AppGuard 3.x 32/64 Bit

Discussion in 'other anti-malware software' started by shadek, Mar 12, 2011.

Thread Status:
Not open for further replies.
  1. Roberteyewhy

    Roberteyewhy Registered Member

    Joined:
    Mar 4, 2007
    Posts:
    611
    Location:
    US
    By default, Windows Media Player is in 'Guarded Apps' yet Windows Media Center is not... please explain why? It does not matter if one is running XP or 8; they are just in different 'locations' within the OS.

    Solve the problem...

    Thanks,
    Robert

    Sorry, OS X64
     
    Last edited: Aug 16, 2013
  2. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I discovered some strange behavior with this build. I installed Webroot Secure Anywhere after installing this build. I added WSA as a Power App and Trusted Publisher with the following settings: Guarded: No, Privacy: Off, Memory: Off, Install: Allow. I also added a Memory Guard exception giving WSA read/write privileges. After enabling AppGuard's protection in High Mode it blocked WSA from doing the following, which I took from the log file.

    08/16/13 16:39:43 Prevented process <version.dll | C:\Windows\System32\regsvr32.exe> from launching from <c:\programdata\wrdata\pkg>.

    08/16/13 16:39:43 Prevented process <oledlg.dll | C:\Windows\System32\regsvr32.exe> from launching from <c:\programdata\wrdata\pkg>.

    08/16/13 16:39:43 Prevented process <lpbar64enu.dll | C:\Windows\System32\regsvr32.exe> from launching from <c:\programdata\wrdata\pkg>.

    08/16/13 16:39:43 Prevented process <lpbar64loc.dll | C:\Windows\System32\regsvr32.exe> from launching from <c:\programdata\wrdata\pkg>.

    08/16/13 16:40:53 Protection level is set to <off>

    I do not believe AppGuard should have blocked this in High Mode with the Trusted Publisher settings I just described above. So I went back and looked at my Trusted Publisher settings, and they look good. Then I looked at the log, only to find that it shows no mention of me adding Webroot as a Trusted Publisher. The log file only shows that I made WSA a Power App and that I added a Memory Guard exception for WSA. I looked in the Trusted Publishers list, and sure enough Webroot is listed as a Trusted Publisher, but the change was not recorded in the log.

    Why did AppGuard block the actions of WSA shown above? It should not have, with the Trusted Publisher settings I defined and AppGuard in High Mode. Also, AppGuard failed to write an entry to the log file when I added WSA as a Trusted Publisher.
     

    Last edited: Aug 18, 2013
  3. silat

    silat Registered Member

    Joined:
    Oct 30, 2006
    Posts:
    191
    I just reinstalled AppG and have no system tray icon anymore. Any suggestions?
     
  4. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    Is the AppGuardGUI.exe process running? If not, double-click the AppGuard icon on the desktop to start it up. If so, are you running Windows 7? If that is the case, the icon will not appear in the tray by default. You have to customize the icon to "Show icon and notifications":

    Windows7TrayIcon.PNG
     
  5. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    regsvr32.exe is automatically guarded in the high level. This has not changed with this release.
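    The following is an added example, not AppGuard's or BRN's own code: a small parser for the 'Prevented process' lines quoted in post 2, which attributes each block to the launcher that was guarded rather than to the DLL being registered. The sample log is constructed from the lines in that post, and the set of always-guarded launchers assumes only what is stated in this reply (regsvr32.exe at the High level); any other entry would be an assumption.

```python
"""Parse AppGuard 3.x 'Prevented process' log lines and attribute each block
to its launcher. Constructed example; not code from AppGuard or BRN."""
import ntpath
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample input: the four blocks and the status line quoted in the thread.
SAMPLE_LOG = """\
08/16/13 16:39:43 Prevented process <version.dll | C:\\Windows\\System32\\regsvr32.exe> from launching from <c:\\programdata\\wrdata\\pkg>.
08/16/13 16:39:43 Prevented process <oledlg.dll | C:\\Windows\\System32\\regsvr32.exe> from launching from <c:\\programdata\\wrdata\\pkg>.
08/16/13 16:39:43 Prevented process <lpbar64enu.dll | C:\\Windows\\System32\\regsvr32.exe> from launching from <c:\\programdata\\wrdata\\pkg>.
08/16/13 16:39:43 Prevented process <lpbar64loc.dll | C:\\Windows\\System32\\regsvr32.exe> from launching from <c:\\programdata\\wrdata\\pkg>.
08/16/13 16:40:53 Protection level is set to <off>
"""

# Launchers that AppGuard guards automatically at the High level. Only
# regsvr32.exe is confirmed in this thread; anything else added here is an assumption.
ALWAYS_GUARDED_AT_HIGH = {"regsvr32.exe"}

TS = r"(?P<ts>\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})"
PREVENTED_RE = re.compile(
    TS + r" Prevented process <(?P<module>[^|>]+?)\s*\|\s*(?P<launcher>[^>]+?)>"
    r" from launching from <(?P<source>[^>]+)>\.?$"
)
LEVEL_RE = re.compile(TS + r" Protection level is set to <(?P<level>[^>]+)>\.?$")


def parse_log(text):
    """Return one event dict per non-empty line; unknown shapes are kept as 'other'."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = PREVENTED_RE.match(line)
        if m:
            launcher = m["launcher"].strip()
            events.append({
                "kind": "prevented",
                "ts": datetime.strptime(m["ts"], "%m/%d/%y %H:%M:%S"),
                "module": m["module"].strip(),
                "launcher": launcher,
                # Basename, lower-cased, so policy lookups do not depend on path spelling.
                "launcher_name": ntpath.basename(launcher).lower(),
                "source": m["source"].strip().lower(),
            })
            continue
        m = LEVEL_RE.match(line)
        if m:
            events.append({
                "kind": "level",
                "ts": datetime.strptime(m["ts"], "%m/%d/%y %H:%M:%S"),
                "level": m["level"].strip().lower(),
            })
            continue
        events.append({"kind": "other", "raw": line})
    return events


def group_blocks(events):
    """Map (launcher basename, source directory) -> sorted list of blocked modules."""
    groups = defaultdict(set)
    for e in events:
        if e["kind"] == "prevented":
            groups[(e["launcher_name"], e["source"])].add(e["module"])
    return {key: sorted(mods) for key, mods in groups.items()}


def explain_block(event, guarded=ALWAYS_GUARDED_AT_HIGH):
    """Classify a block. 'guarded-launcher' means the restriction belongs to the
    launcher (e.g. regsvr32.exe at High), so a Trusted Publisher entry for the
    DLL's vendor does not lift it; 'other-policy' means look elsewhere in the policy."""
    if event["kind"] != "prevented":
        return None
    if event["launcher_name"] in guarded:
        return "guarded-launcher"
    return "other-policy"


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for (launcher, source), mods in group_blocks(evs).items():
        print(f"{launcher} blocked from {source}: {', '.join(mods)}")
    for e in evs:
        if e["kind"] == "prevented":
            print(e["module"], "->", explain_block(e))
```

    Run against the sample, all four blocks group under regsvr32.exe launching from c:\programdata\wrdata\pkg and classify as 'guarded-launcher', which matches the explanation above: the Trusted Publisher and Power App settings for WSA were applied to WSA, but the process doing the registering was regsvr32.exe.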
     
  6. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    Apparently AppGuard is interfering with Windows Media Center. Have you tried Guarding it but not enabling MemoryWrite Protection?

    We'll see if we can recreate it in the lab. Anyone know if Windows Media Center works on Windows 7, or is this issue on Windows 8 only?
     
  7. Roberteyewhy

    Roberteyewhy Registered Member

    Joined:
    Mar 4, 2007
    Posts:
    611
    Location:
    US
    1) Put WMC in 'Guarded Apps' tab
    2) Everything set to 'Off'
    3) In Guarded Apps>Settings put C: Windows/ehome (Read/Write)
    4) Added in 'Advance' tab C: Windows/ehome/ehshell.exe (Read/Write)
    5) Set AppGuard to 'Medium'

    Still does not work. Only on 'Install' mode does it run.

    Thanks for the help,
    Robert
     
    Last edited: Aug 19, 2013
  8. silat

    silat Registered Member

    Joined:
    Oct 30, 2006
    Posts:
    191
    Well, for some reason the GUI was not checked in Startup. Sorry for wasting your time... Now all is well.
     
    Last edited: Aug 19, 2013
  9. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,108
    Can AppGuard support whitelisting executables with specific command-line parameters?

    E.g. I would like to whitelist some of my batch files so I don't get alerted when executing them, but don't want to whitelist cmd.exe for all command-line parameters.
     
  10. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I could be wrong, but I don't think so. They did just fix a bug, though, where the policy file could not handle % in the folder path when adding a folder as private. Could you give an example of an executable you would like to whitelist, and what command-line parameter you would use? Maybe they can add support for this in a future build. I'm hoping they will add Unicode support in version 4.
     
  11. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    Maybe I've misunderstood what you are asking but the concept of whitelisting is more relevant to an anti-executable than it is to a policy restriction program like AppGuard, where all applications located in system space are automatically allowed to run but can be subject to additional runtime restrictions if guarded.

    As cmd.exe is located within the Windows system folder and is also guarded by default, all executables launched via cmd.exe will run guarded and be subject to the same restrictions. The question of whitelisting batch files via command line parameters doesn't arise as it's not how AppGuard works.

    It sounds as though you may need to consider adding an anti-executable (e.g. NVT ERP) to run alongside AppGuard to accomplish what you want to achieve.
     
    Last edited: Aug 22, 2013
  12. chris1341

    chris1341 Guest

    It's a big thread now and difficult to find what you need sometimes, so apologies if this has been raised. Just trying to find out if an issue with Office 2013 x64 files not opening when AppGuard is installed on Win 8 x64 has been raised before.

    I usually sandbox (with Sandboxie) and guard Office applications. This has worked fine (and still does), but recently, while testing the latest beta, I opened the documents outside the sandbox and keep getting errors from Office apps. Even switching AppGuard protection to Off does not help. For example, Word tells me there is not enough memory to run. Excel tells me I don't have the privileges to open the document. Uninstall AppGuard and all is well again.

    If it is known are there plans to address it in this beta cycle, if not what do you need from me to narrow the issue down?

    Also, I was trialing AX64 backup/restore software recently and could not create the recovery media even with AppGuard set to Off. Uninstall AppGuard and the recovery media was created without a hitch. Anyone else experienced similar USB problems?

    Thanks
     
  13. Roberteyewhy

    Roberteyewhy Registered Member

    Joined:
    Mar 4, 2007
    Posts:
    611
    Location:
    US
    No problems here on Win8 Pro x64. All Office 2013 x64 programs are in AppGuard's 'Guarded Apps' with 'Privacy'>On 'MemWrite'>On 'MemRead'>Off. AppGuard on High.

    Robert
     
  14. chris1341

    chris1341 Guest

    Thanks for taking the time to respond. I didn't think I'd seen it reported before. Must be me. I'll strip back recent changes I've made to the set-up and see if I can find a reason. For info are you on the latest beta?
     
  15. Roberteyewhy

    Roberteyewhy Registered Member

    Joined:
    Mar 4, 2007
    Posts:
    611
    Location:
    US
    Yes (3.5.6.0). But had no problems with 3.5 either. By the way, no Sandboxie installed.

    Robert
     
  16. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,576
    I just switched from Bitdefender Antivirus Plus 2014 to ESET NOD32 Antivirus version 6.X on my Windows 8 Standard 64-bit laptop.

    What changes should I make for having ESET NOD32 Antivirus version 6.X installed?

    What I have done so far is:

    1. Added ekrn.exe to PowerApps.
    2. Added egui.exe to PowerApps.
    3. Added egui.exe to Publishers - Guarded = No, Privacy = No, Memory = No, Install = Allow.

    I think that I read somewhere in this Thread that adding a Publisher for a file applies to everything in the Folder containing that file and the subfolders. Is that correct?

    Thanks in Advance.
     
  17. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    My understanding is that a publisher isn't added for a file. It would be more accurate to say that a publisher is added from a file, using the file to provide an example of the publisher's digital signature. Any digitally signed file by the publisher can be used. All files with the same digital signature will then be recognised as belonging to that publisher, irrespective of location.
     
  18. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Actually what you read was referring to power apps. If you add an executable as a power app then all the other executables inside the same folder inherit the same privileges so you only need to add one from the same folder. The Eset executables you added as power apps are actually the ones you needed to add.

    You only have to use one file with a digital signature from the application you are adding as a trusted publisher. The digital signature will be the same for all files belonging to that application. The settings you used for trusted publisher are the ones you needed to use so you are ok there as well.

    I also add a Memory Guard exception for ekrn.exe giving it read and write memory privileges. You can do this by going to the Advanced tab and clicking the Add button beside Memory Guard. Then just navigate to ekrn.exe and select it. Use the drop-down box to select ReadWrite. Then click Apply.
     
  19. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    If that's true then BRN need to update the help file and the release notes, because nowhere is that stated within the documentation that I could find. I've searched this thread and the only post I could find is this one, which says that there were no plans to allow entire folders to be added:

    https://www.wilderssecurity.com/showpost.php?p=2202483&postcount=2122

    What is true is that any application launched by a Power App will also run as a Power App, whether from the same folder or any other folder.
     
    Last edited: Aug 26, 2013
  20. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Agreed, this needs to be in the manual, and maybe they should revisit this. I wanted the ability just to exclude the entire folder. I had asked about this more than once. I'm not sure if I got a PM about it or it's somewhere else in the thread. That post even states that if you add the parent application as a Power App then the rest inherit the same privileges as the parent. I did not remember it saying the parent application in the post, but it is there in plain view. I had been adding the parent application as the Power App all along, out of instinct or knowledge I guess. I just knew that was the safest way to go. I'm glad you pointed out that the other executables do not have to be in the same folder to inherit the privileges of the Power App as long as they are invoked by the parent application. I think I was in error when stating otherwise. I would like to hear Barb address this as well.

    I have never had a conflict using AG with any other security application with my configuration settings. I've been using the same settings since the power app feature was introduced.

    Btw, I need to go back and look in the thread myself. I thought I asked about this Power App issue 2 years ago. It shows her addressing that post in March of this year. I guess I have no sense of time, or I have another post about this that is much older o_O
     
    Last edited: Aug 26, 2013
  21. chris1341

    chris1341 Guest

    Ok, just done a clean install of Windows 8 Pro x64 & Office 2013 x64, then updated. Installed AppGuard as the only security software and still the same issue. No blocking events in the logs, and neither Word, PowerPoint, Access nor Excel will start guarded. That happens regardless of the level AppGuard is set at, from Lock Down to Off, and no matter what I set the memwrite/memread/privacy settings to.

    Remove the Office Apps from the guard list and they'll run fine. Outlook runs fine guarded.

    Any help would be appreciated.

    Cheers
     
  22. Roberteyewhy

    Roberteyewhy Registered Member

    Joined:
    Mar 4, 2007
    Posts:
    611
    Location:
    US
    Sorry to hear that.

    All I have besides the Office products in 'Guarded Apps' is that I put Advance>Exception list>C:\Program Files/Microsoft Office 15/clientx64/integratedoffice.exe to Write Access.

    Probably won't help as if you set AppGuard's protection level to Off, Office should just run.

    Your path in 'Guarded Apps' is X:\Program Files/Microsoft Office 15/root/office 15/whatever?

    Robert

    P.S. Have Access, Excel, OneNote, Outlook, Power Point, Publisher and Word in 'Guarded Apps'.
     
    Last edited: Aug 26, 2013
  23. chris1341

    chris1341 Guest

    Thanks again Robert but it did not work I'm afraid.

    By the way, the Office version is Pro Plus installed from the offline installer, so not the App-V version as is often the case with Pro Plus using the standard online installer from Microsoft, if that makes a difference.

    Regards
     
  24. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    As far as I can see, this was never progressed. The ability to add an entire folder from a single file within it was considered unnecessary by BRN as the inheritance mechanism whereby any child process of a parent power app will also run as power app was deemed to be sufficient.
     
  25. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    At the time I suggested making it possible to add an entire folder as an exclusion, I was not aware that the child processes inherited the same privileges as the parent application. In some cases it was hard to determine which executable was the parent application. This was something I suggested about 2 years ago when the Power App feature was first introduced. Yeah, there is no need to exclude the entire folder, but it does cause confusion for almost everyone that is new to AppGuard. It can be confusing adding Online Armor as a Power App. If you look inside its installation folder it has a whole screen full of executables, and it would be difficult to know which one is the parent executable for the rest. I don't have it installed on this laptop right now or I could describe in better detail the confusion of knowing which one to add as the Power App. If I remember correctly there is no OA.exe, Online Armor.exe or another file name that would commonly indicate it as being the parent application. There is a whole screen of executables in Online Armor's installation folder. I was able to figure out which ones needed to be added, but it was not very clear by just looking.
     