AppGuard 3.x 32/64 Bit

Discussion in 'other anti-malware software' started by shadek, Mar 12, 2011.

Thread Status:
Not open for further replies.
  1. Bigabe

    Bigabe Registered Member

    Joined:
    Feb 12, 2011
    Posts:
    58
Yea, and it would be very nice if you could see in the log which .exe makes a problem. For example, Blizzard has 3 different updaters and user agent.exe on my system. Now the warning is: User Agent isn't allowed to write to Blizzard updater. Which one? I had to exclude all three to define which had a problem.
    It would be nice to right-click and see the executables file path.
     
  2. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,872
    Location:
    Outer space
    Anyone?


Also suggestions/a wishlist:
    -Ability to view currently running guarded processes in GUI with info on exceptions (if any) (to prevent information overload; could be done on mouse-over or (right-)clicking the process)
    -Right-click menu with some options to run as guarded/unguarded and change exceptions
    -Ability to be notified about the (preferably only the first) execution of a guarded executable, separated setting from Guarded Execution Events.
    -Ability of tray icon to give information boxes/pop-ups instead of just blinking and needing mouse-over, something like this would be nice and still unobtrusive:
    shot1.JPG
     
  3. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    Open the AppGuard GUI, right-click on one of the blocked events and select Ignore Message... as if you were going to create an Ignore Message rule. You will then be able to see the full path name of the executable that generated the warning. You don't have to create an Ignore Message rule though; this is just a way of getting AppGuard to display the full path name of the executable that generated the warning.
     
  4. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I hope they correct this issue in the next build so that a user does not have to go through those steps as though they are going to create an ignore rule to see the full path of a blocked object.
     
  5. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Yes, that definitely needs to be addressed. Hopefully that will be fixed in the next release. There's no reason it should not show the full path from there.
     
  6. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,576
    Is AppGuard development/testing still progressing?

The thread seems very quiet.
     
  7. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Yes, albeit slowly right now. But.....

If you go to their website you will see they have a significant Enterprise effort. That is probably what pays their bills, and allows them to sell the home version to us very economically. But that also means that has to be their priority as long as what we have now is doing the job.

    There is stuff we'd all like to see improve, but we just have to be patient.

    Pete
     
  8. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    +1 :thumb:
     
  9. TomAZ

    TomAZ Registered Member

    Joined:
    Feb 27, 2010
    Posts:
    1,131
    Location:
    USA
It appears that this subject has already been discussed at length, but there is so much material (and so many different approaches) that it's a little overwhelming just trying to wade through it all. So I'm wondering if someone can help me with a very simple 1-2-3 step explanation.

    I'm a VERY new (and somewhat confused) AppGuard user (32bit) and a long time Sandboxie user (with Firefox on an XP system). I only use Sandboxie for browsing (not testing software, etc). I'm looking for the simplest approach possible to make these two apps compatible so that they can be used together.
     
  10. Arcanez

    Arcanez Registered Member

    Joined:
    Oct 5, 2011
    Posts:
    417
    Location:
    Event Horizon
Just add the three Sandboxie processes to power apps in AppGuard and it should work. Also I would add the Sandboxie container file to user space so that AppGuard can also monitor what's going on in the sandbox and interfere if needed.
     
  11. STONEMAN

    STONEMAN Registered Member

    Joined:
    Jan 17, 2009
    Posts:
    99
    Location:
    London,South Of The River
    Add the following files to the MemoryGuard exception list with write permission:

    sandboxierpcss.exe
    sandboxiedcomlaunch.exe
    sandboxiecrypto.exe

    Also add c:\sandbox folder to the folder exception list under the guarded apps tab with read/write permissions.
     
  12. Pain of Salvation

    Pain of Salvation Registered Member

    Joined:
    Apr 21, 2005
    Posts:
    399
I've installed AppGuard, it is very light, but I do not understand how it works.

    For example, I have downloaded CCleaner and installed it just fine. AppGuard is set to high protection. Why did AppGuard not block the installation of CCleaner? Is it because it is signed software?

    Also, should I set nod32 as a powered application?
     
  13. Arcanez

    Arcanez Registered Member

    Joined:
    Oct 5, 2011
    Posts:
    417
    Location:
    Event Horizon
You are right. If the installer has a digital signature and AppGuard is set to High the file will be executed. However the file will run guarded. Files that don't have a digital signature aren't allowed to run when AppGuard is set to "High". On the main screen of the program AppGuard tells you exactly what it does. It's right beside the slider where you set your security level.

Regarding NOD32. If I remember correctly BarbC once pointed out that it's recommended to add other security programs that are supposed to run besides AppGuard to power apps. So you are right with that as well.
     
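An added example, not from the thread or from AppGuard's vendor: a PowerShell function that uses Windows' own Authenticode check to preview, before running a download, which installers AppGuard at High would block outright (unsigned) and which it would let run guarded (signed), as described above. The sample paths are assumptions, and it is also an assumption that a damaged or untrusted signature is treated like no signature.

```powershell
# Added example (not from the thread or the AppGuard vendor). Previews the
# signed/unsigned split that AppGuard's "High" level applies, using the
# Authenticode status Windows itself reports for each file.
function Get-InstallerSignatureReport {
    param([Parameter(Mandatory)][string[]]$Paths)

    foreach ($p in $Paths) {
        if (-not (Test-Path -LiteralPath $p)) {
            [pscustomobject]@{ Path = $p; Status = 'FileNotFound'; Signer = $null; ExpectedAtHigh = 'n/a' }
            continue
        }
        $sig    = Get-AuthenticodeSignature -FilePath $p
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }

        # Only a Valid signature counts as "signed". A HashMismatch (tampered file)
        # or an untrusted chain is treated here like an unsigned file; whether
        # AppGuard does exactly the same is an assumption, not a documented fact.
        $expected = switch ($sig.Status) {
            'Valid'     { 'runs, guarded' }
            'NotSigned' { 'blocked' }
            default     { "blocked (signature status: $($sig.Status))" }
        }

        [pscustomobject]@{ Path = $p; Status = $sig.Status; Signer = $signer; ExpectedAtHigh = $expected }
    }
}

# Constructed sample input (assumed paths): point this at your own Downloads folder.
$Paths = @(
    "$env:USERPROFILE\Downloads\ccsetup.exe",
    "$env:USERPROFILE\Downloads\unknown-tool.exe"
)
Get-InstallerSignatureReport -Paths $Paths | Format-Table -AutoSize
```

The report shows signer subjects as well as status, so a validly signed but unfamiliar publisher still stands out before the file is run.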
  14. Pain of Salvation

    Pain of Salvation Registered Member

    Joined:
    Apr 21, 2005
    Posts:
    399
    Thanks!
     
  15. Pain of Salvation

    Pain of Salvation Registered Member

    Joined:
    Apr 21, 2005
    Posts:
    399
Software and files that are on another drive (D:\) are considered inside user space or in system space?

    I have Steam and Origin installed on another drive. How should I configure them?

    Thanks for any help!
     
  16. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    All volumes other than the system volume where the OS resides (usually the C drive) are in user space.

    I don't use Steam or Origin so I can't help you with their configuration, sorry.
     
  17. Pain of Salvation

    Pain of Salvation Registered Member

    Joined:
    Apr 21, 2005
    Posts:
    399
Ok, thanks. I think I will put the Steam and Origin folders as unguarded, as if they were installed in the Program Files folder on the C:\ drive.
     
  18. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
AppGuard 3.4.2.0 fails Blackhole Exploit Kit - https://www.youtube.com/watch?v=K3Ha9ZAS5sg&list=UU_v3ST3w-gVCAm_rT0QNKGQ&index=11

    Faronics AE 5.10 passes Blackhole Exploit Kit - https://www.youtube.com/watch?v=5I8jBpNmZT0&list=UU_v3ST3w-gVCAm_rT0QNKGQ&index=9

    NoVirusThanks Radar Exe 2.4.0.0 Pro fails Blackhole Exploit Kit - https://www.youtube.com/watch?v=Gs1Js0XXOyo&list=UU_v3ST3w-gVCAm_rT0QNKGQ&index=10
     
  19. Brandonn2010

    Brandonn2010 Registered Member

    Joined:
    Jan 10, 2011
    Posts:
    1,854
    WOW! I would like an explanation on how it could bypass AppGuard, on Locked Down no less! :eek:
     
  20. Arcanez

    Arcanez Registered Member

    Joined:
    Oct 5, 2011
    Posts:
    417
    Location:
    Event Horizon
I don't think it was fully bypassed. You could see the tray icon disappeared, although the service itself might still have been active in the background. Also remember that AppGuard can let applications run guarded, so although they run they can't really do any serious harm to your computer.
     
  21. chris1341

    chris1341 Guest

    Would be nice to have a comment from BRN but it looks very similar to a previous 'bypass' they said they'd look at.

    I'd be interested to see what happened after re-boot as AG should have prevented the malicious file getting in to the MBR or creating an auto-start entry so therefore stopped it gaining a persistent hold on the system.

I'd also like to see if the malicious dll killed the AG service as well as the GUI (the last time he looked at Kill Switch the AppGuard Agent was still running). If the service was still running so is protection. Even though the malicious app was running it may well have been guarded/restricted. We don't see from this if there was a payload other than the rogue AV, which probably would have just been an entry point for more 'interesting' stuff.

    Worrying, yes, but not enough detail (is there ever in these youtube things?) there to say exactly what's gone wrong or just how concerned we should be.

    Cheers

    Edit:Arcanez - apologies posts crossed so missed you'd basically already said this.
     
  22. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,718
    Location:
    Gaia
This is an old test of NVT ERP.
    It is now at v2.7.3 and offers protection against such exploits.
     
  23. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I haven't bothered looking at these youtube videos, but before getting all excited, ask yourself a couple of questions.

1. Who is the tester and what are his qualifications? Does he know the software, and is he using the latest version with all its features?

2. Did he provide enough info to duplicate his test?

    Usually the answer is no.

Last youtube test I looked at right after NVT's latest release wasn't using the latest release but was in fact using an old version of the free version. BAH!

    I no longer waste my time.

    Pete
     
  24. Solarlynx

    Solarlynx Registered Member

    Joined:
    Jun 25, 2011
    Posts:
    2,015
    Yep, you can trust the test if you can reproduce it yourself.
     
  25. Space Ghost

    Space Ghost Registered Member

    Joined:
    Apr 21, 2011
    Posts:
    195
    Location:
    Poland
    1) All settings are shown in the video
    2) Test was conducted using the PRO version
    3) All the programs were current (at the time of recording test)

    You're qualified to judge the qualifications of others?
     