AppGuard 4.x 32/64 Bit - Releases

Discussion in 'other anti-malware software' started by Jryder54, Oct 29, 2013.

Thread Status:
Not open for further replies.
  1. guest

    guest Guest

    OK, I see. Thx.

    Now maybe you understand my point about "knowing what you install" :)
    Not completely disabled, you have "install mode".

    That is exactly what I have been saying here for eons.
    AG isn't for noobs/software test-holics, it is for people that know and control their static system while being able to pinpoint by eye (or with a few tools) when something seems off.
    Most experienced AG users are those who configure their system like a corporate workstation: OS + drivers + needed trusted software only, then auto-block everything alien.

    It is also what I did when using ERP alongside AG; however, I only left AG in install mode. Now REHIPS does the job of ERP.
     
    Last edited by a moderator: Apr 23, 2017
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Not really fear, because of course you follow basic rules before running some app, you scan it with AV/Cloud AV and you download it from a trusted download site. But even then there is still a 10% chance it might be malicious. That's why I use HIPS, I don't see why everyone is making such a big deal about it. Of course, like Lockdown keeps pointing out, most HIPS will fail against advanced malware, but against "bread and butter" malware it will do the job.

    What has this got to do with NVT? EXE Radar will do a perfectly fine job when it comes to locking down the system. I don't know why you guys keep trying to make it a discussion about A vs B. When I'm mentioning other tools that I use in my setup, I'm just trying to explain my approach.
     
  3. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    OK I see, so it doesn't actually monitor anything during app install.

    Totally forgot that AG also blocks file system and registry modification. I assumed it only blocked against file access and memory reading/writing. That's why I asked about Dridex.

    Correct, but anti-ransomware tools are a good example of how HIPS technology might save you even after execution. And if you block things like outbound connections, code injection and service/driver installation, there is a big chance that malware will fail to run correctly.
     
  4. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    I actually almost never monitor child process execution during install, I got tired of the alerts. I only watch for certain behavior.
     
  5. illumination

    illumination Guest

    If you are one that is constantly downloading applications to try them out, and/or replace the functionality of another application that did not fit your need, I recommend using virtualization for this. I test all applications/updates/upgrades in a VM before it ever hits my system, including the validity of the files. Once you test the validity of the file in a VM, you can always drag and drop it onto the Host from there, knowing full well at that point it is safe and legit.

    Personally, I clean install my system, place the applications I need/want, then install AppGuard and Lockdown the system. The only time my protection drops is if one of the applications I already have needs updating and AppGuard is interfering with it, which, if you have those Publishers added to the Trusted Publisher list, can be done most of the time with no issues in Protected mode and no need to drop protection.
     
  6. guest

    guest Guest

    Mate, I told you since day one... AG doesn't monitor, it just blocks by default.
    Interesting, you are exactly at the same point I was before I ditched HIPS for anti-exes. So why use a HIPS and hassle yourself?
    As @illumination said, any VM (or even Sandboxie) can be used for that purpose then. It is what I do with unknown software I'm really interested in; I have a VM with some monitoring tools.
    This allows me to keep my real system clean in case the soft didn't satisfy me.
     
    Last edited by a moderator: Apr 24, 2017
  7. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,639
    Location:
    Under a bushel ...
    Re this post in another thread: https://www.wilderssecurity.com/threads/ransomoff-4.393013/page-3#post-2668242

    Does AppGuard disable Windows Scripting Host / Engine by default, and if so where would I see it - under the Guarded tab? Or does one need to add it, and what exactly? Is this the same as cscript.exe and wscript.exe?

    Apologies for noob questions, but I am here to learn, right? Just want to check my AG settings.
     
  8. guest

    guest Guest

    The Windows Scripting Host itself is not disabled by AppGuard but the execution of scripts from User Space is prevented by default:
     
  9. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    If you are still using the "hardened XML" both wscript.exe and cscript.exe are disabled. Look in the User Space list. Both should be there and set to YES.

    If you are using default configuration, wscript.exe and cscript.exe are not disabled - so you won't find them in the User Space list.

    For home use, I recommend that both wscript.exe and cscript.exe be treated as follows:

    1. Disable by adding them to the User Space list and set to YES
    or
    2. Add both to the Guarded Apps list

    wscript.exe and cscript.exe are rarely used by Windows or during typical home use. You would expect to use them when employing utilities - as an example, Win10 Privacy. How often does one use such utilities? They're mostly one-time use. So, in that case, I would disable both wscript.exe and cscript.exe. If I needed to use such a utility, then I would either lower AppGuard's protection to Allow Installs or OFF, use the utility, and afterwards re-enable protection. Or I could just temporarily enable them in the User Space list, use the utility, then afterwards disable them in the User Space list.

    If a legitimate, safe program uses either one on a frequent basis, then you don't disable them. You can experiment with adding them to the Guarded Apps list. If nothing is broken, then keep them on the Guarded Apps list. If something is broken, don't add them to the Guarded Apps list.

    Three basic categories in AppGuard:

    A. Disabled
    B. Guarded Apps - Guarded\MemGuarded\Privacy Mode
    C. Enabled

    As a general rule, you have the option of assigning vulnerable processes to the most restrictive category which does not cause problems.
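    An added audit script (my own, not AppGuard's and not from this thread) for the decision above: before choosing Disabled, Guarded or Enabled for the script hosts, it checks that the binaries are the Microsoft-signed originals, whether WSH is disabled at the OS level (which AppGuard does not do), and how often each host has launched in the last 30 days and from which parent process. It assumes Windows 10 or later, an elevated prompt, and "Audit Process Creation" (event 4688) turned on; without that audit setting the launch-history section is simply empty.

```powershell
# Added audit script (not from AppGuard or the thread). Assumes Windows 10+,
# an elevated shell, and "Audit Process Creation" (Security event 4688) enabled.
$scriptHosts = 'wscript.exe', 'cscript.exe'
$lookBack    = (Get-Date).AddDays(-30)

# 1. Which copies exist, and are they the Microsoft-signed originals?
foreach ($dir in "$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64") {
    foreach ($h in $scriptHosts) {
        $p = Join-Path $dir $h
        if (Test-Path $p) {
            $sig = Get-AuthenticodeSignature -FilePath $p
            '{0,-45} signature={1} signer={2}' -f $p, $sig.Status, $sig.SignerCertificate.Subject
        }
    }
}

# 2. Is Windows Script Host disabled OS-wide? AppGuard does not touch this;
#    it only blocks scripts from User Space. Value 0 = disabled, absent = enabled.
foreach ($hive in 'HKLM:', 'HKCU:') {
    $key = "$hive\SOFTWARE\Microsoft\Windows Script Host\Settings"
    $v = (Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue).Enabled
    if ($null -eq $v) { "$hive WSH Enabled: not set (enabled by default)" }
    else              { "$hive WSH Enabled: $v" }
}

# 3. Launch history: count 4688 events per script host and parent process.
#    A frequent, legitimate parent argues for Guarded rather than Disabled.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $lookBack } `
                       -ErrorAction SilentlyContinue
$events |
    Where-Object { $_.Message -match 'New Process Name:\s+\S*\\(wscript|cscript)\.exe' } |
    ForEach-Object {
        $child  = [regex]::Match($_.Message, 'New Process Name:\s+(\S+)').Groups[1].Value
        $parent = [regex]::Match($_.Message, 'Creator Process Name:\s+(\S+)').Groups[1].Value
        [pscustomobject]@{ Child = $child; Parent = $parent }
    } |
    Group-Object Child, Parent |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

    If section 3 reports nothing at all, confirm process-creation auditing is enabled before concluding the hosts are unused.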
     
  10. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    For as long as you have been using AppGuard, you should be a Rock Star. :D

    I think you know, but just are not confident yet. It's OK. "Better to be safe, than sorry" is one of my favorite sayings.
     
  11. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    Malc0ders are wise. Code injection and service\driver installation are used less and less - to the point where it is infrequent. If you practice with SpyShelter using decent malware samples, you will rarely get a code injection or service\driver alert. As far as the code injection, it could be that the malware does not use it or that the HIPS does not detect it\alert for it. There are multiple variables. It is not always a straight-forward, "black-and-white" thing.

    I have experience with SpyShelter. It is a good product, but there are cases that are tricky. A user is not going to know unless they have actually practiced and carefully studied what happens with a lot of various malware.
     
  12. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,639
    Location:
    Under a bushel ...
    Thanks @mood @Lockdown.

    Indeed I have c:\windows\*\wscript.exe as User Space = Yes, and cscript.exe now reset to User Space = No, but added to Guarded Apps because it is used by the legitimate program HD Sentinel.
     
  13. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    It is always the same basic strategy when configuring AppGuard for vulnerable processes.
     
  14. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    I know it blocks by default without any alerts. But I assumed that when you install/run some new app, it would automatically block memory writing/reading. But apparently it does not, since protection needs to be disabled.

    I will reply in the other thread about HIPS.

    You may mention them, but I don't see the relevance, especially because your comment doesn't make any sense. There isn't anything "child's play" about NVT ERP, it will do the same as AG, that is it will auto-block apps that are not approved to run, which will block malware delivered via exploit. Remember, if you block malware from running you don't need extra features like Memory Guard and data protection. That's what I was trying to explain, those features are meant as a fail-safe in case malware does manage to run.
     
  15. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Then which new techniques are being used? Nowadays it's all about banking trojans, ransomware and RATs, and they still use the same techniques as years ago. Of course I know that advanced malware will probably bypass HIPS like SS, but there is only a 10% chance that malware is capable of running on my system, so I can live with that. But I'm always searching to improve my setup, that's how I ended up in this thread. SS won't block rapid file modification, advanced code injection and process hollowing, so I need additional tools.
     
  16. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    LOL... I wish I had time to keep on top of it all, but I just don't.

    In practical terms, it is less than 2% - and probably in the sub-1% range; it is hard to quantify, but it is a small number.

    You make it that small of a number; if you were a deranged, negligent, ignorant user then it would be higher - how much higher depends upon a lot of variables, but infected = 100%.

    SS does block those, if you select Terminate in the Action 53 alert - Execute an application

    If malware runs Guarded...
    • AppGuard does not prevent encryption of User Space except for defined Private Folders (file vaults)
    • AppGuard does not prevent keylogging and data stealing
    • AppGuard does not prevent process hollowing
    AppGuard blocks all those malicious actions by blocking the malicious process from launching in the first place

    "If it doesn't run, then there is no need to protect against it"

    "If it is blocked from executing, it does nothing"

    You can ask @Peter2150 - because AppGuard enforces the very simple concept above - provided by its protection modes, AppGuard prevents nuclear wars. :D
     
  17. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    That is a big 10-4. I've added the list of vulnerable processes to user space, and then NOTHING gets past Appguard. I do use HMPA, but to get to it I have to turn off Appguard, when I am testing malware.
     
  18. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    I think cruelsister did a video not that long ago and AG blocked everything except. I think she may have done one also that used a custom file that was in AG's Cert's list that got through.
     
    Last edited: Apr 25, 2017
  19. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    She purportedly used a file that was digitally signed with a valid certificate from one of the publishers on the default Trusted Publisher List.

    She used a RAT that enabled the Remote Access Connect Service (RasAuto) and perhaps the other Remote Access service too.

    What she doesn't state in any of her videos is that UAC is disabled.

    For a process to modify services it has to have Admin privileges, and so when launched it will generate a UAC alert.

    Whatever the technical details in the demonstration, it is true that there is some element of risk using Protected mode. The risk number is quite small. Her greater point was that digital signatures can wreck the entire security soft industry. She mentioned business front and nation-state\governmental agency... you should be able to grasp what she was getting at.

    In Protected mode, the greatest risk of course are malicious files with a valid Microsoft signature, and arguably followed by someone that targets you because they know:

    A. you use AppGuard
    B. you use Protected mode
    C. what other programs you routinely use

    How likely are either of those? Even if you are targeted, it is still a big crap-shoot for the person targeting you.

    Within AppGuard there are multiple ways to mitigate the risk of Protected mode:

    1. Don't use Protected mode, use Locked Down mode instead
    2. Modify the default Trusted Publisher List (you can always delete every single publisher if you are that paranoid and use Protected mode)
    3. A bunch of other strategies covered on this thread, on other threads at Wilders, and over at MalwareTips
     
    Last edited: Apr 25, 2017
  20. Circuit

    Circuit Registered Member

    Joined:
    Oct 7, 2014
    Posts:
    939
    Location:
    Land o fruits and nuts, and more crime.
    Thanks, finally after 300 or so pages got a spot-on response about "Protective" vs "Lock-down".
     
  21. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    Digitally signed malware with a valid certificate from one of the default Trusted Publishers is very - if not extremely - rare. So the risk of getting an infection due to Protected mode's default use of the Trusted Publisher List is a small number indeed.

    Locked Down mode disables the Trusted Publisher List except for Microsoft.

    Malware using big-name certificates is such an unusual and rare event that, once detected, immediate security advisories are made on the web and the certificates will be revoked - sometimes within hours.
     
  22. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Believe me, I've read a lot of reports about popular malware, and it's mostly advanced code injection and process hollowing that's being used, mainly because it makes it easier to bypass security tools.

    Yes, but you don't need HIPS for that. HIPS is for monitoring behavior. In my view you need to have a pre-execution and post-execution strategy. In a perfect world, AV and AE would block all malware from running, but we all know this is hard to achieve. So that's why back in 2004 I started learning about HIPS and sandboxing, which make it possible to block or contain malware after it is already running. Of course these tools will not always be able to save the system, it all depends on how advanced exploits and malware are.

    Yes, I came to the conclusion that because of the way AG works, Memory Guard wouldn't really help me, I probably need a tool like MemProtect.
     
  23. Roberteyewhy

    Roberteyewhy Registered Member

    Joined:
    Mar 4, 2007
    Posts:
    610
    Location:
    US
    Hey, Lockdown. Just installed Chrome and getting this from AG's Activity Report. Should I do anything in AG? Create in User Space (No) or just ignore it?

    Thanks,
    Robert
     
  24. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    Did you install Chrome for Business or Chrome for Consumer? Google used to install the googleupdatehelper.msi only with the Business version, but I think they also install it for the Consumer version now.

    * * * * *

    You are running AppGuard in Locked Down mode. Locked Down mode will deny msiexec.exe from reading *.msi files even in System Space.

    Options:

    1. Use Protected mode
    2. Add the block event to the Ignore Messages
    3. Disregard it; just go about your normal activities

    I do Option 3
     
  25. Roberteyewhy

    Roberteyewhy Registered Member

    Joined:
    Mar 4, 2007
    Posts:
    610
    Location:
    US
    Chrome for Consumer. Included is Chrome Updater which I allow through my Firewall (WFC). AG always in Lock Down mode. Will just do your option 3. Will turn AG off then update Chrome myself.

    Thanks,
    Robert
     