AppGuard 4.x 32/64 Bit - Releases

Hello, I have just started using Internet explorer ( sandboxed ) for the first time in years. Firefox is running slow when using wireless. So when i close I.E it takes about 20 seconds for Sandboxie to delete the box. I get some alerts from sandboxie, which I believe are instigated from Appguard.
This is one instance, when running I.E only . Appguard only alerts on the box emptying

Spoiler

Code:

05/01/14 20:28:43 Prevented process <comctl32.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\sandbox\michael\defaultbox\drive\c\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac>.
05/01/14 20:28:43 Prevented process <uxtheme.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\sandbox\michael\defaultbox\drive\c\windows\system32>.
05/01/14 20:28:43 Prevented process <version.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\sandbox\michael\defaultbox\drive\c\program files (x86)\calibre2>.
05/01/14 20:28:43 Prevented process <version.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\sandbox\michael\defaultbox\drive\c\program files (x86)\toshiba\bluetooth toshiba stack\sys\x64>.
05/01/14 20:28:43 Prevented process <version.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\sandbox\michael\defaultbox\drive\c\program files (x86)\toshiba\bluetooth toshiba stack\sys>.
05/01/14 20:28:43 Prevented process <version.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\sandbox\michael\defaultbox\drive\c\program files (x86)\windows live\shared>.
05/01/14 20:28:43 Prevented process <version.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\sandbox\michael\defaultbox\drive\c\windows\system32\windowspowershell\v1.0>.
05/01/14 20:28:43 Prevented process <dwmapi.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\sandbox\michael\defaultbox\drive\c\program files (x86)\calibre2>.
05/01/14 20:28:43 Prevented process <version.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\sandbox\michael\defaultbox\drive\c\program files (x86)\common files\microsoft shared\windows live>.
05/01/14 20:28:43 Prevented process <dwmapi.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\sandbox\michael\defaultbox\drive\c\windows\system32\windowspowershell\v1.0>.
05/01/14 20:28:43 Prevented process <version.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\sandbox\michael\defaultbox\drive\c\windows>.
05/01/14 20:28:43 Prevented process <version.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\sandbox\michael\defaultbox\drive\c\windows\system>.
05/01/14 20:28:43 Prevented process <version.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\sandbox\michael\defaultbox\drive\c\windows\system32>.
05/01/14 20:28:43 Prevented process <dwmapi.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\sandbox\michael\defaultbox\drive\c\program files\internet explorer>.
05/01/14 20:28:43 Prevented process <dwmapi.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\sandbox\michael\defaultbox\drive\c\windows\system>.
05/01/14 20:28:43 Prevented process <dwmapi.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\sandbox\michael\defaultbox\drive\c\windows\system32>.
05/01/14 20:28:43 Prevented process <ieframe.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\sandbox\michael\defaultbox\drive\c\program files\common files\microsoft shared\windows live>.
05/01/14 20:28:43 Prevented process <ieframe.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\sandbox\michael\defaultbox\drive\c\program files\internet explorer>.
05/01/14 20:28:43 Prevented process <ksuser.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\sandbox\michael\defaultbox\drive\c\program files (x86)\windows live\shared>.
05/01/14 20:28:43 Prevented process <ksuser.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\sandbox\michael\defaultbox\drive\c\program files (x86)\common files\microsoft shared\windows live>.
05/01/14 20:28:43 Prevented process <ksuser.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\sandbox\michael\defaultbox\drive\c\program files\common files\microsoft shared\windows live>.
05/01/14 20:28:43 Prevented process <ieframe.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\sandbox\michael\defaultbox\drive\c\program files (x86)\calibre2>.
05/01/14 20:28:43 Prevented process <ksuser.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\sandbox\michael\defaultbox\user\current\desktop>.
05/01/14 20:28:43 Prevented process <ksuser.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\sandbox\michael\defaultbox\drive\c\windows>.
