AppGuard 4.x 32/64 Bit - Releases

Discussion in 'other anti-malware software' started by Jryder54, Oct 29, 2013.

Thread Status:
Not open for further replies.
  1. fearlessscientist

    fearlessscientist Registered Member

    Joined:
    Sep 6, 2013
    Posts:
    166
    Location:
    USA
    Yes, you can try that.
     
  2. Arcanez

    Arcanez Registered Member

    Joined:
    Oct 5, 2011
    Posts:
    417
    Location:
    Event Horizon
    I have received some weird AppGuard alerts lately where certain DLL files are denied to execute. The files all belong to an AMD Catalyst Beta Driver package 13.11 beta 7. The strange thing about this is that AppGuard keeps blocking these DLL files although they are no longer on the computer/inside the specified path.

    As an example:

    12/20/13 22:16:27 Prevented process <mfc110u.dll | C:\Windows\System32\rundll32.exe> from launching from <d:\downloads\amd_catalyst_13.11_betav7>.

    setupresources.dll ; sqmapi.dll ; setupengine.dll ; setupui.dll

    The same alert for these DLL files. However, as I mentioned, the specified path no longer exists on my computer.
     
  3. fearlessscientist

    fearlessscientist Registered Member

    Joined:
    Sep 6, 2013
    Posts:
    166
    Location:
    USA
    How do you know those DLL files are not present on your system? The alert means that the file is trying to execute from the d:\downloads\.. folder. It does not necessarily mean it's present in that folder. Use Search Everything from voidtools to locate those DLL files. Also, under what conditions do these alerts trigger? You can safely ignore this message if it's not breaking anything.
     
  4. Arcanez

    Arcanez Registered Member

    Joined:
    Oct 5, 2011
    Posts:
    417
    Location:
    Event Horizon
    The thing is, the whole driver is no longer present on my system. I just updated to the Catalyst 13.12 chipset drivers and graphics drivers as well, like 2 days ago. AppGuard however keeps telling me that something inside the old driver package is trying to launch. That doesn't make sense. The whole directory is no longer there and I haven't found the DLL file on my system either. I have searched for it with Windows' built-in search.
     
  5. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    Some applications create temporary folders and place executables (dlls) in there on the fly. Could this be the case?
     
  6. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,873
    Location:
    Outer space
  7. kupo

    kupo Registered Member

    Joined:
    Jan 25, 2011
    Posts:
    1,121
    Hello, is there any plan for a standalone MBR Guard?
     
  8. Schine

    Schine Registered Member

    Joined:
    Dec 25, 2013
    Posts:
    2
    I get the following message

    Code:
    Prevented <pid: 2412> from writing to <\registry\machine\software\classes\wow6432node\interface\...
    How would I go about allowing access to this particular item?

    Thanks

    Edit: Never mind. User space, system space is all very confusing. Went ahead and purchased ERP instead, which has more options and is more intuitive.
     
    Last edited: Dec 25, 2013
  9. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    Sorry that you found this confusing. If you private message me, I'd like to find out more about how you feel we could improve AppGuard. Also, if you email AppGuard@BlueRidge.com, you should get a fairly quick response to your support questions (usually within 8 hours - but can't quite promise that during the holidays).
     
  10. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    I just did. It's at the top of page 141.
     
  11. KaptainBug

    KaptainBug Registered Member

    Joined:
    Dec 26, 2013
    Posts:
    480
    Many of us know that IOBit products install other products sneakily. Recently I installed AdvancedSystemCare. I have AppGuard in locked down mode, so nothing should be installed unless I change the security level. There are products like Driver Booster and Protected Folder which don't get installed with ASC. Only when you click on the program name in the toolbox do they get installed. Even though I had AppGuard in locked down mode, it still managed to install those programs on my system. AppGuard did show me some alert, which I didn't bother to look at because the program had already been installed in my Program Files folder and started running. Maybe some file in the temp folder must have been blocked. Why didn't AppGuard protect me?

    NOTE: I have UAC disabled (which should not matter for AppGuard).
     
  12. FleischmannTV

    FleischmannTV Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,093
    Location:
    Germany
    You mentioned you've already had something from them installed. That means they already had access to system-space. Being located in system-space means the applications are not guarded by default, hence they would be able to install something else into system-space as well. This is the reason why programs like internet browsers, e-mail clients and document readers are already in the guarded applications list. They are in system-space as well and otherwise wouldn't be guarded.

    The application should have been added to the guarded apps list after installation to stop it from downloading and installing anything else afterwards. Then again I doubt that said application would have continued working properly, because I can hardly think that something which calls itself "system care" can work without access to system-space.

    AppGuard did not fail in this case, you have simply misunderstood how it protects you. Guarded apps are not allowed to write into system-space. Hence they can only download something into user-space. On locked-down, anything downloaded into that location wouldn't have been able to start at all. On medium, depending on the presence or lack of a digital signature, it would have been able to run, but guarded, or wouldn't have been able to run at all.

    In your case system-space was already compromised because you have voluntarily installed an untrustworthy application. It then was able to further compromise system-space because it was not guarded. If it can't run guarded and you don't trust it, don't use it.
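
    A small model of the rules described in the post above, as an added example that is not part of the original thread and is not AppGuard's own code. The system-space folder list, the function names and the ExampleSuite/ExampleTool paths are assumptions made up for illustration.

```python
from pathlib import PureWindowsPath

# Assumed system-space roots; the thread itself only mentions "Program Files".
SYSTEM_SPACE = [PureWindowsPath(p) for p in
                (r"C:\Windows", r"C:\Program Files", r"C:\Program Files (x86)")]

def in_system_space(path):
    """True if path is at or under one of the assumed system-space roots."""
    p = PureWindowsPath(path)
    return any(root == p or root in p.parents for root in SYSTEM_SPACE)

def launch_decision(exe, level, signed, guarded_apps):
    """Return 'deny', 'run_guarded' or 'run_unguarded' for a launch attempt."""
    exe = PureWindowsPath(exe)
    if in_system_space(exe):
        # System-space programs run unguarded unless listed as guarded apps.
        listed = any(exe == PureWindowsPath(g) for g in guarded_apps)
        return "run_guarded" if listed else "run_unguarded"
    if level == "locked_down":
        return "deny"                      # nothing in user-space may start
    if level == "medium":
        return "run_guarded" if signed else "deny"
    raise ValueError(f"unknown protection level: {level}")

def may_write(state, target):
    """Guarded processes may write to user-space only; denied ones never ran."""
    if state == "deny":
        return False
    return state == "run_unguarded" or not in_system_space(target)

# Constructed scenario mirroring the thread: a suite already installed in
# Program Files tries to drop a second tool while the level is locked down.
SUITE = r"C:\Program Files\ExampleSuite\suite.exe"
DROP_SYSTEM = r"C:\Program Files\ExampleTool\tool.exe"
DROP_USER = r"C:\Users\alice\AppData\Local\Temp\tool.exe"

def scenario(guarded_apps, level="locked_down"):
    state = launch_decision(SUITE, level, True, guarded_apps)
    return {
        "suite": state,
        "writes_system_space": may_write(state, DROP_SYSTEM),
        "writes_user_space": may_write(state, DROP_USER),
        "dropped_user_copy": launch_decision(DROP_USER, level, False, guarded_apps),
    }

if __name__ == "__main__":
    print("unguarded:", scenario([]))
    print("guarded:  ", scenario([SUITE]))
```

    With the suite left off the guarded list it can write into system-space even on locked down; once listed, it can only write to user-space, where the dropped copy is refused at launch.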
     
  13. KaptainBug

    KaptainBug Registered Member

    Joined:
    Dec 26, 2013
    Posts:
    480
    Thanks. That makes sense now.
     
  14. TomAZ

    TomAZ Registered Member

    Joined:
    Feb 27, 2010
    Posts:
    1,131
    Location:
    USA
    My mind is getting a little fuzzy, I guess. Thought I had it pretty well figured out, but I guess not. So how do you add a program to system-space?
     
  15. FleischmannTV

    FleischmannTV Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,093
    Location:
    Germany
    TomAZ, I understand your question but I am not sure what you are trying to achieve.
     
  16. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I have to ask.. if you know IOBit products do this, why would you use them?
     
  17. KaptainBug

    KaptainBug Registered Member

    Joined:
    Dec 26, 2013
    Posts:
    480
    I was trying it after they had some giveaway. But after this experience I removed it from my system.
     
  18. TomAZ

    TomAZ Registered Member

    Joined:
    Feb 27, 2010
    Posts:
    1,131
    Location:
    USA
    Actually, I'm not sure either :D. Here's the deal. I have a VERY OLD Netscape Browser/Email combo suite (XP). It's really a Mozilla package that's been rebranded with the Netscape brand. I don't use the browser, but I still use the e-mail client (which I like a lot and is probably an old version of Thunderbird). It still meets my needs extremely well and has been incredibly stable (I've never had one problem in years of use).

    Everything appears to reside in the Netscape folder within the "Program Files" folder. However, when I add it to the Guarded Apps tab, I can no longer access the program. I get some error message about not being able to access the profile because it is already in use.

    I'm really careful with e-mail attachments, but what I'm trying to do is protect myself from the likes of CryptoLocker, if I happen to slip up.
     
  19. newbino

    newbino Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    464
    Hi, am running AppGuard at Medium protection level.

    I have my OS - Win 7 x64 - and programs installed on C: (browsers included, that is Chrome and FF both in Program Files), all data on a separate partition D:

    My Downloads folder is also on D: and in AG I have set it as an Exception Folder, allowing Read/Write access. The browsers have the Privacy flag set to on.

    I am running into the following problem: if I set the whole D: partition as a private folder, FF is able to download to the Downloads folder, but Chrome is not. To have a successful download, I need to set AG in Install mode, or unmake D: as a private folder.

    I don't know if this is relevant, but every time I start Chrome I obtain the following reports in AG:
    12/28/13 13:43:38 Prevented <Google Chrome> from writing to <\registry\machine\software\wow6432node\google\update\clientstatemedium\{8a69d345-d564-463c-aff1-a69d9e530f96}>.
    12/28/13 13:43:35 Prevented <Google Chrome> from reading memory of <Windows Explorer>.
     
    Last edited: Dec 28, 2013
  20. TomAZ

    TomAZ Registered Member

    Joined:
    Feb 27, 2010
    Posts:
    1,131
    Location:
    USA
    NVT ERP lists about 3 or 4 entries on their website that should be added to AppGuard's Power Apps if using both of these programs together.

    Are those entries still needed in AG 4.0?
     
  21. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Are there any plans to release a new build anytime soon? I know there are still a few minor bugs that have not been addressed, like the problem with Opera not being added to the guarded application list unless you do it manually, and then you have to add it again each time Opera is upgraded to a new build. Also the GUI only shows install, and does not show off like the tray icon does (maybe it's intended to be like this o_O). Does AG now support Unicode? Are there any other known bugs I'm not mentioning? I would like to get an early start on testing any new builds when they become available.

    I hope I don't seem picky. I just hold AG in such high esteem that I want to make sure it offers better protection than most other products on the market. I only say most because I believe there are a handful of products on the market that offer very similar levels of protection, and sometimes they complement one another well. Sometimes you have to give credit where credit is due.
     
  22. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    No, you don't need them with 4.0

    Pete
     
  23. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I have a puzzlement.

    Having brought 2 new desktops with Win 7, I have also converted a Sager Laptop to Win 7. I am now in the process of setting up synchronizing data across all 3. I do this so two of the machines act as a backup.

    On Desktop 1, I installed Office 2010, and loaded in my data files. Outlook worked fine with that data.

    Did the same on Desktop 2, with same result and that has been the primary office machine.

    So now I want to set up being able to sync between desktop 2 to desktop 1.
    For Outlook setup I use Outback Plus. It gets all the Outlook settings and data.

    So now the fun.

    1. I run the backup on desktop 2.

    2. Outlook is working fine on Desktop 1, So I restore the data. Since both machines are win 7 pro x64 file locations are the same.

    3. After restoring, when I run Outlook it tells me I don't have permission to access the pst file. Also there is an error message in AppGuard telling me it blocked access to the pst file located in its default location.

    4. I set Appguard to install mode and rerun Outlook. It tells me the location of my data has changed and restart Outlook. So I do and now it runs fine.

    5. I put Appguard back in lockdown mode, and now Appguard runs fine, but still reports it is blocking writes to the pst file. So I test by making changes to my outlook data, and then close it. Reopen and changes are all there.

    6. Just set ignore message.


    This repeated across the laptop also.

    What was going on??

    Pete
     
  24. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    Without seeing the applications, I can't say for sure. If they are located in system space, then most likely they do not need to be added as Power Applications with 4.0. If they are in user-space or they launch programs in user-space that need to access memory of Guarded Applications, then they need to be added as power applications.
     
  25. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    Perhaps Outlook is considering the pst file to have originated from another PC after the restore? In that case Outlook may treat the pst file differently and as a result AppGuard may behave differently (this type of behavior has happened mostly on Windows 8.1, but perhaps there are some nuances in Windows 7 as well that might be occurring). We have been able to fix the issues on Windows 8.1 and these fixes will be included in a release sometime this quarter (hopefully).
     