AppGuard 3.x 32/64 Bit

Discussion in 'other anti-malware software' started by shadek, Mar 12, 2011.

Thread Status:
Not open for further replies.
  1. TomAZ

    TomAZ Registered Member

    Joined:
    Feb 27, 2010
    Posts:
    1,131
    Location:
    USA
    Ahh-sooo. . . I see. I should have just tried that, I guess :eek:.
     
  2. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    i was kind of hoping i would not be able to.

    if i can install a plugin in Locked Down mode, what's to keep a drive-by exploit from delivering its malicious payload?
     
  3. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Actually I think it depends. If the plugin runs as an exe, then most likely it won't. But if it installs through the browser, then AppGuard probably won't stop it. From what I remember seeing though, Firefox challenges the install and asks if you want to allow it.

    Also I run Sandboxie, so that also protects me. (Layers).

    Pete
     
  4. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    For clarity, the add-on I installed while in Locked Down mode to test this was an extension, not a plugin, but the same general principles should apply to both.

    In order for a website to install a plugin or extension into Firefox, it would either have to run a separate exe file, which AppGuard's drive-by download protection should prevent, or it would need to inject code directly into the memory space of Firefox, which MemoryGuard should prevent. In any case, as Peter2150 said, Firefox should also challenge the install.

    Whilst nothing is certain, the practical risk of a browser-borne exploit getting past AppGuard and installing a malicious add-in into Firefox appears to be minimal. I also combine policy restriction with virtualization, either Sandboxie or Shadow Defender according to my mood (Layers as Pete said). Plus I keep backups of my Firefox profile so that I can always restore it if anything untoward happens.
     
  5. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    thnx to both peter and pegr for the detailed explanations. :thumb:
     
  6. TomAZ

    TomAZ Registered Member

    Joined:
    Feb 27, 2010
    Posts:
    1,131
    Location:
    USA
    Can't remember whether or not I've already asked this, but here goes anyway.

    I'm using AppGuard 3.5 along with Sandboxie 3.76 on Windows XP. If I upgrade to Sandboxie 4.04, will I need to make any changes in AppGuard -- or should it be okay the way it's currently set?
     
  7. chris1341

    chris1341 Guest

    I didn't have to change anything. Sandbox container in user space and sbiectrl.exe (Read), sandboxierpcss.exe (Read & Write) and sbiesvc.exe (Read and Write) Memory Guard exceptions is what I've used since SBIE 3.7xx and still works fine on 4.04.xx (and the 4.05.xx betas)

    Cheers
     
  8. gsarang

    gsarang Registered Member

    Joined:
    Feb 28, 2012
    Posts:
    56
    easy, safe, light, fast, etc. :thumb:
     
  9. acr1965

    acr1965 Registered Member

    Joined:
    Oct 12, 2006
    Posts:
    4,995
    going to try this...windows 7 ultimate, 32 bit, I did not have good results with applocker, so will see how this turns out...any suggestions as to initial set up?
     
  10. Brandonn2010

    Brandonn2010 Registered Member

    Joined:
    Jan 10, 2011
    Posts:
    1,854
    The beauty of it is there isn't really anything to set up. Just install and keep it at High or Locked Down unless you need to install something. If an app you use keeps getting blocked, just add it to Power Apps. Other than that it is very easy to use.
     
  11. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    The only thing I would add to this is that the use of the Power Apps feature is best restricted to other security applications. It shouldn't be used as a general workaround, only where necessary. Most blocked events can be resolved by AppGuard configuration without exempting the application from AppGuard protection.
     
  12. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,872
    Location:
    Outer space
    I tried High with MemRead protection enabled, no side effects so far :)
     
  13. acr1965

    acr1965 Registered Member

    Joined:
    Oct 12, 2006
    Posts:
    4,995
    I get red warning messages that Chrome is trying to write to the registry and update. How do I make sure products are able to update properly and keep them protected at the same time? Will flash, java, etc all be blocked when trying to update?
     
  14. Ashanta

    Ashanta Registered Member

    Joined:
    Aug 21, 2007
    Posts:
    702
    Location:
    Europe
    I don't understand why I have the following messages for SpyShelter and Malwarebytes Anti-Malware since both are added to the Powerapps list :


    "10/02/13 11:02:43 Prevented <WMI Provider Host> from reading memory of <SpyShelter GUI>.
    10/02/13 11:02:43 Prevented <WMI Provider Host> from writing to memory of <SpyShelter GUI>.
    10/02/13 11:02:43 Prevented <WMI Provider Host> from reading memory of <Malwarebytes Anti-Exploit>.
    10/02/13 11:02:43 Prevented <WMI Provider Host> from writing to memory of <Malwarebytes Anti-Exploit>.
     
  15. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,872
    Location:
    Outer space
    If you want to update a program you have to set AG to install mode, this is a policy-based program, so it makes no differentiation between good and bad, which gives great protection, but is a little less convenient.

    SS and MBAM aren't being blocked, WMI Provider Host is. If you're using version 3.5, Powerapps are now being MemoryGuarded afaik.
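
The reading of those log lines given in the reply above (the first name is the process that was blocked, the second is the protected application), as an added example that is not part of the thread and not AppGuard's own code. The line format is assumed from the four lines quoted in the thread, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: the four block events quoted in the thread.
SAMPLE_LOG = """\
10/02/13 11:02:43 Prevented <WMI Provider Host> from reading memory of <SpyShelter GUI>.
10/02/13 11:02:43 Prevented <WMI Provider Host> from writing to memory of <SpyShelter GUI>.
10/02/13 11:02:43 Prevented <WMI Provider Host> from reading memory of <Malwarebytes Anti-Exploit>.
10/02/13 11:02:43 Prevented <WMI Provider Host> from writing to memory of <Malwarebytes Anti-Exploit>.
"""

# Assumed format, inferred only from the lines above:
# <date> <time> Prevented <ACTOR> from (reading|writing to) memory of <TARGET>.
EVENT_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"Prevented <(?P<actor>[^<>]+)> from (?P<op>reading|writing to) "
    r"memory of <(?P<target>[^<>]+)>\.\s*$"
)

def parse_events(text):
    """Return (events, unparsed) so unknown line shapes are never silently dropped."""
    events, unparsed = [], []
    for line in text.splitlines():
        line = line.strip().strip('"')  # the forum paste wrapped the block in quotes
        if not line:
            continue
        m = EVENT_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["op"] = "read" if ev["op"] == "reading" else "write"
            events.append(ev)
        else:
            unparsed.append(line)
    return events, unparsed

def summarize(events):
    """Map blocked actor -> protected target -> sorted list of denied operations."""
    summary = defaultdict(lambda: defaultdict(set))
    for ev in events:
        summary[ev["actor"]][ev["target"]].add(ev["op"])
    return {a: {t: sorted(ops) for t, ops in tg.items()} for a, tg in summary.items()}

if __name__ == "__main__":
    events, unparsed = parse_events(SAMPLE_LOG)
    for actor, targets in summarize(events).items():
        for target, ops in targets.items():
            print(f"blocked: {actor} -> protected: {target} ({'/'.join(ops)})")
```
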
     
  16. acr1965

    acr1965 Registered Member

    Joined:
    Oct 12, 2006
    Posts:
    4,995
    So do most Appguard users also use one of those all-in-one update checkers so all needed updates for different programs can be installed at once?
     
  17. chris1341

    chris1341 Guest

    Don't know about most but I do, not only because of AG but also I spend a lot of time in Shadow Mode with Shadow Defender. No point going through auto updates that don't stick. Normally check for updates weekly.
     
  18. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Yes and no for me. I do have all auto updates turned off, as most of the time they just get in the way. But I don't use one of those checkers. I just update those things I feel important.

    Pete
     
  19. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    If the plugin installs with an exe then, as some others have posted, AppGuard will prevent it in Locked Down level. If it is running within the browser, then AppGuard will contain it within the browser and no persistent damage can be done. If Firefox is installed in program files, then when you stop and start Firefox whatever bad stuff was running in Firefox should be eliminated. If Firefox is installed in user profile (not sure if this is an option, but I know that Chrome can be installed there) then perhaps add the Firefox program directory as a protected resource on the Guarded Apps tab.
     
  20. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    Note to self: We should add a similar page in 4.x as this is no longer available in 4.0. There will be info in the help file but not as easy to get to.
     
  21. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    Sorry to alarm you with my honesty (perhaps Blue Ridge shouldn't allow an Engineer loose on these boards), but right now we are focusing on the 0-day attack entry points into the system (i.e. 0-day vulnerabilities in the most widely used applications). I believe that AppGuard (even without MBRGuard) provides the best 0-day protection out there. We believe that if it had wider adoption it would go a long way to preventing malware from spreading in the world. Many of the attacks that you read about (including the one in the news this week regarding I.E) are stopped by AppGuard.

    BTW, if you are willing to beta test the 4.0 product you will get a free license. If you are running on a 32 bit machine, I think that I can provide you with a separate install package for MBRGuard. I believe we have one for 64-bit ready as well, but it hasn't been through QA yet.
     
  22. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    We're shooting for Oct 15 for the official release. I hope to have the beta be blessed sometime over the weekend. Monday at the latest for a short beta. The 4.0 version has been in our QA for over a month and I think it is solid. The main testing that is going on now is with the new licensing mechanism.

    BTW, I would recommend downloading and saving the latest 3.5 version of the install package so that you can revert back to 3.5 if you don't want to keep 4.0 after the Beta. I know some of you want the old MemoryGuard policy (and MBRGuard) and you will not get those in this version of 4.x. We'll try to provide the controls for MemoryGuard in a future release and most likely MBRGuard will be a separate product in the future. After the 4.0 is officially released, I'm not sure that 3.5 will be available from our web site.

    Also, with our new MemoryGuard policy, although we have somewhat relaxed the policy as far as "trusted" applications (i.e. those programs that aren't Guarded), we're increasing the Guarded applications' default MemoryGuard policy (i.e. the previous version of AppGuard Guarded Applications were not configured for MG read protection except in the Locked Down level).
     
    Last edited: Oct 4, 2013
  23. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Barb

    Considering your handle, and the list of BlueRidge personnel, I think I have figured out who you are. I for one am delighted you are here on Wilders and hope you continue your presence. It speaks highly of you, Blueridge and Appguard.

    Also I am glad you are separating out MbrGuard. I have two people who couldn't install Appguard because Mbrguard failed to install. Good move.

    I am ready to test both x86 and x64 versions of both Appguard 4.0 and Mbrguard.

    pete
     
  24. FleischmannTV

    FleischmannTV Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,094
    Location:
    Germany
    I concur with Peter and I am looking forward to the 4.0 Beta as well.
     
  25. acr1965

    acr1965 Registered Member

    Joined:
    Oct 12, 2006
    Posts:
    4,995
    I see the license is $20 for 3 PC's. Is the license for one year or for the version 3's or something else? Also, if a license is purchased now will there be a free upgrade to version 4 when it is released?

    FWIW - I know others may not favor this, but I like video tutorials of products if that's possible.
     