AppGuard 4.x 32/64 Bit - Releases

Discussion in 'other anti-malware software' started by Jryder54, Oct 29, 2013.

Thread Status:
Not open for further replies.
  1. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,006
    Location:
    .
    Thanks for compiling.
    Lets review Help for Sandboxie as an example.
    4.0 User Guide = 2.2. Moving a System-Space Folder to User-Space
    Windows and Program Files folders may not be moved to User-Space as they are core components of the trusted enclave. Where allowed, this is a two-step procedure involving both the User-Space and Guarded Apps tabs.
    The System-Space folder to be moved is added to the list in the User-Space tab, setting the Include flag to Yes in order to guard its executables. The folder is also added as an Exception Folder via the Guarded Apps tab, with the Type flag set to Read/Write in order to unprotect it and allow all guarded executables write access.
    An example is Sandboxie. The sandbox container folder is by default located in System-Space. For Sandboxie to work, guarded applications running sandboxed must be able to write to it. For optimum security, all executables launched from the sandbox container folder should also be guarded. To achieve both goals, the folder has to be moved from System-Space to User-Space.

    4.1 User Guide = There is no conflict between Sandboxie and AppGuard 4.1. Depending on where Sandboxie is installed, you may need to fine-tune AppGuard's policy as follows.
    1. If Sandboxie is using a folder C:\Sandbox, add this as an “Exception” folder on the Guarded Apps Tab:
    2. Make sure to change the type to Read/Write:
    No mention of moving System-Space Folder to User-Space

    4.2 User Guide = No reference to Sandboxie and yet online I find.
    There is no conflict between Sandboxie and AppGuard 4.2. Depending on where Sandboxie is installed, you may need to fine-tune AppGuard’s policy as follows.
    If Sandboxie is using a folder C:\Sandbox, add this as an “Exception” folder on the Guarded Apps Tab.
    Make sure to change the type to Read/Write
    No mention of moving System-Space Folder to User-Space

    ------------------------------------------
    I started with C:\Sandbox Yes, asked questions and was told change to No. Then I asked questions and was told delete Sandbox User Space.
    Help is seldom written in stone. And BRN does not test in-house. AppGuard Help requires supplementation by in-the-know Wilders members. And sometimes agreement among Wilders members is not forth coming.
    And note User Guide 4.0 was SBIE v4 and now with SBIE v5 significant re-write.
    Are we again ....C:\Sandbox Yes to guard the executables launched from sandbox.
    My limited gray matter is thwarted by documentation.
    So, I'll experiment and ask / experiment and ask and am told ....read Help.
    Thanks again!..... Mister X. Give me a mo' to find my reading glasses.
     
    Last edited: Dec 27, 2015
  2. hjlbx

    hjlbx Guest

    @bjm_

    Your case is perfect demonstration of AppGuard's terrible usability...
     
  3. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,006
    Location:
    .
    I had some free time over holidays. So, time to dust off n' play with AppGuard.
    I can see Norton work. I can see ERP, SBIE n' HMP.A work. Hope springs eternal to see AG work, other than -- prevented legit from doing legit to legit. Toys R' Fun
     
  4. hjlbx

    hjlbx Guest

    Typical user doesn't see it as fun; they see AppGuard as garbage.

    Typical user might put only an hour or two into getting a soft to work - not days.
     
  5. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,006
    Location:
    .
    Well, fwiw ~ I'm not married to AppGuard in the way I'm married to Sandboxie. And even though Norton has detractors. I'm used to Norton. But, not married to Norton either.
    AG may be fun for me cause, not much skin in the game. And at my age any (skin) stimulation is welcome. Thanks
     
    Last edited: Dec 27, 2015
  6. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,648
    Location:
    USA
    bjm, is it clear now why you cannot make folders like Downloads, and your desktop Private without causing some major usability problems? I think maybe at first you did not understand how Private Folders works to protect your files. The way AG protects files in Private Folders is by blocking Guarded Applications, and user-space executions from accessing those folders. So if you make the Downloads Folder Private then your web browser will not be able to access that Folder since your web browser is on the Guarded Apps List. Downloads is the default download folder for most web browsers so it's not possible to make that folder Private unless you configure your browser to download to a different folder, or have your browser always ask where to download to.
     
    Last edited: Dec 27, 2015
  7. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,648
    Location:
    USA
    Many applications on this forum have had problems working with Sandboxie. It's not only AG.
     
