AppGuard vs. Voodooshield or NoVirusThanks EXE Radar Pro

Hello,
I'm looking for a second security layer for my PC (first defense is Sandboxie). I read that a lot of you guys are fans of AppGuard. But since AppGuard only protects system space doesn't it make more sense to use programs like VS or NVT ERP that can protect all data?
Do you think that AppGuard offers a better protection or that the other programs can be bypassed easier by malware than AppGuard or what's the advantage of using AppGuard compared to the other programs?
Thank you!
Michael

 

Awesome thread. My first defense is sbie as well and it does a great job! I prefer NVTERP over VS and AG...I think it's just as powerful (or close to it).

 

From what I know of NVTERP it does a good job but I do not think that it is as simple to use as VS nor as configurable...but that is just my view. I think that it would be worth trying all options out as a trial and seeing which one suits best.

Regards, Baldrick

 

Its been awhile since I tried VS but from what I remember I think NVTERP was simpler to use.

 

AppGuard does not only protect System Space; AppGuard protects all the user-space as well. AppGuard has several protection features that whitelisting Anti-executable software does not have. AppGuard uses policy enforcement to prevent guarded applications (web facing applications) from writing to the System Space, and Program Files Folders. Guarded applications are also not able to read, and write to the memory of other applications unless you make an exception in the settings to allow it. This really makes a big difference when sandboxing applications in the user-space to contain a malicious threat. AppGuard only allows signed executables to execute in the user-space in Medium Mode of protection. In Locked-Down Mode of protection AG only allows Guarded Applications to execute in the user-space. I have made a request that AG give an option to only allow signed applications on the Trusted Publisher's List to execute in Medium Mode of protection in the user-space so I think you will see that in the next version of AG. AG also has registry, and .dll protection as well. I've been beta testing AG since first alpha builds so if you have any questions then feel free to ask. I should be able to answer most questions.

 

I have lots of photos, videos, documents and some programs in user space. I don't want e.g. Cryptolocker to decrypt all these files or any malware to delete/manipulate the stuff I have in user space. I think I can protect the files by AppGuard (making private folders etc.) but protecting all files on my PC by default would be more convenient.

 

Yes, you can make those folders private in AG settings, and not allow other applications access to those folders. It's easy to do.

 

I've used AppGuard with VoodooShield, and NVP ERP without any problems. You may want to try using AppGuard with VoodooShield, or NVT ERP. Either one would make a good combo. There will be a lot of overlapping in protection though.

 

@Cutting_Edgetech:
Ok, I see your point. But as a layman I find the concept of AppGuard quite confusing. I mean what an application is allowed to do or not to do depends on so many factors: is it installed in system space or user space, is it added to the guarded apps or not, is the privacy setting turned on or off, is memguard turned on or off, is it added to the publishers' list or not, is it digtally signed or not, is the protection level set to install, to medium or to locked down etc.
Although I read AppGuard's manual and also Pegr's guide to AppGuard I still don't really understand how to configure AppGuard for best protection.
What I miss is a simple guide. E.g. for optimal protection do this:
Step 1: Install all programs in system space. Step 2: Add all programs in system space to guarded apps. Step 3: Turn privacy and memguard on for all guarded apps. Step 4: Make private folder for all important documents/files in user space...

You mentioned that AppGuard only allows signed applications to execute in user space. Isn't there malware that uses fake digital signatures? An anti-executable would stop those malware because it's not white-listed.

 

Hi micrei,

I know you've addressed your reply directly to Cutting_Edgetech, but I hope you and he don't mind if I add a few comments of my own.

1. AppGuard assumes that system space is where programs are running from and that user space is where user data is held. AppGuard works best if programs are installed into system space, so do this wherever possible.

2. Do not add all programs in system space to guarded apps. Security programs and system utilities should not be guarded or they will be prevented from working properly. Programs that should be guarded are those applications vulnerable to being used to exploit the system, and which should not be trusted. This includes Internet-facing applications (browsers, email clients, etc) and applications used to load documents that can contain embedded code (office applications, media players, document readers, etc).