05/01/14 20:28:43 Prevented process <ieframe.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\sandbox\michael\defaultbox\drive\c\program files (x86)\windows live\shared>.
05/01/14 20:28:43 Prevented process <ksuser.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\sandbox\michael\defaultbox\drive\c\windows\system32>.
05/01/14 20:28:43 Prevented process <ieframe.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\sandbox\michael\defaultbox\drive\c\windows\system32\wbem>.
05/01/14 20:28:43 Prevented process <icmp.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\sandbox\michael\defaultbox\drive\c\program files (x86)\toshiba\bluetooth toshiba stack\sys\x64>.
05/01/14 20:28:43 Prevented process <icmp.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\sandbox\michael\defaultbox\drive\c\program files (x86)\toshiba\bluetooth toshiba stack\sys>.
05/01/14 20:28:43 Prevented process <ieframe.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\sandbox\michael\defaultbox\drive\c\windows>.
05/01/14 20:28:43 Prevented process <ieframe.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\sandbox\michael\defaultbox\drive\c\windows\system>.
05/01/14 20:28:43 Prevented process <ieframe.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\sandbox\michael\defaultbox\drive\c\windows\system32>.
05/01/14 20:28:43 Prevented process <icmp.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\sandbox\michael\defaultbox\drive\c\program files (x86)\common files\microsoft shared\windows live>.
05/01/14 20:28:43 Prevented process <icmp.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\sandbox\michael\defaultbox\drive\c\program files\common files\microsoft shared\windows live>.
05/01/14 20:28:43 Prevented process <icmp.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\sandbox\michael\defaultbox\drive\c\program files\internet explorer>.
05/01/14 20:28:43 Prevented process <icmp.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\sandbox\michael\defaultbox\user\current\desktop>.
05/01/14 20:28:43 Prevented process <icmp.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\sandbox\michael\defaultbox\drive\c\windows>.
05/01/14 20:28:43 Prevented process <icmp.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\sandbox\michael\defaultbox\drive\c\windows\system>.
05/01/14 20:28:43 Prevented process <icmp.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\sandbox\michael\defaultbox\drive\c\windows\system32>.
05/01/14 20:28:43 Prevented process <lz32.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\sandbox\michael\defaultbox\drive\c\program files (x86)\common files\microsoft shared\windows live>.
05/01/14 20:28:43 Prevented process <lz32.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\sandbox\michael\defaultbox\drive\c\program files\common files\microsoft shared\windows live>.
05/01/14 20:28:43 Prevented process <lz32.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\sandbox\michael\defaultbox\drive\c\program files\internet explorer>.
05/01/14 20:28:43 Prevented process <lz32.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\sandbox\michael\defaultbox\drive\c\windows>.
05/01/14 20:28:43 Prevented process <lz32.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\sandbox\michael\defaultbox\drive\c\windows\system>.
05/01/14 20:28:43 Prevented process <lz32.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\sandbox\michael\defaultbox\drive\c\windows\system32>.
05/01/14 20:28:43 Prevented process <rpcrt4.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\sandbox\michael\defaultbox\drive\c\windows\system32>.
05/01/14 20:28:43 Prevented process <imm32.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\sandbox\michael\defaultbox\drive\c\windows\system32>.
05/01/14 20:28:43 Prevented process <msvcrt.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\sandbox\michael\defaultbox\drive\c\windows\system32>.
05/01/14 20:28:43 Prevented process <usp10.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\sandbox\michael\defaultbox\drive\c\windows\system32>.
05/01/14 20:28:43 Prevented process <lpk.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\sandbox\michael\defaultbox\drive\c\windows\system32>.
05/01/14 20:28:43 Prevented process <gdi32.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\sandbox\michael\defaultbox\drive\c\windows\system32>.
05/01/14 20:28:43 Prevented process <user32.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\sandbox\michael\defaultbox\drive\c\windows\system32>.
They all relate to rundll32, which has start/run permission in sandboxie
Any advice ? Many thanks in advance

