AppGuard 3.x 32/64 Bit

Discussion in 'other anti-malware software' started by shadek, Mar 12, 2011.

Thread Status:
Not open for further replies.
  1. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    It depends how you define HIPS. If by HIPS, you mean any security program that works solely by behavioural monitoring without using signatures then you could say that. It's still important though to make distinctions as to how various types of security software actually work to ensure like-for-like comparison. AppGuard is policy restriction based on the concept of a trusted enclave, which is a different security model to a classical HIPS like Comodo for example.
    There isn't any free software that is functionally the same as AppGuard. The nearest equivalent to AppGuard functionally is DefenseWall and that isn't free either.
    That's true of any security program if you use it as the sole means of protection; that's why layered security is usually recommended. For maximum protection, AppGuard is best combined with an AV and/or a light virtualization program of some kind, plus a router and firewall for inbound network protection. That said, AppGuard will stop most malware so the chance of a bypass, even using AppGuard as the only layer (other than a router and firewall), practically speaking is small.
    That's your choice, which I respect. AppGuard is designed to provide strong security, silently blocking any behaviour that contravenes the policy in respect of untrusted processes without involving the user in decision making. For anybody who wants explicit control over their system and involvement in the decision making, a classical HIPS may suit better.
    Files can be downloaded without disabling AppGuard protection but the AppGuard protection level has to be lowered to install new software. This is intentional and stops drive-by downloads from surreptitiously installing software.
    Personally, I wouldn't call $20 for a 3-user lifetime license overpriced, considering that Blue Ridge Networks are still recouping their initial development costs, but you are free to disagree.

    Kind regards
     
    Last edited: Sep 30, 2012
  2. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    Me too - which is why I open the event viewer and clear down the application section whenever I am doing some system maintenance. :)
     
  3. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    The only configuration necessary is to ensure that the Adobe Reader and Excel are listed as guarded applications. For best protection run AppGuard with the protection level set to High or Locked Down.
     
  4. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,576
  5. arsenaloyal

    arsenaloyal Registered Member

    Joined:
    Nov 1, 2009
    Posts:
    513
Thanks for the reply pegr, I am actually running this alone now, without an AV, and have guarded my PDF reader and office application; I use Corel Word Perfect!

    I hope it protects me from pdf exploits !
     
  6. Securon

    Securon Registered Member

    Joined:
    Jan 11, 2009
    Posts:
    1,960
    Location:
    London On
Good Morning! Well, while downloading Revo Uninstaller from Download.com the Snap Do Smart Toolbar installed itself on my Chrome and I.E.9 browsers... I use Opera and it doesn't affect, or is that infect... Opera... I left a support inquiry with Blue Ridge... and since it's Sunday... I had a feeling they might not be available. I'll provide you with AppGuard's detection of the toolbar path... 09/30/12 10:02:44 Prevented process <msnsspc.dll - C:\Windows\System32\rundll32.exe> from launching from <c:\users\securon\appdata\local\smartbar\application>. As you can guess, how do I remove this garbage from my system? Hopefully AppGuard did its job. I'd appreciate any help in providing instructions for its removal. Sincerely... Securon
     
  7. DBone

    DBone Registered Member

    Joined:
    Nov 24, 2010
    Posts:
    1,041
    Location:
    SoCal USA
    Windows 7 Home Premium x64 SP1, No AV, Google Chrome

    Quick question, I selected to report all 4 alerts just to see what AG was doing. When I use Chrome and AG set to High, I get the following alerts:

    09/30/12 09:12:21 Prevented <Google Chrome> from writing to <\registry\machine\system\controlset001\control\mediaresources>.
    09/30/12 09:12:21 Prevented <Google Chrome> from writing to <\registry\machine\system\currentcontrolset\control\mediaresources\msvideo>.
    09/30/12 09:12:21 Prevented <Google Chrome> from writing to memory of <Google Chrome>.
    09/30/12 09:12:15 Prevented <Google Chrome> from writing to memory of <Google Chrome>.
    09/30/12 09:12:10 Prevented <Google Chrome> from writing to memory of <Google Chrome>.
    09/30/12 09:12:04 Prevented <Google Chrome> from writing to memory of <Google Chrome>.
    09/30/12 09:12:02 Prevented <Google Chrome> from writing to memory of <Google Chrome>.
    09/30/12 09:11:31 Prevented <Google Chrome> from writing to memory of <Google Chrome>.
    09/30/12 09:10:56 Prevented <Google Chrome> from writing to memory of <Google Chrome>.
    09/30/12 09:10:14 Prevented <Google Chrome> from writing to memory of <Google Chrome>.
    09/30/12 09:10:08 Prevented <Google Chrome> from writing to memory of <Google Chrome>.
    09/30/12 09:09:58 Prevented <Google Chrome> from writing to memory of <Google Chrome>.
    09/30/12 09:09:54 Prevented <Google Chrome> from writing to <\registry\machine\software\wow6432node\microsoft\cryptography\rng>.
    09/30/12 09:09:51 Prevented <Google Chrome> from writing to memory of <Google Chrome>.
    09/30/12 09:09:50 Prevented <Google Chrome> from writing to memory of <Google Chrome>.


My question is, is Chrome somehow affected adversely by AG blocking its normal and expected actions? Does it slow Chrome by doing this? I'm not really sure what the above alerts are trying to tell me, and they only show up after I check the Privacy Alert box.

    Still trying to understand this program! o_O
     
  8. Securon

    Securon Registered Member

    Joined:
    Jan 11, 2009
    Posts:
    1,960
    Location:
    London On
Good Afternoon! Was finally able to remove the Snap.do Smart (malware) Toolbar from both I.E.9 and Google Chrome... thanks to Nick ADSL... thread on removal of the Babylon Toolbar... same satisfactory result achieved in the removal of Snap.do... many thanks Nick... and this of course applies to all fellow Wilderites... for future use. Lesson learnt... be very careful in downloading from Download.com... to align themselves with such borderline organizations to fatten their download metrics... smells big time. Sincerely... Securon
     
    Last edited: Sep 30, 2012
  9. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,576
    I changed AppGuard's Protection Level from "High" to "Locked Down" while Firefox was opened and sandboxed. Then I opened and updated some Malware scanners with no issues and then closed these Malware scanners.

    I noticed that AppGuard's log showed three entries two of which were related to AVG's Linkscanner not being allowed to access memory and the other was related to Firefox. I decided to change the Protection Level back to "High". The PC seemed to be locked up for a few seconds then started working OK again. I left the PC for a few minutes and when I came back I found that the PC had restarted with the error message about Windows having encountered a Serious Error.

    What do you make of this restart? This PC is very stable and it has been years since this PC has made such a sudden restart (crash).
     
  10. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
Always choose advanced install when installing anything. It's really common for software providers to try to sneak in additional junk software.
     
  11. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
I know that we tested AppGuard with Windows 8. I will check with QA to determine if they verified MBRGuard as well.

    Recently we saw one issue with MBRGuard not installing on Windows 7 64 bit. In that case we suspect that another security application interfered with its installation.

    If you email AppGuard@BlueRidgeNetworks.com, I can send you some instructions that will help us isolate the issue.

    Is AppGuard interfering with Deepfreeze's installation? If so, did you try reducing AppGuard's protection to Install?
     
  12. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    If you are not noticing any issues with Chrome, it is most likely not being affected by these blocks.

    Usually AppGuard blocking events can be ignored unless you’ve noticed that an application is not performing an operation that you’ve initiated. The detailed explanation follows:

    There are two major classes of AppGuard blocks:

    1. AppGuard prevented an application from launching: This is usually because an executable file (i.e. program or script) is trying to run from a user-space location (desktop, My Documents Folder, USB Thumb Drive, etc.). Normally programs are not installed into these locations and it is suspicious whenever a program is launched from user-space so AppGuard will block these programs from running. Some legitimate programs do install into user-space (especially if they are being installed by a user that does not have administrative privileges). Google Chrome is an example of this type of program. In this case, the application can be added to the AppGuard Guard list and it will be allowed to launch from user-space. If you weren’t trying to launch one of your programs and you are seeing this type of event, then it may be the result of malware. Since AppGuard blocked the program, the malware has not been able to damage your PC, but you may want to use an Anti-Virus program to clean it up (provided that the AV is aware of this particular virus – it may take a week or so for AV software to detect the newest viruses). If you don't have an AV, we recommend Microsoft Security Essentials. It's a free download.
    2. AppGuard prevented a Guarded application from reading or writing a protected system resource. This block could be due to one of the following:
      • AppGuard is blocking a non-compromised application from performing a suspicious operation. In most cases, the block does not affect the application’s operation and can be ignored. If the block is affecting the application’s operation (and you don’t suspect malware) then you can temporarily lower the protection level or suspend AppGuard protection and retry the operation.
      • Malware exploited a legitimate application and is attempting to make changes to your system. In this case, AppGuard has protected your system and no action is required. Although it is difficult to know whether the block was due to malware or one of the above cases, if you do suspect malware you should:
        • Quit the application, the sooner the better.
• Note whatever files are open via that application, particularly those opened for the first time such as an email attachment or a downloaded file (i.e., the most likely suspects).
        • If you don't need to save any changes, then don't. If you must, note that you did so. It's possible that the malware that compromised this application can implant something into your open documents.
        • You may want to use an Anti-Virus program to clean up the malware.
     
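To make the two block classes above concrete, here is an added Python example (not AppGuard's code, nor Barb_C's) that parses event lines in the format quoted earlier in this thread and sorts them into launch blocks and guarded-app resource blocks; the sample lines, the user-space directory markers and the function names are constructed assumptions.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample lines in the format quoted in this thread (not a real capture).
SAMPLE_LOG = r"""
09/30/12 10:02:44 Prevented process <msnsspc.dll - C:\Windows\System32\rundll32.exe> from launching from <c:\users\securon\appdata\local\smartbar\application>.
09/30/12 09:12:21 Prevented <Google Chrome> from writing to <\registry\machine\system\currentcontrolset\control\mediaresources\msvideo>.
09/30/12 09:12:21 Prevented <Google Chrome> from writing to memory of <Google Chrome>.
09/30/12 09:09:54 Prevented <Google Chrome> from writing to <\registry\machine\software\wow6432node\microsoft\cryptography\rng>.
"""

TS = r"(?P<ts>\d\d/\d\d/\d\d \d\d:\d\d:\d\d)"
# Class 1: a process was stopped from launching out of some directory.
LAUNCH_RE = re.compile(TS + r" Prevented process <(?P<who>[^>]+)> from launching from <(?P<target>[^>]+)>\.$")
# Class 2: a guarded app was stopped from writing a protected resource (or a process's memory).
WRITE_RE = re.compile(TS + r" Prevented <(?P<who>[^>]+)> from writing to (?P<mem>memory of )?<(?P<target>[^>]+)>\.$")

# Assumed user-space markers; a launch from here is the case the post says may be malware.
USER_SPACE_MARKERS = ("\\users\\", "\\appdata\\", "\\documents and settings\\")

@dataclass
class Event:
    ts: str
    category: str  # "launch" or "write"
    kind: str      # launch: "user-space" / "other"; write: "registry" / "memory" / "file"
    who: str
    target: str

def classify_event(line: str) -> Optional[Event]:
    """Map one AppGuard event line onto the two block classes described in the thread."""
    if m := LAUNCH_RE.match(line):
        kind = "user-space" if any(k in m["target"].lower() for k in USER_SPACE_MARKERS) else "other"
        return Event(m["ts"], "launch", kind, m["who"], m["target"])
    if m := WRITE_RE.match(line):
        if m["mem"]:
            kind = "memory"
        elif m["target"].lower().startswith("\\registry\\"):
            kind = "registry"
        else:
            kind = "file"
        return Event(m["ts"], "write", kind, m["who"], m["target"])
    return None  # configuration events and anything else are not triaged here

def parse_events(log: str) -> List[Event]:
    return [e for line in log.splitlines() if (e := classify_event(line.strip()))]

def summarize(log: str) -> Dict[Tuple[str, str], int]:
    """Count events per (category, kind); user-space launches are the ones to look at first."""
    return dict(Counter((e.category, e.kind) for e in parse_events(log)))
```

Memory and registry writes by a guarded app are the "usually ignorable" class from the post; the one launch from under \users\appdata is the line that deserves follow-up.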
  13. DBone

    DBone Registered Member

    Joined:
    Nov 24, 2010
    Posts:
    1,041
    Location:
    SoCal USA
    Wow, thanks for that Barb. :) Everything works great for me, but I was just being me, and being curious at what AG was doing so I enabled all alerts. Your explanation was very helpful, thank you!
     
  14. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    Adobe reader and Office* Applications are protected by AppGuard as soon as AppGuard is installed without changing any settings. If you are using other applications to open these files then you can add those applications to AppGuard's Guard List (Guarded Apps tab on the Customization interface).

*If you are using the 64-bit version of Office, then we've had reports that AppGuard has trouble finding these applications. In that case you will have to manually add the 64-bit version of the Office applications to the AppGuard Guard list. If the applications are listed in the AppGuard Guard List (Guarded Apps tab), then you can be assured that AppGuard is guarding those applications.
     
  15. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    I would recommend adding Corel Word Perfect to the AppGuard Guard List.
     
  16. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    Click on "None" and "Apply" on the Alerts tab. That will stop the reporting of "AppGuard Action" (i.e. AppGuard blocking) events, but "AppGuard Configuration" events will still be reported. I'll propose to Product Management that we allow a configuration option to not report any events to the Windows event log.
     
  17. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    I've asked the developers to look into MBRGuard and Windows 8. Since two of you are reporting this, there may be an issue that our QA department overlooked.
     
  18. arsenaloyal

    arsenaloyal Registered Member

    Joined:
    Nov 1, 2009
    Posts:
    513

Thanks for replying, yes I have added Corel office to the guarded apps list now.
     
  19. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,576
    Do you think that the Serious Error that I got was because I had Firefox open and sandboxed when I made the Protection Level changes? It seems like it is a good practice to leave programs closed when making changes in Protection Levels.
     
  20. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,576
    Any comments/suggestions?
     
  21. arsenaloyal

    arsenaloyal Registered Member

    Joined:
    Nov 1, 2009
    Posts:
    513
All I did was to change the container folder of Sandboxie to another drive and no probs with AppGuard whatsoever!
Assuming you have a different drive/partition, just go to the sandbox options and select "set container folder", and change to a drive other than C.

    I run SBIE with appguard in lockdown mode.
     
  22. 22ndcitysaint

    22ndcitysaint Registered Member

    Joined:
    Sep 22, 2011
    Posts:
    62
    Location:
    PH
I am using AppGuard for two weeks now and I just noticed something. Every time I start my laptop, an instance of msiexec.exe is running. So I checked it out in Services (services.msc) and found out that it was set to Manual. I decided to disable the AppGuard service and I rebooted. msiexec.exe didn't start anymore. But I set the AppGuard service to Automatic again and msiexec.exe was running again when I rebooted. Any help? Thanks!
     
  23. arsenaloyal

    arsenaloyal Registered Member

    Joined:
    Nov 1, 2009
    Posts:
    513

I have noticed the same thing, but I am not sure if AppGuard needs that particular service for something...
     
  24. DBone

    DBone Registered Member

    Joined:
    Nov 24, 2010
    Posts:
    1,041
    Location:
    SoCal USA
    It's not running on my Windows 7 X64 Home Premium machine.
     
  25. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    That's odd. I don't think AppGuard is relying on msiexec.exe to be running. Could it have been due to a program update vs. AppGuard? BTW, I'm running Windows 7 Ultimate on 64-bit and I am not seeing msiexec.exe running.
     
    Last edited: Oct 3, 2012