AppGuard 3.x 32/64 Bit

Discussion in 'other anti-malware software' started by shadek, Mar 12, 2011.

Thread Status:
Not open for further replies.
  1. AdamL

    AdamL Registered Member

    Joined:
    Jan 17, 2011
    Posts:
    116
    Location:
    France/Fife
    Hi all,

    I am rather new to AppGuard and I am getting this error;

    04/04/11 18:20:43 Prevented process <Google Chrome> from writing to <c:\program files (x86)\google\chrome\application\dictionaries\en-us-1-2.bdic>.

    Protection level is set to High.

    Do you know why this happened?

    Thanks,

    Adam :)
     
  2. 1000db

    1000db Registered Member

    Joined:
    Jan 9, 2009
    Posts:
    718
    Location:
    Missouri
    If Chrome was guarded then it would be denied access to Program Files.
     
  3. Dave53

    Dave53 Registered Member

    Joined:
    Feb 23, 2009
    Posts:
    123
    On Blue Ridge Network's website it states the following for AppGuard:

    "Surf, Search, Shop, and Bank Online Safely"

    Does this mean that programs like Prevx Safe Online or Trusteer Rapport are not necessary if you are running AppGuard? It would be nice to know since AppGuard reportedly interferes with these programs.
     
  4. 1000db

    1000db Registered Member

    Joined:
    Jan 9, 2009
    Posts:
    718
    Location:
    Missouri
    No it doesn't mean that those programs are unnecessary. AG doesn't interfere with processes within the browser unless they try to inject themselves into other processes. Prevx SO and Trusteer work directly within the context of the browser. AG may indeed interfere with Trusteer but I use Prevx SO with AG without any problems at all. In fact, they form a formidable pair. :thumb:
     
  5. Dave53

    Dave53 Registered Member

    Joined:
    Feb 23, 2009
    Posts:
    123
    Thanks for your feedback 1000db. I'm glad to know that Prevx SO is working properly with AG. Do you add Prevx SO to the Application Exception list in AG?
     
  6. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    My experience is that AG prevents Prevx from writing to the memory of the browser process, even though it has been added to the MemoryGuard exception list.

    It is true that Prevx SO appears to behave normally but the question is whether or not it still provides full protection against installed malware with MemoryGuard enabled. The only way to answer that would be to perform a set of tests similar to those carried out by MRG using live malware.
     
  7. 1000db

    1000db Registered Member

    Joined:
    Jan 9, 2009
    Posts:
    718
    Location:
    Missouri
    I agree that the most accurate way to tell is to have a professional group like MRG test it. However, with the available testing application SO seems to function as normal; blocking keylogging, screen captures, etc. without any interference from AG. I guess in other words I have had no reason to think SO isn't working. :doubt:
     
  8. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    You're probably right that MemoryGuard blocking of Prevx hasn't had any adverse effect on SO; still it would be nice to be sure. Even if it has, I would think that having AppGuard installed makes it less likely that the infection would occur in the first place. I would like to see MRG include AppGuard in their tests in order to find out how effective AppGuard is at preventing banking malware.

    The other aspect to this, which I've already reported to BRN, is that MemoryGuard shouldn't be blocking Prevx if Prevx has been added to the list of trusted applications. If MemoryGuard was allowing Prevx to fully integrate with the browser process, the question about SO effectiveness wouldn't even arise.

    I've had email correspondence with Barb C over this and I believe that the AppGuard engineers are going to try to reproduce this themselves to get to the bottom of what is going on. The only other application where I've seen MemoryGuard ignore entries in the application exception list is Trusteer Rapport. Given that Rapport and SO perform a similar function, I wonder whether it is something about the way these types of browser protection utilities work that is causing the issue. :doubt:

    I guess we'll have to wait and see what BRN say about this.
     
  9. Brocke

    Brocke Registered Member

    Joined:
    Mar 16, 2008
    Posts:
    2,306
    Location:
    USA,IA
    It's been a while; I wonder what they are planning with the possible license changing.
     
  10. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,538
    Location:
    Sweden
    Any new version coming soon to fix the issues with 'install mode' not always working when installing new software (incl. big updates from Windows Update)?
     
  11. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    Yes, I'd like to know that too. I'm also curious to know why the install mode doesn't always work as it should do in the present release.
     