  8. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,006
    Location:
    .
    Well, my download default is desktop....so, I had a double whammy wo realizing. Is there a way to Lock Down Firefox so that browser/extension installs need permission. Yes, FF is Guarded and yet with AG Locked Down. Firefox behaves the same for me as wo AppGuard. I though Guarded Folders like documents/pictures -- Private is an enhancement. So, why not enhance downloads/desktop. I'm aware now. Thanks for clarity and driving me home. I wanted to see what happens, thinking Lock Down Firefox as enhancement.
    Help did not by my read state. I can't. Live n' Learn. Thanks
    Well, Norton and SBIE have been sharing my sys tray for 8 years.
    And I'm not aware what is / is not working by AG+SBIE.
    Just on occasion cryptic...prevented legit from doing legit to legit. Thanks again. I've added C:\Sandbox Yes back to User Space. We'll see if/when wheels fall off.
     
    Last edited: Dec 27, 2015
  9. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,648
    Location:
    USA
    I don't know of any way that you can use AG to make browser extensions need permission to install. I have found that AG will block some of them from installing though if you don't disable AG. I can't remember which ones got blocked, but it has happened to me in the past.

    AG should be enhancing Firefox Security without you noticing. Maybe you are not aware of what AG is doing. AG will block Firefox from reading, and writing to the memory of all other applications. This includes plugin-container which covers all extensions. So if Adobe Flash, or Adobe Reader plugin tries to read/write to the memory of another application then AG should block it. So AG will block .dll injection from Guarded Apps.

    AG will also block Firefox from writing to Program Files, System Space, and C:\. There is one easy test you can try to see if AG is working if you are using an Admin Account. Configure Firefox to ask you where to download files to from the internet. Then disable AG. Now download a file from the internet to Program Files. It will be allowed to download there. Now enable AG. Try downloading a file from the internet to Program Files now, and you will see that AG will block Firefox from writing to Program Files. You can also try the same thing by trying to download to C:\, or the System Space with AG enabled. You will see that AG will block it. AG will also block FF from writing to protected registry keys.

    Edited 12/27 @3:02
     
  10. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,648
    Location:
    USA
    I forgot to mention above that AG will also block Firefox from being the parent of rundll32, CMD, etc.. since those are Guarded also. You can add powershell, java, or whatever else you want to the Guarded list.

    Edited 12/27 @3:17
    I think it will work like that. Maybe I should get some clarification from Barb on that one. I have seen this behavior from AG, but i'm not sure that's always the case. I will ask her when she gets back from the holidays. At the very least they will be Guarded, but hopefully AG will block them from being Spawned by a Guarded App.
     
  11. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,006
    Location:
    .
    Cutting_Edge,
    Will, Firefox write to Profile in Locked Down or Medium..?
    Will, Firefox write to AppData in Locked Down or Medium..?
    edit: save bookmarks in LD, so writes to Profile okay.
    And c:\users\user\documents and pictures are Guarded w easy toggle.
    I'll have to try FEBE backup....see if Firefox writes to documents.
    edit: FEBE backup went to sandbox for recovery w AG toggle.
    I imagined same easy toggle for downloads/desktop.
    Thanks for helping me w d/d.
    Hmm, hadn't though threw to mem r/w as not readily visible.
    AG will block .dll injection from Guarded Apps. Hmm....

    download a file from the internet to Program Files....don't recall ever doing or needing...?
    AG will also block FF from writing to protected registry keys....and protected keys need protection from..?
    #3961 = getting over my pay grade....
    baby steps for now
    Regards
     
    Last edited: Dec 27, 2015
  12. hjlbx

    hjlbx Guest

    For maximum protection it is best to add most vulnerable processes to User Space = block their execution. Both the SysWOW64 and System32 paths must be added.

    If AppGuard blocks a legitimate action, then just go to Guarded Apps tab and select "No" for "Include in User Space", then re-execute blocked action.

    After completing the execution, simply return to Guarded Apps tab and change "Include in User Space" back to "Yes."

    NOTE: Most users don't do this, but instead those that want this sort of added protection use NVT ERP to handle vulnerable processes.

    Of course I wouldn't add rundll32.exe to User Space since many, many legitimate actions will be blocked; best to leave rundll32.exe in the Guarded List.
     
    Last edited by a moderator: Dec 27, 2015
  13. hjlbx

    hjlbx Guest

    Most of the problems in this thread surrounding AppGuard in this thread are because users are running AppGuard in Lock-Down Mode.

