AppGuard 3.x 32/64 Bit

Discussion in 'other anti-malware software' started by shadek, Mar 12, 2011.

Thread Status:
Not open for further replies.
  1. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    Why would you guard an installer? Guarded apps aren't allowed write access to system space.

    Why not just lower the protection level to Install? I don't understand why an installer would need to run as a Power App.
     
  2. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
If its publisher is listed in the publisher tab it will install. Needs to be guarded to run in user space.


    The object was to see if you can install without lowering the protection to install. Install essentially is no system protection at all. If you can install at Medium, then theoretically the system is still protected although not from what you are installing.

    Pete

    PS. If nothing else by playing I am getting a better understanding of how this puppy works. :)
     
  3. Brandonn2010

    Brandonn2010 Registered Member

    Joined:
    Jan 10, 2011
    Posts:
    1,854
    I agree with Peter. A context-menu option to Run as Power App would be good since it wouldn't require disabling protection, and it would make it more DefenseWall-ish.
     
  4. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    No, it's the opposite; if it's guarded, it can't write to system space and the installation will fail.

    You are quite correct that, under normal operation, an executable would need to be guarded to be able to launch from user space at the Medium protection level. But there's a problem: An installer running guarded will fail as soon as it tries to write to system space. What we want is a way of running an installer unguarded from user space without lowering the protection level. This is where the trusted publishers list comes to the rescue. It allows us to tell AppGuard that digitally signed executables from trusted publishers are allowed to run unguarded from user space at the Medium protection level.

I've performed some tests with a digitally signed installer running from user space with the protection level set to Medium to demonstrate this. Here are the results:

    Test #1: Publisher not listed as trusted.
    Result: Installer prevented from launching. Fail

    Test #2: Publisher not listed as trusted but installer added to Guarded Apps tab.
    Result: Installer launched but prevented from writing to system space. Fail

    Test #3: Installer removed from Guarded Apps tab and publisher added to Publishers list with Guarded flag set to Yes.
    Result: Installer launched but prevented from writing to system space. Fail

    Test #4: Guarded flag setting in Publishers list changed to No.
    Result: Installation completed. Success

    This illustrates the use of the Publishers list to allow digitally signed installations from trusted publishers to be performed at the Medium protection level.

    That's what the publisher's list is for: to allow installations without lowering the protection level. Apart from the convenience of not having to temporarily reduce the protection level to install something, the main advantage of the Publishers list is that it allows automatic unattended software updates to take place without the user present.

    I doubt that many people continue to use their system normally whilst doing an attended install, where you've got to concentrate and perform a number of guided steps through the installation procedure. Many installers explicitly advise not running other processes until the installation has been completed. On a clean system when installing software, it is what the installer may be doing that presents the risk, not existing running background processes.

    Paradoxically, it is because policy restriction software is so effective at automatic threat prevention without asking the user what to do that protection has to be temporarily lowered in order to install something. If you make an installer a Power App, you've excluded it, and any processes it spawns, from AppGuard protection. I don't see how that would leave the system any better protected than temporarily lowering the protection level to Install in those situations where the installer is not a digitally signed executable from a trusted publisher.

    The bottom line is that AppGuard, by its very nature, cannot be relied upon to protect the system from malicious activity during a deliberate software install by the user. This is one reason why policy restriction software should not be used on its own, and why it is best combined with at least one other additional security layer: anti-executable, system virtualization, real-time AV, etc, according to user preference.

    Me too. :)
     
    Last edited: Oct 12, 2013
  5. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    See my reply to Peter2150.
     
  6. iammike

    iammike Registered Member

    Joined:
    Jun 13, 2012
    Posts:
    342
    Location:
    SE Asia
    Hi Barb,

    yes I am logged in as a Normal User and was elevating Firefox.

    I did what you told me and it worked.

    Thanks :thumb: :thumb:
     
  7. justenough

    justenough Registered Member

    Joined:
    May 13, 2010
    Posts:
    1,549
    AppGuard 4.0 is running smoothly on my 7 x64 computer with WebrootSA.

    A lot of my games come from Matrix Games. They install automatically into a Matrix folder on C drive. Is that considered user space? For AppGuard protection would it be better if I put that folder into Program Files (x86)?
     
  8. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    Only the user profile folders on the C drive constitute user space. Providing the Matrix folder is not located within a user profile, it is part of system space and can be left where it is.
     
  9. Roberteyewhy

    Roberteyewhy Registered Member

    Joined:
    Mar 4, 2007
    Posts:
    622
    Location:
    US
    Barb and everyone here. Have not beta tested 4.xx. Sorry if it has been requested/suggested...

...as you, Barb (BlueRidge), desire to make AG more 'user friendly', have you thought about a 'Restore to Default' on a specific tab and/or a 'Restore All to Default'? Would, IMO, allow your users to "get to know" your product without worrying if they make a mistake, as they know they can always start from the original install.

    Robert
     
  10. justenough

    justenough Registered Member

    Joined:
    May 13, 2010
    Posts:
    1,549
    Okay, thank you. Other than gaming most of what I do on the computer is within my Documents folder and sometimes the Downloads folder. I suppose those would be user space. Are there any settings in AppGuard I should be aware of that would make those areas more secure? Before AppGuard 4.0 I was using Sandboxie to isolate files in the Download folder until I could run a scan on them.

    edit: After doing a little reading about user profile folders, it looks like they are something different from the Documents and Downloads folders. There are a lot of gaps in what I know about computers.
     
    Last edited: Oct 12, 2013
  11. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Pegr and Barb

    I retested and you are absolutely correct. I was playing with the simplest way for a newbie to install something.

Basically for me it's back to what I've been doing. If I am confident of the source, I create some kind of rollback snapshot, relax all the interfering security software, and do the install.

If I don't trust or am not sure of the source of the software, I either don't install it, or first install it in a VM.

Maybe the simplest solution would be to be able to right click on the installer and have it added to the publisher list. This could be even more effective when children inherit the publisher list characteristics.

    Pete
     
  12. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    I think that's an excellent idea. :thumb:

    Maybe also an import/export settings feature within the GUI in case the user changes their mind after restoring all settings to default and wants to revert back.
     
  13. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    If the Downloads folder is not within a user profile, it would be part of system space in which case you would need to move it to user space. It would also be a good idea to make your Documents folder a Private Folder and ensure that the Privacy flag is set to Yes against all browsers listed in the Guarded Apps tab.

    Instructions for moving a folder from system space to user space, and for making a folder private, can be found in sections 2.2 and 2.6 of the following link:
    AppGuard - New Getting Started Tutorial wanted
     
  14. justenough

    justenough Registered Member

    Joined:
    May 13, 2010
    Posts:
    1,549
    Thank you for the link, a getting started tutorial is just what I needed.
     
  15. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,696
    Location:
    USA
I finally was able to make enough space for one of my test machines, so I'm getting a late start on testing AG 4. I hope it does not take long to catch up with this thread now. My test machine has the following stats below.

    Windows 7 Ultimate 64-bit SP1
    CPU
    Intel Core i7 960 @ 3.20GHz
    RAM
    8.00GB Dual-Channel DDR3 @ 534MHz (8-8-8-20)

    Graphics Card
    AMD Radeon HD 6900 Series (ATI)

    Hard Drives
    279GB Western Digital VelociRaptor WDC WD3000HLFS-01G6U4 ATA Device (SATA)

Appguard 4 is running better than I expected so far for a first release. I thought there were going to be more changes made to version 4 than what I'm seeing, which is good. I loved the last beta build of Appguard 3 since they made big improvements to the GUI. So far I'm really liking what I'm seeing in version 4.

One thing I noticed right after the installation is that Opera was not added to the guarded apps list. I can add it manually, but I believe it would be a good idea to add all the popular browsers to the guarded apps list by default.

I remember reading something about changes that were going to be made to AG's memory protection in version 4 due to support issues with the average user. It seems like the average user became alarmed (for lack of a better word) when they saw all the blocked events from the memory guard protection. I like it since I understand how AG works, but I can see why any new user would be alarmed when seeing all the blocked events. I hope BRN decides to keep memory protection since that is one of the reasons I use AG. There are not many other applications that protect the memory. I think the AG activity report will help keep users from becoming alarmed with harmless blocked events. If they only understood that AG forces applications to operate in a safe manner.

Well, I have to catch up on reading this thread now. I wish I could have started sooner. If anyone would like to briefly list some of the main bugs discovered, and the changes that have been made, I would deeply appreciate it. It's great to see some new testers for version 4! You guys have been giving a lot of feedback! Well, I have quite a bit of reading and testing to do. I will run AG through my usual test that I have been using for AG for the last several years.
     
  16. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    That getting started tutorial is excellent. I've posted a PDF file of it to download in my first post in this thread so it is easy to find. https://www.wilderssecurity.com/showpost.php?p=1841645

    Pegr, if you update it for V4.0 I can do the same thing.

    Pete
     
  17. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,696
    Location:
    USA
In this particular situation I don't believe having an AE would do any good since you would likely have to disable its protection for the install. Best to have a good traditional AV with AG in this particular situation, and don't install questionable software. Also, be careful where you get the installer from. I always check the MD5 or SHA1 hash before installing if the publisher makes it available. Most of us remember what happened with Combofix when the installer became infected with the Sality virus. Eset detected it, and notified them immediately after they verified it. Many of us were surprised that it had happened, but knew it was possible.
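Two checks come up in this thread: the trusted Publishers list described in pegr's test results only helps if the installer really carries a valid signature from a publisher you have chosen to trust, and Cutting_Edgetech's habit of comparing the installer's hash with the one the vendor publishes. The script below is an added example, not AppGuard's code or anything posted in the thread. It uses the standard Windows cmdlets Get-FileHash and Get-AuthenticodeSignature; the installer path, the expected hash and the publisher names are placeholders to replace with your own values.

```powershell
# Added example (not from the thread or from AppGuard): a pre-install check that
# verifies the installer's hash against the vendor's published value and inspects
# its Authenticode signature before deciding how the install should be run.
# Assumption: the path, expected SHA256 and publisher names below are placeholders.

function Test-InstallerTrust {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string]   $ExpectedSha256,              # hash published by the vendor (optional)
        [string[]] $TrustedPublishers = @()      # signer CNs you have decided to trust
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "Installer not found: $Path"
    }

    $result = [ordered]@{
        Path             = $Path
        HashMatches      = $null      # stays $null when no expected hash was given
        SignatureValid   = $false
        Publisher        = $null
        PublisherTrusted = $false
        Verdict          = 'unknown'
    }

    # 1. Integrity: compare the file hash with the value the publisher published.
    if ($ExpectedSha256) {
        $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        $result.HashMatches = ($actual -ieq $ExpectedSha256.Trim())
    }

    # 2. Authenticity: the signature must be intact and chain to a trusted root.
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    $result.SignatureValid = ($sig.Status -eq 'Valid')
    if ($sig.SignerCertificate) {
        # Pull the CN out of the signer's subject, e.g. "CN=Example Corp, O=..., C=US"
        if ($sig.SignerCertificate.Subject -match 'CN=("[^"]+"|[^,]+)') {
            $result.Publisher = $Matches[1].Trim('"')
        }
    }
    $result.PublisherTrusted = $result.SignatureValid -and
        ($TrustedPublishers -contains $result.Publisher)

    # 3. Decide the installation posture. A hash mismatch overrides everything else.
    if ($result.HashMatches -eq $false) {
        $result.Verdict = 'do-not-install: hash does not match the published value'
    } elseif ($result.PublisherTrusted) {
        $result.Verdict = 'trusted-publisher: candidate for the Publishers list (Guarded = No)'
    } elseif ($result.SignatureValid) {
        $result.Verdict = 'signed-but-unlisted: review the publisher before trusting it'
    } else {
        $result.Verdict = "unsigned-or-invalid ($($sig.Status)): snapshot or VM before installing"
    }
    [pscustomobject]$result
}

# Example invocation with constructed placeholder values:
Test-InstallerTrust -Path 'C:\Users\me\Downloads\setup.exe' `
    -ExpectedSha256 '<SHA256 from the vendor download page>' `
    -TrustedPublishers @('Example Publisher Ltd') | Format-List
```

The verdict strings mirror the outcomes of pegr's four tests: only a valid signature from a publisher you have explicitly listed justifies letting an installer run unguarded from user space, and a file whose hash does not match what the vendor published should not be installed at any protection level.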
     
  18. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I sort of disagree about an AE not doing any good. I use ERP, and I have the option of alert mode which allows me to click thru and allow what is going on. That way I can see what is happening.

    Online Armor also gives you this option in more detail.

    Pete
     
  19. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,696
    Location:
    USA
Do you think you could distinguish between good and malicious code during the install as it is being executed? I think maybe I could in some cases, but I certainly do not feel confident in making that judgement during an install. It would be much easier if it was not an install, and one was using a HIPS, AE, etc. For example: if code was attempting to execute through one's web browser, or opening a file that is not an installer, it would be more obvious that a threat is attempting to execute. If I was an experienced coder, and even more knowledgeable in Security than I already am, then maybe I would feel more confident in making those decisions. I learn more every day though.
     
    Last edited: Oct 12, 2013
  20. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
It is obvious that one cannot trust untrusted, unknown or unsigned files to execute on our systems; for sure I will not allow it, but there is some malware out there that manages to get a digital signature :) It is very dangerous these days.
     
  21. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,696
    Location:
    USA
A lot of trusted open-source software is not signed. At least with open-source software the code can be examined by anyone.
(edited): Not that you can completely trust any software. If you're a great coder you can look through all the code for yourself.
     
    Last edited: Oct 12, 2013
  22. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,696
    Location:
    USA
Now that I look at the manual, AG was supposed to automatically add Opera to the guarded apps list. I guess I have come across a bug. I will try installing again, and see if I get the same result. I need to roll my machine back, and install MS Office anyways so I can work on my resume.
     
  23. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    very true
     
  24. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    Hi Pete,

    I thought I'd wait until v4.0 final is released and the official help file has been updated - just in case there are any late changes while v4.0 is still in beta. As there are only around 25 beta testers for v4.0, new users are probably all still using the current production version at present.

    I'm glad you think the getting started tutorial is useful for new users though, and worth updating. I will get onto it as soon as v4.0 final is released. :)

    Kind regards
    pegr
     
  25. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I agree. I just thought having it where it can be downloaded is useful.

    Pete
     