AppGuard 3.x 32/64 Bit

@Pegr

Thanks for all your help and suggestions. I think we've finally solved the mystery that I was about to give up on. Those pifs are nasty little rascals when it comes to AG


@Barb C

Thanks so much for your willingness to get involved to help resolve this issue, but I think Pegr's explanation has nailed it.

 

Hi Tom,

I'm glad we got there in the end. I assume that you have tested this to confirm that it works on your system.

Kind regards
pegr

 

I have and it works perfectly!

 

I am late to the party by far.

Just installed today (trial).

Have it set to high for now.

How do I know when its blocked something? Is there a way to test?

Want to figure this program out for sure. Any tips?

Thanks in advance.

EDIT: For example, what to do about this?

 

Copy an unsigned executable to the desktop and try to run it. The tray icon will blink and you will get an alert saying that the program could not be launched. Now set the protection level to Locked Down and try to run a signed executable from the desktop. The same thing will happen. One of the differences between the High and Locked Down protection levels is that High will allow signed executables to run guarded from user space while Locked Down will not allow any launches from user space.

I wrote a small getting started guide for new users, explaining some of the key concepts, as I understand them. It's not particularly comprehensive but it might help get you started: Re: AppGuard - New Getting Started Tutorial wanted

When you've read that, the AppGuard help file is the best source of information on AppGuard's various features and how to use them.

Most MemoryGuard blocked events are harmless and can be ignored, as they don't generally have any detrimental effect on the correct functioning of programs. That said, as Webroot SecureAnywhere is one of your security programs, you might want to consider adding WRSA.exe as a Power App in AppGuard.

 

Anyone use any of the stuff in the Advanced -> Parental Control section? So far, I haven't touched that area.

 

I have configured the Parental control on my desktop.Its pretty simple... I have one Admin account and 2 LUA,so in Appguard I have assigned Admin as Superuser,and have uncheked all the rights for the 2 LUA,so Appguard cannot be altered unless one knows the password for the Admin account.

 

Many thanks for the info, appreciate it!

So safe to assume that messages such as these are ok as well?

I added WRSA as a Powerapp just because.

 

The majority of applications don't depend on being able to write back to system space or write to the memory space of other processes for normal functioning so most of these kind of blocking messages can be safely ignored unless there is clear evidence that something isn't working correctly. You can set up ignore message rules to filter them out and prevent them from being displayed and/or logged if they become annoying.

When it comes to security programs, the situation may be different. As these are among your most trusted programs, and are likely to require unsupervised access to the system to work properly, these may need to be added as Power Apps. You don't need to do this automatically though: only if you see evidence of AppGuard blocking messages reported in the status panel relating to the program, or the program doesn't appear to be functioning correctly.

As one of the main purposes of AppGuard is to protect system space, you will need to temporarily lower the protection level to Install in order to install software or apply software updates. The use of the Trusted Publishers list can also help.

 

Any issues with these alerts?

Sorry for all the n00b questions. Trying to sort through what's what.

Thanks.

 

Thanks for your explanation. Makes sense. Sorry that I missed your post prior to posting my last post.

Cheers.

 

Sorry if I confused the issue. I didn't realize he was using a pif file.

 

Hi Barb,

Do you have anymore information on the possible bypass?
Also with all the posts about the DOS file and Sandboxie you probably missed my post, can you reply to it?
https://www.wilderssecurity.com/showpost.php?p=2203569&postcount=2143

 

I think appguard does not block an unsigned .exe lauched in the user folder, if the folder's name has an accent mark, in my case, c:/user/álvaro (protection level set to high). If I copy the same .exe to another user folder (without the accent mark), I'm unable to launch it.

So, my user folder is unprotected.

Edit: even in locked down level I am able to run the program from my user folder.

 

Yikes! Please start a support ticket on this! This needs to be verified by BRN, and fixed ASAP if that is indeed the case!

 

Well, I just uninstalled appguard. I think it's a simple thing to be reproduced so they can easily check if its really the case and fix it.

 

Are you going to send Barb an email about this? If not then I will. Btw.. are you running Windows 8 Pro on the machine producing the possible bug?

 

I have sent it.

Yes, I'm running Windows 8 Pro x64.

 

Thanks Pain! Good find!

 

Thanks, PEGR. I'm still not sure why .pif files are working from the desktop in Medium. I'll have to investigate. I think they should be treated the same as .bat files and .bat files are blocked in medium.

 

I want to recommend PEGR's tutorial as well. It is a very concise description of AppGuard. In fact, PEGR, I've been meaning to ask you if you would mind if I included some of your text in the Help file.

 

very clear help file good job man

 

Unfortunately, this is a known issue with AppGuard (even mentioned in the release notes):

Anomalies with non-English characters:
1. Folders and Files that contain non-English characters in their paths cannot be added to AppGuard policy.
2. AppGuard will not enforce User-space protection if the user’s logon name contains non-English characters.
​

We are working on a fix. We do know that if you have a Program Files subdirectory with non-English characters in it, AppGuard will treat that folder as System Space and protect it.

Currently, the only work-around is to user a user name with all English characters (sorry).