AppGuard 4.x 32/64 Bit - Releases

Discussion in 'other anti-malware software' started by Jryder54, Oct 29, 2013.

Thread Status:
Not open for further replies.
  1. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,537
    Hi @Barb_C ,

    I will wait for the change log...

    Thanks a lot for your support! :)

    Regards
     
  2. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    LicenseQueryApp.exe has to run and complete before AppGuard will apply its protection. By complete, I mean exit - not actually access the Internet. So because you have a program that is preventing LicenseQueryApp.exe from finishing, AppGuard is stalled. We use LicenseQueryApp to query the state of the license. The license must be Activated or within the trial period or AppGuard will not apply protection. Once the license is activated, LicenseQueryApp.exe does not have to access the Internet again (but it does - more on that later) in order for AppGuard to run, BUT it must execute and complete in order for AppGuard to determine the license status. So if you had a tool that just blocked Internet access to LicenseQueryApp but did not keep it from exiting, all would be well. LicenseQueryApp would eventually (seconds, I believe) time out and then the last status (Activated, I assume) would be passed to AppGuard and your protection would be applied.

    LicenseQueryApp.exe is executed every time that AppGuard is started (and maybe even more frequently), but it is only set to access the Internet every 5 days. If it does not access the Internet no harm is done (with the exception that we may not know which version you have), but it must finish so that it can tell AppGuard that your license is valid (it does not need to access the server to determine that the license is valid). We want AppGuard to phone home periodically for a few reasons:
    1. We get the version information during this check. This is helpful to know who has which version installed (we may actually need this if we do a mass email about our update issue).
    2. We can see how many computers are actively running AppGuard.
    3. Fraud control (if someone keeps asking us to bump up their activations (you know who you are!), we can determine if they have several computers using the same license).
    4. Future: We may be able to leverage some of the features on the license server for things such as updates (given my previous post about our update logic going awry, it might be sooner than later!).
    BTW, all that I've said about LicenseQueryApp not having to access the Internet only applies to version 4.x with the perpetual license. For version 5.x (which has subscription based licensing), it will have to periodically access the Internet or it will not continue protecting.
     
  3. hjlbx

    hjlbx Guest

    Last edited by a moderator: Mar 4, 2016
  4. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Well, I'm aware, as I stated, that AG will enable its protection whether LicenseQueryApp.exe can obtain Internet access or not. AG will not enable its protection until I allow or deny the request, though. I choose allow, of course, but the protection will enable on its own once I respond.

    The biggest problem I see is that AG takes approximately 28-30 seconds after the desktop loads for its protection to become active on my machine. I checked this at least 10 times with a stopwatch. I can execute whatever I want for the first 28-30 seconds after the desktop loads. I seriously doubt that will be sufficient to prevent an infected USB device from infecting one's computer if it is plugged in when the computer is off, or if it's already plugged in when rebooting. I would suggest that be a priority to fix during the next development cycle.

    I'm not sure who you are referring to, but there is a problem with BRN's fraud protection for their license. I have had to ask for my license to be reset several times because BRN's fraud protection for their license is flawed. It probes the user's computer looking for hardware changes, and it treats an external USB drive plugged into the computer the same as changing the OS drive under some conditions. This causes AG to deactivate itself when rolling back to an image that already has AG installed, and activated. In my case it detects my external USB drive plugged in, and treats the license as not matching the hardware that it was activated on. I requested that it be fixed, but it never was. I always have to remember to uninstall AG before rolling my computer back to prevent this from happening. If BRN does not mind resetting my license in a timely manner then this will not be a problem. I just don't want to get stuck in a position of rolling my computer back, and then having AG deactivate itself without being able to get my license reset for an extended period. It would be best if BRN provided the user with some way of managing their own license like some other vendors do.

    Edited 3/4 @ 11:17
     
    Last edited: Mar 4, 2016
  5. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,823
    Location:
    .
    Is this a normal behavior after setting protection level to off? I guess it is not...

    [attachment: appguard.png]
     
  6. Online_Sword

    Online_Sword Registered Member

    Joined:
    Aug 21, 2015
    Posts:
    146
  7. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,823
    Location:
    .
  8. XhenEd

    XhenEd Registered Member

    Joined:
    Mar 31, 2014
    Posts:
    536
    Location:
    Philippines
    @Barb_C
    Posts above confirm the "bug" of AppGuard blocking even if it is Off. :)
     
  9. hjlbx

    hjlbx Guest

    This is what I see intermittently on my W8.1 system:
    • In Install Mode, AG will block certain actions - like writes to Task Scheduler of *.log files - during installation of certain new applications.
    • In Protected (Medium) Mode, AG will block more writes performed by Cyberfox than it does in Lock Down Mode.
    • In both Protected (Medium) and Lock Down Mode, AG will block system processes - like Windows Installer (msiexec.exe) - from updating files located in User Space - even though I have excluded the files\directories from all AppGuard protections (e.g. excluded from User Space, added to Power Apps, added digital signature to Publisher's list, made folders\files an Exception with Read\Write access, etc).
    03/07/16 00:30:52 Prevented <Windows® installer> from accessing <c:\programdata\quarriagent_tmp\quarri enabler.msi <Quarri Launch Helper>>.

    To be honest, it is difficult to make sense of it. Very often, when I report it to support, it appears they don't really know either...

    What I have noticed is that if they cannot reproduce such behavior on their systems, then they just don't bother with it - and it never gets fixed. So for those who see such things, on their specific system, the likelihood of a fix is essentially nil...
     
  10. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,823
    Location:
    .
    The worst part of all is that if AppGuard catches a process and blocks it, then I am screwed. I need to reboot the machine and turn off protection before I am able to run the application.
     
  11. hjlbx

    hjlbx Guest

    That appears to be a much more serious bug than just eccentric blocking events.

    Did you submit a report to BRN support?
     
  12. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,823
    Location:
    .
    No I didn't but I will.
     
  13. hjlbx

    hjlbx Guest

    Barb stated to me that it is best to submit a support ticket since she can miss what is reported here.

    It's too bad, you know... trying to figure out AppGuard's eccentric blocks - and then it never seems to get definitely resolved even with support's involvement.

    I think perhaps it might be rare, but there are blocks that break things. Your case appears to be one.

    These type of things have been reported for a very long time now.
     
  14. guest

    guest Guest

    Sometimes, if a file or an access to a protected resource is blocked, I get "duplicated" entries in the Activity Report.
    After it was blocked, then again 1-2 minutes later. Even if the file is not running anymore o_O

    In my case it's only shown in the Activity Report, but it's not blocked after AG was turned off.
     
  15. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,823
    Location:
    .
    Well, I think I explained the "not able to run the application" part wrongly. What I really meant to say is that I am actually able to run the server app again; the problem is that the Minecraft client can't connect to the local Minecraft server. The Minecraft server runs, AppGuard (protection off) blocks the aforementioned events, and then the client won't connect at all.
    Then I have to restart the PC and turn off AppGuard's protection first in order for things to go well.
     
  16. XhenEd

    XhenEd Registered Member

    Joined:
    Mar 31, 2014
    Posts:
    536
    Location:
    Philippines
    A question: How about those anti-theft software? Should I do something in AppGuard that would ensure proper operation of the software?
    I installed Prey, but there are entries in AppGuard Report that state blocking events related to Prey.
     
  17. hjlbx

    hjlbx Guest

    FYI, if anyone sees these block events on their system, it is associated with Wix Tool Set (installer creation kit). Various vendors use Wix Tool Set and it places the installer in programdata. Why rundll32 attempts to execute from these directories I have no idea - perhaps maintenance of some kind.

    This isn't during installation - it is after the soft has been installed for quite some time.

    03/07/16 23:28:59 Prevented process <inventorui.dll | C:\WINDOWS\system32\rundll32.exe> from launching from <c:\programdata\package cache\{85b9d34f-7397-4e39-8600-07942ef6ca04}\setup>.
    03/07/16 23:28:59 Prevented process <osetupui.dll | C:\WINDOWS\system32\rundll32.exe> from launching from <c:\programdata\package cache\{85b9d34f-7397-4e39-8600-07942ef6ca04}\office.en-us>.
    03/07/16 23:28:59 Prevented process <ezavlic.dll | C:\WINDOWS\system32\rundll32.exe> from launching from <c:\programdata\package cache\{85b9d34f-7397-4e39-8600-07942ef6ca04}>.
    03/07/16 23:28:59 Prevented process <videoc.dll | C:\WINDOWS\system32\rundll32.exe> from launching from <c:\programdata\package cache\{85b9d34f-7397-4e39-8600-07942ef6ca04}\setup>.
    03/07/16 23:28:57 Prevented process <inventorui.dll | C:\WINDOWS\system32\rundll32.exe> from launching from <c:\programdata\package cache\{8a849512-5527-4dc9-b5f0-dc08ae4489e8}\setup>.
    03/07/16 23:28:57 Prevented process <osetupui.dll | C:\WINDOWS\system32\rundll32.exe> from launching from <c:\programdata\package cache\{8a849512-5527-4dc9-b5f0-dc08ae4489e8}\office.en-us>.
    03/07/16 23:28:57 Prevented process <ezavlic.dll | C:\WINDOWS\system32\rundll32.exe> from launching from <c:\programdata\package cache\{8a849512-5527-4dc9-b5f0-dc08ae4489e8}>.
    03/07/16 23:28:57 Prevented process <videoc.dll | C:\WINDOWS\system32\rundll32.exe> from launching from <c:\programdata\package cache\{8a849512-5527-4dc9-b5f0-dc08ae4489e8}\setup>.
    03/07/16 23:11:53 Protection level is set to <protected>.
     
  18. hjlbx

    hjlbx Guest

    It is sort of perplexing - I see more block events when running in Protected versus Lock Down mode.
     
  19. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    It might be because Protected Mode allows more to execute in some cases therefore you end up with more to block. Imagine a signed executable attempting to execute in Locked Down Mode. You would have only one blocked event because Locked Down Mode would block the .exe immediately. If you attempt the same signed executable in Protected Mode AG would allow it to run with limited rights, and then block everything it allowed to run once it reached the threshold where AG's policy was violated.

    Edited 3/8 @ 1:24
     
    Last edited: Mar 8, 2016
  20. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    Prey seems to operate fine alongside AppGuard on my Win 8.1 machine with no special entries in AppGuard.
    I originally installed Prey before AppGuard, so don't know if there would be issues with AppGuard installed.
    It installs into C:\Windows, and looking there it seems to have the latest, and previous, versions so updates are working with no problem.
     
  21. hjlbx

    hjlbx Guest

    Rundll32 has the same latitude to attempt to execute *.dlls in Protected or Lock Down mode since it is a Guarded app; in this case the level of protection is irrelevant.

    Therefore, I would expect to see the same, identical block events in both Protected and Lock Down mode for rundll32 - but I do not. More block events are reported in Protected than Lock Down mode.

    The question is not whether the *.dlls are signed or unsigned - since it is rundll32 executing a command line.

    It appears to me that BRN has decided to hide a good portion of block events in Lock Down mode since version 4.2 - as I have noticed a significant decrease in the number of block events being reported in Lock Down mode as compared to those reported by earlier versions of AppGuard.

    You would expect more block events to be reported in Lock Down since the enforced policy is much more strict than that of Protected mode, but that is not reflected in the Activity Report since v. 4.2.
     
  22. XhenEd

    XhenEd Registered Member

    Joined:
    Mar 31, 2014
    Posts:
    536
    Location:
    Philippines
    Good for you!
    What I did now was to put some of Prey directories and apps to be System directories and apps (User-Space Off). I also put some directories into exception.
    I hope I did the right thing.
    @Barb_C
     
  23. syrinx

    syrinx Registered Member

    Joined:
    Apr 7, 2014
    Posts:
    427
    Tested on a virgin 8.1 install, no other security software added, just AppGuard and Java. Copied over the Minecraft server.jar and ran it. AppGuard stopped it from writing to the system space folder (Program Files) as it should, but after setting AppGuard to off and restarting the server, AppGuard suddenly started blocking it again after a few minutes while still 'off'. This should be easy for them to reproduce and investigate.

    [attachment: Repro.jpg]
    Here's a set of Procmon logs and exported Event Logs for the session resulting in the screenshot as well:
    http://www.mediafire.com/download/brwkxliocwbib6l/AG_MC.zip
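
The Activity Report lines quoted in the posts above (the rundll32 launches out of the Package Cache, the Windows Installer block, the "Protection level is set to" line) have a regular enough shape to parse, and the Minecraft reports in this thread come down to one question: were any blocks logged after the level was last set to <off>? The Python below is an added example written for this page, not part of the thread and not AppGuard's or BRN's own tooling. It parses that line format, replays the protection-level changes in time order, flags block events recorded while the level was <off>, and separately picks out rundll32.exe launches refused from ProgramData\Package Cache. The report format beyond what is visible in the quoted posts is an assumption; the first two lines of the sample (the <off> line and the ExampleServer block) are constructed for the demonstration, the other four are copied from the posts.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Line shapes as they appear in the Activity Report excerpts quoted in this thread.
# Assumption: the report uses these shapes consistently; only these are handled.
TS = r"(?P<ts>\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})"
LEVEL_RE = re.compile(TS + r" Protection level is set to <(?P<level>[^>]+)>\.$")
LAUNCH_RE = re.compile(
    TS + r" Prevented process <(?P<proc>[^>]+)> from launching from <(?P<target>[^>]+)>\.$")
ACCESS_RE = re.compile(
    TS + r" Prevented <(?P<proc>[^>]+)> from (?P<verb>accessing|writing to) <(?P<target>.+)>\.$")


@dataclass
class Event:
    ts: datetime
    kind: str          # "level" or "block"
    proc: str = ""     # "<dll | path>" for launches, display name for access blocks
    target: str = ""   # directory or file the block refers to
    level: str = ""    # lower-cased level name, only for kind == "level"
    raw: str = ""


def _ts(m: "re.Match") -> datetime:
    return datetime.strptime(m["ts"], "%m/%d/%y %H:%M:%S")


def parse_line(line: str) -> Optional[Event]:
    """Return an Event for a recognised report line, None for anything else."""
    line = line.strip()
    m = LEVEL_RE.match(line)
    if m:
        return Event(_ts(m), "level", level=m["level"].lower(), raw=line)
    m = LAUNCH_RE.match(line) or ACCESS_RE.match(line)
    if m:
        return Event(_ts(m), "block", proc=m["proc"], target=m["target"], raw=line)
    return None


def parse_report(text: str) -> List[Event]:
    """The report lists newest first; sort oldest first so the level can be replayed."""
    events = [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]
    events.sort(key=lambda e: e.ts)
    return events


def blocks_while_off(events: List[Event]) -> List[Event]:
    """Block events logged after the most recent 'Protection level is set to <off>'.

    Blocks seen before any level line are ignored: the level is unknown there,
    and counting them would raise false alarms from a truncated report."""
    level = None
    hits = []
    for e in events:
        if e.kind == "level":
            level = e.level
        elif level == "off":
            hits.append(e)
    return hits


def package_cache_launches(events: List[Event]) -> List[Event]:
    """rundll32.exe launches refused out of ProgramData\\Package Cache (WiX Burn bundles)."""
    return [e for e in events
            if e.kind == "block"
            and "rundll32.exe" in e.proc.lower()
            and "\\programdata\\package cache\\" in e.target.lower()]


# Sample report, newest first as AppGuard shows it. The first two lines are
# constructed for this example; the remaining four are copied from the posts above.
SAMPLE_REPORT = r"""
03/10/16 06:05:00 Prevented <ExampleServer> from writing to <c:\program files\example>.
03/10/16 06:00:00 Protection level is set to <off>.
03/07/16 23:28:59 Prevented process <inventorui.dll | C:\WINDOWS\system32\rundll32.exe> from launching from <c:\programdata\package cache\{85b9d34f-7397-4e39-8600-07942ef6ca04}\setup>.
03/07/16 23:28:57 Prevented process <ezavlic.dll | C:\WINDOWS\system32\rundll32.exe> from launching from <c:\programdata\package cache\{8a849512-5527-4dc9-b5f0-dc08ae4489e8}>.
03/07/16 23:11:53 Protection level is set to <protected>.
03/07/16 00:30:52 Prevented <Windows® installer> from accessing <c:\programdata\quarriagent_tmp\quarri enabler.msi <Quarri Launch Helper>>.
"""

if __name__ == "__main__":
    evs = parse_report(SAMPLE_REPORT)
    for e in blocks_while_off(evs):
        print("BLOCK WHILE OFF:", e.raw)
    for e in package_cache_launches(evs):
        print("PACKAGE CACHE:  ", e.raw)
```

Run it against a report pasted into a file and any "BLOCK WHILE OFF" line is exactly the evidence to attach to a support ticket: the level line and the later block, in order, from the same report. The Windows Installer block in the sample is deliberately left unflagged because no level line precedes it; a report clipped at the top tells you nothing about what mode AppGuard was in.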
     
  24. hjlbx

    hjlbx Guest

    This block is not supposed to happen:

    03/10/16 06:14:21 Prevented process <Internet Explorer> from writing to <c:\users>.

    By default, user profile and program data are supposed to have read\write permissions.
     
  25. hjlbx

    hjlbx Guest

    AppGuard keeps blocking actions that, at least from my understanding, it should not be blocking.

    I report it. BRN tests it for perhaps a few hours and then states they cannot reproduce it - so it never gets fixed.

    Most of these block events take quite a while (sometimes over a week) to manifest.
     