AppGuard 3.x 32/64 Bit

Discussion in 'other anti-malware software' started by shadek, Mar 12, 2011.

Thread Status:
Not open for further replies.
  1. Scott W

    Scott W Registered Member

    Joined:
    Sep 21, 2008
    Posts:
    659
    Location:
    USA
    Would any of you AppGuard users know if it (and especially its MBRGuard) is compatible with Rollback Rx?

    Thanks,
    Scott
     
  2. Zyrtec

    Zyrtec Registered Member

    Joined:
    Mar 4, 2008
    Posts:
    534
    Location:
    USA
    Well,

    I cannot speak about Rollback Rx since I don't have it installed on my computer, but I have installed Drive Vaccine PC Restore Plus, which happens to be similar to RB Rx, and it appears to work without any problems with the MBRGuard portion of AppGuard.

    The only problem I had with DV and AppGuard was during the install of DV, since it needs to access the MBR to install properly and AppGuard was protecting it, so I had to momentarily disable MBRGuard to proceed with the installation of DV. I re-enabled MBRGuard once the installation and reboot of DV completed and haven't noticed any problems so far.


    Hope this helps.
     
  3. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
    Had it enabled while using Comodo Time Machine and Eaz-Fix. No problems that I know of. I would disable MBRGuard and reboot for install/uninstall as well as updating the baseline. When any of those operations are complete, re-enable MBRGuard. There are two things in Win 7 that MBRGuard seemed to affect for me, though, and those are System Image Backup/Backup and re-assessment of WEI.
     
  4. LM1

    LM1 Registered Member

    Joined:
    Nov 7, 2004
    Posts:
    40
    I use AppGuard, with MBR Guard enabled, along with Rollback RX without any problems - they work together flawlessly (in the past there were compatibility issues, but they were fixed).
     
  5. Scott W

    Scott W Registered Member

    Joined:
    Sep 21, 2008
    Posts:
    659
    Location:
    USA
    Thanks all. I've already gone through a trial of Faronics Anti-Executable (which seemed to go well), so now (based on your positive feedback) I'll give AppGuard a go to see which I prefer.

    Has anyone else compared the two of them (and would like to share their findings)?

    Scott
     
  6. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,538
    Location:
    Sweden
    Does the latest build of AppGuard support Windows 8 alpha?
     
  7. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    Thanks! We've actually added the feature of allowing signed DLLs to launch in our last Enterprise release. We will most likely include this feature in the next version of Consumer AppGuard.
     
    Last edited: Jan 20, 2012
  8. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    Hi Zyrtec, thanks for taking the time to let us know about these problems.

    The SAM issue has been reported by a few posters and I hope that the test department will concentrate on reproducing this problem next week.

    I've also requested that test recreate the WMP problems as well to see if we can come up with a better solution than having to lower protection whenever you want to view a video. Can you send the events that you are seeing when this happens to AppGuard@blueridgenetworks.com?

    The Symantec issue is a new one that I don't believe was reported previously. Will you also send the events when you see this happening? Is Symantec still able to quarantine the file?
     
  9. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    It does - at least one of our developers installed it on Windows 8. I'm trying to track him down to see if he did anything special to install it or if it just installed "out of the box".
     
  10. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    Greg, thanks for getting back to us. I spoke to the lead developer and his response was that a normal MS app (unless it is an install or some special app or a malware) should not be writing to this registry key. He was wondering if you added any other Microsoft Applications or Services to the Guard List or if this happened during a Windows Update? Also, refresh my memory - what OS are you running on? BTW, if your Event Log still contains the events in question, would you mind sending them to us? Thanks again!
     
    Last edited: Jan 20, 2012
  11. jdsandbe

    jdsandbe Registered Member

    Joined:
    Feb 13, 2011
    Posts:
    13
    On my netbook (Eaz-Fix, XP SP3, Panda Cloud, ZoneAlarm 9.2, Prevx SOL, AppG), with MBR guard enabled everything will run normally, but it will not shut down by itself; I have to force a shutdown. With MBR disabled I have no such problem.

    jdsandbe
     
    Last edited: Jan 20, 2012
  12. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
    Windows 7 Pro. Nothing being installed/updated nor any MS apps added other than Windows Live Mail. W32Time was one of the services for sure.

    One of the Windows Live Mail issues is that it is trying to write to registry\machine\system\controlset001\services

    I would assume WLM is a Microsoft product and whatever it is trying to do is legit? https://www.wilderssecurity.com/showpost.php?p=1965516&postcount=634

    I will reinstall and get some specifics.
     
  13. Zyrtec

    Zyrtec Registered Member

    Joined:
    Mar 4, 2008
    Posts:
    534
    Location:
    USA
    Hi Barb,

    Sorry for the late response. Well, with regard to Symantec Endpoint 12.1, it does quarantine the file without a problem, but it looks like “under the hood” [so to speak] AppGuard is still blocking something related to Symantec.

    The Windows SAM problem that I've seen, with AppGuard blocking me from being able to log in to Windows after the computer resumes from Sleep Mode, is related to AppGuard blocking a legitimate Windows process that seems to kick in when the computer is in Sleep mode. I don't recall the name of this process off the top of my head, but I believe it's been mentioned several times in this same thread.

    As for the WMP issue, I have managed to shut it down by lowering the AppGuard protection level [not the best approach from a security standpoint, but it helps].


    Hope this helps.
     
  14. Brandonn2010

    Brandonn2010 Registered Member

    Joined:
    Jan 10, 2011
    Posts:
    1,854
    I'm having some problems (I think) with AppGuard since I installed Chrome.

    Twice now after allowing scripts for a site with ScriptNo, it would refresh and I would get a RunDLL error for gcswf.dll for Chrome. It is logged in AppGuard, and I noticed it's keeping Chrome from making temporary files.

    Is it because Chrome is stored and launches from my AppData folder? Here is a copy of some of the log.


    01/24/12 00:29:00 Prevented process <googleupdate.exe> from launching from <c:\users\brandon\appdata\local\google\update>.

    01/24/12 00:24:42 Prevented process <Google Chrome> from writing to <c:\windows\temp\fap5ba9.tmp>.

    01/24/12 00:24:42 Prevented process <Google Chrome> from writing to <c:\windows\temp\fap5b84.tmp>.

    Also attached is the RunDLL error.

    01/24/12 00:24:37 Prevented process <Google Chrome> from writing to <c:\windows\rescache\rc0003\rescache.hit>.

    01/24/12 00:24:37 Prevented process <Windows host process (Rundll32)> from writing to <c:\windows\rescache\rc0003\rescache.hit>.

    01/24/12 00:24:37 Prevented process <gcswf32.dll> from launching from <c:\users\brandon\appdata\local\google\chrome\application\16.0.912.77>.

    01/24/12 00:24:26 Prevented process <Google Chrome> from writing to <c:\windows\rescache\rc0003\rescache.hit>.

    01/24/12 00:24:23 Prevented process <Google Chrome> from writing to <c:\windows\rescache\rc0003\rescache.hit>.

    01/24/12 00:16:10 Prevented process <Google Chrome> from writing to <c:\windows\temp\fap8d6d.tmp>.

    01/24/12 00:16:04 Prevented process <gcswf32.dll> from launching from <c:\users\brandon\appdata\local\google\chrome\application\16.0.912.77>.
     


  15. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,538
    Location:
    Sweden

    Yes, you need to uninstall Chrome. Remove all temp-data and install: http://www.google.com/apps/intl/en/business/chromebrowser.html

    That solved my similar problems with Chrome and AppGuard. :) The problem is, as you correctly claim, caused by Chrome running from UserSpace. The above installer will install Chrome in System Space. Just make sure to remove all traces of Chrome in UserSpace before installing it, though, or you'll keep having the same problems.
     
  16. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    Thanks shadek for helping out on this one. I just sent an email recommending the same thing as well as other alternatives (reducing protection level from Locked Down to High, or excluding the appdata google directory from user-space). Both alternatives reduce the protection level slightly so the best solution is to install Chrome in System Space.
     
  17. Brandonn2010

    Brandonn2010 Registered Member

    Joined:
    Jan 10, 2011
    Posts:
    1,854
    I just added the exclusion to the User-Space. How much does this affect protection though? Wouldn't malware have to be in the Chrome folder to run, which it probably wouldn't be?
     
  18. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,538
    Location:
    Sweden
    I wouldn't recommend this, as it makes your browser somewhat vulnerable, or rather, nasties could run from the excluded folder. I'd still suggest you try to install Chrome into System Space using the installer I linked to in post #765.
     
  19. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    Although I agree with shadek - the most secure solution is to run Chrome out of system space - you are correct that with the exclusion you added, the malware would have to run out of that specific directory. That probably does make your browser more vulnerable, but keep in mind that your browser should still be guarded (and so would any processes that it launches - so if malware does land in that directory and your browser launches it, those processes will also be guarded), so although the browser may get attacked and launch malware out of the excluded directory, it still should not be able to alter critical system resources (although I guess it's possible that the malware may attempt to read data from your computer and export it - I don't think AppGuard would block that type of attack - I will ask the developers on Monday about that).
     
  20. Ashanta

    Ashanta Registered Member

    Joined:
    Aug 21, 2007
    Posts:
    702
    Location:
    Europe
    Hi Barb,

    Yes, I'm the right person indeed. Is this trouble not fixed yet? Do you know if other French users are facing this issue?
     
  21. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    We have not had any French users report any issues, but we have had issues with Spanish Windows.
     
  22. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    Thanks Zyrtec. We're still having difficulty recreating the SAM problem. If you haven't done so, will you send the following information to AppGuard@BlueRidgeNetworks.com (please also indicate the date/time of the SAM issue so we can check out the related events):
    1. System Information File
    • Start Menu, select "Run"
    • Type msinfo32.exe, click "OK"
    • In System Info application, select from "File" menu "Save"
    • Name, save (no type change), and email the file
    2. Application Event Log: To generate an AppGuard Windows Event Log file:
    • Control Panel
    • Administrative Tools (may need to be logged in as admin?)
    • Click on 'Event Viewer'
    • Click on to highlight “Application” in left-hand pane, then
    • Event Viewer menu “Action”, select “Save Log File As”
    • Name it, change type to .csv
    • Save and email it

    Regarding AppGuard still blocking something related to Symantec, it is quite possible that even though AppGuard is reporting a block it is not actually blocking Symantec's intended operation. Here's an answer for an AppGuard FAQ that I am working on:

    AppGuard is designed to stop applications from performing high-security-risk activities. These high-security-risk activities are often exploited by malware as entry vectors into the system, and that is why AppGuard blocks these operations – usually with no adverse side effects. These activities may be the result of a legitimate application having been exploited by malware or it may simply be the result of the application programmer not adhering to best programming practices. In the latter case, the legitimate application may be requesting privileges that it really doesn’t require (for instance it may indicate that it requires write access to a system directory when in fact it only requires read access). In this case, AppGuard will block the write access (which is suspicious) and allow the read access to proceed. Fortunately, most of the time, these types of blocks do not result in any side effects even though AppGuard reports the blocking event. Occasionally, where an application actually intends to make changes to the system, such as self-updating programs, AppGuard may block a legitimate action.
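    The blocked events quoted in Brandonn2010's post above, parsed and sorted into the two kinds of block this FAQ draft describes (an executable launched from user space versus a guarded process writing under the Windows directory). This is an added example, not AppGuard's own code; the log format, the `\appdata\` test for user space and the `c:\windows\` test for system space are assumptions drawn from the lines in the thread.

```python
import re
from collections import Counter

# Lines copied from the thread (local timestamps as logged by AppGuard).
SAMPLE_LOG = """\
01/24/12 00:29:00 Prevented process <googleupdate.exe> from launching from <c:\\users\\brandon\\appdata\\local\\google\\update>.
01/24/12 00:24:42 Prevented process <Google Chrome> from writing to <c:\\windows\\temp\\fap5ba9.tmp>.
01/24/12 00:24:37 Prevented process <Google Chrome> from writing to <c:\\windows\\rescache\\rc0003\\rescache.hit>.
01/24/12 00:24:37 Prevented process <Windows host process (Rundll32)> from writing to <c:\\windows\\rescache\\rc0003\\rescache.hit>.
01/24/12 00:24:37 Prevented process <gcswf32.dll> from launching from <c:\\users\\brandon\\appdata\\local\\google\\chrome\\application\\16.0.912.77>.
"""

# Assumed line shape: "<date> <time> Prevented process <name> from <action> <target>."
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) Prevented process "
    r"<(?P<proc>[^>]+)> from (?P<action>launching from|writing to) <(?P<target>[^>]+)>\.$"
)


def parse_events(text):
    """Return one dict per recognised line; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def classify(event):
    """Name the policy a blocked event most likely hit.

    'user-space launch': executable started from a per-user path (assumed:
    anything containing \\appdata\\), which a per-user Chrome install triggers.
    'system write': a guarded app writing under c:\\windows, which the FAQ text
    says is usually a harmless side effect of an over-broad access request.
    """
    target = event["target"].lower()
    if event["action"] == "launching from":
        return "user-space launch" if "\\appdata\\" in target else "other launch"
    return "system write" if target.startswith("c:\\windows\\") else "other write"


def summarize(text):
    """Count blocks per (process, category) and how often each target recurs."""
    events = parse_events(text)
    per_proc = Counter((e["proc"], classify(e)) for e in events)
    targets = Counter(e["target"].lower() for e in events)
    return per_proc, targets
```

    Repeated hits on the same target (here rescache.hit) from both Chrome and the Rundll32 it launched are what the thread's "guarded child process" explanation predicts, while the two launch blocks point at the per-user install rather than at a write.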
     
  23. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    Hi Wilders AppGuard users,

    I wanted to let you know that we finally received the go ahead to do another release of the consumer version in March. This will not be a major revision so anyone that currently has a license will be able to upgrade for free. We hope (don't hold me to it, please) to include at least the following improvements:
    • Apply Trusted Publisher Rules for DLLs
    • Fix "SAM" bug as reported by Zyrtec and Greg S (as long as we are able to recreate it here)
    • Allow entry of path names for exception folders without having to browse (so you can add paths that you don't have permissions to)
    • Add parent process information to the blocking events messages.
    • Support for Windows 8.
    • I hope we can also add support for non-English Windows (but this will definitely be a stretch item).
    I'm soliciting other suggestions from you all and we will try to accommodate as best we can. We will also be looking for people willing to beta test for us as well.
     
  24. Zyrtec

    Zyrtec Registered Member

    Joined:
    Mar 4, 2008
    Posts:
    534
    Location:
    USA

    Hi Barb,

    Thanks for your response. I will follow the steps outlined by you in your post and I'll send the information to the e-mail address you provided.

    By the way, do you guys have plans for an interim AppGuard minor update to address the problems many of us are having?


    Thanks.



    P.S.: I quoted the wrong post, so I edited it to fix it. BTW, it's good to know you guys are working on a minor update of AG.
     
    Last edited: Feb 11, 2012
  25. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
    I'm willing
     