AppGuard 3.x 32/64 Bit

Discussion in 'other anti-malware software' started by shadek, Mar 12, 2011.

Thread Status:
Not open for further replies.
  1. Francis93

    Francis93 Registered Member

    Joined:
    Feb 1, 2011
    Posts:
    311
    Yeah, I don't know why. o_O
     
  2. natZONE

    natZONE Registered Member

    Joined:
    Oct 8, 2012
    Posts:
    31
    Location:
    Germany
    These are not blocked Firefox processes but Sandboxie control processus, so add Sandboxie to the allowed PowerApps (i. e. whitelist it) and you're done.
     
  3. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    that's an expert talking there:thumb:
     
  4. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
  5. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    another master:D ;)
     
  6. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    I wish but thanks.Actually natZone may just have provide the answer.
     
  7. Francis93

    Francis93 Registered Member

    Joined:
    Feb 1, 2011
    Posts:
    311
    What do you mean? I can't add the entire folder. If you can see my screenshot, I have Sandboxie executables added in the Application Exception list. Should I just change the settings from 'Write' to 'ReadWrite'?
     
  8. Francis93

    Francis93 Registered Member

    Joined:
    Feb 1, 2011
    Posts:
    311
    The Sandboxie executable only? Or should I include sandboxiedcomlaunch.exe, sandboxierpcss.exe and sandboxiecrypto.exe?
     
  9. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    Its been a while since using SBIE but I had a issue with AppGuard and was able to add the whole sandbox folder.but that was before the new addition of powerapp of AppGuard.

    Try what natZone said and see if that helps any.
     
  10. Francis93

    Francis93 Registered Member

    Joined:
    Feb 1, 2011
    Posts:
    311
    Okay. I just opened Google Chrome. It has the same issue. :doubt:
     
  11. Francis93

    Francis93 Registered Member

    Joined:
    Feb 1, 2011
    Posts:
    311
    I added SbieCtrl.exe to the PowerApps list and it seems that the notifications have ceased.
     
  12. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    Glad you got worked out.:thumb:
     
  13. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,559
    I am experimenting with AppGuard's "Locked Down" Protection Level.

    I have one issue that I have not been able to figure out. What do I need to get rid of this "Event" Message?:

    XX/XX/XX XX:XX:XX Prevented <Firefox> from reading memory of <CTF Loader>.

    This "Event" Message occurs when I open Firefox (sandboxed). Do I really need to do anything to get rid of the "Event" Message? I am able to surf the web while getting this "Event" Message.

    Thanks in Advance.

    Operating System: Windows XP Pro SP3 (32 bit)
     
  14. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
    I have a house full of females, wife and my girls. I work out of town and only come home about every four to six weeks for the weekend and it consumed most of my home time to update five laptops and one desktop. There is no getting them to understand how to do the updates and I never liked having WinUpdates set to auto because of potential crashes after a bad update which of course they would know nothing about how to restore. With AG installed, it was another hoop for them to jump through to disable protection for the update back when AG had to be disabled for WinUpdates to install. In my situation, I'm just miles ahead by using AG on High for them and Locked Down for me. If they can't install something, naturally they are going to call me for the "why isn't this installing?". This way, I know what they are installing and if it's legit, I can let them know how to lower AG's protection for the installation. I know that sounds hard but with my bunch, all they know about PC's is use, use and use. They know nothing about maintain and protect.
     
  15. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,281
    Location:
    UK
    Most MemoryGuard events are harmless. If it isn't stopping anything from working normally, just ignore it. Unless you are using the alternative user input feature of MS Office, I don't think you need CTF Loader (ctfmon.exe) anyway.
     
  16. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,559
    Sometimes I do use East Asian Language Input, but usually only once or twice a month. I just tested whether or not East Asian Language Inputs would be allowed: "High" Protection Level = Yes, "Locked Down" Protection Level = No.

    Any ideas on what I need to do to fix this minor problem?

    Thank in Advance.
     
  17. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,281
    Location:
    UK
    Try adding ctfmon.exe as a PowerApp. If that doesn't work, switch to the default High protection level whenever you want to use the feature. You don't really need to be using Locked Down all of the time anyway.

    I run AppGuard at the High protection level because it is more flexible, provides better overall compatibility with other applications, and causes me the least problems. If you really like using Locked Down for normal use then temporarily switch to High when Locked Down is preventing something from working that you haven't been able to overcome by AppGuard configuration.
     
  18. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,559
    Thanks.

    Earlier, I had tried adding ctfmon.exe (Including Firefox.exe) as PowerApps which didn't solve the problem. I also tried adding Firefox.exe and ctfmon.exe to MemoryGuard's Application Exception List (both ReadWrite) which did not solve the problem.

    With "Full" Protection Level I have not had any issues. I will run in "Full" Protection Level most of the time.
     
  19. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,281
    Location:
    UK
    You definitely don't want to be making exceptions for an Internet-facing application like Firefox, as you will be negating some of the protection of a guarded application. Changing to the default High protection level for normal operation is, as you say, a better option.
     
  20. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,559
    When I first installed AppGuard, I followed all of the recommendations given here:

    https://www.wilderssecurity.com/showpost.php?p=2101597&postcount=1455

    Does anyone know the answer to the question asked in the above link:
    Any other comments on the recommendations in the above link?

    Thanks in Advance.
     
  21. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,281
    Location:
    UK
    MemoryRead events only tend to occur when the protection level is set to Locked Down. You shouldn't be seeing these at the High protection level. AppGuard exceptions should not be made as a matter of routine; the AppGuard events panel will tell you what, if any, exceptions need to be made.

    Regarding Sandboxie, it varies from one system to another, depending on the OS version and where the Sandboxie container folder is located. On my Windows XP system, I run AppGuard and Sandboxie together without any AppGuard exceptions. (Guarded applications have to have write access to the Sandboxie container folder, but I have it located on a RAM disk so it's automatically in extended user space.)

    If, on your system, AppGuard is reporting MemoryGuard write events for sbiectrl.exe then add sbiectrl.exe as a PowerApp in order to ensure that Sandboxie functions properly. If there are no sbiectrl.exe blocked events then there is no need to do anything. The same applies to all of the other Sandboxie executables.
     
  22. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    Sounds like a good stragedy.
     
  23. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    You think it's bad now - just wait until late mid age!
     
  24. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    Not sure how sandboxie works exactly, but if the other processes are called by the sandboxie executable, then there is no need to add the other ones. They will inherit their "powerappness" from the calling app.
     
  25. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    If you are not seeing any anomalies when running Firefox (other than the message), I don't think that you need to worry about it.

    Answering your later posts on this subject (i.e. trying to allow this in Locked Down protection level), I don't believe that there is a way of doing this. Adding CTF Loader as a power application will not allow a Guarded Application to read its memory. The exception that would have to be made would be to not have Firefox memory read protected in Locked Down. Locked Down protection policy enforces Memory read protection on all Guarded applications and is not configurable by the end-user.
     
    Last edited: Oct 10, 2012
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.