AppGuard 4.x 32/64 Bit - Releases

Discussion in 'other anti-malware software' started by Jryder54, Oct 29, 2013.

Thread Status:
Not open for further replies.
  1. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I agree with you on that point. Most users don't know what a digital certificate is. They don't know a digitally signed file from a file that is not signed. I think the best thing to do is give an option for the novice, and advanced user. Novice users could continue to allow all digitally signed files from the user-space if you think that will prevent a support headache, and advanced users could be given an option to only allow certificates on the Publisher's List. You already stated above that this is in the works so I guess this is going to be an option soon.
     
  2. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    Thanks for the feedback.

    We actually have had requests for this feature.
    Considering this for future release.
    If you are suggesting that we provide popups for every blocking event asking the user whether to allow, that has been considered previously and not implemented for these reasons:
    1. Most blocking events (such as memory access and registry access blocks) are benign (meaning they don't affect operation of the application) and don't require an exception. Users that don't understand the uniqueness of AppGuard may think that they have to make a policy exception for all of these blocking events when in fact they don't (and they shouldn't).
    2. We find our default policy works for most users without modifications.
    3. System stability: Without going into too much detail about how AppGuard is working, basically our Kernel Driver is making a decision based on policy whether to permit programs to launch. If it had to check with the user and wait for a response, the system can become unstable. Think of someone leaving for a coffee break and all these process launches waiting.
    We are considering a policy wizard of sorts that could be launched by right-clicking on an event in the AppGuard Activity report or perhaps from the blocked launch popup.
     
  3. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    Hi Michael, we feel that the list of registry keys that we protect is proprietary and I am not able to share unless there is a non-disclosure agreement in place.
     
  4. digmor crusher

    digmor crusher Registered Member

    Joined:
    Jul 6, 2012
    Posts:
    1,172
    Location:
    Canada
    Agree regarding the popups, AG blocks something in Chrome every time I opened Chrome, up to 10 or 15 events each time, all the popups for this would drive me away from AG.
     
  5. guest

    guest Guest

    My feedback after 1 hour of use:

    - my issue with the license rejected is solved.

    - in Lockdown Mode: when allowing/denying guarded/unguarded USB and User Space launches, the following error appears

    http://i.imgur.com/6PGlScs.png

    but the operation is still done.


    - the path bug when adding an x86 process in Power Apps is still there.

    - got the "schtasks.exe" block too.

    Except for that, all seems to work fine at the moment.
     
  6. stackz

    stackz Registered Member

    Joined:
    Dec 27, 2007
    Posts:
    646
    Location:
    Sydney Australia
    I temporarily disabled TamperGuard and renamed AppGuardGUI.exe before installing over the top.
    All went well in the installation and I have the new look GUI. :doubt:
    The first bug I encountered was found while trying to remove the renamed AppGuardGUI.exe.bak - disabling TamperGuard from the GUI has no effect.
     
  7. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,873
    Location:
    Outer space
    Where can I find AG user configuration? (especially Guarded Apps list). I only found the default config in programdata and programfiles.

    Oh and is there still an official manual? I seem to remember the v3.x version always came with a manual installed, which included release notes from multiple versions.
     
  8. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    The manual can be found in the bottom right corner of the GUI labeled help. I'm not sure if the user configuration is found in the policy file, or in the programdata folder.
     
  9. guest

    guest Guest

    Users > "your name" > Appdata > Roaming > Blue Ridge Network > Appguard > appguardpolicy.xml
     
  10. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,873
    Location:
    Outer space
    Thanks, haha makes sense, default config in program folders and user config in user folders :oops:

    Hmm, thanks though that wasn't what I was looking for. I think the older versions had a PDF with them.
    Are release notes/changelogs for 4.0, 4.1 and 4.2 available somewhere?
     
  11. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I will pm you.
     
  12. hjlbx

    hjlbx Guest

    Within the prior 9 months or so, @malware1 reported a Medium Mode by-pass using a .lnk to cmd.exe. The by-pass involved a ransomware file that was renamed (disguised) as a text file.

    Of course, he reported it to you and - as far as I am aware - BRN rectified the issue.

    At the time, I tested the malware against AppGuard Medium Mode and the ransomware was able to encrypt all possible files\folders.
     