    Medium Mode is worthless since it has allowed digitally signed malware to execute (verified on test system).

    So Lock Down mode is only way to truly protect system when using AppGuard.

    However, Lock Down mode causes lots of problems\hassles depending upon installed softs, how often system is changed, non-M$ soft updates, etc.

    For example, Lock Down mode will block Windows' built-in cleanmgr and even Windows Defender signature updates.
     
  14. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    3,984
    Location:
    Mexico
    Exactly what I don't do, to bother playing with AppGuard? Bummer!
    I rather go with NVT ERP. Actually I'm learning how to tighten security, i.e. vulnerable processes, system processes, etc. I feel it's getting harder and harder to deal with ERP this way but I hope at the end it will be a rewarding experience.
     
  15. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,648
    Location:
    USA
    Digitally signed executables are ran with limited rights in Medium Protection Mode. Limited rights = Sandboxing. I would not call it worthless by a long shot. It will always be safer not to allow malware to execute to begin with than relying on containment. There's definitely no argument there. That will always be my preferred method of mitigation.

    I requested over a year ago that BRN only allow digital certificates on the Publisher's List in Medium Protection Mode. I was informed that it may be given as a third option. I think it should be the only option myself. I can't think of any reason all digitally signed executables should be allowed in the user-space. The chance of the Malware being signed by one of the digital certificates on the Publisher's List will be very slim if the user manages their Publisher's List right.

    There's also the problem of cleanup when allowing malware to run with limited rights. You can't just empty the Sandbox with AG so you have all these infected files remaining on the disk that could easily do great damage if AG is disabled later to allow a software update, etc..

    edited 12/27 @5:58
     
  16. hjlbx

    hjlbx Guest

    Really ?

    I've run digitally singed malware samples and riskware - that downloaded additional malicious files - was installed...

    So by that measure Safe Mode is worthless.
     
  17. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,648
    Location:
    USA
    Were the additional malicious files able to infect the System Space, or Program Files Folders? It should not have been. The fact that AG runs the malware with Limited Rights still equals Sandboxing functionality. That's all I was saying. Here is a video of CruelSister testing AG on an already infected System. She does not install AG until the System has already become infected. It stops all outbound internet access by the malware, and blocks all the malware from running. https://www.youtube.com/watch?v=yEOJxUEApso

    I think I get your point though. I'm not really sure how good AG's Sandboxing ability is. It has never been tested much because the malware has to be signed in order to run. It makes testing it's Sandboxing ability harder since signed malware is harder to come by. I have seen a few different Crypto-Malware ran in Medium Protection Mode, and AG did block it from encrypting the user's files. I hope they take my advice, and only allow digital certificates on the Publisher's List in Medium Protection Mode soon. That would make a huge difference. That was on the list.
     
  18. hjlbx

    hjlbx Guest

    If AppGuard allows something malicious to be installed, it just isn't a good thing - ever.

    Dormant malware installed on system, but unable to launch is a really bad idea - since a user can lower AppGuard protections and make a mistake.

    That applies to Kaspersky, COMODO, NVT ERP, etc, etc - all that "Allow" digitally signed files from trusted vendors. So I'm not just picking on BRN. It's a huge complaint from most security conscious users throughout the world.

    Such a policy can easily cause infections because a big approach by malware authors nowadays is to purchase a certificate, keep the installer off the AV signature lists by not downloading malicious files itself, but download additional digitally signed apps that download\install malicious files.

    Install Monsters from China are famous from this sort of tactic.

    All I'm saying is that as far as absolute security, Medium Mode has limitations - whereas Lock Down mode is, well, rock solid.

    And this is supported here at this thread since most dedicated users here do not use Medium Mode.
     
  19. marzametal

    marzametal Registered Member

    Joined:
    Mar 19, 2014
    Posts:
    766
    Well ain't that a ***** and a half... I lost my post file for this thread... time for a 5th read, damnit! Thanks for these Sir, will add to them.
     
  20. guest

    guest Guest

    Exactly what i told him in the earlier post, guess he missed it :D

    Put Sandboxie's container on another partition (say D: ), and make this partition user-space. i never had any problems. anyway why let the container on C: it afford nothing more than being on another partition...?

    why wouldn't you do as i said above? i wonder why people look for complexity when simplicity is present...

    exactly my case :D

    Best way to learn , i always regret that AG gave mysterious alerts like "PID xxx is blocked because blablabla" , we stay in the dark and can't pinpoint the issue.
     
