AppGuard 4.x 32/64 Bit - Releases

Discussion in 'other anti-malware software' started by Jryder54, Oct 29, 2013.

Thread Status:
Not open for further replies.
  1. meatouph

    meatouph Guest

    I'm native polish speaker :)
     
  2. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,653
    Location:
    USA
    That's good to know. You may be the Rosetta Stone we need! Lol
     
  3. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,653
    Location:
    USA
    Is this the Polish forum the AG bypass was Published in? https://safegroup.pl/ I think ichito from Wilders is active on that forum. He may help run that forum for all I know. I think Polish is his native language as well.
     
  4. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    Okay, so I did a quick test of the malware shown in the video. The lnk file uses power shell to download an executable to c:\windows\temp and runs it from there. The key here is that the user had to click on the .lnk file (which would require some social engineering to accomplish). You might say, well malware could launch the file. And it can but if you tried to launch it as if it was malware entering your system (that is by using a Guarded app to launch it), then AppGuard will thwart the attack! What ever is used to launch the lnk file will be Guarded and so will PowerShell by virtue of our lovely inheritance patent. These were the blocks that occurred when trying to launch the lnk file from cmd.exe.
    AppGuardBlocks.png

    And the attack failed!

    Note AppGuard was running in the default protection level and with the default policy. So our conclusion is that this is not a true bypass of AppGuard because it required the user to click on the lnk file (requiring social engineering). That being said, I see no reason why we shouldn't add Powershell to our policy and go with the belt and suspenders approach to security.

    If someone can come up with a way that the lnk file could be executed through an unGuarded application without the user doing something stupid, by all means please challenge our findings. Remember if a Guarded Application is in the process tree, inheritance will come into play and AppGuard will be victorious!!!!:p

    Edited slightly to discuss social engineering: There have been many comments regarding my comment about social engineering not being a valid bypass of AppGuard. Social Engineering is definitely a problem and we do protect against the most prevalent method (email attachments) of social engineering.
     
    Last edited: Apr 6, 2016
  5. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    Yep.
     
  6. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    Adding cscript.exe and wscript.exe would add additional security, but it might break something as well. Right now we're just blocking their associated files from being launched from user-space. If you Guarded cscript.exe for instance, we would prevent any script that is executed with cscript.exe from writing to protected resources. So even if you allowed a script to launch (or let's say a script from system space is launched with cscript.exe), that script would not be able to write to c:\windows or c:\program files etc. That may cause some side-effects. Remember our goal is to try to be as unobtrusive as possible but at the same time provide extraordinary protection.
     
  7. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,653
    Location:
    USA
    Social Engineering is probably the most widely used method of infection so it should be treated as a serious threat IMO. If I remember correctly Sony can vouch for that! It's usually the easiest way to infiltrate most networks. All the hacker has to do is convince some unsuspecting employee to click on a bad email attachment.

    Edited 4/5 @ 6:18
    People downloading torrents will sometimes find these kind of goodies in their download.
     
  8. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,653
    Location:
    USA
    I guarded cscript, and wscript for years without any problems i'm aware of. All similar security applications i'm aware of either block, or restrict them. (SecureApluse, ERP, VoodooShield, etc..).
     
  9. G1111

    G1111 Registered Member

    Joined:
    May 11, 2005
    Posts:
    2,273
    Location:
    USA
    Is this correct way of adding powershell,exe.
     

    Attached Files:

  10. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,653
    Location:
    USA
    I have always added powershell_ise.exe also.
     
  11. hjlbx

    hjlbx Guest

    God love ya... I wish I could speak Polish.
     
  12. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,653
    Location:
    USA
    Another vulnerable application that should be at least Guarded is mshta.exe
     
  13. G1111

    G1111 Registered Member

    Joined:
    May 11, 2005
    Posts:
    2,273
    Location:
    USA
    Isn't it added by adding the whole powershell folder to User Space? or do you have each only as Guarded App.
     
  14. hjlbx

    hjlbx Guest

    Good grief... there is a rather large list. About 30 to 50 (I haven't counted the list) processes shipped with Windows are abused by malwares.

    I test malwares regularly. So I can tell you that cmd.exe, vbc.exe, RegAsm.exe, wscript.exe, cscript.exe, PresentationHost.exe, powershell.exe, powershell_ise.exe, wusc.exe, wimc.exe, msiexec.exe, etc - they are all a risk.
     
  15. hjlbx

    hjlbx Guest

    To effectively add process to User Space on 64 bit system with sysnative, you must add both the process' System32 and SysWOW64 file paths.

    For NET assemblies, you must add both the System32 and SysWOW64 file path + each version of NET Framework - e.g. 1.0, 2.5, 3.5, 4.5, etc.

    So, for example, with vbc.exe you need to add framework 32 and framework 64 for each version of NET Framework installed on your system as you will find vbc.exe included in multiple versions of NET Framework.
     
  16. G1111

    G1111 Registered Member

    Joined:
    May 11, 2005
    Posts:
    2,273
    Location:
    USA
    Okay thanks.
     
  17. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,653
    Location:
    USA
    I have a very large list of them I have been using for some time now. It's easier to add them in Bouncer though if they can be blocked instead of Guarded because adding something like vbc.exe to the policy will block it everywhere regardless of path. In AG you would have to add it from several different paths to cover it, and in Bouncer you only have to add it once. My User-Space List in AG is rather long though.
     
  18. hjlbx

    hjlbx Guest

    This is one of my primary complaints about AG. I hope in some future release they make it more efficient.
     
  19. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,653
    Location:
    USA
    I requested an option to block by process name regardless of path, but it never made the cut. Maybe next time.
     
  20. hjlbx

    hjlbx Guest

    By hash would be better, but then they would have to implement some type of "File has changed" Allow|Block alert.

    I think they won't do such a thing because of the whole prompt thing...
     
  21. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,653
    Location:
    USA
    I also recommended by hash when I recommended by process name. I think the option by process name, and hash should be given together. The user could use either one, or both. The hash for all instances of an executable with the same name is not always the same though. I have not seen hashes change very often, but i'm sure we can figure out a good solution.
     
  22. guest

    guest Guest

    i still get this alert (see attached file):

    - AG in Lockdown mode
    - App is Ccleaner portable , located on D: partition (partition set as "user-space")
    - App is able to run as guarded when i allow "user space launches - Guarded"

    now the alert said "may not be protected" so do i conclude it is protected...?
     

    Attached Files:

    Last edited by a moderator: Apr 5, 2016
  23. hjlbx

    hjlbx Guest

    @guest

    I am able to run D:\CCleaner64.exe either as Guarded or UnGuarded - without any Error Message.

    On my system, I don't see that message... AG giving different behaviors on different systems in this matter of non-system partitions.

    However, if I run CCleaner Guarded from D:, then it cannot perform any Registry cleanup.
     
  24. guest

    guest Guest

    running Ccleaner is ok, it is when you add it to the guarded apps that you get the alert box.
     
  25. hjlbx

    hjlbx Guest

    So only if add to Guarded Apps tab ?
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.