AppGuard 4.x 32/64 Bit - Releases

Discussion in 'other anti-malware software' started by Jryder54, Oct 29, 2013.

Thread Status:
Not open for further replies.
  1. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    That is what I was trying to say, cruel. Guess I could not say it well enough. I liked your sound track as always.
     
  2. guest

    guest Guest

    The "Install" setting is for .MSI-Installer files, or something similar.
     
  3. hjlbx

    hjlbx Guest

    Can anyone else confirm this Trusted Publisher bug in 4.4.6.1 ?:

    1. Add a publisher to the Trusted Publisher list.

    2. Set that Trusted Publisher to "Install."

    3. Close the AppGuard GUI.

    4. Re-Open the AppGuard GUI.

    5. Go to the User Space tab > Trusted Publishers.

    6. Change the Trusted Publisher from "Install" to "--" (blank).

    7. Close the AppGuard GUI.

    8. Go to User Space tab > Trusted Publishers.

    9. Change the Trusted Publisher from "--" (blank) back to "Install."

    10. Close the AppGuard GUI.

    11. Re-Open the AppGuard GUI.

    12. Go to User Space tab > Trusted Publishers.

    13. The Trusted Publisher that was just set to "Install" has been reset to "--" (blank).
     
  4. hjlbx

    hjlbx Guest

    Need "Install" for *.msi files.

    Do not need "Install" for all other installation file types - e.g. *.exe.
     
  5. guest

    guest Guest

    Bug confirmed :D
    I fiddled around with Trusted Publishers and:
    a) Level --- => Install
    b) It changed from Install -> ---
    c) Level --- => Install
    d) It changed from Install -> ---
    :confused:
    = A publisher can't be set to Level: Install
     
  6. locoJoe

    locoJoe Registered Member

    Joined:
    Apr 7, 2016
    Posts:
    21
    I can not reproduce this on my setup, sorry.
    ================================
    btw
    1) what is the difference between "Install" and "--" (blank)
    2) what is the default setting for BRN in the TPL? I have:
    http://s31.postimg.org/ug1vfvcwr/BRN_TPL.jpg
     
  7. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    CE- The workings of the RAT were mentioned in the first part of the series. In short, the signed executable will drop the dll and call up rundll32.exe to run that. At that point the services are set to autostart on Boot, running via the legitimate svchost. Licensed or not, there was nothing for AG to detect on boot. There's really no magic to it (well, a little magic).

    H- I guess I'm a little too subtle about things. Regarding signed files, note that AG stopped both the Microsoft file as well as the RAT. Obviously a person would install one with confidence but not the other- but this is only because I pointed out that one was legit and one was malware. In normal computing these helpful hints wouldn't be present.

    Finally- for this Video I guess I could have run 100 riff-raffy malware samples (like AV-C does) and AG would have blocked every one. Everything then would have been Unicorns and Rainbows. But I guess I'm really not that type of Girl.
     
  8. NSG001

    NSG001 Registered Member

    Joined:
    Jul 14, 2006
    Posts:
    682
    Location:
    Wembley, London
    Re: video music bed, what does the legendary John Mayall have to do with Appguard?
     
  9. guest

    guest Guest

    Thanks. I'll have a look at the other parts later :thumb:
     
  10. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    It's just another reason not to use Protected Mode.
     
  11. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Thank you for the info! I will report this to BRN soon.
     
  12. hjlbx

    hjlbx Guest

    The use of a digital certificate from a vendor on the Trusted Publisher list and Protected mode = weakness.

    That's why Protected mode and any Trusted Publishers - including Microsoft and BRN - in the list are both not recommended by experienced AppGuard users.

    Protected mode and Trusted Publishers are both a definite vulnerability to the system...

    * * * * *

    I get the point about not knowing whether a file is absolutely legit. It isn't that difficult to make a reasonably accurate determination that a file is safe, unsafe or dodgy - but I guess the objection is that a n00b can't handle such things.

    For n00bs (and the experienced) - the only way to absolutely protect the physical system is not to allow unknown\untrusted files to execute on the system in the first place. But I know most users just find this position plainly unacceptable - they can't accept this well-established, so-simple-that-it's-brilliant truth.

    That's why n00bs should just use a SUA - which ain't perfect - but it is better than running Windows with the best available security solutions while in the limited Admin account. In fact, some of us experienced AppGuard users choose to run in the SUA.

    The expectation from most average users is that they can do anything and everything - without any hindrance or alteration of their desktop experience - and still remain infection-free under 100 % of all computing conditions. I really wish it were so, but the reality is that it just ain't possible... not with any currently available security soft.

    I know BRN's official position, "an AV must be used with AppGuard..."
     
    Last edited by a moderator: Jun 26, 2016
  13. hjlbx

    hjlbx Guest

    Already got it. I would bet there is no real interest since it is a "certificate\digital signature" bypass...

    The RAT executable was signed, the dropped *.dll was not - and initially blocked - I get that.

    However, after system reboot the dropped *.dll was loaded - I get that too. It will be interesting to see what BRN has to say about it...

    I surmise that if the *.dll is loaded by a service during boot, then AppGuard will not\cannot block it. If rundll32.exe made that linkage between a service and the *.dll - even as a Guarded App - then I think nothing can be done. Just a guess...

    As we all know, Protected mode is just plain bad ju-ju...
     
    Last edited by a moderator: Jun 26, 2016
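
A defender-side check for the persistence discussed in posts 7 and 13 (a DLL registered as an auto-start service and loaded through svchost at boot), added here as an example; it is not from any poster in this thread or from BRN. The `$expectedPublishers` list and the output field names are assumptions to adjust for your own system.

```powershell
# Added example: list auto-start services hosted by svchost.exe whose ServiceDll
# is missing, unsigned, or signed by a publisher you do not expect.
# Run from an elevated PowerShell prompt so every service key is readable.
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# Assumption: organisation names you expect to sign svchost-hosted DLLs.
$expectedPublishers = @('Microsoft')

$findings = foreach ($svc in Get-ChildItem -Path $servicesKey -ErrorAction SilentlyContinue) {
    $props = Get-ItemProperty -Path $svc.PSPath -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    if ($props.Start -ne 2) { continue }                     # 2 = starts automatically at boot
    if ($props.ImagePath -notmatch 'svchost\.exe') { continue }

    # svchost-hosted services name their DLL in <service>\Parameters\ServiceDll
    $params = Get-ItemProperty -Path "$($svc.PSPath)\Parameters" -ErrorAction SilentlyContinue
    if (-not $params -or -not $params.ServiceDll) { continue }
    $dll = [Environment]::ExpandEnvironmentVariables($params.ServiceDll)

    if (-not (Test-Path -LiteralPath $dll)) {
        [pscustomobject]@{ Service = $svc.PSChildName; Dll = $dll; Status = 'MissingFile'; Signer = $null }
        continue
    }

    $sig    = Get-AuthenticodeSignature -LiteralPath $dll
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }

    # A valid signature alone is not enough (the dropper in the thread was signed),
    # so the signer must also match the expected list.
    $expected = $expectedPublishers | Where-Object { $signer -like "*O=$_*" }
    if ($sig.Status -ne 'Valid' -or -not $expected) {
        [pscustomobject]@{ Service = $svc.PSChildName; Dll = $dll; Status = $sig.Status; Signer = $signer }
    }
}

# Older PowerShell versions may report catalog-signed system DLLs as NotSigned,
# so treat the output as a review list rather than a verdict.
$findings | Sort-Object Service | Format-Table -AutoSize -Wrap
```
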
  14. XhenEd

    XhenEd Registered Member

    Joined:
    Mar 31, 2014
    Posts:
    536
    Location:
    Philippines
    If you report something to BRN, also report a bug regarding Install Mode. Install Mode doesn't let some install properly, since some files of that installation are blocked from running, which makes the installation unsuccessful or corrupted. Just recently, I updated Pale Moon. It didn't update well, since AppGuard in Install Mode blocked something in the installation process of Pale Moon. That's why I use Off when installing something.
     
  15. hjlbx

    hjlbx Guest

    Clean install of Pale Moon - or update install ?

    In Install Mode - Guarded Apps are still run as Guarded Apps. Maybe that is the cause -- I don't know, it depends upon which Windows processes the Pale Moon installer calls in the run sequence - if any...

    I can report it, but I need more info.
     
  16. XhenEd

    XhenEd Registered Member

    Joined:
    Mar 31, 2014
    Posts:
    536
    Location:
    Philippines
    It was a program update of Pale Moon.
    But the issue isn't limited to Pale Moon because it happens with almost every software installation.
     
  17. hjlbx

    hjlbx Guest

    I would submit a report directly to BRN support.

    I too have seen unexpected blocks while in Install mode; I, as well as others, have reported such block events to BRN - but nothing ever became of those reports as far as I know.

    I will give you one example. One time I installed Kingsoft WPS. AppGuard blocked the installation of tasks while in Install mode. It only happened that one time. I tried to replicate it, but could not.

    If you post your issue here, then it will very likely never be addressed.
     
  18. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Generally when I install I just use off. Solves problems
     
  19. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I always do the same.
     
  20. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    OK I had been running in Protected mode all along from an 'ease of use' perspective. Will try Locked Down and see how it goes ...
    I have the default Trusted Publisher list, as well as some additions for my other security softs.
    Do you recommend removal of all these (as some do), including BRN, even in Locked Down mode?
     
  21. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    OK - thanks.
     
  22. hjlbx

    hjlbx Guest

    Don't get too worked-up about Protected mode. After all, the probability of a "certificate" bypass is quite slim.

    Anyhow... I think you won't see much change in your AppGuard experience by using Lock Down mode.
     
  23. @Barb_C

    I had expected AppGuard to scan for already installed signed programs and add these to the trusted vendors list. A long time ago I discussed this with Eirik (and he would discuss this with the development team). Since users can add/delete from the trusted list, why not offer such a scan for signed programs when installing AppGuard?

    regards Kees
     
  24. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Extra development work, and I just don't see the value.
     
  25. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    I amended a previous post, but I think this deserves its own post: I just confirmed that you can buy AppGuard 4.X as AppGuard Personal through June 30th. On July 1st AppGuard Personal Subscription will be launched and AppGuard 4.X will no longer be sold. Note, we will continue to support and periodically upgrade AppGuard 4.x, but it will no longer be available for purchase through our web site.
     
    Last edited: Jun 27, 2016