AppGuard 4.x 32/64 Bit - Releases

Discussion in 'other anti-malware software' started by Jryder54, Oct 29, 2013.

Thread Status:
Not open for further replies.
  1. hjlbx

    hjlbx Guest

    @Barb_C

    Quarri My POQ - a security soft - it is in the original post.

    To get it to work with AppGuard, one must:
    • Add to Power Apps:
    C:\program files (x86)\quarri launcher helper
    C:\ProgramData\quarriagent_tmp
    • Exclude C:\ProgramData\quarri_agent.tmp from User Space (since a dll, Enforcerx64.dll becomes an executable, Enforcerx64.exe, upon launch)
    • Add Quarri to Publisher list
    • Disable Memory Protection for Quarri in Publisher list
    This is the only way I have been able to get Quarri to work with AppGuard - using BOTH Protected and Lock-Down mode - since it does a lot of injecting into Internet Explorer.

    About 4 months ago you and I had a rather long back-and-forth support ticket regarding this matter.

    Only now did I think to disable Memory Protection for Quarri - and it solved the problem.
     
  2. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    The main difference between 4.x and 5.x is the licensing. We are transitioning to a subscription based licensing model. Meaning that we will be charging yearly for the license. The licenses that were purchased for 4.x entitle you to perpetual license for 4.x releases.

    The 4.x product will soon only be available to partners and for special purposes (such as for beta testing). The beta testing is the primary reason that 4.x may have additional features that 5.x may not. For instance, the enhanced wildcards are not included in 5.x until we get more feedback on them. Glad we did that because we just got a bug report from a beta tester in that area and our QA department found another one. Nothing major, but still want to get it fixed before distributing to a wider audience.

    You're right I can't do anything about it - that's a decision made by marketing and sales, but this only affects 5.x which requires a yearly payment. There must be some enforcement or otherwise, why pay? There is plenty of warning via emails and toaster messages.
    Will look into it.
     
  3. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    Okay, but nothing on the Guarded Apps tab, correct? I don't think we'd change it on the publisher list.
    Sheeeez, that's scary. I have no recollection of that. I believe you, my memory is not what it used to be.
    Good thinking!
     
  4. NT Five

    NT Five Registered Member

    Joined:
    Aug 23, 2015
    Posts:
    16
    Location:
    Stuck in NT 5 land...
    Just installed the latest beta on my XP machine and it seems to work fine. Noticed it sometimes shows the names of the processes instead of the PID in the alerts which is a major improvement!
    PIDs are most of the time completely useless in this context.

    Will BRN continue to support XP until the EOL of XP POSReady?

    Microsoft will continue to support embedded versions of XP until April 2019 and many regular XP users in China continue to receive updates today. I know most people responding to this thread don't use XP anymore but I'll be stuck with it for the years to come so I'm willing to do extensive beta testing on XP if BRN decides to continue XP support. :)
     
  5. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    If AppGuard is running with its default policy, nothing should be capable of instantiating itself such that it would be able to run at bootup. Though the consumer version of AppGuard does not apply policy until the user logs in, because malware cannot get a foothold into the system in order to run at bootup this type of attack should not be able to get past AppGuard.
     
  6. hjlbx

    hjlbx Guest

    @Barb_C

    Internet Explorer, of course, is on the Guarded Apps tab.

    Quarri executables are not on the Guarded Apps tab.

    Upon execution of Quarri, it launches Internet Explorer in a remotely-hosted, sandboxed session with all extensions and settings disabled.

    I am also working with Quarri to improve its stability and compatibility with OS and other security softs.

    Combine two (super-tight) security softs - like AppGuard and Quarri - and problems should be expected.
     
  7. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    True, but I recently discovered that the consumer version is not applying policy until the user logs in. The Enterprise version applies policy before the user logs in. It's on our roadmap to add a basic policy that could be applied at boot up in the consumer version as well.
     
  8. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    So you had to disable MG for I.E.? I didn't see that in your original post.
     
  9. hjlbx

    hjlbx Guest

    @Barb_C

    What's the rationale for a minimal boot policy - performance and/or conflicts?

    What happens if a user makes a mistake or is inattentive during Install Mode or while AG is turned off?

    I have made such a mistake... in malware testing - and it was only AppGuard re-enabling its policies that protected my system at boot!
     
  10. hjlbx

    hjlbx Guest

    @Barb_C

    Had to disable MG for Quarri in Publisher's list - not IE.
     
  11. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    This isn't a change BTW. This has been how it has always worked. I was just correcting a misstatement that I may have made to Cutting_TechEdge about the protection starting sooner in the boot-up process. In the consumer version, the policy is user-based so it is applied when the user logs in. In the Enterprise version it is machine based so can be applied before the user logs in.
     
  12. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    So just to confirm - you didn't have to change the MG settings for the Guarded Apps tab for any of the Guarded Apps? That is what we're considering removing from the UI. MG settings will still be available on the Publishers List.
     
  13. hjlbx

    hjlbx Guest

    @Barb_C

    No - I didn't have to change the memory settings for IE on the Guarded Apps tab.

    BRN execs are really trying to "dumb-down" AppGuard for the average home user.
     
  14. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    AppGuard always tries to resolve the PIDs. Re XP: We will continue to support XP with the current functionality of AppGuard, but we may not be able to create new features for XP because some of the newer APIs that we use aren't supported.
     
  15. Moose World

    Moose World Registered Member

    Joined:
    Dec 19, 2013
    Posts:
    905
    Location:
    U.S. Citizen
  16. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    Well, let's not bash my bosses okay? This was actually my suggestion because I don't recall that any one has ever had to use them. We made a major change to Memory Guard protection in either version 4.1 or 4.2 that should also reduce or eliminate the need for these settings. More reasons to eliminate unused settings:
    1. It reduces testing. Multiply that by 9 different OSs that we test on and that adds up. Also, even if you don't count 4.x vs. 5.x, we have Tech Fortress version that we have to test as well.
    2. It simplifies documentation.
    That being said, I'm sure if we take them out, someone will need them in order to get something working so I hesitate to make the recommendation too strongly.
     
  17. NT Five

    NT Five Registered Member

    Joined:
    Aug 23, 2015
    Posts:
    16
    Location:
    Stuck in NT 5 land...
    That's probably a good thing.
    The average home user needs a "Install it and forget it" approach.
    For nerds like us they could make a little button or a box to tick labeled "Expert settings".
    After clicking it it should open a big dialog stating:

    "Warning! These settings are for experts only!
    Improper configuration might create huge security risks.

    Are you sure you want to continue?"

    After clicking "Yes" it should unhide a tab that contains all the advanced settings.
    That would be a nice compromise.
    Show an interface with ultra simplified basic settings until you click the "magic button" that opens the portal to the tweakers' paradise.
     
  18. hjlbx

    hjlbx Guest

    @Barb_C

    My intent was not to "bash" anyone.

    "Dumb-down" is a colloquialism used between us security soft geeks.
     
  19. NT Five

    NT Five Registered Member

    Joined:
    Aug 23, 2015
    Posts:
    16
    Location:
    Stuck in NT 5 land...
    I'm happy to hear that!
    I would be perfectly happy if BRN could just fix bugs and do some minor tweaking of the interface and maybe add some small things if it's not too much of a hassle and feasible on XP.

    I think the interface could be improved a lot and the terminology used is confusing for non-expert users, but hey... AG works and that's what counts in the end.
    In my opinion the "user space" and "system space" concepts are too confusing especially for noobs.
     
  20. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Doesn't Shockwave Player run outside the browser like VLC, or Media Player Classic?
     
  21. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Not for me. I mainly see it on videos I run in Firefox.
     
  22. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    Thanks for confirming this @Barb_C
     
  23. hjlbx

    hjlbx Guest

    @Barb_C

    02/23/16 00:49:09 Prevented <Windows® installer> from accessing <c:\programdata\quarriagent_tmp\quarri enabler.msi <Quarri Launch Helper>>.

    [Attachments: Capture1.PNG, Capture.PNG]
     
  24. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
  25. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Barb, could you address the 2 posts from Mood above? I combined them into one post for your convenience. Apparently AG is failing to add Windows folders to the user-space. Mood says after adding a folder from Windows to the user-space he/she can execute unsigned files from that folder in Protected Mode.

    I was able to reproduce AG not preventing executions of unsigned files in Protected Mode from Windows folders that have been added to the user-space. I did not receive the warning prompt about adding a Windows folder to the user-space like Mood did though. I added the C:\Windows\temp\* folder to the user-space, and I was able to execute unsigned files in Protected Mode from the Windows temp folder. It blocked the same unsigned files in Locked Down Mode from the Windows temp folder. The problem seems to be specific to Protected Mode, and is not present in Locked Down Mode. I'm using Windows 7 x64 Ultimate. I don't know which OS Mood is using.

    If I'm understanding Mood correctly he/she is also able to add a folder from C:\foldername\* to the user-space, and execute unsigned files from that folder in Protected Mode also. I am not able to reproduce this on my system though. I created the folder C:\test folder\*, and added it to the user-space. AG is blocking unsigned files in Protected Mode from C:\test folder\* on my machine as expected.

    Edited 2/24 @ 7:22
     
    Last edited: Feb 25, 2016
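A defender-side audit helper for the situation described in the post above, written here as an added example (it is not AppGuard's own code or tooling): it takes a constructed list of user-space folder entries in the `C:\folder\*` style used in the thread, flags any that fall under the Windows directory (the case Mood and Cutting_Edgetech tested), and lists the unsigned executables inside them so a reviewer can see what such an entry would allow to run in Protected Mode. It assumes Windows PowerShell 5 or later and read access to the folders.

```powershell
# Added example, not AppGuard's own code. The entry list below is constructed
# for illustration; replace it with the user-space entries from your own policy.
$UserSpaceEntries = @(
    'C:\Windows\temp\*',     # the folder added in the thread's repro
    'C:\test folder\*'       # a non-Windows folder for comparison
)

function Get-RiskyUserSpaceEntries {
    param([string[]]$Entries)
    $sysRoot = $env:SystemRoot   # normally C:\Windows
    foreach ($entry in $Entries) {
        # Strip the trailing wildcard so the path can be compared and enumerated
        $folder = $entry.TrimEnd('*', '\')
        $underWindows = $folder.StartsWith($sysRoot, [StringComparison]::OrdinalIgnoreCase)
        $unsigned = @()
        if (Test-Path -LiteralPath $folder) {
            # Any .exe/.dll without a valid Authenticode signature is what a
            # user-space exception would let launch in Protected Mode
            $unsigned = Get-ChildItem -LiteralPath $folder -File -Recurse -ErrorAction SilentlyContinue |
                Where-Object { $_.Extension -in '.exe', '.dll' } |
                Where-Object { (Get-AuthenticodeSignature -LiteralPath $_.FullName).Status -ne 'Valid' } |
                Select-Object -ExpandProperty FullName
        }
        [pscustomobject]@{
            Entry         = $entry
            UnderWindows  = $underWindows
            UnsignedCount = @($unsigned).Count
            Unsigned      = @($unsigned)
        }
    }
}

# Report only the entries worth a second look: anything under %SystemRoot%
# or anything that currently holds unsigned executables
Get-RiskyUserSpaceEntries -Entries $UserSpaceEntries |
    Where-Object { $_.UnderWindows -or $_.UnsignedCount -gt 0 } |
    Format-List
```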