AppGuard 3.x 32/64 Bit

The Medium, High, and Locked Down protection levels all protect against drive-by downloads by guarding or denying execution from user space. Whilst stopping a malicious executable from running is preferable to preventing it from exploiting the system once it is running, as long as it is running as a guarded application and it isn't able to bypass AppGuard, there is no difference from a practical perspective because guarded applications are prevented from writing to system space.

To expand on this: -

Locked Down provides the strongest protection because it denies all execution from user space.

High denies unsigned executables but allows signed executables to run guarded from user space. A malicious executable would have to both be digitally signed and have found a way to bypass AppGuard for an exploit to be successful. In practical terms the difference between High and Locked Down is small.

Medium allows unsigned executables to run guarded but allows signed executables to run unguarded. This is riskier than High or Locked Down because an exploit by a digitally signed malicious executable would be successful. The use of Medium is therefore not recommended for normal use.

 

So then, it sounds like pairing AG with NVT ERP would be a good layered defensive option - right?

 

The main use for this would be to implement a default-deny strategy in relation to system space. AppGuard already applies a default-deny policy to user space in Locked Down but applies a default-allow policy in relation to system space. System space executables are automatically trusted by default except where they are explicitly added to the Guarded Apps list.

AppGuard's security model provides strong silent protection that works without asking the user to make security decisions about what to allow and what to deny. The default-allow policy in relation to system space is why I've said in other posts that I consider AppGuard to be a policy restriction program, not an anti-execute program, although it does have anti-execution features in relation to user space. AppGuard continues to apply policy restrictions after allowing execution. A pure anti-execute program based on whitelisting is only concerned with the initial decision to allow or deny execution, not with restricting subsequent behaviour once execution has been allowed.

If you want a global default-deny strategy, applying to system space as well as user space, then yes, NVT ERP would make a good partner to AppGuard. You will get more alerts though. I don't currently have NVT ERP installed but from what I remember there is an option to configure it to whitelist system space executables to reduce the number of alerts. If you do that though, you won't gain any significant advantage over using AppGuard on its own IMHO.

 

Thanks for the explanation, that helps a lot.

 

I have an error message about flash player: 03/24/13 14:33:45 Prevented process <Adobe Flash Player 11.6 r602> from writing to <c:\program files (x86)\mozilla firefox\fap5fd4.tmp>.
What do I need to do to stop this?

 

maybe normal

 

How Do I stop it from happening?

 

I wonder why would Flash Player (the plugin I assume) write to Program Files?

I'm not using Firefox with Flash (sometimes I just use Firefox with no Flash), so not sure if something like that would be normal? I just find it odd.

 

Unless something has stopped working as a result (unlikely), just ignore it. If it is annoying you then create an ignore message rule to prevent the error message from being displayed and/or logged.

 

I will the ignore message rule, thanks

 

just right click with your mouse the red message and apply ignore message

 

Is there a setting somewhere to keep AppGuard from starting with Windows?

 

No real good reason, Pete. Thought it might be interfering with the start up of some other items, but tested it and it wasn't, so it's back to starting with Windows.

 

As Peter2150 said, AppGuard doesn't interfere with the start-up of items that are already installed, but I have found that AppGuard can ocasionally interfere with software installations that require a reboot to complete the installation. On a few occasions, in my case, this has included a BSOD at shutdown/restart.

This can be avoided by configuring AppGuard to stay in the Install protection level until full protection is manually re-enabled. That way, if the system has to be rebooted, AppGuard will stay set to Install until the software installation has been completed, at which time it can be manually re-enabled following the restart.

To accomplish this do the following: Open the GUI, move the protection level slider to the Install position and uncheck the checkbox that says Re-enable <xxxx> level after <yy> minutes. AppGuard will then remain permanently in the Install protection level until the previous protection level is manually re-enabled.

It does mean remembering to re-enable protection manually, but I have found it to be the safer procedure when installing software that requires a reboot.

 

Yes. On the GUI, turn AppGuard off and uncheck the re-enable checkbox.

 

from the msconfig tool you can disable start up service and only the service will start but not the gui

 

The Windows Updates work just fine even on 'Locked Down' in the latest versions, right?