  21. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    On both Appguard, and ERP, I eliminate any allow based on certificates or signed exe's It has become to dangerous.

    And I agree with Appguard keep it simple.
     
  22. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,281
    Location:
    UK
    I've noticed this behaviour too. I recall that Firefox updates used to get blocked in Locked Down, but the latest Firefox 43.0.2 update wasn't blocked by AppGuard in Locked Down on my system.

    Looks like something may have changed recently in the way Firefox updates are applied. Whether or not it is a bug in AppGuard would depend on how the updates are initiated.

    If updater.exe in the Firefox program folder is scheduled to run independently of firefox.exe, AppGuard wouldn't block it: updater.exe is an unguarded system space application that is free to do what it likes if run as a main process.

    On the other hand, if updater.exe is launched by firefox.exe, it looks like a bug: child processes of a guarded app should inherit the restrictions of the parent process.

    I don't know whether it's a bug or not; but it does look as though something has changed.
     
  23. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,392
    Location:
    Under a bushel ...
    I had removed C:\Sandbox = Yes from User Space due to this advice: http://www.sandboxie.com/index.php?KnownConflicts#appguard
    But readded it now also, thanks to this link to @pegr's advice: https://www.wilderssecurity.com/threads/appguard-4-x-32-64-bit.355206/page-12#post-2307841, provided by @Mister X in #3939 ...
    Edit: I use SBIE mainly for browsing, not testing. (https://www.wilderssecurity.com/threads/appguard-4-x-32-64-bit.355206/page-13#post-2307848)
     
    Last edited: Dec 28, 2015
  24. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,281
    Location:
    UK
    I believe we've had this discussion before: #2565.

    The thing that governs this is that system space and user space each come with a pair of default permissions, summarised below.

    System Space:
    1. Block guarded apps from writing to system space
    2. Allow system space apps to run unguarded
    User Space:
    1. Allow guarded apps to write to user space
    2. Block user space apps from running unguarded or running at all
    For individual folders, the default read/write and run permissions can be changed using the Guarded Apps and User Space tabs, respectively.

    For sandboxes used only for sandboxing existing guarded apps (e.g. browsers), all that is necessary for Sandboxie to work is that guarded apps must be able to write to the sandbox. If the sandbox folder is in system space, it must be listed as an Exception Folder in the Guarded Apps tab. If the folder is in user space (on a non-system volume or RAM disk), guarded apps will already have write access and nothing need be done.

    However, just because that's all that's necessary, doesn't necessarily mean it's optimal. There's an advantage to also applying AppGuard run restrictions to executables downloaded into the sandbox. It increases security and it's more convenient than Sandboxie start/run restrictions, which may require some system space executables to be whitelisted in Sandboxie. To apply AppGuard run restrictions to a system space folder, list the folder in the User Space tab with the Include flag set to Yes. If the sandbox folder is in user space and you don't want AppGuard to apply run restrictions then list the folder in the User Space tab with the Include flag set to No.

    For sandboxes used for software testing, in addition to write access, applications installed into the sandbox must be able to run. If the sandbox folder is in system space, nothing extra need be done. If the folder is in user space, AppGuard run restrictions will be in force. See above on how to remove run restrictions from a user space folder. Alternatively, run restrictions can be lifted for individual apps by listing them as guarded apps within the Guarded Apps tab. Yet another way is to temporarily allow user space launches from the AppGuard tray icon right-click context menu.

    As you can see, it is very difficult to give blanket recommendations to cover all cases. The important thing is to decide what you want to achieve and learn how AppGuard works, so you understand how to configure it to achieve the desired outcome in different situations.
     
    Last edited: Dec 28, 2015
  25. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,648
    Location:
    USA
    It seems I have found a bug with AG when adding powershell.exe, and powershell_ise.exe from the System32 folder to the user-space. AG does not blink, or log the blocked event after attempting to launch powershell from the System 32 folder. If I launch powershell.exe, and powershell_ise.exe from the SysWOW64 folder instead then AG blinks, and logs the event as blocked even though AG does not block them from launching. If I add powershell.exe, and powershell_ise.exe from SysWOW64 folder to the user-space then AG blocks them from launching, but does not blink, or log the event. This is probably not specific to powershell. I would say this would happen with other executables as well. I'm using Windows 7X64 SP1 with all security patches.

    Update: Bug report was sent 12/28 @ around 7:00 am
     
    Last edited: Dec 28, 2015
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.