanta Registered Member

    Joined:
    Aug 21, 2007
    Posts:
    702
    Location:
    Europe
    Yes, I received your message. :)
     
    Last edited: Jul 30, 2012
  18. ruinebabine

    ruinebabine Registered Member

    Joined:
    Aug 6, 2007
    Posts:
    1,096
    Location:
    QC
    Same happened to me last week (7x64, but no SSD here).
    I would also like to have an answer on this...
     
  19. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    These events are created when a Guarded Application tries to write to a System Space folder (c:\ and c:\windows are considered system space folders). RunDLL32 is only explicitly Guarded in Locked Down protection level, but if it is launched from a Guarded Application it will also be Guarded in other protection levels.

    I've inquired about this to our QA department and developers and they have not seen these events. They also mentioned that it appears (based on the format of the events that you reported) that you are using an older version of AppGuard. The latest version should provide more information about what might be launching pid: 2132 and RunDll32.

    To provide further information about what might be going on, I would request that you upgrade to the latest version of AppGuard (so that we can determine which Guarded Application might be trying to do these system-space writes). Also, have you added any Guarded Applications or are you running Applications out of User-space?

    BTW, from what I understand, bootsqm.dat gets created during a CHKDSK operation.

    Also, I'm glad that you like AppGuard.
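
A way to triage the blocked-write events discussed in this reply, as an added example that is not part of the thread and is not AppGuard code. The sample input is the three event lines quoted earlier in the thread; the function names are made up here, and treating "c:\" as files directly in the drive root and "c:\windows" as its whole subtree is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime
from pathlib import PureWindowsPath

# Constructed sample: the three event lines quoted in the thread.
SAMPLE_LOG = r"""
07/29/12 22:55:00 Prevented process <pid: 2132> from writing to <c:\bootsqm.dat>.
07/29/12 22:55:00 Prevented process <Windows host process (Rundll32)> from writing to <c:\bootsqm.dat>.
07/29/12 22:48:00 Prevented process <Windows host process (Rundll32)> from writing to <c:\windows\appcompat\programs\recentfilecache.bcf>.
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) Prevented process "
    r"<(?P<proc>.+?)> from writing to <(?P<path>.+)>\.$"
)
PID_ONLY_RE = re.compile(r"^pid: (\d+)$")


def system_space_folder(path):
    # Assumption: drive-root files and everything under the Windows folder count.
    p = PureWindowsPath(path)
    if p.parent == PureWindowsPath("c:/"):
        return "c:\\"
    if PureWindowsPath("c:/windows") in p.parents:
        return "c:\\windows"
    return None


def parse_events(text):
    """Return (timestamp, process label, target path) for each matching line."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%m/%d/%y %H:%M:%S")
            events.append((ts, m["proc"], m["path"]))
    return events


def triage(events):
    """Group blocked writes by target and list pids logged without a name."""
    grouped = defaultdict(lambda: {"processes": set(), "first_seen": None})
    for ts, proc, path in events:
        entry = grouped[path.lower()]
        entry["processes"].add(proc)
        if entry["first_seen"] is None or ts < entry["first_seen"]:
            entry["first_seen"] = ts
    return {
        path: {
            "system_space": system_space_folder(path),
            "processes": sorted(e["processes"]),
            "unnamed_pids": sorted(int(m[1]) for p in e["processes"]
                                   if (m := PID_ONLY_RE.match(p))),
            "first_seen": e["first_seen"],
        }
        for path, e in grouped.items()
    }
```

Calling `triage(parse_events(SAMPLE_LOG))` groups the two 22:55:00 events under the same target and reports pid 2132 as the process still to be identified.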
     
  20. Livix

    Livix Registered Member

    Joined:
    Jul 20, 2012
    Posts:
    13
    I'm running version 3.4.2.3 (that is the latest right?) in Locked Down, no extra guarded applications (Firefox has always been open though which is run in Sandboxie) and yes I have programs running from D:\ if this counts.

    Do you think this could be malicious at all? Probably a stupid question, I'm just concerned.
     
    Last edited: Aug 1, 2012
  21. Ashanta

    Ashanta Registered Member

    Joined:
    Aug 21, 2007
    Posts:
    702
    Location:
    Europe
    Livix,

    My version is 3.4.2.0 and it's the latest version according to the program.

    I don't know where you get this version, 3.4.2.3 o_O
     
  22. Livix

    Livix Registered Member

    Joined:
    Jul 20, 2012
    Posts:
    13
    According to the program mine is also 3.4.2.0, I got the number above from add/remove programs, I remember a conversation on here where that number was requested.
     
  23. aladdin

    aladdin Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    2,986
    Location:
    Oman
    When one right clicks on the file properties of the Appguard installer, it says v3.4.2.3, but it installs as v3.4.2.0

    Best regards,
     
  24. muria

    muria Registered Member

    Joined:
    Aug 2, 2012
    Posts:
    5
    Hello!

    I have got a question about "system space". My programs are installed outside Program Files folders, they are on another partition made directly and only for installing programs.

    Is there some kind of way to extend "system space" to another partition?

    Right now it is kind of annoying to add all programs to guarded apps and excluding couple of folders from "user space" to have all programs running without complication.
     
  25. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    No, there isn't. I've been asking for this feature for as long as I can remember. I have a recovery partition that I would like to include in system space. AppGuard automatically treats all additional partitions as extended user space, without an option to override the default. This is incorrect because it can't automatically be assumed that an additional partition is being used to hold data; it may be holding files that belong in system space.

    I really do hope that BRN will finally take serious note of this request. I've asked for this on more than one occasion, but so far no joy.

    Kind regards

    P.S. Welcome to Wilders. :)
     