AppGuard 3.x 32/64 Bit

Discussion in 'other anti-malware software' started by shadek, Mar 12, 2011.

Thread Status:
Not open for further replies.
  1. silat

    silat Registered Member

    Joined:
    Oct 30, 2006
    Posts:
    191
    Hi guys and gals.

    I am having an issue.

    Message:
    08/30/13 00:16:42 Prevented process <files2folder.exe - c:\windows\system32\svchost.exe> from launching from <d:\downloads 1\folder&file utilities\access to favorite folders via right click\files2folder>.


    It is a right click program.
    I tried adding it but nothing changed. I know I'm doing something wrong. Please advise.
     
  2. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    Files2Folder.exe runs from whichever folder you registered it from, which in your case is your downloads folder, located in user space. What you need to do is to remove Files2Folder.exe from AppGuard user space protection. There are two ways you could accomplish this: The first method involves making an AppGuard user space exception and the second involves moving Files2Folder.exe to system space and re-registering it.

    Method #1: Make an AppGuard user space exception
    Add the full pathname of the current location of Files2Folder.exe in the downloads folder as an entry in the User-Space tab and set the Include column to No.

    Method #2: Move Files2Folder.exe to system space
    Run the shortcut in the unzipped Files2Folder to unregister the program then copy the folder from the downloads directory to your Program Files folder and run Files2Folder.exe again from the new location to re-register it. If you do it this way, you won't need to make an AppGuard exception.

    Both methods will work so it's up to you, whichever one you prefer.
     
  3. silat

    silat Registered Member

    Joined:
    Oct 30, 2006
    Posts:
    191
    Thanks Pegr. I was trying to get it to work by messing with guarded apps.
     
  4. Homer712

    Homer712 Registered Member

    Joined:
    Jun 7, 2013
    Posts:
    33
    Location:
    USA
    Just started using AppGuard a few days ago and I've been looking at the Events log just to see and try to understand if anything is going on that I should either address or worry about. I use a program called Divvy (window positioning application) and it seems to show a lot of activity. Everything seems to be working correctly so I suspect there is nothing to do/worry about.

    Here's a paste of the events log:
    09/01/13 08:42:01 Prevented <Firefox> from writing to memory of <Windows Explorer>.
    09/01/13 08:15:36 Prevented <Antimalware Service Executable> from reading memory of <Divvy>.
    09/01/13 08:15:36 Prevented <Antimalware Service Executable> from writing to memory of <Divvy>.
    09/01/13 08:14:50 Prevented <Antimalware Service Executable> from writing to memory of <Adobe Flash Player 11.8 r800>.
    09/01/13 08:14:50 Prevented <Antimalware Service Executable> from writing to memory of <Plugin Container for Firefox>.
    09/01/13 08:14:50 Prevented <Antimalware Service Executable> from writing to memory of <Firefox>.
    09/01/13 08:14:50 Prevented <Antimalware Service Executable> from reading memory of <Divvy>.
    09/01/13 08:14:50 Prevented <Antimalware Service Executable> from writing to memory of <Divvy>.
    09/01/13 08:11:57 Prevented <Antimalware Service Executable> from writing to memory of <Adobe Flash Player 11.8 r800>.
    09/01/13 08:11:57 Prevented <Antimalware Service Executable> from writing to memory of <Plugin Container for Firefox>.
    09/01/13 08:11:57 Prevented <Antimalware Service Executable> from writing to memory of <Firefox>.
    09/01/13 08:11:57 Prevented <Antimalware Service Executable> from reading memory of <Divvy>.
    09/01/13 08:11:57 Prevented <Antimalware Service Executable> from writing to memory of <Divvy>.
    09/01/13 08:08:28 Prevented <Divvy> from reading memory of <Firefox>.
    09/01/13 08:08:28 Prevented <Divvy> from writing to memory of <Firefox>.
    09/01/13 08:08:19 Prevented <Firefox> from writing to memory of <Windows Explorer>.
    09/01/13 08:07:48 Prevented <Divvy> from reading memory of <ClipMate 7>.
    09/01/13 08:07:48 Prevented <Divvy> from writing to memory of <ClipMate 7>.
    09/01/13 08:06:43 Prevented <Antimalware Service Executable> from writing to memory of <Helper program for Tweaking.com - Registry Backup.>.
    09/01/13 08:06:42 Prevented process <Helper program for Tweaking.com - Registry Backup.> from writing to <c:\windows\temp\~dfe4a131d2baa3617c.tmp>.
    09/01/13 08:06:40 Prevented <Antimalware Service Executable> from writing to memory of <Display DOS Device Names>.
    09/01/13 08:06:38 Prevented process <VShadow, Volume Shadow Copy Service (VSS) Sample Requestor> from writing to <c:\windows\temp\vss-setvar.bat>.
    09/01/13 08:04:27 Prevented <VShadow, Volume Shadow Copy Service (VSS) Sample Requestor> from writing to <\registry\machine\system\controlset001\services\vss\diag\vssapipublisher>.
    09/01/13 08:04:27 Prevented <VShadow, Volume Shadow Copy Service (VSS) Sample Requestor> from writing to <\registry\machine\system\currentcontrolset\services\vss\diag\vssapipublisher>.
    09/01/13 08:03:59 Prevented <HitmanPro 3.7> from reading memory of <Divvy>.
    09/01/13 08:03:58 Prevented <Antimalware Service Executable> from reading memory of <Divvy>.
    09/01/13 08:03:58 Prevented <Antimalware Service Executable> from writing to memory of <Divvy>.
    09/01/13 08:03:19 Prevented <WinPatrol System Monitor> from reading memory of <Divvy>.
    09/01/13 08:02:45 Prevented <Antimalware Service Executable> from reading memory of <Divvy>.
    09/01/13 08:02:45 Prevented <Antimalware Service Executable> from writing to memory of <Divvy>.
    09/01/13 08:02:41 Prevented <PDAgent Module> from reading memory of <Divvy>.
    09/01/13 08:02:38 Prevented <PDAgent Module> from reading memory of <Divvy>.
    09/01/13 08:02:37 Prevented <Antimalware Service Executable> from reading memory of <Divvy>.
    09/01/13 08:02:37 Prevented <Antimalware Service Executable> from writing to memory of <Divvy>.
    09/01/13 08:02:36 Prevented <PDAgent Module> from reading memory of <Divvy>.
    09/01/13 08:03:39 Protection level is set to <high>.
     
  5. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    What is the path of the Antimalware Service Executable in the event log? Right click one of the Antimalware Service Executable blocked events, and click message info. Then copy, and paste the path to your post so we can see where Antimalware Service Executable is located. What application does Antimalware Service Executable belong to? You need to make a read / write memory exception for Antimalware Service Executable. Most blocked events can be ignored, but you don't want Appguard blocking functionality of other security applications.
     
    Last edited: Sep 1, 2013
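
An added example (not part of any post in this thread, and not AppGuard's own tooling): a short Python script that parses event lines in the format pasted above and groups the memory read/write blocks by source process, so it is easy to see which program each block came from before deciding on an exception. The sample lines are a subset copied from that post; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Event line shape and sample lines both come from the log pasted in this thread.
EVENT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) Prevented (?:process )?"
    r"<(?P<src>.+?)> from (?P<action>[a-z ]+?) <(?P<target>.+)>\.$"
)
SAMPLE_LOG = r"""
09/01/13 08:42:01 Prevented <Firefox> from writing to memory of <Windows Explorer>.
09/01/13 08:15:36 Prevented <Antimalware Service Executable> from reading memory of <Divvy>.
09/01/13 08:15:36 Prevented <Antimalware Service Executable> from writing to memory of <Divvy>.
09/01/13 08:08:28 Prevented <Divvy> from reading memory of <Firefox>.
09/01/13 08:06:43 Prevented <Antimalware Service Executable> from writing to memory of <Helper program for Tweaking.com - Registry Backup.>.
09/01/13 08:06:38 Prevented process <VShadow, Volume Shadow Copy Service (VSS) Sample Requestor> from writing to <c:\windows\temp\vss-setvar.bat>.
09/01/13 08:03:59 Prevented <HitmanPro 3.7> from reading memory of <Divvy>.
09/01/13 08:03:39 Protection level is set to <high>.
"""

def parse_events(text):
    """Return (src, action, target) for every 'Prevented' line; skip the rest."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append((m["src"], m["action"], m["target"]))
    return events

def memory_blocks_by_source(events):
    """Group memory blocks by source: {src: {"read": set, "write": set}}."""
    summary = defaultdict(lambda: {"read": set(), "write": set()})
    for src, action, target in events:
        if action == "reading memory of":
            summary[src]["read"].add(target)
        elif action == "writing to memory of":
            summary[src]["write"].add(target)
    return dict(summary)

def other_blocks(events):
    """File, registry and launch blocks (events that are not memory blocks)."""
    return [e for e in events if not e[1].endswith("memory of")]

if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    for src, acc in sorted(memory_blocks_by_source(events).items()):
        print(f"{src}: reads {sorted(acc['read'])}, writes {sorted(acc['write'])}")
    for src, action, target in other_blocks(events):
        print(f"not a memory block: {src} {action} {target}")
```
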
  6. Homer712

    Homer712 Registered Member

    Joined:
    Jun 7, 2013
    Posts:
    33
    Location:
    USA
    Here's the path as copy/pasted from the AppGuard log:

    c:\program files\microsoft security client\msmpeng.exe

    Thanks for your help.
     
  7. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    That was not what I quite expected to see. So Antimalware Service Executable points to the following path o_O c:\program files\microsoft security client\msmpeng.exe Are you using Microsoft Security Essentials? I don't use Microsoft Security Essentials so I'm not sure that is the application the path is pointing to. If you are not then do you recognize the application at the path you provided? If it's not a security application then don't add the exception I have listed below.

    If the path you posted is correct, and you are using Microsoft Security Essentials then you need to click on AG's customize tab. Then navigate to the advanced tab on the far right of the UI. Then where it says memory guard click on the add button. Then navigate to msmpeng.exe that you have listed in the path above. Select msmpeng.exe, and choose readwrite from the dropdown box in the exception list. Then click apply. Appguard should no longer block Antimalware Service Executable from reading, and writing to the memory.

    I also prefer to make security applications a power app. You can also add msmpeng.exe as a power app to prevent possible conflict with AG. If it works fine without making it a power app then it is not necessary.
     
  8. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,873
    Location:
    Outer space
    In addition to what Cutting_Edgetech posted, I see an entry for HitmanPro, you may also want to add it to MemoryGuard exceptions to ensure it can do its work properly.
     
  9. Homer712

    Homer712 Registered Member

    Joined:
    Jun 7, 2013
    Posts:
    33
    Location:
    USA
    Thanks guys, I appreciate the help.

    Divvy is an application that does window positioning. I don't know what it does in the background, but it allows you to always have application windows pop up in the same location and of exactly the same size as you selected. I think my first attempt will be to disable Divvy, reboot my machine and see if I still get these alerts. I really can't believe that with all the effort the folks at AppGuard put into this application, they would have it interfere with a security application provided by Microsoft as part of the Windows platform. Even when the alert dealt with HitmanPro, it still referenced the Divvy application. I'll post back with more info after I disable Divvy.

    Again, thanks for the help.
     
  10. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    According to your logs I would try the readwrite memory exceptions within Appguard if you plan on continuing to use MSE. BRN can also hardcode an exception to AG for this if they believe it is necessary. It may not be interfering with MSE as far as we can tell, but we don't want AG blocking any functionality of other security products. I'm sure Barb can give you some good advice on this as well when she is back from Holiday.
     
  11. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Homer712

    One thing to understand, Appguard doesn't know who wrote the application or if it is safe or not. If it violates some policy, you get an alert.

    Try the memory read/write exceptions and you will probably be fine. Also if those blocks aren't affecting anything from working, that says the app may not be all that well written.

    Pete
     
  12. Homer712

    Homer712 Registered Member

    Joined:
    Jun 7, 2013
    Posts:
    33
    Location:
    USA
    OK, so far all I've done is uninstalled the "Divvy" applications and this is what I see in the AppGuard events log:

    09/02/13 20:05:06 Prevented <Firefox> from writing to memory of <Windows Explorer>.
    09/02/13 20:03:07 Protection level is set to <high>.

    . . . and that's after about a half hour's work.
     
  13. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Setting the memory exceptions would have probably taken 5 minutes and solved your issue.

    Pete
     
  14. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Once you know how to make a read / write memory exception it only takes like 20 to 30 seconds. Once you learn your way around Appguard making exceptions is fast, and painless. Do you plan on not using Divvy anymore?
     
  15. Homer712

    Homer712 Registered Member

    Joined:
    Jun 7, 2013
    Posts:
    33
    Location:
    USA
    I plan on reinstalling Divvy and then adding the application to the read/write memory exceptions list. Just finding my way around AppGuard and didn't want to "do" something that I could later find can't be undone. I'm cautious when it comes to making changes to protection programs, but, based on the posts here in response to my questions, I'm feeling more confident. Thanks guys.
     
  16. Homer712

    Homer712 Registered Member

    Joined:
    Jun 7, 2013
    Posts:
    33
    Location:
    USA
    I'm sure this will come as no surprise to those of you who have worked with this application . . .

    Set the memory read/write exception for Divvy, results, no entries in the AppGuard events log :D
     
  17. Roberteyewhy

    Roberteyewhy Registered Member

    Joined:
    Mar 4, 2007
    Posts:
    611
    Location:
    US
    Barb, have you figured out why Media Center on Win8 x64 does not run when put into 'Guarded Apps'?

    Robert
     
  18. garry35

    garry35 Registered Member

    Joined:
    Jan 20, 2009
    Posts:
    480
    Firstly let me apologize if this is posted in the wrong place. I have recently subscribed to Private Internet Access VPN, here for more info: https://www.privateinternetaccess.com/ Can anybody tell me how to configure AppGuard to work with and allow the client software?

    Gazzer
     
  19. FleischmannTV

    FleischmannTV Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,093
    Location:
    Germany
    It would be nice to know if you have already tried it and ran into issues or if you are just asking in advance.
     
  20. garry35

    garry35 Registered Member

    Joined:
    Jan 20, 2009
    Posts:
    480
    I have already tried it and not found a way yet, and my issues are it won't start unless AppGuard is set to install protection level.
     
  21. FleischmannTV

    FleischmannTV Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,093
    Location:
    Germany
    Where is it installed?
     
  22. garry35

    garry35 Registered Member

    Joined:
    Jan 20, 2009
    Posts:
    480
    AppGuard is in the usual C:\Program Files (x86)\Blue Ridge Networks and the Private Internet Access client is in C:\Program Files\pia_manager

    Both default locations.
     
  23. stackz

    stackz Registered Member

    Joined:
    Dec 27, 2007
    Posts:
    646
    Location:
    Sydney Australia
    @garry35
    Could you post the blocked events from AppGuard's log?
     
  24. garry35

    garry35 Registered Member

    Joined:
    Jan 20, 2009
    Posts:
    480
    Thanks for your help, where can I find the AppGuard logs?
     
  25. AaLF

    AaLF Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    986
    Location:
    Sydney
    Hi all. Haven't checked in for a while. I'm running Appguard 3.4.2. Am I using the current version?
     