Improving appguard

Discussion in 'other anti-malware software' started by Floyd 57, Aug 5, 2018.

  1. Floyd 57

    Floyd 57 Registered Member

    Joined:
    Mar 17, 2017
    Posts:
    1,296
    Location:
    Europe
Not sure which forum I am supposed to post this in (mods, please move it to the right place if this isn't it).

    I want to try and recreate AppGuard, maybe even improve it, mainly because I don't want to pay for a license, but also to learn something new. I think if we all combine our knowledge as a community we can go far with this.


    As far as I know, AppGuard v6 does these things:
    • Maintains a list of Protected Folders, along with a list of exceptions, by default the former are:
      • the entire system drive minus C:\ProgramData and C:\Users\Username if C is the system drive
      • the (entire?) registry (the manual also says "registry settings")
      • From the manual: "Malware or hackers could maliciously modify these applications, transforming them into harmful tools", suggesting that portable applications' folder should also be added as a Protected Folder, as well as any application with the potential to cause harm and whose folder isn't included in the Protected Folders
    • Maintains a list of Private Folders
    • Maintains a list of Trusted Publishers
    • Maintains a list of Guarded Applications
      • Applications in this list cannot write to Protected Folders
      • Each application has 3 additional options
        • Privacy Mode, application cannot read/write to Private Folders
        • Memory Write, application cannot write to memory of other applications (processes)
        • Memory Read, application cannot read memory of other applications
      • Child processes of guarded applications are also guarded
    • Maintains a list of Power Applications
      • Unaffected by Appguard's other rules
      • Any child process launched from a Power Application also becomes a Power Application, overriding other rules
    • Maintains a list of folders also known as "User Space" which standard users may have write access to, along with exception folders and files
      • By default includes the user profile folder (C:\Users\Username), removable media, network shares and any drive that is not (the) system drive
      • Blocks all scripts and unsigned applications in User Space from running
      • Blocks all removable media executables
      • Blocks all User Space launches when in Locked Down mode
      • In Protected mode, if "Allow only files signed by Trusted Publishers to run from User Space in Protected level" is checked Appguard checks if the launched application is in the Trusted Publisher list and follows the instructions there, otherwise treats the application as a Guarded Application with all 3 options enabled. If the option is unchecked, all digitally signed applications are allowed to run
      • Additionally, regardless of whether they're located in or out of User Space, installers/uninstallers that "use the built-in Windows installer (msi) tools" are prevented from running in Locked Down mode and only allowed to run in Protected Mode if they're digitally signed by a Publisher included in the Trusted Publishers list. If signed by Microsoft, msi files are always permitted to run regardless of Protection level (the so called InstallGuard)
    • Pass the hash protection - "when this box is checked, AppGuard is protecting against pass the hash and pass the ticket attacks"
    I think that's all, did I miss anything? Now, where to begin? I'd like to think Windows 10 SRP can be configured with the above details, although many are still missing, like which file types are "applications"? I say let's start from the Guarded Applications component. My first idea is to use the absolutely free software Comodo Firewall. With its containment feature, just like with AppGuard, we can pick any file/folder (as well as file/process hash and pre-defined file groups that can be custom-modified) and apply restricted permissions to the process(es) executed from those objects. There are 4 levels of restriction:
    • Partially Limited - The application is allowed to access all operating system files and resources like the clipboard. Modification of protected files/registry keys is not allowed. Privileged operations like loading drivers or debugging other applications are also not allowed. (Default)
    • Limited - Only selected operating system resources can be accessed by the application. The application is not allowed to execute more than 10 processes at a time and is run without Administrator account privileges.
    • Restricted - The application is allowed to access very few operating system resources. The application is not allowed to execute more than 10 processes at a time and is run with very limited access rights. Some applications, like computer games, may not work properly under this setting.
    • Untrusted - The application is not allowed to access any operating system resources. The application is not allowed to execute more than 10 processes at a time and is run with very limited access rights. Some applications that require user interaction may not work properly under this setting.
    The last two are too restrictive, but the first two could work, although this information that I took from Comodo's help site is a bit vague as to the permissions allowed in each level.

    Another option is to use the HIPS module of Comodo Firewall, adding every single application we want to "guard" to the HIPS rules and creating a custom ruleset that suits the given application. That gives us a lot more customization than AppGuard's guarded options. We can define protected entities (protected files/folders, protected registry keys, protected COM objects) and then choose what permissions the "guarded" applications will have to each of those, the options being allow/ask/block. As we can read from Comodo's manual, "if a file is 'Protected' it can still be accessed and read, but cannot be altered". If we deny a "guarded" application access rights to the protected files/folders, then it has only read and use access (like the hosts file for browsers) and not write access to them, which is what we want to achieve. The same thing works for Protected Registry Keys: the "guarded" applications won't be able to modify them. I'm not sure if AppGuard includes COM object protection; preventing "guarded" applications from modifying them through the Protected COM Objects access right can certainly be something that AppGuard doesn't do and we've possibly just improved on. On top of that, according to the manual, CIS already protects COM objects from malicious (not just HIPS-ed or contained, the ones we call "guarded") applications. By default, there are some COM interfaces defined in Comodo Firewall that I have no idea what they mean; perhaps someone with more knowledge can explain? We can possibly combine HIPS rules with the Partially Limited containment level for extra protection. We can even define Protected Data files/folders which only trusted applications have read/write access to; our "guarded" applications will have neither read nor write access to them, in case we don't want read access. This is AppGuard's Privacy Folders.
    In addition, we can define Protection Settings: "Protection Settings determine how protected the application or file group in your ruleset is against activities by other processes. These protections are called 'Protection Types'". AppGuard doesn't have this, so we can now protect "guarded" applications from each other! We can also set exceptions for all of those.

    As for the memory read/write protections, we can either use MemProtect, another free program, or Comodo HIPS's "Interprocess Memory Access" access right, which works only for preventing writing to the memory of other processes and doesn't prevent reading it. Here are the other access rights from Comodo's manual: https://help.comodo.com/topic-72-1-766-9163-HIPS-Settings.html#activities_to_monitor The "Physical Memory" access right can prevent "guarded" applications from accessing physical memory, which I suppose is different from the memory of the protected processes?

    What do you guys think about this?
     
    Last edited: Aug 5, 2018
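As an added example (not AppGuard's code, and not from the poster), here is a small policy model of the launch rules listed in the post above: mode (Locked Down vs Protected), User Space, Trusted Publishers, Guarded and Power applications with child inheritance, and the InstallGuard MSI rule. Paths, publisher names and the treatment of the "options" on a Trusted Publisher entry (simplified to a plain allow) are assumptions.

```python
# Added example: a model of the AppGuard-style launch rules described in the post.
# It decides (verdict, role) for one process launch; real enforcement would be a driver.
SCRIPT_EXT = (".ps1", ".bat", ".cmd", ".vbs", ".js")   # assumed "script" extensions


class Policy:
    def __init__(self, mode, user_space, trusted_publishers, power_apps=(),
                 guarded_apps=(), only_trusted_in_user_space=True):
        self.mode = mode                                  # "locked_down" or "protected"
        self.user_space = [f.lower() for f in user_space] # folders standard users can write to
        self.trusted_publishers = set(trusted_publishers)
        self.power_apps = {p.lower() for p in power_apps}
        self.guarded_apps = {p.lower() for p in guarded_apps}
        self.only_trusted = only_trusted_in_user_space    # the checkbox quoted in the post


def in_user_space(policy, path):
    return any(path.lower().startswith(folder) for folder in policy.user_space)


def decide(policy, path, signer=None, parent_role="normal", removable=False):
    """Return (verdict, role): verdict 'allow'/'block'; role 'power', 'guarded' or 'normal'."""
    p = path.lower()
    # Power Applications, and children of Power Applications, override every other rule.
    if parent_role == "power" or p in policy.power_apps:
        return "allow", "power"
    # InstallGuard: .msi is judged regardless of location; Microsoft-signed always runs.
    if p.endswith(".msi"):
        if signer == "Microsoft":
            return "allow", "normal"
        if policy.mode == "locked_down" or signer not in policy.trusted_publishers:
            return "block", "normal"
        return "allow", "normal"
    # Guarded list entries and children of guarded processes keep the guarded role.
    inherited = "guarded" if parent_role == "guarded" or p in policy.guarded_apps else "normal"
    if removable:                      # removable-media executables are always blocked
        return "block", inherited
    if not in_user_space(policy, path):
        return "allow", inherited      # outside User Space only the guarded rules apply
    # User Space launch: no launches in Locked Down, never scripts, never unsigned.
    if policy.mode == "locked_down" or p.endswith(SCRIPT_EXT) or signer is None:
        return "block", inherited
    # Protected mode: untrusted signer runs, but as a Guarded Application (all 3 options on).
    if policy.only_trusted and signer not in policy.trusted_publishers:
        return "allow", "guarded"
    return "allow", inherited          # assumption: trusted/any-signed keeps inherited role
```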
  2. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Couple of problems. First, MemProtect is not free. Second, you may be treading on AppGuard patents. I personally don't like someone trying to just avoid buying a license, so I for sure won't support this.

    Also, you might come close in some areas, but it still won't be AppGuard.
     
  3. hamlet

    hamlet Registered Member

    Joined:
    May 10, 2005
    Posts:
    229
    You have an impressive amount of information and put good effort into your post. I am really not trying to be snarky, but if you really mean that you want to improve Appguard and are willing to devote that much time and effort to it, you should try to get a job with the company that makes it.

    I think perhaps you should title your post "Re-creating Appguard's Capabilities" or "Approximating Appguard" because that seems more like what you want to do. If that is what you really want to do, then you are off to a good start. It may take people a while to unpack all of your info and reply.

    I have to agree with Peter2150, however, and say that it still won't be Appguard.
     
  4. guest

    guest Guest

    It is more like it.

    @Floyd 57 you can do it even simpler than using Comodo. I did a similar setup to the one you described above (even using the HIPS in Paranoid Mode), but I had to ditch Comodo because it has (had?) an annoying bug that deletes all of your rules out of the blue without notice.

    However, you have Andy Ful's Hard Configurator: https://malwaretips.com/threads/hard_configurator-windows-hardening-configurator.66416/
    It is basically an "improved" (and easy to use) SRP but without memory protection; then you can use an anti-exploit or MemProtect to protect the memory.

    As your original post said, AppGuard has some particular features, some of which can be reproduced with various tools.
     
  5. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,550
    There is a free version of MemProtect, but there is a limit on the size of the config file. Also, please note that it is stronger and more hermetic than AppGuard memory protection, and this can break things. Nevertheless, you can do a lot with the free versions of the various Excubits products to reproduce AppGuard protections.

    @Floyd 57, if time is money, AppGuard even without a discount is still a lot cheaper than what you are proposing to do. :)
     