AppGuard 4.x 32/64 Bit - Releases

Discussion in 'other anti-malware software' started by Jryder54, Oct 29, 2013.

Thread Status:
Not open for further replies.
  1. Barb_C

    Barb_C Developer

    Yes, but he is using version 4.2. In 4.3 we added .wsf files to our protection policy.
     
  2. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    I did not fill out a bracket this year, but I watched every game I could. I stayed up late watching the game last night also. Congrats on the win!
     
  3. Barb_C

    Barb_C Developer

    Definitely don't add Explorer.exe to the Guard list, unless you want to turn your computer into a brick!
     
  4. hjlbx

    hjlbx Guest

    If you add Powershell to Guarded Apps, the *.lnk bypass does not work.

    There is no Powershell script involved. It is the same *.lnk bypass as with the one reported by @malware1 using cmd.exe about a year ago.

    That is what the video creator states...

    Didn't BRN disable *.lnk files pointing to cmd.exe?

    That might be the problem, it is disabled only for cmd.exe - and not all other abusable processes shipped with Windows...
     
  5. Barb_C

    Barb_C Developer

    Thanks! It was an exciting game. I was hoping for a blowout so I could go to bed early, but it didn't happen. I was the only one in the top 10 of our bracket to have Villanova. Everyone else had UNC so when Villanova won, I went to the top of the list. Guess we shouldn't hijack this thread to talk about basketball. Have a great day everyone. Looking forward to getting opinions about whether we should prohibit powershell all together.
     
  6. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    I added Powershell.exe and Powershell_ise.exe to the User-Space months ago, lol. I had been adding it to the Guarded Apps List for years, but I decided it would be best to add it to the User-Space since I never use it. It has never caused me any problem.
     
  7. Barb_C

    Barb_C Developer

    I thought we fixed the issue that malware1 cited. Not sure why that would have been only for cmd.exe. I'll review that fix to see what we did. I'm not getting any audio on the video, so didn't know that the video creator stated anything.
     
  8. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    AG did not Guard cmd.exe until that bypass occurred. That was one action taken in response to that bypass.
     
  9. Barb_C

    Barb_C Developer

    Those of you that use any of these products: Webroot, Malwarebytes Anti-Malware, Malwarebytes Anti-Exploit and Malwarebytes Anti-Ransomware. Do you have to disable them to install AppGuard?
     
  10. hjlbx

    hjlbx Guest

    No. No audio. The creator communicates in Polish - so few people will be able to understand anyway... :argh:
     
  11. Barb_C

    Barb_C Developer

    We've always Guarded cmd.exe as far as I remember (but remember I'm not quite 100% today, but this I'm pretty sure about).
     
  12. Barb_C

    Barb_C Developer

    Thanks. I just now got the file from him. I used my detective skills (from watching too much TV no doubt) to figure out the identity of the creator. I will get to the bottom of this!
     
  13. hjlbx

    hjlbx Guest

    W10 64 bit

    Webroot - No.
    Malwarebytes - No.

    Webroot can mess with installers - so it is not out of the realm of possibility that Webroot must be disabled to install AG.

    Alternatively, the Webroot user can manually create an Allow rule for the AG installer - but that doesn't always work.

    The issue of Webroot messing with installers appears to be system specific.

    The Webroot user can submit a Support Ticket to Webroot to have the AG installer white-listed on their system.
     
  14. hjlbx

    hjlbx Guest

    cmd.exe has always been Guarded by AG; the policy has always been included in the default install.
     
  15. hjlbx

    hjlbx Guest

    Watch out... if he is only a native Polish speaker using an online translator, you will be stuck reading gibberish in some cases. :argh:
     
  16. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    I was reading a post of yours in response to that bypass where you talked about Guarding cmd.exe. Maybe I misunderstood the response you were talking about. It's probably not worth searching for the post unless it has other info needed. I'm more interested in finding out whether adding cscript.exe and wscript.exe to the Guarded Apps List enforces any additional security policies that are not already hard coded into the KMD.
     
  17. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    I must have misunderstood the post I was reading at the time. I guess it was only in relation to Guarding .lnk from cmd.exe. That would make sense.
     
  18. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    You got the malware samples?
     
  19. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Some Admins use Powershell so if it's added to the User-Space that could pose a problem for them. Does anyone know whether common Powershell commands used by Admins will work if Powershell is Guarded, or will they fail Guarded also?
     
  20. hjlbx

    hjlbx Guest

    They work to the same extent that you can use cmd.exe - for example, ping.exe, netplwiz.exe, nslookup, net user, etc, etc.

    If you run scripts using Admin cmd.exe or powershell.exe to make persistent changes to the system, then you have to set AG to Install.

    I think you can exclude the file path to powershell scripts in user space - but you might want to confirm with @Barb_C.
     
  21. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Ok, thanks!
     
  22. Barb_C

    Barb_C Developer

    Thanks, very helpful.
     
  23. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    I use Malwarebytes Anti-Exploit, and I don't have to disable it.
     
  24. mood

    mood Updates Team

    Malwarebytes Anti-Exploit = No
    Yes, please add it to the default policy.
    If it's (only) added to User-Space, just set the powershell-entry to Include=No. Then you don't have to switch to Install-Mode.
    Edit: But if .ps1-scripts are located in Userspace, you have to switch to Install-Mode.
     
    Last edited: Apr 5, 2016
  25. Cutting_Edgetech

    Cutting_Edgetech Registered Member
