AppGuard 3.x 32/64 Bit

Discussion in 'other anti-malware software' started by shadek, Mar 12, 2011.

Thread Status:
Not open for further replies.
  1. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    Yes, memory guard exclusions are honored in Locked Down Protection level.
     
  2. chris1341

    chris1341 Guest

    Thanks for the update. Here's hoping! I appreciate the sentiment, your stance is understandable, but it is frustrating that such a good combo works on 32 bit but not 64bit.

    Cheers
     
  3. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
    @pegr, you must have removed your post, but I read the contents in the email notification and agree with you. That was my reasoning for asking, because I've personally found it to not honor it in some cases. I even typed up a reply earlier to that effect but didn't submit it. The most recent evidence for me is still the werfault.exe which I asked about in a previous reply. It's been added, but I still see the alerts from time to time.
     
  4. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,281
    Location:
    UK
    The reason I removed my post is because when I posted it I hadn't spotted that Barb had already answered the question, so I assumed that what I said was incorrect.
     
  5. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
    Ok, thanks. I was hoping you might have some findings of your own. Maybe the next time AG updates I will totally remove the old and install afresh.
     
  6. ruinebabine

    ruinebabine Registered Member

    Joined:
    Aug 6, 2007
    Posts:
    1,097
    Location:
    QC
    Anybody's using Jdownloader with AppGuard ?

    It's the sole app not mixing nicely with AG (Sandboxie also, but that's already documented here, on 7x64), even after tweaking it as well as I can. I have to disable AppGuard to be allowed to start JD; even "install mode" doesn't cut it! Then once it's started I can return to Locked Down without any more problems.

     
  7. newbino

    newbino Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    460
    Slightly OT here, but why don't you try Mipony? I have been running it for a year now; I find it superior to JDownloader, and it runs nicely with AppGuard.
     
  8. ruinebabine

    ruinebabine Registered Member

    Joined:
    Aug 6, 2007
    Posts:
    1,097
    Location:
    QC
    Thanks for the suggestion newbino.
    I downloaded Mipony and will give it a try.
     
  9. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
    Anyone know if this should have some kind of exception made for it?
    Code:
    11/16/11 00:30:30 Prevented process <ppcrlconfig.dll> from launching from <c:\programdata\microsoft\identitycrl\production>.
    
     
  10. manar58

    manar58 Registered Member

    Joined:
    Sep 22, 2011
    Posts:
    75
    ~ VirusTotal Results Removed per Policy ~
    Can you please say what this is?


    Virus in password-protected archive
    Sorry for my poor language.
     
    Last edited by a moderator: Nov 16, 2011
  11. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,739
    Location:
    Canada
    maybe a new virus or false positive;)
     
  12. manar58

    manar58 Registered Member

    Joined:
    Sep 22, 2011
    Posts:
    75
    :D :D
    Thanks, Mr Jmonge.
     
  13. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,739
    Location:
    Canada
    You're welcome :thumb:
     
  14. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
    I'm having a very serious issue with AG. For about the last two weeks, every other day, I get the below:
    Code:
    11/17/11 16:15:38 Prevented <Local Security Authority Process> from writing to <\registry\machine\sam>.
    11/17/11 16:15:38 Prevented <Local Security Authority Process> from writing to <\registry\machine\sam\sam\domains\account\users\000003e8>.
    When the above SAM fails to write changes to the database, I'm pretty much screwed. The first attempt in supplying credentials in the UAC fails. The next attempts have no input textbox for credentials and of course the option to select Yes is grayed out. I have to reboot to correct this. What can I do to prevent this?
     
  15. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,281
    Location:
    UK
    Have you tried uninstalling and reinstalling AppGuard to see if this corrects the problem?

    In case a policy file is corrupt, you should also delete the two AppGuardPolicy.xml files before reinstalling. They are located in the user profiles: one within your own user profile and the other within the All Users profile. You might need to enable the option to display hidden files to see them.
     
  16. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    Is the process that is having the problem on the Guard List? Is it in User Space?
     
  17. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
    I would assume that it is a system file, which means I would not have it guarded.

    Here are the events in order. The first one is baffling, since there is plenty of disk space and memory. I'm guessing all are related to this, but the last few may just be a result of the first error, in that they are not able to restart/function.
    Code:
    Log Name:      System
    Source:        Microsoft-Windows-Directory-Services-SAM
    Date:          11/17/2011 4:15:38 PM
    Event ID:      12288
    Task Category: None
    Level:         Error
    Keywords:      
    User:          SYSTEM
    Computer:      Seven-PC
    Description:
    SAM failed to write changes to the database. This is most likely due to a memory or disk-space shortage. The SAM database will be restored to an earlier state. Recent changes will be lost. Check the disk-space available and maximum pagefile size setting.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-Directory-Services-SAM" Guid="{0D4FDC09-8C27-494A-BDA0-505E4FD8ADAE}" />
        <EventID>12288</EventID>
        <Version>0</Version>
        <Level>2</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8000000000000000</Keywords>
        <TimeCreated SystemTime="2011-11-17T22:15:38.417968700Z" />
        <EventRecordID>134917</EventRecordID>
        <Correlation />
        <Execution ProcessID="572" ThreadID="2556" />
        <Channel>System</Channel>
        <Computer>Seven-PC</Computer>
        <Security UserID="S-1-5-18" />
      </System>
      <EventData Name="SAMMSG_COMMIT_FAILED">
        <Binary>220000C0</Binary>
      </EventData>
    </Event> 
    Code:
    Log Name:      System
    Source:        Microsoft-Windows-Directory-Services-SAM
    Date:          11/17/2011 4:15:38 PM
    Event ID:      12289
    Task Category: None
    Level:         Error
    Keywords:      
    User:          SYSTEM
    Computer:      Seven-PC
    Description:
    SAM failed to restore the database to an earlier state. SAM has shutdown. You must reboot the machine to re-enable SAM.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-Directory-Services-SAM" Guid="{0D4FDC09-8C27-494A-BDA0-505E4FD8ADAE}" />
        <EventID>12289</EventID>
        <Version>0</Version>
        <Level>2</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8000000000000000</Keywords>
        <TimeCreated SystemTime="2011-11-17T22:15:38.621093700Z" />
        <EventRecordID>134918</EventRecordID>
        <Correlation />
        <Execution ProcessID="572" ThreadID="2556" />
        <Channel>System</Channel>
        <Computer>Seven-PC</Computer>
        <Security UserID="S-1-5-18" />
      </System>
      <EventData Name="SAMMSG_REFRESH_FAILED">
        <Binary>220000C0</Binary>
      </EventData>
    </Event> 
    Code:
    Log Name:      System
    Source:        Microsoft-Windows-DistributedCOM
    Date:          11/17/2011 4:20:19 PM
    Event ID:      10005
    Task Category: None
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      Seven-PC
    Description:
    DCOM got error "1069" attempting to start the service stisvc with arguments "" in order to run the server:
    {A1F4E726-8CF1-11D1-BF92-0060081ED811}
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-DistributedCOM" Guid="{1B562E86-B7AA-4131-BADC-B6F3A001407E}" EventSourceName="DCOM" />
        <EventID Qualifiers="49152">10005</EventID>
        <Version>0</Version>
        <Level>2</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2011-11-17T22:20:19.000000000Z" />
        <EventRecordID>134919</EventRecordID>
        <Correlation />
        <Execution ProcessID="0" ThreadID="0" />
        <Channel>System</Channel>
        <Computer>Seven-PC</Computer>
        <Security />
      </System>
      <EventData>
        <Data Name="param1">1069</Data>
        <Data Name="param2">stisvc</Data>
        <Data Name="param3">
        </Data>
        <Data Name="param4">{A1F4E726-8CF1-11D1-BF92-0060081ED811}</Data>
      </EventData>
    </Event> 
    Code:
    Log Name:      System
    Source:        Service Control Manager
    Date:          11/17/2011 4:20:19 PM
    Event ID:      7038
    Task Category: None
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      Seven-PC
    Description:
    The StiSvc service was unable to log on as NT Authority\LocalService with the currently configured password due to the following error: 
    The security account manager (SAM) or local security authority (LSA) server was in the wrong state to perform the security operation.
    
    To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Service Control Manager" Guid="{555908d1-a6d7-4695-8e1e-26931d2012f4}" EventSourceName="Service Control Manager" />
        <EventID Qualifiers="49152">7038</EventID>
        <Version>0</Version>
        <Level>2</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8080000000000000</Keywords>
        <TimeCreated SystemTime="2011-11-17T22:20:19.847656200Z" />
        <EventRecordID>134920</EventRecordID>
        <Correlation />
        <Execution ProcessID="520" ThreadID="364" />
        <Channel>System</Channel>
        <Computer>Seven-PC</Computer>
        <Security />
      </System>
      <EventData>
        <Data Name="param1">StiSvc</Data>
        <Data Name="param2">NT Authority\LocalService</Data>
        <Data Name="param3">%%1352</Data>
      </EventData>
    </Event> 
    Code:
    Log Name:      System
    Source:        Service Control Manager
    Date:          11/17/2011 4:23:29 PM
    Event ID:      7038
    Task Category: None
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      Seven-PC
    Description:
    The TrustedInstaller service was unable to log on as NT AUTHORITY\SYSTEM with the currently configured password due to the following error: 
    The security account manager (SAM) or local security authority (LSA) server was in the wrong state to perform the security operation.
    
    To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Service Control Manager" Guid="{555908d1-a6d7-4695-8e1e-26931d2012f4}" EventSourceName="Service Control Manager" />
        <EventID Qualifiers="49152">7038</EventID>
        <Version>0</Version>
        <Level>2</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8080000000000000</Keywords>
        <TimeCreated SystemTime="2011-11-17T22:23:29.775390600Z" />
        <EventRecordID>134930</EventRecordID>
        <Correlation />
        <Execution ProcessID="520" ThreadID="3492" />
        <Channel>System</Channel>
        <Computer>Seven-PC</Computer>
        <Security />
      </System>
      <EventData>
        <Data Name="param1">TrustedInstaller</Data>
        <Data Name="param2">NT AUTHORITY\SYSTEM</Data>
        <Data Name="param3">%%1352</Data>
      </EventData>
    </Event> 
    Code:
    Log Name:      System
    Source:        Service Control Manager
    Date:          11/17/2011 4:23:29 PM
    Event ID:      7000
    Task Category: None
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      Seven-PC
    Description:
    The Windows Modules Installer service failed to start due to the following error: 
    The service did not start due to a logon failure.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Service Control Manager" Guid="{555908d1-a6d7-4695-8e1e-26931d2012f4}" EventSourceName="Service Control Manager" />
        <EventID Qualifiers="49152">7000</EventID>
        <Version>0</Version>
        <Level>2</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8080000000000000</Keywords>
        <TimeCreated SystemTime="2011-11-17T22:23:29.775390600Z" />
        <EventRecordID>134931</EventRecordID>
        <Correlation />
        <Execution ProcessID="520" ThreadID="3492" />
        <Channel>System</Channel>
        <Computer>Seven-PC</Computer>
        <Security />
      </System>
      <EventData>
        <Data Name="param1">Windows Modules Installer</Data>
        <Data Name="param2">%%1069</Data>
      </EventData>
    </Event> 
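The two log sources quoted in the posts above (the AppGuard "Prevented ... from writing to <\registry\machine\sam>" lines and the System event log XML for SAM events 12288/12289 and the Service Control Manager 7038 logon failures) can be lined up by timestamp to check whether the AppGuard block and the SAM commit failure are the same incident. The script below is an added example written for this page; it is not AppGuard's code and was not posted in the thread. The AppGuard line grammar is inferred from the two line shapes quoted here rather than from vendor documentation, the local-to-UTC offset of -6 hours is an assumption taken from the thread's own timestamps (4:15:38 PM local vs 22:15:38Z), and the sample inputs are constructed from the lines posted above, trimmed to the fields the code uses.

```python
"""Correlate AppGuard 'Prevented ...' lines with Windows System log events.

Added example, not AppGuard's code. Line grammar and the UTC offset are
assumptions inferred from the thread; sample inputs are constructed.
"""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

LOCAL_UTC_OFFSET = timedelta(hours=-6)  # assumed: local = UTC - 6h on the poster's machine
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
SAM_PROVIDER = "Microsoft-Windows-Directory-Services-SAM"
SCM_PROVIDER = "Service Control Manager"
SAM_WRONG_STATE = "%%1352"  # SCM insert in the thread's 7038 events: SAM/LSA "in the wrong state"

# Constructed sample: AppGuard status lines as quoted in the thread.
APPGUARD_LOG = r"""
11/16/11 00:30:30 Prevented process <ppcrlconfig.dll> from launching from <c:\programdata\microsoft\identitycrl\production>.
11/17/11 16:15:38 Prevented <Local Security Authority Process> from writing to <\registry\machine\sam>.
11/17/11 16:15:38 Prevented <Local Security Authority Process> from writing to <\registry\machine\sam\sam\domains\account\users\000003e8>.
"""

# Constructed sample: the thread's System-log events, trimmed to the fields used here.
SYSTEM_LOG_XML = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
 <Provider Name="Microsoft-Windows-Directory-Services-SAM"/><EventID>12288</EventID>
 <TimeCreated SystemTime="2011-11-17T22:15:38.417968700Z"/></System>
 <EventData Name="SAMMSG_COMMIT_FAILED"><Binary>220000C0</Binary></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
 <Provider Name="Microsoft-Windows-Directory-Services-SAM"/><EventID>12289</EventID>
 <TimeCreated SystemTime="2011-11-17T22:15:38.621093700Z"/></System>
 <EventData Name="SAMMSG_REFRESH_FAILED"><Binary>220000C0</Binary></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
 <Provider Name="Service Control Manager"/><EventID Qualifiers="49152">7038</EventID>
 <TimeCreated SystemTime="2011-11-17T22:20:19.847656200Z"/></System>
 <EventData><Data Name="param1">StiSvc</Data><Data Name="param2">NT Authority\\LocalService</Data>
 <Data Name="param3">%%1352</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
 <Provider Name="Service Control Manager"/><EventID Qualifiers="49152">7038</EventID>
 <TimeCreated SystemTime="2011-11-17T22:23:29.775390600Z"/></System>
 <EventData><Data Name="param1">TrustedInstaller</Data><Data Name="param2">NT AUTHORITY\\SYSTEM</Data>
 <Data Name="param3">%%1352</Data></EventData></Event>
</Events>
"""

# Both line shapes seen in the thread: "Prevented process <x> from launching from <dir>."
# and "Prevented <x> from writing to <registry path>."
AG_LINE = re.compile(
    r"^(?P<ts>\d\d/\d\d/\d\d \d\d:\d\d:\d\d) Prevented (?:process )?<(?P<subject>[^>]+)> "
    r"from (?P<action>launching from|writing to) <(?P<target>[^>]+)>\.$"
)


def parse_appguard(text):
    """Return one dict per 'Prevented' line; timestamps are naive local time."""
    out = []
    for line in text.splitlines():
        m = AG_LINE.match(line.strip())
        if m:
            out.append({"ts": datetime.strptime(m["ts"], "%m/%d/%y %H:%M:%S"),
                        "subject": m["subject"], "action": m["action"],
                        "target": m["target"].lower()})
    return out


def parse_win_time(s):
    """SystemTime has 100 ns resolution and a Z suffix; keep microseconds, mark as UTC."""
    base, _, frac = s.rstrip("Z").partition(".")
    dt = datetime.strptime(base, "%Y-%m-%dT%H:%M:%S")
    return dt.replace(microsecond=int((frac + "000000")[:6]), tzinfo=timezone.utc)


def parse_win_events(xml_text):
    """Return provider, id, UTC timestamp and named EventData fields for each <Event>."""
    out = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        sys_el = ev.find("e:System", NS)
        data = {d.get("Name"): (d.text or "") for d in ev.findall("e:EventData/e:Data", NS)}
        out.append({"provider": sys_el.find("e:Provider", NS).get("Name"),
                    "event_id": int(sys_el.find("e:EventID", NS).text),
                    "ts": parse_win_time(sys_el.find("e:TimeCreated", NS).get("SystemTime")),
                    "data": data})
    return out


def correlate(ag_events, win_events, utc_offset=LOCAL_UTC_OFFSET,
              window=timedelta(seconds=2), follow=timedelta(minutes=10)):
    """For each AppGuard block of a write under the SAM hive, collect SAM provider
    errors within `window` and SCM 7038 'wrong state' logon failures within `follow`."""
    chains = []
    for ag in ag_events:
        if ag["action"] != "writing to" or not ag["target"].startswith(r"\registry\machine\sam"):
            continue
        ag_utc = (ag["ts"] - utc_offset).replace(tzinfo=timezone.utc)
        sam = [w for w in win_events
               if w["provider"] == SAM_PROVIDER and abs(w["ts"] - ag_utc) <= window]
        if not sam:
            continue
        failed = [w["data"]["param1"] for w in win_events
                  if w["provider"] == SCM_PROVIDER and w["event_id"] == 7038
                  and w["data"].get("param3") == SAM_WRONG_STATE
                  and ag_utc <= w["ts"] <= ag_utc + follow]
        chains.append({"blocked": ag["target"], "at_utc": ag_utc,
                       "sam_event_ids": sorted(e["event_id"] for e in sam),
                       "failed_logons": failed})
    return chains


if __name__ == "__main__":
    for c in correlate(parse_appguard(APPGUARD_LOG), parse_win_events(SYSTEM_LOG_XML)):
        print(f"{c['at_utc']:%Y-%m-%d %H:%M:%S}Z blocked write to {c['blocked']} -> "
              f"SAM events {c['sam_event_ids']}, then failed logons {c['failed_logons']}")
```

On real data, replace SYSTEM_LOG_XML with the XML exported from Event Viewer (wrapped in one root element) and APPGUARD_LOG with the lines copied from the AppGuard status dialog before the reboot clears them; the two-second window is deliberately narrow, because the point is to show that the block and the SAM commit failure share a timestamp, not merely that both happened the same day.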
     
  18. stackz

    stackz Registered Member

    Joined:
    Dec 27, 2007
    Posts:
    645
    Location:
    Sydney Australia
    Though it caused no problem, it's a rather unusual destination path - some sort of parsing error?
     
  19. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    I'm going to ask one of the developers to look at this, but before I do, can you tell me what the name of the process (<Local Security Authority Process>) is? An easy way to do this is to select the event in the AppGuard Status dialog, right click on it and click on "Ignore Message". The "Ignore Message" dialog will display the name of the process. Simply click on "Cancel" afterwards (so that you don't actually ignore the message). Thanks!
     
  20. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    Thanks, I'll refer it to one of the developers.
     
  21. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
    AG log is cleared on reboot. Remember, I've lost all elevation privileges when this happens and have to reboot. I'm quickly approaching the time for it to happen again. My best guess on this is going to be lsass.exe
     
  22. Ashanta

    Ashanta Registered Member

    Joined:
    Aug 21, 2007
    Posts:
    702
    Location:
    Europe
    Hi,

    I can't shut down my computer with AppGuard under Vista Business 32-bit.

    In the Event Viewer I have 3 errors related to this shutdown trouble.

    How can I fix these errors?

    Code:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-CertificateServicesClient" Guid="{73370bd6-85e5-430b-b60a-fea1285808a7}" />
        <EventID>2</EventID>
        <Version>0</Version>
        <Level>4</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8000000000000000</Keywords>
        <TimeCreated SystemTime="2011-12-06T12:03:29.238Z" />
        <EventRecordID>1271</EventRecordID>
        <Correlation />
        <Execution ProcessID="1848" ThreadID="1852" />
        <Channel>Application</Channel>
        <Computer>PC-de-Flore</Computer>
        <Security UserID="S-1-5-18" />
      </System>
      <EventData />
    </Event>
    Code:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="BlueRidge AppGuard" />
        <EventID Qualifiers="16384">104</EventID>
        <Level>4</Level>
        <Task>2</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2011-12-06T12:03:15.000Z" />
        <EventRecordID>1270</EventRecordID>
        <Channel>Application</Channel>
        <Computer>PC-de-Flore</Computer>
        <Security UserID="S-1-5-18" />
      </System>
      <EventData>
        <Data>C:\Program Files\Blue Ridge Networks\AppGuard\AppGuardAgent.exe</Data>
        <Data>c:\windows\system32\csrss.exe</Data>
      </EventData>
    </Event>
    Code:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Desktop Window Manager" />
        <EventID Qualifiers="16384">9009</EventID>
        <Level>4</Level>
        <Task>0</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2011-12-06T12:03:04.000Z" />
        <EventRecordID>1269</EventRecordID>
        <Channel>Application</Channel>
        <Computer>PC-de-Flore</Computer>
        <Security />
      </System>
      <EventData>
        <Data>0x40010004</Data>
      </EventData>
    </Event>
     
  23. mag1c

    mag1c Registered Member

    Joined:
    Nov 2, 2011
    Posts:
    41
    This has got to be the best software I added to my security this year!

    Sure saved me from my infected External Hard-Drive loading Malware :)
     
  24. 22ndcitysaint

    22ndcitysaint Registered Member

    Joined:
    Sep 22, 2011
    Posts:
    62
    Location:
    PH
    Hi, I'm a new user of AG. Need help about exclusions.

    AG is blocking netsh.exe which is used by OpenVPN.


    How can I make it work?
     
  25. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
    I can't answer your question, but somehow I'm getting the feeling that all this registry prevention needs some serious tweaking by Blue Ridge. There may be a way to allow ones that are considered trusted but so far, I haven't seen an answer for it outside of not guarding the big three MS processes.
     