AppGuard 4.x 32/64 Bit - Releases

Discussion in 'other anti-malware software' started by Jryder54, Oct 29, 2013.

Thread Status:
Not open for further replies.
  1. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Oliverjia

First I did not make that post as a mod, but simply as an irate user. (I shouldn't get irate.) But what I quoted below isn't a question, but rather a statement that what Blue Ridge wrote was "BS". Fact is, it is true.

    I'll give you one quick example, but then I suggest you really go back to post 5 of this thread and read PEGR's guide.

    AppGuard doesn't need to identify the threat, as it doesn't matter. It works on two principles: system vs user space, and guarded vs unguarded applications. So if an exe ends up on my desktop (which is user space), it simply isn't allowed to run; it doesn't matter if it is friend or foe. If an application is guarded, it can run, but it cannot write to or modify anything in system space (Windows, program areas, etc.). Again, it doesn't matter if the application is friend or foe.

    Again, please do ask questions, read Pegr's guide, and even trial the software. But posts like I quoted below are bad, period.

    Pete

     
  2. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Appguard uses policy to block execution instead of whitelisting. The only form of whitelisting AG uses is by digital certificate. AppGuard allows the user to allow software to run by digital certificate if they choose. AG does not build any whitelist.

    I know you have never used AG after reading this. AppGuard will never prompt the user to allow, or deny anything. AG blocks everything by default. AG uses policy, and not whitelisting. You really don't understand how AG works. What I can't understand is why you would make such a post bashing AG based completely on assumptions.
     
  3. oliverjia

    oliverjia Registered Member

    Joined:
    Jul 21, 2005
    Posts:
    1,926

    Thank you for your information. I never said I used it, or am using it. I admit I did not install it, but I did read its website.

    You said it uses policy instead of whitelisting. Would you please provide a source for that? What you mean by "policy"? You mean group policy? or Software restriction policy?

    My assumption of AppGuard using whitelisting is based on #6 listed in the FAQ on its website, which is exactly how UAC works:

    "http://www.appguardus.com/index.php/appguard/faqs

    6. I am having trouble installing a new software product. What should I do?

    When installing new software programs, open the AppGuard main interface.

    http://www.appguardus.com/images/graphics/AG_Install_4.png

    Reduce AppGuard's protection level to Install mode, and the Install option will be displayed.
    If the software installation requires a reboot to complete, uncheck the Automatically resume ... checkbox.
    Remember to raise the protection level once the software installation is complete."

    You said AppGuard will never prompt you to ask for your opinion. Please tell me, in the above example, what is AppGuard doing in order for you to install the software? Yes, technically, it probably did not ask you to allow the program to run. But you do need to modify its protection level in order to install the software. And the behavior you mentioned (deny applications from running by default) is what whitelisting means. You lock down everything other than the ones you whitelist. If what you said is true: by default it locks down everything, and "AppGuard will never prompt the user to allow, or deny anything", how would you get anything installed? My point is, even though it did not technically prompt to ask for your opinion, you do need to take action by modifying its protection level, correct?
     
    Last edited: Aug 19, 2014
  4. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,207
    oliverjia, I really recommend you try the AppGuard trial to see for yourself. You have been given clear explanations, but I am sure the only way you can get the answers to all your questions is by working with the program yourself on your system. Together with the documentation.
     
  5. oliverjia

    oliverjia Registered Member

    Joined:
    Jul 21, 2005
    Posts:
    1,926
    Thank you Peter, for your explanation.
    Yes, I admit my criticism was a bit harsh toward AG, mainly because I was trained as a scientist who is sometimes a bit sensitive to marketing language.
    I am used to relying on the Windows OS itself, from group policy, to software restriction policy, to AppLocker, to secure the OS, because many of these restrictions put forth by the OS are at kernel level and almost immune to malware hijack, while third-party software always has such a risk.
    Anyway, it appears AG is good for what it does.

     
  6. oliverjia

    oliverjia Registered Member

    Joined:
    Jul 21, 2005
    Posts:
    1,926
    Thank you.

    I am not afraid of being called a thread crapper. I did realize the risk of initiating criticism of a product against its fans. Most of the time it's hard to change people's mindset. I asked these questions because I've used similar products, and I've seen better. I have been active in this forum for almost a decade, and have seen all kinds of "revolutionary" products come and go. I hope AG stays and works well for you all.

    I am done with this thread, and please, enjoy AG.



     
  7. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    It is correct to say that AppGuard protects without needing to classify an executable as a threat, and without asking the user to get involved in making decisions about what to allow and what not to allow. AppGuard automatically and silently blocks all behaviour that could potentially enable the trusted enclave to be compromised if allowed. The intent of the application engaging in the blocked behaviour is irrelevant: good or bad, the outcome is the same; all behaviour that violates AppGuard policy gets blocked without consulting the user.

    AppGuard splits applications into two camps: trusted and untrusted, with different policies applied to each. The default policies are defined by the vendor, Blue Ridge Networks, although some customisation via the GUI is possible. Applications are untrusted, not because they are in themselves malicious, but because they have the potential to be exploited for malicious purposes. Applications that should be untrusted include Internet-facing applications, office applications, document readers, media players, etc: In other words, any application used to load data that may contain potentially malicious embedded code.

    Because AppGuard is so effective at preventing malware during normal operation, the protection level must be deliberately lowered by the user to install software. This means that the user must be especially vigilant to ensure that software installers are only obtained from reputable sources and are clean before running them on the real system. AppGuard is intended to be used as part of a layered security approach. Blue Ridge Networks have never advocated AppGuard as a replacement for anti-virus or other security approaches, and it is intentionally designed to be compatible with other security applications as far as possible. AppGuard is designed to prevent and contain zero-day attacks in real time, but it is not a replacement for remediation, e.g. on-demand AV scanning, to remove any inactive malware that may have been downloaded into user space but which was unable to harm the system due to AppGuard policy restrictions.

    AppGuard is not an anti-exe, although it has some anti-exe features. Here's a couple of things I wrote previously about this in another thread.


     
  8. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Whitelisting software builds a list of software on the user's machine, or has its own list beforehand of applications that are safe. It works very much like a guest list. If you are on the list you get in, but if you are not on the list you are not allowed in. AppGuard does not build a list of any software on the user's machine. It blocks executions based on policy. The only whitelisting it has is that it comes with some digital certificates by default. I myself delete most of those from the list. I think digital certificates can be dangerous.

    I do consider AG an anti-executable though so I do disagree with some of the other users of AG that don't. It's a policy based AE. I don't believe you can solely define an AE as software that uses whitelisting. Though many would make the argument that if that's the case then just about any software could be considered an AE. HIPS, BB, etc.. They all prevent executions. AppGuard also allows executables to run with limited rights making it also use Sandboxing as well so it's not only an AE.

    I don't really need to provide you with a source to prove that AG uses policy instead of whitelisting. I have been using AG since 2007. I understand how it works. It's easiest to explain it by the difference in AG's modes of protection. In Medium Mode of protection AG will allow executables to run from user space if they are signed. These executables will be allowed to run with limited rights. They will not be allowed to inject code into other processes, will not be allowed to read/write the memory of other applications, will not be allowed to write to protected registry keys, and will not be allowed to make changes to the protected system space. In Medium Mode of protection, executables that are not signed will not be allowed to run from user space at all. In Locked Down Mode of protection it makes no difference if executables are signed or not signed. Executables that are signed, and executables that are not signed, will not be allowed to run from user space. The only executables that will be allowed to launch from user space in Locked Down Mode are those on the Guarded Apps list. The applications allowed to launch in Locked Down Mode will be run with limited rights. The applications allowed to launch in Locked Down Mode will not be allowed to inject code into other processes, will not be permitted to read/write the memory of other applications, will not be allowed to write to protected registry keys, and will not be permitted to make changes to the protected system space. The applications on the Guarded Apps list are browsers, mail clients, media players (Windows Media Player, VLC Player), Adobe Reader, Adobe Flash, Java, and Microsoft Office applications. The user can, and should, add other internet-facing applications on their machine that don't come by default.
    Additional applications that should be added are torrent clients, file-sharing clients in general, instant messengers, additional media players, other .pdf readers, other document readers, additional browsers that are not on the Guarded Apps list by default, and other mail clients that are not on the Guarded Apps list by default.
    There is a video on YouTube of someone using AG in Medium Mode of protection, which allows signed executables to run from user space. The Flame worm was allowed to run due to it being signed, and AG's limited rights successfully prevented the user's machine from being infected.

    I will address the rest of your post when I have time, but honestly I don't understand what point you are trying to make about having to lower AG's protection to install software.

    Edit: 08/20/14 @ 3:12: I forgot to mention AG's dll protection. Loading of DLLs is based on digital signature and trusted publisher policy. So for instance if a DLL’s publisher is on the trusted publisher list, it will be allowed to load. The DLL will be Guarded if the process that is loading it is Guarded.
     
    Last edited: Aug 20, 2014
  9. guest

    guest Guest

    anyway Oliverjia doesn't care to even try it , so we talk to a wall...
     
  10. syrinx

    syrinx Registered Member

    Joined:
    Apr 7, 2014
    Posts:
    427
    Back in the golden days as my bro used to tell me, "watch out those walls move quick!"

    Might sound silly but it actually makes sense given proper context.

    All in all, he finds the idea improbable. Just as I did, BEFORE I tried it. He has points in some areas that I agree with (it really is mostly just a smarter version of UAC ; ~hey let's add that to marketing maybe MS will buy you out and implement it properly?!) There is no denying that AppGuard is highly effective but to a small degree where installs are concerned it requires user input and let's be honest-this is where the majority of users will fail installing ****ware. Not many of us 'regular or power consumers' have access to enterprise options so we use what IS available to us. As such AppGuard has become an integral secondary protection level in my setup and has never (yet) failed me.
     
    Last edited: Aug 20, 2014
  11. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    I have to admit, I'm a bit ashamed to ask this, but what exactly is UAC (since you always write this short name)?
    I thought AppGuard is a policy-restriction type like DefenseWall. I've been using DefenseWall for a very long time, and it truly does have similarities with DefenseWall.
    Windows_Security wrote that AppGuard is like UAC/SRP and something else, but on steroids, basically a combination and better, more improved version of UAC/SRP and whatever else you have in your Windows mechanism. I just wonder how much more improved?

    And I wonder what AppGuard's limitations are, what I should take care of, what AppGuard does not protect, and what it cannot protect. I'm asking this because I want to fill holes that AppGuard does not fill. So far I didn't find what AppGuard cannot protect, and I'm asking because I'm not sure if I should have Avira free antivirus with AppGuard, and whether Avira is compatible with them and vice versa.

    Because right now AppGuard blocks everything and is, so far, 100% effective. Yes, the only product which comes out that effective is DefenseWall (but it doesn't have 64-bit protection yet, which is why this is a moot point), and Sandboxie I must mention (at least so far).
    This is why I use Sandboxie and AppGuard without antivirus (although it's always recommended to have antivirus with both SBIE and AppGuard).
     
  14. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    24,067
    Location:
    UK
    Yes, SRP stands for Software Restriction Policy.
     
  15. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi CWS

    I run SBIE, AppGuard, and NoVirusThanks' ExeRadarPro, which is a true anti-executable. ERP covers me for the one time AppGuard can't, which is when you install something. At that time you have to lower AppGuard's protection. At that time I can watch what the install is doing with ERP. As a side note, UAC is one of the first things I disabled on my new Win 7 setups.

    Pete
     
  16. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    Hi, Peter, thanks for your advice. I have to admit that of all security setups, your security setup is somehow the most sympathetic to me, because it is so simple and yet effective. Right now I have 2 computers, one still old XP Service Pack 3, and the other the newest, Windows 8.1. I'm very much interested in using the combo SBIE4+AppGuard+NoVirusThanks ExeRadar Pro, because this combo is extremely effective when it comes to protection and security, but I'm still afraid there could be compatibility issues with Windows 8.1 from each of these security applications, compatibility issues between these security applications, or something else.

    I want to tighten up SBIE4 protection with configuration as much as possible, and yet I want to have AppGuard in Lockdown mode and NoVirusThanks ExeRadar Pro on maximum level of protection. pegr on the AppGuard forum told me to look at post 1093, which I did, and it helped, and I use Lockdown mode. But the question is, could I have maximum protection from all 3 mentioned security applications and have all 3 work together just fine?

    One quick question: what firewall do you use besides these 3 security applications?
    And is this firewall compatible with all 3 mentioned security applications?
    Sure, I could simply use just the Windows 8.1 firewall to avoid any and all conflicts/problems/risks with all mentioned security applications, but I'm not sure if the Windows 8.1 firewall is enough at all.
    Big thanks in advance.
     
  17. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi CWS

    I believe there are people here running on 8.1 using these programs. They do work together fine. You do need to put c:\sandbox in user space for Appguard, and on ERP's help area there is a line that needs to go in your SBIE ini file for ERP. Not a big deal.

    As to firewall: I am currently running both EAM and OA from Emsisoft. I run EAM as I beta test for them, so I run it. In OA I disable the HIPS, as it is totally redundant. As soon as a major surfing issue is fixed, I will go back to the EIS beta, which is EAM with a firewall. Again, no conflicts for me with the rest of my setup.

    Pete
     
  18. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Very informative post. :)

    And I already asked this question earlier in this thread, but besides protection from code-injection and memory reading, which registry keys are protected? And what do you mean with "protection against changes to system space"?
     
  19. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    Here is a quote from the 2009 AppGuard WhitePaper: -

    "AppGuard Technology guards at-risk computer applications, preventing them from writing to critical system resources such as Windows directories, Program Files, HKLM registry hives, and select HKCU keys (e.g., Run, RunOnce)."

    http://ww1.prweb.com/prfiles/2010/05/11/1052624/AppGuardTechWhitePaper.pdf

    Protection against changes to system space means that guarded applications are prevented from writing to system space files and folders. This is covered in section 1.3 of post #5 on page 1 of this thread.
     
    Last edited: Aug 21, 2014
  20. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Thank you! I hope Pegr's response answered the rest of your question. If not then let me know.
     
  21. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Thank you for always being so helpful!
     
  22. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I just reported a possible bug to BRN. I wish I would have caught it during the beta stage, but I don't use Tor Browser very often. AG is blocking Tor Browser from launching from C:\Program Files(x86)\Tor Browser. I have Tor Browser on the Guarded Apps list with memory read/write, and privacy protection enabled. These are the same settings I used with the last stable release of AG, and I did not have this problem then. Below is a screenshot of the block info. I'm using Windows 7X64 Ultimate.

    I also inquired about post 2052 from Syrinx since I believe this possible bug could be related to the same problem he/she is experiencing with System32 components being blocked.
     


  23. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    Thank you too for your detailed and informative posts. We all help each other. :)
     
  24. jnthn

    jnthn Registered Member

    Joined:
    Sep 22, 2010
    Posts:
    185
    Looks like AppGuard just doing its job, i.e. guarded application not being able to write or modify a file in system space.
     
  25. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I don't think so. The block info shows it's not able to write to its own folder in Program Files (x86)\Tor Browser. AG did not block it before in previous stable builds. It's actually blocking the browser from launching.
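As an added example, not part of this thread and not AppGuard's own code: a small Python model of the policy rules as the posters describe them. It encodes the two principles from post 1 (system space vs user space, guarded vs unguarded), the Medium and Locked Down launch rules and the limited-rights list from post 8 (including the trusted-publisher rule for DLLs from its edit), and the protected resources quoted from the whitepaper in post 19. It also shows what those stated rules say about the Tor Browser report above: a guarded application sitting under Program Files (x86) is refused when it writes into its own folder, which is the reading jnthn gives. Whether earlier builds behaved differently is not something the model can say. The directory roots, publisher names, registry keys and sample actions are assumptions constructed for the demo; real AppGuard policy details may differ.

```python
"""Toy model of the AppGuard policy as described in this thread.

Post 1: system space vs user space, guarded vs unguarded applications.
Post 8: Medium / Locked Down launch rules, limited rights of guarded
processes, DLL loading by trusted publisher.  Post 19: protected resources
from the 2009 whitepaper.  Illustrative code written for this page, not
AppGuard's implementation; roots, publishers and sample actions are assumed.
"""
import ntpath
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Set, Tuple


class Mode(Enum):
    MEDIUM = "Medium"
    LOCKED_DOWN = "Locked Down"


class Action(Enum):
    FILE_WRITE = "write file"
    REG_WRITE = "write registry key"
    INJECT = "inject code into another process"
    MEMORY_RW = "read/write another process's memory"


# Assumed system-space roots: Windows directories and program areas.
SYSTEM_SPACE_DIRS = (r"C:\Windows", r"C:\Program Files", r"C:\Program Files (x86)")
# Select HKCU keys named in the whitepaper quote; all of HKLM is protected too.
PROTECTED_HKCU_KEYS = (
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce",
)


def _norm(p: str) -> str:
    return ntpath.normpath(p).lower()


def _under(path: str, root: str) -> bool:
    p, r = _norm(path), _norm(root)
    return p == r or p.startswith(r + "\\")


def in_system_space(path: str) -> bool:
    return any(_under(path, d) for d in SYSTEM_SPACE_DIRS)


def is_protected_key(key: str) -> bool:
    k = key.replace("/", "\\")
    if k.lower().startswith(("hklm\\", "hkey_local_machine\\")):
        return True
    return any(_under(k, p) for p in PROTECTED_HKCU_KEYS)


@dataclass
class Executable:
    path: str
    publisher: Optional[str] = None  # None means unsigned


@dataclass
class Policy:
    mode: Mode
    guarded_apps: Set[str]                  # full paths on the Guarded Apps list
    trusted_publishers: Set[str]            # publishers whose DLLs may load
    extra_user_space: Tuple[str, ...] = ()  # e.g. C:\Sandbox, as post 17 advises

    def is_user_space(self, path: str) -> bool:
        if any(_under(path, d) for d in self.extra_user_space):
            return True
        return not in_system_space(path)

    def is_guarded_app(self, path: str) -> bool:
        return any(_norm(path) == _norm(g) for g in self.guarded_apps)


def launch_decision(policy: Policy, exe: Executable) -> Tuple[bool, bool, str]:
    """Return (may_launch, runs_guarded, reason) for a launch attempt."""
    if policy.is_guarded_app(exe.path):
        return True, True, "Guarded Apps list: runs with limited rights"
    if not policy.is_user_space(exe.path):
        return True, False, "system space: launch not restricted by this model"
    if policy.mode is Mode.LOCKED_DOWN:
        return False, False, "Locked Down: no user-space launch, signed or not"
    if exe.publisher is not None:
        return True, True, "Medium: signed user-space exe runs guarded"
    return False, False, "Medium: unsigned user-space exe blocked"


def guarded_action_allowed(action: Action, target: str = "") -> bool:
    """Limited rights of a guarded process: no injection, no memory access to
    other processes, no writes to system space or protected keys.  User-space
    writes stay allowed, which is why post 7 still wants on-demand scanning."""
    if action is Action.FILE_WRITE:
        return not in_system_space(target)
    if action is Action.REG_WRITE:
        return not is_protected_key(target)
    return False  # INJECT and MEMORY_RW are never allowed


def dll_load_allowed(policy: Policy, loader: Executable,
                     dll_publisher: Optional[str]) -> Tuple[bool, bool]:
    """Return (may_load, dll_guarded): the DLL loads only if its publisher is
    trusted, and it is guarded whenever the loading process is guarded."""
    ok = dll_publisher is not None and dll_publisher in policy.trusted_publishers
    return ok, ok and launch_decision(policy, loader)[1]


def demo() -> List[str]:
    """Constructed scenario; returns one line per decision."""
    tor = r"C:\Program Files (x86)\Tor Browser\firefox.exe"
    policy = Policy(Mode.MEDIUM, {tor}, {"Example Trusted Publisher"})
    dropped = Executable(r"C:\Users\me\Desktop\update.exe", "Some Signer")
    out = ["Medium, signed exe on Desktop: %s" % (launch_decision(policy, dropped),)]
    for action, target in [(Action.FILE_WRITE, r"C:\Windows\System32\drop.dll"),
                           (Action.REG_WRITE, r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"),
                           (Action.INJECT, "explorer.exe"),
                           (Action.FILE_WRITE, r"C:\Users\me\AppData\Roaming\payload.bin")]:
        out.append("  guarded %s -> %s" % (action.value, guarded_action_allowed(action, target)))
    policy.mode = Mode.LOCKED_DOWN
    out.append("Locked Down, same exe: %s" % (launch_decision(policy, dropped),))
    out.append("Locked Down, guarded Tor Browser: %s" % (launch_decision(policy, Executable(tor)),))
    out.append("Guarded app writing its own Program Files folder -> %s"
               % guarded_action_allowed(Action.FILE_WRITE, r"C:\Program Files (x86)\Tor Browser\prefs.js"))
    return out


if __name__ == "__main__":
    print("\n".join(demo()))
```

Running the module prints the constructed scenario: the signed exe dropped on the Desktop launches guarded in Medium mode but is refused the System32 write, the Run-key write and the injection while its write into AppData goes through; the same exe does not launch at all in Locked Down mode, while the guarded Tor Browser still does. The last line is the Program Files (x86) own-folder write, refused under these rules because that folder is system space.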
     