AppGuard 3.x 32/64 Bit

Discussion in 'other anti-malware software' started by shadek, Mar 12, 2011.

Thread Status:
Not open for further replies.
  1. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    Unfortunately, this is a known issue with AppGuard (even mentioned in the release notes):

    Anomalies with non-English characters:
    1. Folders and Files that contain non-English characters in their paths cannot be added to AppGuard policy.
    2. AppGuard will not enforce User-space protection if the user’s logon name contains non-English characters.
    We are working on a fix. We do know that if you have a Program Files subdirectory with non-English characters in it, AppGuard will treat that folder as System Space and protect it.

    Currently, the only work-around is to use a user name with all English characters (sorry).
     
  2. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    Regarding the possible bypass: here's Engineering's official reply:

    We are aware of the new class of attacks and are currently developing counter measures that would stop the attacks on MBR- or GUID-based systems, while ensuring such counter measures do not interfere with the stability of existing systems.
    As far as your post, I guess I missed some of your questions. I believe the only two that weren't answered are:
    I'm not sure what you mean by the MemoryLock feature (that being said, there may be some marketing material or even help documentation floating around out there that mentions MemoryLock). Perhaps you are referring to MBRGuard which IS different than MemoryGuard. The MBRGuard is actually a separate component that is installed with AppGuard and will protect your Master Boot Record.

    As far as why MemRead is off for GAs: When we first implemented MemRead protection, it caused many adverse side effects in the Guarded applications. Since then we've modified the implementation and the applications aren't experiencing those side effects. In the next release, we can easily make the default configuration set to protect memory read as well as write. I believe since many elect to run AppGuard in Locked Down where memory read is automatically enabled and no adverse side effects have been reported that it would be safe to do so.
    We've considered it, but thought it would be difficult from a customer support perspective. I'm curious what would you use the feature for? I've lobbied for supporting pre-defined Enclaves for products such as Quicken and TurboTax.
     
  3. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    Hi Pain, I've responded to your post here, but just wanted to let you know that we have not received a trouble ticket at Blue Ridge. Did you send it to AppGuard@BlueRidgeNetworks.com?
     
    Last edited: Mar 21, 2013
  4. Pain of Salvation

    Pain of Salvation Registered Member

    Joined:
    Apr 21, 2005
    Posts:
    399
    I sent it via "http://www.blueridge.com/index.php/support/contact-us/form"

    Is there a way to change the user folder name?
     
  5. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,281
    Location:
    UK
    The only thing I can think of to explain that is that .pif files appear to be treated as executables, whereas .bat files are maybe considered to be scripts.
     
  6. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,281
    Location:
    UK
    Hi Barb,

    No, I don't mind at all - it would be an honour. I'm just glad that people find it useful. (We can sort out the question of royalties later. ;) :D )

    Kind regards
    pegr
     
  7. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,281
    Location:
    UK
    +1 :thumb:
     
  8. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,595
    Location:
    Outer space
    In this topic here, there is a 16-bit .exe file (self-extractor) that AG does not block:
    https://www.wilderssecurity.com/showthread.php?p=2206687


    Good to know it is being fixed :)

    MemoryLock is described as a feature on your website here:
    http://www.blueridge.com/index.php/products/appguard/enterprise

    Thanks :)
    If I correctly understand the description (http://www.blueridge.com/index.php/products/appguard/enterprise), it seems a bit like the Privacy feature but more extensive: instead of blocking Guarded Apps from certain folders, it will block any program, including Unguarded ones, from accessing the file/folder except when it is explicitly allowed. This will also allow for different folders with different programs allowed, for example a folder with PDFs that only the PDF program can access and a folder with documents that only Word can access. With the current protected folders, the policy is the same for every Guarded App, so if you disable Privacy mode on your PDF reader to let it access a protected folder with PDFs, it can also access any other private folder. So the advantage would be that you can create different private folders for different applications and it protects against both Guarded and Unguarded applications.
     
  9. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    Sorry, I'm confused now. Is this a new bypass? Can you provide more details? Where was the file located? How did it enter the system? Would you send me a copy? I'll PM you with my private email - better not to send it to the entire AppGuard support team.
    On the Engineering/Ops side of the house, we use MemoryGuard as a generic term for both MemoryWrite and MemoryRead protection. I guess our marketing department is referring to MemoryWrite protection (i.e. code injection protection) as MemoryGuard and MemoryRead protection (ram scraping protection) as MemoryLock.
    That's a pretty good description of the feature. I'll see if we have any plans to include in the consumer version of the product.
     
  10. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,595
    Location:
    Outer space
    It's not the same as the bypass discussed earlier. I don't know much about it; it looks like a legit self-extractor which contains some old audio/speaker tool. I got the executable from the user CloneRanger who started the topic. I executed it in a Win 7 32-bit VM with AG installed and it executed successfully with AG on High and Lockdown mode. I sent you the sample via mail. As you can see in the topic, the file header is different from a normal executable:
    https://www.wilderssecurity.com/showthread.php?t=343842

    Ah, now that clears it up.

    Nice, thanks :)
     
  11. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    Thanks! I got the exe and sent it to the developers. Hopefully they'll have a quick fix that we can put into our upcoming release (date still to be determined).
     
  12. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,281
    Location:
    UK
    +1 :thumb:

    I remember suggesting to BRN when I first started using AppGuard that AppGuard's privacy feature isn't granular enough. It's worth noting that the ability to lock down resource access by application is a feature that Sandboxie already has. IMO it's definitely something that BRN should consider adding to the consumer version of AppGuard.

    Something else I've already suggested is that Privacy mode in Locked Down should continue to operate as configured, otherwise what granularity AppGuard has regarding Privacy mode is lost by applying all protected folders across all guarded applications in Locked Down. AppGuard can be configured to set the Privacy flag individually for each guarded application in the Guarded Apps list if that's what the user wants to achieve; there's no need to enforce Privacy mode globally in Locked Down, thereby overriding the individual Privacy flag settings.
     
    Last edited: Mar 21, 2013
  13. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I totally agree. I want to run in Lockdown mode, and I have everything set so I can. But it renders privacy mode ineffective.

    Please consider changing this.

    Pete
     
  14. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    Those submissions get to us eventually (I received it this morning).

    The OS creates the directory based on the user-name. You would need to create another user with a name that only uses the English alphabet. Any files already in your current user directories (i.e. the desktop and My Documents folder) can be copied to the new user directory if you have admin rights.
     
  15. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    When you say that it renders privacy mode ineffective, I take it that you mean that it renders the privacy mode settings ineffective at the Locked Down level since Privacy Mode is enforced for all applications at the Locked Down level.

    So let me get this straight, you and PEGR would prefer that the Privacy Mode be set to "as configured" vs. "All" at the Locked Down level.

    That would actually be great, because I'm currently working on trying to fix a bug (yes, the engineers sometimes let me attempt to fix what they consider easy bugs) that PEGR reported having to do with suspending Privacy Mode for a specific application. It turns out this bug is not that simple to fix and I'd rather just remove the Locked Down enforcement of privacy mode for all applications - that would definitely simplify the logic. I would still try to retain the feature of being able to temporarily suspend privacy mode at the High Level, but it may be for all applications running in privacy mode vs. an individual application.
     
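    The difference between today's shared private-folder list (and its Locked Down override of the per-app Privacy flag) and the per-folder allow-list that BoerenkoolMetWorst, pegr and Barb discuss above, as a simplified model added here for illustration; this is not AppGuard's code, and the folder, app and level names are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class GuardedApp:
    name: str
    privacy: bool                   # per-app Privacy flag in the Guarded Apps list

@dataclass
class Policy:
    private_folders: set            # one list shared by every guarded app
    apps: dict                      # name -> GuardedApp; unguarded apps are absent
    folder_allow: dict = field(default_factory=dict)  # folder -> apps allowed into it

def allowed_global(policy, app, folder, level, lockdown_privacy="All"):
    """Current Privacy mode: a guarded app with Privacy on is kept out of every
    private folder; unguarded apps are never restricted. With lockdown_privacy
    "All", Locked Down forces the flag on for every guarded app, so a per-app
    "off" only counts at High; "AsConfigured" is the proposed alternative."""
    if folder not in policy.private_folders:
        return True
    guarded = policy.apps.get(app)
    if guarded is None:
        return True                 # unguarded: Privacy mode does not apply
    forced = level == "LockedDown" and lockdown_privacy == "All"
    return not (guarded.privacy or forced)

def allowed_per_folder(policy, app, folder):
    """Per-folder model: each private folder names the programs allowed into
    it and everything else, guarded or unguarded, is denied."""
    if folder not in policy.folder_allow:
        return True
    return app in policy.folder_allow[folder]

# Constructed sample policy: the reader has Privacy switched off so that it
# can open the PDFs folder; Word keeps Privacy on.
SAMPLE = Policy(
    private_folders={"Docs", "PDFs"},
    apps={"reader.exe": GuardedApp("reader.exe", privacy=False),
          "word.exe": GuardedApp("word.exe", privacy=True)},
    folder_allow={"PDFs": {"reader.exe"}, "Docs": {"word.exe"}},
)
```

    In the shared-list model the reader's Privacy "off" also opens Docs to it, and Locked Down with "All" closes PDFs to it again; the per-folder model keeps the reader in PDFs only and also stops unguarded programs.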
  16. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,281
    Location:
    UK
    Exactly! :thumb:
     
  17. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,653
    Location:
    USA
    I came across another security application calling itself Appguard. It reads SRT: Appguard. The only difference is it has SRT in the name. Could this be breaking copyright laws? It looks kind of borderline to me. I believe this is their website: http://www.backes-srt.de/produkte/srt-appguard/
     
    Last edited: Mar 22, 2013
  18. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    To quote PEGR.... Exactly!

    Pete
     
  19. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    Thanks. I sent this to our lawyer.
     
  20. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    Okay, so PEGR and Peter agree with this. Any objections? If not, I think I can get this into the next release.
     
  21. 1000db

    1000db Registered Member

    Joined:
    Jan 9, 2009
    Posts:
    718
    Location:
    Missouri
    I concur. I think it's a good idea. Though it may seem on the surface to defeat the philosophy of "lockdown" mode, it adds a level of granularity that increases AG's flexibility for sophisticated users such as pegr and Peter.
     
  22. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    I believe that I came up with a way via tweaking the policy to work around this issue. If you're interested, I will email you the steps. It works for me with my limited test setup (I'm using English OS with a user name that has a non-English character). If I can get it verified on a non-English OS, I will publish the steps in the release notes and on this board.
     
  23. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,595
    Location:
    Outer space
    I think it is a good idea as well.
     
  24. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    On a different note, things I've done have tested the user vs system space, but I realized I've never tested the "guard" concept.

    So I took an installer, which happened to be an EMSI installer, but that is no matter.

    Left Appguard in lockdown, and tried running it from the Desktop. As should have been the case, the installer wouldn't even run.

    So then I moved the installer to the Program Files area, with a shortcut to the desktop. Ran beautifully. Did a complete install. Then I rolled back the system to repeat.

    This time, I left the installer in the Program Files area, but in Appguard I set the installer to guarded. This time when I ran the installer it started, but never got off the ground before being shut down.

    Well Done Appguard.

    Pete
     
  25. dstexas

    dstexas Registered Member

    Joined:
    Aug 11, 2012
    Posts:
    15
    I have a new computer running Win 8, and I have Appguard. My question, I guess, would be: if I put AG on lock-down, should that help keep me safe from drive-by downloads? I use KIS 2013, so would lock-down interfere with KIS?
    What tweaks would be needed to AG, for example if I wanted to download music or documents while in lock-down mode?

    Thanks
     