  13. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I always operate in Locked Down Mode. BRN did fix one crucial bug in this release, and is currently working on another. If something is blocked from the Windows Folder it will now notify the user, and log the event. Before AG could block executables in the Windows Folder all day long, and you would never know.
     
  14. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    What do you guys think about this idea that I recommended to Barb? I think everything could be made modular using tickboxes instead of having different Modes of protection. I think if BRN decides to do away with Locked Down mode to prevent confusion then my recommendation below would be the best option. It would make things much easier to explain in the documentation, and also much easier to explain to new users here at the forum. NVT ERP already did this when they found out how confusing all the different protection modes were for new users.

    "My Email to Barb"
    I was just thinking that if BRN wants to only go with one protection mode to prevent confusion then the functionality of Locked Down Mode could be given in the settings. You could have a tickbox in the settings that says, "Do not allow signed files to execute in the user-space", or a similar description of the feature. AG could allow signed files to execute in the user-space by default, but the user would have the option to deny signed files from executing in the user-space by simply ticking the box in the options. I think everyone would be happy then. Really any feature can be made modular using tickboxes in the settings instead of having different protection modes to choose from.
     
  15. stackz

    stackz Registered Member

    Joined:
    Dec 27, 2007
    Posts:
    646
    Location:
    Sydney Australia
    @ Cutting_Edgetech, I was thinking along the same lines as you and think what you suggested in the email makes the most sense.
     
  16. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Thanks! I hope most people will be ok with it.
     
  17. hjlbx

    hjlbx Guest

    "Dormant" malware is not something that typical users understand... other security soft vendors are finding this out the hard way (increased complaints, support requests, negativity about the soft(s)).
     
  18. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,812
    Location:
    .
    On Windows 8.1 x86, I can confirm that in Lockdown mode:
    1. The path bug when adding an x86 process in Power Apps is still there.
    2. The "schtasks.exe" blockage is present here as well:

    01/22/16 07:46:14 Prevented process <schtasks.exe> from launching from <\Device\HarddiskVolume1\windows\system32>.

    Other than that all good so far.

    One old request to remind you:
    • To increase the amount of Power Apps which can be added.
    Edited@8:07am, today. It seems I spoke too soon, schtasks.exe is being blocked just like in Win7.
     
    Last edited: Jan 22, 2016
  19. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I reminded Barb again today about Powerapps showing the incorrect path.
    I was informed that schtasks.exe had been getting blocked all along on my machine, but I was just now seeing the block because of the bug they fixed that I reported. It was the bug I reported about the GUI not notifying the user when something would be blocked in the System32, and SysWOW64 folders. The blocks were not being logged either. The bug was in the service.
    edited 1/21 @ 10:33
     
  20. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,812
    Location:
    .
    Ah ok good to know, thanks.
     
  21. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,812
    Location:
    .
    Sometimes I need to run several scripts manually from desktop. Obviously they are blocked by AG immediately, so is it possible to circumvent this or create a feature to add scripts (.cmd/.bat files) to Power Apps?
    I just don't want to lower shields in AG every time I run them.
     
  22. guest

    guest Guest

    In fact, what you are requesting was already asked with the implementation of command lines/wildcards whitelisting/blacklisting. Not sure it may happen.
     
  23. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I reminded Barb about Powerapps showing the incorrect path again today.
    schtasks.exe was being blocked prior to this build, but a bug was preventing AG from alerting the user. AG was not alerting, or logging any blocked events from System32, SysWOW64, and maybe anywhere in the Windows folder. I also had executables in the Microsoft.NET folder moved to the user-space, and I don't think AG alerted to them being blocked either. There was a bug in the service, and now it has been fixed. That's why you are just now seeing schtasks.exe being blocked.
     
  24. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,812
    Location:
    .
    Thanks, I don't recall that time. Anyway thanks for telling me and I hope BRN listens to us.

    Thanks CE I got it now, but I said in my post "NOT being blocked". Perhaps it is Win8.1, dunno.
     
  25. stackz

    stackz Registered Member

    Joined:
    Dec 27, 2007
    Posts:
    646
    Location:
    Sydney Australia
    It turns out that the AppGuard service executable hadn't been updated. A clean install later and TamperGuard is fully functional. :)
     