AppGuard 3.x 32/64 Bit

Discussion in 'other anti-malware software' started by shadek, Mar 12, 2011.

Thread Status:
Not open for further replies.
  1. stackz

    stackz Registered Member

    Joined:
    Dec 27, 2007
    Posts:
    646
    Location:
    Sydney Australia
    Just an update to my previous post.
    The AppGuard service is not terminated by this malware. This was just a fault in my testing, in that I didn't disable the VM integration features. It's just the GUI front end that is terminated and prevented from restarting, meaning all you lose is the notifications.
    AppGuard completely restricts the malware's actions.

    As for testing as shown in the YouTube video, I'm unable to reproduce any sort of bypass from any exploit kit. I don't doubt the legitimacy of the video, but do question whether AppGuard's protection was weakened by the presence of the many other commercial rootkits (aka security apps) installed.
     
  2. Space Ghost

    Space Ghost Registered Member

    Joined:
    Apr 21, 2011
    Posts:
    194
    Location:
    Poland
    Full test (with restart)
    -http://www.youtube.com/watch?v=EK8Fx3_Q8dA-
     
  3. Brandonn2010

    Brandonn2010 Registered Member

    Joined:
    Jan 10, 2011
    Posts:
    1,854
    Ha! I knew AppGuard wasn't so easily beat.
     
  4. AaLF

    AaLF Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    986
    Location:
    Sydney
    Can I have some housekeeping tuition plz.

Should I permanently allow the following - when I google "Microsoft(C) Register Server" I get this page

    If 'YES' what words go 'where' in AG?


     
  5. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Hi users! I want AG to default deny any execution from

    C:\ and
    ?:\

    while still allowing execution from

    C:\Program Files
    C:\Windows

    Using XP 32 bit. Is it even possible? Thanks
     
  6. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    Regarding C:\ no, it's not possible. If the protection level is set to Locked Down, AppGuard will deny all launches from user space, but will allow launches from system space. C:\ is a core component of the trusted enclave that AppGuard does not allow to be moved from system space to user space. By default, system space executables run unguarded but untrusted executables can be guarded by adding them individually to the guarded applications list. The best you could achieve is to force any executables in C:\ to run guarded by adding them to the guarded applications list.

?:\ (where ? is any drive letter other than C) on the other hand is automatically part of extended user space, so if the protection level is set to Locked Down, all program launches from ?:\ will be denied by default.

    If the reason for concern regarding C:\ is in case malicious software manages to write itself to system space and execute from there, it's unlikely to happen because of AppGuard's drive-by download protection. Guarded applications are not allowed to write to system space folders. This means that all launches of executables explicitly listed in the guarded applications list, any processes spawned by guarded applications, and any executables launched guarded from user space (if allowed) will not be able to write to system space. The only way an executable is going to launch from the root directory of the system drive is if you've installed it there yourself in which case it is presumed to be trusted. This illustrates the difference between AppGuard and an anti-executable program.
     
    Last edited: Nov 8, 2012
  7. guest

    guest Guest

A long time ago I read that there is going to be a major release soon, AppGuard 4?
Is there any estimated date for this? Is there a "what's new" or something similar?
The 3.x licenses will not be valid for AG v4, right?
     
  8. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
Microsoft Register Server is a legitimate application often used during software installations. Malware may use it to install persistent malicious software, so we Guard it in all Protection levels except for "Install". Unless you are installing software (in which case you should lower the AppGuard protection level to "Install"), you should not allow regsvr32.exe to run unGuarded.
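The launch and write rules pegr laid out above (system space vs. user space vs. extended user space, Locked Down denying user-space launches, the guarded applications list, guarded processes unable to write to system space) and Barb_C's point that regsvr32.exe is guarded at every level except Install, as an added toy model that is not AppGuard's own code. The user-space roots, the behaviour of Install mode and all function names are assumptions made for illustration.

```python
# Added example, not AppGuard's code: a toy model of the launch/write policy
# described in this thread. Folder roots, Install-mode behaviour and function
# names are assumptions; level names "Locked Down" and "Install" come from the thread.
from pathlib import PureWindowsPath

# Assumed user-space roots on the system drive; C:\ itself is trusted enclave.
USER_SPACE_ROOTS = (r"C:\Users", r"C:\Documents and Settings")
ALWAYS_GUARDED = {"regsvr32.exe"}  # guarded at every level except Install


def _under(path: PureWindowsPath, root: str) -> bool:
    r = PureWindowsPath(root)
    return path == r or r in path.parents


def space_of(path: str) -> str:
    """Classify a path as 'system', 'user' or 'extended-user' space."""
    p = PureWindowsPath(path)
    if p.drive.upper() != "C:":
        return "extended-user"          # ?:\ where ? is not the system drive
    if any(_under(p, root) for root in USER_SPACE_ROOTS):
        return "user"
    return "system"                     # C:\ root, Program Files, Windows, ...


def launch_decision(exe: str, level: str, guarded_list: frozenset = frozenset()) -> str:
    """Return 'deny', 'guarded' or 'unguarded' for launching exe at the given level."""
    if level not in ("Locked Down", "Install"):
        raise ValueError("only the two levels named in the thread are modelled")
    name = PureWindowsPath(exe).name.lower()
    if level == "Install":
        return "unguarded"              # assumption: Install relaxes launch restrictions
    if space_of(exe) != "system":
        return "deny"                   # Locked Down: no launches from (extended) user space
    if name in ALWAYS_GUARDED or name in guarded_list:
        return "guarded"                # system-space exe forced to run guarded
    return "unguarded"                  # system-space executables run unguarded by default


def write_allowed(launched_guarded: bool, target: str) -> bool:
    """Guarded processes (and their children) may not write to system space."""
    return not (launched_guarded and space_of(target) == "system")


def simulate(events: list) -> list:
    """Evaluate constructed (kind, path, level) events; 'write' events are by a guarded process."""
    out = []
    for kind, path, level in events:
        if kind == "launch":
            out.append(launch_decision(path, level))
        else:
            out.append("write-ok" if write_allowed(True, path) else "write-blocked")
    return out
```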
     
  9. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    Just wanted to thank PegR for his extensive answer on this subject. Thanks!!!!
     
  10. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    The release of AppGuard 4 has been postponed till early next year. In the mean time the latest version of 3.4 supports Windows 8.

    We haven't determined the pricing for AG v4.0. There may be a nominal fee, but most likely we will be looking to the Wilders forum for some beta testers and if you participate as a beta tester, we will provide you with a license in exchange for your feedback.
     
  11. AaLF

    AaLF Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    986
    Location:
    Sydney
    Thank you. A great security tool. :thumb: May I ask for a guestimate for the Beta 4 launch?
     
  12. garry35

    garry35 Registered Member

    Joined:
    Jan 20, 2009
    Posts:
    479
How does the updating work? Is it auto or manual for version checks? If it's manual it would be useful if there was a button you can click to force an update check.
     
  13. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    It auto checks at every system restart. If a new version is available, a prompt is displayed with a link to the BRN website where you can download and install the new version. The current version information and status is displayed on the About AppGuard screen (right-click on the tray icon and select About...).
     
    Last edited: Nov 8, 2012
  14. roady

    roady Registered Member

    Joined:
    Mar 27, 2005
    Posts:
    262
What happens with auto-executing exploits which are guarded in user space, like for example the C:\<user>\downloads folder, if you lower the protection to "install" for a legitimate program? Can malware execute itself while installing another program in install mode?
     
  15. chris1341

    chris1341 Guest

    It's a question that used to exercise me too but you need to ask what mechanism could instigate the execution of the malware that may be 'lurking' while AppGuard protection is lowered.

    The presence of malware executables on your system does not in itself = infection. The malicious file needs to be executed and that requires a trigger which may be user intervention or malicious script, exploit etc.

Say you stumble across a malicious site and it drops malware via a drive-by. The malicious site needs to either convince you it is safe to execute, in which case AppGuard or anything else not reliant on signatures for that matter won't help, or find a way of auto-executing. AppGuard will deny that auto-execute whether via script or exploit etc.

So if you haven't specifically allowed the executable to run and the mechanism used to auto-execute it has missed its window of opportunity, how would anything 'lurking' when you reduce AppGuard protection launch? Even scripts and exploits need a trigger to load.

    If you're worried run AppGuard in conjunction with a blacklister or HIPS to warn of execution when you reduce AppGuard protection.

    Cheers
     
    Last edited by a moderator: Nov 9, 2012
  16. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    I agree with chris1341. The malware shouldn't get executed even when AppGuard is in Install mode. That said, I would prefer not to have it on the system in the first place, which is why my own preference is always to combine policy restriction with virtualization, especially where web browsing is concerned. I believe that Chris does this too.

    If using a light virtualization program or application sandbox, the question doesn't arise because if configured correctly, a system reboot or deletion of the sandbox contents, respectively, will remove any malware unintentionally downloaded while virtualized.
     
    Last edited: Nov 9, 2012
  17. roady

    roady Registered Member

    Joined:
    Mar 27, 2005
    Posts:
    262
THX for the replies guys....:)
Besides AppGuard, I use Sandboxie too, so I'm a bit covered......
I'm still not convinced though about the install mode.......:D

What if that trigger is the awareness, or memory read of a certain app, or getting access to a certain .dll or .exe in a system folder?

Although install mode is probably indispensable for a correct install, I would be happy if install mode could be coupled to the trusted vendor list, so that only the trusted program can be executed, be it partially in user space or system space...... without lowering the protection.... ATM, I prefer to move a (scanned) installer from a trusted vendor to system space to execute and see how far I can get without errors, before I lower my AppGuard settings....
     
  18. chris1341

    chris1341 Guest

It would have to be running though I suppose to listen for those events, or at least have been allowed to run previously to set up a scenario where it can intercept the actions you suggest. No?

If you're running SBIE as well, most likely anything nasty has been deleted when you closed the Sandbox. Other exploits that run in memory are transient unless they can write to the real disc, so are likely gone as well.

    A quick scan with MBAM or Hitman of any direct access folders you have in SBIE before lowering AppGuard protection might give you extra confidence. If you don't have any Direct Access you'd need to have let the malware out, no?

    Also there are light virtualisation apps like Shadow Defender, Returnil, Toolwiz etc you could invoke before lowering protection so you can see for yourself what happens when you lower protection before doing it 'for real' I suppose.

    In general I agree being able to say 'right click' and trust an installer without lowering protection would be a good enhancement.

    Cheers
     
  19. roady

    roady Registered Member

    Joined:
    Mar 27, 2005
    Posts:
    262
So, it isn't possible for a malware writer to write an auto-execute script that tries to trigger itself on scheduled time intervals, like let's say, every 5 minutes?

That's my point......;)
     
  20. AaLF

    AaLF Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    986
    Location:
    Sydney
    Wouldn't that generate a barrage of 'pink alerts'?
     
  21. chris1341

    chris1341 Guest

Very clearly it is possible. What I'm asking you to consider is how would it set up a routine to auto-execute while full AppGuard protection was enabled? We are after all talking about a situation where AppGuard prevents infection in real time only to be undone by install mode.

Any auto-execute still needs to use in-built Windows functions to start, usually because a previous execution, via an exploit running in memory or whatever, has set that up. Again, a file that contains auto-execute code won't/can't enforce that unless it has been run first or something else run that sets up a scenario where the malicious file is called. It doesn't just happen because a file contains the right code.

Similarly, how is a task scheduled so that it tries to run that script every 5 minutes? Likely any script that set that up would call cscript.exe or wscript.exe, which are specifically restricted by AppGuard. At any rate the malware cannot create that schedule unless it has been run/executed.

It's really about whether you accept that AppGuard has done its job while it was active (i.e. before you reduced the protection level to install) and blocked unguarded execution. If you do then, like me, you think the most that could have happened is a file is dropped to your system somewhere in user space. AppGuard should then prevent that file from setting up any auto-execute procedure, stop anything that allows that file to be called on schedule, and prevent a procedure being set up to trigger the malware when an event/program calls it, simply by preventing its execution.

    If you don't accept AppGuard will prevent that behaviour then you need to mitigate against what you perceive as a weakness.

    Cheers
     
    Last edited by a moderator: Nov 10, 2012
  22. roady

    roady Registered Member

    Joined:
    Mar 27, 2005
    Posts:
    262

I don't need to...... after reading your last reply, it's all clear to me now.
I'm no malware analyst, nor a security expert, so I tried to get maximum protection against worst case scenarios.
Your last post makes it pretty clear that there's no actual weakness and that I have nothing to worry about, so I wanna thank you for your patience and your clear answers.....:)
     
  23. Brocke

    Brocke Registered Member

    Joined:
    Mar 16, 2008
    Posts:
    2,306
    Location:
    USA,IA

For the people who paid for a license back when it was always lifetime, before the changes, does the lifetime still apply or will we have to pay also? I'm just curious :)
     
  24. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
  25. Brocke

    Brocke Registered Member

    Joined:
    Mar 16, 2008
    Posts:
    2,306
    Location:
    USA,IA
Ah, thanks for the post. Let's hope more details will come :) Thank you.
     