AppGuard 3.x 32/64 Bit

Discussion in 'other anti-malware software' started by shadek, Mar 12, 2011.

Thread Status:
Not open for further replies.
  1. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    Change the MemoryGuard exception type to Read/Write or remove the MemoryGuard exception and add Sandboxie to the power applications.
     
  2. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,559
    I checked the Microsoft East Asian Language Input with "Locked Down" Protection Level enabled. I was not able to switch from English Input to Korean Input. When I changed back to "Full" Protection Level, I was able to switch from English Input to Korean Input.
     
  3. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    I'm glad you figured it out. You can remove the Sandboxie applications from the MemoryGuard exception list. By virtue of being a power application they are also MG exceptions.
     
  4. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    LOL, thanks Barb. I have a lot to look forward to then. :eek:
     
  5. Francis93

    Francis93 Registered Member

    Joined:
    Feb 1, 2011
    Posts:
    311
    Removed sandboxierpcss.exe, sandboxiedcomlaunch.exe and sandboxiecrypto.exe from MemoryGuard.

    Added SbieCtrl.exe to PowerApps.

    This is what happened.
     
  6. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    I see the AppGuard alerts, but did it cause any operational errors with Firefox?
     
  7. Francis93

    Francis93 Registered Member

    Joined:
    Feb 1, 2011
    Posts:
    311
    None. I'm using Firefox now and it's running smooth. No bugs, glitches, errors and the like :thumb:
    Will report back if I find any.
     
  8. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,281
    Location:
    UK
    I have discovered what appears to be a couple of bugs with Privacy Mode when the protection level is set to Locked Down.

    One of the features of the Locked Down protection level is that Privacy Mode applies to all guarded applications in the guarded applications list, irrespective of whether the Privacy Mode flags are individually set to Yes or No in the guarded applications list. The Locked Down protection level overrides the user configuration.

    The first bug is that the right-click option from the system tray icon to suspend Privacy Mode for a guarded application only works if the Privacy Mode flag is set to Yes in the guarded applications list; if the Privacy Mode flag is set to No, the option to suspend Privacy Mode for a guarded application in the list doesn't work.

    The second bug is that after Privacy Mode has successfully been suspended for a guarded application that had the Privacy Mode flag set to Yes, Privacy Mode operation subsequently reverts to "As configured" for all applications in the guarded applications list - applying the individual Privacy Mode flag settings - which is inconsistent behaviour.

    Apart from the above mentioned bugs, forcing Privacy Mode to apply to all guarded applications, irrespective of the Privacy Mode flag settings, can lead to undesirable outcomes. I'll give an example to illustrate the point.

    I have the whole of the My Documents folder set as a Private Folder. The only application that I am really concerned about from the privacy aspect is the browser, which has the Privacy Mode flag set to Yes. All the other guarded applications have the Privacy Mode flag set to No.

    At the High protection level this enables the music folder, which is a subfolder within My Documents, to be accessed by iTunes (a guarded application with Privacy Mode set to No) but not by the browser (a guarded application with Privacy Mode set to Yes). This was the desired outcome and the reason for the configuration.

    At the Locked Down protection level iTunes won't launch because it can't find the music library. Either the music folder has to be removed as a Private Folder, making it accessible to the browser; or iTunes has to be removed from the guarded applications list. Neither option results in the desired outcome.

    Bugs aside, I wish that Privacy Mode always worked "As configured" at the Locked Down protection level. IMO Privacy Mode should operate in accordance with user configuration, independently from the protection level.
     
    Last edited: Oct 12, 2012
  9. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    Thanks for the feedback, PEGR. We'll take your suggestions into consideration for the next release.
     
  10. The Red Moon

    The Red Moon Registered Member

    Joined:
    May 17, 2012
    Posts:
    4,051
    Shame there isn't a free version. :'(
     
  11. gery

    gery Registered Member

    Joined:
    Mar 8, 2008
    Posts:
    2,140
    A question here: I am running Avira Premium and OA Premium.
    If I install AG, can I just turn off Avira real-time and use AG and OA real-time?
     
  12. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,281
    Location:
    UK
    Thanks Barb. :thumb:
     
  13. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    5,589
    Location:
    North Carolina, USA
    Hi Barb_C,

    Any update as to the status of this?
     
  14. AaLF

    AaLF Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    986
    Location:
    Sydney
    I want to run Accessories > Command Prompt > scannow.

    ...but AG is blocking it. What is the correct way to get around this? Invoke "install protection level" or adjust via 'customize'?
     
  15. stackz

    stackz Registered Member

    Joined:
    Dec 27, 2007
    Posts:
    645
    Location:
    Sydney Australia
    @Aalf
    * Right click the tray icon and select "Allow User-space Launches" > "Guarded"
    * Once launched, right click and "Disable User-space launch"

    HTH :)
     
  16. AaLF

    AaLF Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    986
    Location:
    Sydney
    Here's the log. I disabled, opened the Command Prompt, typed the command and hit Enter to start the scan - then I went to AG and did as per above.

    10/20/12 18:45:39 Prevented process <System Integrity Check and Repair> from writing to <c:\windows\temp\sfcsqm_14417920.sqm>.
    10/20/12 18:45:39 Prevented process <System Integrity Check and Repair> from writing to <c:\windows\setuperr.log>.
    10/20/12 18:45:39 Prevented process <System Integrity Check and Repair> from writing to <c:\windows\setupact.log>.
    10/20/12 18:45:39 Prevented process <System Integrity Check and Repair> from writing to <c:\windows\temp\coinlog.log>.
    10/20/12 18:45:38 Prevented process <System Integrity Check and Repair> from writing to <c:\windows\system32\driverstore\infcache.2>.
    10/20/12 18:45:38 Prevented process <System Integrity Check and Repair> from writing to <c:\windows\system32\driverstore\infcache.1>.
    10/20/12 18:45:38 Prevented process <System Integrity Check and Repair> from writing to <c:\windows\system32\driverstore\infcache.0>.
    10/20/12 18:45:38 Prevented process <System Integrity Check and Repair> from writing to <c:\windows\system32\driverstore\drvindex.dat>.
    10/20/12 18:45:38 Prevented process <System Integrity Check and Repair> from writing to <c:\windows\system32\driverstore\infstrng.dat>.
    10/20/12 18:45:38 Prevented process <System Integrity Check and Repair> from writing to <c:\windows\system32\driverstore\infstor.dat>.
    10/20/12 18:45:38 Prevented process <System Integrity Check and Repair> from writing to <c:\windows\system32\driverstore\infpub.dat>.
    10/20/12 18:45:38 Prevented process <System Integrity Check and Repair> from writing to <c:\windows\inf\setupapi.app.log>.
    10/20/12 18:34:23 User-space Protection is enabled.
    10/20/12 18:32:39 User-space Protection was suspended.

    Considering the log, was the scan genuine or false?
     
  17. stackz

    stackz Registered Member

    Joined:
    Dec 27, 2007
    Posts:
    645
    Location:
    Sydney Australia
    What operating system are you using? On windows 7 x64, nothing is blocked when I follow my previous directions.
     
  18. AaLF

    AaLF Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    986
    Location:
    Sydney
    Win 7 x64, as per my siggy. Maybe User-space protection suspension for a launch is only good for 10 minutes? (See the times in the log.)
     
    Last edited: Oct 20, 2012
  19. chris1341

    chris1341 Guest

    Yes, it respects the global setting 'Suspension timeout value' which by default is 10 mins but can be changed if you need it to be longer (or shorter) by simply typing in the figure you want on the AppGuard GUI and clicking apply.
     
  20. stackz

    stackz Registered Member

    Joined:
    Dec 27, 2007
    Posts:
    645
    Location:
    Sydney Australia
    User space suspension doesn't apply in this case as the protection was manually re-enabled after SFC was launched.
    Around 11 minutes would be the time for SFC to run on a machine of similar specs to mine.

    Unfortunately I'm unable to reproduce any blocking messages in locked down mode.

    You could always have a look at the CBS.log located in Windir\logs\CBS. You'll need to copy the log to user space to view it, or use an elevated instance of Notepad and then navigate to the log.

    Did the command prompt window notify you of any problems with file integrity after SFC finished running?
     
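    As an added example (not code from this thread, from AppGuard or from any poster), the Python below parses lines in the format of AaLF's log above and relates the blocked writes to the User-space suspension window, which is the question stackz and chris1341 discuss: it reports how long protection was actually suspended, whether it was re-enabled manually before the suspension timeout would have lapsed, and how many blocks fell inside versus after that window. The 10-minute default timeout and the absence of a logged timeout-expiry event are assumptions.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample in the format of the AppGuard log posted above (newest line first).
SAMPLE_LOG = r"""
10/20/12 18:45:39 Prevented process <System Integrity Check and Repair> from writing to <c:\windows\setuperr.log>.
10/20/12 18:45:38 Prevented process <System Integrity Check and Repair> from writing to <c:\windows\inf\setupapi.app.log>.
10/20/12 18:34:23 User-space Protection is enabled.
10/20/12 18:32:39 User-space Protection was suspended.
"""
LINE_RE = re.compile(r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d) (.+)$")
BLOCK_RE = re.compile(r"^Prevented process <(.+?)> from writing to <(.+?)>\.$")

@dataclass
class Event:
    ts: datetime
    kind: str          # "suspended", "enabled" or "blocked"
    process: str = ""
    path: str = ""

def parse_log(text: str) -> list[Event]:
    """Parse AppGuard activity lines; the log is newest-first, so return them oldest-first."""
    events = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%m/%d/%y %H:%M:%S")
        msg = m.group(2)
        if msg == "User-space Protection was suspended.":
            events.append(Event(ts, "suspended"))
        elif msg == "User-space Protection is enabled.":
            events.append(Event(ts, "enabled"))
        else:
            b = BLOCK_RE.match(msg)
            if b:
                events.append(Event(ts, "blocked", b.group(1), b.group(2)))
    return sorted(events, key=lambda e: e.ts)

def analyse(events, timeout=timedelta(minutes=10)):
    # timeout: AppGuard's default suspension timeout is assumed to be 10 minutes.
    start = next(e.ts for e in events if e.kind == "suspended")
    # Assumption: if no re-enable is logged, the suspension lapsed when the timeout expired.
    end = next((e.ts for e in events if e.kind == "enabled" and e.ts > start), start + timeout)
    blocks = [e for e in events if e.kind == "blocked"]
    return {
        "suspended_seconds": int((end - start).total_seconds()),
        "reenabled_before_timeout": end < start + timeout,
        "blocked_during_suspension": sum(1 for b in blocks if start <= b.ts < end),
        "blocked_after_reenable": sum(1 for b in blocks if b.ts >= end),
    }
```

For the sample, protection was suspended for 104 seconds and re-enabled manually well inside the 10-minute window, so every blocked write landed after protection was back on, which is the reading stackz gives above.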
  21. DBone

    DBone Registered Member

    Joined:
    Nov 24, 2010
    Posts:
    1,041
    Location:
    SoCal USA
    Maybe I'm just too simple, but why not turn the protection level to OFF? You know that this is a safe application as you are the one initiating it, so there is no risk.

    That being said, I have found that even the OFF setting still affects the machine. On my W7 x64 SP1 machine, I cannot rerun the Windows Experience Index with AG installed, even when set to OFF.
     
  22. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
    In the past, this was/is due to the MBR guard protection. Disable it, reboot and you should be able to run WEI.
     
  23. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    5,589
    Location:
    North Carolina, USA
    Does the same apply to guarded apps?
     
  24. pablozi

    pablozi Registered Member

    Joined:
    Oct 24, 2010
    Posts:
    215
    Location:
    nowhere
    Can anyone advise how to configure AG to work together with EMET?
     
  25. SLE

    SLE Registered Member

    Joined:
    Jun 30, 2011
    Posts:
    361
    Nothing to configure, it just works ;-)
     