AppGuard 3.x 32/64 Bit

Discussion in 'other anti-malware software' started by shadek, Mar 12, 2011.

Thread Status:
Not open for further replies.
  1. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    It sounds like something is preventing AppGuard from starting. Will you send in a problem report to AppGuard@BLueRidgeNetworks.com and we will follow up via email?
     
  2. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    I'm sorry that you're running into some problems with the new release. I agree we should provide the ability to add dll's to the guard list. We'll address this in an upcoming release. Are the dlls digitally signed? If so, would you try adding the publisher to the trusted publisher list and see if that makes a difference?
     
  3. Dave53

    Dave53 Registered Member

    Joined:
    Feb 23, 2009
    Posts:
    125
    Hi Barb,
    I added Symantec (Norton) as a trusted publisher, but AppGuard still prevented the cceraser.dll, as reported previously by another user in this thread. I had to exclude the Norton folder in C:\Documents and Settings\All Users\Application Data\Norton on WinXP to eliminate this issue.

    Dave
     
  4. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    ntshrui.dll is a component of Windows XP and the publisher is therefore Microsoft Corporation. The file version is 5.1.2600.5512 and is not digitally signed.
     
  5. newbino

    newbino Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    466
    Hi, currently testing AppGuard on my Win 7 x64 rig.

    I have read through the help and (quickly) through this thread, and I must confess I am somewhat in need of orientation.

    My initial question is to confirm that the following apps should be added to the guarded apps list: at a minimum, other browsers (eg, in my case Palemoon) and email clients (Thunderbird). Then possibly media players and pdf readers. Anything else?

    Also, I noticed that someone raised the issue of switching the default setting of MemRead for Guarded Apps to YES, but I haven't seen a definite answer on this by Barb and Eirik - apologies if I missed it.

    I'll probably be back with some more questions :)

    thanks
     
    Last edited: Oct 17, 2011
  6. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    Yes, you should probably add your other browsers, email clients, media readers and pdf readers to the guard list - basically anything that you use to access files from outside sources. Note that when you launch another application from a Guarded application, it will also be automatically guarded so that may reduce the number of applications that you need to add to Guard List.

    I'm sorry but I don't recall any issue with switching the default setting of MemRead for Guarded Apps. Can you elaborate?
     
  7. newbino

    newbino Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    466
    Thanks Barb for your reply.
    I traced the references:
    link

    and here
    link

    To rephrase my original question: is it recommended, and if yes, why this default NO? ;)
     
  8. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    Some more on AppGuard and DLLs - AppGuard is preventing either regsvr32.exe or rundll32.exe from accessing these dlls because they are in user-space. AppGuard's default policy Guards rundll32.exe in locked down mode only and regsvr32.exe in medium and above. If you're seeing other behavior (such as blocking rundll32.exe in all levels), it may be because you upgraded from a previous version of AppGuard which had rundll32.exe guarded at medium and above in the default policy. Since I got the same error as Dave (rundll32.exe could not access cceraser.dll in high protection level) on my home PC, I will do some more investigation and report back tomorrow.

    PEGR, I've also inquired about adding dll's to the Guard list and the developer indicated that it was not feasible (I'm not convinced and will ask him again - this was a quick hallway discussion), but he will be able to allow signed dll's to be executed by rundll32.exe and regsvr32.exe in a future release.

    I also want to find out what the rationale was for guarding rundll32.exe in locked down only while guarding regsvr32.exe in medium and above. I'm not sure why there is an inconsistency (perhaps regsvr32.exe is considered more vulnerable?).

    Anyway, more to come on this matter...
     
  9. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    Thanks for the refresher. I think that in general it is recommended, but in our beta we did find that it interfered with some applications (at least Google Chrome on 64 bit machines) so we elected to not set to yes by default. At the time of the release, we felt that we did not receive enough feedback to change the policy to enforce MemoryRead for all Guarded applications. We elected to not enforce this feature thinking that it might lead to some frustration for our less experienced users.

    BTW, Locked Down protection level is not set to automatically enforce Memory Read as Eirik indicated that it might in a future release. It now enforces Memory Read as configured.
     
  10. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
    Ah, didn't know that. Eirik needs to go set in the corner for a timeout.
     
  11. Brocke

    Brocke Registered Member

    Joined:
    Mar 16, 2008
    Posts:
    2,311
    Location:
    USA,IA
    It would be kinda nice to have some kind of wizard that would help a user add exceptions for apps, on what to set and really do. I mean, I know how to use AG, but most people would have a hard time.
     
  12. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    I tried unguarding both regsvr32.exe and rundll32.exe but it made no difference, so I don't think that's what's causing the DLL blocking problem on Windows XP. In any case, the blocking events make no mention of regsvr32.exe or rundll32.exe.

    Using the example of ntshrui.dll reported as blocked whenever Internet Explorer is closed, the strange thing is that ntshrui.dll is located in c:\windows\system32\, not in user space - unless of course Internet Explorer runs it from user space on exiting, but I can't see why it would need to do that.

    Is it possible that this behaviour is due to a bug in AppGuard?
     
  13. ruinebabine

    ruinebabine Registered Member

    Joined:
    Aug 6, 2007
    Posts:
    1,096
    Location:
    QC
    Could someone tell me if it would be a good idea to add javaw.exe to the list of guarded programs?

    I also ask because I use JDownloader and it starts with this command line:
    Code:
    "C:\Program Files\Java\jre6\bin\javaw.exe" -Xmx512m -jar "C:\Progs\JDownloader\JDownloader.jar"
    Or maybe there is a better way to guard this downloader?
     
  14. Brocke

    Brocke Registered Member

    Joined:
    Mar 16, 2008
    Posts:
    2,311
    Location:
    USA,IA
    pegr and PETE, you guys helped me set Sandboxie up with AppGuard. Thank you, all is working well.
     
  15. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    That's good to know. :)

    Regards
     
  16. Brocke

    Brocke Registered Member

    Joined:
    Mar 16, 2008
    Posts:
    2,311
    Location:
    USA,IA
    Anyone know what should be added to the exclusions list for Panda Cloud AV PRO to work well?
     
  17. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Glad we could help
     
  18. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590

    Hi Brock

    I don't run Panda or any av, but just look at the messages when you open Appguard, and if anything is being blocked then add that.

    Pete
     
  19. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    I don't currently have PCAV installed so I can't remember the names of the PCAV processes; but I would suggest adding all of the PCAV real-time processes to the MemoryGuard exclusion list. You can easily get a list of them using Process Explorer. As Panda use signed executables, I would also suggest adding Panda Security to the Trusted Publishers list.

    As Peter2150 said, also keep an eye on the AppGuard blocking messages to see if anything Panda related is getting blocked.
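
The inventory step suggested in the post above, as an added example that is not part of the original thread and not AppGuard's own tooling: it lists running processes whose Authenticode signer matches a publisher, which gives both the process paths to consider for the MemoryGuard exclusion list and the publisher string to compare against the Trusted Publishers list. The `*Panda*` pattern, the function name and the parameter names are assumptions for illustration.

```powershell
# Added example: inventory running processes by Authenticode publisher.
param(
    # Assumption: wildcard matched against the signer certificate subject.
    [string]$PublisherPattern = '*Panda*'
)

function Get-SignedProcessInventory {
    param([string]$Pattern)

    Get-Process |
        Where-Object { $_.Path } |              # skip processes whose image path is not readable
        Sort-Object -Property Path -Unique |    # one row per executable, not per instance
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -LiteralPath $_.Path
            # Unsigned files have no signer certificate; record an empty publisher.
            $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            [pscustomobject]@{
                Process   = $_.ProcessName
                Path      = $_.Path
                Status    = $sig.Status         # Valid, NotSigned, HashMismatch, ...
                Publisher = $subject
            }
        } |
        Where-Object { $_.Publisher -like $Pattern }
}

Get-SignedProcessInventory -Pattern $PublisherPattern |
    Format-Table -AutoSize -Wrap
```

Run it from an elevated prompt so the paths of service processes are visible; any row whose Status is not Valid deserves a closer look before its publisher is trusted.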
     
  20. stackz

    stackz Registered Member

    Joined:
    Dec 27, 2007
    Posts:
    648
    Location:
    Sydney Australia
    Running Windows 7 x64

    Can anyone confirm the following:
    * Guarded Apps tab - exception folders is limited to 14 entries
    * Windows Media Player x64 version has no audio unless unguarded
    * Internet Explorer x64 version has no audio (e.g. when watching a flash video) unless unguarded
    Nothing is logged as being blocked for either application.
    There's no problem with their 32 bit counterparts.

    It seems there's a problem similar to what pegr described, where legitimate dlls in the System32 directory are not being loaded when running the 64 bit versions of WMP and IE.
     
  21. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    i am lock down:D
     
  22. Brandonn2010

    Brandonn2010 Registered Member

    Joined:
    Jan 10, 2011
    Posts:
    1,854
    1. What default settings should I change to get a DefenseWall level of protection and ease-of-use?

    2. Any tutorial and tips?

    3. I will be getting Battlefield 3 next week and I would like it to work well. It installs several other things including Punkbuster which I believe behaves like a rootkit; will switching AG to install mode before installing make sure everything works well?

    Thanks!
     
    Last edited: Oct 20, 2011
  23. scotsman

    scotsman Registered Member

    Joined:
    Feb 12, 2010
    Posts:
    11
    Location:
    Buckeye State
    Was just given a notebook with win7 64-bit...use both desktop and notebook for work and using DefenseWall. However, I'm taking a look at Appguard for both machines (can change the desktop to 64-bit). Is anyone aware of any discounts?
     
  24. stackz

    stackz Registered Member

    Joined:
    Dec 27, 2007
    Posts:
    648
    Location:
    Sydney Australia
    At this time, there are no discounts available.
     
  25. scotsman

    scotsman Registered Member

    Joined:
    Feb 12, 2010
    Posts:
    11
    Location:
    Buckeye State
    Thanks stackz! Knew that the price was $24.95 in the spring, then went up. Just e-mailed sales to ask if any discount for 2 licenses vs. 1. Comparing AppGuard to DefenseWall...have a new 64-bit laptop.
     