AppGuard 4.x 32/64 Bit - Releases

Discussion in 'other anti-malware software' started by Jryder54, Oct 29, 2013.

Thread Status:
Not open for further replies.
  1. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    Definitely optional. In the AOL version, it is the default setting (and can be changed in the GUI), BUT I believe that we will keep it as the non-default setting for our version - perhaps have the user make the choice when installing?
     
  2. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    Why is it safer for the user to have the feature off by default? o_O
     
  3. trott3r

    trott3r Registered Member

    Joined:
    Jan 21, 2010
    Posts:
    1,283
    Location:
    UK
    1) moving thebat to system space and folder to read only results in:

    03/10/14 19:41:44 Prevented process <thebat.exe> from writing to <m:\internet\email\the bat!\mail\test.tmp>.
    -Something in the activity report for a change.

    2) having changed mail directory to user space I get:
    no event in the log and thebat does not launch. (does not go as far as with just step 1 the splash screen stays with the error)

    3) not moved any of the other programs on M: into system space as yet so skipped.


    Some moderate progress but no solution as yet
     
  4. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    I agree it is progress of a sort because the activity report proves that The Bat! is starting but then isn't able to run properly for some reason.

    I will reinstall The Bat! on a non-system partition on my Windows XP system tomorrow and have a play with it. I'll let you know what happens.

    BTW Have you tried using Sysinternals Process Monitor to trace what is happening?
     
  5. trott3r

    trott3r Registered Member

    Joined:
    Jan 21, 2010
    Posts:
    1,283
    Location:
    UK
    Maybe you could try an older version?

    I am using v1.62r (not willing to pay for an upgrade)
     
  6. trott3r

    trott3r Registered Member

    Joined:
    Jan 21, 2010
    Posts:
    1,283
    Location:
    UK
    I have process hacker running and can see that the bat appears in the task list and then disappears immediately.

    Is that what you mean or something more in depth?
     
  7. DoctorPC

    DoctorPC Banned

    Joined:
    Jan 9, 2014
    Posts:
    810
    With tampering protections on for AppGuard, you can set it so people cannot change the TIMER for resume of the protection. (Medium -> Install back to Medium).

    However there is STILL a checkbox at the front of the interface, even with Privs on, which allows them to permanently disable protection timer countdown. Is this an oversight, or a bug?

    I have protection privs on so my son doesn't tamper with stuff, and I continuously find he has disabled the product by this checkbox!
     
  8. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Because the user could be performing some risky task when it decides to switch to installation mode to allow something on the Trusted Publishers list to update.
     
  9. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    Ah, that makes sense of course, thanks for explaining :thumb:
     
  10. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,718
    Location:
    Gaia
    Any news about 4.1 release date?

    Have you thought about making 2 notifications?
    One for blocked files and one for files executed with limited rights (Guarded).
    IMO, that would improve the usability.
     
    Last edited: Mar 11, 2014
  11. Space Ghost

    Space Ghost Registered Member

    Joined:
    Apr 21, 2011
    Posts:
    195
    Location:
    Poland
    Try to add thebat.exe to the Guarded Apps and set On MemWrite/Read protection, after this add mail folder into Exception Folder (Read/Write).
     
  12. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    I have now tried The Bat! v1.62 and can reproduce your problem. For whatever reason, v1.62 won't start as a guarded application, even in Install mode. It tries to start then immediately exits, just as you've described. I haven't been able to work out the cause but the lack of entries in the activity report suggests that the problem could be registry related, possibly a restriction in writing to the HKLM registry hive on startup.

    Interestingly, the latest version, v6.2.14, doesn't have this problem, but you've already said that you don't want to upgrade. It appears though that v1.62 will run as a guarded application at the Medium protection level once it is up and running, so I suggest trying the following.

    First undo all the customisations that I suggested in post #896 above. These work well with v6.2.14 but not with v1.62. In the interests of simplicity, leave the entire installation of The Bat! in User-Space on the M: drive and remove The Bat! from the Guarded Apps list.

    Now before launching The Bat!, with the protection level set to Medium, right-click on the AppGuard tray icon and from the menu select Allow User Space Launches->UnGuarded. Once The Bat! has started, right-click again and select Disable User Space Launches to resume Guarded App protection.

    I have tested this and it allows v1.62 to run as a Guarded App, but as I don't use The Bat! I don't know if you will encounter any other problems while it is running as a Guarded App. Try it and see how it goes. The only other choices are either to run v1.62 as an Unguarded App or upgrade to the current version.
     
  13. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    I have been trying to help trott3r with this and have tried every customisation I can think of, but nothing works. v1.62 won't start as a Guarded App, but it appears that it may be able to run as one, once Guarded App protection has temporarily been suspended on launch.
     
  14. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I think trott3r should send a bug report at this point if he or she has not already done so. If it is due to a bug then BRN needs to know so it can be fixed. If it's not a bug then BRN will at least be able to give good instructions for what is needed. BRN may even need to add a feature to better facilitate exceptions for applications like Thebat without compromising security.
     
  15. trott3r

    trott3r Registered Member

    Joined:
    Jan 21, 2010
    Posts:
    1,283
    Location:
    UK
    thanks for your help.

    I will try it when I register the apps.
    The trial expired yesterday so I cannot experiment anymore.

    I am impressed enough with the app to register it soon.
    Just other things are a priority today.
     
  16. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I am not sure I would expect BRN to take it too seriously if updating to current software fixes it. Updating is part of life.

    Pete
     
  17. trott3r

    trott3r Registered Member

    Joined:
    Jan 21, 2010
    Posts:
    1,283
    Location:
    UK
    Peter:

    except it could affect other programs in the future so best to fix when possible.
     
  18. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    It would be a shame though if the update does not work, and they could have fixed it if it was reported.
     
  19. stackz

    stackz Registered Member

    Joined:
    Dec 27, 2007
    Posts:
    646
    Location:
    Sydney Australia
    Writing to HKLM is exactly the problem. I just set up and reproduced this behaviour with The Bat! 1.62.
    Interestingly, I found a way to run TB by just adding it as a guarded app and making a registry modification. Due to limited testing I can't guarantee that this modification won't break some functionality with The Bat!
    So with that in mind, if you decide to try this, export and save a copy of the registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Clients\Mail\The Bat!
    Verify that it saved correctly, then simply delete the key: HKEY_LOCAL_MACHINE\SOFTWARE\Clients\Mail\The Bat!

    Let me/everyone know how it goes.
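
The export, verify and delete steps from the post above, written out as a PowerShell script. This is an added example, not part of the original post or of AppGuard; the backup file location is an assumption, and the script must be run from an elevated prompt.

```powershell
# Added example: back up, verify, then delete the key named in the post.
$KeyPath    = 'HKEY_LOCAL_MACHINE\SOFTWARE\Clients\Mail\The Bat!'
$PsKeyPath  = 'Registry::' + $KeyPath
# Assumed backup location; change it to wherever you keep backups.
$BackupFile = Join-Path $env:USERPROFILE 'TheBat-Clients-Mail-backup.reg'

if (-not (Test-Path -LiteralPath $PsKeyPath)) {
    throw "Key not found: $KeyPath"
}

# 1. Export the key and all of its subkeys (/y overwrites an older backup).
& reg.exe export $KeyPath $BackupFile /y | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "reg export failed with exit code $LASTEXITCODE"
}

# 2. Verify the export before touching anything: the file must contain the
#    key's own section header and one section per live key under it.
$exported  = @(Get-Content -LiteralPath $BackupFile)
$header    = '[' + $KeyPath + ']'
if (-not ($exported -contains $header)) {
    throw "Backup does not contain $header; nothing was deleted."
}
$liveCount = 1 + @(Get-ChildItem -LiteralPath $PsKeyPath -Recurse).Count
$fileCount = @($exported | Where-Object { $_.StartsWith('[HKEY_') }).Count
if ($fileCount -ne $liveCount) {
    throw "Backup has $fileCount key sections, registry has $liveCount; nothing was deleted."
}

# 3. Only now delete the key.
Remove-Item -LiteralPath $PsKeyPath -Recurse
Write-Host "Deleted $KeyPath. Backup saved to $BackupFile"

# To undo the change later:  reg.exe import "<path to the backup file>"
```

Because each check throws before step 3 runs, a failed or incomplete export leaves the registry untouched.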
     
  20. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    Thanks for confirming that writing to HKLM is the cause of the problem.
     
  21. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    That particular feature will cause AppGuard to automatically lower protection to Install whenever a user-space program digitally signed by a trusted publisher is executed. Most savvy security conscious users would prefer to have more control over when AppGuard's protection is lowered. BTW, it only works when AppGuard is running in Medium mode. Locked Down is still Locked Down.

    This feature is useful for people like my husband who forgets to lower protection when he updates TurboTax or Quicken.
     
  22. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    Ah, I understand, thank you for the explanation :thumb:
     
  23. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    I think this is an oversight. It does make sense that if you don't want non-Super users to modify the timeout value, then the checkbox should not be an option if they lower protection. Since that checkbox is only visible if AppGuard is turned off or the protection is lowered to "Install" I'm assuming that you want your son to be able to change the protection level, but not to be able to change it indefinitely.
     
  24. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    I'm not sure what you mean by notification? We have added a message box that gets displayed when AppGuard blocks an execution. The "Guarded Execution" blocks get displayed in the AppGuard activity report.
     
  25. trott3r

    trott3r Registered Member

    Joined:
    Jan 21, 2010
    Posts:
    1,283
    Location:
    UK
    pegr: thanks for the Allow User space unguarded solution.

    I tried it now after registering AppGuard and it works great :)

    Thanks for your help
    Martin
     