AppGuard 4.x 32/64 Bit - Releases

Discussion in 'other anti-malware software' started by Jryder54, Oct 29, 2013.

Thread Status:
Not open for further replies.
  1. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    No, your current licenses will not work on 5.1, but why do you want to use 5.1? The only difference is the branding and licensing. In the future, 4.x is only going to be available on a limited basis for beta testers and partners. In fact, 4.3 currently has a feature that 5.x does not have yet (the enhanced wildcards). If we deviate from our plan to have 4.x stay in line or ahead of 5.1 we would still want to have Wilders do some beta testing for us and I guess at that time, we would issue some 5.x licenses for anyone volunteering to beta test.

    Also with 5.x, if you don't allow AppGuard to contact the license server periodically, AppGuard will discontinue protection until you do (with due warning). With 4.x, AppGuard tries to contact the license server periodically, but after initial activation, AppGuard 4.x won't stop protection if it can't reach the license server.
     
  2. hjlbx

    hjlbx Guest

    @Barb_C - thanks for clarification. Misread your post regarding 5.X versus 4.X.
     
  3. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    LOL. Sometimes I feel like it.
     
  4. pablozi

    pablozi Registered Member

    Joined:
    Oct 24, 2010
    Posts:
    215
    Location:
    nowhere
  5. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Beta testers will want to test the version they will be using so I hope they don't plan on making 5 an undesirable version for Wilders type users. If that occurs you won't have many testers for version 5. I also highly doubt BRN will want to make any improvements to version 4 just for Wilders members. In the future when development starts again I think most members will want to see progress made in the version they will be using.

    edited 2/19 @ 3:14
     
  6. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Well from what I see I'd rather keep using V4, but sure would be willing to help beta test 5

    pete
     
  7. hjlbx

    hjlbx Guest

    @Barb_C - had to set Memory Protection for two security applications to function properly - Quarri POQ (virtualization with SRP) and IT Hurricane Power Tool (root kit remover).

    LOL... I knew the setting would come in handy some day.

    Please don't remove Memory Protection on\off setting.
     
  8. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,639
    Location:
    Under a bushel ...
    +1
     
  9. Moose World

    Moose World Registered Member

    Joined:
    Dec 19, 2013
    Posts:
    905
    Location:
    U.S. Citizen
  10. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    AppGuard protection is supposed to start even before the desktop loads. There's no need to tweak any settings.
     
  11. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,639
    Location:
    Under a bushel ...
    Linking to this post in the NVT ERP thread, I have added the additional vulnerable processes in ERP (with no problems in Alert mode).

    But if I were to try accomplishing the following using AG:

    I also suggest that you restrict write access permissions on
    C:\Windows\ADFS\*
    C:\Windows\Fonts\*
    C:\Windows\Minidump\*
    C:\Windows\Offline Web Pages\*
    C:\Windows\tracing\*
    C:\Windows\Temp\*
    C:\Windows\Tasks\* - NOTE: When installing some apps, they will need access to this folder to schedule start, updates, etc.
    C:\ProgramData\*
    such, that you - as a default/normal user - cannot copy (or write) files into one of these folders. Please note, ensure that Windows Update (or the Trusted Installer and Admin) are still able to write into these folders or you gonna end up in some trouble


    would that be possible (even desirable)? If so, how would I need to 'define' these folders, and trustedinstaller.exe?

    Or is AG already protecting these folders?

    @pegr @Barb_C or anyone :) - could you chime in here?
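
Added example (not part of the original post, and not AppGuard's own tooling): a read-only PowerShell audit that lists which of the folders quoted above grant write-type NTFS rights to broad non-admin groups. The SID list and the write mask are assumptions chosen for this illustration, and Deny entries are not evaluated, so it may over-report.

```powershell
# Folders taken from the list quoted in the post above.
$folders = @(
    'C:\Windows\ADFS', 'C:\Windows\Fonts', 'C:\Windows\Minidump',
    'C:\Windows\Offline Web Pages', 'C:\Windows\tracing',
    'C:\Windows\Temp', 'C:\Windows\Tasks', 'C:\ProgramData'
)

# Well-known SIDs of broad groups a normal user token carries
# (assumption: a standalone machine; add domain groups as needed).
$broadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-4'      = 'INTERACTIVE'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

# WriteData (create files) | AppendData (create subfolders)
# | GENERIC_WRITE | GENERIC_ALL. Modify and FullControl include the first two.
$writeMask = 0x2 -bor 0x4 -bor 0x40000000 -bor 0x10000000
$sidType   = [System.Security.Principal.SecurityIdentifier]

$findings = foreach ($path in $folders) {
    if (-not (Test-Path -LiteralPath $path)) { continue }   # folder absent on this OS
    $acl = Get-Acl -LiteralPath $path -ErrorAction SilentlyContinue
    if ($null -eq $acl) { continue }                        # ACL not readable
    # Explicit and inherited ACEs, with identities returned as SIDs.
    foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
        $sid = $rule.IdentityReference.Value
        if ($rule.AccessControlType -ne 'Allow')      { continue }
        if (-not $broadSids.ContainsKey($sid))        { continue }
        if (([int]$rule.FileSystemRights -band $writeMask) -eq 0) { continue }
        [pscustomobject]@{
            Folder    = $path
            Principal = $broadSids[$sid]
            Rights    = $rule.FileSystemRights
            Inherited = $rule.IsInherited
        }
    }
}

# Each row is an Allow entry that lets a normal user create content there.
$findings | Format-Table -AutoSize
```

This reports NTFS permissions only; it says nothing about what an AppGuard policy blocks on top of them.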
     
  12. guest

    guest Guest

    After I added a Windows-Directory I was even able to execute unsigned files in Medium/Protected-Mode :eek:
    Maybe it's not a wise decision to add a Windows-Directory to User Space according to this:
    AppGuard_add-Windows-Folder-to-User-Space.png
     
  13. guest

    guest Guest

    I think it's safe to ignore these rundll32.exe-messages.
    In my case I see iobdll64.dll (from SOB) and mbae64.dll that are being blocked from launching every time.

    I decided now to ignore c:\windows\system32\rundll32.exe -- if it's launched from c:\sandbox\*
     
  14. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,453
    Location:
    .
    Okay, regarding your setup after you Ignore those rundll......are SOB and MBAE degraded...?
    Regarding my setup....why does AG throw Alert for hmpalert.dll with hmpalert.exe as Pwr App. After I Ignore rundll will HMP.A be degraded in IE sandbox...?
    Ignore, as I understand is cosmetic.
    "Ignore" does not whitelist programs.
    After you Ignore (suppress) Alerts.
    AG policy remains AG active policy.....Yes / No...?
    Thank you very much for your informed reply.
    Be nice if BRN replied but, as I've been told. BRN does not test SBIE nor SOB nor MBAE nor HMP.A.
    And if I forgot to mention C:\Sandbox -- No...renders AG quieter for IE11 run.
     
    Last edited: Feb 21, 2016
  15. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,868
    Location:
    Outer space
    Hmm, do you know what the reasoning is behind developing both the 4.x and 5.x versions at the same time?
    Anyway, let's wait with complaining until we know more about v5 :p


    Probably you can't do anything about it, but that's really a step back instead of an improvement.


    You've already received answers on the security software, but I would advise to add dnscrypt-proxy.exe to guarded apps:
    https://www.wilderssecurity.com/threads/dnscrypt-1-5-0-released.377562/#post-2565017
     
  16. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,868
    Location:
    Outer space
    I don't know if adding Flash executables to Guarded Apps would improve protection. Apart from the Firefox Flash process, with browsers and other software using Flash, it seems to run inside the host process. So PowerPoint, Word etc. need to be Guarded to protect against Flash exploiting. Sometimes when Flash is being used, for example in IE, you also see a Flash process running, but that is the installer/uninstaller file. I've asked about it sometime, but it seems it is not known why it's running.
     
  17. guest

    guest Guest

    No, ignoring messages doesn't degrade other programs. The messages are only suppressed (and AG remains active)
    If these rundll32-messages are shown the next time, just ignore them.
     
  18. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    The way AG protects all the Windows folders you have listed is by not allowing vulnerable applications that are on the Guarded Apps List to write to those folders, and also by not allowing executions from the user-space to write to those folders. As long as you have all your web applications on the Guarded Apps List then you should be fine. AppGuard will not allow anything to execute in ProgramData that is not already installed. I'm not sure how it accomplishes this.
     
  19. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    It sounds like you found a bug. Where were you executing the files from? AppGuard already protects all Windows Folders by not allowing vulnerable applications on the Guarded Apps List to write to those folders, and also by not allowing executions from the user-space to write to those folders. You should be ok without adding those folders as long as all your web applications are on the Guarded Apps List. Adding those folders should not have disabled AG protection though. That's why I think it's a bug. Hopefully Barb can take a look at it tomorrow.
     
    Last edited: Feb 21, 2016
  20. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I don't have Adobe Shockwave Player installed so I don't know if it's on the Guarded Apps List by default, but if it's not then it should be added to the Guarded Apps List. I was going to check with Barb to see if it's added by default, and forgot about it. Regular Flash Player should be Guarded by default as already mentioned since all browser plugins are Guarded.
     
  21. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,639
    Location:
    Under a bushel ...
    Thanks. I will avoid that then.
    I had toyed with making those directories read only under Guarded Apps, and make trustedinstaller.exe a Power App but that doesn't sound right either! :confused:
    @Cutting_Edgetech says I have the necessary protection for those folders provided I have all my web-facing apps guarded.
     
  22. guest

    guest Guest

    Yes, they are already protected.
    It was only an experiment from me (that has failed)

    I created 2 directories c:\!\unsigned + c:\windows\!\unsigned and added them to the user space list (launching is disabled).
    Unsigned files shouldn't be allowed to execute from these directories, but ...

    It's possible to execute unsigned files from this directory: c:\windows\!\unsigned
    (but they are started guarded)
    AppGuard_Userspace-folder_unsigned-file_(1).png AppGuard_Userspace-folder_unsigned-file_(2).png
     
  23. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I think shockplayer is also mainly an add in so it should be protected.
     
  24. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    Were you Guarding those applications? If not, I'm confused on what had to be done to make them work? I would have suggested adding them to Power Apps.
     
  25. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    With the exception of C:\ProgramData, AppGuard is protecting those folders from Guarded Apps. In other words, Guarded Apps cannot write to any Windows Folders. C:\ProgramData is being protected in the sense that AppGuard prohibits applications from running from that folder.
     