AppGuard 4.x 32/64 Bit - Releases

Discussion in 'other anti-malware software' started by Jryder54, Oct 29, 2013.

Thread Status:
Not open for further replies.
  1. mick92z

    mick92z Registered Member

    Joined:
    Apr 27, 2007
    Posts:
    548
    Location:
    Nottingham
    Hello kind folk, regarding the upgrade from 4.0.17.0 to 4.1.45.1 (which I haven't done yet), could anyone tell me, is it recommended? I am very happy with my current version. Also, does it affect Sandboxie in any way (changing settings etc.)?
    Thank you very much
     
  2. clubhouse1

    clubhouse1 Registered Member

    Joined:
    Sep 26, 2013
    Posts:
    1,124
    Location:
    UK

    Ah, thanks for the reassurance...The FAQ is a bit misleading or badly phrased....I thought it was a one off chance and then it's emails after...It seems as long as you uninstall it first online then all will be well on the new install....Bit daft to be honest, kinda annoying like iTunes with their unsubscribe :)

    I know this would have been asked a zillion times before, but it would be nice to have an audible or pop-up warning for activities.
     
  3. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,207
    I did not see any changes in AppGuard settings for Sandboxie, when updating from 4.0 to 4.1. I have also not seen complaints from users from the update (might have been some I have missed).
     
  4. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,696
    Location:
    USA
    You don't need to add CCleaner as a guarded app. The only applications you should normally add are web applications because that is the entry point for viruses to be able to infect the machine. I have never tried guarding VMware Workstation so I'm not sure about that one. You could guard it as long as it does not cause any problems. I don't really think it is necessary though. Pete says he guards processes belonging to VMware, but I have never tried. If you do decide to guard it let me know if you have any conflicts.

    You should always install new software in installation mode, or with the protection level set to Off. Install mode does have some protection measures still running, but it's not very clear to me which ones. I will have to look at some old literature I have, and see if it gives more information. Most of the time you should be fine installing software in installation mode. I usually just set AG protection to Off myself when installing new software, but it really should not be necessary. Just don't use Medium mode anymore to install new software. Medium Mode will allow signed executables to launch from the user-space, but it is not meant for installing software, hence the errors you were receiving. Below is a description of install mode from the manual. Some of the manual needs to be updated though, because there have been some changes made to AG since the manual was last updated, so some of the information in the manual about memory guard is no longer true.

    Install: Use this level when installing or updating software. If you are updating a Guarded application, you may also need to UnGuard the application. If your installation requires a reboot, uncheck the "Re-enable" checkbox. In that case AppGuard will not re-enable the protections until the user reinstates the Protection Level. If the "Re-enable" checkbox is checked, AppGuard will automatically re-enable AppGuard after the timeout has expired.

    If you have any web browsers, mail clients, instant messengers, P2P clients (torrent clients, file sharing software), or media players not on your guarded apps list then you should add them. I enable privacy, and memory protection for almost all of the applications I have on my guarded apps list. If you are not sure which settings to use for a particular application on the guarded apps list then let me know. I'm sorry it took so long for me to get back with you!
     
    Last edited: Sep 3, 2014
  5. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,696
    Location:
    USA
    No one is really recommending any additional protection features for AG so I will look into some methods to sort of fill in the gaps of protection myself. It seems like I should solely focus on shell code from most of the posts I have read here at Wilders. I have been reading quite a bit about shell code recently, but it's not so easy to say which methods would mitigate most exploit attacks overall. Maybe BRN could even work on some of their own in house methods like MBAE. Some products like HMPA use many documented exploit mitigation methods, but are some of those methods just redundant, and overlapping one another? I would welcome additional security measures being integrated into AG that target exploits. I just don't want to ever see a traditional AV, or anything that would cause bloat integrated into AG. I don't like having so many security apps on my machine so I would like to see AG cover as many threats as possible. I try to stick with 3 in real-time myself.
     
  6. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi All

    First, as to adding VM Workstation apps to the guarded list. I did it as Barb recommended it to me as a way to help isolate the virtual machine from the host. I assume this is utilizing the MemoryGuard stuff to prevent leaks that way. I have had absolutely no problems from doing this.

    I would hope they exercise caution adding exploit stuff. MBAE still doesn't work with Sandboxie, and I have EMET 5.0 on and it works well with Firefox, but I had a hard time getting IE to work when I had it in EMET and SBIE. Finally took it out of EMET. So we have to be careful adding much to it.

    Pete
     
  7. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,696
    Location:
    USA
    That would be easy to get around by just making it optional to enable in the settings. Any additional security features could be made optional to enable in the settings.
     
  8. AaLF

    AaLF Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    986
    Location:
    Sydney
    Thanks to all who chip in regularly. And thanks to AppGuard for a great little gizmo. Whenever something looks odd or the PC shows something is amiss etc. my first reaction is: glance at toolbar - AppGuard alive? - relief. Perfect or not, it's the best stress relief since DefenseWall.
     
  9. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,943
    Location:
    Outer space
    Hmm, I have 32.
     
  10. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Open a virtual machine, and using Task Manager see what VM processes are running. Add those. Turns out I had nine so I just updated AppGuard.
     
  11. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,943
    Location:
    Outer space
    Thanks, I found 10 running processes and have added them and some more:

    vmnat.exe (Running from SysWOW64 but there is also a file in Program Files (x86))
    vmnetdhcp.exe (Running from SysWOW64 but there is also a file in Program Files (x86))
    vmware.exe
    vmware-authd.exe
    vmware-hostd.exe
    vmware-tray.exe
    vmware-unity-helper.exe
    vmware-usbarbitrator64.exe from Program Files (x86)\Common Files\VMware\USB
    There is also a 32 bit version: vmware-usbarbitrator.exe Program Files (x86)\Common Files\VMware\USB
    vmware-vmx.exe
    vprintproxy.exe

    Got some Events logged, but all seems to be working fine so far:
    Code:
    09/04/14 16:43:45 Prevented <VMware Authorization Service> from writing to <\registry\machine\software\wow6432node\vmware, inc.\volatile>.
    09/04/14 16:43:45 Prevented process <VMware Authorization Service> from writing to <c:\windows\syswow64\config\systemprofile\appdata\roaming\vmware\preferences.ini.lck\e16676.lck>.
    09/04/14 16:43:49 Prevented process <VMware Authorization Service> from writing to <c:\windows\syswow64\config\systemprofile\appdata\roaming\vmware\preferences.ini.lck>.
    09/04/14 16:43:51 Prevented process <VMware Authorization Service> from writing to <c:\windows\temp\vmware-system\vmauthd-2.log>.
    09/04/14 16:43:51 Prevented process <VMware Authorization Service> from writing to <c:\windows\temp\vmware-system\vmauthd-1.log>.
    09/04/14 16:43:51 Prevented process <VMware Authorization Service> from writing to <c:\windows\temp\vmware-system\vmauthd-0.log>.
    09/04/14 16:43:51 Prevented process <VMware Authorization Service> from writing to <c:\windows\temp\vmware-system\vmauthd.log>.
    09/04/14 16:43:52 Prevented process <VMware USB Arbitration Service> from writing to <c:\windows\temp\vmware-system\vmware-usbarb-1948.log>.
    09/04/14 16:44:10 Prevented <vmware-hostd.exe> from writing to <\registry\machine\software\wow6432node\vmware, inc.\vmware workstation\volatile\isfirstrun>.
    09/04/14 16:44:10 Prevented <vmware-hostd.exe> from writing to <\registry\machine\software\wow6432node\vmware, inc.\vmware workstation\volatile>.
    09/04/14 16:48:00 Prevented process <VMware Authorization Service> from writing to <c:>.
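
One way to triage the blocked-write events listed in the post above, as an added example that is not part of the original thread or AppGuard's own tooling: it parses the two line variants shown there and groups blocked writes per guarded process by parent folder or registry key. The function names and the registry/file split are assumptions of this example; the sample lines are a subset copied from the post.

```python
import re
from collections import defaultdict

# Lines copied from the event log in the post above (a subset).
SAMPLE = r"""
09/04/14 16:43:45 Prevented <VMware Authorization Service> from writing to <\registry\machine\software\wow6432node\vmware, inc.\volatile>.
09/04/14 16:43:51 Prevented process <VMware Authorization Service> from writing to <c:\windows\temp\vmware-system\vmauthd-1.log>.
09/04/14 16:43:51 Prevented process <VMware Authorization Service> from writing to <c:\windows\temp\vmware-system\vmauthd.log>.
09/04/14 16:43:52 Prevented process <VMware USB Arbitration Service> from writing to <c:\windows\temp\vmware-system\vmware-usbarb-1948.log>.
09/04/14 16:44:10 Prevented <vmware-hostd.exe> from writing to <\registry\machine\software\wow6432node\vmware, inc.\vmware workstation\volatile\isfirstrun>.
09/04/14 16:48:00 Prevented process <VMware Authorization Service> from writing to <c:>.
"""

# Both variants seen in the post: "Prevented <x>" and "Prevented process <x>".
EVENT = re.compile(r"^(\S+ \S+) Prevented (?:process )?<([^>]+)> "
                   r"from writing to <(.*)>\.$")

def parse(line):
    """Return (timestamp, process, kind, target) or None for other lines."""
    m = EVENT.match(line.strip())
    if not m:
        return None
    ts, proc, target = m.groups()
    kind = "registry" if target.startswith("\\registry\\") else "file"
    return ts, proc, kind, target

def summarize(text):
    """Map process -> {(kind, parent location): blocked-write count}."""
    out = defaultdict(lambda: defaultdict(int))
    for line in text.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        _, proc, kind, target = ev
        # Collapse to the parent key/folder so repeated log files group together.
        parent = target.rsplit("\\", 1)[0] if "\\" in target else target
        out[proc][(kind, parent)] += 1
    return {p: dict(v) for p, v in out.items()}

if __name__ == "__main__":
    for proc, locations in summarize(SAMPLE).items():
        print(proc)
        for (kind, parent), n in sorted(locations.items()):
            print(f"  {n:2d} x {kind:8s} {parent}")
```

The grouped view makes it easier to see which locations a newly guarded process keeps trying to write to, and to spot odd targets such as the bare `c:` entry.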
    
     
  12. mick92z

    mick92z Registered Member

    Joined:
    Apr 27, 2007
    Posts:
    548
    Location:
    Nottingham
    Ok, thanks very much for the info :)
     
  13. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    27,171
    Location:
    UK
    Enough of the personalities now, let's get back to discussing the topic which is....

    AppGuard 4.x 32/64 Bit
     
  14. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    18,286
    Location:
    New England
    To keep in alignment with stapp's reply above this post, I have removed a bunch of replies that were clearly more about who is posting in this thread versus actual technical issues about the product itself.

    This thread is about AppGuard and is intended to provide a channel to get feedback to the AppGuard team and get responses from them.

    Anytime that you are thinking that you need to name a specific member and comment on what they are posting, or how they are posting it, stop and reconsider whether that post itself is going to be on-topic to this thread's purpose. In fact, you should never be naming names and adding negative comments about them or what they posted. Stick with the technology aspects and leave the personal interactions out of the thread.
     
  15. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    Thanks. I feel the same.
     
  16. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    You probably don't need to add all of them (but it can't hurt either, except for the limit on the number of Guarded Apps, which is 128) because of the inheritance feature.
     
  17. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    Glad I was away for a while (I'm guessing my feelings would have been hurt).:'(
     
  18. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,696
    Location:
    USA
    No problem! I have not looked at that part of the FAQ sheet in a long time. It may need to be updated.
     
  19. Gein

    Gein Registered Member

    Joined:
    Dec 8, 2013
    Posts:
    219
    What's different with the latest version?
     
  20. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    5,703
    Location:
    North Carolina, USA
  21. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,178
    Location:
    The Netherlands
    Yes, I'm glad too, I also missed most of the "fun". :thumb:

    I've managed to find an example of how "reading of process memory" can be used by malware. But I'm not sure if actual malware is using it, and apparently banks can solve this by encrypting data. But it is an example of how the "Memory Guard" feature can protect you.

    EDIT: the video is down I think.

    http://www.itnews.com.au/News/34520...dium=newsletter&utm_campaign=daily_newsletter
    https://www.youtube.com/watch?v=8W9O0ISbj7o
     
    Last edited: Sep 11, 2014
  22. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I've been doing some testing of memory guard vs other software to block memory reads. Will post it in a day or two.

    Pete
     
  23. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,696
    Location:
    USA
    CryptoLocker will try to write to the memory of other processes like explorer.exe as you can see from the screenshots I sent you. AppGuard's memory guard would block this attempt made by CryptoLocker. I would not doubt if CryptoLocker also reads the memory of other processes. Those screenshots I sent you do bring up a question about that product's memory protection, but I do not want to bring that up in this thread. I will have to ask that developer to clarify an answer he gave to me previously about that product's memory protection. I'm sure you probably already know what I'm talking about Rasheed, but we can't talk about it in this thread. I'm sure if I tried I could find plenty more threats that attempt to read/write to the memory of other applications. I just have not had the time to look. Well, I have to go. I won't be back until later. I have to pick up my nephew for a football game.
     
    Last edited: Sep 11, 2014
  24. Bummer, Windows Update (8.1) went wrong while having made it a power application, lost 2 GB of holiday pictures, no more AppGuard on Asus T100
     
  25. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,696
    Location:
    USA
    Man, I'm sorry to hear that! That's horrible! I have never tried making Windows Update a power app. I think it is supposed to work without doing that. I always have switched AG to install mode, or disabled AG's protection when updating Windows. Do you have Windows configured to install updates automatically? I have Windows Update configured to download the updates, and then allow me to decide when to install the updates.
     