AppGuard 4.x 32/64 Bit - Releases

Discussion in 'other anti-malware software' started by Jryder54, Oct 29, 2013.

Thread Status:
Not open for further replies.
  1. hjlbx

    hjlbx Guest

    mrsa.exe is a typo on Florian's list; it is supposed to be msra.exe.
     
  2. Schorg

    Schorg Guest

    Thanks @hjlbx, you are a great help. I really appreciate your advice.
     
  3. hjlbx

    hjlbx Guest

    @Schorg - researching .NET Framework is a dodgy affair; comprehensive, detailed info on MSDN and TechNet is lacking. I could spend many hours deep within the bowels of Microsoft's development-related sites and still not find much info. This is not unusual.

    Florian from Excubits is a researcher - and everything he has stated has "panned out." So if he adds a process to his published list of vulnerable processes, then it is a safe bet that there is a valid reason for doing so - even if he doesn't explain why.

    If anything, adding the list of vulnerable processes to User Space (YES) has proven - at least to me - that the vast majority of home users do not need them during their day-to-day computing. One also has to remember that Florian's list targets admins - so if he is recommending that admins disable the processes - it is probable that many of them also do not need most of those processes day-to-day.

    The concept is simple: If you need a process in User Space (YES), temporarily exclude it from User Space (change to NO), do what you need to do, then immediately re-include the process in User Space (change back to YES).

    The only case where I have found that I needed to completely exclude a process from user space is sc.exe - the Windows services command line utility - because it is employed by Windows during system idle Automatic Maintenance or maintenance initiated by the user (manual maintenance).
     
    Last edited by a moderator: Jul 26, 2016
  4. Schorg

    Schorg Guest

    Florian from Excubits' published list of vulnerable processes is certainly a valuable resource.

    I am unaware (please correct me if I am incorrect) of any other developer who produces such a list and I hope he continues to do so.

    Without your post here and on Malwaretips I would have been completely unaware of its existence and how to harden AppGuard to its maximum potential.
     
  5. hjlbx

    hjlbx Guest

    There are various lists/sources online - NSA, CERT, etc., but Florian's is the most comprehensive all in a single list.
     
  6. bjm_

    bjm_ Registered Member

    Aha. That explains why set.exe, debug.exe and mrsa.exe are Search my stuff. W10 Search sometimes has me going in circles. Edit: msra.exe
     
    Last edited: Jul 28, 2016
  7. WildByDesign

    WildByDesign Registered Member

    I've got some more technical details courtesy of user "100" over on the MDL forums:

    Source thread: http://forums.mydigitallife.info/th...Anniversary-Update-Digital-Signature-Question

    Digital Signature verification is tied in quite heavily with Secure Boot now on Windows 10 Anniversary Update (and potentially future updates to Windows 7/8.x) and therefore disabling Secure Boot helps temporarily for certs that fail verification. Disabling Secure Boot is definitely not a good long term solution though, which is the reason why Florian from Excubits/Bouncer has had no choice but to pay the extra fees to get a HSM dongle for signing SHA256 and cross-signing with Microsoft Windows sysdev team. It's a tremendous amount of extra hassle and money, but seems to be the only way going forward. For example, currently Bouncer driver will not run on Windows 10 Anniversary Update without disabling Secure Boot. I've seen a lot of users with hardware drivers also having to disable Secure Boot, though that is likely older drivers.
     
  8. hjlbx

    hjlbx Guest

    The date set by Microsoft - Feb 14, 2017 - is for driver publishers and certificate signing requirements. After that date, driver certificates not meeting Microsoft's requirements will no longer be loaded by Windows 10.

    The Anniversary Update on W10 will not - or I should say should not because you never know if there is a SecureBoot bug in that update - break existing driver loading.

    I can't imagine Microsoft revising their complete policy regarding the deadline with the Anniversary Update. It will break many software... and cause open revolt by publishers.

    Sounds like a perfectly good reason not to install the Anniversary Update until reports confirm that it is OK; I will be disabling Windows Update service.

    Thanks for the infos @WildByDesign.
     
    Last edited by a moderator: Jul 26, 2016
  9. Schorg

    Schorg Guest

    I certainly agree!

    Thanks @WildByDesign, nice to know; I may try the Windows 10 Anniversary Update on my laptop before proceeding with my main PC.
     
  10. WildByDesign

    WildByDesign Registered Member

    I agree with you 100%, it should not break any drivers until specified date. However, there has been quite a bit of driver related problems although that is mostly related to older hardware and older drivers (not nearly as bad as Vista driver problems, though). Although, for example, VoodooShield does not work on Anniversary Update currently as the kernel-mode driver fails cert verification. So users would need to disable Secure Boot temporarily. Dan is aware though and is already seeking HSM dongle or whatever appropriate signing solution for his dev team. I don't think that it affects non-UEFI systems though, but can't confirm. Also, I believe that systems where the operating system is "upgraded" to Windows 10, there is some exemption period in which kernel-mode driver verification is delayed until a later period in time, quite likely the date in which you specified.
     
