AppGuard 3.x 32/64 Bit

Discussion in 'other anti-malware software' started by shadek, Mar 12, 2011.

Thread Status:
Not open for further replies.
  1. muria

    muria Registered Member

    Joined:
    Aug 2, 2012
    Posts:
    5
    Thank you for answer :)

    So I assume that there is a security hole as well? Because I have my browser in "user space" and other programs in "user space" instead of "system space"?
     
  2. aladdin

    aladdin Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    2,986
    Location:
    Oman
    Same here! My browsers, .tmp and .temp are located on partition "J".

    Best regards,
     
  3. Baedric

    Baedric Registered Member

    Joined:
    Apr 14, 2006
    Posts:
    163
    I am not sure what to think of this:
    08/02/12 09:07:50 Prevented process <Dropbox> from writing to <c:\aaa\test2.txt>.
    Should I allow this process or create a rule? I have not seen this before, and I have Dropbox on another machine, with AppGuard. This process tries to run once a minute.
     
  4. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    3.4.2.3 is the latest version. I'll have to let the development team know that they must have missed some cases where the parent process is not getting reported in the event.

    Is your Program Files folder located on "D:\" or do you have other programs on the D: directory? Did you exclude the "D:\" directory from User-Space?

    I don't know if what is going on is malicious (and it isn't a stupid question - in fact it is a FAQ). The following is from the FAQ in the help file which gives our explanation on whether a block is a result of malware or not and what you should do:
    If AppGuard reports a block, how can I tell if it’s malware?
    Without doing extensive analysis of the events and files involved, you really can’t know if AppGuard is blocking malware or whether it is blocking a legitimate application operation. AppGuard does not make a distinction between malware and legitimate applications - it just blocks suspicious behavior. That is one of the reasons that AppGuard is so effective. AppGuard is designed to stop applications from performing high-security-risk activities. These high-security-risk activities are often exploited by malware as entry vectors into the system, and that is why AppGuard blocks these operations – usually with no adverse side effects. These activities may be the result of a legitimate application having been exploited by malware or it may simply be the result of the application programmer not adhering to best programming practices. In the latter case, the legitimate application may be requesting privileges that it really doesn’t require (for instance it may indicate that it requires write access to a system directory when in fact it only requires read access). In this case, AppGuard will block the write access (which is suspicious) and allow the read access to proceed. Fortunately, most of the time, these types of blocks do not result in any side effects even though AppGuard reports the blocking event. Occasionally, where an application actually intends to make changes to the system, such as self-updating programs, AppGuard may block a legitimate action.

    What should I do if AppGuard reports a blocking event?
    Usually AppGuard blocking events can be ignored unless you’ve noticed that an application is not performing an operation that you’ve initiated. The detailed explanation follows:

    There are two major classes of AppGuard blocks:

    1. AppGuard prevented an application from launching: This is usually because an executable file (i.e. program or script) is trying to run from a user-space location (desktop, My Documents Folder, USB Thumb Drive, etc.). Normally programs are not installed into these locations and it is suspicious whenever a program is launched from user-space so AppGuard will block these programs from running. Some legitimate programs do install into user-space (especially if they are being installed by a user that does not have administrative privileges). Google Chrome is an example of this type of program. In this case, the application can be added to the AppGuard Guard list and it will be allowed to launch from user-space. If you weren’t trying to launch one of your programs and you are seeing this type of event, then it may be the result of malware. Since AppGuard blocked the program, the malware has not been able to damage your PC, but you may want to use an Anti-Virus program to clean it up (provided that the AV is aware of this particular virus – it may take a week or so for AV software to detect the newest viruses). If you don't have an AV, we recommend Microsoft Security Essentials. It's a free download.
    2. AppGuard prevented a Guarded application from reading or writing a protected system resource. This block could be due to one of the following:
      • AppGuard is blocking a non-compromised application from performing a suspicious operation. In most cases, the block does not affect the application’s operation and can be ignored. If the block is affecting the application’s operation (and you don’t suspect malware) then you can temporarily lower the protection level or suspend AppGuard protection and retry the operation.
      • Malware exploited a legitimate application and is attempting to make changes to your system. In this case, AppGuard has protected your system and no action is required. Although it is difficult to know whether the block was due to malware or one of the above cases, if you do suspect malware you should:
        • Quit the application, the sooner the better.
        • Note, whatever files are open via that application, particularly those opened for the first time such as an email attachment or a downloaded file (i.e., most likely suspects).
        • If you don't need to save any changes, then don't. If you must, note that you did so. It's possible that the malware that compromised this application can implant something into your open documents.
        • You may want to use an Anti-Virus program to clean up the malware.

    Again, if you suspect malware, you may want to do a full Anti-Virus Scan. If you aren't already using an AV, we recommend Microsoft Security Essentials because it is a free download.
     
    Last edited: Aug 2, 2012
  5. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    You can easily extend system space, but before I give you the steps, let me review AppGuard's definition of System Space so that we're on the same page:
    1. System Space refers to the computer storage space that is typically not accessible by non-admin Windows users. This usually includes all folders on the system volume (usually the C: drive) with the exception of the user's profile directory.
    2. AppGuard blocks Guarded Applications from writing to System Space.
    3. AppGuard allows applications to be launched from System Space.
    4. AppGuard does not Guard Applications located in System Space unless explicitly specified in the Guard List.
    With that definition in mind, you can extend system space as follows:
    1. Exclude the partition from User Space protection.
    2. Add the partition as a Protected Resource on the Guarded Applications tab.
    The first step will allow applications to launch freely from the partition. The second step extends AppGuard protection to the additional partition.

    As mentioned above AppGuard does not auto-guard applications in System Space - just those in the Guard list. So once a partition is excluded from User Space, you will need to add each program that you want to Guard to the Guard List.

    I'm sorry that you find this annoying and I would welcome your suggestions on how we could improve the user-experience in these non-standard cases.
     
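    The FAQ in the post above sorts AppGuard blocks into two classes (launch blocks and protected-resource blocks), and this post defines System Space and how an excluded partition extends it. The script below is an added example, not AppGuard's code or anything from this thread's authors: it parses event lines of the shape quoted earlier in the thread into records, assigns each one the FAQ class and triage advice, and classifies the target path as system space or user space using the definition above. The event-line regex is modelled on the two lines actually posted; the "launching from" wording for a class-1 event, the user profile path `C:\Users\alice` and the excluded `D:` partition are constructed assumptions.

```python
import ntpath
import re
from dataclasses import dataclass

# Pattern modelled on the two event lines quoted in this thread. The
# "launching from" wording used for class-1 events below is an assumption,
# not taken from AppGuard's real log format.
EVENT_RE = re.compile(
    r"^(?P<stamp>\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"Prevented (?:process )?<(?P<subject>[^>]+)> from (?P<action>[^<]+?) "
    r"<(?P<target>[^>]+)>\.?$"
)

# Constructed sample input: the first two lines are the ones posted in the
# thread; the third is an assumed launch-block line for the "Free_music.exe"
# scenario discussed later.
SAMPLE_LINES = [
    r"08/02/12 09:07:50 Prevented process <Dropbox> from writing to <c:\aaa\test2.txt>.",
    r"08/02/12 17:05:13 Prevented <Avira Updater> from writing to memory of <Google Chrome>.",
    r"08/02/12 18:00:00 Prevented <Free_music.exe> from launching from <C:\Users\alice\Downloads\Free_music.exe>.",
]


@dataclass
class BlockEvent:
    stamp: str
    subject: str
    action: str
    target: str
    faq_class: int       # 1 = launch block, 2 = protected-resource block, 0 = unrecognised
    target_space: str    # "system space", "user space", or "n/a" for memory targets
    advice: str


def classify_space(path, system_volume="C:", user_profile=r"C:\Users\alice",
                   excluded_partitions=()):
    """Apply the thread's System Space definition: everything on the system
    volume except the user's profile directory is system space; a partition
    excluded from User Space protection is treated as system space too;
    anything else (other volumes, the profile directory, removable media)
    is user space.  user_profile default is a constructed assumption."""
    norm = ntpath.normcase(path)                    # lowercase, backslashes
    drive, _ = ntpath.splitdrive(norm)
    profile = ntpath.normcase(user_profile).rstrip("\\")
    if norm == profile or norm.startswith(profile + "\\"):
        return "user space"
    if drive == ntpath.normcase(system_volume):
        return "system space"
    if drive in {ntpath.normcase(p) for p in excluded_partitions}:
        return "system space (excluded partition)"
    return "user space"


def triage(line, **space_kwargs):
    """Parse one event line and attach the FAQ class and advice; None if unparsable."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    action, target = m["action"].strip(), m["target"]
    if "memory" in action:
        cls, space = 2, "n/a"
        advice = ("A Guarded application's memory was protected. Ignore unless the "
                  "blocked program needs this access; if so, make it a Power Application.")
    elif action.startswith(("writing to", "reading")):
        cls, space = 2, classify_space(target, **space_kwargs)
        advice = ("Usually ignorable. If the application fails an operation you initiated "
                  "and you do not suspect malware, temporarily lower the protection level; "
                  "if you do suspect malware, quit the application and run an AV scan.")
    elif "launch" in action or "running" in action:
        cls, space = 1, classify_space(target, **space_kwargs)
        advice = ("If you started this program, add it to the Guard List; if you did not, "
                  "treat it as possible malware and run an AV scan.")
    else:
        cls, space, advice = 0, "n/a", "Unrecognised action; inspect manually."
    return BlockEvent(m["stamp"], m["subject"], action, target, cls, space, advice)


def triage_all(lines, **space_kwargs):
    """Triage a batch of lines, dropping any that do not parse."""
    return [ev for ev in (triage(l, **space_kwargs) for l in lines) if ev is not None]


if __name__ == "__main__":
    for ev in triage_all(SAMPLE_LINES, excluded_partitions=("D:",)):
        print(f"{ev.stamp} class {ev.faq_class} {ev.subject!r} -> {ev.target!r} "
              f"[{ev.target_space}]\n    {ev.advice}")
```

    Note that `classify_space(r"C:\Program Files\Free_music.exe")` returns "system space", which is exactly the gap raised later in the thread: a program copied into Program Files launches freely and is not auto-guarded, whereas the same file in the Downloads folder is user space and its launch is blocked.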
  6. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    Don't worry, you have the latest version. It depends on where you look at the version information. The application will only report the first 3 digits, while the control panel will report 4 digits.
     
  7. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    Aladdin, thanks for answering!
     
  8. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    PEGR o_O We added this feature in version 3.1. See my post above: https://www.wilderssecurity.com/showpost.php?p=2095586&postcount=1381. I think I have to retract my job offer :D
     
  9. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    There is no security hole. If your programs are in user-space, AppGuard automatically Guards them.
     
  10. Livix

    Livix Registered Member

    Joined:
    Jul 20, 2012
    Posts:
    13
    I do have a program files on D:\ which is excluded, also my sandbox is on D:\ used for my browser.
    I've scanned with emsisoft, comodo, hitman pro, mbam, tdss killer and nothing is found. I use CIS + EAM in realtime.
     
  11. muria

    muria Registered Member

    Joined:
    Aug 2, 2012
    Posts:
    5
    Thank you Barb_C for the explanation. Right now I am configuring AppGuard as you said.

    I am thinking about making AppGuard somehow user-proof (to install on my parents laptops). And there is a problem:

    I am downloading a program in my browser. I cannot save it into the Windows or Program Files directory, and that is good. Then I cannot run this program from my Download directory, and that is OK. But when I copy-paste it into Program Files I can run it and it is completely unguarded. Am I right? If so, that is really bad if the user really wants to install something like "Free_music.exe" etc., because it can be done quite easily.

    Best regards
     
  12. mick92z

    mick92z Registered Member

    Joined:
    Apr 27, 2007
    Posts:
    548
    Location:
    Nottingham
    Dear Barb_C, sorry to fire more questions at you. My trial is going well, Appguard that is ( not the murder charge :D )
    I will almost certainly be purchasing a license. As an average user, I find this program easy to use, but have little idea what it's actually doing. With Sandboxie I know all the settings/restrictions etc., but not AppGuard.
    I also know folk have tested about everything in Sandboxie, do you test against all the latest malware ?
    Anyway my reason for posting was two entries in events
    08/02/12 17:05:13 Prevented <Avira Updater> from writing to memory of <Google Chrome>.
    08/02/12 18:39:58 Prevented <Malwarebytes Anti-Malware> from writing to memory of <Google Chrome>.

    Do you advise making Avira and MBAM Power Apps? I don't want these two programs prevented from doing anything really, or should I just ignore them. Cheers
     
  13. Ashanta

    Ashanta Registered Member

    Joined:
    Aug 21, 2007
    Posts:
    702
    Location:
    Europe
    Hi Barb,

    Look at this

    AppGuardGUI.exe Properties screen

    and AppGuard About screen

  14. Ashanta

    Ashanta Registered Member

    Joined:
    Aug 21, 2007
    Posts:
    702
    Location:
    Europe
    Look at this aladdin :


    Something is wrong

    Installer version: 12.0.0.58851
  15. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    Hi Barb,

    I tried following your instructions but AppGuard doesn't allow either of my additional partitions to be added as exclusions to user space. I can click on the Add button and browse to the root folder of the volume to be excluded but clicking OK does nothing; the folder doesn't get added to the user space list.

    Kind regards
     
  16. Ashanta

    Ashanta Registered Member

    Joined:
    Aug 21, 2007
    Posts:
    702
    Location:
    Europe
    Pegr,

    See my screenshots below :
  17. aladdin

    aladdin Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    2,986
    Location:
    Oman
    Dear Ashanta,

    You are right that something is wrong. See the below image as it shows the product version to be v3.4.2.3
     
  18. Ashanta

    Ashanta Registered Member

    Joined:
    Aug 21, 2007
    Posts:
    702
    Location:
    Europe
    Aladdin,

    What's more bizarre is that I downloaded it from the BRN webpage. :eek:

    Is it the installer version or the exe file version ?

     
    Last edited: Aug 2, 2012
  19. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    AppGuard is designed to protect the PC from malware - not the end-user doing something they shouldn't be (i.e. copying untrusted programs into Program Files). Perhaps you could provide your parents with user accounts vs. admin accounts. That way the OS provides some level of protection (they will not be able to copy programs into the Program Files directories).

    As far as running programs out of a download directory (vs. cutting and pasting to the Program Files directory), you can temporarily suspend user-space protection via the AppGuard tray menu. If you don't want your parents to be able to do this, you could also enable AppGuard Parental Controls (but in this case I guess it would be AppGuard reverse Parental Controls o_O ). If you run in High Protection Level, then digitally signed applications are allowed to run from user-space and they are automatically guarded.
     
  20. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    If you don't want AppGuard to prevent either of these Applications from doing something, make them Power Applications.
     
  21. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    I'm not sure why the French version of the OS is not reporting the correct product version. This is what I see:
    InstallProperties.PNG
     
  22. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    Try selecting the folder and double-clicking on it to get it to appear in the edit box before clicking on OK. If it won't appear by double-clicking, just type in the folder ("f:\").
     
    Last edited: Aug 2, 2012
  23. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    I think the French OS is having a problem extracting the correct product information from the file. Other than that nothing is wrong. The Installer Version is 12.0.0.58851. This is inserted by InstallShield - the product we use to create our install package. My understanding is that when you click on the Properties menu item on a file, the OS is extracting version information from the file. If the French OS is not picking up the correct product version from the file but the English version of the OS is displaying this info correctly, then that would indicate that there is a bug in the French OS.
     
  24. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    Thanks for replying, Ashanta. Pegr, as you can see, it is possible to add a partition to user-space policy etc.

    Ashanta, I have one recommendation. You may want to set the access type of the partition to read only (vs. deny access) if you truly want to treat the partition as system space. It may be okay to leave as is, but deny all will make the partition unreadable from Guarded Applications as well as protect it from being written to.
     
  25. Ashanta

    Ashanta Registered Member

    Joined:
    Aug 21, 2007
    Posts:
    702
    Location:
    Europe
    Thanks Barb for your explanation ;)

    It was set up on 'Deny Access' because I was on my user account and I couldn't modify on 'read'.

    I logged into my admin account to change this.