3. The default for programs added to the guarded apps list is that MemoryGuard flags will be set to On and the Privacy flag set to Off. All programs running from user space (where allowed) without an explicit entry in the guarded apps list will automatically be guarded and MemoryGuard and Privacy mode will both apply. Of the default programs already in the list, only browsers have the Privacy flag set to On. If the Privacy flag is set to On for all guarded apps, they will not be able to create or access their data files in private folders.

4. It is a good idea to put ALL personal data files in user space into private folders. There is no disadvantage to doing this and it provides protection against ransomware introduced via the browser. For normal web browsing, browsers should run in privacy mode as they have no legitimate reason to access personal data.

5. AppGuard only allows signed applications to execute in user space if running at the Medium protection level. At the Locked Down protection level, no applications are allowed to run from user space unless they are explicitly added to the guarded apps list. Personally, I prefer the Locked Down protection level because it's more secure. However, something to bear in mind is that some signed program automatic updates that would be allowed at the Medium protection level may be prevented at the Locked Down protection level. It's a trade-off between convenience and security.

Regards
pegr

 

Hi pegr,
thanks for the info. That was very helpful. I think I'll use AG as second security layer now.

 

It also took me a while to figure out how AG exactly works, it was a bit too complex for me. I'm using Sandboxie + ERP, so basically, isolation is done by SBIE, everything that is running inside the sandbox can't touch files outside of it. And ERP controls which apps are allowed to run (also inside the sandbox), no matter where they are launched from. VS also seems to be a bit too aggressive for me.

 

You're welcome.

 

I forgot to mention that AG also has some HIPS capabilities, as it monitors certain processes. This is an advantage over ERP and VS. But I prefer ERP (simple anti-exe) + advanced HIPS like SpyShelter.

 

+1

 

I said AG only allows signed executables to execute from the user-space in Medium Mode of Protection. AG will block signed executables from executing from the user-space in Locked Down Mode of Protection. I have requested that BRN only allow certificates on the Trusted Publisher's List in Medium Mode of protection. The chance of the Malware being signed by one of the certificates the user has on their Trusted Publisher's List would be very slim. Barb informed me they may give an option to do this soon. Everyone thought it would be the smart thing to do. That would allow the user's applications to update in Medium Mode of protection while providing a much higher level of security. AG has videos of Crypto Malware being allowed to execute in the user-space due to being signed, but AG prevented any damage by sandboxing the threat. The Crypto-Malware was not able to encrypt any of the user's files. It's still best not to allow a threat to execute in the first place so I hope they make the change I recommended.

 

Yes, that would be great!

 

AG has an option to specify which vendors you trust, which reduces (as long as you don't include Comodo ) risk of signed malware to minimum. Many Anti-Executables don't block dll's or other loadpoins (e.g. driver through inf file). Don't know whether VS or NVT-ERP block DLL loading. Not looking at DLL's poses a greater risk as the FUD-ded signed malware threat.

Best answer is allready given by Peter2150. When your PC has enough power to push it: go for AG + NVT ERP + SBIE (SBIE is nessecary when you use a browser without a sandbox, like Firefox)

 

Appguard is better

 

Peter, I assume your talking about the publisher lists in AG, so you remove them all including Google, Microsoft, BlueRidge Networks etc? That doesn't bugger anything up?

 

Good Evening! I Like AppGuard...a lot...I basically set it and forget it. Now on the other hand I've also used Voodoo Shield...like me it can be a tad aggressive at times. Otherwise it's a Superb App. I Had AppGuard...Voodoo...and WSA Security Plus...in Tandem...Homeland Security at it's finest. I know I'll be using the Power of Voodoo...in the not too distant future. You simply can't go wrong with AppGuard. Like the BlackHawks! Sincerely...Securon

 

+1
I do exactly the same as you... me a bit paranoid? Yes but I "feel" secure.