UPDATE
This is not happening on my desktop, which has the same appguard settings as the laptop

 

It is unlikely that this is adversely impacting anything, so the easiest thing to do would be to right-click on one of the alerts and create a generic ignore message rule to suppress all of these alerts. The ignored message fields would look something like this: -

Field1: *.dll | C:\Windows\System32\rundll32.exe
Field2: c:\sandbox\*

 

Hi

How i become this under Controll
i put yandex to guarded apps and firefox is still there
and flashplayer too.

05/02/14 07:54:04 <Firefox> Privacy Mode is enabled.
05/02/14 07:48:33 Prevented <Firefox> from reading memory of <Adobe Flash Player 13.0 r0>.
05/02/14 07:48:33 Prevented <Firefox> from writing to memory of <Adobe Flash Player 13.0 r0>.
05/02/14 07:48:12 Prevented <Firefox> from writing to <\registry\machine\system\controlset001\control\class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000>.
05/02/14 07:31:59 Prevented process <Yandex.Disk> from writing to <c:\windows\inf\setupapi.app.log>.
05/02/14 07:31:57 Protection level is set to <medium>.

 

All the blocks i'm seeing in your Event Log are normal. Unless you are experiencing a problem then you should ignore those blocks. Is Yandex working ok? If you are having problems with Yandex it would help if you right click on Yandex.Disk event entry, and click on message info. Then copy, and past the blocked application path of Yandex.Disk to your post so we can see where it is located. That will not be necessary though unless you are experiencing a problem with Yandex.

 

Can we have some update info about delay, please?

 

Thanks a lot Pegr, your advice is always very welcome. However i cannot stop the alerts from Appguard or Sandboxie.
I have downloaded Chrome and I am very pleased with it. It seems much faster than the problematic firefox, and I get no errors that i get with Internet explorer.
So i will use chrome form now on. Thanks anyway

 

I posted a question about email client protection. Not answered. It is I am not myself using any email client, only using web browser email. But if I was, lets say mozilla thunderbird that I used years ago. If a bad malware executable as stupid is opened from a mail attachment. Can any of you tell how much damage it can done to a computer system? For instance can it corrupt the mail folder? I know this is maybe a stupid question and maybe outside of AG protection, but I just want ask these stupid questions. If anyone can tell of course, please do

 

Feature request:
A pre-compiled list of Private files and folders with important information from popular applications;
It is not sensible to add IM's, browsers, mail programs for chat logs, saved passwords, email database etc, as these applications are usually Guarded, so they wouldn't be able to access it themselves unless Privacy flag is disabled, and if Privacy is disabled on every Guarded apps, it defeats the purpose.
However applications such as OpenVPN(for certificates, private keys), KeePass and other PW managers(for PW database), Cryptocurrency wallets etc are usually not Guarded and have important information so applications like these would be nice on the Private files/folders list.

 

@BoerenkoolMetWorst i like this Idea"A pre-compiled list of Private files and folders

 

It's not a stupid question at all. The short answer is yes, I believe it is theoretically possible that malware could corrupt the mail folder, but it would take a particular set of circumstances to achieve it.

First, the mail client should be running as a guarded application, so the mail attachment will have to be saved somewhere in user-space. If a mail attachment is a standalone executable file, AppGuard will prevent it from running from user-space and the threat is prevented.

Second, if a mail attachment is a data file containing embedded code, with an extension that is associated with an installed application, the attachment will be opened. It is therefore important that applications that open documents with the possibility of running code (scripts, macros, etc) are added to the Guard Apps list.

However, in the second case, it is possible that some damage to user-space data could occur. To mitigate against this possibility, browsers and mail clients should be run in privacy mode. Folders containing important data should be defined as protected folders in the Guarded Apps tab, which denies all access to guarded applications. This protects most data that needs to be protected but can't be used to protect the mail folder itself, as the mail client, running as a guarded application, would then have no access to the mail folder.

In any case, as Pete said, it is important to backup up important data on a regular basis to guard against data corruption or loss from whatever cause.

Interesting, Sandboxie has a feature that AppGuard lacks. With Sandboxie, it is possible to apply a restriction on the mail folder that denies all access for every sandboxed program other than the mail client. With AppGuard, protected folders apply to all guarded applications running in privacy mode, so access to the mail folder cannot be restricted to the mail client in this way.

 

Thank you pegr and Peter.

This question came to my mind because my father got a new laptop with of course that darn Win8+ he does not understand a bit from the XP usage. He is not at the moment able to cope with SBIE problems with the latest updates for sure, needing to install betas etc. I see the old age in his understanding things creeping more and more and I do hope I can someday recommend SBIE back to his system. Living 300 kms away and not able to go and help him right now is a big problem to me.

He got the old mail posts fixed to his email client ISP service provider by my nephews help installed on the new thingie and wants to keep using it. AppGuard would be pretty much a no brainer as I can't imagine myself able to help him get his mail client sandboxied properly from distance. But then maybe he is safe with the preinstalled Norton sigh.

Another reason for my question was some post I replied on Sandboxie forum.

 

I've just edited my previous reply to make it more accurate. I was originally suggesting that the attachment might get executed directly from the mail client, which is unlikely to be the case. It's more likely that the attachment will have to be explicitly saved to user-space first then opened separately.

If the concern is in relation to your father's system, the simplest option would be for him to use AppGuard in conjunction with a real-time AV. I think that this is what BRN would recommend doing anyway. I believe they see AppGuard as well positioned to deal with zero-day threats in order to give the AV time to play catch-up and remove any malicious files.

