AppGuard 3.x 32/64 Bit

Discussion in 'other anti-malware software' started by shadek, Mar 12, 2011.

Thread Status:
Not open for further replies.
  1. Bigabe

    Bigabe Registered Member

    Joined:
    Feb 12, 2011
    Posts:
    58
    yea, and it would be very nice if you could see in the log, which .exe makes a problem. Per example Blizzard has 3 different updaters and user agent.exe on my system. Now the warning is: User Agent isn't allowed to write to BLizzard updater. Which one? I had to exclude all three to define which had a problem.
    It would be nice to right-click and see the executables file path.
     
  2. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,714
    Location:
    Outer space
    Anyone?


    Also suggestions/a whishlist:
    -Ability to view currently running guarded processes in GUI with info on exceptions(if any)(to prevent information overload; could be done on mouse-over or (right)clicking the process)
    -Right-click menu with some options to run as guarded/unguarded and change exceptions
    -Ability to be notified about the (preferably only the first) execution of a guarded executable, separated setting from Guarded Execution Events.
    -Ability of tray icon to give information boxes/pop-ups instead of just blinking and needing mouse-over, something like this would be nice and still unobtrusive:
    shot1.JPG
     
  3. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    Open the AppGuard GUI, right-click on one of the blocked events and select Ignore Message... as if you were going to create an Ignore Message rule. You will then be able to see the full path name of the executable that generated the warning. You don't have to create an Ignore Message rule though; this is just a way of getting AppGuard to display the full path name of the executable that generated the warning.
     
  4. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,657
    Location:
    USA
    I hope they correct this issue in the next build so that a user does not have to go through those steps as though they are going to create an ignore rule to see the full path of a blocked object.
     
  5. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,657
    Location:
    USA
    Yes, that definitely needs to be addressed. Hopefully that will be fixed in the next release. There's no reason it should not show the full path from there.
     
  6. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,570
    Is AppGuard development/testing still progressing?

    The Thread seems very quite.
     
  7. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Yes, albeit slowly right now. But.....

    If you go to their website you will see the have a significant Enterprise effort. That is probably what pays their bills, and allows them to sell the home version to us very economically. But that also means that has to be their priority as long as what we have know is doing the job.

    There is stuff we'd all like to see improve, but we just have to be patient.

    Pete
     
  8. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    +1 :thumb:
     
  9. TomAZ

    TomAZ Registered Member

    Joined:
    Feb 27, 2010
    Posts:
    1,131
    Location:
    USA
    It appears that this subject has already been discussed at length, but there is so much material (and so many different approaches) that its a little overwhelming just trying to wade through it all. So I'm wondering if someone can help me with a very simple 1-2-3 step explanation.

    I'm a VERY new (and somewhat confused) AppGuard user (32bit) and a long time Sandboxie user (with Firefox on an XP system). I only use Sandboxie for browsing (not testing software, etc). I'm looking for the simplest approach possible to make these two apps compatible so that they can be used together.
     
  10. Arcanez

    Arcanez Registered Member

    Joined:
    Oct 5, 2011
    Posts:
    404
    Location:
    Event Horizon
    Just add the three sandboxie processes to power apps in Appguard and it should work. Also I would add the Sandboxie Container file to user space so that appguard can also Monitor what's going on in the sandbox and interfere if needed.
     
  11. STONEMAN

    STONEMAN Registered Member

    Joined:
    Jan 17, 2009
    Posts:
    99
    Location:
    London,South Of The River
    Add the following files to the MemoryGuard exception list with write permission:

    sandboxierpcss.exe
    sandboxiedcomlaunch.exe
    sandboxiecrypto.exe

    Also add c:\sandbox folder to the folder exception list under the guarded apps tab with read/write permissions.
     
  12. Pain of Salvation

    Pain of Salvation Registered Member

    Joined:
    Apr 21, 2005
    Posts:
    399
    I´ve installed Appguard, it is very light, but I do not understand how it works.

    For example, I have download ccleaner and installed it just fine. Appguard is set to high protection. Why appguard did not block the installation of ccleaner? Is it because it is a signed software?

    Also, should I set nod32 as a powered application?
     
  13. Arcanez

    Arcanez Registered Member

    Joined:
    Oct 5, 2011
    Posts:
    404
    Location:
    Event Horizon
    you are right. If the installer has a digital signature and Appguard is set to high the file will be executed. However the file will run guarded. Files that don't have a digital signature aren't allowed to run when Appguard is set to "High". On the main Screen of the program Appguard tells you exactly what it does. It's right beside the slider where you set your security Level.

