AppGuard 3.x 32/64 Bit

Discussion in 'other anti-malware software' started by shadek, Mar 12, 2011.

Thread Status:
Not open for further replies.
  1. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,281
    Location:
    UK
    Many of the protections can be temporarily suspended from the context menu accessed by a right-click from the AppGuard system tray icon (e.g. lowering the protection level to "Install" in order to install or update software, suspending guarded execution, etc). This still has to be done before a blocked event occurs though; it is by design and is one of the ways in which AppGuard differs from a classical HIPS or anti-executable.

    A classical HIPS/AE in interactive mode would display a prompt that leaves the decision to block or allow with the user. AppGuard does not do this: it automatically blocks any potentially dangerous behaviour that could compromise the security of the trusted enclave. This is similar to the way a classical HIPS functions in policy mode. The purpose of the alert is to notify the user of the action that AppGuard has taken after the behaviour has already been blocked.

    For expert users who like to have full control over the operation of their system, and who have the required level of expertise to make correct security decisions, a classical HIPS/AE may be preferred. For average users who may lack the necessary expertise, the policy restriction approach is preferable because it removes the need for user involvement in decision making. Automatic policy restriction is also better for those expert users who, whilst having the necessary level of expertise to make security decisions, prefer their security programs to operate quietly in the background without them having to get involved in manually shaping the policy.

    Most blocked events are harmless and can be ignored. On the rare occasions that an AppGuard blocked event stops something from working properly, there is sufficient customization available within the program to overcome this.
     
  2. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    AppGuard version 3.4.2.4 is now available for download on http://www.blueridge.com/index.php/products/appguard/consumer. This addresses the issue with MBRGuard on Windows 8. There are no other changes so unless you are using Windows 8 there is no reason to upgrade. For those of you who are using Windows 8, please uninstall the previous version of AppGuard, reboot and then install the new version (and then reboot again!).

    I don't think the release notes have been uploaded to the web site yet (my fault), but they should be there later today.

    Please be patient with us over the next few days. We are in the path of hurricane Sandy. I will try to monitor email and the forum, but given the massive power outages they are predicting I may not have reliable Internet connectivity.

    For others in the path of this historic storm, please be safe!
     
  3. chris1341

    chris1341 Guest

    Perfect timing, think I'll be upgrading this week.

    Any advice to go with Win 8? Can we/should we be guarding Metro Apps for example? I notice Tzuk is saying the AppContainer is good enough.

    Thanks

    Best of luck with that one to you and all at Blue Ridge and anyone else in this thing's path.
     
    Last edited by a moderator: Oct 29, 2012
  4. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,281
    Location:
    Hollow Earth - Telos
  5. Arcanez

    Arcanez Registered Member

    Joined:
    Oct 5, 2011
    Posts:
    404
    Location:
    Event Horizon
    New Appguard Version running great on Windows 8, MBR guard working as intended. IE 10 guarded and inprivate is my new favorite :p

    Thanks blueridgenetworks for your brilliant Support!:thumb:
     
  6. Space Ghost

    Space Ghost Registered Member

    Joined:
    Apr 21, 2011
    Posts:
    87
    Location:
    Ireland
    AppGuard vs Blackhole exploit kit :doubt:
    -http://www.youtube.com/watch?v=K3Ha9ZAS5sg-
     
  7. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    it fails in lockdown mode o_O :doubt:
     
  8. Seven64

    Seven64 Guest

    Don't use flash, what's the verdict?
     
  9. chris1341

    chris1341 Guest

    Hard to tell. The video moves very quickly and the Windows prompts are in Polish but it appears to suggest that in Lockdown AppGuard still allows a rogue AV to run (via Java exploit triggered by Blackhole or termination of AppGuard?).
     
  10. pablozi

    pablozi Registered Member

    Joined:
    Oct 24, 2010
    Posts:
    215
    Location:
    nowhere
    Indeed. The exploit loaded a process into memory and then the LSP was started. What a shame.
     
  11. Brandonn2010

    Brandonn2010 Registered Member

    Joined:
    Jan 10, 2011
    Posts:
    1,853
    Wow. Can someone explain how AppGuard in Locked Down was bypassed?! :eek:
     
  12. pablozi

    pablozi Registered Member

    Joined:
    Oct 24, 2010
    Posts:
    215
    Location:
    nowhere
    That's what we all are waiting for.
    I can understand that it could happen if protection level was set on High, but AG was compromised while working in Locked Down mode. It's a bit weird :(
    But anyway, whatever happened, I believe that the devs are going to fix this soon.
     
    Last edited: Nov 4, 2012
  13. Arcanez

    Arcanez Registered Member

    Joined:
    Oct 5, 2011
    Posts:
    404
    Location:
    Event Horizon
    Since I've known about Appguard I haven't really seen anything get past its protection; you can basically throw anything against Appguard without getting infected.
    That's why I can't really believe the video. I might take a closer look at what he was doing exactly, but in the end you can see Appguard getting terminated and then the rogue launches.
    Appguard has self protection (tamperguard) so actually it shouldn't be terminated.

    I wonder if it makes any difference if you strengthen protection around Java, maybe guard it with Memory protections turned on etc...

    Can anyone test this again in a virtual machine? Would be interesting to see what the actual problem was that got the computer infected.
    ------------------------------------------------------------------------------------------------------------------------------------------------
    So I watched the videos closely and it seems the first thing appearing in memory is a .dll file. Then he continues to paste the malicious URL in the browser and then you can see the original jusched.exe being terminated, and after that you can see a process called javaw.exe popping up. After some more attempts pasting the URL the rogue finally launches. It seems the malware gets through in pieces. That's why he pasted the URL over and over again.


    BTW: In the Publishers tab there's Sun Microsystems which is now Oracle and install is set to allow.
     
    Last edited: Nov 4, 2012
  14. pablozi

    pablozi Registered Member

    Joined:
    Oct 24, 2010
    Posts:
    215
    Location:
    nowhere
    I am wondering how it would be if the javaw.exe process were protected with EMET?
     
  15. stackz

    stackz Registered Member

    Joined:
    Dec 27, 2007
    Posts:
    645
    Location:
    Sydney Australia
    I just tested this same FakeAV in Virtual XP.
    Protection mode: Locked down
    Allowed guarded user-space launches and ran it from the documents folder.
    It successfully terminated AppGuard; in fact it's very good at terminating most things.
    Unfortunately for Mr Malware, the BrnFileLock driver blocks it from writing its start entry, so upon reboot poor FakeAV is dead.
    Even if it didn't block writing the run once start entry, it would not have been able to launch from its user-space directory.
    RIP malware
     
  16. mick92z

    mick92z Registered Member

    Joined:
    Apr 27, 2007
    Posts:
    542
    Location:
    Nottingham
    Well done stackz, :thumb:
    Would it be possible for you to retest in high mode ?
    Also can I ask all other appguard users if they experience any conflicts/problems running appguard in locked down mode. I just switched to locked mode, and I'm getting the following every 2 seconds:

    11/04/12 11:37:03 Prevented <Sandboxie Control> from reading memory of <Firefox>.

    Thanks
     
  17. pablozi

    pablozi Registered Member

    Joined:
    Oct 24, 2010
    Posts:
    215
    Location:
    nowhere
    Stackz,
    Can you please repeat this test with EMET added and javaw.exe protected by EMET?
     
    Last edited: Nov 4, 2012
  18. chris1341

    chris1341 Guest

    Nice testing. The difference between these videos and the real world illustrated. Would be nice though if BRN commented on the termination technique and if they have any plans to address it.

    Adding SbieCtrl.exe to memory guard exceptions or to Power Apps should resolve that.
     
  19. pablozi

    pablozi Registered Member

    Joined:
    Oct 24, 2010
    Posts:
    215
    Location:
    nowhere
    Just follow these instructions:

    • Open the main AppGuard window and click on “Customize…”
    • Switch over to the “Advanced” tab and click on “Add” under the MemoryGuard settings.
    • Navigate to your Sandboxie install location (default is C:\Program Files\Sandboxie).
    • We will be adding the following 3 Sandboxie executables with “Write” permission:
    1. sandboxierpcss.exe
    2. sandboxiedcomlaunch.exe
    3. sandboxiecrypto.exe
    • Now switch over to the “Guarded Apps” tab and click on “Settings…” under Folders.
    • Add your main sandbox folder (the default location is at C:\Sandbox) with Read/Write permissions.

    Source: Technology Explored
     
  20. mick92z

    mick92z Registered Member

    Joined:
    Apr 27, 2007
    Posts:
    542
    Location:
    Nottingham
    Many thanks Chris1341, unfortunately it did not make a difference.

    Many thanks pablozi, but I already had those settings in place.
    It's only when switching from high to locked down that I see the alerts every 3 seconds.

    11/04/12 14:30:54 Prevented <Sandboxie Control> from reading memory of <Firefox>.
    11/04/12 14:30:51 Prevented <Sandboxie Control> from reading memory of <Firefox>.
    11/04/12 14:30:48 Prevented <Sandboxie Control> from reading memory of <Firefox>.
    11/04/12 14:30:45 Prevented <Sandboxie Control> from reading memory of <Firefox>.
    11/04/12 14:30:44 Protection level is set to <locked down>.

    There are no apparent problems, just alerts when I open the Appguard gui.
    I have gone back to high mode. I just don't like the idea of anything interfering with Sandboxie, but I really appreciated your advice :)

     
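The alert pattern reported in the post above (the same pair of programs blocked at a steady interval immediately after a protection-level change) is the signature of a legitimate tool polling another process, not of a one-off block, and it is easy to pick out of an AppGuard activity log with a short script. The following Python is an added example, not part of the original post or of AppGuard itself; the two log-line shapes it parses are the ones quoted in the post, and the thresholds (`min_count`, `max_gap_seconds`) are assumed values chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Sample log lines copied from the post above (AppGuard activity report,
# newest line first, as the GUI lists them).
SAMPLE_LOG = """\
11/04/12 14:30:54 Prevented <Sandboxie Control> from reading memory of <Firefox>.
11/04/12 14:30:51 Prevented <Sandboxie Control> from reading memory of <Firefox>.
11/04/12 14:30:48 Prevented <Sandboxie Control> from reading memory of <Firefox>.
11/04/12 14:30:45 Prevented <Sandboxie Control> from reading memory of <Firefox>.
11/04/12 14:30:44 Protection level is set to <locked down>.
"""

TS = r"(?P<ts>\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})"
# "Prevented <source> from <action> of <target>."
PREVENTED_RE = re.compile(
    TS + r" Prevented <(?P<src>[^>]+)> from (?P<action>.+?) of <(?P<dst>[^>]+)>\.$")
# "Protection level is set to <level>."
LEVEL_RE = re.compile(TS + r" Protection level is set to <(?P<level>[^>]+)>\.$")
ANY_RE = re.compile(TS + r" (?P<rest>.*)$")


def parse_line(line):
    """Parse one activity-report line into a dict; None for blank lines."""
    line = line.strip()
    if not line:
        return None
    for kind, rx in (("prevented", PREVENTED_RE), ("level", LEVEL_RE), ("other", ANY_RE)):
        m = rx.match(line)
        if m:
            event = {k: v for k, v in m.groupdict().items() if k != "ts"}
            event["kind"] = kind
            event["ts"] = datetime.strptime(m["ts"], "%m/%d/%y %H:%M:%S")
            return event
    return {"kind": "unparsed", "ts": None, "raw": line}


def find_repeated_blocks(log_text, min_count=3, max_gap_seconds=5):
    """Group 'Prevented' events by (source, action, target) and report groups
    that repeat at short, regular intervals. Each report entry also records the
    most recent protection-level change before the first repeat, which is the
    context the poster noticed (alerts start right after switching modes)."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines())
              if e and e["ts"] is not None]
    events.sort(key=lambda e: e["ts"])          # put the log into time order
    level_changes = [e for e in events if e["kind"] == "level"]

    groups = defaultdict(list)
    for e in events:
        if e["kind"] == "prevented":
            groups[(e["src"], e["action"], e["dst"])].append(e["ts"])

    report = []
    for (src, action, dst), stamps in groups.items():
        if len(stamps) < min_count:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        gap = median(gaps)
        if gap > max_gap_seconds:
            continue
        preceding = [lc["level"] for lc in level_changes if lc["ts"] <= stamps[0]]
        report.append({
            "src": src, "action": action, "dst": dst,
            "count": len(stamps), "median_gap_s": gap,
            "first": stamps[0], "last": stamps[-1],
            "preceded_by": preceding[-1] if preceding else None,
        })
    return report


if __name__ == "__main__":
    for r in find_repeated_blocks(SAMPLE_LOG):
        print(f"{r['src']} -> {r['dst']} ({r['action']}): {r['count']} blocks, "
              f"every ~{r['median_gap_s']:.0f}s, after level change to "
              f"<{r['preceded_by']}>")
```

On the five lines from the post this reports one group: Sandboxie Control blocked from reading Firefox's memory four times, three seconds apart, starting one second after the level was set to locked down. A steady cadence like that from a known, trusted program points to a polling loop that needs an exception (the MemoryGuard or Power Apps change suggested earlier in the thread) rather than to an attack; a burst from an unrecognised source with no preceding mode change would deserve a closer look instead.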
  21. AaLF

    AaLF Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    986
    Location:
    Sydney
    For LockDown - I just added the above to Power Apps & all is quiet - so far. :thumb:
     
  22. mick92z

    mick92z Registered Member

    Joined:
    Apr 27, 2007
    Posts:
    542
    Location:
    Nottingham
    Very strange, just put lockdown on my desktop, and not a peep from Appguard, yet it has identical settings to the laptop regarding Sandboxie.
    Will have to investigate further.
     
  23. garry35

    garry35 Registered Member

    Joined:
    Jan 20, 2009
    Posts:
    451
    I would like to make a suggestion for future versions. As well as showing in the log window, it would be useful if, when you right-click on a blocked program, there was an option to manage it, e.g. allow the app to be excluded or allowed, and maybe another option to block.
     
  24. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    good idea:thumb:
     
  25. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    I agree. We will consider this feature for the next release.
     