AppGuard 3.x 32/64 Bit

Discussion in 'other anti-malware software' started by shadek, Mar 12, 2011.

Thread Status:
Not open for further replies.
  1. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    The current plan is to do a release 3.5 in the next month. There will be no additional charge for that release. AppGuard 4.0 has not been scheduled yet.
     
  2. Any functional improvements in 3.5?
     
  3. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I would recommend improvements to the GUI. When one clicks on the customs tab the window that is presented to them is too small. I say this because if you look at the alert tab, which is the first tab to the left, you will see that the ignored messages window is too small. Field 1 and field 2 are both cut off so one can only see part of the field. Also look at the advanced tab. The memory guard exception window is too small if one wants the convenience of being able to view all their memory guard application exceptions without having to scroll up and down the very small window. The memory guard exception window is just too small.

    BRN should consider merging the protection level window with the sliding bar, which also contains the events viewer, with the rest of the tabs. In other words, just make it an additional tab with one large window containing 7 tabs instead of 6. Make the window size about the same size as the protection level event viewer window. Then add 7 tabs to that window. The customize window size is too small for 7 tabs, and its small window size is the reason the ignored messages window and memory guard exception window are too small. Using a larger window size will make more room for the ignored messages window and the memory guard exception window. This will also provide faster access to the other features of AG. Just make it so that when one closes the GUI to minimize it to the taskbar, when opened again it will display the protection level and events viewer by default. That way, for convenience, it will always show the protection level and event viewer tab first by default. This will provide quick access to view one's protection level, and give one quick access to view blocked events in the alert tab.
     
    Last edited: Apr 16, 2013
  4. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    Thanks for the suggestions. We will definitely consider your suggestions from your first paragraph. While I agree with what you are saying in the second paragraph, our marketing department does not (they don't want to intimidate novice users making the UI too complex).
     
    Last edited: Apr 17, 2013
  5. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,538
    Location:
    Sweden
    I'm using AppGuard together with Sandboxie. Does AppGuard run the application as 'Guarded' even though it's simulated in the sandbox? So in case the Sandboxed application that runs as 'Guarded' escapes the sandbox and tries to plant something into the user-space and run, AppGuard will block and intercept this behavior?

    Meaning, if anything escapes Sandboxie and tries to run, AppGuard will be there to protect my critical areas?
     
  6. Right click on C:\Sandbox, click properties, click on the security tab, click 'change permissions' button, click 'add' button on next screen, type Everyone in user text box and press 'OK' button, select under deny column (tick box) after "Traverse folder / execute file", press ok, ok, etc.

    Now you are always protected, by Windows ACL (access control list) of NTFS, and AppGuard
     


    Last edited by a moderator: Apr 17, 2013
  7. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,538
    Location:
    Sweden
    Very nice, though it does seem overkill. But who here at Wilders doesn't want to overdo it? I'm just wondering exactly what you meant by "Traverse folder / execute file"? What should I add 'deny' to?

    [Attachment: Untitled.png]

    Thanks in advance!
     
    Last edited: Apr 17, 2013
  8. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,538
    Location:
    Sweden
    I am using Windows 8 and the UI is a bit different. Please take a look at the attached image. Are these the correct permissions?

    [Attachment: Untitled.png]

    Thanks for putting time into this! I believe this is something many can make use of since many are using Sandboxie in conjunction with AppGuard!
     
    Last edited: Apr 17, 2013
  9. Arcanez

    Arcanez Registered Member

    Joined:
    Oct 5, 2011
    Posts:
    417
    Location:
    Event Horizon
    At least for me, ACL can only deny execute permissions together with read permissions. I can't let a user read and view contents of a folder but deny him to execute anything from there. It seems like I can't separate these two permissions from each other because the checkboxes are automatically set when checking deny execute...

    Instead of creating an "Everyone" user, why not just uncheck the execute permission from all admins and users for that folder?

    I know that deny rules are preferred over permissions though...

    ---------------------------------------------------------------

    Not working for me, just like AppLocker; seems like Microsoft doesn't want me to use built-in security. Also it's way too difficult to set up for the average user and such a pain when you have to change something. In AppGuard you just push the slider to the top and you're done! :thumb:
     
    Last edited: Apr 17, 2013
  10. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    The acl stuff is neat, but I don't think really needed. Barb_C can confirm, but you can set stuff you run in Sandboxie guarded in appguard and appguard protects you.

    Covers all the browsers, I run adobe stuff sandboxed and guarded as I do with Java

    Pete
     
  11. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,538
    Location:
    Sweden
    Agreed. So AppGuard will protect you if something escapes from Sandbox if it's run as 'Guarded'? I.e. the browser?

    I've now created a deny rule for c:\sandbox which looks like this:

    [Attachment: Untitled1.png]

    It looks kind of right?
     
  12. That is the correct option "Traverse folder / execute file", but is it possible to invert the selection?

    Look whether the option DENY is available in the dropdown list of TYPE and inverse/revert selection (see picture), by SELECTING only "Traverse folder / file execution" at the DENY TYPE. Please unselect everything at ALLOW.

    Due to inheritance of rights, it is better to NOT give Anyone ALLOW permissions; your access rights will be determined based on your log-on (user rights) and elevation state of the process (medium/high integrity level). Preferred setting is to ONLY tick/select a DENY for Traverse folder/execute file and REMOVE or BLANK out (undo) all the selections you gave for allow.

    Regards Kees
     


    Last edited by a moderator: Apr 18, 2013
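    The deny that Kees describes above, set from an elevated PowerShell prompt instead of the Explorer dialog. This is an added example, not from the thread, and assumes Sandboxie's default container path C:\Sandbox. It adds a single DENY for the ExecuteFile right (the bit Explorer labels "Traverse folder / execute file") and no ALLOW entries for Everyone, so none of the extra read boxes that the dialog ticks automatically are touched.

```powershell
# Added example (not from the thread): apply the Everyone / Traverse-Execute deny with PowerShell.
# Assumption: Sandboxie's default container path; adjust if your sandbox lives elsewhere.
$SandboxPath = 'C:\Sandbox'

# Everyone by its well-known SID, so the script does not depend on the UI language.
$everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'

# ExecuteFile is the single access bit Explorer shows as "Traverse folder / execute file".
# ContainerInherit + ObjectInherit propagate it to every subfolder and file in the sandbox.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $everyone,
    [System.Security.AccessControl.FileSystemRights]::ExecuteFile,
    ([System.Security.AccessControl.InheritanceFlags]::ContainerInherit -bor
     [System.Security.AccessControl.InheritanceFlags]::ObjectInherit),
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Deny)

$acl = Get-Acl -Path $SandboxPath
$acl.AddAccessRule($rule)          # Deny entries are kept ahead of Allow entries (canonical order)
Set-Acl -Path $SandboxPath -AclObject $acl

# Check: Everyone should now have exactly one entry, Deny / ExecuteFile, and no Allow entry.
$sidType = [System.Security.Principal.SecurityIdentifier]
(Get-Acl -Path $SandboxPath).Access |
    Where-Object { $_.IdentityReference.Translate($sidType).Value -eq 'S-1-1-0' } |
    Format-Table IdentityReference, AccessControlType, FileSystemRights, IsInherited -AutoSize
```

    Everyone includes administrators and SYSTEM, so the deny also stops an elevated process from launching a file stored under the container, which is the intended effect; remove the rule with $acl.RemoveAccessRule($rule) followed by Set-Acl if it gets in the way.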
  13. @ Shadek: Yes, correct. :thumb:

    @ Pete: I don't get this logic, is not needed :D

    UAC provides similar protection as AppGuard. AppGuard implements a different mechanism (second safety net) to the 'admin' space. So when you want a second safety mechanism in admin space, why not apply a second safety net in user space? Also considering the fact that this is the only area where Sandboxie allows malware to play: in the sandbox! So when you go into install mode in AppGuard you are still protected, due to this second safety net.
     
    Last edited by a moderator: Apr 18, 2013
  14. You need to go into advanced options/show basic permissions as Shadek pointed out. It is possible on XP, Vista, Windows 7 and Windows 8 to set this. But I agree Microsoft makes all the built-in security rather difficult to use. They should take an example from Apple (also much easier to use the Apple sandbox, for instance for developers).

    AppGuard is a great application, I have put it on my son's laptop. Normally one is better off buying a Windows Home with an AppGuard license, in terms of price/protection, than buying an Ultimate (like I have). My Safe-Admin setup mimics AppGuard 2.xx protection, I do not have the memory protection of 3.xx
     
    Last edited by a moderator: Apr 18, 2013
  15. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,538
    Location:
    Sweden
    Well, I probably would've been safe with just running Chrome as 'Guarded' but it's now also running in the Sandbox and it can't run malicious code (or any other code for that matter) even if it escapes the Sandbox (thanks to AppGuard in 'Locked Down' and Kees's (Windows Security) advice)!

    I've uninstalled my real-time AV and now just using Hitman as on-demand. :)
     
  16. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    That is true. But it is off topic for this thread as it isn't about other protections, but AppGuard. Please stay on topic about AppGuard, period.

    Pete (as mod)
     
  17. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I don't know. I do know I can't do that as I use Appguard in lockdown, and that would mess up a deny rule for the sandbox.

    Pete
     
  18. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    Thanks, Pete. I was beginning to think that I had stumbled into the wrong forum.
     
  19. Barb

    Any info on functional improvements of 3.5? I have asked this before, no answer yet (you were probably stumbling in the wrong forum because of my posts on ACL)

    Regards Kees
     
  20. iammike

    iammike Registered Member

    Joined:
    Jun 13, 2012
    Posts:
    342
    Location:
    SE Asia
    Hi Guyz,

    brand new (licenses bought today) Appguard user here.

    When I start appguard, I got a lot of these messages in my eventvwr

    (This is a sample)
    Cannot locate Guarded Application <c:\program files\mozilla firefox\firefox.exe>.

    My Firefox is installed in C:\Program Files (x86)...

    And this strange one (strange because I don't have Adobe reader installed)

    Cannot locate Guarded Application <c:\program files\adobe\reader 8.0\reader\acrord32.exe>.

    Can I safely ignore these? And why can't I delete the standard installed guarded Apps (delete button is not clickable)

    And also what can I do to allow this ?

    04/19/13 17:42:09 Prevented process <Firefox> from writing to <c:\windows\temp\etilqs_jhjd1cfnaebjhhu>.

    I already added C:\Windows\temp\etilqs_* to Guarded Apps\Folders\Settings but this doesn't seem to help as it seems to be for folders only (and I don't want to add my Temp Folder (for obvious reasons))

    Thanks !!!

    Ps: Running Win 7 x64

    Edit: //
     
    Last edited: Apr 19, 2013
  21. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    There will not be a lot of enhancements - mostly bug fixes and minor GUI enhancements.
     
  22. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    When delivered, AppGuard's default policy is set to Guard most vulnerable applications (such as Acrobat Reader). The event message that you're seeing regarding Adobe is indicating that it could not find the application and so it isn't Guarding it. I'm not sure why you are seeing the one related to Firefox since it is clearly on your PC and AppGuard is Guarding it (since AppGuard is blocking it from writing to C:\Windows\temp\etiqs_*). Perhaps on 64 bit systems AppGuard is looking in both the Program Files directory and (x86) directory and reporting that it cannot be found in one of them.

    Regarding the last question, I take it that the directory name is a randomly generated name and since we do not support wildcards at this time for directory names you cannot specify a rule for this directory.

    When you see this block, are you noticing any operational anomalies with Firefox? If not, you might just ignore it. Another possibility would be to exclude the entire temp folder from the Protected Resources (i.e. allow Guarded Applications to write to that folder) as you mentioned. Even though this might open a hole in the AppGuard defenses, you could also add the temp folder to User-Space protection, which would prevent a program from launching from that folder. So even if a "bad" executable might find its way into that folder, it would not be able to be executed. Though, I'm not sure if that would have adverse side effects with other programs if, for instance, it is common practice for applications to drop legitimate executables into that folder.
     
  23. iammike

    iammike Registered Member

    Joined:
    Jun 13, 2012
    Posts:
    342
    Location:
    SE Asia
    Hi Barb_C,

    thanks for this !

    I noticed when Firefox is blocked on that etilqs_(random name) (btw it's a file and not a directory) my Firefox RSS reader was not remembering the articles I read.

    Firefox puts a lot of stuff in that Temp dir; for example, when you download a file Firefox puts a (random name).part file (which is the download file) there and only after it has finished downloading moves it to your download directory. So when Firefox is put on High, you can't download files (but that is understandable).

    Thunderbird, for example, puts (when you download your email) a file called newmsg there. I tried different things to let Thunderbird download my email, but your suggestion works best, though I am also worried about the side effects as you wrote (maybe when running Windows Update o_O).

    Maybe it's a good idea to make the exclusions support a wildcard ?

    Last question, is the Guarded Apps\Folders\Settings for Folders (directories) only or also for Files ? My guess it's for Folders only, because if I put C:\Windows\temp\newmsg (Thunderbird temp file) in there it is ignored and I get

    Prevented process <Thunderbird> from writing to <c:\windows\temp\newmsg>.


    Thanks ! :thumb: :thumb:
     
  24. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    Isn't this an argument in favour of adding the AppGuard Enterprise Enclaves feature to the consumer version?

    Sandboxie (which I also use) has the ability to associate Restrictions and Resource Access for sandboxed applications with specific programs, e.g. Firefox and Thunderbird. This avoids the potential for adverse side effects with other programs due to a lack of granularity in the policy.
     
  25. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    Firefox should be using the user-space folder "%USERPROFILE%\AppData\Local\Temp" and not the system-space folder "C:\Windows\Temp".

    The following link may help to diagnose and fix the issue: http://www.askvg.com/where-does-win...files-and-how-to-change-temp-folder-location/
     