AppGuard 3.x 32/64 Bit

Discussion in 'other anti-malware software' started by shadek, Mar 12, 2011.

Thread Status:
Not open for further replies.
  1. noons

    noons Registered Member

    Joined:
    Apr 27, 2007
    Posts:
    115
    Hey Barb_C, I have an odd issue I am seeing with AppGuard. I basically have a 2nd drive on my desktop where I install all my games. It seems that sometimes when I resume from sleep I get a bunch of process .dll blocks from rundll32 to my various game folders. The odd thing is none of these games are active. This doesn't look like something that should be happening..
     


  2. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    I too am seeing odd behaviour involving a rundll32.exe DLL blocked launch that occurs when deleting browsing history on exit from IE8 on Windows XP:

    08/09/12 02:15:25 Prevented process <ntshrui.dll - C:\WINDOWS\system32\rundll32.exe> from launching from <c:\documents and settings\administrator\desktop>.

    I understand that AppGuard (at High protection level) appears to be blocking what it sees as an attempt to launch an unsigned executable from user space; but ntshrui.dll isn't located on the desktop: it is located in the C:\WINDOWS\system32 folder, which is in system space. I'm not sure if the two issues are connected but I thought I'd post this anyway in case it helps to diagnose the cause.
     
  3. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    That does seem odd. How do you know the games are not running? Is there perhaps a game process that is still running after you've closed down the game?
     
  4. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    The message indicates that AppGuard is blocking the dll from being launched from user space (on the desktop). Perhaps the OS copies the dll in question to the desktop prior to launching?
     
  5. noons

    noons Registered Member

    Joined:
    Apr 27, 2007
    Posts:
    115
    Nope, there is definitely no process running. I even checked the scheduled tasks to make sure there wasn't any behind-the-scenes updating going on.
     
  6. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    Maybe, but there is no hard evidence that this is happening and I'm not sure why the OS would need to do that. Are you sure this isn't a bug within AppGuard?
     
  7. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    There's one way to find out. You can monitor what happens with Sysinternals Process Monitor. If such actions do happen, then you'll see them happening.
     
  8. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    I've already done that, but the process in question runs so quickly that there is no time to monitor it before it terminates. Process Monitor does confirm that every other DLL loaded by IE8 that is located in C:\WINDOWS\system32 runs from its original location, though, without being copied to the desktop.
     
  9. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Have you tried the option to monitor the full session? I don't recall the exact steps, but you can configure it to monitor the session of a specific user account (also with specific processes, etc.) and log it to a file. Then you can load the log into Process Monitor, and you'll be able to see what happened post mortem.

    You may have to log off and log back in, I think... or even reboot, actually.
     
  10. How should I install Appguard? Is there a picture guide on how to do it?

    I just bought a license and for $20 it's good value.
     
  11. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    Thanks for the information and for your assistance. :)

    Process Monitor is reporting that rundll32.exe is attempting to open ntshrui.dll from the desktop. Even with AppGuard disabled the attempt to open the file from the desktop fails because ntshrui.dll is located in the system32 folder. rundll32.exe then successfully opens ntshrui.dll from the system32 folder anyway.

    Although it's strange behaviour by rundll32.exe, AppGuard is monitoring and handling the behaviour correctly.

    Kind regards
     
  12. Livix

    Livix Registered Member

    Joined:
    Jul 20, 2012
    Posts:
    13
    I've been getting a lot of rescache.hit blocking messages; they seem to be more frequent recently, e.g.:

    08/13/12 22:52:24 Prevented process <Skype> from writing to <c:\windows\rescache\rc0005\rescache.hit>.

    It tends to be when I open Skype or go to a webpage with Flash content. Now that it's more frequent I thought I'd stop by here in the hope someone can explain to me better what might be going on.
     
  13. Brandonn2010

    Brandonn2010 Registered Member

    Joined:
    Jan 10, 2011
    Posts:
    1,854
    Hello. I've started a thread in another section about this issue, but since AppGuard is involved I want to post it here too in case you can reproduce or make sense of it.

    Since I reinstalled Chrome a few days ago, and it updated to 21, a couple of times a day I get events like these in AppGuard:

    08/10/12 18:05:01 Prevented <Google Installer> from reading memory of <Google Installer>.
    08/10/12 18:05:01 Prevented <Google Installer> from reading memory of <Task Scheduler Engine>.
    08/10/12 18:05:01 Prevented <Google Installer> from reading memory of <KeePass Password Safe 1.23>.
    08/10/12 18:05:01 Prevented <Google Installer> from reading memory of <Catalyst Control Center: Host application>.
    08/10/12 18:05:01 Prevented <Google Installer> from reading memory of <Catalyst Control Center: Monitoring program>.
    08/10/12 18:05:01 Prevented <Google Installer> from reading memory of <AppGuard GUI Application>.
    08/10/12 18:05:01 Prevented <Google Installer> from reading memory of <avast! Antivirus>.
    08/10/12 18:05:01 Prevented <Google Installer> from reading memory of <Windows Explorer>.
    08/10/12 18:05:01 Prevented <Google Installer> from reading memory of <Desktop Window Manager>.
    08/10/12 18:05:01 Prevented <Google Installer> from reading memory of <Host Process for Windows Tasks>.

    Can you figure out why Chrome is doing this?
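    The three kinds of block lines quoted in this thread (the rundll32.exe launch block, the Skype rescache.hit write block, and the Google Installer memory-read blocks) share one log format. The script below is an added triage example, not AppGuard's own tooling: it parses that format, counts events by kind, tallies which processes each source was prevented from reading, and lists launch blocks whose target is under a user-profile path. The user-space prefixes are an assumption for this example, since AppGuard's own definition of user space is not given in the thread, and the sample log is constructed from the lines quoted above.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample in the AppGuard 3.x log format quoted in this thread.
SAMPLE_LOG = r"""
08/09/12 02:15:25 Prevented process <ntshrui.dll - C:\WINDOWS\system32\rundll32.exe> from launching from <c:\documents and settings\administrator\desktop>.
08/13/12 22:52:24 Prevented process <Skype> from writing to <c:\windows\rescache\rc0005\rescache.hit>.
08/10/12 18:05:01 Prevented <Google Installer> from reading memory of <Google Installer>.
08/10/12 18:05:01 Prevented <Google Installer> from reading memory of <KeePass Password Safe 1.23>.
08/10/12 18:05:01 Prevented <Google Installer> from reading memory of <avast! Antivirus>.
"""

TIMESTAMP = re.compile(r"^(?P<ts>\d\d/\d\d/\d\d \d\d:\d\d:\d\d) (?P<body>.*)$")
# One pattern per event type seen in the thread; "<module - image>" is the launch form.
PATTERNS = {
    "launch": re.compile(r"^Prevented process <(?:(?P<module>[^>]*?) - )?(?P<image>[^>]*)> "
                         r"from launching from <(?P<target>[^>]*)>\.$"),
    "write": re.compile(r"^Prevented process <(?P<image>[^>]*)> from writing to <(?P<target>[^>]*)>\.$"),
    "memory_read": re.compile(r"^Prevented <(?P<image>[^>]*)> from reading memory of <(?P<target>[^>]*)>\.$"),
}
# Assumption for this example: profile directories count as user space (XP and Vista+ layouts).
USER_SPACE_PREFIXES = ("c:\\documents and settings\\", "c:\\users\\")

def is_user_space(path):
    return path.lower().startswith(USER_SPACE_PREFIXES)

def parse_line(line):
    """Return a dict (kind, ts, image, target, module) for one event line, or None."""
    m = TIMESTAMP.match(line.strip())
    if not m:
        return None
    for kind, pat in PATTERNS.items():
        ev = pat.match(m.group("body"))
        if ev:
            d = ev.groupdict()
            d["kind"] = kind
            d["ts"] = datetime.strptime(m.group("ts"), "%m/%d/%y %H:%M:%S")
            return d
    return None

def summarize(log_text):
    """Count events by kind, tally memory-read targets per source, list user-space launch blocks."""
    counts, mem_targets, user_space_launches = Counter(), defaultdict(Counter), []
    for ev in filter(None, map(parse_line, log_text.splitlines())):
        counts[ev["kind"]] += 1
        if ev["kind"] == "memory_read":
            mem_targets[ev["image"]][ev["target"]] += 1
        elif ev["kind"] == "launch" and is_user_space(ev["target"]):
            user_space_launches.append((ev["module"], ev["image"], ev["target"]))
    return {"counts": dict(counts), "user_space_launches": user_space_launches,
            "memory_read_targets": {k: dict(v) for k, v in mem_targets.items()}}
```

Point the summary at a full AppGuard log export and the memory-read tally shows at a glance whether one source (here Google Installer) accounts for all the blocks, which is the question this thread is circling.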
     
  14. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I just thought of a reasonable explanation for Brandonn's logs. Does anyone know if Chrome has a helper object or function that checks applications on the user's machine that are known to have plugins for Chrome? Chrome could be checking for compatibility, and for changes made to those applications, like checking to see if those applications have been updated since Chrome last accessed them. It could also be sending feedback to the Chrome development team to improve Chrome's efficiency and compatibility with those applications. I would be willing to bet that is why Chrome is communicating with all those applications, and thus AG is blocking Chrome from reading the memory of those applications. I don't think Chrome needs to be able to read the memory of applications to accomplish this, so it's just forcing Chrome to operate more safely. That's basically how AG operates to enhance your security. It forces applications to follow safer practices or to run in a safer manner. You can't always depend on coders to follow best security practices. Security may not be their #1 priority or goal in mind. In Windows' case it is usually usability and appeal, which equals more money. This takes priority for many developers instead of safer practices for more secure applications. AG is essentially protecting your system by not allowing applications to execute risky behavior. Exceptions should only be made if it is causing a known issue with your system.
     
    Last edited: Aug 13, 2012
  15. Brandonn2010

    Brandonn2010 Registered Member

    Joined:
    Jan 10, 2011
    Posts:
    1,854
    Also, I reinstalled it today, but this time I got it from Google, instead of Softpedia, and it has yet to do it...
     
  16. Blackcat

    Blackcat Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    4,024
    Location:
    Christchurch, UK
    It's just teasing you, those memory logs will soon appear.
     
  17. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    It's pretty straightforward. Just launch the install program (run as administrator) and follow the instructions. If you need further instruction, email AppGuard@BlueRidgeNetworks.com and I will send you detailed instructions.
     
  18. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    PEGR, thanks for getting to the bottom of this. I didn't think that AppGuard had a bug in this area, but I hadn't had a chance to follow up. Me thinks you're after my job again :D Seriously, I really appreciate the assist!
     
  19. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    Thanks, Cutting! You explained this better than I could have.
     
  20. Brandonn2010

    Brandonn2010 Registered Member

    Joined:
    Jan 10, 2011
    Posts:
    1,854
    Well it did do it again. But you are saying it is not a big deal?
     
  21. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Unless you are experiencing problems in functionality with Chrome, then it should not be a problem. You could contact the Chrome development team if you really want to know why Chrome wants to read the memory of all those applications. Is Chrome able to update OK? When I used to use Chrome that was an issue for a while until a fix was found.
     
  22. Brandonn2010

    Brandonn2010 Registered Member

    Joined:
    Jan 10, 2011
    Posts:
    1,854
    I tried to find it and couldn't. I ended up making a post on the Chrome forum but haven't had any replies. What is their email?
     
  23. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I would just post in the Chrome forum. I don't know of an email. Many developers make up the Chrome team, so it may be best to post in the forum anyway.
     
  24. Solarlynx

    Solarlynx Registered Member

    Joined:
    Jun 25, 2011
    Posts:
    2,015
    Am I right that AppGuard does not substitute for a firewall? That is, if I want to be AV-less with AppGuard I must additionally install some firewall, is that right?
     
    Last edited: Aug 15, 2012
  25. ams963

    ams963 Registered Member

    Joined:
    May 3, 2011
    Posts:
    6,039
    Location:
    Parallel Universe
    I'm interested in AG. Is it needed with my setup? What more can AG offer that the apps in my setup do not already? Will my other apps like AG if I try to insert it into the setup, that is, are there any compatibility issues?

    Best Wishes,
    Amit
     