AppGuard 4.x 32/64 Bit - Releases

Discussion in 'other anti-malware software' started by Jryder54, Oct 29, 2013.

Thread Status:
Not open for further replies.
  1. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    That is my setup ;)

    That is what I was thinking about rundll as well.
     
  2. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I'm getting some strange block activity in my AG Activity Report. Has anyone ever seen this before? I'm using AG 4.4.6.1 on Windows 10 X64 Professional.

    05/28/17 04:30:22 Protection level is set to <locked down>.

    05/28/17 04:32:18 Prevented process <RealTimes Desktop Service> from writing to <c:\windows\temp\etilqs_eog6bmihiffbmhi>.

    05/28/17 04:33:24 Protection level is set to <locked down>.

    05/28/17 04:42:59 Protection level is set to <off>.

    05/28/17 04:46:46 Protection level is set to <locked down>.

    05/28/17 04:58:09 Prevented process <Windows host process (Rundll32)> from writing to <c:\windows\inf\hdaudio.pnf>.

    05/28/17 04:59:15 Prevented process <Windows host process (Rundll32)> from writing to <c:\windows\inf\hdaudio.pnf>.

    05/28/17 04:59:49 Prevented process <pid: 5544> from writing to <c:\windows\inf\hdaudio.pnf>.

    05/28/17 05:00:55 Prevented process <pid: 7824> from writing to <c:\windows\inf\hdaudio.pnf>.

    05/28/17 05:35:29 Prevented process <Windows host process (Rundll32)> from writing to <c:\windows\inf\hdaudio.pnf>.

    05/28/17 05:37:13 Prevented process <pid: 7720> from writing to <c:\windows\inf\hdaudio.pnf>.

    05/28/17 07:15:39 Prevented process <Windows host process (Rundll32)> from writing to <c:\bootsqm.dat>.

    05/28/17 07:17:20 Prevented process <pid: 4932> from writing to <c:\bootsqm.dat>.

    05/28/17 12:55:47 Prevented process <Windows host process (Rundll32)> from writing to <c:\windows\inf\hdaudio.pnf>.

    05/28/17 12:57:50 Prevented process <pid: 6264> from writing to <c:\windows\inf\hdaudio.pnf>.
     
  3. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Simple question, CE. Is anything on your system broken? If yes, fine. But if not, then just ignore them. I now have AppGuard set so I get no blinking icon alerts, and rarely look at the activity. All it's telling me is AppGuard did its job. Now if I have a problem, that is something else.
     
  4. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    Pete

    I have also done testing with Appguard and Voodoo installed in a VM and Appguard always alerts first.
     
  5. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    That's not my concern Pete. I'm more concerned about malicious behavior. You just can't be too careful these days. HP recently was discovered to have a keylogger packaged with their audio driver. I plan on rolling my machine back later tonight though when I get back. My machine has actually had some issues since I had a botched upgrade of Eset.

    I have to leave now, but I will check back in when I get back later tonight.
     
  6. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    In Locked Down those block events are expected. Has the appearance of an update.
     
  7. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    A forensic determination cannot be made by reviewing Activity Report events alone. It takes a lot more than that - which is well beyond the support that AppGuard LLC provides.

    If you suspect that your system is infected, then I suggest that you seek the advice of a malware removal expert. Kevin Zoll's services over at the Emsisoft forum are excellent.

    AppGuard does not prevent keylogging if there is a malicious keylogger already running on the system - and especially if it is integrated into a driver which is stored in C:\Windows.

    The keystroke capture you make reference to is not malicious, but instead a triggering mechanism on the system for legitimate purposes. Almost all programs do things that malware do - that does not make them the same as malware.
     
    Last edited: May 28, 2017
  8. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    That is why CS megan suggested an anti-keylogger.
     
  9. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    You don't have to worry about keylogging if nothing can be installed on the system or run from User Space. What an anti-logger amounts to is a "just-in-case" additional protection layer that might or might not work, because anti-loggers are notoriously not 100% protection against every single form of keylogging.

    The best protection is not to allow something to execute on the system in the first place - always.
     
  10. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    99.99% of the hysteria on these security forums arises after people read IT security reports. The people who write those reports do an absolutely atrocious job of explaining things in practical terms that people can understand. Many IT security reports that get posted on the web are not for general public consumption even though they are made publicly available. The end result is that users read this stuff, don't understand what is said, but still drive themselves crazy worrying about, and trying to patch, stuff that has little to no relevance to them on their specific systems.

    If you look into the people that write IT security articles, you will find that the vast majority of them are not IT professionals writing the article, but simply journalists of various types. Such journalists simply extract from and re-write the original release made by a security researcher, a company, or whomever. Those journalists themselves typically do not even know what the original release means. This partly explains why such articles are not very informative to the typical user.
     
    Last edited: May 28, 2017
  11. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    24,061
    Location:
    UK
  12. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Thank You @stapp

    Picked up the PDF over there on this one.

    Is there a ready tool, or another way, to read the order as it currently is per session, or can it shift via some change, etc.?
     
  13. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    You are right about the Activity Report not giving enough forensic information. It mostly gives process numbers, and that's not any help for me to make a determination of what is really happening. I can't really do much with a process number since it's not running on the system.

    I seriously doubt it's malware; my system stays locked down. I was just seeing if anyone else had seen the same thing in their Activity Report. I don't need any malware removal services; as I stated, I'm rolling my machine back anyway.
     
    Last edited: May 29, 2017
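The Activity Report lines quoted by Cutting_Edgetech earlier in the thread, and the point made just above that a bare PID is of little forensic use once the process has exited, can be worked through with a small parser. The script below is an added example, not AppGuard code and not anything from Blue Ridge Networks. It embeds the quoted lines as a constructed sample, buckets each blocked write by where it was aimed (under C:\Windows\Temp, elsewhere under C:\Windows, or at the root of the drive), and for each pid-only block looks for a named block on the same target within a three-minute window. That window and the pairing itself are a heuristic chosen for this example, not a rule AppGuard applies. Turning a PID plus timestamp into an image path after the fact needs a process-creation record kept outside AppGuard, such as Windows Security event 4688 or Sysmon event ID 1; the script does not attempt that.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the block events quoted in the post, in Activity Report format.
# Only the "Prevented process" lines are parsed; protection-level changes are skipped.
SAMPLE_REPORT = r"""
05/28/17 04:30:22 Protection level is set to <locked down>.
05/28/17 04:32:18 Prevented process <RealTimes Desktop Service> from writing to <c:\windows\temp\etilqs_eog6bmihiffbmhi>.
05/28/17 04:33:24 Protection level is set to <locked down>.
05/28/17 04:42:59 Protection level is set to <off>.
05/28/17 04:46:46 Protection level is set to <locked down>.
05/28/17 04:58:09 Prevented process <Windows host process (Rundll32)> from writing to <c:\windows\inf\hdaudio.pnf>.
05/28/17 04:59:15 Prevented process <Windows host process (Rundll32)> from writing to <c:\windows\inf\hdaudio.pnf>.
05/28/17 04:59:49 Prevented process <pid: 5544> from writing to <c:\windows\inf\hdaudio.pnf>.
05/28/17 05:00:55 Prevented process <pid: 7824> from writing to <c:\windows\inf\hdaudio.pnf>.
05/28/17 05:35:29 Prevented process <Windows host process (Rundll32)> from writing to <c:\windows\inf\hdaudio.pnf>.
05/28/17 05:37:13 Prevented process <pid: 7720> from writing to <c:\windows\inf\hdaudio.pnf>.
05/28/17 07:15:39 Prevented process <Windows host process (Rundll32)> from writing to <c:\bootsqm.dat>.
05/28/17 07:17:20 Prevented process <pid: 4932> from writing to <c:\bootsqm.dat>.
05/28/17 12:55:47 Prevented process <Windows host process (Rundll32)> from writing to <c:\windows\inf\hdaudio.pnf>.
05/28/17 12:57:50 Prevented process <pid: 6264> from writing to <c:\windows\inf\hdaudio.pnf>.
"""

BLOCK_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d/\d\d \d\d:\d\d:\d\d) Prevented process "
    r"<(?P<proc>[^>]+)> from writing to <(?P<target>[^>]+)>\.$"
)
PID_RE = re.compile(r"^pid: (\d+)$")


def parse_report(text):
    """Turn Activity Report block lines into dicts; pid-only entries get process=None."""
    events = []
    for line in text.splitlines():
        m = BLOCK_RE.match(line.strip())
        if not m:
            continue
        pid_match = PID_RE.match(m.group("proc"))
        events.append({
            "time": datetime.strptime(m.group("ts"), "%m/%d/%y %H:%M:%S"),
            "process": None if pid_match else m.group("proc"),
            "pid": int(pid_match.group(1)) if pid_match else None,
            "target": m.group("target").lower(),
        })
    return events


def classify_target(path):
    """Coarse bucket for the blocked write target (paths are lower-cased by parse_report)."""
    if path.startswith("c:\\windows\\temp\\"):
        return "windows-temp"
    if path.startswith("c:\\windows\\"):
        return "windows"
    if path.startswith("c:\\") and path.count("\\") == 1:
        return "drive-root"
    return "other"


def pair_unnamed_events(events, window=timedelta(minutes=3)):
    """For each pid-only block, return the most recent named block on the same target
    within `window`. Heuristic for this example only: a named process was blocked on the
    same file moments before the block AppGuard could not name."""
    pairs = []
    for i, ev in enumerate(events):
        if ev["pid"] is None:
            continue
        match = None
        for prev in events[:i]:
            if (prev["process"] and prev["target"] == ev["target"]
                    and timedelta(0) <= ev["time"] - prev["time"] <= window):
                match = prev
        pairs.append((ev, match))
    return pairs


def summarize(events):
    """Per-target counts of named vs pid-only blocks, with the target's bucket."""
    summary = {}
    for ev in events:
        entry = summary.setdefault(
            ev["target"], {"named": 0, "pid_only": 0, "bucket": classify_target(ev["target"])})
        entry["named" if ev["process"] else "pid_only"] += 1
    return summary


if __name__ == "__main__":
    evs = parse_report(SAMPLE_REPORT)
    for target, s in summarize(evs).items():
        print(f"{target}: {s}")
    for ev, match in pair_unnamed_events(evs):
        when = match["time"].strftime("%H:%M:%S") if match else "none"
        print(f"pid {ev['pid']} at {ev['time']:%H:%M:%S} on {ev['target']}: nearest named block {when}")
```

On the sample every pid-only block pairs with a Rundll32 block on the same file one to two minutes earlier, which is consistent with the "looks like an update" reading given in the thread, but it is a pairing by time and path only; the parser cannot say what process 5544 actually was. The `etilqs_` prefix on the Temp target is the naming pattern SQLite uses for its temporary files on Windows, and `.pnf` files are precompiled INF files, which is why both show up as write targets of legitimate components.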
  14. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
  15. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499

    Thanks stapp

    VSScanner.sys
    388050
    VoodooSoft

    BrnFileLock.sys
    388000
    Blue Ridge Networks
    BrnSecLock.sys
    387990
    Blue Ridge Networks
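EASTER's earlier question about reading the filter order for the current session, and the driver list with altitude numbers just above, both come down to the minifilter altitude that `fltmc filters` prints (run from an elevated prompt on the machine in question). The script below is an added example, not a tool from AppGuard, Blue Ridge Networks or VoodooSoft. It parses that output, using a constructed sample built from the three altitudes in the post plus two inbox Windows filters whose names and altitudes are assumed placeholders, and sorts highest altitude first, which is the order in which minifilters receive a file operation's pre-operation callback. Which product alerts first also depends on what each filter does in that callback and when its user-mode component reacts, so the ordering alone does not settle the AppGuard-versus-VoodooShield observation made earlier in the thread.

```python
import subprocess
import sys

# Constructed sample in the column layout that `fltmc filters` prints. VSScanner, BrnFileLock and
# BrnSecLock carry the altitudes listed in the post; luafv and FileInfo are assumed placeholders.
SAMPLE_FLTMC = """
Filter Name                     Num Instances    Altitude    Frame
------------------------------  -------------  ------------  -----
VSScanner                               3       388050         0
BrnFileLock                             3       388000         0
BrnSecLock                              3       387990         0
luafv                                   1       135000         0
FileInfo                                3        45000         0
"""


def parse_fltmc(text):
    """Parse `fltmc filters` output into dicts with numeric altitudes."""
    filters = []
    in_table = False
    for line in text.splitlines():
        if line.startswith("---"):
            in_table = True        # data rows start after the dashed separator
            continue
        if not in_table or not line.strip():
            continue
        parts = line.split()
        if len(parts) < 3:
            continue
        try:
            altitude = float(parts[-2])   # Altitude is the second-to-last column
        except ValueError:
            continue               # skip rows without a numeric altitude
        filters.append({"name": parts[0], "altitude": altitude, "frame": parts[-1]})
    return filters


def pre_op_order(filters):
    """Filter Manager hands a pre-operation callback to the highest altitude first."""
    return sorted(filters, key=lambda f: f["altitude"], reverse=True)


def live_fltmc():
    """Run fltmc on the local Windows host (needs an elevated prompt); None on other platforms
    or if the command fails."""
    if not sys.platform.startswith("win"):
        return None
    out = subprocess.run(["fltmc", "filters"], capture_output=True, text=True, check=False)
    return parse_fltmc(out.stdout) if out.returncode == 0 else None


if __name__ == "__main__":
    loaded = live_fltmc() or parse_fltmc(SAMPLE_FLTMC)
    for f in pre_op_order(loaded):
        print(f"{f['altitude']:>10.1f}  {f['name']}")
```

Altitudes are assigned per driver and do not change from session to session; what can change is which filters are loaded, so re-running this after installing or removing a product is the way to see the new order.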
     
  16. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    Development has tried all the methods to resolve the PIDs using the means made available by Microsoft applicable to the AppGuard framework.
     
  17. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I read a post in another thread that BRN has been working on a new build of AG that includes more options, or something like that; I don't remember the exact wording of the post. I'm not sure why I have not had access to this build to test yet, since in the past I usually had access to internal builds before they were released. Is there a build that will be released for testing soon? Can we expect to see new features or functionality in an upcoming release?
     
  18. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    There have been no beta releases for AppGuard Consumer made this year. With the company transition there is no ETA for an AppGuard Consumer version beta; all efforts are being focused on the Enterprise version at this time.
     
  19. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Ok, thanks for the update.
     
  20. guest

    guest Guest

    "the only popups are alerts notifying a block, so something was probably trying to get in where it shouldn't."

    Exactly,
    you can do it, then we will help you to "handle" it.
     
  21. simmersK00L

    simmersK00L Registered Member

    Joined:
    Mar 20, 2013
    Posts:
    323
    Location:
    USA
    Re popups, I may have had AG set unnecessarily tight; plus, way back then my wife and I shared a PC and popups bugged her. Honestly I do not remember the details of AG other than I think it had about 5 screens to tweak, and I did spend some time going through the hundreds or 1000s of posts here. I wanted to be a fan, but could not get there then.

    A couple of quick questions before I install AG again. You mentioned that a business or commercial version offered more protection. Is it available to a small business with 5-10 PCs? And if I wanted to start with 1 business license, would that be available? Do you only use the personal version? Does BRN offer a free trial period for personal? All I see is "Buy AG." I visited their website and a trial did not jump out at me. Is it generally compatible with other security apps? Does it install OK with Revo_pro? Some security apps do not. Is AG compatible with VS_pro?

    No offense intended, but I'm reading through the AG website and it says "AppGuard Personal is designed to be very easy to use. It installs with a basic protection policy that, in most cases, doesn't need to be customized." My hunch is I mis-customized AG once upon a time, not understanding enough of what I was doing. Somewhere I have notes; I'll see if I noted why I "gave up."
     
  22. guest

    guest Guest

    I think @Lockdown will answer this part better than me :D

    1 - I use the consumer version (aka personal/home user)
    2 - officially, no trial, but there is a link in the thread a few pages earlier.
    3 - yes
    4 - it should
    5 - yes

    SRP should never be run with the default policy. At the beginning obviously you have no choice, because you are learning it, but after some time you should customize your policy.
     
  23. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    In GUI, on User Space tab you can disable:

    1. Block events
    A. Popups
    B. Toaster
    C. Flashing tray icon

    I just use B

    2. Privacy events
    A. Popups
    B. Toaster

    I just use B

    3 versions:

    1. Personal
    2. Business - at this moment basically the same as Personal; in future there will be different features than Personal but no ETA
    3. Enterprise - is a managed product at this time (AppGuard\BRN manages the policies for the client)

    Basically you get the same protections from all 3 versions

    One (1) license - yes; Personal and Business available (1) license; Enterprise is a $1,000+ product.

    Free trial is no longer offered, but you can download the most recent trial version (4.4.6.1):

    https://blueridgenetworks.s3.amazonaws.com/UpdateFolder/AppGuardSetup-4-4-6-1.exe

    Compatibility between AppGuard and other security software is extremely high; I have only seen one case where a product would not work with AppGuard, and that is because the security program installed itself to User Space and was really flaky itself to begin with!

    I never tried to install it with Revo, but I would be very surprised if there were any problems. It is possible, I just do not know from first-hand experience between the two products.

    Voodooshield Pro and AppGuard are compatible.
     
    Last edited: May 30, 2017
  24. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    Advanced configuration of AppGuard is not difficult. Advanced configuration is not absolutely necessary.

    There is good help on this thread. You don't need notes; just ask.
     
  25. Roberteyewhy

    Roberteyewhy Registered Member

    Joined:
    Mar 4, 2007
    Posts:
    611
    Location:
    US
    I installed v4 with Revo Uninstaller Pro. No problems with AG install and in Revo, AG is there in the Traced Programs section. Have done this many times.

    Robert
     