  12. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    Same here with the install mode problem too :D
     
  13. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
    I don't fully understand this Install mode so I won't go as far as to say that it is useless, but I got used to always turning protection off during Windows update. What degree of protection is Install mode over Off?
     
  14. Dave53

    Dave53 Registered Member

    Joined:
    Feb 23, 2009
    Posts:
    123
    I had to turn off AppGuard also to complete the Windows Updates today. I thought that AG was supposed to allow Windows Updates without user intervention. Hopefully they will fix that issue as well.
     
  15. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,538
    Location:
    Sweden
    Correct. AppGuard's install mode doesn't work properly. It's somewhat broken. Windows update won't work with it. Larger installations that include drivers won't work with it either.
     
  16. Antarctica

    Antarctica Registered Member

    Joined:
    Feb 25, 2003
    Posts:
    2,180
    Location:
    Canada

    Same for me, most Updates installed correctly but I had to turn off AppGuard for the remaining three.
     
  17. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    Part of the problem with the Malicious Software Removal Tool in particular is that it seems to install and run from user space, which AppGuard blocks. Something similar may also be happening with some of the other Windows updates.
     
  18. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,538
    Location:
    Sweden
    Yes, there are other service packs for different Microsoft products which require AppGuard to be completely turned off. Also, the problem isn't only isolated to Windows Update. Sometimes when I install games I encounter the problem as well.
     
  19. 3TAMMUZ

    3TAMMUZ Registered Member

    Joined:
    Jan 30, 2009
    Posts:
    38
    The rogue software, MS Removal Tool, just bleached my Win 7 Ultimate x64 under the protection of the Appguard, the Avira Premium Security suite, and the SpyShelter Premium (including the Hitman Pro and all updated well).

    All the software above malfunctioned and even the Appguard got switched off. It wouldn't come back working. I left the Appguard at the medium level. This gave me a painful lesson not to rely fully on those security programs as they advertise themselves at their websites. I use the IE 9, and thus I decided not to use the Sandboxie 3.55 beta due to the conflict with the Appguard. (By the way, the Sandboxie alone runs pretty well with the IE 9 while not running the Appguard).

    Anyhow, I got the disk backed up by the Acronis True Image Home 2011 and will first try to make it normal by using the Malwarebytes. And if that fixes it and my Windows 7 turns out to be OK, I have got to use the Sandboxie alone from now on.
     
  20. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    That must be a nasty one. Did MBAM catch it?
     
  21. stackz

    stackz Registered Member

    Joined:
    Dec 27, 2007
    Posts:
    646
    Location:
    Sydney Australia
    The only way to run AppGuard effectively is on High. Medium level allows guarded execution from user space, but in my testing on Win 7 x64, it permits many undesirable actions, e.g. non-elevated execution of programs in the System32 directory and user space read/write, to name a few. Plenty of room for the current crop of rogues, winlock trojans etc. to do their job.
     
  22. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    That is bad, as it is not wide-range protection then :D
     
  23. 1000db

    1000db Registered Member

    Joined:
    Jan 9, 2009
    Posts:
    718
    Location:
    Missouri
    On medium AG will allow guarded launches but still should prevent the guarded application from accessing system files. The rogue would still run but as guarded, so theoretically no loss of data should have occurred. I would be interested to hear what Barb or Eirik have to say concerning this. I had a similar occurrence many months ago with Sandboxie. I had a rogue install (in the sandbox with rights dropped) but it still ran as if it had correctly installed. After a reboot then a flush of the sandbox all was back to normal. However, until I rebooted I was only partially infected as SB seemed to do its job and contain the threat, but only after reboot. I don't believe, though I can't prove it, that I would have lost any data even though the rogue ran. A similar thing could be happening with AG. On a side note, it would be great if AG would show in the task manager (or somewhere) which running processes are running guarded.
     
  24. Brocke

    Brocke Registered Member

    Joined:
    Mar 16, 2008
    Posts:
    2,306
    Location:
    USA,IA
    That's why the defaults are set to High, not Medium, anymore.
     
  25. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,538
    Location:
    Sweden
    Yeah, but still, how is one to install/uninstall something with settings at 'high'? You have to lower settings for some removal tools/installations to run.

    I believe that is the Achilles heel of AppGuard.
     