AppGuard 4.x 32/64 Bit - Releases

Discussion in 'other anti-malware software' started by Jryder54, Oct 29, 2013.

Thread Status:
Not open for further replies.
  1. guest

    guest Guest

    wmic*.exe (Gui:No, Log:Yes, All:Yes) is part of the Ignored Messages in the new version. Look at the Alerts-tab, it was added after the upgrade to 4.4.4.1.
     
  2. hjlbx

    hjlbx Guest

    wmic.exe issues are bugs - and need to be reported.

    * * * * *

    c:\users\user\appdata\local\apps\2.0 is no longer included in User Space; you have to add it manually.

    BRN removed it because it was causing too many problems for users.
     
  3. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590

    The funny part about that is I have Rhapsody and it is click-to-run, and that is where it installed. But the new Office versions, which are also click-to-run, don't install there.
     
  4. digmor crusher

    digmor crusher Registered Member

    Joined:
    Jul 6, 2012
    Posts:
    1,172
    Location:
    Canada
    Installed new version with no problems, kept my old settings, haven't had time to tinker with it yet.
     
  5. hjlbx

    hjlbx Guest

    4.4.4.1 just has some bug fixes and some policy changes.
     
  6. guest

    guest Guest

    Yep, nothing revolutionary, I expected more :D
     
  7. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    I assume so, but can someone confirm this please?
     
  8. hjlbx

    hjlbx Guest

    If you added both System32 and SysWOW64 powershell.exe to User Space, then AppGuard should continue to block it from executing.

    There really is no need for powershell.exe or powershell_ise.exe to be enabled.

    However, with the new Guarded App policy applied to powershell.exe, it cannot modify System Space and critical parts of the registry.

    BRN should have also added powershell_ise.exe to Guarded Apps.

    Powershell and Powershell_ISE are just plain bad ju-ju...

    * * * * *

    Don't get your hopes up, but last time I checked an earlier 4.4 version there were some bugs associated with powershell.exe in both User Space and Guarded Apps.

    When I get time I will have to check it again...

    EDIT: I checked. It appears the bug has been fixed. Will require additional testing.
     
    Last edited by a moderator: Jun 16, 2016
  9. hjlbx

    hjlbx Guest

    For substantially better system security:

    Un-tick Powershell in the Guarded Apps list.

    Add the powershell and powershell_ise file paths below to User Space.

    upload_2016-6-16_3-23-7.png
     
  10. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,458
    Location:
    .
    powershell and powershell_ise are in ERP Vulnerable Processes..., I've added reg.exe and WMIC.exe too.
    4.4.4.1 by internal updater. Publisher list is back...
     
    Last edited: Jun 16, 2016
  11. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    Thanks.
    I had the User Space entries as shown above.
    I will untick the Powershell in the (new) Guarded Apps.
     
  12. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    Yes, WMIC.exe is one I didn't have there (Edit: In ERP).
     
    Last edited: Jun 16, 2016
  13. hjlbx

    hjlbx Guest

    reg.exe and wmic.exe are vulnerable processes, but really only to mess with network shares. If you don't need either one, then it is safest to add to User Space.

    They are included in 4.4.4.1 User Space policy - so no need to add.
     
  14. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,458
    Location:
    .
    Okay.....network shares...https://en.wikipedia.org/wiki/Shared_resource
     
  15. guest

    guest Guest

    They fixed some more under the hood.
    If wmic.exe was blocked in the previous version, I got a \device\-path in the log:
    Prevented process <wmic.exe> from launching from <\device\harddiskvolume7\windows\system32\wbem>
    With v4.4.4.1 the correct path and the parent process for wmic.exe is now displayed:
    Prevented process <wmic.exe | c:\file.exe> from launching from <c:\windows\system32\wbem>

    But for schtasks.exe i still get a \device\-path :doubt:
    Prevented process <schtasks.exe> from launching from <\device\harddiskvolume7\windows\system32>
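    The two log formats described in this post, parsed as an added example (my own code, not AppGuard's or the poster's): it pulls out child, parent and launch directory, flags entries that still carry an NT \device\ path, and translates those to drive letters with a caller-supplied volume map, which is an assumption because AppGuard itself does not expose that mapping. The sample lines are constructed from the ones quoted above.

    ```python
    import re
    from dataclasses import dataclass
    from typing import Optional

    # Constructed sample lines modelled on the two formats quoted in the post (not real captures).
    SAMPLE_LOG = [
        r"Prevented process <wmic.exe> from launching from <\device\harddiskvolume7\windows\system32\wbem>",
        r"Prevented process <wmic.exe | c:\file.exe> from launching from <c:\windows\system32\wbem>",
        r"Prevented process <schtasks.exe> from launching from <\device\harddiskvolume7\windows\system32>",
        r"Prevented process <powershell.exe | c:\users\user\downloads\setup.exe> from launching from <c:\windows\syswow64\windowspowershell\v1.0>",
    ]

    # Windows-shipped binaries the thread recommends adding to User Space / ERP vulnerable processes.
    WATCHLIST = {"powershell.exe", "powershell_ise.exe", "wmic.exe", "reg.exe", "mshta.exe",
                 "schtasks.exe", "wscript.exe", "cscript.exe", "cmd.exe"}

    # Old format: <child>; new 4.4.4.1 format: <child | parent>. Directory follows in a second <...>.
    LINE_RE = re.compile(
        r"Prevented process <(?P<child>[^|>]+?)(?:\s*\|\s*(?P<parent>[^>]+))?> from launching from <(?P<dir>[^>]+)>",
        re.IGNORECASE)
    DEVICE_RE = re.compile(r"^\\device\\harddiskvolume(\d+)\\(.*)$", re.IGNORECASE)

    @dataclass
    class BlockedLaunch:
        child: str
        parent: Optional[str]   # None when the log line uses the pre-4.4.4.1 format
        directory: str
        device_path: bool       # True when the directory is an NT \device\ path, not a drive letter
        watchlisted: bool       # True when the blocked child is one of the thread's vulnerable processes

    def parse_line(line: str) -> Optional[BlockedLaunch]:
        m = LINE_RE.search(line)
        if not m:
            return None
        child = m.group("child").strip()
        parent = m.group("parent").strip() if m.group("parent") else None
        directory = m.group("dir").strip()
        return BlockedLaunch(child, parent, directory,
                             bool(DEVICE_RE.match(directory)), child.lower() in WATCHLIST)

    def parse_log(lines) -> list:
        return [ev for ev in map(parse_line, lines) if ev is not None]

    def normalise_path(path: str, volume_map: dict) -> str:
        """Map \\device\\harddiskvolumeN\\... to a drive letter; volume_map is {7: "c:"} style, supplied by the caller."""
        m = DEVICE_RE.match(path)
        if not m:
            return path
        drive = volume_map.get(int(m.group(1)))
        return f"{drive}\\{m.group(2)}" if drive else path
    ```
    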
     
  16. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    OK, so when I add those 4 powershell exes to User Space, do you still leave the tick on Windows PowerShell in Guarded Apps?

    Thanks
     
  17. guest

    guest Guest

    I keep them personally.
     
  18. hjlbx

    hjlbx Guest

    It doesn't really matter. I un-tick mine.

    If anything needs to run powershell, I have to manually exclude it from User Space.

    Powershell - even as a Guarded App - I do not completely trust it.

    There are some NET Framework objects as well.
     
  19. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    Does AppGuard protect against Kovter using mshta.exe? If not, should it be added to User Space also? Or, since Kovter uses powershell and we have that added, do we not need to add mshta.exe? I don't know.
    Thanks
     
  20. hjlbx

    hjlbx Guest

    mshta.exe is one of those vulnerable processes - that if you don't need it - then it is probably safe to add to User Space.

    Powershell and powershell_ise are the only two that I add to User Space. There is a rather substantial list of vulnerable processes shipped with Windows. I added every single one at one time - and nothing was broken.

    Some utilities - like WinPrivacy 10, Toggle Tweaker, etc - need cmd.exe, powershell.exe, wscript.exe, cscript.exe, etc - so you will just have to set AppGuard to Allow Installs or OFF.

    It's not that difficult to figure out...
     
  21. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    "It's not that difficult to figure out..."

    Well, I am a pretty new user to AppGuard, and so far I have added all my security software exes to Power Apps and the powershell exes to User Space. I have read the user guide but will do so again. Now that I am retired I can mess with stuff anytime I am not fishing ;)
     
  22. hjlbx

    hjlbx Guest

    You do not need to immediately add all vulnerable Windows processes to User Space.

    I did mine over time just to make sure nothing would be broken.

    The only programs that I recommend adding to User Space immediately are powershell and powershell_ISE.

    The list of NET Framework objects is long due to multiple versions and both Framework32 and Framework64 versions.

    Adding vulnerable processes to User Space just adds another layer of protection to the system - right within AppGuard.
     
  23. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Kovter starts mshta.exe using WMI i.e. wmiprvse.exe as noted here: http://blog.airbuscybersecurity.com/public/AMD/Kovter3.jpg . Mshta.exe in turn runs a powershell script which starts powershell.exe.

    Use of mshta.exe today is pretty much deprecated. It was used by earlier versions of IE. The easiest way to handle mshta.exe execution is to monitor its startup by wmiprvse.exe.
     
  24. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
  25. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Yes. This malware is just another example of the increasing malicious use of obsolete Windows processes.
     