    Regarding NOD32. If I remember correctly BarbC once pointed out that it's recommended to add other security programs that are supposed to run besides Appguard to power apps. So you are right with that as well.
     
  14. Pain of Salvation

    Pain of Salvation Registered Member

    Joined:
    Apr 21, 2005
    Posts:
    399
    Thanks!
     
  15. Pain of Salvation

    Pain of Salvation Registered Member

    Joined:
    Apr 21, 2005
    Posts:
    399
    Softwares and files that are in another driver (D:\) are considered inside user space or in system space?

    I have Steam and Origin installed on another driver. How should I configure them?

    Thanks for any help!
     
  16. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    All volumes other than the system volume where the OS resides (usually the C drive) are in user space.

    I don't use Steam or Origin so I can't help you with their configuration, sorry.
     
  17. Pain of Salvation

    Pain of Salvation Registered Member

    Joined:
    Apr 21, 2005
    Posts:
    399
    Ok, thanks. I think I will put the steam and origin folders as unguarded, as if they were installed in Program Files folder in the c:\ drive.
     
  18. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,657
    Location:
    USA
    Appguard 3.4.2.0 fails Blackhole Exploit Kit -https://www.youtube.com/watch?v=K3Ha9ZAS5sg&list=UU_v3ST3w-gVCAm_rT0QNKGQ&index=11

    Faronics AE 5.10 passes Blackhole Exploit Kit -https://www.youtube.com/watch?v=5I8jBpNmZT0&list=UU_v3ST3w-gVCAm_rT0QNKGQ&index=9

    NoVirusThanks Radar Exe 2.4.0.0 Pro fails Blackhole Exploit Kit -https://www.youtube.com/watch?v=Gs1Js0XXOyo&list=UU_v3ST3w-gVCAm_rT0QNKGQ&index=10
     
  19. Brandonn2010

    Brandonn2010 Registered Member

    Joined:
    Jan 10, 2011
    Posts:
    1,854
    WOW! I would like an explanation on how it could bypass AppGuard, on Locked Down no less! :eek:
     
  20. Arcanez

    Arcanez Registered Member

    Joined:
    Oct 5, 2011
    Posts:
    404
    Location:
    Event Horizon
    I don't think it was fully bypassed. You could see the tray Icon disappeared although the Service itself might still have been active in the Background. Also remember that Appguard can let applications run guarded so although they run they can't really do any serious harm to your Computer.
     
  21. chris1341

    chris1341 Guest

    Would be nice to have a comment from BRN but it looks very similar to a previous 'bypass' they said they'd look at.

    I'd be interested to see what happened after re-boot as AG should have prevented the malicious file getting in to the MBR or creating an auto-start entry so therefore stopped it gaining a persistent hold on the system.

    I'd also like to see if the malicious dll killed the AG service as well as the GUI (the last time he looked at Kill Switch the AppGaurd Agent was still running) . If the service was still running so is protection. Even though the malicious app was running it may well have been guarded/restricted. We don't see from this if there was a pay load other than the rogue AV which probably would have just been an entry point for more 'interesting' stuff.

    Worrying, yes, but not enough detail (is there ever in these youtube things?) there to say exactly what's gone wrong or just how concerned we should be.

    Cheers

    Edit:Arcanez - apologies posts crossed so missed you'd basically already said this.
     
  22. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,718
    Location:
    Gaia
    This is old test of NVT ERP.
    It is now at v2.7.3 and offers protection against such exploits.
     
  23. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I haven't bothered looking at these youtube videos, but before getting all excited, ask yourself a couple of questions.

    1. Who is the tester and what are his qualifications. Does he know the software, and his he using the latest version with all it's features.

    2. Did he provide enough info to duplicate his test.

    Usually the answer is no.

    Last youtube test I looked at right after NVT's latest release wasn't using the lastest release but was infact using an old version of the free version. BAH!

    I no longer waste my time.

    Pete
     
  24. Solarlynx

    Solarlynx Registered Member

    Joined:
    Jun 25, 2011
    Posts:
    2,015
    Yep, you can trust the test if you can reproduce it yourself.
     
  25. Space Ghost

    Space Ghost Registered Member

    Joined:
    Apr 21, 2011
    Posts:
    94
    Location:
    Ireland
    1) All settings are shown in the video
    2) Test was conducted using the PRO version
    3) All the programs were current (at the time of recording test)

    You're qualified to judge the qualifications of others?
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.