AppGuard 4.x 32/64 Bit - Releases

Discussion in 'other anti-malware software' started by Jryder54, Oct 29, 2013.

Thread Status:
Not open for further replies.
  1. meatouph

    meatouph Guest

    I've done some tests with Cryptolocker (3) and Critroni (2) at the Medium protection level using default settings. The ransomware files were not digitally signed.

    Cryptolocker was blocked when trying to run from the desktop.
    Cryptolocker was not blocked when trying to run from C:\cryptolocker. However, AppGuard prevented it from changing the time zone, creating a randomly named file in %windir%, writing to its own file and reading some process's memory.

    An installer infected with Critroni was blocked when trying to run from the desktop, %temp% and 'C:\Critroni'. It ran fine from C:\Temp. However, AppGuard seems to block the file encryption:
    01/20/15 23:02:27 Prevented process <1.exe | c:\temp\critroni installer.exe> from launching from <c:\users\<user name>\appdata\local\temp\ixp000.tmp>.

    A separate file containing only Critroni was blocked when trying to run from the desktop and %temp%. It ran fine from C:\Temp and C:\Critroni. JPG files in the private folder were encrypted as well.

    Is this OK and I just don't have enough knowledge, or is it something else? I looked for a signed Critroni but didn't find one.

    Pegr your guide is great, thank you!

    Barb_C I hope you will get well soon
     


  2. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Meatouph, thank you for testing AG against different samples of crypto ransomware! I should explain how AG's policy restriction works to mitigate attacks from paths such as C:\, which failed your test due to how you tested AG against the threat. If you copy any file to C:\ and then attempt to run it, it will be allowed to run. This is not realistic to how any malware would copy itself to C:\.

    AG prevents malware from executing from C:\, C:\windows\temp, etc. by not allowing applications on the guarded apps list to write to C:\, C:\windows\temp, etc. The malware will attempt to write to those paths by executing through one's web browser, mail client, PDF reader, document reader, media players, P2P file sharing clients, etc. Those applications should all be on the guarded apps list. AG works by not allowing applications on the guarded apps list to write to C:\, C:\windows\temp, C:\users, etc. So when malware like Cryptolocker tries to copy itself to C:\ from one's browser, or any other application on the guarded apps list, it will not be allowed to write to those paths.

    You can test this for yourself by trying to download any file to the path C:\, C:\windows\temp, etc. from your web browser with AG enabled. You will find that AG blocks your browser from writing to C:\, C:\windows\temp, etc., and the download will fail immediately. AG will take the same action if any application on the guarded apps list attempts to write to C:\. AG will not allow any application on the guarded apps list to write to C:\, so the malware will have no way to copy itself to that path. As long as you have all your web applications on the guarded apps list, the malware should not have any way to copy itself to C:\, C:\windows\temp, etc. If you land on a webpage infected with Critroni, Cryptolocker, Cryptowall, etc., and it attempts to copy itself to those paths, it will fail because AG will not allow your browser to write to C:\, since your web browser is on the guarded apps list.

    AG also will not allow any application on the guarded apps list to write to Program Files folders or any Windows folders. AG also has memory protection and .dll protection as well. I hope I have explained enough for you to understand how AG prevents malware from executing from C:\, C:\windows\temp, C:\users, etc. I'm also not very good at explaining things sometimes, so I hope I did not confuse you, but if you don't understand something I have said then let me know.
     
    Last edited: Jan 21, 2015
  3. syrinx

    syrinx Registered Member

    Joined:
    Apr 7, 2014
    Posts:
    427
    Meatouph, don't worry, I made similar mistakes when I first started testing AppGuard. It took me a few read-throughs of the help file and a couple of emails with Barb before I finally grasped how it actually works. Once you get it, it seems so simple, but before that happens it's easy to get confused. Cutting's post is a bit long-winded (my edited version didn't prove to be much shorter) but I think his post will be enough to get you to that *ding* moment. If not, feel free to ask here or shoot me a message!

    The lines from the help file that are under 'user space definition' helped me to understand how my tests were flawed in the same manner:
    This also led me to understand how the system drive (generally C:\) starts off completely as 'system space' and the rules defined within the 'User Space' section of the interface are directly related to the actual implementation of the protection for such "areas."

    I recently addressed an issue that was not quite related to this by explaining how AppGuard generates these rules upon installation and how user added rules were treated exactly the same (Assuming no exceptions are made in the Guarded Apps > Folders > Settings section.) as those rules auto generated by special entries of the xml which exist (you can also view the default state of the AppGuardPolicy.xml with these entries in the program folder while the created&used xml files reside elsewhere.) after installation and then upon first launch of the software (driver/service) it defines and adds these entries using the environmental variables your OS has. Once these are generated and added the 'default' rules are used to define the 'User Space' areas that are ~generally~ considered as such. Adding a folder to the 'User space' rules however will make AppGuard treat it in the same manner as the default rules even if said folder doesn't meet the mental definition that is normally 'stuck in our heads' for 'User Space.'

    Simply put, if it's not in user space or on the guarded list, AppGuard doesn't mess with it by design. This allows it to be highly effective yet not mess with anything outside of its (defined) scope, resulting in an extremely light but powerful tool.

    It can require a bit of learning and tweaking for those of us with non-standard setups, and as such it isn't quite as 'install and forget' as AppGuard may appear to be at first glance where more advanced PC users (or complex setups) are concerned. They've done a great job with the defaults IMHO, but they are not comprehensive. They work exceptionally well for normal use (users) however!

    P.S. Glad to see you around again Barb, sorry to read about your troubles, hope you feel healthy (and good) again soon!
     
    Last edited: Jan 21, 2015
  4. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Another aspect of AppGuard protecting from Cryptolocker stuff is the privacy access. If you put all the files Cryptolocker would encrypt into designated document folders, add the folder under the Guarded Apps settings button, and then set that folder to private, AppGuard won't let a guarded app even access that data. One more layer.
     
  5. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,207
    From what I could understand of your post CET, I agree with all of it. So yes, a good post I think, EXCEPT so hard to read! Maybe I have some reading disorder or low tolerance. My eyes kept skipping this line and that, sigh ;)
     
  6. meatouph

    meatouph Guest

    Cutting_Edgetech@: Of course you're right, guarded apps can't write to C:\ etc. Downloading using IE failed when trying to save a file to C:\new folder, C:\, C:\Critroni and C:\Windows\temp.
    The exception is %temp%. You can download files to this dir on both Medium and Locked Down. You are able to open those downloaded files via the browser at the Medium protection level, while you are unable to do so at the Locked Down protection level.
    Your explanation was good, I was just tired. Thank you.
    Unfortunately I can't share the screenshots I made because I used them in my graduation work. (I wrote 6 pages about AppGuard :) )

    syrinx@: I have been using AppGuard for a couple of months. Barb_C helped me to set it up when I won the license and I didn't mess with the configuration too much. I always thought of Guarded Apps as exactly the opposite of what they really are :)

    Thank you guys. Critroni file details screenshot in attachment.
     


  7. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    I've forwarded this to our security guru, but we've seen similar events when AppGuard blocks the Poweliks virus. Are you still getting them?
     
  8. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    Even if signed, AppGuard will block Critroni from encrypting data within private folders (if Critroni is introduced via a Guarded application or thumb drive). We have shown this in our lab, but basically, the assumption is that if Critroni is introduced via a Guarded application, it will not be able to be planted in C:\Temp, C:\Critroni etc. It could only end up in user space where (on the Medium level) it will automatically be Guarded and run in Privacy mode. So your private folders would be safe. If you explicitly copy Critroni to one of these drives, then AppGuard can't help you (unfortunately, AppGuard can't help stupid - not calling you stupid, I understand you were testing).
     
    Last edited: Jan 21, 2015
  9. FleischmannTV

    FleischmannTV Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,093
    Location:
    Germany
    If the parent application doesn't run in privacy mode, will Critoni still run in privacy mode?
     
  10. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    Hey I wanted to share a few recent AppGuard successes with you (I may have shared the first one with you already so forgive me if I've already shared):
    1. AppGuard won best anti-malware product homeland security award: http://www.gsnmagazine.com/article/...and_?page=0,0&c=access_control_identification
    2. We had a consumer customer report that his was the only computer in his company that did not get infected by an email attachment that was sent out to everyone in the company (his was the only computer with AppGuard installed).
    3. One of our Enterprise customer's remote users had been infected with Poweliks and AppGuard protected their computer until the computer connected to the corporate VPN where their enterprise tools finally detected Poweliks (15 days after the attack).
     
  11. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,537
    Well done, AppGuard Team!!! ;)
     
  12. meatouph

    meatouph Guest

    That's very good info. Congratulations :)

    Barb_C@: OK. I don't keep any personal files on the system partition, maybe except game save files.
    One more question: what to do with a 'D:\Różne' folder? This folder has mixed content and many subfolders inside. I keep images there, documents like .pdf, .docx, .txt, .reg, archives like .7z, .rar, and configuration file backups. Those files are mixed across many different subfolders (stored by content, not by file type). There are also some .bat files and executables, but I don't launch them. This folder is one of the folders I sync with an encrypted cloud server.
    I do not want this folder to be encrypted if the worst-case scenario happens. It's like myprivatefolder. I would also like to have access to it to save the kinds of files I mentioned above. What to do with this folder? I don't have this folder added to any kind of settings (yet).

    BTW: It's Critroni (not Critoni)
     
    Last edited by a moderator: Jan 21, 2015
  13. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Have you tried making it a private folder in AG? That way guarded applications have no access to that folder. Just go to the Guarded Apps tab and click on Settings. Then click Add and navigate to your folder. Then make the type "private (deny access)". This would work only if you don't add your sync software to the guarded apps list, but that might create a different security risk. I guess it's just deciding which one poses the most risk.
     
    Last edited: Jan 21, 2015
  14. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Barb, what can be done about %temp%?
     
  15. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Had your professor, or any of the other students heard of AG before you wrote your paper?
     
  16. meatouph

    meatouph Guest

    If I make this folder private (deny access) I won't be able to save documents there. The sync software is inside system space.
    I think %temp% needs to be like it is because many apps use it for storing temporary files. However, in Locked Down mode, if you download some files via the browser to %temp% they won't run. That's how the drive-by download protection works, or at least I think so :) (please correct me if I'm wrong)
    http://www.appguardus.com/support/products/AG4/files/AppGuard Quick Start Guide v3.pdf
    page 4
    I use Locked Down all the time except when I install/reinstall/update/uninstall software.
    I haven't finished it yet. The next chapter is a popular sandbox app. I don't think they had ever heard about AG.
     
  17. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Where is %temp% on the disk?
     
  18. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I have more detailed documentation than that guide. I understand very well how AG works. I just need your knowledge on %temp%.
     
  19. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    Sheesh, I knew that. I wish I could say it was just a typo, but I made the same mistake several times. Must be having a "senior" moment. Anyway, corrected it. Thanks!
     
  20. meatouph

    meatouph Guest

    Barb_C@: I made this mistake a few times too when I was looking for infected samples and got no results. I even set the archive password wrongly when repacking .7z to .zip.
    C:\Users\Jacek\AppData\Local\Temp. C is the system partition.
    Ah, so you're just checking me, right? ;)
     
  21. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    According to this wiki article http://en.wikipedia.org/wiki/Environment_variable %temp% is %SystemDrive%\Users\{username}\AppData\Local\Temp which is user space so AppGuard prevents unsigned apps from launching and autoGuards signed applications. In Locked Down, nothing would run.
     
  22. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    No, not really. I'm just used to having full paths, and %temp% does not seem like a good abbreviation for %SystemDrive%\Users\{username}\AppData\Local\Temp. I wonder who decided to just call it %temp% in the tech community. That path is protected by AG though, since it is part of the user space as Barb stated above. The reason the malware was allowed to execute from this path is because it is signed. The malware is signed, right? AG allows signed files to execute in the Medium mode of protection from the user space "guarded", which is the equivalent of allowing it to execute sandboxed, or with limited rights. I was not aware AG allowed guarded apps to download to %SystemDrive%\Users\{username}\AppData\Local\Temp. Good find. I would like to further discuss this when I get back. I have to leave for now though. I just learned my father is in the hospital so I had to really rush this post. I appreciate you and Barb giving me the info on %temp%.
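    The posts above (Cutting_Edgetech's #2 and #22, Peter2150's #4, Barb_C's #8 and #21) describe AppGuard's policy in prose but never show the rules side by side. The following is an added example, not code from this thread or from AppGuard itself: a small Python model of the policy exactly as those posts state it, used to replay meatouph's tests from #1 and #6. The user-space root (C:\Users\Jacek, taken from #20), the guarded-apps list, the process names and the file names are assumptions made for the example. It encodes only the launch rule as Barb_C states it in #21 (Medium: unsigned user-space files blocked, signed ones auto-Guarded); whether the Critroni sample was actually signed is left open in the thread (#24 reports no Digital Signatures tab), so the model does not settle that question.

```python
"""Toy model of the AppGuard policy as the posters describe it (example, not AppGuard code).

Rules taken from the thread:
  * A path is either "system space" (C:\, C:\Windows\Temp, Program Files, ...)
    or "user space" (the user profile, which includes %TEMP%).            (#2, #21)
  * A Guarded app may not write to system space.                            (#2)
  * Launching from user space: Locked Down blocks everything; Medium
    blocks unsigned files and auto-Guards signed ones.                      (#21, #22)
  * Launching from system space is not restricted, so a file the user
    copied there by hand runs unguarded.                                    (#2, #8)
  * A Guarded app gets no access to a folder marked private.                (#4, #8, #13)
"""
from dataclasses import dataclass
from enum import Enum
from pathlib import PureWindowsPath


class Level(Enum):
    MEDIUM = "medium"
    LOCKED_DOWN = "locked down"


# Constructed policy for this example. AppGuard derives the real user-space
# roots from the OS's environment variables at first launch (#3).
USER_PROFILE = PureWindowsPath(r"C:\Users\Jacek")                 # assumed profile
TEMP = USER_PROFILE / "AppData" / "Local" / "Temp"                 # %TEMP% (#20, #21)
USER_SPACE = [USER_PROFILE]
PRIVATE_FOLDERS = [PureWindowsPath(r"D:\Różne")]                  # meatouph's folder (#12)
GUARDED_APPS = {"iexplore.exe", "outlook.exe", "acrord32.exe"}   # assumed list


@dataclass
class Process:
    image: str
    guarded: bool  # on the Guarded Apps list, or auto-Guarded at launch


def _under(path, roots):
    p = PureWindowsPath(path)
    return any(root == p or root in p.parents for root in roots)


def is_user_space(path):
    return _under(path, USER_SPACE)


def is_private(path):
    return _under(path, PRIVATE_FOLDERS)


def can_write(proc, target):
    """Guarded apps may write inside user space only; unguarded apps anywhere."""
    return is_user_space(target) if proc.guarded else True


def can_access_private(proc, target):
    """Private folders are hidden from Guarded apps (privacy mode)."""
    return not (proc.guarded and is_private(target))


def launch(exe, signed, level):
    """Return (allowed, guarded) for starting `exe` under the given protection level."""
    exe = PureWindowsPath(exe)
    if not is_user_space(exe):
        # System space: nothing stops it; it is Guarded only if it is a listed app.
        return True, exe.name.lower() in GUARDED_APPS
    if level is Level.LOCKED_DOWN or not signed:
        return False, False
    return True, True  # Medium, signed: runs, auto-Guarded (privacy mode)


def infection_chain(via, drop_target, signed, level):
    """Outcome when process `via` drops a payload at `drop_target` and starts it."""
    if not can_write(via, drop_target):
        return "blocked at write"
    allowed, guarded = launch(drop_target, signed, level)
    if not allowed:
        return "blocked at launch"
    return "runs guarded" if guarded else "runs unguarded"


def replay(level=Level.MEDIUM):
    """Replay the tests from #1 and #6 and Barb_C's reasoning from #8 (constructed paths)."""
    browser = Process("iexplore.exe", guarded=True)
    hand_copied = r"C:\cryptolocker\1.exe"  # where #1 placed the sample by hand
    private_doc = r"D:\Różne\notes.docx"
    return {
        # The step a Guarded app cannot perform: planting the file in system space
        "browser_drops_to_C_root": can_write(browser, hand_copied),
        "browser_drops_to_windows_temp": can_write(browser, r"C:\Windows\Temp\1.exe"),
        "browser_drops_to_temp": can_write(browser, TEMP / "1.exe"),  # allowed, as #6 saw
        # Launching the unsigned sample from each location
        "unsigned_runs_from_desktop": launch(USER_PROFILE / "Desktop" / "1.exe", False, level)[0],
        "unsigned_runs_from_temp": launch(TEMP / "1.exe", False, level)[0],
        "unsigned_runs_from_C_root": launch(hand_copied, False, level)[0],
        # A signed sample that landed in user space (#8)
        "signed_runs_from_temp": launch(TEMP / "critroni.exe", True, level)[0],
        "guarded_reads_private": can_access_private(Process("critroni.exe", True), private_doc),
        # The system-space sync client from #16 is unguarded, so it keeps working
        "sync_client_reads_private": can_access_private(Process("sync.exe", False), private_doc),
        # End to end: the browser can only land a payload in user space, where the launch rule applies
        "chain_unsigned_via_browser": infection_chain(browser, TEMP / "1.exe", False, level),
        "chain_signed_via_browser": infection_chain(browser, TEMP / "critroni.exe", True, level),
        "chain_hand_copy": infection_chain(Process("explorer.exe", False), hand_copied, False, level),
    }
```

    Running `replay()` for Medium and `replay(Level.LOCKED_DOWN)` shows the two points the thread makes: the hand-copied sample at C:\cryptolocker runs unguarded under both levels because a Guarded app could never have put it there, while a payload arriving through the browser can only land in user space, where Medium stops it unless it is signed and Locked Down stops it regardless.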
     
  23. digmor crusher

    digmor crusher Registered Member

    Joined:
    Jul 6, 2012
    Posts:
    1,172
    Location:
    Canada
    Not for a couple of weeks. It happened maybe 6 or 8 times previously, and seemed to only occur when I left the computer idle for a while, meaning the computer would be on but I would be away from it for an hour or so. I would come back and see that AppGuard had blocked something; it would throw up 2 or 3 alerts over this time. Scanned with EAM, nothing, and I haven't noticed anything that would indicate I'm infected. Thanks for the help.
     
  24. meatouph

    meatouph Guest

    I don't see a Digital Signatures tab in the file properties. However, you can see the first file is a fake osk (on-screen keyboard) - product name (...) Microsoft - and the second one is a fake IE installer. The installer needed admin rights; otherwise it was unable to create the separate file in %temp%, the file responsible for the encryption.
    https://www.wilderssecurity.com/attachments/szczegoly-png.246279/
     
  25. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,458
    Location:
    .
    Hi AppGuard friends

    I'm usually in Shadow Mode. Is there any logic to adding Shadow Defender to Guarded Apps?

    Why is it that I may have C:\ProgramData in User Space, but not C:\Program Files?
     