AppGuard 3.x 32/64 Bit

Discussion in 'other anti-malware software' started by shadek, Mar 12, 2011.

Thread Status:
Not open for further replies.
  1. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    Whew! I think I finished responding to all of the older posts except to address the rootkit attacks getting past AppGuard which I will post when our Chief Software Architect responds to my enquiry.

    If I missed your post it was either because I felt that someone else on this forum addressed it adequately or because I simply missed it (in that case, please let me know).

    As we return our focus to Consumer AppGuard, I hope to be more active on this forum. You all are such a great help to our development process and we really appreciate it.
     
  2. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Barb

    You might address the start up issue with your folks also. I know via testing that both Online Armor and Malware Defender are protecting the system, by the time the desktop appears.

    Note that this is on 32bit XP.

    Pete
     
  3. mick92z

    mick92z Registered Member

    Joined:
    Apr 27, 2007
    Posts:
    548
    Location:
    Nottingham
Hi, is this the video posted by spaceghost? Or are there other possible bypasses. Thanks
     
  4. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    @Barb_C:

    To test the protection during start-up, on Windows XP using the High protection level, I ran an unsigned executable from user space, which should have been denied. As long as the tray icon was showing a red cross, I was able to launch the executable. After the tray icon changed to green, I was no longer able to launch the unsigned executable from user space.

    I then tested the protection at start-up on a guarded application with the privacy flag set. While the tray icon was showing a red cross, the guarded application was able to access a protected folder. After the tray icon changed to green, the guarded application was no longer able to access the protected folder.

    I know that the protection is provided by the AppGuard Agent, and that the AppGuard GUI doesn't have to be running, but that's beside the point. The delay in the AppGuard GUI establishing a communication with the AppGuard Agent at start-up - as indicated by the red cross in the tray icon - appears to correlate with the protection not working until after the tray icon turns green. It may well be that AppGuard isn't meant to function this way but it's the reality, which is easily demonstrated.
     
  5. Brandonn2010

    Brandonn2010 Registered Member

    Joined:
    Jan 10, 2011
    Posts:
    1,854
    They should make sure AppGuard loads before everything else then if possible.
     
  6. chris1341

    chris1341 Guest

    Barb_C,

    Comment wasn't meant to suggest AG MG doesn't work under x64, rather that while MG exceptions will allow AG and SBIE to work together on x32 that will not be sufficient to allow AG and SBIE to work together under x64. That requires Power Apps.

    Just reminding x64 users that Peter2150 and pegr's comments suggesting MG exceptions were a better approach to get SBIE compatibility won't work for everyone.

    No need for further investigation from you.

    Thanks
     
  7. newbino

    newbino Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    464
    Hi Barb,

    you have a PM.

    thanks
     
  8. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    That is correct. The AppGuard service starts early in the bootup sequence and that is what is applying the protection. The GUI is only necessary to modify the policy or change the protection level.
     
  9. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    Thanks for clarifying. You had us worried.
     
  10. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    It loads as early in the bootup sequence as possible.
     
  11. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    Thanks for bringing this to our attention. I have a feeling that this is because until a user is logged in, AppGuard hasn't applied the user-space policy. We'll have a look at this and see if we can make a more restrictive policy until the user is logged in.

    BTW, unless this unsigned executable made its way onto your machine prior to having AppGuard installed (and the registry run key modified to launch the program), I believe that it would be difficult to find a way that malware can infect your system to accomplish this.
     
  12. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    I only use the one administrator account that doesn't require a log-in (the system boots straight into it) so maybe that is the issue. When I get time, I'll set up a user account that requires a log-in and retry the same tests to see if I get the same behaviour, and report back.

    I agree it is unlikely that malware would be able to exploit any delay in AppGuard protection at start-up. As you say, it would require the machine to have become infected previously. I posted this only to confirm that, on my system, there is a delay in protection at start-up, not to express concern. That said, it would be nice to see AppGuard protection become fully operational earlier in the boot cycle.
     
  13. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
Hi Pegr, Barb

Don't bother. I have 2 accounts set up precisely to stop Windows from the immediate log in. I have noticed that the longer I leave it at that login screen before continuing the quicker AppGuard is on duty.

    But I do confirm until the icon turns green user space isn't protected. I also agree there isn't much threat if the machine was clean when shut off.

    Pete
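As an added example (not from this thread, and not code from the AppGuard vendor), the following PowerShell script puts a number on the start-up gap that pegr and Pete describe: it reads the Service Control Manager's "entered the running state" event (System log, event ID 7036) for the protection service, compares it with boot time and with the moment the desktop shell (explorer.exe) started, and flags a negative interval. The service display name is an assumption and must be replaced with the name shown in services.msc. Note the caveat raised in the thread: the service being "running" is not the same as the user-space policy being applied, so this gives only a lower bound on the unprotected interval; launching an unsigned executable from user space right after logon, as pegr did, remains the direct check.

```powershell
# Added example, not from the thread or from the AppGuard vendor.
# Measures how long after boot the protection service reported "running" and compares
# that with the moment the desktop shell (explorer.exe) started, which is roughly when
# a user can first launch something from user space.
#
# ASSUMPTION: the service display name below is a placeholder; take the real one from
# services.msc (Get-Service also shows DisplayName).
param(
    [string]$ServiceDisplayName = 'AppGuard Agent'   # placeholder, adjust to your system
)

# Boot time via WMI (works on PowerShell 2.0 / XP as well as newer versions)
$os   = Get-WmiObject Win32_OperatingSystem
$boot = $os.ConvertToDateTime($os.LastBootUpTime)

# Service Control Manager logs event 7036 when a service enters the running state.
$scmEvents = Get-EventLog -LogName System -Source 'Service Control Manager' -After $boot |
    Where-Object { $_.EventID -eq 7036 -and $_.Message -like "*$ServiceDisplayName*running*" } |
    Sort-Object TimeGenerated

if (-not $scmEvents) {
    Write-Warning "No 'entered the running state' event for '$ServiceDisplayName' since boot. Check the display name."
    return
}
$serviceRunning = ($scmEvents | Select-Object -First 1).TimeGenerated

# Desktop shell start time (run this from the interactive user's session so explorer.exe is visible)
$explorer = Get-Process explorer -ErrorAction SilentlyContinue | Sort-Object StartTime | Select-Object -First 1
if (-not $explorer) {
    Write-Warning "explorer.exe not found; run this script in the logged-on user's session."
    return
}
$desktop = $explorer.StartTime

# Summary: positive DesktopAfterServiceSeconds means the service was running before the desktop appeared
$report = New-Object PSObject -Property @{
    Boot                       = $boot
    ServiceRunning             = $serviceRunning
    DesktopShellStart          = $desktop
    ServiceAfterBootSeconds    = [math]::Round(($serviceRunning - $boot).TotalSeconds, 1)
    DesktopAfterServiceSeconds = [math]::Round(($desktop - $serviceRunning).TotalSeconds, 1)
}
$report | Format-List

if ($report.DesktopAfterServiceSeconds -lt 0) {
    Write-Warning "Desktop shell started before the service reported running; user space was unprotected for that interval."
}
```

Run it from an elevated prompt as the logged-on user after a reboot; compare the reported interval with how long the tray icon stays red, which the thread associates with the GUI not yet having connected to the agent.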
     
  14. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    Thanks for confirming that Pete. I won't bother with any further testing.

    Regards
    pegr
     
  15. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,872
    Location:
    Outer space
    How do you feel about this wishlist? Is it still possible for v4.0?
    • Ability of tray icon to give information boxes/pop-ups instead of just blinking and needing mouse-over, something like this would be nice and still unobtrusive/user-friendly:
      shot1.JPG

    • Ability to view currently running guarded processes in GUI with info on exceptions (if any) (to prevent information overload; could be done on mouse-over or (right)clicking the process)

    • Right-click menu with some options to run as guarded/unguarded and change exceptions

    • Ability to be notified about the (preferably only the first) execution of a guarded executable, as a separate setting from Guarded Execution Events.


    Thanks, the latest updates installed fine :)

    Why remove MG exceptions when it's safer than a PA?
     
  16. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    Thanks for the suggestions! We are probably going to do a quick turn on a version 3.5 to address an issue with Office 2013 on Windows 8 and some bug fixes that have already been checked in, but not yet released. There won't be time to include the wish list that you requested in 3.5, but we will consider for 4.0.
    This is at odds with our Chief Architect's philosophy of being as unobtrusive as possible, but I like this idea because it gives the end-user an idea that AppGuard is actually doing something. If you mouse over the icon, you will see a tool tip with the last launch blocking event. We've theorized that AppGuard's silence may be a barrier to converting a trial user to a purchase since they may not realize that AppGuard is constantly preventing suspicious behavior - perhaps another optional setting on the Alerts page. A little background: Previous versions of AppGuard blinked the icon for every blocking event. This was considered to be too noisy, so we made the alerts configurable (I think the default is to just blink the GUI for blocked launches). BTW, you can reconfigure the Alerts so that the icon will blink for all blocked events.
    When you say "could be done on mouse-over...", where are you right-clicking - on the "Guarded Apps" tab? If so, this tab doesn't include Apps that are "Auto Guarded" by virtue of location (for instance an application that was launched from user-space). We could probably add an additional tab that would include all currently Guarded Applications. BTW, you can determine indirectly the currently running guarded processes from the tray menu: "Guarded Execution" which gives you the option of suspending Guarded Execution for a specific application.
    Do you mean a context menu that appears when you right-click on a file in File Explorer? We have discussed this as a nice-to-have feature, but haven't had a chance to implement it yet. Perhaps in 4.0.
    Not sure I understand this one.
    PAs are easier for the average user to understand vs. MG exceptions and I would say that MG exceptions are only slightly more safe than PAs and perhaps not worth the trade-off in complexity. Most likely we will just make the MG exceptions a little less visible so as not to confuse the typical end-user.
     
  17. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,872
    Location:
    Outer space
    Nice :)
    In addition to giving the user the idea AG is doing something, it's easier to notice (especially on large screens with high resolution) and requires less effort of the user, altogether making it easier to troubleshoot/notice any issues or conflicts so the user can change the configuration if necessary.
    Nice, thanks :)
    I mean that if you would add that additional tab, that the user can mouse-over or right-click the line of a currently Guarded Application and then it can show the (possibly inherited) exceptions.
    Yes, that's what I meant.
    I mean a notification like with blocked executions, but one for the execution of a Guarded process. For example if a GA would be exploited and launch an application in system-space, then the user would know about it. The Guarded Execution Events notifications only inform about blocked actions.
    Good enough for me :)


    Why is the MemRead protection for GA's off by default? And is this the same as the MemoryLock feature?
    One last thing :p It would be very nice to have the Enclaves feature in the consumer version as well.
     
  18. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Honestly I think an alert every time a guarded app runs would be a nightmare, and lead to more support problems.

    Think of the panic to an inexperienced user to get an alert every time Rundll32.exe ran. Also I have my browsers, all of MS Office etc guarded. Would drive me nuts. Would have to be optional, and I bet eventually would be turned off by most users.

    Pete

    A further thought on alerts about guarded app alerts. Alerts are important when something that shouldn't happen does. Firefox is one of my guarded apps, I run it many times a day. An alert when it runs is pointless. What would be more important is an alert when a guarded app does something it should not be doing.

    Pete
     
    Last edited: Mar 14, 2013
  19. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,872
    Location:
    Outer space
    It could be off by default, blocked executions is currently the only notification that makes the systray icon blink, the others are off by default as well.
    I don't think there are that many inexperienced users using AG btw, due to it being not very well known and being mostly discussed on IT websites, and it's also not the most easy concept, I normally never read manuals, but I fully read AG's manual :D
     
  20. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590

    Just once? I've been thru it a few times.

    Pete
     
  21. TomAZ

    TomAZ Registered Member

    Joined:
    Feb 27, 2010
    Posts:
    1,131
    Location:
    USA
    I need a little help with this whole Sandboxie thing. Not sure if the AppGuard program I installed has a problem - or as a brand new user, if it's just my lack of understanding.

    I added the first three items mentioned above to the MemoryGuard exception list and that seems to be working. But I'm having trouble with adding the other item (c:\sandbox) to the folder exception list. When I try to add it, I don't see any kind of option to change the "Type" (permissions) to read/write - and it looks like it's a "Private" item rather than an "Exception."

    Can someone please tell me what I'm doing wrong? Thanks.
     
  22. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    If you click in the Type column on the entry where it says Deny Access you will see a drop-down control appear where you can change the type to Read/Write.

    I suggest also going to the User-Space tab and adding c:\sandbox as an exception folder with Include set to Yes. That completes the job of moving c:\sandbox from system space to user space and ensures that any executables that get downloaded to the Sandboxie container folder while you are web browsing will run guarded by AppGuard as well as being sandboxed by Sandboxie.

    Regards
     
  23. TomAZ

    TomAZ Registered Member

    Joined:
    Feb 27, 2010
    Posts:
    1,131
    Location:
    USA
    Thanks so much, Pegr. Is it necessary to also add Sandboxie as a PowerApp as some have suggested?
     
  24. mick92z

    mick92z Registered Member

    Joined:
    Apr 27, 2007
    Posts:
    548
    Location:
    Nottingham
    Hello pegr, I have never done this part, yet had no problems. Is this applicable to the new Sandboxie 4? Are any AppGuard settings different for S.B 4?
    Thanks in advance
     
  25. SLE

    SLE Registered Member

    Joined:
    Jun 30, 2011
    Posts:
    361
    No. Not necessary.
    Due to the changes in Sandboxie v4 you also have to set sbiesvc.exe as memory guard exception. (see here)
     