AppGuard 3.x 32/64 Bit

Discussion in 'other anti-malware software' started by shadek, Mar 12, 2011.

Thread Status:
Not open for further replies.
  1. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,624
    Location:
    USA
    At the time I suggested making it possible to add an entire folder as an exclusion I was not aware that the child processes inherited the same privileges as the parent application. In some cases it was hard to determine which executable was the parent application. This was something I suggested about 2 years ago when the power app feature was first introduced. Yeah, there is no need to exclude the entire folder, but it does cause confusion for almost everyone that is new to Appguard. It can be confusing adding Online Armor as a power app. If you look inside its installation folder it has a whole screen full of executables, and it would be difficult to know which one is the parent executable for the rest. I don't have it installed on this Laptop right now or I could describe in better detail the confusion of knowing which one to add as the power app. If I remember correctly there is no OA.exe, Online Armor.exe or another file name that would be common to indicate it as being the parent application. There is a whole screen of executables in Online Armor's installation folder. I was able to figure out which ones needed to be added, but it was not very clear by just looking.
     
  2. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,281
    Location:
    UK
    The main use for power apps occurs when a guarded application invokes a security application executable. One example is where a guarded browser launches an AV executable to invoke a scan. The AV executable would inherit the same restrictions as the browser and run guarded, which could cause blocking messages to be issued. The only way to resolve this would be to make the invoked AV executable a power app, but it would be obvious which executable was involved from the blocking messages generated.

    Apart from these situations, there is rarely a need to add executables as power apps. Most of the time, blocked events can be resolved in other ways. Because power apps are excluded from all AppGuard protection, it is safer not to routinely make executables power apps unless there is a genuine need to do so. The advice given in the help file is that power apps should only be used if blocking messages are occurring in respect of a security application that can't be resolved any other way.
     
  3. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,624
    Location:
    USA
    In some cases conflicts between Appguard and other security applications can cause BSODs before having a chance to see the blocked events in the log. I experienced this between Online Armor and Appguard about 5 years ago. In my experience this is quite rare though. I prefer to play it safe, but others can use whatever settings they like. I just don't see any considerable loss in security by making another security application a power app. If AG blocked another security application's functionality then that could mean a loss in security as well until AG was configured to prevent the conflict. The settings I use with AG have prevented AG from having any conflicts with any security applications I have used since experiencing the BSOD problem I ran into with Online Armor. When I use AG it blocks a lot of executions per session. My event log has a very long list of executions it blocks. It blocks the type of events I like to see it block. I don't ever see it blocking anything with other security applications. I believe this is mostly due to the AG settings I use. The settings I have been using have worked well for me. I have seen AG block malicious activity in my browser though so I know it is working well for me. Also, today AG may run perfectly fine with a security application you have installed. It's possible a month or year later that application may receive an update that could cause AG to block some new functionality that has been added to that security application. The settings I use with AG have served me well.

    I give you credit though. You do understand how AG works very well. I just prefer the settings I use with AG because they have worked best for me. Since I have started using these settings I have never had AG block anything from other security applications I use. The other security applications I use are also protecting my system, and AG as well. I don't want to chance their functionality being blocked by AG when I know how to make sure to prevent this from happening. I just don't see any considerable loss in security when I have VoodooShield and NOD 32 running as well. I will be running Online Armor with it as well again when I get my other machines back this week. I would rather make sure I have no system instability problems or BSODs than worry about an insignificant loss of security on my setup. I seriously doubt anything is going to get by with how I have my overall security setup configured to work well with one another in harmony. If it does then there is Shadow Defender since I almost always operate in Shadow Mode.

    I started reading the manual, but didn't get far. I have been busy with work, beta testing, and fixing several computers recently. Have you finished reading the manual yet? It sounds like you have a very strong understanding of how AG works. I really need to finish reading it since I'm sure it should be way more in depth than the old one. It sure is much longer than the old one anyway.
     
    Last edited: Aug 27, 2013
  4. Francis93

    Francis93 Registered Member

    Joined:
    Feb 1, 2011
    Posts:
    311
    Known incompatibility: Webroot SA Complete and AppGuard on Windows 8 x64
     
  5. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Currently I have OA running with Appguard in lockdown mode. No need to make OA a power app. What I did do was add a read/write memory exception for all of OA's exe files. Works fine.

    Pete
     
  6. mick92z

    mick92z Registered Member

    Joined:
    Apr 27, 2007
    Posts:
    542
    Location:
    Nottingham
    Hello, is anyone successfully running Appguard 3.4.2.0 (on high level) with Sandboxie version 4 or later? This would be on a 64 bit windows 7 machine. If so, I would be extremely grateful to hear your Appguard settings. I am still using S.B 3.76. Here's hoping. Cheers
     
  7. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,281
    Location:
    UK
    Hi Cutting_Edgetech,

    I have very occasionally seen BSODs where the likely cause from analysing the minidump is the brnfilelock.sys driver. As these appear to be kernel faults, whether making other security applications power apps would have made any difference is hard to say. The only other time that I've seen BSODs in the past was when installing stuff. I found that these could be avoided by keeping the checkbox to automatically re-enable protection when in Install mode unchecked, and always rebooting the machine after completing the install before re-enabling AppGuard protection. Since following that procedure, I have never seen a BSOD during a software install.

    I wasn't being critical and I agree that you should stick with what works best for you. The only point I was making is that in situations where a power app is actually required, rather than simply being a matter of user preference, it is usually easy to tell which executable is involved because a blocked event will have occurred. I agree that it won't weaken the overall security by making other security applications power apps. Your setup is very similar to mine, and I would hope that we're both already very well protected. I prefer to operate on the principle of least privilege and only add AppGuard exceptions when I have to but that's just me. I guess if I was going to routinely make security applications power apps, I'd concentrate on the executables that actually provide the protection and have to be running all the time. In the main, with most security applications these tend to be the processes that run as services.

    Yes, I always try to read through all of the documentation for all of my security programs in order to get an understanding of how they work, and how to configure and deploy them effectively.

    Kind regards
    pegr
     
  8. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,281
    Location:
    UK
    I am running on Windows XP, so I can't say what will be required on 64-bit Windows 7. The only thing that is a definite requirement is to ensure that the sandbox container folder is in user space so that guarded applications can write to it. This is true of all Sandboxie versions so you must already have done this as you are using Sandboxie 3.76.

    You may need to make MemoryGuard exceptions for some of the Sandboxie executables and/or add them as power apps. If you don't see any blocked events and everything seems to be running normally, you probably don't need to do anything. The only difference I found when upgrading from Sandboxie 3.76 to version 4 is that I had to add a MemoryGuard write exception for sandboxierpcss.exe in order to overcome a blocked event, but it may be different on your system.
     
  9. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,281
    Location:
    UK
    The combination of WSA and AppGuard doesn't work well on my Windows XP system either. The system hangs at the Windows shutdown screen with both installed. If either WSA or AppGuard are installed separately, everything is fine. As I had to make a choice between WSA and AppGuard, I preferred to keep AppGuard and use a different antivirus.
     
  10. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I am running the latest beta posted in this thread, with the latest SBIE beta on Lockdown level on a new Win 7 x64 machine.

    All I've done in Appguard is set read/write memory exceptions in the Advanced tab, and added c:\sandbox under the settings button on the guarded apps tab.

    Works like a champ.

    Pete
     
  11. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,624
    Location:
    USA
    I had a lot of BSODs with brnfilelock.sys back in the early days with AG. I don't believe making a security application a power app would have prevented any of them, but I could be wrong. I think they were all due to a bug, but it's been a long time so I can't remember for sure. I submitted several bug reports for the BSOD with brnfilelock.sys. AG was really buggy in the early days, but I knew it would be great once they worked the bugs out.
    Appguard has enabled its protection before some applications I was installing completed installing. I increased the time before it would enable its protection, but still had it happen with some applications that took a long time to install. I had it happen with Microsoft Office, and I had to roll back my image. I just decided I really only wanted AG to re-enable its protection when I enabled it myself. I don't even use the timeout feature anymore. I always leave it unchecked.
     
  12. mick92z

    mick92z Registered Member

    Joined:
    Apr 27, 2007
    Posts:
    542
    Location:
    Nottingham
    Many thanks Pegr and Peter2150, I will give it a try soon. Your advice is very much appreciated :thumb: :)
     
  13. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    This was raised before and was one of the primary drivers for this release. Perhaps we did not go far enough with our mods. I will forward your concerns to the developer.

    The problem that we corrected had to do with opening up Office 2013 documents that originate from another computer. There is a flag on these documents that indicate that they originated from somewhere unsafe:
    [attached screenshot: BlockedDocProperties.PNG]
    If you click on the unblock button, does that solve the problem?

    You indicated that you have this issue even if you open the document up from Explorer but is it a "Sandboxied" explorer (forgive me if that doesn't make sense - I'm not familiar with Sandboxie)? If Sandboxie is uninstalled, does that make a difference? Sorry - just read your second post on the subject: Can I assume that Sandboxie was not installed and you saw the same issue?
     
    Last edited: Aug 27, 2013
  14. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    That is not quite true. Children Applications of Power Applications inherit the power app property, but not all applications in the folder are automatically power applications.
     
  15. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    This is probably related to MBRGuard. You can disable MBRGuard without disabling all of AppGuard.
     
  16. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    Is Office 2013 the 64 bit version or the 32 bit version?
     
  17. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    When you say that the Office Applications will not start, are you trying to start them by double-clicking on a word document file or are you trying to start the Office Applications by the Start Menu?
     
  18. buckslayr

    buckslayr Registered Member

    Joined:
    Jun 1, 2009
    Posts:
    484
    Location:
    Michigan, USA
    New beta working great here!
     
  19. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,281
    Location:
    UK
    I think you may have missed the irony in my response to Cutting_Edgetech. I was indirectly hinting that had it been true, it would have been mentioned in the help file and the release notes. I did suggest, rather more directly in post #2925, that it is not the case. :)
     
  20. chris1341

    chris1341 Guest

    Barb, I've replied via the support e-mail also, but no, SBIE was not installed, and while the files are not marked this way, so I can't unblock, they open in protected mode when not guarded. I suspect Protected mode and AG are not getting along.

    Regards
     
  21. chris1341

    chris1341 Guest

    Double clicking.

    Cheers
     
  22. chris1341

    chris1341 Guest

    Confirmed, unchecking the protected mode checkboxes in the Trust Centre settings allows Office docs to be opened guarded.

    That's why it worked in SBIE I think, as it overrides the protected settings.

    Regards
     
  23. mick92z

    mick92z Registered Member

    Joined:
    Apr 27, 2007
    Posts:
    542
    Location:
    Nottingham
    Hello, today I kept getting notifications from Avira antivirus; it was a pop-up asking whether I wanted to modify or remove Avira. I also noticed Avira was outdated. Manually updating failed every time. I looked at the appguard logs, here are some:
    08/29/13 22:08:40 Prevented process <Avira Setup> from writing to <c:\windows\temp\avsetup_521fb7f1\setup.log>.
    08/29/13 22:08:40 Prevented process <Avira Setup> from writing to <c:\windows\temp\avsetup_521fb82c\setup.log>.
    08/29/13 22:08:37 Prevented process <Avira Setup> from writing to <c:\windows\temp\avsetup_521fb7f1\setup.log>.
    08/29/13 22:08:37 Prevented process <Avira Setup> from writing to <c:\windows\temp\avsetup_521fb82c\setup.log>.
    08/29/13 22:08:34 Prevented process <Avira Setup> from writing to <c:\windows\temp\avsetup_521fb7f1\setup.log>.
    08/29/13 22:08:34 Prevented process <Avira Setup> from writing to <c:\windows\temp\avsetup_521fb82c\setup.log>.
    08/29/13 22:08:31 Prevented process <Avira Setup> from writing to <c:\windows\temp\avsetup_521fb7f1\setup.log>.
    08/29/13 22:08:31 Prevented process <Avira Setup> from writing to <c:\windows\temp\avsetup_521fb82c\setup.log>.
    08/29/13 22:08:28 Prevented process <Avira Setup> from writing to <c:\windows\temp\avsetup_521fb7f1\setup.log>.
    08/29/13 22:08:27 Prevented process <Avira Setup> from writing to <c:\windows\temp\avsetup_521fb82c\setup.log>.
    08/29/13 22:08:25 Prevented process <Avira Setup> from writing to <c:\windows\temp\avsetup_521fb7f1\setup.log>.
    08/29/13 22:08:24 Prevented process <Avira Setup> from writing to <c:\windows\temp\avsetup_521fb82c\setup.log>.
    08/29/13 22:08:24 Prevented <Avira Updater> from reading memory of <Avira WSC Helper Tool>.
    08/29/13 22:08:24 Prevented <Avira Updater> from writing to memory of <Avira WSC Helper Tool>.
    08/29/13 22:08:23 Prevented <Avira Updater> from writing to <\registry\machine\software\wow6432node\avira\antivir desktop>.
    08/29/13 22:08:23 Prevented <RoboForm TaskBar Icon> from reading memory of <Avira Updater remote GUI>.
    08/29/13 22:08:23 Prevented <RoboForm TaskBar Icon> from writing to memory of <Avira Updater remote GUI>.
    08/29/13 22:08:23 Prevented <Ask Toolbar Notifier> from reading memory of <Avira Updater remote GUI>.
    08/29/13 22:08:23 Prevented <Avira Updater> from reading memory of <Avira Updater remote GUI>.
    08/29/13 22:08:23 Prevented <Avira Updater> from writing to memory of <Avira Updater remote GUI>.
    08/29/13 22:08:23 Prevented <Avira Updater> from reading memory of <Avira Updater>.
    08/29/13 22:08:23 Prevented <Avira Updater> from writing to memory of <Avira Updater>.
    08/29/13 22:08:23 Prevented <Avira Updater> from reading memory of <Avira Control Center>.
    08/29/13 22:08:23 Prevented <Avira Updater> from writing to memory of <Avira Control Center>.
    08/29/13 22:08:23 Prevented <Avira Updater> from reading memory of <Avira System Tray Tool>.
    08/29/13 22:08:23 Prevented <Avira Updater> from writing to memory of <Avira System Tray Tool>.
    08/29/13 22:08:23 Prevented <Avira Updater> from reading memory of <Avira Shadow Copy Service>.
    08/29/13 22:08:23 Prevented <Avira Updater> from writing to memory of <Avira Shadow Copy Service>.
    08/29/13 22:08:23 Prevented <Avira Updater> from reading memory of <Avira On-Access Service>.
    08/29/13 22:08:23 Prevented <Avira Updater> from writing to memory of <Avira On-Access Service>.
    08/29/13 22:08:23 Prevented <Avira Updater> from reading memory of <Avira Scheduler>.
    08/29/13 22:08:23 Prevented <Avira Updater> from writing to memory of <Avira Scheduler>.
    08/29/13 22:08:23 Prevented <Avira Updater> from reading memory of <Avira Setup>.
    I only have appguard set to high.
    Immediately after disabling AG my Avira updated.
    So what do I do, add every Avira exe file as a power app?
    Many thanks
     
  24. stackz

    stackz Registered Member

    Joined:
    Dec 27, 2007
    Posts:
    645
    Location:
    Sydney Australia
    @mick92z
    It's been a long time since I looked at Avira, but it should only be necessary to add the executables that run as a service to power apps.
    Those used to be avguard.exe and sched.exe, not sure now. Look in Windows services and add the executables referred to by Avira's service entries.
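    The service-enumeration step stackz describes (find the executables Avira's service entries point at, rather than guessing from the installation folder), as an added example that is not part of this thread or of AppGuard or Avira. It reads each service's ImagePath value from the registry on Windows and parses the executable out of it, coping with quoted paths plus arguments and with unquoted paths containing spaces. The service names and paths in SAMPLE_IMAGE_PATHS are constructed for the example; the thread only names avguard.exe and sched.exe.

```python
"""Find the executables behind a vendor's Windows service entries.

Added example, not from the thread, AppGuard or Avira. Each service's command
line is stored in HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath.
The executable is the quoted token or, if the path is unquoted, the leading
text up to the first ".exe". Off Windows, the constructed SAMPLE_IMAGE_PATHS
stand in for the registry so the parsing can be exercised offline.
"""
import ntpath
import re
import sys
from typing import Dict, Optional

# Constructed sample ImagePath values (service names and paths are
# illustrative, not the real Avira entries).
SAMPLE_IMAGE_PATHS: Dict[str, str] = {
    "AntiVirService": r'"C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe"',
    "AntiVirSchedulerService": r'"C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe"',
    "AntiVirWebService": r"C:\Program Files (x86)\Avira\AntiVir Desktop\avwebg7.exe /service",
    "Spooler": r"%SystemRoot%\System32\spoolsv.exe",
    "wuauserv": r"%SystemRoot%\system32\svchost.exe -k netsvcs",
    "brnfilelock": r"system32\drivers\brnfilelock.sys",
}

_QUOTED = re.compile(r'^\s*"([^"]+)"')
_UNQUOTED = re.compile(r"^\s*(.+?\.exe)\b", re.IGNORECASE)


def image_path_to_exe(image_path: str) -> Optional[str]:
    """Return the executable path from a service ImagePath, or None.

    Handles a quoted path followed by arguments, an unquoted path containing
    spaces (the classic unquoted-service-path shape) and %VAR% references,
    which ntpath.expandvars expands only when VAR exists in the environment.
    Driver entries (*.sys) return None because they are not processes that
    AppGuard exceptions apply to.
    """
    m = _QUOTED.match(image_path) or _UNQUOTED.match(image_path)
    if not m:
        return None
    exe = ntpath.expandvars(m.group(1))
    return exe if exe.lower().endswith(".exe") else None


def vendor_service_exes(image_paths: Dict[str, str], vendor_hint: str) -> Dict[str, str]:
    """Map service name -> executable for entries whose path mentions vendor_hint."""
    found = {}
    for name, image_path in image_paths.items():
        exe = image_path_to_exe(image_path)
        if exe and vendor_hint.lower() in exe.lower():
            found[name] = exe
    return found


def read_service_image_paths() -> Dict[str, str]:
    """Read ImagePath for every service from the live registry (Windows only);
    elsewhere return the constructed sample so the example still runs."""
    if sys.platform != "win32":
        return dict(SAMPLE_IMAGE_PATHS)
    import winreg  # only importable on Windows

    root = r"SYSTEM\CurrentControlSet\Services"
    result: Dict[str, str] = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, root) as services:
        index = 0
        while True:
            try:
                name = winreg.EnumKey(services, index)
            except OSError:
                break  # no more subkeys
            index += 1
            try:
                with winreg.OpenKey(services, name) as key:
                    result[name] = winreg.QueryValueEx(key, "ImagePath")[0]
            except OSError:
                continue  # entry without an ImagePath value
    return result


if __name__ == "__main__":
    for service, exe in sorted(vendor_service_exes(read_service_image_paths(), "avira").items()):
        print(f"{service}: {exe}")
```

    On a Windows host the script needs no elevation to read the Services key; the executables it prints are the candidates for power app entries per stackz's and pegr's advice, while the .sys driver entries are skipped because they are not user-mode processes.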
     
  25. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,281
    Location:
    UK
    I don't use Avira so I can't try it myself, but here's some suggestions to see if they help.

    For <Avira Setup> to be prevented from writing to a system space directory, it is most likely to be running from user space. If that's true, try adding the executable as an entry in the User-space tab and setting the Include column to No.

    The MemoryGuard exceptions for <Avira Updater> should be able to be resolved by making a MemoryGuard exception for the executable in the Advanced tab and setting the Type column to ReadWrite.

    The <RoboForm TaskBar Icon> and <Ask Toolbar Notifier> messages can probably be ignored.

    The suggestion by stackz is a good one because the Avira services may well be parent processes of the ones that are getting blocked, in which case making them power apps should resolve the issue.

    Also, add Avira to the Publisher List if you haven't already done so with the following settings: Guarded = No; Privacy = Off; Memory = Off; Install = Allow.

    If you are still having problems, please post the full path names of the executables that are being blocked.
     
    Last edited: Aug 29, 2013
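    The triage pegr walks through above, applied to the log lines mick92z posted, as an added example that is not part of this thread or of AppGuard. It parses the blocked-event format shown in the log, counts the kinds of block per source process, and maps each kind to the exception pegr suggests: a MemoryGuard ReadWrite exception for memory read/write blocks and a User-space entry with Include = No for writes into system space. The mapping is this example's reading of the advice, not an AppGuard rule, and the registry write gets only a "review manually" note because the thread gives no specific exception for it. SAMPLE_LOG is an excerpt of the posted log, not the whole thing.

```python
"""Triage AppGuard blocked-event log lines into per-process exception suggestions.

Added example, not from the thread or from AppGuard. The line format is the
one quoted in the post above:
  <date> <time> Prevented [process ]<source> from <verb> <target>.
"""
import re
from collections import Counter, defaultdict
from typing import Dict, List, Optional

LINE_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d/\d\d \d\d:\d\d:\d\d) Prevented (?:process )?"
    r"<(?P<src>[^>]+)> from (?P<verb>reading memory of|writing to memory of|writing to) "
    r"<(?P<target>[^>]+)>\.$"
)

# Prefixes treated as system space here (assumption for the example: the
# locations the thread calls system space are c:\windows and program files).
SYSTEM_SPACE_PREFIXES = (r"c:\windows", r"c:\program files")

# Each block kind -> the action pegr suggests in the post above (or a review note).
SUGGESTIONS = {
    "memory": "Advanced tab: MemoryGuard exception for the executable, Type = ReadWrite",
    "system_file_write": "User-space tab: add the executable with Include = No "
                         "(it is probably running from user space)",
    "registry_write": "Review manually; the thread gives no specific exception for registry writes",
    "user_file_write": "Blocked write to user space; review manually",
}


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line into {'ts','src','kind','target'}, or None if it is not a blocked event."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    verb, target = m.group("verb"), m.group("target")
    if "memory" in verb:
        kind = "memory"
    elif target.lower().startswith("\\registry\\"):
        kind = "registry_write"
    elif target.lower().startswith(SYSTEM_SPACE_PREFIXES):
        kind = "system_file_write"
    else:
        kind = "user_file_write"
    return {"ts": m.group("ts"), "src": m.group("src"), "kind": kind, "target": target}


def triage(lines) -> Dict[str, Counter]:
    """Count block kinds per source process, ignoring lines that do not parse."""
    counts: Dict[str, Counter] = defaultdict(Counter)
    for line in lines:
        event = parse_line(line)
        if event:
            counts[event["src"]][event["kind"]] += 1
    return dict(counts)


def suggest(counts: Dict[str, Counter]) -> Dict[str, List[str]]:
    """Map each source process to the distinct suggestions its block kinds call for."""
    return {src: [SUGGESTIONS[kind] for kind in sorted(kinds)] for src, kinds in counts.items()}


# Excerpt of the log quoted in the post above (eight of its lines, verbatim).
SAMPLE_LOG = (
    "08/29/13 22:08:40 Prevented process <Avira Setup> from writing to <c:\\windows\\temp\\avsetup_521fb7f1\\setup.log>.\n"
    "08/29/13 22:08:40 Prevented process <Avira Setup> from writing to <c:\\windows\\temp\\avsetup_521fb82c\\setup.log>.\n"
    "08/29/13 22:08:24 Prevented <Avira Updater> from reading memory of <Avira WSC Helper Tool>.\n"
    "08/29/13 22:08:24 Prevented <Avira Updater> from writing to memory of <Avira WSC Helper Tool>.\n"
    "08/29/13 22:08:23 Prevented <Avira Updater> from writing to <\\registry\\machine\\software\\wow6432node\\avira\\antivir desktop>.\n"
    "08/29/13 22:08:23 Prevented <RoboForm TaskBar Icon> from reading memory of <Avira Updater remote GUI>.\n"
    "08/29/13 22:08:23 Prevented <Ask Toolbar Notifier> from reading memory of <Avira Updater remote GUI>.\n"
    "08/29/13 22:08:23 Prevented <Avira Updater> from reading memory of <Avira Scheduler>.\n"
)

if __name__ == "__main__":
    counts = triage(SAMPLE_LOG.splitlines())
    for src, advice in suggest(counts).items():
        print(f"{src}: {dict(counts[src])}")
        for line in advice:
            print(f"    - {line}")
```

    Run against the full log, the per-process view makes pegr's point concrete: <Avira Setup> only ever fails on writes under c:\windows\temp, <Avira Updater> accounts for nearly all of the memory blocks, and the <RoboForm TaskBar Icon> and <Ask Toolbar Notifier> entries are one-off memory reads of an Avira window that can be left alone, as the post above says. Paste the real log into SAMPLE_LOG (or feed sys.stdin.readlines() to triage) to get the list for your own machine.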