AppGuard 3.x 32/64 Bit

Regarding the possible bypass: here's Engineering's official reply:

We are aware of the new class of attacks and currently developing counter measures that would stop the attacks to MBR or GUID based systems and ensuring such counter measures do not interfere with the stability of the existing systems.
​

As far as your post, I guess I missed some of your questions. I believe the only two that weren't answered are:

I'm not sure what you mean by the MemoryLock feature (that being said, there may be some marketing material or even help documentation floating around out there that mentions MemoryLock). Perhaps you are referring to MBRGuard which IS different than MemoryGuard. The MBRGuard is actually a separate component that is installed with AppGuard and will protect your Master Boot Record.

As far as why MemRead is off for GAs: When we first implemented MemRead protection, it caused many adverse side effects in the Guarded applications. Since then we've modified the implementation and the applications aren't experiencing those side effects. In the next release, we can easily make the default configuration set to protect memory read as well as write. I believe since many elect to run AppGuard in Locked Down where memory read is automatically enabled and no adverse side effects have been reported that it would be safe to do so.

We've considered it, but thought it would be difficult from a customer support perspective. I'm curious what would you use the feature for? I've lobbied for supporting pre-defined Enclaves for products such as Quicken and TurboTax.

 

Hi Pain, I've responded to your post here, but just wanted to let you know that we have not received a trouble ticket at Blue Ridge. Did you send it to AppGuard@BlueRidgeNetworks.com?

 

I sent it via "http://www.blueridge.com/index.php/support/contact-us/form"

Is there a way to change the user folder name?

 

The only thing I can think of to explain that is that .pif files appear to be treated as executables, whereas .bat files are maybe considered to be scripts.

 

Hi Barb,

No, I don't mind at all - it would be an honour. I'm just glad that people find it useful. (We can sort out the question of royalties later. )

Kind regards
pegr

 

+1

 

In this topic here, there is a 16-bit .exe file(self-extractor) that AG does not block:
https://www.wilderssecurity.com/showthread.php?p=2206687

Good to know it is being fixed

MemoryLock is described as a feature on your website here:
http://www.blueridge.com/index.php/products/appguard/enterprise

Thanks

If I correctly understand the description(http://www.blueridge.com/index.php/products/appguard/enterprise) it seems a bit like the Privacy features but more extensive as instead of blocking Guarded Apps to certain folders, it will block any program including not Unguarded from accessing the file/folder except when it is explicitly allowed. This will also allow for different folders with different programs allowed, for example a folder with PDF's that only the PDF program can access and a folder with documents that only Word can access. With the current protected folders, the policy is the same for every Guarded App, so if you disable Privacy mode on your PDF reader to let it access a protected folder with PDF's it can also access any other private folder. So the advantage would be that you can create different private folders for different applications and it protects agains both Guarded and Unguarded applications.

 

Sorry, I'm confused now. Is this a new bypass? Can you provide more details? Where was the file located? How did it enter the system? Would you send me a copy? I'll PM you with my private email - better not to send it to the entire AppGuard support team.

On the Engineering/Ops side of the house, we use MemoryGuard as a generic term for both MemoryWrite and MemoryRead protection. I guess our marketing department is referring to MemoryWrite protection (i.e. code injection protection) as MemoryGuard and MemoryRead protection (ram scraping protection) as MemoryLock.

That's a pretty good description of the feature. I'll see if we have any plans to include in the consumer version of the product.

 

It's not the same as the bypass discussed earlier, I don't know much about it, it looks like a legit self-extractor which contains some old audio/speaker tool, I got the executable from the user CloneRanger who started the topic. I executed it in a win 7 32 bit VM with AG installed and execute it succesfully with AG on High and Lockdown mode. I sent you the sample via mail. As you can see in the topic, the file header is different from a normal executable:
https://www.wilderssecurity.com/showthread.php?t=343842

Ah, now that clears it up.

Nice, thanks

 

Thanks! I got the exe and sent it to the developers. Hopefully they'll have a quick fix that we can put into our upcoming release (date still to be determined).

 

+1

I remember suggesting to BRN when I first started using AppGuard that AppGuard's privacy feature isn't granular enough. It's worth noting that the ability to lock down resource access by application is a feature that Sandboxie already has. IMO it's definitely something that BRN should consider adding to the consumer version of AppGuard.

Something else I've already suggested is that Privacy mode in Locked Down should continue to operate as configured, otherwise what granularity AppGuard has regarding Privacy mode is lost by applying all protected folders across all guarded applications in Locked Down. AppGuard can be configured to set the Privacy flag individually for each guarded application in the Guarded Apps list if that's what the user wants to achieve; there's no need to enforce Privacy mode globally in Locked Down, thereby overriding the individual Privacy flag settings.

 

Those submissions get to us eventually (I received it this morning).

The OS creates the directory based on the user-name. You would need to create another user with a name that only uses the English alphabet. Any files already in your current user directories (i.e. the desktop and My Documents folder) can be copied to the new user directory if you have admin rights.

 

When you say that it renders privacy mode ineffective, I take it that you mean that it renders the privacy mode settings ineffective at the Locked Down level since Privacy Mode is enforced for all applications at the Locked Down level.

So let me get this straight, you and PEGR would prefer that the Privacy Mode be set to "as configured" vs. "All" at the Locked Down level.

That would actually be great, because I'm currently working on trying to fix a bug (yes, the engineers sometimes let me attempt to fix what they consider easy bugs) that PEGR reported having to do with suspending Privacy Mode for a specific application. It turns out this bug is not that simple to fix and I'd rather just remove the Locked Down enforcement of privacy mode for all applications - that would definitely simplify the logic. I would still try to retain the feature of being able to temporarily suspend privacy mode at the High Level, but it may be for all applications running in privacy mode vs. an individual application.

 

Exactly!

 

I came across another security application calling itself Appguard. It reads SRT: Appguard. The only difference is it has SRT in the name. Could this be breaking copyright laws? It looks kinda of borderline to me. I believe this is their website -http://www.backes-srt.de/produkte/srt-appguard/

 

Thanks. I sent this to our lawyer.

 

Okay, so PEGR and Peter agree with this. Any objections? If not, I think I can get this into the next release.

 

I concur. I think its a good idea. Though it may seem on the surface to defeat the philosophy of "lockdown" mode; it adds a level of granularity that increases AG's flexibility for sophisticated users such as pegr and Peter.

 

I believe that I came up with a way via tweaking the policy to work around this issue. If you're interested, I will email you the steps. It works for me with my limited test setup (I'm using English OS with a user name that has a non-English character). If I can get it verified on a non-English OS, I will publish the steps in the release notes and on this board.

 

I think it is a good idea as well.

 

I have a new computer running Win 8, I have Appguard. My question I guess would be if I put AG on lock-down, that should help keep me safe from drive-by downloads? I use KIS 2013 so would lock-down interfere with KIS?
What tweaks would be needed to AG? Like if I wanted to download music or documents while in lock-down mode?

Thanks

 

I assume that AppGuard protects against most drive-by exploits while in Lockdown Mode. Is the same true at the High Protection level?