AppGuard 4.x 32/64 Bit - Releases

Discussion in 'other anti-malware software' started by Jryder54, Oct 29, 2013.

Thread Status:
Not open for further replies.
  1. Overkill

    Overkill Registered Member

    Joined:
    Mar 16, 2012
    Posts:
    2,343
    Location:
    USA
    You're welcome
     
  2. guest

    guest Guest

You are welcome, best way to handle AG with Sbie ;)

    unless you have hamperings/blockings.
     
  3. XhenEd

    XhenEd Registered Member

    Joined:
    Mar 31, 2014
    Posts:
    536
    Location:
    Philippines
    Weird block event:

    12/03/16 21:02:00 Prevented process <AppGuard GUI Application> from accessing to <c:\users\***\documents\myprivatefolder>.

    Parent process is Google Chrome.
     
  4. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,453
    Location:
    .
    AppGuard has been well behaved sans Sbie processes as Power Apps.
Personally, were I able to add folders, I would add Sbie folder to Power Apps...., same as I add Sbie folder to Norton exclusions. Just me. Just saying.
    I don't like my peas and carrots touching either :D
     
  5. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
This is a known issue. Just un-tick pop-ups and toaster on User Space tab. Then you will not get the pop-up or toaster when AppGuardGUI.exe attempts to read Private Folders.

    It will still be logged in Activity Report.

    The issue is harmless.
     
  6. XhenEd

    XhenEd Registered Member

    Joined:
    Mar 31, 2014
    Posts:
    536
    Location:
    Philippines
    Thanks for confirming, Jeff! :)
     
  7. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
  8. guest

    guest Guest

@CoolWebSearch AG doesn't care if the file is FUD or not, AG isn't a scanner, AG blocks the execution of everything located in "user-space", whether it is legit or not.
     
  9. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    AppGuard is a software restriction policy software with additional protections. It does not protect the system by detecting anything as safe or malicious. At its most basic level, it blocks the execution of files from User Space. User Space is the combined areas of the Windows file system in which files can be downloaded and executed.

    The whole premise of AppGuard is to lock down the system.

    In short, AppGuard will block FinFisher executables - but it isn't going to tell you that an executable is FinFisher, is malicious or safe.

    What is not allowed by policy is denied. Default-deny is the protection model - block everything which is not allowed per policy.

    The proper way to use AppGuard:

    1. Clean install OS
    2. Install desired softs using known safe installers
    3. Install AppGuard and lock down system
    4. If you do modify the system, then only do so after you have determined that an installer\program is safe

    This is not difficult.
     
    Last edited: Dec 4, 2016
  10. Indeed, and as seen in my screenshot, it is my testing machines set up with a little extra muscle ;)

     
  11. Circuit

    Circuit Registered Member

    Joined:
    Oct 7, 2014
    Posts:
    939
    Location:
    Land o fruits and nuts, and more crime.
Just curious if this is the same Barb, has she moved on?
     


  12. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    It isn't the same Barb
     
  13. Circuit

    Circuit Registered Member

    Joined:
    Oct 7, 2014
    Posts:
    939
    Location:
    Land o fruits and nuts, and more crime.
    Thanks.
     
  14. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    What have you Chrome guys/gals been doing about this block with Google Chrome Enterprise version? AG is blocking msiexec.exe from accessing googleupdatehelper.msi. I don't want to make any of my browser components Power Apps for obvious Security reasons, but I don't have that option anyway since Power Apps feature does not give the option to add .msi files.

    Edited 12/4 @ 5:59
     


    Last edited: Dec 4, 2016
  15. Duotone

    Duotone Registered Member

    Joined:
    Jul 9, 2016
    Posts:
    142
    Location:
    Philippines
    :thumb::thumb::thumb: Both softwares got my back.

    Any update on the latest v5 beta and where's Barb? Haven't heard from her lately...
     
  16. guest

    guest Guest

Try switching to Protected Mode. A similar issue was reported about Google / Google Update:
     
  17. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    It tries to execute over, and over again. If I disable AG to allow it to run it will continue to run again, and again once I enable AG again. Placing AG in Protected Mode does not help. It seems this is something Chrome likes to run over, and over again. It may be something that Chrome added to Windows scheduled task. If that's the case then I may be able to remove whatever Chrome added to Windows Scheduled task. I'm just making a guess though of why this keeps executing over, and over again.
     
  18. guest

    guest Guest

No, and our @Barb_C is actually very busy, anyway Jeff (and I to a much lesser extent) are here to fill her role here and lessen her burden.

I don't have this issue on my Chrome, so I will ask you some questions:

1 - Is your xml file the original one?
2 - What if you add googleupdate in user-space = NO?
     
    Last edited by a moderator: Dec 5, 2016
  19. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
Basically, *.msi are database files, or more properly installation packages, that contain instructions for the Windows Installer API to make an install\uninstall; *.msi files are not executables like an *.exe. What msiexec.exe is attempting to do is read googleupdatehelper.msi.

    It is OK to ignore the block event in the Activity Report.

If you so choose, you can also Ignore the denied read access to the *.msi in Activity Report.

    As an integral part of InstallGuard protection, the explicit file path of *.msi files cannot be excluded from User Space or added to Power Apps.

    However, it is not recommended practice, but you can try to exclude an *.msi file from User Space (NO) by using the * wildcard and manually typing in the file path within the AppGuard file explorer Path field (User Space tab > Add > type in file path in the Path field):

    For example,

    C:\Program Files (x86)\Google\Update\1.3.31.5\GoogleUpdateHelper.msi => C:\Program Files (x86)\Google\Update\1.3.31.5\*.msi

    If excluding the *.msi from User Space (NO) works (I don't think it will work), since googleupdatehelper.msi resides in Windows protected Program Files (x86) there is minimal risk to excluding it from User Space (NO). Like I said, that is if excluding it works.

    For optimal security, when you want to update Chrome, just lower protection to Protected or Allow Installs, and then manually update Chrome. Which mode to use will depend upon whether or not all the update files (e.g. *.tmp) are signed all the way through the update run sequence. One can try to exclude an unsigned *.tmp file from User Space (NO), but if I recall correctly it does not work - the User Space excluded *.tmp is still blocked by AppGuard.

    Also, the exclusion of complex file paths using the * wildcard is not supported. For example, C:\Users\User\AppData\Local\Temp\Folder\Randomly-Named-Subfolder\Randomly-Named.tmp = C:\Users\User\AppData\Local\Temp\Folder\*\*.tmp
     
    Last edited: Dec 5, 2016
  20. guest

    guest Guest

It is what I do every time.
     
  21. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
Just an FYI for those of you using W7. Microsoft is using *.msp files for at least some of the Quality Rollups in Windows Update.

    In those cases, you have to lower protection from Locked Down to Protected and then perform the update.

    If you do not, then AppGuard InstallGuard will prevent msiexec.exe from reading\installing the *.msp and the update will fail to install:

    12/05/16 00:38:25 Prevented <Windows® installer> from accessing <c:\c9a5128d4d1699048b20\ndp46-kb3195388.msp>.
    12/05/16 00:56:09 Prevented <Windows® installer> from accessing <c:\7be47e8eb467cec083a7987a\ndp46-kb3195388.msp>.


    The *.msp cannot be excluded from User Space (NO) by manually adding c:\*\*.msp.
     
    Last edited: Dec 5, 2016
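Added example (not from the thread or from AppGuard): a small parser for the Activity Report block lines quoted in posts #3 and #21 above, which tags reads of *.msi/*.msp packages as InstallGuard events so a reviewer can tell "lower to Protected and retry" cases from other denied accesses. The line regex and the category names are my assumptions, derived only from the two wordings visible in this thread.

```python
import ntpath
import re
from dataclasses import dataclass
from datetime import datetime
# Both wordings seen in the thread's Activity Report excerpts:
#   "Prevented process <X> from accessing to <path>."  /  "Prevented <X> from accessing <path>."
_LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) Prevented (?:process )?"
    r"<(?P<actor>[^>]+)> from accessing (?:to )?<(?P<target>[^>]+)>\.?$"
)
# Windows Installer packages read by msiexec.exe; InstallGuard blocks these in Locked Down mode.
INSTALLER_PACKAGE_EXTS = {".msi", ".msp"}

@dataclass
class BlockEvent:
    when: datetime
    actor: str
    target: str

    def category(self) -> str:
        ext = ntpath.splitext(self.target)[1].lower()
        if ext in INSTALLER_PACKAGE_EXTS:
            return "installguard-package-read"
        return "file-access"  # e.g. AppGuardGUI.exe touching a Private Folder

def parse_line(line: str) -> "BlockEvent | None":
    """Return a BlockEvent for one Activity Report line, or None if it is not one."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    when = datetime.strptime(m["ts"], "%m/%d/%y %H:%M:%S")
    return BlockEvent(when, m["actor"], m["target"])

def summarize(lines) -> dict:
    """Count block events per category, ignoring lines that are not events."""
    counts: dict = {}
    for line in lines:
        ev = parse_line(line)
        if ev is not None:
            counts[ev.category()] = counts.get(ev.category(), 0) + 1
    return counts

# Sample input: the three lines quoted in this thread plus one constructed non-event line.
SAMPLE_REPORT = [
    "12/03/16 21:02:00 Prevented process <AppGuard GUI Application> from accessing to <c:\\users\\***\\documents\\myprivatefolder>.",
    "12/05/16 00:38:25 Prevented <Windows® installer> from accessing <c:\\c9a5128d4d1699048b20\\ndp46-kb3195388.msp>.",
    "12/05/16 00:56:09 Prevented <Windows® installer> from accessing <c:\\7be47e8eb467cec083a7987a\\ndp46-kb3195388.msp>.",
    "unrelated line that is not a block event",
]
```

Running `summarize(SAMPLE_REPORT)` over those lines yields one "file-access" event and two "installguard-package-read" events.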
  22. guest

    guest Guest

I think it is obvious to lower the level to "protected" (or even better to "install") when installing/updating something.
     
  23. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    In the case of a Microsoft digitally signed *.msp file it is optimal to lower protection to Protected mode.

It is best practice to lower protection - when required - to the highest security level which permits the wanted\known safe action. If an action can be performed in Protected mode, then Protected mode should be used instead of "excessively" lowering protection to Allow Installs or OFF.
     
    Last edited: Dec 5, 2016
  24. guest

    guest Guest

1 - Nothing special yet
2 - She is very busy
     
  25. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,207
Good information. I noticed that too. I am not certain of what to install from Windows Update and usually do only the critical ones, but last month I also tried to install the others and they did not manage with AG 4.x in locked down configuration.
     