AppGuard 4.x 32/64 Bit - Releases

Discussion in 'other anti-malware software' started by Jryder54, Oct 29, 2013.

Thread Status:
Not open for further replies.
  1. hjlbx

    hjlbx Guest

    The vast majority of files shipped with Windows in C:\Windows are unsigned.

    Blocking unsigned Microsoft files from C:\Windows will break some Windows functionality; unsigned Microsoft files execute from C:\Windows all the time as part of Windows' normal operation.

    AppGuard cannot differentiate between an unsigned file from Microsoft or a malware publisher.

    Besides, in Protected Mode nothing can be installed\written to C:\Windows, except by Windows Installer, and then only if the *.msi is digitally signed by Microsoft - or - written by an un-Guarded application - or - the user defined C:\Windows as an exception folder with write permissions.
     
    Last edited by a moderator: Feb 24, 2016
  2. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,536
    Location:
    USA
    I have the same view as you, but maybe BRN should not allow users to add Windows Folders to the user-space then. What about the Windows temp folder? Do you think it would break Windows, or just stop some Windows update functionality? Since AG currently allows Windows Folders to be added to the user-space, we should hear what the expected behavior should be from BRN.
     
  3. hjlbx

    hjlbx Guest

    I agree. I know what I have seen when adding any System Space to User Space, but I will wait for Barb's reply.

    My tinkering indicates that, while you can add C:\Windows sub-directories to User Space, executions will still be permitted.
     
  4. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    20,706
    No, I wasn't able to execute it outside of the windows-directory :isay:
    c:\!\unsigned = Blocked
    c:\windows\!\unsigned = not blocked
    My plan was to add only subdirectories of c:\windows, not the whole directory c:\windows.
    Yes, maybe it should not be allowed to add a Windows Folder...
    Let's wait for an "official statement" ;)
     
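The posts above turn on whether files under C:\Windows are unsigned and whether AG treats unsigned files in an added Windows sub-folder differently from unsigned files elsewhere. The script below is an added example for checking the first part on your own machine; it is not AppGuard's code and nothing in it models AG's rules. The default root and the 500-file cap are assumptions you can change. Get-AuthenticodeSignature also consults the system's signing catalogs, so a Windows binary with no embedded signature but a catalog entry reports Status = Valid rather than NotSigned, which is the distinction that matters when counting "unsigned" Windows files.

```powershell
# Added example, not AppGuard's own code: survey the Authenticode status of
# executables under a directory so a claim like "most of C:\Windows is unsigned"
# can be checked on a given machine. Get-AuthenticodeSignature consults the
# system's signing catalogs too, so a catalog-signed Windows binary with no
# embedded signature reports Status = Valid, not NotSigned.
function Get-SignatureSummary {
    param(
        [string]$Root  = "$env:SystemRoot\System32",   # assumed default; pass any folder
        [int]   $Limit = 500                           # assumed cap so the scan stays quick
    )

    $files = Get-ChildItem -Path $Root -Recurse -File -Include *.exe, *.dll, *.sys -ErrorAction SilentlyContinue |
             Select-Object -First $Limit

    $rows = foreach ($f in $files) {
        $sig = Get-AuthenticodeSignature -FilePath $f.FullName
        [pscustomobject]@{
            File   = $f.FullName
            Status = $sig.Status          # Valid, NotSigned, HashMismatch, UnknownError, ...
            Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        }
    }

    # Print three views to the host: counts per status, the files that are not
    # validly signed, and which signers account for the valid ones.
    $rows | Group-Object Status | Select-Object Name, Count | Format-Table -AutoSize | Out-Host
    $rows | Where-Object Status -ne 'Valid' | Select-Object File, Status | Format-Table -AutoSize | Out-Host
    $rows | Where-Object Status -eq 'Valid' | Group-Object Signer |
            Select-Object Count, Name | Sort-Object Count -Descending | Format-Table -AutoSize | Out-Host

    # Return the raw rows so the caller can filter further.
    return $rows
}

$rows = Get-SignatureSummary
```

Run it from a PowerShell prompt; pass -Root to point it at a sub-folder such as C:\Windows\Temp or a folder you intend to add to User Space. A file that comes back NotSigned is the case the thread is arguing about; a file that comes back HashMismatch has been modified since it was signed and is worth a closer look regardless of what AG does with it.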
  5. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,535
    I just upgraded when prompted to version 4.3.13.1. I waited at least 10 minutes and there was no prompt saying that the upgrade was finished or a prompt to reboot. AppGuard could not be opened. The AppGuard process was running. I found out that the AppGuard Service was not running, so I started the AppGuard Service and AppGuard could then be opened.

    I rebooted and AppGuard 'seems' to be working OK. Would an uninstall/reinstall have been better? I want to make sure that AppGuard was upgraded properly.

    Thanks in Advance.
     
  6. hjlbx

    hjlbx Guest

    Most people here have installed 4.3.13.1 "over top" of earlier versions without incident - but what you experienced is not unheard of.

    I would just observe - or - just uninstall\reinstall - whichever you so choose.
     
  7. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,536
    Location:
    USA
    Barb emailed me yesterday, and she said if they decide to make AG block unsigned files from System Space Folders that have been added to the user-space in Protected Mode then we may see that fix in the next build.
     
  8. hjlbx

    hjlbx Guest

    That is a good idea. Thanks @Cutting_Edgetech.
     
  10. hjlbx

    hjlbx Guest

    @Barb_C

    Here is another unclear block even while in Install Mode (while uninstalling Webroot):

    02/26/16 23:53:20 Prevented <pid: 2052> from writing to memory of <persistence Module>.
    02/26/16 23:51:35 Prevented <Windows host process (Rundll32)> from writing to memory of <persistence Module>.

    pid: 2052 = rundll32.exe

    Protected resource: c:\windows\system32\igfxpers.exe

    Guarded applications are still blocked while in Install Mode ?

    That's the only conclusion I can draw based upon the above.
     
  11. BrendanAdams

    BrendanAdams Registered Member

    Joined:
    Jan 2, 2009
    Posts:
    145
    Location:
    France
    Same here, but then I realized there was a new AG icon on my desktop, so I guessed I just needed to reboot my laptop, which I did. And now it is working as usual. Besides, the gui does mention version 4.3.13.1, so I guess it's ok.
     
  12. Tony

    Tony Registered Member

    Joined:
    Feb 9, 2003
    Posts:
    725
    Location:
    Cumbria, England
    That is exactly my experience.
    Everything seems ok after the reboot.
     
  13. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    20,706
    Very good :thumb:
    Yes and No. There "can" be problems, if a guarded app is updated. Even if you set AG to Install Mode. I experienced it myself.
    (a) Turn AG off
    or
    (b) Unguard the Application temporarily
     
  14. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,555
    1. When I did the upgrade the toaster pop up said it was finished and to reboot.

    2. I never use install to install, I always turn Appguard off.
     
  15. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,536
    Location:
    USA
    Yes, these are the type of things they really need to focus on fixing. I don't think AG should be blocking this in Install Mode. Even Windows updates install successfully on my machines in Locked Down mode. It's strange that AG would behave like this in Install Mode. Another thing they really should focus on in my opinion is figuring out how to give file names with Process IDs so the user knows what is being blocked.
     
  17. G1111

    G1111 Registered Member

    Joined:
    May 11, 2005
    Posts:
    2,263
    Location:
    USA
    Yes, it appears it is now stable. The beta has the same hash as the release version on their webpage.
     
  18. Tony

    Tony Registered Member

    Joined:
    Feb 9, 2003
    Posts:
    725
    Location:
    Cumbria, England
    +1
     
  19. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,536
    Location:
    USA
    30 minutes after the update process had begun the AG tray icon still indicated the service was disabled, and that it was still in the process of updating. The update process at no point informed me I needed to reboot. The upgrade did not occur successfully until after a reboot. Something really needs to be done about their update process/module. I hate to say it, but it's the worst I have seen.

    updated 2/29 @ 11:55
    I reported the update problem to Barb.
     
    Last edited: Feb 29, 2016
  20. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,536
    Location:
    USA
    It seems the information I was given from BRN was not correct as Barb already pointed out. I just did my own testing, and discovered that AG protection does not begin until approximately 30 seconds after the desktop has loaded. This is the behavior I am seeing on my machine. I rebooted at least 10 times, and used a stopwatch. AG protection enables itself at about the same time my wireless internet gains internet access, but I think this is only coincidence. I executed GMER (unsigned executable) each time approximately 28-30 seconds after the desktop had loaded. I do not find this satisfactory. This may not prevent an infected USB device from infecting the computer.
     
  22. hjlbx

    hjlbx Guest

    Isn't the AppGuard service always running ?
     
  23. NT Five

    NT Five Registered Member

    Joined:
    Aug 23, 2015
    Posts:
    15
    Location:
    Stuck in NT 5 land...
    I agree entirely with this statement. In most cases knowing nothing but the PID when you get a notification that something is blocked is completely useless. Several times I tried to find the PID with task manager... in vain. After a while it starts to be annoying. In my opinion BRN should put it somewhere near the top of their to-do list...
     
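Posts 10, 15 and 23 all hit the same problem: the block message gives a PID and nothing else, and by the time anyone opens Task Manager the process is often gone. The script below is an added example, not AppGuard's code, showing the lookup a user can do from PowerShell and the two ways it fails (the PID has exited, or it has been handed to a newer process). The two log lines are constructed from the format quoted in post 10; the message layout, timestamp format and the 2052 PID are taken from that post and nothing else is assumed about AG's log.

```powershell
# Added example, not AppGuard's own code: resolve the "<pid: N>" in an AppGuard-
# style block message to a live process name and image path. The two log lines
# are constructed from the format quoted in the thread.
$sampleLog = @(
    '02/26/16 23:53:20 Prevented <pid: 2052> from writing to memory of <persistence Module>.',
    '02/26/16 23:51:35 Prevented <Windows host process (Rundll32)> from writing to memory of <persistence Module>.'
)

function Resolve-BlockedPid {
    param([Parameter(Mandatory)][string]$Line)

    # Lines that already name the process carry no "<pid: N>" field.
    if ($Line -notmatch '^(?<ts>\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) .*<pid: (?<id>\d+)>') {
        return [pscustomobject]@{ Line = $Line; ProcessId = $null; Name = '(named in message)'; Path = $null }
    }

    # $pid is a PowerShell automatic variable (the shell's own PID), so use another name.
    $blockedPid = [int]$Matches['id']
    $eventTime  = [datetime]::ParseExact($Matches['ts'], 'MM/dd/yy HH:mm:ss', [cultureinfo]::InvariantCulture)

    $proc = Get-Process -Id $blockedPid -ErrorAction SilentlyContinue
    if (-not $proc) {
        return [pscustomobject]@{ Line = $Line; ProcessId = $blockedPid; Name = '(exited; PID no longer live)'; Path = $null }
    }

    # PIDs are recycled: a process that started after the event is not the one that
    # was blocked. StartTime can be inaccessible for protected processes, hence try/catch.
    $started = $null
    try { $started = $proc.StartTime } catch { }
    if ($started -and $started -gt $eventTime) {
        return [pscustomobject]@{
            Line = $Line; ProcessId = $blockedPid
            Name = "(PID reused by $($proc.ProcessName) started $started)"; Path = $null
        }
    }

    [pscustomobject]@{ Line = $Line; ProcessId = $blockedPid; Name = $proc.ProcessName; Path = $proc.Path }
}

$sampleLog | ForEach-Object { Resolve-BlockedPid -Line $_ } | Format-Table ProcessId, Name, Path -AutoSize
```

Because a short-lived rundll32.exe is usually gone before the lookup runs, the reliable fix is to record process creation at the time rather than query it afterwards: Sysmon Event ID 1 or Windows audit event 4688 store the PID next to the image path and command line, and `Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; Id=1}` can then be filtered on the PID and timestamp from the AG message.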
  25. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,536
    Location:
    USA
    I don't know at what point the AG service becomes active during boot since I have been informed different things. The one thing clear is AG is not preventing executions until approximately 30 seconds after my desktop loads. I'm able to execute GMER (unsigned executable) from my desktop with no problem for the first 30 seconds after the desktop loads. Bouncer and ERP protection are active much earlier than this.

    Edited 2/29 @ 10:16 pm
     