AppGuard 4.x 32/64 Bit - Releases

Discussion in 'other anti-malware software' started by Jryder54, Oct 29, 2013.

Thread Status:
Not open for further replies.
  1. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
  2. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    @hamo

    Did you find out additional information regarding the Kaspersky extension ?

    @XhenEd - do you know if the Kaspersky browser extension is available as a standalone freeware ? Is @hamo using the Kaspersky URL Advisor extension or is something different that is only installed when Kaspersky AV\IS is installed ?
     
  3. XhenEd

    XhenEd Registered Member

    Joined:
    Mar 31, 2014
    Posts:
    536
    Location:
    Philippines
    As far as I know, there's no standalone Kaspersky extension. I couldn't even see any .crx or .xpi in any Kaspersky folder. I think it can only be gotten through installing Kaspersky products.
     
  4. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    There is Kaspersky URL Advisor extension, but I don't know if that is identical to what is installed when using KAV\KIS.
     
  5. XhenEd

    XhenEd Registered Member

    Joined:
    Mar 31, 2014
    Posts:
    536
    Location:
    Philippines
    Maybe that's the same, but I'm not sure.

    In KIS, there's an option under Network named "Inject script into web traffic to interact with web pages". It works only if the extension is enabled. Maybe that has something to do with the problem.
     
  6. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    Creator's Update (1703):

    You can expect that there will be changes to what needs to be excluded from User Space in Locked Down mode.

    We do not know what changes need to be made to the User Space list at this time; we have to wait until after the final Creator's Update release on April 11th.
     
  7. XhenEd

    XhenEd Registered Member

    Joined:
    Mar 31, 2014
    Posts:
    536
    Location:
    Philippines
    So, Protected mode is fine, right?
     
  8. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    No... you're gonna contract Ebola and die.. what do you think ?

    Protected or Locked Down on Creator's Update is fine. Just expect to make changes to what needs to be excluded from User Space due to changes made by Microsoft in Creator's Update.

    Since I am working with the Release Preview - which has changed at the last minute before final release - I am not going to say "Expect these changes." We all just have to wait until Creator's final release is officially made.
     
  9. XhenEd

    XhenEd Registered Member

    Joined:
    Mar 31, 2014
    Posts:
    536
    Location:
    Philippines
    :D:D:D

    I thought that Locked down mode will have problems, that's why there's a need to make changes in User Space. :D I misunderstood. :argh:
     
  10. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    I wrote "you're." It is a typo. It was supposed to be "your system is gonna contract Ebola and die..."

    Unless Microsoft does something radical between now and April 11th, I only expect a few minor changes to the User Space list - and it will apply only to those that routinely run AppGuard in Locked Down mode and do not want any Microsoft processes in User Space to be blocked.
     
  11. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    OK I see. BTW, did you test it against Dridex v4, and if so could AG successfully block the code injection? I'm thinking that simply blocking access to memory is probably better than trying to monitor all code injection methods like most HIPS do.
     
  12. guest

    guest Guest

  13. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    Sent you a PM.
     
  14. hamo

    hamo Registered Member

    Joined:
    Jul 11, 2016
    Posts:
    67
    Location:
    Egypt
  15. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    Do the Kaspersky extensions work correctly in Firefox with AppGuard protections enabled ?
     
  16. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    Is there breakage to the Kaspersky extension (password manager) - it doesn't work ?

    or are you just concerned about AppGuard blocking Firefox from running reg.exe ?

    You can allow Firefox to run reg.exe easily, but it is not clear if the problem is one issue (Kaspersky extension not working) or the other (blocking of reg.exe) or both.
     
  17. hamo

    hamo Registered Member

    Joined:
    Jul 11, 2016
    Posts:
    67
    Location:
    Egypt
    No, the Kaspersky extension did not work, see here please: https://www.wilderssecurity.com/threads/appguard-4-x-32-64-bit.355206/reply?quote=2663763

    Kaspersky Password Manager works fine, Kaspersky extension https://www.wilderssecurity.com/threads/appguard-4-x-32-64-bit.355206/reply?quote=2664011 blocked.

    - I ask here because I do not know why AppGuard blocks reg.exe, and moreover, what is reg.exe?
    - I think there is something wrong between the Kaspersky extension (NOT Kaspersky Password Manager) and AppGuard, which leads AppGuard to block the Kaspersky extension from working correctly (and only for Firefox!!).

    - I installed a clean Windows 10 32 bit on a VM ("VirtualBox"), then installed KIS + AppGuard + Firefox, and the same block appears.

    I hope I can clarify. :doubt:
     
  18. XhenEd

    XhenEd Registered Member

    Joined:
    Mar 31, 2014
    Posts:
    536
    Location:
    Philippines
    @harlan4096 might be able to help with this problem. :)
     
  19. Duotone

    Duotone Registered Member

    Joined:
    Jul 9, 2016
    Posts:
    142
    Location:
    Philippines
    @Lockdown I'm still having these issues even if I have added some to User Space > "No":
    Prevented process <sshlp.exe | c:\programdata\comodo\ccav\installer\ccavstart.exe> from launching from <c:\programdata\comodo\ccav\installer>.
    Prevented process <sshlp.exe | c:\windows\system32\svchost.exe> from launching from <c:\programdata\comodo\ccav\installer>.
    Should I just ignore it?!
     
  20. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I just noticed that Internet Explorer (which I don't use often) is in the Program Files Folder, and in the Program Files x86 folder on Windows 10 Professional. The path to Internet Explorer under Guarded Apps is only listed as C:\Program Files. If I don't add Internet Explorer to the Guarded Apps list from the C:\Program Files x86 folder also, will it still be protected if for some reason it runs from there? It seems like Barb said it will still be protected using their routing method, but I don't remember for sure. AppGuard is not blocking anything from IE, and it crashed after running on a popular New Website. The behavior was a little sketchy. I just want to make sure users will be covered no matter where IE is running from.

    Edited 04\03\17 @ 12:15
     
    Last edited: Apr 3, 2017
  21. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I have a machine that AG 4.4.6.1 will not work on. It's a core i7 3.0 GHz, Windows 10 X64 Professional. AG worked on it just fine until I upgraded it to Windows 10. As soon as I try to change any settings of any kind from default I get an error message. I also get an error message every time it blocks something. I decided to not use AG on that machine anymore since AG had too many problems to put my trust in it. I tried installing AG 3 times just after formatting it. The last time I tried there was no other Security software on the machine of any kind, and I just formatted the machine. I kept the logs, and the usual stuff needed to look into the problem. I will have to send it to BRN soon.
     
  22. guest

    guest Guest

    Did you uninstall and reinstall it? What messages did you get?
     
  23. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    Are you running AppGuard in Protected or Locked Down mode ?

    You have excluded this file path by adding it to the User Space list and set it to NO, but AppGuard is still blocking the launch ?:

    c:\programdata\comodo\ccav\installer\sshlp.exe

    What is sshlp.exe and what does it do ? (Is it the new feature that creates a *.bat file from a command line in memory and saves it to User Space ?)

    Go to sshlp.exe > right-click > Properties > What does "Description" state ?

    Please ask on the Comodo or other security forum to find out more about what sshlp.exe does.
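
The block events quoted in this exchange can be triaged mechanically. The following is an added example, not part of the thread and not AppGuard tooling: it parses that event format, rebuilds the blocked executable's full path the way the reply above does, and lists blocked paths that do not literally appear in a typed exclusion list. Reading the first field as the blocked file and the second as its parent, the function names, and the exact-string comparison are assumptions; how AppGuard itself matches User Space entries is not described here.

```python
import re
from collections import defaultdict
from ntpath import join as win_join, normcase  # Windows path rules on any OS

# The two events are copied from the thread; the last line is constructed noise.
SAMPLE_REPORT = r"""
Prevented process <sshlp.exe | c:\programdata\comodo\ccav\installer\ccavstart.exe> from launching from <c:\programdata\comodo\ccav\installer>.
Prevented process <sshlp.exe | c:\windows\system32\svchost.exe> from launching from <c:\programdata\comodo\ccav\installer>.
(constructed) unrelated line that is not a block event
"""

EVENT_RE = re.compile(
    r"Prevented process <(?P<child>[^|<>]+?)\s*\|\s*(?P<parent>[^<>]+?)>"
    r" from launching from <(?P<folder>[^<>]+?)>"
)

def parse_block_events(text):
    """Return one dict per block event with the rebuilt blocked path."""
    events = []
    for m in EVENT_RE.finditer(text):
        # Assumption: first field is the blocked file, second is its parent.
        blocked = win_join(m["folder"].strip(), m["child"].strip())
        events.append({
            "blocked_path": normcase(blocked),
            "parent": normcase(m["parent"].strip()),
        })
    return events

def summarize(events):
    """Group events by blocked path, listing the distinct parent processes."""
    by_path = defaultdict(set)
    for e in events:
        by_path[e["blocked_path"]].add(e["parent"])
    return {path: sorted(parents) for path, parents in by_path.items()}

def unlisted(events, typed_exclusions):
    """Blocked paths that are not literally in the typed exclusion list.

    Plain case-insensitive string comparison (an assumption of this example);
    it catches a folder entered where the full file path was intended.
    """
    typed = {normcase(p.strip()) for p in typed_exclusions}
    return sorted({e["blocked_path"] for e in events} - typed)

if __name__ == "__main__":
    events = parse_block_events(SAMPLE_REPORT)
    for path, parents in summarize(events).items():
        print(path, "<-", ", ".join(parents))
    print(unlisted(events, [r"C:\ProgramData\Comodo\CCAV\Installer"]))
```
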
     
  24. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    1. Would you please make a screenshot of the Kaspersky extension that does not work in Firefox > Extensions or Addons ?

    2. Reg.exe is a command line registry utility - like regedit. In AppGuard default policy it is blocked. If you wish to allow it, then go to AppGuard User Space list and find reg.exe > set it to NO.

    3. What is AppGuard blocking ? - please post the block events from the Activity Report here.

    4. What version of Firefox are you using ?

    When you first made a report it was that AppGuard was blocking Firefox from launching reg.exe.

    Then you state that a Kaspersky extension is not working in Firefox - I need to know the exact name and functionality of that Kaspersky extension.

    If you make a screenshot of the Kaspersky extension, then I can ask @harlan4096 about it. He and I have worked together on various Kaspersky issues. In fact, I am sending him a PM regarding this matter at this moment.
     
    Last edited: Apr 3, 2017
  25. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    The Guarded Apps list uses only c:\program files which ensures that Internet Explorer is Guarded when launched from both c:\program files and c:\program files (x86).

    Also, in Activity Report, the c:\program files file path is reported for both c:\program files and c:\program files (x86). In other words, if AppGuard blocks c:\program files (x86)\Internet Explorer\iexplore.exe from doing something, it will be logged in the Activity Report as a block of c:\program files\Internet Explorer\iexplore.exe.

    Internet Explorer has always had two file paths - one in c:\program files and the other in c:\program files (x86); the two file paths are nothing new.
     