Also, I wonder why so many applications install into user space by default...


Chrome...
Spotify...
Dropbox...

Which makes me wonder, does anyone know how to install Dropbox into system space instead of user space? I've tried with different commands in cmd.exe but with no luck. The setup offers no custum install when it comes to installation directory. I had to make the roaming Dropbox folder into system space for it to worked in 'Locked Down'... but I really don't like that workaround.

 

Ok, so actually, I've had some time to think about it...

I have two questions;

Some applications cannot be installed into system space. They offer no custom install and always install into user space (i.e. the roaming folder).

Dropbox and Spotify are the culprits for me and installs into roaming folder.

So, is the solution to this to exclude their directories from user space in order for them to be able to run/start in 'Locked Down'?

I then add them to 'Guarded apps' as they are internet facing applications (I want all those internet facing apps guarded if possible)?

Would this be a secure solution?

 

I think that if you add the applications to the Guard List, you do not have to exclude them from User-Space. I just tried it and it worked for me. I did not change the user-space rule, just added the application to the Guard List. The application launched in locked-down mode and was also Guarded.

 

I tried adding 2 application that are installed in the userspace to the guarded application list. Up until now i've had them excluded under the userspace tab in order to use them. In other words userspace include was set to no.

Processhacker launched fine, and worked as expected by adding it to the guarded application list. This was even with protection level set to lockdown mode. Privacy, memory read, and memory write were each set to no. I just looked in AG's event logger, and it says Process Hacker is being blocked from reading the memory of what looks to be all the application currently running on my machine. I have memory read set to no. Should I change it to yes to allow Process Hacker to read the memory of other applications? I thought you had to have memory read set to no under guarded apps to allow an application to read the memory of other applications. Process Hacker still appeared to be functioning as expected, but that's just from a brief observation.

I added Boleh VPN to the guarded application list with privacy, memory read, and memory write each set to no. Lockdown mode blocks Boleh VPN from using the tap adapter. High mode blocks Boleh VPN from using with the tap adapter. It was not until I set AG's protection level to medium that Boleh was able to use the Tap adapter. I added Boleh VPN as a Powerapp, and that made not difference. Boleh VPN still was unable to use the tapp adapter until I set AG's protection level to Medium. Below is from AG's event logger.

It seems that it is safer just to exclude Boleh from the userspace instead of adding it to the guarded application list so one does not have to lower AG's protection level to Medium in order to use Boleh. I've been using Boleh with it excluded from the userspace up until now. I just wanted to see if Boleh would work by adding it to the guarded application list.

15:30:44 Prevented process <tapinstall.exe - c:\users\achilles\appdata\local\bolehvpn\bolehvpn.exe> from launching from <c:\users\achilles\appdata\local\bolehvpn\drv\x64>.

AG's full event log is attached below as well.

 

Yes, you should be protected.

 

Changing to "Yes" will enforce the protection. I believe the reason that you are seeing memory blocks is because you are in Locked Down level. In Locked Down protection level, MemoryRead and MemoryWrite are both enforced regardless of the Guarded Apps settings. On High, if MemoryRead and MemoryWrite were each set to NO for ProcessHacker, then ProcessHacker should be able to read/write the memory of all processes except for those that are Guarded with MemoryRead protection. In order for ProcessHacker to bypass AppGuard protection of Guarded Applications, it should be made a MemoryGuard exception (or a power application).

In the case of Boleh, it does seem like excluding its directory from user-space is the better option since it is also trying to launch another exe from user-space. Perhaps in a furture release (in High), we should allow a user-space application to be launched by a parent application that is Guarded. The child-process would be automatically guarded. This would result in less AppGuard interference on applications, but maybe it opens too many holes. In theory then a browser could launch an application from user-space (a possible drive-by download attack), but that shouldn't cause any persistent damage since the child process would also be Guarded and not be able to alter protected resources. Food for thought.

 

I'm not really sure on the logic of the memory reading protection and the settings, but I do know if you want a process to be able to read memory of other Guarded Processes then you need to add it to MemoryGuard exception list on the advanced tab.
EDIT:Barb explained it properly in the previous post

I would prefer it not to be enabled on High but only on Medium, or put it as a separate option in the settings.