AppGuard 3.x 32/64 Bit

Discussion in 'other anti-malware software' started by shadek, Mar 12, 2011.

Thread Status:
Not open for further replies.
  1. AdamL

    AdamL Registered Member

    Joined:
    Jan 17, 2011
    Posts:
    116
    Location:
    France/Fife
    @ Greg S and Barb_C

    I am relieved to find another person with this problem!

    I am leaving my PC on, coming back to it and finding when I enter my password I am getting the following message once I press [Enter]: "The security account manager (SAM) or local security authority (LSA) server was in the wrong state to perform the security operation". I am then forced to force re-start the system.

    In the error log I have;

    Log Name: System
    Source: Microsoft-Windows-Directory-Services-SAM
    Date: 07/12/2011 17:23:49
    Event ID: 12289
    Task Category: None
    Level: Error
    Keywords:
    User: SYSTEM
    Computer: Adam-PC
    Description:
    SAM failed to restore the database to an earlier state. SAM has shutdown. You must reboot the machine to re-enable SAM.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
    <Provider Name="Microsoft-Windows-Directory-Services-SAM" Guid="{0D4FDC09-8C27-494A-BDA0-505E4FD8ADAE}" />
    <EventID>12289</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2011-12-07T17:23:49.961607800Z" />
    <EventRecordID>6002</EventRecordID>
    <Correlation />
    <Execution ProcessID="536" ThreadID="1936" />
    <Channel>System</Channel>
    <Computer>Adam-PC</Computer>
    <Security UserID="S-1-5-18" />
    </System>
    <EventData Name="SAMMSG_REFRESH_FAILED">
    <Binary>220000C0</Binary>
    </EventData>
    </Event>


    Log Name: System
    Source: Microsoft-Windows-Directory-Services-SAM
    Date: 07/12/2011 17:23:49
    Event ID: 12288
    Task Category: None
    Level: Error
    Keywords:
    User: SYSTEM
    Computer: Adam-PC
    Description:
    SAM failed to write changes to the database. This is most likely due to a memory or disk-space shortage. The SAM database will be restored to an earlier state. Recent changes will be lost. Check the disk-space available and maximum pagefile size setting.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
    <Provider Name="Microsoft-Windows-Directory-Services-SAM" Guid="{0D4FDC09-8C27-494A-BDA0-505E4FD8ADAE}" />
    <EventID>12288</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2011-12-07T17:23:49.961607800Z" />
    <EventRecordID>6001</EventRecordID>
    <Correlation />
    <Execution ProcessID="536" ThreadID="1936" />
    <Channel>System</Channel>
    <Computer>Adam-PC</Computer>
    <Security UserID="S-1-5-18" />
    </System>
    <EventData Name="SAMMSG_COMMIT_FAILED">
    <Binary>220000C0</Binary>
    </EventData>
    </Event>

    It is annoying that AppGuard is cleared on restart as I have no way of getting the details.

    What is happening, do you have any news?

    Thanks,

    Adam
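
Added example, not part of the original post and not Blue Ridge code: a Python sketch that parses the event XML quoted above and decodes its `<Binary>` payload. It assumes the first four bytes of that payload are a little-endian NTSTATUS; read that way, `220000C0` is 0xC0000022 (STATUS_ACCESS_DENIED), not one of the memory or disk-space codes the event description suggests. The function name and the short status table are this example's own.

```python
import struct
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Small subset of NTSTATUS values relevant to a failed SAM write.
NTSTATUS_NAMES = {
    0xC0000017: "STATUS_NO_MEMORY",
    0xC0000022: "STATUS_ACCESS_DENIED",
    0xC000007F: "STATUS_DISK_FULL",
    0xC000009A: "STATUS_INSUFFICIENT_RESOURCES",
}
RESOURCE_SHORTAGE = {0xC0000017, 0xC000007F, 0xC000009A}

# Event 12288 as quoted in the post above, trimmed to the fields used here.
SAMPLE_EVENT = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Directory-Services-SAM" Guid="{0D4FDC09-8C27-494A-BDA0-505E4FD8ADAE}" />
<EventID>12288</EventID>
<TimeCreated SystemTime="2011-12-07T17:23:49.961607800Z" />
<Computer>Adam-PC</Computer>
</System>
<EventData Name="SAMMSG_COMMIT_FAILED">
<Binary>220000C0</Binary>
</EventData>
</Event>"""


def decode_sam_event(event_xml):
    """Return the event's key fields plus the decoded status code."""
    root = ET.fromstring(event_xml)
    data = root.find("e:EventData", NS)
    raw = bytes.fromhex(data.findtext("e:Binary", default="", namespaces=NS).strip())
    if len(raw) < 4:
        raise ValueError("Binary payload shorter than one 32-bit status code")
    # Assumption: the first four bytes are a little-endian NTSTATUS.
    status = struct.unpack_from("<I", raw)[0]
    return {
        "event_id": int(root.findtext("e:System/e:EventID", namespaces=NS)),
        "message": data.get("Name"),
        "time": root.find("e:System/e:TimeCreated", NS).get("SystemTime"),
        "status": status,
        "status_name": NTSTATUS_NAMES.get(status, "unknown (0x%08X)" % status),
        "is_error": status >> 30 == 3,  # severity bits 11 mean "error"
        "resource_shortage": status in RESOURCE_SHORTAGE,
    }


if __name__ == "__main__":
    for key, value in decode_sam_event(SAMPLE_EVENT).items():
        print(f"{key}: {value}")
```

A decoded status outside the resource-shortage set is a cue to look for a blocked or denied write rather than at free disk space or pagefile size.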
     
  2. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
    No Adam, I have not heard anything back from them about this. This is similar to my previous reply about the tweaking that needs to be done for registry prevention, if possible. It may be that it's not possible without opening the door for some type of attack.
     
  3. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    Greg and Adam, I've asked the developers to take a look at this issue. I hope to get back an answer soon.
     
  4. Ashanta

    Ashanta Registered Member

    Joined:
    Aug 21, 2007
    Posts:
    702
    Location:
    Europe
  5. apathy

    apathy Registered Member

    Joined:
    Dec 10, 2004
    Posts:
    461
    Location:
    9th Circle of Hell(Florida)
    Hey, I just bought a copy of this program and I got a couple questions.

    Are there any tips to configuring this so that it is air tight or does the high setting do the job?

    I put Firefox Nightly and Chromium in the Guarded apps but when I temporarily disable appguard does the protection for those guarded apps drop?

    Thanks for the help!
     
  6. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    Ashanta, I believe that you've already emailed Blue Ridge directly about your problem (if this is not the case, please let me know). We believe that it is related to using the French version of Windows. We've asked our test department to recreate the problem.


    Greg and Adam, the developers came back with the following questions (forgive me if you've already answered these):

    1. Does it happen when the computer is locked (screen saver) or when you are logged out?
    2. Would you send us your msinfo file at AppGuard@blueridgenetworks.com?
    System Information File
    • Start Menu, select "Run"
    • Type msinfo32.exe, click "OK"
    • In System Info application, select from "File" menu "Save"
    • Name, save (no type change), and email the file
     
  7. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    Thanks for purchasing AppGuard. The "Locked Down" setting is pretty much air tight because it does not allow any applications in user-space (where most malware resides) to run. The High level allows digitally signed applications to execute in user space, but automatically guards and memoryguards them so that they can't be compromised or compromise the system. So in the high case, if there is digitally signed malware located in user-space, AppGuard would allow it to execute, but the malware probably would not be able to cause persistent damage to your PC.
    Yes.
     
  8. AdamL

    AdamL Registered Member

    Joined:
    Jan 17, 2011
    Posts:
    116
    Location:
    France/Fife
    @ Barb_C

    It happens when I am logged out, and I will email the msinfo file now.

    Thanks,

    Adam

     
  9. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    Thanks - still haven't received the msinfo file though.
     
  10. AdamL

    AdamL Registered Member

    Joined:
    Jan 17, 2011
    Posts:
    116
    Location:
    France/Fife
    It has been sent to AppGuard@blueridgenetworks.com as requested. It has a subject of AdamL - WildersSecurity

    I will send it again now.

    Thanks,

    Adam
     
  11. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    Got it - thanks!
     
  12. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
    It happens for me during the middle of day to day putering. I open up an app that requires UAC credentials, the UAC dialog flickers a second or so like something's wrong but it pops up, I enter the password, click OK or hit enter and get the SAM warning/error. I close the UAC dialog, try to open the app again with no place for credentials and the OK button grayed out. msinfo will be on its way in a few.
     
  13. Ashanta

    Ashanta Registered Member

    Joined:
    Aug 21, 2007
    Posts:
    702
    Location:
    Europe

    Hi Barb,

    Oops! I didn't see your message, I'm sorry.

    Yes, I already sent the msinfo32 report to the Support staff.

    It was happening when I logged in. It will be interesting to check the hash file as this program is no longer available.
     
  14. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,784
    Running Appguard 3.2 without any problems alongside others.
    Very happy with Appguard but I do have a question.
    I check for new releases at the vendors websites and all the rest I have installed post the current version, but with Appguard I can not find the current version posted, unless I'm missing it.
    I know when a new version is released it will be posted here but if I don't see the post (I might miss it, the old eyes ain't what they used to be) it would be nice to see what the current version is if it is in plain sight on the web site.
    So am I not looking in the correct place or is it just not there?
     
  15. Dave53

    Dave53 Registered Member

    Joined:
    Feb 23, 2009
    Posts:
    123
    This is where I check periodically:
    http://www.blueridgenetworks.com/support/appguard.php

    Dave
     
  16. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
    In Control Panel mouse options, unchecking "Enable pointer shadow" and applying gets me this
    Code:
    12/15/11 16:41:22 Prevented <Windows host process (Rundll32)> from writing to <\registry\user\s-1-5-21-2916050139-3011366498-894364119-1000\control panel\desktop>.
    
    and prevents the option from being applied. This is just one of quite a few mishaps with the registry protection. I must have tried to apply that mouse option 10 times before I looked at AG's log. Other registry notifications I have set to ignore but still can't help but wonder what legitimate operation is not being carried out due to these blocks.
     
  17. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,784
  18. Brocke

    Brocke Registered Member

    Joined:
    Mar 16, 2008
    Posts:
    2,306
    Location:
    USA,IA
    appguard will show a popup saying there is a new version of AG.
     
  19. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,784
    Good to know, Thanks. :)
     
  20. Dave53

    Dave53 Registered Member

    Joined:
    Feb 23, 2009
    Posts:
    123
    Glad to help. :)
     
  21. Brandonn2010

    Brandonn2010 Registered Member

    Joined:
    Jan 10, 2011
    Posts:
    1,854
    I'm going to be reinstalling Windows soon and was wondering if I will be able to reuse my AppGuard license without any problems.
     
  22. Zyrtec

    Zyrtec Registered Member

    Joined:
    Mar 4, 2008
    Posts:
    534
    Location:
    USA

    No, not at all. You should not have any problems if you reinstall Appguard as I've done it myself without any problems so far [knock on wood]. Thanks Jmonge !!! :thumb:


    Regards.
     
  23. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    :) appguard rocks
     
  24. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,538
    Location:
    Sweden
    What's in the pipeline for the future versions of AppGuard and when can we expect to see the next release? :)
     
  25. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    Greg, this is a result of AppGuard guarding Rundll32.exe in High and Locked Down protection levels because it is often used as an attack vector by malware. Unfortunately (as I think you speculated earlier) if we allow exceptions to the Guard rules we will open security holes. Also, we don't want to overcomplicate the interface and become more like a HIPS system. Anyway, if you temporarily reduce the protection level to medium, you should be able to make your mouse setting persistent.
     