AppGuard 3.x 32/64 Bit

Discussion in 'other anti-malware software' started by shadek, Mar 12, 2011.

Thread Status:
Not open for further replies.
  1. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    Hi Amit,

    AppGuard would offer some additional protection because it is a different type of application to what you already have. AppGuard is not a classical HIPS or behaviour blocker; it is based on the concept of a trusted enclave so you would be adding an additional layer and not merely duplicating an existing layer. That said, there would be some overlap because you already have a comprehensive security setup so only you can judge whether or not the incremental increase in protection is worth the overhead of installing another application.

    The biggest overlap I can see with what you already have is with the HIPS component in Online Armor. If you are comfortable using the HIPS within Online Armor then maybe AppGuard would be unnecessary. Both approaches provide system-wide protection using behavioural analysis. However, if you would prefer a more automated approach, silently blocking any behaviour that contravenes the policy depending on the trust level of applications instead of responding to HIPS alerts, then AppGuard would be a good replacement for the HIPS within Online Armor.

    Regarding compatibility issues, it will partly depend on which OS version you are using. I experienced a Windows shutdown problem between AppGuard and WSA on Windows XP but my understanding is that this doesn't happen on Windows 7. I haven't tried AppGuard alongside Online Armor so I don't know how they behave together, especially if the HIPS in Online Armor is enabled. I assume you are using the free version of Malwarebytes but if it is the paid version, I would suggest disabling the real-time protection module in order to minimise the risk of conflicts or performance issues if you are considering running AppGuard as well.

    Regarding Sandboxie, there shouldn't be any compatibility issues per se, but some AppGuard configuration may be needed to ensure that the sandbox folder is located in what AppGuard considers to be User Space so that it can be written to by Guarded Applications. You may also need to add some of the Sandboxie executables as Power Applications within AppGuard but the necessity for this appears to be system dependent. I didn't need to add any Sandboxie executables as Power Applications on my XP Pro system but some people on Windows 7 have reported having to do this. There is plenty of information available in this thread on how to configure AppGuard to work with Sandboxie.

    Kind regards
     
  2. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    Hi PEGR, thanks for responding to this. You and Cutting are trying to take my job away for sure. :cautious: I really do appreciate the help though.
     
  3. ams963

    ams963 Registered Member

    Joined:
    May 3, 2011
    Posts:
    6,039
    Location:
    Parallel Universe
    Thank you pegr. I will follow your advice. I'll try out AG to see if it fits my taste. :)

    One more thing, I have this XP SP3 32 bit pc which has SuRun and HMP only. Do you think I could replace that setup with AG+HMP only and run as administrator?
     
  4. Tyrizian

    Tyrizian Registered Member

    Joined:
    Apr 26, 2012
    Posts:
    2,839
    Getting AppGuard to work along side Sandboxie:

    These are the settings I applied in AppGuard so Sandboxie can work well. Please tell me if you see any wrong settings being applied.

    AppGuard settings for Sandboxie:

    Step 1: Went to Customize, Guarded Apps; under Folder I hit Settings and added C:\sandbox with read/write permissions.

    Step 2: Went to Customize, Advanced, and added the following to MemoryGuard:

    c:\program files\sandboxie\sandboxierpcss.exe with write permissions
    c:\program files\sandboxie\sandboxiedcomlaunch.exe with write permissions
    c:\program files\sandboxie\sandboxiecrypto.exe with write permissions

    I applied the above settings and then Sandboxie opens up just fine, but then I get the following continuous message in the log...

    Prevented <Sandboxie Control> from reading memory of <Firefox>

    What I did to prevent the continuous blocking of read permissions was...

    I went to Customize, Advanced, Under MemoryGuard I added...

    c:\program files\sandboxie\sbiectrl.exe with read/write permissions

    Now, my question is...Should sbiectrl.exe have read/write permissions?

    In my mind, what I did is correct, but since I am a new AppGuard user, I would like to get your opinion on whether these settings are 100% solid or not. Did I apply everything correctly?

    I think I did, but it's nice to get a second opinion.
     
    Last edited: Aug 16, 2012
  5. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    You're most welcome, Amit. :)

    Yes, I think you could do that - I run Windows XP as administrator. One way to think of AppGuard is that it adds extensive LUA type features (and more) but with the easy convenience of being able to quickly enable and disable its features without having to switch user accounts.

    I assume though that you are still planning to keep Sandboxie for virtualizing the browser. IMO a combination of virtualization and policy restriction makes a very good primary defense strategy, with anti-virus (on-demand or real-time depending on personal preference) as a secondary layer.

    Kind regards
     
  6. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    Your settings look okay to me. Providing applications are opening sandboxed and running normally within the sandbox then everything should be okay. MemoryGuard events can usually be ignored anyway without any detrimental effect on functionality.

    Kind regards
     
  7. Tyrizian

    Tyrizian Registered Member

    Joined:
    Apr 26, 2012
    Posts:
    2,839
    Thanks for the reply, I appreciate it :thumb:

    Everything is running perfectly on my end, so I guess I'm good to go then.
     
  8. Brandonn2010

    Brandonn2010 Registered Member

    Joined:
    Jan 10, 2011
    Posts:
    1,854
    New behavior today: Chrome is trying to read its own memory and being prevented from doing so?

    08/16/12 13:03:08 Prevented <Google Chrome> from reading memory of <Google Chrome>.
    08/16/12 13:02:36 Prevented <Google Chrome> from reading memory of <Google Chrome>.
    08/16/12 13:01:42 Prevented <Google Chrome> from reading memory of <Google Chrome>.
    08/16/12 13:01:15 Prevented <Google Chrome> from reading memory of <Google Chrome>.
    08/16/12 13:00:44 Prevented <Google Chrome> from reading memory of <Google Chrome>.
    08/16/12 13:00:02 Prevented <Google Chrome> from reading memory of <Google Chrome>.
    08/16/12 12:59:36 Prevented <Google Chrome> from reading memory of <Google Chrome>.
    08/16/12 12:59:22 Prevented <Google Chrome> from reading memory of <Google Chrome>.
    08/16/12 12:58:57 Prevented <Google Chrome> from reading memory of <Google Chrome>.
     
  9. Tyrizian

    Tyrizian Registered Member

    Joined:
    Apr 26, 2012
    Posts:
    2,839
    I'm not sure if this question has been asked yet, but will a future AppGuard release include Windows 8 support?
     
  10. Trespasser

    Trespasser Registered Member

    Joined:
    Mar 1, 2005
    Posts:
    1,204
    Location:
    Virginia - Appalachian Mtns
    The only thing I did with reference to AppGuard 3.4.2.0 and Sandboxie 3.72 was adding C:\Sandbox to Customize>Guarded Apps>Folders with Read/Write permissions, and nothing else. Sandboxie functions fine. This is on Windows 7 Professional 32bit. I'm also running SRP.

    Later...
     
  11. Livix

    Livix Registered Member

    Joined:
    Jul 20, 2012
    Posts:
    13
    Just in case anyone is interested, I discovered the cause of the recentfilecache.bcf event; the bootsqm is still a mystery to me, but it has stopped now.
    Application Experience in Task Scheduler triggers the event whenever the PC is idle for 3 minutes; the last run time matches the event to the second.
     
  12. kjdemuth

    kjdemuth Registered Member

    Joined:
    Jul 29, 2005
    Posts:
    2,974
    Location:
    Boston, MA
    Anyone else having this problem?

    08/21/12 11:46:30 Prevented <Kingsoft Antivirus Tray> from writing to memory of <Sandboxie COM Services (DCOM)>.
    08/21/12 11:46:30 Prevented <Kingsoft Antivirus Tray> from writing to memory of <Sandboxie COM Services (RPC)>.
    08/21/12 11:46:27 Prevented <Kingsoft Antivirus Tray> from writing to memory of <Firefox>.
    Is this one of those MemoryGuard events I should ignore, or is Kingsoft attempting to scan Firefox?
     
  13. Kid Shamrock

    Kid Shamrock Registered Member

    Joined:
    Apr 3, 2007
    Posts:
    229
    You should add Kingsoft AV as a power app.
     
  14. kjdemuth

    kjdemuth Registered Member

    Joined:
    Jul 29, 2005
    Posts:
    2,974
    Location:
    Boston, MA
    Thanks, Kid. I was thinking about doing that. I wanted to see if I could fix it without using the power app feature, if there is a way to fix it.
     
  15. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    Did you try making a MemoryGuard exception to enable Write access for Kingsoft AV?
     
  16. ams963

    ams963 Registered Member

    Joined:
    May 3, 2011
    Posts:
    6,039
    Location:
    Parallel Universe
    Thanks pegr. So you are recommending AG+Sbie+AV(realtime)+on-demand scanner, right? You sure all those layers would work nicely alongside each other?

    I could still use a firewall, right? I mean AG does not perform firewall stuff, now does it?
     
  17. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    5,703
    Location:
    North Carolina, USA
    Hello,

    I have a question that I have not seen an answer for. For example, say I have my anti-virus/malware security software and I need to make it a power app to be sure it functions properly. Now my question is: what if that software spawns child processes during its normal operation? Do these child processes inherit the power app status, or do I need to make each child process a power app individually? The reason I ask this is that, for instance, with Webroot you only have one process, but some like Panda Cloud run with two main processes but can also spawn a half dozen or more child processes depending on what task they are running at the time. Is making the main process/processes enough, or do all of the spawned child processes need to be made power apps individually also? I guess the main question here is: is the power app classification inherited by its children or not?
     
  18. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    Spawned applications of power applications are also power applications. You do not need to explicitly make each child process a power application.
     
  19. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    Thanks for the assists, Kid and Pegr. You can either make Kingsoft AV a power app OR use the MG exception - don't do both. A Power App is automatically a MG exception, but it can also launch from User-Space (probably not necessary) and it can write to protected resources. So the MG exception is the more secure way to go if Kingsoft AV does not need to write to protected resources.

    I'm hoping in the next release we can automatically include some power app settings for some of the more popular security products as well as do some error checking to make sure that Power Apps aren't included in the MG exception list and vice versa. If you add a PA to the MG exception list and don't explicitly select ReadWrite, then you are actually overriding the PA's ability to perform Read or Write operations (depending on the MG exception setting that you select).
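    Posts 18 and 19 together describe how Power App status and MemoryGuard (MG) exceptions interact: children of a Power App are Power Apps, a Power App is automatically an MG exception and may write to protected resources, and a Power App that is also put in the MG list with only Read or only Write is narrowed to that. The following Python model is added here as an illustration and is not AppGuard's own code; it encodes those stated rules and adds the lint check Barb_C says she hopes to ship. The process names, the child process and the assumption that MG entries are matched by exact process name are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

READ, WRITE = "read", "write"


@dataclass
class Policy:
    # process names explicitly marked as Power Apps
    power_apps: Set[str] = field(default_factory=set)
    # MemoryGuard exception list: process name -> operations permitted
    mg_exceptions: Dict[str, Set[str]] = field(default_factory=dict)


@dataclass
class Process:
    name: str
    parent: Optional["Process"] = None


def is_power_app(proc: Process, policy: Policy) -> bool:
    """Power App status flows to spawned children, so walk up the parent chain."""
    p: Optional[Process] = proc
    while p is not None:
        if p.name in policy.power_apps:
            return True
        p = p.parent
    return False


def memory_access(proc: Process, policy: Policy) -> Set[str]:
    """Operations the process may perform on other processes' memory.

    An explicit MemoryGuard entry is authoritative: a Power App listed with only
    Read (or only Write) is narrowed to that, the pitfall described in the post.
    Modelling assumption: MG entries are matched by exact process name only.
    """
    explicit = policy.mg_exceptions.get(proc.name)
    if explicit is not None:
        return set(explicit)
    if is_power_app(proc, policy):
        return {READ, WRITE}
    return set()


def can_write_protected_resources(proc: Process, policy: Policy) -> bool:
    """Only Power Apps (and their children) write to protected resources;
    an MG exception alone grants nothing here."""
    return is_power_app(proc, policy)


def lint(policy: Policy) -> List[str]:
    """Flag processes that sit in both lists (the error check Barb_C describes)."""
    warnings = []
    for name in sorted(policy.power_apps & set(policy.mg_exceptions)):
        granted = policy.mg_exceptions[name]
        if granted != {READ, WRITE}:
            warnings.append(f"{name}: Power App also in MemoryGuard list with only "
                            f"{sorted(granted)}; its memory access is narrowed to that")
        else:
            warnings.append(f"{name}: Power App duplicated in MemoryGuard list; keep one")
    return warnings


def demo() -> Dict[str, Set[str]]:
    """Three ways of handling an AV tray process (names constructed for illustration)."""
    tray = Process("Kingsoft Antivirus Tray")
    scanner = Process("Kingsoft Scanner (hypothetical child)", parent=tray)

    as_power_app = Policy(power_apps={tray.name})
    as_mg_exception = Policy(mg_exceptions={tray.name: {READ, WRITE}})
    both_misconfigured = Policy(power_apps={tray.name}, mg_exceptions={tray.name: {READ}})

    return {
        "pa/tray": memory_access(tray, as_power_app),
        "pa/child": memory_access(scanner, as_power_app),
        "mg/tray": memory_access(tray, as_mg_exception),
        "both/tray": memory_access(tray, both_misconfigured),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:<10} {sorted(v)}")
    for w in lint(Policy(power_apps={"Kingsoft Antivirus Tray"},
                         mg_exceptions={"Kingsoft Antivirus Tray": {READ}})):
        print("warning:", w)
```

    Running the script shows the "both/tray" case collapsing to read-only, which is why the advice is to pick one mechanism: the MG exception when the tool only needs to touch other processes' memory, Power App status only when it must also write to protected resources.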
     
  20. ams963

    ams963 Registered Member

    Joined:
    May 3, 2011
    Posts:
    6,039
    Location:
    Parallel Universe
    WSA has two processes, both called WRSA.exe :)
     
  21. kjdemuth

    kjdemuth Registered Member

    Joined:
    Jul 29, 2005
    Posts:
    2,974
    Location:
    Boston, MA
    Yeah I'm unsure which application to add. Kingsoft has about 4 processes. I guess I can add all 4 of them.
     
  22. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    You better do all 4 :thumb:
     
  23. Nightwalker

    Nightwalker Registered Member

    Joined:
    Nov 7, 2008
    Posts:
    1,387
    I am afraid to buy a license for 3.x now, just to see version 4 be released with Windows 8.
     
  24. mick92z

    mick92z Registered Member

    Joined:
    Apr 27, 2007
    Posts:
    548
    Location:
    Nottingham
    Well I went ahead and bought one, although I am struggling to understand this program. When I went to start Word Starter I got an error.

    Looking in AppGuard's logs I found these:

    08/22/12 18:47:01 Prevented process <winwordc.exe - c:\program files\common files\microsoft shared\virtualization handler\cvh.exe> from launching from <q:\140066.enu\office14>.


    08/22/12 18:44:12 Prevented <Microsoft Application Virtualization Client Service> from writing to <\registry\machine\software\wow6432node\microsoft\softgrid\4.5\client\packages\{90140011-0066-0409-0000-0000000ff1ce}>.
    Turning off AppGuard, Word Starter started normally.
    What do I do now? Turn off AppGuard every time I want to write a letter?

    Just to add, I cannot find winword.exe. This Office Starter is an advert-based freebie that appears to have a drive of its own (the Q: drive) which is inaccessible. Is this why AppGuard is flagging it?
     

    Attached Files:

    • Word.PNG (26.9 KB)
    Last edited: Aug 22, 2012
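    Posts 8, 12 and 24 quote three shapes of AppGuard log line: MemoryGuard read/write events, a blocked launch, and a blocked write to a protected registry key. The Python below is an added example, not code from the original posts or from AppGuard, that parses those formats and buckets events the way the thread's advice suggests (self-access such as Chrome reading Chrome is usually ignorable noise; a security tool touching other processes is a candidate for an MG exception or Power App status, not both; only a Power App writes to protected resources). The sample lines are constructed in the quoted format, and the bucket names are this example's own labels.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

# Constructed sample lines (hypothetical, not a real capture) written in the
# three event formats quoted in this thread; the last line is deliberate noise.
SAMPLE_LOG = [
    r"08/16/12 13:03:08 Prevented <Google Chrome> from reading memory of <Google Chrome>.",
    r"08/16/12 13:02:36 Prevented <Google Chrome> from reading memory of <Google Chrome>.",
    r"08/21/12 11:46:30 Prevented <Kingsoft Antivirus Tray> from writing to memory of <Sandboxie COM Services (DCOM)>.",
    r"08/21/12 11:46:27 Prevented <Kingsoft Antivirus Tray> from writing to memory of <Firefox>.",
    r"08/22/12 18:47:01 Prevented process <winwordc.exe - c:\program files\common files\microsoft shared\virtualization handler\cvh.exe> from launching from <q:\140066.enu\office14>.",
    r"08/22/12 18:44:12 Prevented <Microsoft Application Virtualization Client Service> from writing to <\registry\machine\software\wow6432node\microsoft\softgrid\4.5\client\packages\{90140011-0066-0409-0000-0000000ff1ce}>.",
    "2012-08-22 some unrelated line",
]

TS = r"(?P<ts>\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
PATTERNS = {
    # MemoryGuard: one process reading or writing another process's memory
    "memory": re.compile(TS + r"Prevented <(?P<src>[^>]+)> from (?P<op>reading|writing to) memory of <(?P<dst>[^>]+)>\.$"),
    # Launch control: a process blocked from starting out of a folder
    "launch": re.compile(TS + r"Prevented process <(?P<src>[^>]+)> from launching from <(?P<dst>[^>]+)>\.$"),
    # Protected resource: a write to a guarded file or registry location
    "resource": re.compile(TS + r"Prevented <(?P<src>[^>]+)> from writing to <(?P<dst>[^>]+)>\.$"),
}


@dataclass
class Event:
    ts: str
    kind: str     # memory | launch | resource
    op: str       # reading | writing | launching
    source: str
    target: str


def parse_line(line: str) -> Optional[Event]:
    """Return an Event for a recognised AppGuard log line, else None."""
    for kind, rx in PATTERNS.items():
        m = rx.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        if kind == "memory":
            op = d["op"].split()[0]        # "writing to" -> "writing"
        else:
            op = "launching" if kind == "launch" else "writing"
        return Event(d["ts"], kind, op, d["src"], d["dst"])
    return None


def triage(ev: Event) -> str:
    """Coarse bucket per event, following the advice given in this thread."""
    if ev.kind == "memory":
        if ev.source == ev.target:
            # e.g. Chrome reading Chrome: MemoryGuard noise, usually ignorable
            return "self-access"
        # a security tool touching other processes: candidate for an MG
        # exception (or Power App status, but not both)
        return "mg-exception-candidate"
    if ev.kind == "launch":
        return "launch-blocked"
    # only a Power App may write to protected resources
    return "protected-resource-write"


def summarize(lines: Iterable[str]) -> Dict[Tuple[str, str], int]:
    """Count events per (bucket, source process); unparsed lines are counted too."""
    counts: Counter = Counter()
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            counts[("unparsed", "")] += 1
        else:
            counts[(triage(ev), ev.source)] += 1
    return dict(counts)


if __name__ == "__main__":
    for (bucket, src), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{n:3d}  {bucket:<26} {src}")
```

    Feed it a saved AppGuard log instead of SAMPLE_LOG and the summary shows at a glance which process is generating repeated MemoryGuard events (the case Kid Shamrock and pegr answer in posts 13 and 15) and which events are the self-access kind pegr says can usually be ignored.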
  25. Nightwalker

    Nightwalker Registered Member

    Joined:
    Nov 7, 2008
    Posts:
    1,387
    I think I will buy a license, just two questions:

    1. How well does AppGuard run with Steam, Ad Muncher, EMET, Daemon Tools and VMware?

    2. Is x64 protection as strong as 32-bit?
     