  11. guest

    guest Guest

    It's not as easy as I thought with these certificates.
    And a lot of the security apps I have installed don't meet the requirements.
    "Feb 14, 2017" will be an interesting day :eek:
     
  12. hjlbx

    hjlbx Guest

    I am not going to install Anniversary Update until I definitively see that others are not having issues between drivers and the SecureBoot revisions; I will disable Windows Update service on my W10 Home.

    It makes no sense to disable SecureBoot - but it does make sense to delay the install of the Anniversary Update.

    This whole Anniversary Update is going to be interesting...
     
  13. scootnod

    scootnod Registered Member

    Everything was perfect until:

    Prevented process <icudt.dll | c:\windows\system32\rundll32.exe> from launching from <c:\programdata\gog.com\galaxy\redists\overlay>. etc

    Do I put c:\programdata\gog.com\galaxy\redists in ignored user space? What I did.
     
  14. paulderdash

    paulderdash Registered Member

    Hope so.
    Sure will be.
    Think so too.
     
  15. hjlbx

    hjlbx Guest

    Rundll32.exe is blocked from loading *.dlls from User Space per AppGuard default policy.

    I would only exclude: c:\programdata\gog.com\galaxy\redists\overlay\icudt.dll -- unless more objects are used from overlay sub-folder.
     
  16. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    It seems AG is still not quite ready for Windows 10 yet. I just installed AG on a fresh install of Windows 10 x64 Pro, and I keep getting an error message that states the following below.

    "There was an error when applying AppGuard Policy and you may not be fully protected. Remove recently added policy and try again. If the problem persist, restore all AppGuard settings to default on the advanced tab".

    I have not edited AG's policy in any way. I just installed AG, and started receiving this error message immediately after rebooting. If I attempt to restore AG policy to its default using the advanced tab it gives me the same error message. If AG blocks something, if I change the protection level, if I try to hide the redundant block notification window, etc., I receive the same error message.

    The only other security software I'm using other than Windows Defender is Eset Smart Security 9. I have not tried changing any AG settings since I fear it will make it harder for BRN to locate the problem. I seriously doubt it will allow me to change any settings anyway since I'm not even able to hide the redundant block prompt. I will try after I collect any data BRN needs.

    When I installed AG I was informed a reboot was required, and after I chose reboot I received a message not to shut off my computer because Windows was preparing something. I waited for almost an hour before Windows finally rebooted and finalized AG's installation.

    Has anyone else experienced this error message on Windows 10?
     
  17. hjlbx

    hjlbx Guest

    I am on W10 Home (not part of W10 Insider ring - just std W10 Home); haven't seen any such error.
     
  18. guest

    guest Guest

    This is the error I mentioned some months ago, sent to support and never had a reply since...

    In my case it is related to guarding some portable apps located in another partition while Rollback Rx is installed.
     
  19. hjlbx

    hjlbx Guest

    I have just installed RB Rx a few days ago. Looking out for any errors.

    I don't have same situation as you though - since I have no partitions other than system partition. So I might not see any problems between AG and RB Rx.

    I know @Cutting_Edgetech does not use any HDS products.
     
  20. guest

    guest Guest

    In my case, you will not have the error if in the same partition.

    So something is wrong with AG and some guarded apps.
     
  21. hjlbx

    hjlbx Guest

    Could be something between AG and W10 Pro.

    You and he are the only time I have seen this error.

    I know your situation because I have followed it. Illuminator used W10 Pro and AG, but never reported anything.
     
  22. guest

    guest Guest

    I'm using Win10 Home.
     
  23. paulderdash

    paulderdash Registered Member

    Not seen this error on W10 Pro (see sig of Primary machine).
     
  24. guest

    guest Guest

    ...no reply? o_O
    Is there no "interaction" between the support and the user anymore? :confused:
    IF you get a reply from them (...see above) :(
    Do the error messages disappear after uninstalling ESS9?
     
  25. hjlbx

    hjlbx Guest

    4.4.6.1 download link: https://blueridgenetworks.s3.amazonaws.com/UpdateFolder/AppGuardSetup-4-4-6-1.exe

    The above download link will be available until the next release of AppGuard Professional 4.X.

    Only the AppGuardSetup-4-X-X-X.exe portion of the URL should change; AppGuardSetup-4-4-6-1.exe will be replaced with the most recent release version.
     