Discussion in 'other anti-malware software' started by Jryder54, Oct 29, 2013.
Yes, but he is using version 4.2. In 4.3 we added .wsf files to our protection policy.
I did not fill out a bracket this year, but I watched every game I could. I stayed up late watching the game last night also. Congrats on the win!
Definitely don't add Explorer.exe to the Guard list. Unless you want to turn your computer into a brick!
If you add Powershell to Guarded Apps, the *.lnk bypass does not work.
There is no Powershell script involved. It is the same *.lnk bypass as with the one reported by @malware1 using cmd.exe about a year ago.
That is what the video creator states...
Didn't BRN disable *.lnk files pointing to cmd.exe?
That might be the problem: it is disabled only for cmd.exe, and not for all the other abusable processes shipped with Windows...
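The bypass being discussed relies on a shortcut whose target is one of the Windows binaries that will happily run attacker-supplied commands. The block below is an added example, not code from the thread, from BRN or from AppGuard: it parses the target path and command-line arguments out of a Shell Link (.lnk) file and flags shortcuts that launch any of the abusable binaries named in this thread (cmd.exe, powershell.exe, wscript.exe, cscript.exe, vssadmin.exe, bitsadmin.exe), rather than cmd.exe alone. The three sample shortcuts are constructed in the script so it runs offline; they are not real malware. It reads the target from the LinkInfo LocalBasePath field and skips the LinkTargetIDList, so a shortcut that carries its target only in the IDList (or only in LocalBasePathUnicode) would need extra handling.

```python
import os
import struct

# LinkFlags bits (MS-SHLLINK 2.1.1) used below.
HAS_LINK_TARGET_ID_LIST = 1 << 0
HAS_LINK_INFO = 1 << 1
HAS_NAME = 1 << 2
HAS_RELATIVE_PATH = 1 << 3
HAS_WORKING_DIR = 1 << 4
HAS_ARGUMENTS = 1 << 5
HAS_ICON_LOCATION = 1 << 6
IS_UNICODE = 1 << 7

HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # 00021401-0000-0000-C000-000000000046
LINK_INFO_HEADER_SIZE = 0x1C

# Windows binaries this thread treats as abusable when a shortcut points at them.
ABUSABLE = {
    "cmd.exe", "powershell.exe", "powershell_ise.exe",
    "wscript.exe", "cscript.exe", "vssadmin.exe", "bitsadmin.exe",
}


def parse_lnk(data: bytes) -> dict:
    """Return the LocalBasePath target and StringData fields of a Shell Link (.lnk)."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a Shell Link file")
    if data[4:20] != LINK_CLSID:
        raise ValueError("bad LinkCLSID")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = HEADER_SIZE

    if flags & HAS_LINK_TARGET_ID_LIST:            # skip the IDList; LinkInfo is used instead
        pos += 2 + struct.unpack_from("<H", data, pos)[0]

    target = ""
    if flags & HAS_LINK_INFO:
        size, _hdr, li_flags, _vol_off, base_off = struct.unpack_from("<IIIII", data, pos)
        if li_flags & 1:                           # VolumeIDAndLocalBasePath
            start = pos + base_off
            target = data[start:data.index(b"\x00", start)].decode("cp1252", errors="replace")
        pos += size

    def read_string() -> str:                      # CountCharacters + string, no terminator
        nonlocal pos
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        if flags & IS_UNICODE:
            s = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            s = data[pos:pos + count].decode("cp1252", errors="replace")
            pos += count
        return s

    info = {"target": target}
    for bit, key in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                     (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                     (HAS_ICON_LOCATION, "icon_location")):
        info[key] = read_string() if flags & bit else ""
    return info


def _basename(path: str) -> str:
    return os.path.basename(path.replace("\\", "/")).lower()


def abusable_target(info: dict):
    """Return the abusable binary a shortcut hands control to, or None."""
    target = _basename(info["target"] or info["relative_path"])
    if target in ABUSABLE:
        return target
    # A benign-looking target can still launch one of these through its arguments.
    for token in info["arguments"].replace('"', "").split():
        if _basename(token) in ABUSABLE:
            return _basename(token)
    return None


def build_lnk(target: str, arguments: str) -> bytes:
    """Constructed minimal .lnk (header + LinkInfo + Arguments) for the samples below."""
    flags = HAS_LINK_INFO | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I", HEADER_SIZE) + LINK_CLSID + struct.pack("<I", flags)
    header += b"\x00" * (HEADER_SIZE - len(header))        # attributes, timestamps etc. left zero
    volume_id = struct.pack("<IIII", 17, 3, 0, 16) + b"\x00"  # DRIVE_FIXED, empty label
    base_path = target.encode("cp1252") + b"\x00"
    vol_off = LINK_INFO_HEADER_SIZE
    base_off = vol_off + len(volume_id)
    suffix_off = base_off + len(base_path)
    link_info = struct.pack("<IIIIIII", suffix_off + 1, LINK_INFO_HEADER_SIZE, 1,
                            vol_off, base_off, 0, suffix_off) + volume_id + base_path + b"\x00"
    string_data = struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")
    return header + link_info + string_data


# Constructed samples, not real malware: one harmless shortcut and two LOLBin-style ones.
SAMPLES = {
    "notes.lnk": build_lnk(r"C:\Windows\System32\notepad.exe", ""),
    "invoice.pdf.lnk": build_lnk(r"C:\Windows\System32\cmd.exe", "/c start calc.exe"),
    "report.lnk": build_lnk(r"C:\Windows\System32\wscript.exe", r'//B "C:\Users\Public\update.js"'),
}


def scan(samples=SAMPLES) -> dict:
    """Map each shortcut name to the abusable binary it launches (None if clean)."""
    return {name: abusable_target(parse_lnk(data)) for name, data in samples.items()}


if __name__ == "__main__":
    for name, hit in scan().items():
        print(f"{name}: {'launches ' + hit if hit else 'ok'}")
```

The point of the ABUSABLE set is that it is one list: whatever policy blocks shortcuts to cmd.exe should be applied to the whole set, because a .lnk that targets powershell.exe or wscript.exe is the same bypass with a different interpreter.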
Thanks! It was an exciting game. I was hoping for a blowout so I could go to bed early, but it didn't happen. I was the only one in the top 10 of our bracket to have Villanova. Everyone else had UNC so when Villanova won, I went to the top of the list. Guess we shouldn't hijack this thread to talk about basketball. Have a great day everyone. Looking forward to getting opinions about whether we should prohibit powershell all together.
I added Powershell.exe and Powershell_ise.exe to the User-Space months ago, lol. I had been adding it to the Guarded Apps List for years, but I decided it would be best to add it to the User-Space since I never use it. It has never caused me any problem.
I thought we fixed the issue that malware1 cited. Not sure why that would have been only for cmd.exe. I'll review that fix to see what we did. I'm not getting any audio on the video, so didn't know that the video creator stated anything.
AG did not Guard cmd.exe until that bypass occurred. That was one action taken in response to that bypass.
Those of you that use any of these products: Webroot, Malwarebytes Anti-Malware, Malwarebytes Anti-Exploit and Malwarebytes Anti-Ransomware. Do you have to disable them to install AppGuard?
No. No audio. The creator communicates in Polish - so few people will be able to understand anyway...
We've always Guarded cmd.exe as far as I remember (but remember I'm not quite 100% today, but this I'm pretty sure about).
Thanks. I just now got the file from him. I used my detective skills (from watching too much TV no doubt) to figure out the identity of the creator. I will get to the bottom of this!
W10 64 bit
Webroot - No.
Malwarebytes - No.
Webroot can mess with installers - so it is not out of the realm of possibility that Webroot must be disabled to install AG.
Alternatively, the Webroot user can manually create an Allow rule for the AG installer - but that doesn't always work.
The issue of Webroot messing with installers appears to be system specific.
The Webroot user can submit a Support Ticket to Webroot to have the AG installer white-listed on their system.
cmd.exe has always been Guarded by AG; the policy has always been included in the default install.
Watch out... if he is only a native Polish speaker using an online translator, you will be stuck reading gibberish in some cases.
I was reading a post of yours in response to that bypass where you talked about Guarding cmd.exe. Maybe I misunderstood the response you were talking about. It's probably not worth searching for the post unless it has other info needed. I'm more interested in finding out whether adding cscript.exe and wscript.exe to the Guarded Apps List enforces any additional security policies that are not already hard coded into the KMD.
I must have misunderstood the post I was reading at the time. I guess it was only in relation to Guarding .lnk from cmd.exe. That would make sense.
You got the malware samples?
Some Admins use Powershell, so if it's added to the User-Space that could pose a problem for them. Does anyone know whether common Powershell commands used by Admins will work if Powershell is Guarded, or will they fail Guarded also?
They work to the same extent that you can use cmd.exe - for example, ping.exe, netplwiz.exe, nslookup, net user, etc, etc.
If you run scripts using Admin cmd.exe or powershell.exe to make persistent changes to the system, then you have to set AG to Install.
I think you can exclude file path to powershell scripts in user space - but you might want to confirm with @Barb_C.
Thanks, very helpful.
I use Malwarebytes Anti-Exploit, and I don't have to disable it.
Malwarebytes Anti-Exploit = No
Yes, please add it to the default policy.
If it's (only) added to User-Space, just set the powershell-entry to Include=No. Then you don't have to switch to Install-Mode.
Edit: But if .ps1-scripts are located in Userspace, you have to switch to Install-Mode.
BRN should go ahead and add vssadmin.exe to the User-Space. http://www.bleepingcomputer.com/news/security/why-everyone-should-disable-vssadmin-exe-now/
BRN should also look into bitsadmin.exe. It is being abused.