AppGuard 3.x 32/64 Bit

Discussion in 'other anti-malware software' started by shadek, Mar 12, 2011.

Thread Status:
Not open for further replies.
  1. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,648
    Location:
    USA
    I tried renaming a non signed .exe file with Cyrillic Characters, and executing it by just double clicking it from an external drive. It would not execute, but that really does not prove much. The question is whether or not a threat with Cyrillic characters would execute through the browser, or other exploitable application.
     
  2. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,648
    Location:
    USA
  3. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    Thanks for your input. I know that even with the known non-English character issue, AG is providing a significant amount of protection. The multi-language version of AppGuard is on our roadmap.
     
  4. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,648
    Location:
    USA
    I just sent the following bug report. Check to see if you have the same problem on your machines.

    My System specs are Windows 7 X64. I have enclosed an Msinfo File for all details.

    I have discovered that folders containing %$ in the folder name cannot be added as a Protected Folder. If you try it will crash AppGuard, and disable all other applications. Most Windows functions will not work either after AG crashes. All the screenshots I took for this report had to be taken with my iPhone. MsPaint, and all other applications would not work once AG crashed.

    1. Create a folder called %$dfkdj or gfgf%$fd.

    2. Go to Appguard's Guarded Apps Tab.

    3. Click the settings button where it says Designate additional protected folders, exception folders, or Private folders.

    4. Click the add button, and navigate to one of the folders you just created.

    5. Add the folder to the list, and configure it as, "Deny Access".

    6. Click ok to each of the three Windows to make sure the settings were applied. I only had to click ok to the first, or second Window.

    7. Wait a moment, and watch the event viewer. AppGuard will crash, and say in the event viewer, "Appguard service is not running!".

    8. Try running any application you have installed now. It should say, "Windows cannot access the specified device, path, or file. You may not have the appropriate permission to access the item".

    Now click ok to the dialog box. It should say, "Can't Open This Item", "It might have been moved, renamed, or deleted. Do you want to remove this item". Very important information about why all applications will no longer function is contained in the Process Monitor Log enclosed. All the applications I tried running say, "File Locked With Only Readers" in the Process Monitor Log. I tried running Windows Media Player, KLite-Codec Pack, IE, Opera, Firefox, Ccleaner, Notepad, MsPaint, Keypass, HashCalc, TrueCrypt, and Anki.

    9. Now try performing some task with Appguard like create a new policy or change some configuration settings. Appguard will stop responding, and crash. When AG crashed I received the following dialog box, " BlueRidge Appguard: AppGuard GUI. exe Application Error. Click on OK to terminate Program". I enclosed a pic of the dialog box.

    Windows Event Viewer Application Log recorded the following entry each time AG crashed:

    Faulting application name: AppGuardGUI.exe, version: 3.5.4.0, time stamp: 0x51d34741
    Faulting module name: MSVCR80.dll, version: 8.0.50727.6195, time stamp: 0x4dcddbf3
    Exception code: 0xc000000d
    Fault offset: 0x0000faa3
    Faulting process id: 0xfe0
    Faulting application start time: 0x01ce838ed17f54bb
    Faulting application path: C:\Program Files (x86)\Blue Ridge Networks\AppGuard\AppGuardGUI.exe
    Faulting module path: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.6195_none_d09154e044272b9a\MSVCR80.dll
    Report Id: fb52b8e0-ef82-11e2-8153-78843c015ac9

    Windows Event Viewer Application Log recorded each time AG crashed. I listed the times below. I may not have listed them all.

    07/17 11:12:14 pm

    07/17 11:40:55 pm

    07/18 12:27:48 am

    07/18 12:27:40 am

    07/18 03:56:03 am

    07/18 04:08:20 am

    07/18 04:21:02 am

    07/18 04:21:03 am

    07/18 04:31:28 am

    07/18 04:31:29 am


    I found it very difficult to make Windows produce an application dump! I spent all night until the morning hours to get it to produce the 3 application dumps enclosed. I hope they help.

    Regards,

    Mike (cutting_edgetech)
     
    Last edited: Jul 18, 2013
  5. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    3,087
    Location:
    Europe, UE citizen
    Solved. Thank you to BlueRidgeNetworks and to very good and kind AppGuard Support :thumb:
     
  6. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,648
    Location:
    USA
    Blacknight, did you have any applications defined as Trusted Publishers? Did it preserve your trusted Publisher's List during the upgrade?
     
  7. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    After reviewing Blacknight's events we determined that he needed to add an additional Comodo application as a power application. We were both concerned about why AppGuard was behaving differently in this area from the 3.4 version. It turns out there was one more security enhancement that I forgot to mention (and include in the release notes). We are now MemoryGuarding power applications.
     
  8. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    We have confirmed that any trusted publishers added to the policy are not being retained during the upgrade. Also the alert settings are not being retained during an upgrade.
     
  9. Brandonn2010

    Brandonn2010 Registered Member

    Joined:
    Jan 10, 2011
    Posts:
    1,853
    Question: Does Chrome need to be guarded? Won't any drive-by downloads be prevented from running because of where they save themselves, i.e. user-space? I ask because I get so many alerts from Chrome doing things. I add them to exclusions, but there are so many different messages it's getting annoying. See below.

    07/18/13 17:14:59 Prevented process <Google Chrome> from writing to <c:\program files (x86)\google\chrome\application\28.0.1500.72\debug.log>.
    07/18/13 17:14:59 Prevented process <Google Chrome> from writing to <c:\program files (x86)\google\chrome\application\28.0.1500.72\libpeerconnection.log>.
    07/18/13 17:14:45 Prevented process <Google Chrome> from writing to <c:\program files (x86)\google\chrome\application\28.0.1500.72\debug.log>.
    07/18/13 17:14:45 Prevented process <Google Chrome> from writing to <c:\program files (x86)\google\chrome\application\28.0.1500.72\libpeerconnection.log>.
    07/18/13 17:14:21 Prevented process <Google Chrome> from writing to <c:\program files (x86)\google\chrome\application\28.0.1500.72\debug.log>.
    07/18/13 17:14:21 Prevented process <Google Chrome> from writing to <c:\program files (x86)\google\chrome\application\28.0.1500.72\libpeerconnection.log>.
    07/18/13 17:13:38 Prevented process <Google Chrome> from writing to <c:\program files (x86)\google\chrome\application\28.0.1500.72\debug.log>.
    07/18/13 17:13:38 Prevented process <Google Chrome> from writing to <c:\program files (x86)\google\chrome\application\28.0.1500.72\libpeerconnection.log>.
    07/18/13 17:13:21 Prevented <Google Chrome> from writing to <\registry\machine\software\wow6432node\google\update\clientstatemedium\{8a69d345-d564-463c-aff1-a69d9e530f96}>.
    07/18/13 17:13:16 Prevented process <Google Chrome> from writing to <c:\program files (x86)\google\chrome\application\28.0.1500.72\debug.log>.
    07/18/13 17:13:16 Prevented process <Google Chrome> from writing to <c:\program files (x86)\google\chrome\application\28.0.1500.72\libpeerconnection.log>.
    07/18/13 17:04:03 Prevented <Windows Task Manager> from reading memory of <Malwarebytes Anti-Exploit>.
    07/18/13 16:47:34 Prevented <Windows Task Manager> from reading memory of <Malwarebytes Anti-Exploit>.
     
  10. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,648
    Location:
    USA
    Ok, thanks for the update! I was wondering if I was the only one since I had not seen anyone else mention it.
     
  11. SIR****TMG

    SIR****TMG Registered Member

    Joined:
    May 31, 2004
    Posts:
    833
    Ok I have a problem, my laptop does fine using the new beta. It's a Windows 7 64 bit. My PC, a Vista 32 bit, won't load the driver, and will not load the new beta. I have the old one on now with no problems. I'm cleaning up the system after taking it off, with CCleaner. Has anybody else had this problem?
     
  12. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,648
    Location:
    USA
    Did you get any errors after installing it on Vista? Did it seem to install ok, and then request a reboot to complete the installation? Are you using NVT on Vista also?
     
  13. SIR****TMG

    SIR****TMG Registered Member

    Joined:
    May 31, 2004
    Posts:
    833
    Took NVT off and tried to load it. The old driver works fine, the new driver does not download at all so it never installs, period. This driver does not work on my Vista PC 32 bit. Even with a clean install.....
     
  14. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,648
    Location:
    USA
    What do you mean the new driver does not download at all? Sorry, I'm not sure I understand what you are saying. Are you saying the new driver will not install at all? Are you talking about the brnfilelock.sys? I just noticed it is not running in my process viewer on my laptop. I'm pretty sure it was in previous builds. I just ran SysInternals AutoRuns, and it is still listed as a startup item in the registry. I will have to ask Barb about that one. She will probably be reporting back tomorrow.
     
  15. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,648
    Location:
    USA
    Disregard my last post. brnfilelock.sys is running. It is actually a service so I'm not sure what you mean by, "the new driver does not downloading at all".
     
  16. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,538
    Location:
    Sweden
    That's perfectly fine. :) Just add debug.log and libpeerconnection.log to ignore list and they won't bother you any more.
     
  17. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,538
    Location:
    Sweden
    So here's my bug in detail:

    I set Privacy to No in Lockdown-mode for any App. I reboot and the GUI shows Privacy is set to Yes, even though it really isn't.

    I'd really like to revert back to old version. I cannot stand the thought of the GUI showing wrong security settings. I'm getting paranoid and neurotic thinking I might not be protected. Anyone have a link for previous release?
     
  18. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,281
    Location:
    UK
  19. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,648
    Location:
    USA
    Is this the same bug you reported in post 2727? Are you talking about privacy mode settings under the Guarded Apps tab or the Publishers Tab?
     
  20. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,538
    Location:
    Sweden
    It is the same bug but the latest report is clearer about exactly what the problem is!

    I'm talking about Privacy mode setting under Guarded Apps tab. Nothing else. :)
     
  21. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,281
    Location:
    UK
    Actually, if anything the potential for protection is now increased because previously if there was a guarded application, e.g. iTunes, that accesses a private folder (Privacy Mode set to No), the choice was between using Locked Down and unguarding the application OR guarding the application and not using Locked Down; but it wasn't possible to run it guarded in Locked Down mode because of the Privacy Mode setting being overridden, which was unsatisfactory.

    The only issue now is that there is a display error in the Guarded Apps tab when in Locked Down mode which, as I said previously, may simply be a residual leftover from the previous version which did work that way. As v3.5 is a beta, I imagine this will be corrected before the final release.

    The question of being less protected doesn't arise because Privacy Mode protection is now always applied according to the user configuration chosen. If the user wants to set Privacy Mode to Yes for all guarded applications, they are free to configure it that way in the Guarded Apps tab. Nothing has been taken away, but there is now added flexibility to configure Privacy Mode to always achieve the desired outcome.
     
  22. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,538
    Location:
    Sweden
    Agreed. I was very happy when the new version came out, as my Dropbox folder could now be completely protected even when Dropbox was Guarded in Lockdown-mode. It gave me the option to ONLY allow Dropbox to access the Dropbox folder. :) But as it is right now, I cannot see which applications are allowed to touch the private folder and which are not. I really would like to know, at all times. :)
     
  23. Brandonn2010

    Brandonn2010 Registered Member

    Joined:
    Jan 10, 2011
    Posts:
    1,853
    Well I did, but like I said, it seems to keep throwing messages for various stuff. Here are some from today:

    07/19/13 23:16:27 Prevented process <Google Chrome> from writing to <c:\windows\rescache\rc0003\rescache.hit>.
    07/19/13 23:16:01 Prevented process <Google Chrome> from writing to <c:\windows\rescache\rc0003\rescache.hit>.
    07/19/13 23:10:42 Prevented <Google Chrome> from writing to <\registry\machine\software\wow6432node\google\update\clientstatemedium\{8a69d345-d564-463c-aff1-a69d9e530f96}>.
    07/19/13 23:10:37 Prevented process <Google Chrome> from writing to <c:\users\brandon\appdata\local\google\chrome\user data\default\history provider cache>.
    07/19/13 23:10:37 Prevented process <Google Chrome> from writing to <c:\users\brandon\appdata\local\google\chrome\user data\default\gpucache>.
    07/19/13 23:10:37 Prevented process <Google Chrome> from writing to <c:\users\brandon\appdata\local\google\chrome\user data\default\gpucache\data_2>.
     
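Added example (not from the thread or from AppGuard's own code): a small parser for the event lines Brandonn2010 pasted in this post and in post 9, which groups repeats by source, action and target and buckets each target as registry, user-space, system-space or process, so the handful of paths behind a flood of alerts stand out before anything is added to the ignore list. The sample lines are copied from the thread; the bucket names and functions are my own.

```python
import re
from collections import Counter

# Constructed sample, copied from the event format shown in this thread.
SAMPLE_EVENTS = r"""
07/18/13 17:14:59 Prevented process <Google Chrome> from writing to <c:\program files (x86)\google\chrome\application\28.0.1500.72\debug.log>.
07/18/13 17:14:59 Prevented process <Google Chrome> from writing to <c:\program files (x86)\google\chrome\application\28.0.1500.72\libpeerconnection.log>.
07/18/13 17:14:45 Prevented process <Google Chrome> from writing to <c:\program files (x86)\google\chrome\application\28.0.1500.72\debug.log>.
07/18/13 17:13:21 Prevented <Google Chrome> from writing to <\registry\machine\software\wow6432node\google\update\clientstatemedium\{8a69d345-d564-463c-aff1-a69d9e530f96}>.
07/18/13 17:04:03 Prevented <Windows Task Manager> from reading memory of <Malwarebytes Anti-Exploit>.
07/19/13 23:10:37 Prevented process <Google Chrome> from writing to <c:\users\brandon\appdata\local\google\chrome\user data\default\gpucache\data_2>.
"""

# One regex covers the three shapes seen in the thread: "Prevented process <X> from writing to <Y>",
# "Prevented <X> from writing to <Y>" (registry keys) and "Prevented <X> from reading memory of <Y>".
EVENT_RE = re.compile(
    r"^(?P<date>\d\d/\d\d/\d\d) (?P<time>\d\d:\d\d:\d\d) Prevented (?:process )?"
    r"<(?P<source>[^>]+)> from (?P<action>writing to|reading memory of) <(?P<target>[^>]+)>\.$"
)

def classify_target(target):
    """Bucket a blocked target: registry key, user-space path, system-space path,
    or another process (the memory-read events). Bucket names are my own labels."""
    t = target.lower()
    if t.startswith("\\registry\\"):
        return "registry"
    if t.startswith("c:\\users\\"):
        return "user-space"
    if t.startswith("c:\\program files") or t.startswith("c:\\windows\\"):
        return "system-space"
    return "process"

def parse_events(text):
    """Parse AppGuard event lines; lines that do not match are skipped, not guessed at."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["bucket"] = classify_target(ev["target"])
            events.append(ev)
    return events

def summarize(events):
    """Count repeats per (source, action, target) so recurring targets stand out."""
    return Counter((e["source"], e["action"], e["target"]) for e in events)

if __name__ == "__main__":
    for (src, act, tgt), n in summarize(parse_events(SAMPLE_EVENTS)).most_common():
        print(f"{n:3d}x {src} {act} [{classify_target(tgt)}] {tgt}")
```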
  24. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,538
    Location:
    Sweden
    I take it that you have Chrome installed into User-Space (this is default). If you keep it installed there you'll see all these messages and there'll be no end to it.

    Best would be to install Chrome into System-space instead. I can almost guarantee you that these obscure event messages will stop. Here's the link to that installer:

    http://www.google.se/intl/en/chrome/business/browser/
     
  25. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    3,087
    Location:
    Europe, UE citizen
    I can't understand why it isn't possible to minimize AppGuard GUI on the tray bar.
     