 

I must say that IMO this whole system and user space stuff, is making it more complicated than necessary. This was a big turn off for me.

 

Mmmm. Each to their own I suppose. It's the one thing that makes AppGuard so great for me. Why worry about system space if nothing started in user space or guarded can write or execute there? Add in blocking memory read/write on threat-gates how does anything malicious get into system space? I'd be interested if you can you give me an example of a threat that is not spawned by a guarded app, originates from user space or relies on memory exploitation. AppGuard prevents all of that.

If you're sure your systems clean AG will keep it that way.

Cheers

 

I´m not saying that AG is not a good product (to clarify), but I just don´t like to concept, it´s not that easy to understand.
But besides me being stupid , I think it´s probably because of I´m more into classical HIPS, where apps are either "Trusted" or "Restricted".

 

You say AppGuard's concept is not easy to understand, yet as an opposite example you list HIPS. If you want a HIPS to be able to reasonably protect you, be it by answering its pop-ups correctly or setting up the rules, you'll have to be a real systems expert. If you already find AppGuard too complicated, you are certainly not competent enough to handle a HIPS.

 

I honestly do not think there is any replacement for AG. Not for me anyways. It blocks attacks before they ever have a chance to start by blocking the behavior that could lead to an attack. AG forces applications to operate in a safe manner.

 

That´s not what I meant, it´s not about answering alerts, which is indeed not that hard, if you´re an experienced HIPS user. Like I said before, perhaps it´s me being stupid, but I think AG is making things too complicated. And how must I look at AG, is it an anti-exe, or behavior blocker, or perhaps both?

I like the concept of classical HIPS more. With EXE Radar Pro + SpyShelter + EMET, you can get the exact same protection, actually, you get even more. But it´s a matter of preference and needs, let´s not get emotional.

 

I am pleased with AG. Its only surpassed by DefenseWall but that's now classified as 'tales of the ancients' when things were 32 bit.

 

One does not have to understand all the fine mechanics of how AG works to reap it's benefit. You just need to understand enough to know how to configure it for you particular setup.

 

I'm not sure if you are saying each one of those products provides more protection than AG, or if you mean collectively as a whole. I'm assuming you mean collectively. There is one point I would like to make though about Anti-Exploit based on my understanding from reading through the Anti Exploit thread. I don't want to say anything bad about Anti Exploit, and I know it's a good product. It just seems that it requires constant maintenance to make sure it is blocking all the latest exploits, and also to make sure it is not blocking legitimate applications. AG does not require continued maintenance in order to block the latest threats, and if AG is blocking a legitimate application the user can configure it to allow that application instead of having to wait for an update from the developer. So that cuts out the time of having to report the legitimate application being blocked, and waiting for the update. AG also blocks all attack methods instead of just exploit oriented attacks. That is my reasoning for using AG, but I understand that all products are not for everyone. I'm sure Anti Exploit is a great product if AG is not the product for you. I don't think there would be any benefit in adding Anti Exploit to one's setup though if they are already using AG unless they wants MBAM's real-time signature based shield, and IP blocking. If someone already using AG is also already using MBAM premium version, and wants to upgrade to MBAM V2 then I could see their reasoning since it already comes with Anti Exploit.

 

Has anyone been updated on a potential release date of the next build of AG, and the first beta of Fortress? Barb usually sends me an email in advance telling me when the next beta is gong to be released. I'm sure she is under a lot of pressure with making sure Fortress is up to par for it's opening roll out for AOL so I have not bothered asking her. I'm kind of eager to see what changes, or additions have been made in AG.

 

Hello,
I have two questions about Appguard 4:
1) I would like to run it with sandboxie (4.08, Win 7 64bit) and I read that all I need to do is to add c:sandbox to the exception folder (read/write). When I do this I still can't start my browser or my email program.
I get the error message: "SBIE2335 Initialization failed for process ...". Only if I add the .exe files in the sandboxie program folder (installed on D) to the power apps, everything works. But as far as I know Appguard 4 should work with sandboxie without adding anything to power apps. So how can I configure I Appguard properly?

2) If I only used Appguard as protection how can I prevent malware installation when I want to install a trusted program and therefore have to lower Appguard's protection. Would it be enough to reboot my computer before I set the install level of Appgaurd so that any possible malware in the memory is gone?

Thank you!

 

Just a quick question: did you add C:Sandbox or C:\Sandbox with read/write?