AppGuard 3.x 32/64 Bit

Discussion in 'other anti-malware software' started by shadek, Mar 12, 2011.

Thread Status:
Not open for further replies.
  1. Brandonn2010

    Brandonn2010 Registered Member

    Joined:
    Jan 10, 2011
    Posts:
    1,854
    Wow, are you sure? I know some exploit kits a while back were able to kill AG's GUI, and appear to be running, but upon reboot everything would be inert. You've made me curious (and nervous).
     
  2. Overkill

    Overkill Registered Member

    Joined:
    Mar 16, 2012
    Posts:
    2,343
    Location:
    USA
    Yeah, I'll try to video it, but yeah, some installed with no problem.

    could it be some conflict with other software causing it?
     
  3. Brandonn2010

    Brandonn2010 Registered Member

    Joined:
    Jan 10, 2011
    Posts:
    1,854
    Maybe something with Sandboxie? I don't know but a video would be cool.
     
  4. Overkill

    Overkill Registered Member

    Joined:
    Mar 16, 2012
    Posts:
    2,343
    Location:
    USA
    It won't be fancy, just to show proof

    EDIT: Well, I couldn't find the links that installed those apps and toolbars; some crashed on me for whatever reason, so maybe someone else can test AppGuard with those current links at malc0de?
    It was some weird download manager that downloaded and installed that crap, not a normal .msi or .exe.

    I am going to install erp just to be safe
     
    Last edited: Jun 21, 2013
  5. SLE

    SLE Registered Member

    Joined:
    Jun 30, 2011
    Posts:
    361
    Sorry, very confusing, and so it's hard to get anything - was it an exe or not? Without any proof or documentation from you, it seems hard to believe.
    How could it run in first place? >> That's the most important question in knowing how AppGuard works.
     
  6. chris1341

    chris1341 Guest

    Every app has weaknesses, but AppGuard usually performs very well against the bog-standard exe type stuff you get on malc0de. I've tested hundreds of samples like that over the period I've used the software but don't bother now because, quite simply, they don't run under AppGuard. Even most exploits fail because of memory guard.

    My gut reaction is conflict with other software or AppGuard was off or at reduced protection. We've all done things like that I'm sure.

    I'm not worrying yet but if you can get some proof I'd be interested in checking it out.

    Cheers
     
  7. Space Ghost

    Space Ghost Registered Member

    Joined:
    Apr 21, 2011
    Posts:
    190
    Location:
    Poland
    Maybe you have non-English Windows, or non-English alphabet letters in the username.
     
  8. Overkill

    Overkill Registered Member

    Joined:
    Mar 16, 2012
    Posts:
    2,343
    Location:
    USA
    o_O not at all
     
  9. Brandonn2010

    Brandonn2010 Registered Member

    Joined:
    Jan 10, 2011
    Posts:
    1,854
    You've got me really curious about this. I don't see how anything could execute on Locked Down.
     
  10. Overkill

    Overkill Registered Member

    Joined:
    Mar 16, 2012
    Posts:
    2,343
    Location:
    USA
    Well like I said it was a download manager/installer which downloaded and installed the toolbar and program...I checked the folder before and after in my sandbox and there were things that installed. I'll try again but the actual link I tried I couldn't find and others crashed.
    It was in lockdown mode, no mistake!
     
  11. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    Was the download manager running from system space or user space? If it was running from system space without being guarded, it could potentially download and execute other software via system space, bypassing user space, even in Locked Down mode.

    AppGuard automatically applies launch protection to all user space executables and guarded executables in system space, but unguarded executables in system space lie inside the trusted enclave. If you are using a third-party download manager that runs from system space, you should consider guarding it to prevent the possibility of an exploit.

    I think to understand the issue better, it would be helpful to know where everything was running from: system space and/or user space? If execution was via user space then I agree that AppGuard has been bypassed although, in all the testing I've done, I've never personally seen that happen when the protection level was set to High or Locked Down.
     
  12. Overkill

    Overkill Registered Member

    Joined:
    Mar 16, 2012
    Posts:
    2,343
    Location:
    USA
    User space
     
  13. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I've been doing some testing. Just saw this post and had an aha moment, and did another test.

    Let me describe 3 different tests I've done. Bear with me.

    My Setup

    Online Armor, with Windows and Program Files excluded.
    Appguard in Lockdown
    ERP with Program Files and Windows Whitelisted, but vulnerable apps so listed.
    SBIE 4.02 with separate sandboxes using granular control of what can run.


    The first test done a while back was very basic. I used the EMsisoft EAM installer. If I ran it from the desktop it was blocked unless Appguard was put in install mode. Then I put the installer in the Program Files Folder and put Appguard back in Lockdown mode. The installer ran with no interference. Finally I set the installer as guarded. It never got off the ground. Appguard worked perfectly.

    The second test I did last night. I used Leaktest from GRC as my test program, as it isn't in OA,ERP etc. Also I tested the interaction of all 4 of my programs.

    The tests.

    1. Run from Desktop. Appguard killed it dead.
    1a. Put Appguard in install mode. Both OA and ERP challenged it.
    1b. Left Appguard in install mode. Right-clicked Leaktest and ran it in my Default box. Again both ERP and OA challenged it, but it couldn't do its thing as that Sandbox has no internet access.
    1c. Repeated 1b, except tried it with my Firefox Sandbox. SBIE blocked it because it's not allowed to run there.

    2. All the further tests were with leaktest.exe in Program Files. Here, both Appguard and OA ignored it as would be expected. ERP challenged. Nothing different as far as SBIE.

    3. Run it via IE using the File>open, selecting the exe and letting it run.

    3a. 1st result was SBIE blocked it as my Sandboxes restrict what can run.
    3b. I allowed leaktest.exe to run in the IE Sandbox and retested.
    3c. Here was the biggest surprise, and a big clue. Appguard blocked it. Whoa, what was going on?

    Turns out, if you do a new install of Sandboxie, it creates the container in c:\sandbox. Originally it was in %APPDATA%\Sandbox. Since my installs have been overwrites, it still uses that. When I looked at the block error, what happened was when I executed the leaktest, even though it was in Program Files, Sandboxie treated the execution as if it was in the sandbox, which was in user space, and so Appguard blocked it.

    When I re-read some of the posts, MRF 71 mentioned files in the sandbox. If you have a recent install of SBIE then your container might be set to c:\Sandbox.

    Hence one last test.

    With Appguard in Lockdown, I just manually copied leaktest to my container, which is in %APPDATA%\Sandbox, and sure enough Appguard blocked it. BUT when I copied it into c:\Sandbox, Appguard let it run, so clearly c:\Sandbox is system space.

    MRF 71 check your sandbox container, by opening the GUI, click Show Windows>Sandbox>Set container folder and see where it is set. I'd bet it is c:\Sandbox

    If it is, what happened is even though you were in user space, by running through the sandbox, it pulled it to c:\Sandbox, and thus Appguard saw it as System Space.

    Pete

    PS I hope all that is clear.
     
  14. TomAZ

    TomAZ Registered Member

    Joined:
    Feb 27, 2010
    Posts:
    1,131
    Location:
    USA
    Is there a way to backup/export all of your AppGuard settings?
     
  15. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590

    I don't think there is in any meaningful way. The policy xml file is tough to figure out.

    What specifically do you need Tom?

    Pete
     
  16. Overkill

    Overkill Registered Member

    Joined:
    Mar 16, 2012
    Posts:
    2,343
    Location:
    USA
    If you have a recent install of SBIE then your container might be set to c:\Sandbox

    yes it is
     
  17. Brandonn2010

    Brandonn2010 Registered Member

    Joined:
    Jan 10, 2011
    Posts:
    1,854
    Mystery solved.
     
  18. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    That explains AppGuard's behavior. It is working as it is supposed to.

    Go into SBIE and change your container to %APPDATA%\Sandbox and that will stop the behavior.

    Pete
     
  19. TomAZ

    TomAZ Registered Member

    Joined:
    Feb 27, 2010
    Posts:
    1,131
    Location:
    USA
    Nothing in particular, Pete. It's just that I have things running pretty well right now, but I'm not exactly what you'd call a seasoned AppGuard user:D. Just thought that if something were to go "south," not sure if I would remember exactly what I've done to get it to this point or how to put it back together again.

    Edit: Oops. Attached my reply to the wrong quote.
     
    Last edited: Jun 22, 2013
  20. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    In order to explain something about how AppGuard works, it isn't necessary to change the location of the sandbox container folder from its default location of c:\sandbox unless you choose to, but guarded applications do need write access to the folder for Sandboxie to work.

    User-space folders have both write access for guarded applications and launch protection, so moving a folder from system-space to user-space involves a two-step procedure:

    1. The folder is added in the Guarded Apps tab with the Type flag set to Read/Write in order to allow all guarded executables write access.
    2. The folder is added in the User-Space tab, setting the Include flag to Yes in order to guard its executables and apply launch protection.
    In the case of Sandboxie, omitting the second step won't cause a problem if nothing is ever run manually from the folder, e.g. an installer. Without the second step though, anything run manually by the user that is not explicitly guarded will be allowed. The safer procedure is to do both and use Install mode to run installers.
     
    Last edited: Jun 23, 2013
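The two posts above (Pete's leaktest runs and pegr's two-step procedure) describe a launch-decision model: executables inside user space get launch protection, unguarded executables in system space are trusted, and a folder such as c:\Sandbox can be pulled into user space with the User-Space tab. The following is an added worked example in Python that replays those cases; it is not code from this thread and not AppGuard's or Sandboxie's own implementation. It assumes a constructed environment (user "pete"), that Sandboxie records the container location as a FileRootPath line in Sandboxie.ini using %USER%/%SANDBOX% placeholders and a \??\ prefix, that a sandboxed copy of C:\X lives under <container>\drive\C\X, and a hypothetical installer.exe for the guarded-app case. Only Locked Down and Install mode are modelled, as the posts use them.

```python
import ntpath
import re

# Constructed environment for the walk-through; nothing here is read from a real machine.
ENV = {
    "SystemDrive": "C:",
    "USERPROFILE": r"C:\Users\pete",
    "APPDATA": r"C:\Users\pete\AppData\Roaming",
    "USER": "pete",
}

# Constructed Sandboxie.ini fragments. The key name FileRootPath, the \??\ prefix and the
# %USER%/%SANDBOX% placeholders are an assumption about Sandboxie's config format.
SANDBOXIE_INI_NEW = "[GlobalSettings]\nFileRootPath=\\??\\%SystemDrive%\\Sandbox\\%USER%\\%SANDBOX%\n"
SANDBOXIE_INI_OLD = "[GlobalSettings]\nFileRootPath=\\??\\%APPDATA%\\Sandbox\\%USER%\\%SANDBOX%\n"


def expand(path: str, env: dict, box: str = "DefaultBox") -> str:
    """Expand %VAR% placeholders (with %SANDBOX% = box name) and drop the \\??\\ prefix."""
    if path.startswith("\\??\\"):
        path = path[4:]
    values = dict(env, SANDBOX=box)
    return re.sub(r"%([A-Za-z_]+)%", lambda m: values.get(m.group(1), m.group(0)), path)


def container_root(ini_text: str, env: dict, box: str = "DefaultBox") -> str:
    """Where Sandboxie puts the box's files, per the FileRootPath line of the ini text."""
    m = re.search(r"^FileRootPath=(.+)$", ini_text, re.MULTILINE)
    raw = m.group(1).strip() if m else r"\??\%SystemDrive%\Sandbox\%USER%\%SANDBOX%"
    return expand(raw, env, box)


def _norm(path: str) -> str:
    return ntpath.normcase(ntpath.normpath(path))


def is_under(path: str, root: str) -> bool:
    """True if path is root itself or lies inside root (case-insensitive, Windows rules)."""
    p, r = _norm(path), _norm(root).rstrip("\\")
    return p == r or p.startswith(r + "\\")


class Policy:
    """Stand-in for the AppGuard settings the thread refers to (a model, not the product)."""

    def __init__(self, env: dict):
        self.user_space = [env["USERPROFILE"]]   # profile folders are user space by default
        self.guarded = set()                     # Guarded Apps tab entries

    def include_user_space(self, folder: str) -> None:
        """User-Space tab, Include=Yes: the folder gets launch protection."""
        self.user_space.append(folder)

    def guard(self, exe: str) -> None:
        self.guarded.add(_norm(exe))

    def in_user_space(self, exe: str) -> bool:
        return any(is_under(exe, f) for f in self.user_space)

    def decide(self, exe: str, mode: str = "locked_down") -> str:
        """'allow' or 'block' for launching exe. Install mode lifts launch protection;
        Locked Down applies it to user-space executables and to guarded executables."""
        if mode == "install":
            return "allow"
        if self.in_user_space(exe) or _norm(exe) in self.guarded:
            return "block"
        return "allow"   # unguarded system-space executable: inside the trusted enclave


def replay(policy: Policy, ini_text: str, env: dict = ENV, mode: str = "locked_down") -> dict:
    """Replay the launch sites from the thread. The sandboxed copy of C:\\X is assumed to
    live under <container>\\drive\\C\\X; installer.exe is a hypothetical guarded installer."""
    root = container_root(ini_text, env)
    return {
        "container": root,
        "desktop": policy.decide(ntpath.join(env["USERPROFILE"], "Desktop", "leaktest.exe"), mode),
        "program_files": policy.decide(r"C:\Program Files\leaktest.exe", mode),
        "sandboxed": policy.decide(ntpath.join(root, "drive", "C", "Program Files", "leaktest.exe"), mode),
        "installer": policy.decide(r"C:\Program Files\installer.exe", mode),
    }


if __name__ == "__main__":
    default = Policy(ENV)
    print("container in C:\\Sandbox:", replay(default, SANDBOXIE_INI_NEW))
    print("container in %APPDATA%:", replay(default, SANDBOXIE_INI_OLD))
    fixed = Policy(ENV)
    fixed.include_user_space(r"C:\Sandbox")   # pegr's step 2; step 1 (Read/Write) is not a launch decision
    fixed.guard(r"C:\Program Files\installer.exe")
    print("C:\\Sandbox included as user space:", replay(fixed, SANDBOXIE_INI_NEW))
```

With the new Sandboxie default the sandboxed copy of leaktest.exe resolves under C:\Sandbox and is allowed, which is Pete's observation; with the old %APPDATA% container it is blocked. Adding C:\Sandbox in the User-Space tab (pegr's second step) brings it back under launch protection without moving the container, and a guarded installer in Program Files is blocked in Locked Down either way.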
  21. Brandonn2010

    Brandonn2010 Registered Member

    Joined:
    Jan 10, 2011
    Posts:
    1,854
    I think I'm going to buy this soon. I noticed it asks for a mailing address. Is it a physical copy of the program that will be mailed to me, or would I just get a key in an email?
     
  22. merisi

    merisi Registered Member

    Joined:
    Dec 17, 2012
    Posts:
    316
    I'm finding that when I used SBIE 3.76 that AppGuard alerts would come up telling me about blocked events. Since I updated to 4.02, I'm finding that this no longer happens and I'm quite concerned that I'm not getting AppGuard protection within SBIE. I'm using Windows 7 64 bit and the only new thing I've done was to add sbiesvc.exe to memory guard with read/write permission.
     
  23. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    It is a licence key with your email. Email is your user name and the licence your password :)
     
  24. Brandonn2010

    Brandonn2010 Registered Member

    Joined:
    Jan 10, 2011
    Posts:
    1,854
    Another question. The version of Chrome I use saves itself to Program Files instead of the usual AppData. How would this affect AppGuard's protection of it? I would think it would make things better and Chrome would be able to update without any exclusions added to AppGuard, but I want to make sure any malware that came from Chrome wouldn't be able to run.
     
  25. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    3,344
    Location:
    Europe, UE citizen
    I installed for the first time AppGuard, and I have two questions:

    - how does the "suspension time value" work?
    - is it possible to delete AG's whitelist, to set everything personally?
     