AppGuard 3.x 32/64 Bit

Discussion in 'other anti-malware software' started by shadek, Mar 12, 2011.

Thread Status:
Not open for further replies.
  1. acr1965

    acr1965 Registered Member

    Joined:
    Oct 12, 2006
    Posts:
    4,995
    I'm using version 3.5 and am having trouble with windows updates. I have to reboot to install the latest updates. Can the "install" level of protection survive reboot somehow? Or is it necessary for installing the MS updates?
     
  2. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    If it has an interactive alert mode, it could be configured to warn about all attempted launches that are not on the whitelist. Admittedly it is dependent on the user being able to make sense of the alerts, but I would be suspicious if some randomly named process tried to launch from system space. Once system space has been compromised, it's game over for AppGuard; but an AE, or a firewall with HIPS, might still be able to contain the malware and prevent it from phoning home.

    Excellent advice to put the emphasis on prevention. :thumb: This is exactly what I do, as I imagine do other Wilders members. :)
     
  3. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    Absolutely and thank you for taking an interest in it. :thumb:
     
  4. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    My experience is that Install mode is needed for some updates but that others install okay at the Medium or High protection levels. I always play it safe and lower the protection level to Install to apply MS updates. You should leave AppGuard in Install mode during the reboot. Here's what the help file says about this:

    "Install: Use this level when installing or updating software. If you are updating a Guarded application, you may also need to UnGuard the application. If your installation requires a reboot, uncheck the "Re-enable" checkbox. In that case AppGuard will not re-enable the protections until the user reinstates the Protection Level. If the "Re-enable" checkbox is checked, AppGuard will automatically re-enable AppGuard after the timeout has expired."

    The Re-enable checkbox is visible when you open the GUI and move the slider to Install.
     
  5. acr1965

    acr1965 Registered Member

    Joined:
    Oct 12, 2006
    Posts:
    4,995
    ok I see it now, thanks for the info
     
  6. SIR****TMG

    SIR****TMG Registered Member

    Joined:
    May 31, 2004
    Posts:
    833
    Thanks I found it too.....:D
     
  7. Roberteyewhy

    Roberteyewhy Registered Member

    Joined:
    Mar 4, 2007
    Posts:
    611
    Location:
    US
    Another great suggestion.:thumb:

    Robert
     
    Last edited: Oct 13, 2013
  8. fearlessscientist

    fearlessscientist Registered Member

    Joined:
    Sep 6, 2013
    Posts:
    166
    Location:
    USA
    I am not sure if this issue was reported earlier. When AppGuard is in lockdown mode and it blocks something, the icon changes to an exclamation. Perfect. But after clicking the icon, it changes to the medium mode icon with a tick mark and not the lockdown mode icon.
     
  9. Brandonn2010

    Brandonn2010 Registered Member

    Joined:
    Jan 10, 2011
    Posts:
    1,854
    Yep. I've had that issue too.
     
  10. Brandonn2010

    Brandonn2010 Registered Member

    Joined:
    Jan 10, 2011
    Posts:
    1,854
    Has anyone tested the version 4.0 beta against malware? I'm curious how the new protection levels affect protection, as Medium almost seems like it wouldn't be as effective as High was, which was what I used, and Locked Down is too secure as it wouldn't allow updates.
     
  11. fearlessscientist

    fearlessscientist Registered Member

    Joined:
    Sep 6, 2013
    Posts:
    166
    Location:
    USA
    Exactly. I don't understand what protection medium level provides. Dropbox and Spotify (which install in user space) work fine in medium mode. Does this mean any executable in the temp folder will also be executed? I thought in medium mode it does not execute any application unless it's guarded. So I have made lockdown my default. Can anyone throw some light on this? :doubt:
     
  12. stackz

    stackz Registered Member

    Joined:
    Dec 27, 2007
    Posts:
    646
    Location:
    Sydney Australia
    What operating system are you running and where in user space are dropbox and spotify installed?
    Executables in the user temp folder should not execute - they don't on my Win 7x64 machine in both medium and locked down.
     
  13. fearlessscientist

    fearlessscientist Registered Member

    Joined:
    Sep 6, 2013
    Posts:
    166
    Location:
    USA
    Dropbox by default installs in C:\Users\<UserName>\AppData\Roaming\Dropbox\bin\Dropbox.exe and
    Spotify in C:\Users\<UserName>\AppData\Roaming\Spotify\spotify.exe

    I am on Windows 7 Home Premium x64, SP1
     
  14. stackz

    stackz Registered Member

    Joined:
    Dec 27, 2007
    Posts:
    646
    Location:
    Sydney Australia
    From the release notes for the beta:
    So I gather dropbox and spotify must be digitally signed.
     
  15. fearlessscientist

    fearlessscientist Registered Member

    Joined:
    Sep 6, 2013
    Posts:
    166
    Location:
    USA
    :thumb:
     
  16. AaLF

    AaLF Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    986
    Location:
    Sydney
    Me too, on one of the PCs. Medium is painful enough for a home user. It blocks more than plenty of program installs in the home market. I don't know how you Wilders lads survive in 'Lockdown' mode. You must have a lot of patience or stick to 'top shelf products only'. Which is not what most home users do. We are far more reckless & careless with what we allow on our PCs. AppGuard's Medium level seems just like the old 'High' to me. I don't know what goes into your PCs at the business end of town, but AppGuard's "Medium" is like a locked gate that one must reset to 'install' for every product. So far I haven't installed anything that's 'gone thru' with AG still set on 'medium'.

    AaLF

    Barb, I think it's been mentioned before, but when I open HELP to check e.g. 'why is it blocked' the help file still refers to the level as 'high' & not 'medium'.
     
    Last edited: Oct 15, 2013
  17. tcarrbrion

    tcarrbrion Registered Member

    Joined:
    Dec 15, 2007
    Posts:
    105
    I have heard of malware where a digitally signed safe application is downloaded together with a bad DLL. The signed app uses the DLL in preference to the normal one as it is in the same directory. Would AppGuard protect against this?
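
The situation tcarrbrion describes (a signed executable in user space loading a DLL from its own directory) can be audited for on a given machine. The PowerShell below is an added example, not part of any post in this thread and not AppGuard's own logic; it assumes "user space" means the per-user AppData folders and reports DLLs beside validly signed executables that are unsigned or share a name with a System32 DLL.

```powershell
# Added example: read-only audit for DLLs that sit next to a validly signed
# executable in user space and could be loaded in preference to the system copy.
param(
    # Assumption: user space = the per-user AppData trees, as in the paths quoted in this thread.
    [string[]]$Roots = @($env:APPDATA, $env:LOCALAPPDATA)
)

# Index the DLL names that ship in System32; a same-named file beside an EXE shadows them.
$systemDlls = @{}
Get-ChildItem -Path (Join-Path $env:SystemRoot 'System32') -Filter *.dll -File -ErrorAction SilentlyContinue |
    ForEach-Object { $systemDlls[$_.Name.ToLowerInvariant()] = $true }

$findings = foreach ($root in $Roots) {
    # Only executables with a valid Authenticode signature are of interest here.
    Get-ChildItem -Path $root -Filter *.exe -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object { (Get-AuthenticodeSignature -FilePath $_.FullName).Status -eq 'Valid' } |
        ForEach-Object {
            $exe = $_
            # Inspect every DLL in the same directory as the signed executable.
            Get-ChildItem -Path $exe.DirectoryName -Filter *.dll -File -ErrorAction SilentlyContinue |
                ForEach-Object {
                    $sig     = Get-AuthenticodeSignature -FilePath $_.FullName
                    $shadows = $systemDlls.ContainsKey($_.Name.ToLowerInvariant())
                    # Report DLLs that are not validly signed or that shadow a System32 name.
                    if ($sig.Status -ne 'Valid' -or $shadows) {
                        [pscustomobject]@{
                            SignedExe     = $exe.FullName
                            Dll           = $_.Name
                            DllSignature  = $sig.Status
                            ShadowsSystem = $shadows
                        }
                    }
                }
        }
}

$findings | Sort-Object SignedExe, Dll | Format-Table -AutoSize
```

A finding is a prompt for review, not proof of compromise: legitimate applications also ship unsigned helper DLLs alongside their signed executables.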
     
  18. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,874
    Location:
    Outer space
    Afaik v4's Medium is the same as v3.5's High. So Dropbox and Spotify should be able to run with 3.5 on High as well, because Signed applications are allowed to run as Guarded there as well. Only difference is the new MemoryGuard policy. In v4 memory of processes is protected from Guarded processes. In v3.5 the same but there, it's also the other way around, memory from Guarded processes is also protected from UnGuarded processes.

    Good question.
     
  19. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Aalf

    If you want to install something while still set on Medium, you first have to go to the Publishers list and see if the installer lists a publisher. If so, add it to the installers list, being sure the install setting is set to yes. Then the program will install provided the installer doesn't run another exe that isn't by the same publisher.

    BTW I run in lockdown with no trouble at all.

    Pete
     
  20. AaLF

    AaLF Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    986
    Location:
    Sydney
    Hi Pete, understand what you are saying there. But I'm thinking along the lines of the average Sam & Sally who I reckon will just elect for "install". 2 reasons: most if not nearly all don't read instructions, so they'll likely see 'install' & click & install. And nominating 'install' is a lazy way :thumb:

    As for lock down. I haven't been there in 4.0. Just keeping to 'recommended' (medium).

    Am looking forward to AppGuard finally launching. I like it like I used to like Defensewall. (ah, the good ol' days).
     
  21. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    Hi Barb,

    I have noticed that when switching to the Install protection level and unchecking the Re-enable checkbox using the GUI, v4.0 is not remembering the setting following the restart. I don't know whether this is a deliberate change from v3.5 or whether it is a bug in v4.0. For me, the way it works now is less convenient than the way it used to be, which was set once then forget.

    I know I've said this before but I'm going to repeat it: The new tray icon in v4.0 is too small to display the protection level indicator overlays clearly. I would like to see the new tray icon enlarged, but if that is not possible then my preference would be to see a return to the tray icon in v3.5 which does display clearly.

    Kind regards
    pegr
     
  22. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590

    On the auto resume I also don't like the fact that you can't change the time. Sometimes 10 minutes just isn't long enough. Try installing Office Professional, or Quickbooks. 10 minutes just doesn't cut it.

    Pete
     
  23. FleischmannTV

    FleischmannTV Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,093
    Location:
    Germany
    Peter2150, did you see this?

    susptimeout.PNG
     
  24. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    The suspension timeout setting has moved to the Advanced tab in v4.0, as you can see from the screenshot that FleischmannTV has posted. Unlike the auto resume setting which no longer persists across a restart in v4.0, the suspension timeout setting is remembered. I have it set to the maximum value allowed of 1440 minutes as I prefer to re-enable suspended protections manually.
     
  25. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Thanks guys. A big duh on my part. Totally missed it.

    Pete
     