AppGuard 4.x 32/64 Bit - Releases

Discussion in 'other anti-malware software' started by Jryder54, Oct 29, 2013.

Thread Status:
Not open for further replies.
  1. locoJoe

    locoJoe Registered Member

    Joined:
    Apr 7, 2016
    Posts:
    21
    Yes, the installer prompted for a reboot, which I let it do.

    Yes, same here for these 3 exes: version 4.4.6.0 and timestamp 2016-06-21,
    but "About" remains v4.4.4.1.
    http://s31.postimg.org/qrft3uhwb/AG4441.jpg
    weird!!
     
  2. SIR****TMG

    SIR****TMG Registered Member

    Joined:
    May 31, 2004
    Posts:
    833
    Cruelsister's latest video about AppGuard is a good one to watch.
     
  3. guest

    guest Guest

    I see that powershell.exe was executed after clicking one of the documents and it connected out.
    To have it as a Guarded App is not enough (protection).
     
  4. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    mood cruel ran it in default mode with no user space rules?
     
  5. Infected

    Infected Registered Member

    Joined:
    Feb 9, 2015
    Posts:
    1,137
    No, it was on lockdown. But at default rules.
     
  6. hjlbx

    hjlbx Guest

    powershell.exe and powershell_ise.exe should be added to User Space - along with a whole bunch of other vulnerable processes for max security.

    powershell.exe - as well as other host processes - can download malicious files, but they cannot execute in Lock Down mode or in Protected mode unless digitally signed.
     
  7. guest

    guest Guest

    Yes, default. AG can be hardened further, and it was mentioned in the video too.
     
  8. guest

    guest Guest

    :thumb:
     
  9. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    One thing that should be mentioned that Cruelsister did not mention is signed executables that are not on the Publisher's List are able to execute in the User-Space with Restricted Rights (I'm not in favor of this). I'm not sure if Cruelsister was aware of that. If she does not see this behavior then that would mean there is a bug in AG unless BRN recently changed this without my knowledge.

    I think maybe the RAT was able to infect the System because AG protection either started too slow at boot time, or it was due to protection briefly being disabled at boot time due to the user being prompted to register AG (that depends on whether AG protection is disabled when the user receives the prompt). Cruelsister did not show if the services were running after running the RAT until after a reboot, and did not show if the .dll in app data was in use until after reboot. I would have liked to have seen the services right after executing the malware. I think further testing is needed to know for sure if it was a bypass.

    The Malicious Macros being used in a Word Document seems to be a bypass, but Word sometimes connects out even when there are no Malicious Macros being used. I'm more interested in why AG would allow WINWORD.exe to launch Powershell.exe. That should never be allowed. There are some processes Guarded Applications should never be allowed to Parent. I sent BRN a list of these once. I think they really should implement this type of concept in AG.
     
    Last edited: Jun 26, 2016
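The "processes a Guarded Application should never be allowed to Parent" idea from the post above, as an added example that is not AppGuard's or BRN's own code: a small parent/child policy check run over constructed Sysmon-style process-creation events. The event format, the parent list and the extra child names beyond those the thread mentions are assumptions.

```python
"""Parent/child process policy check (added example; not AppGuard or BRN code).
Flags a guarded document handler spawning one of the host processes the thread
names. Event lines are constructed key="value" records, not real AppGuard logs."""
import re
from typing import Dict, List

# Assumed set of Guarded Apps that handle documents (thread discusses WINWORD.exe).
GUARDED_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Host processes named in the thread, plus cmd/wscript/cscript as assumed additions.
DENIED_CHILDREN = {
    "powershell.exe", "powershell_ise.exe", "rundll32.exe", "regsvr32.exe",
    "cmd.exe", "wscript.exe", "cscript.exe",
}

_FIELD = re.compile(r'(\w+)="([^"]*)"')


def parse_event(line: str) -> Dict[str, str]:
    """Parse a constructed key="value" process-creation event into a dict."""
    return {k: v for k, v in _FIELD.findall(line)}


def basename(path: str) -> str:
    """Return the lowercase file name of a Windows path (case-insensitive match)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def violates_parent_policy(event: Dict[str, str]) -> bool:
    """True when a guarded document handler spawns a denied host process."""
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    return parent in GUARDED_PARENTS and child in DENIED_CHILDREN


def find_violations(lines: List[str]) -> List[str]:
    """Return 'parent -> child' strings for every event that breaks the policy."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if violates_parent_policy(ev):
            hits.append(f"{basename(ev['ParentImage'])} -> {basename(ev['Image'])}")
    return hits


# Constructed sample events (not captured from the test shown in the video).
SAMPLE_EVENTS = [
    'EventID="1" Image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" ParentImage="C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE"',
    'EventID="1" Image="C:\\Windows\\System32\\rundll32.exe" ParentImage="C:\\Windows\\explorer.exe"',
    'EventID="1" Image="C:\\Windows\\splwow64.exe" ParentImage="C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE"',
    'EventID="1" Image="C:\\Windows\\System32\\RUNDLL32.EXE" ParentImage="C:\\Program Files\\Microsoft Office\\Office16\\EXCEL.EXE"',
]

if __name__ == "__main__":
    for hit in find_violations(SAMPLE_EVENTS):
        print("policy violation:", hit)
```

Only the Word-to-PowerShell and Excel-to-rundll32 events are flagged; explorer.exe launching rundll32.exe and Word launching its print helper are left alone, which is the distinction a parent-based rule adds over blocking the host processes outright.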
  10. hjlbx

    hjlbx Guest

    She shows both Protected and Lock Down modes; the first is Protected, the second is Lock Down.

    She used default configuration of AppGuard.

    She used a RAT that she had digitally signed using a certificate from one of the vendors in the Trusted Publisher's list to get it to execute in Protected mode.

    Host processes that run as Guarded Apps - either in Protected or Lock Down modes can:

    - connect to the internet and download files

    The downloaded files (or payloads) cannot execute in Lock Down mode, and can only execute in Protected Mode if digitally signed.

    Macros - since Microsoft Office, Kingsoft WPS and Softmaker Office are usually run Guarded - can also use Windows processes to connect to and download from the internet.

    Even if a malicious download manages to get onto your system via a macro - once it executes in Protected mode it cannot create auto-start, cannot modify System Space, cannot modify protected areas of the registry. The malc0de might install files to User Space, but they won't start after reboot.

    The only exception to "cannot modify System Space" that I have seen so far is rundll32.exe \svchost.exe abuse to disable or enable a service. It is because rundll32.exe - even as a Guarded App - can make some modifications to the system. I have already brought this to the attention of BRN - but you guys also need to report it.

    BRN can choose to block macros - but they are also disabled in office software by default.

    BRN should not allow the modification of services - especially by Guarded Apps. This could be a problem under certain legitimate cases, so denying complete access to Windows services might be a bit problematic. BRN needs to look at it.
     
  11. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I witnessed some strange behavior today with AG. After turning my computer on, AG was in Protected Mode for 31 seconds before switching itself to Locked Down Mode on its own. I always use Locked Down Mode. Also, protection started earlier than usual before this occurred.
     

  12. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    yes she did use a false digi sig that was in the allowed sig list.
     
  13. hjlbx

    hjlbx Guest

    Digitally signed files can execute in Protected mode; the digital signature does not need to be on the Trusted Publisher's list.

    The malicious *.dll was blocked, but rundll32.exe was used to enable Windows' Remote Access Services; there was no RAT infection and enablement of remote access services doesn't constitute a formal bypass - but I think it is definitely undesirable behavior. AppGuard should not allow the modification of Windows services.

    Macros were not a persistent by-pass. If they managed to use a Windows host process, then the downloaded file would not execute in Lock Down mode. The downloaded file could execute in Protected mode - if the file is digitally signed. It could drop\install files to User Space - but they could not create auto-start. Personally, I consider it a "User Session" bypass in Protected Mode for digitally signed malware.

    It depends upon how someone defines bypass. To me a bypass can be user-session-only or persistent. Sandboxie, COMODO sandbox, especially Shadow Defender, AppGuard - will all permit user-session-only-bypasses - dependent upon settings.

    This is why, if BRN ever completely removes Lock Down mode, it will seriously damage AppGuard's protection and reputation. I use AppGuard in Lock Down mode because it solves most of the problems with sandboxes.

    On the digitally signed malware issue and Protected mode - BRN is wishy-washy. They don't want to make Protected mode more strict - due to breakage. BRN is sensitive to user complaints that they (the user) cannot get this to work or that to work.
     
  14. hjlbx

    hjlbx Guest

    I have noticed it too in the logs. It is random; difficult to replicate. There is something amiss...
     
  15. hjlbx

    hjlbx Guest

    I did not see anything in that video that most of us didn't already know.

    The digitally signed malware info is incorrect; digitally signed malware can use any digital signature - and not just those on the Trusted Publisher's list.

    I also saw the dig at Lock Down mode: "A little too restrictive -- don't you think ??" (because it blocked a Microsoft signed file from executing; she didn't add it to the Guarded Apps List) - and then another dig about allowing macros to execute.

    So, which is it - Lock Down is too restrictive or too permissive ??

    It is neither; Guarded Apps can run from User Space in Lock Down mode; Lock Down mode will not permit execution of all other FILES from user space. It works as designed.

    Yeah, yeah... the services thing needs to be fixed. I've mentioned such things before to BRN, but they are skittish about System Space sometimes = they are afraid it will cause problems for users.
     
  16. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    The dropped .dll in AppData was Locked, and in use after reboot.
     
  17. hjlbx

    hjlbx Guest

    Someone needs to submit the video to Barb - and ask -- WT* ??

    I can tell you what BRN will say: "No bypass..."
     
  18. hjlbx

    hjlbx Guest

    Hmmm... I looked at it again. The precise details of what happened are not completely clear. Perhaps the malicious *.dll was surreptitiously registered as a service.

    There are potential problems with regsvr32.exe, rundll32.exe and powershell.exe as Guarded Apps - as well as all the other vulnerable processes not in the Guarded Apps list. I have repeatedly pointed these facts out to BRN.

    Protected mode is pretty high protection, but - to me - it makes no sense to use it. And the default AppGuard Guarded Apps\User Space configuration doesn't make any sense either...
     
  19. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    H- I'm not going to get in the way of this discussion, but regarding the digitally signed malware comment- The point I was trying to make is that AG will block malware even though it is signed, as long as the certificate is not one that is included on the trusted vendors list (like the RAT). That's why I included the 6th sample.

    But the real question is if you enjoyed the soundtrack.
     
  20. hjlbx

    hjlbx Guest

    @cruelsister

    Your choice of "soundtracks" is always great...

    Your point about digitally signed malware and the Trusted Publishers list is why Protected mode makes no sense security-wise; BRN includes it for auto-updates of software that Lock Down mode will block = because users are too lazy to lower protection from Lock Down mode, update the soft, and then allow AppGuard to automatically re-enable Lock Down mode or the user manually enable Lock Down mode. God forbid a user has to use the cursor to do something...

    For a long time - at least a couple of years - a bunch of us have been trying to get BRN to improve this area of the product -- but no dice. BRN seems "stuck."

    In the past, it has also been pointed out that AppGuard permits the modification of Windows services...
     
  21. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    It's not clear in the video at what point the bypass occurred. You did not show the services right after executing the RAT; you waited until after a reboot. At what point did the injection occur? At what point did the services enable? At what point was the .dll locked and in use? The video shows you receiving a prompt to register AG after reboot, and I think AG was briefly disabled at that time. That's why I said the infection may have (maybe better wording is bypass) occurred due to AG starting too slow at boot time, or due to AG being briefly disabled due to the registration prompt you received. This is important to know.

    Edited 6/26 @ 5:00 pm
     
  22. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I'm trying to find out how the bypass occurred before submitting anything. My fear is it will be disregarded without having all the facts. The video shows AG disabled briefly at boot time due to the registration prompt so there's no way for us to know if that allowed the bypass to occur without another video, or further testing. We need more information to verify it's a bypass, and how the bypass occurred in order to fix it.
     
    Last edited: Jun 26, 2016
  23. guest

    guest Guest

    Only watching the video is not enough to find out what exactly is happening.
    More information is needed to get an overview of what the RAT modified on the system, what processes are started in the background, ...
     
  24. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Well, I have to roll my machine back, and change my setup a bit so I will be away from this discussion for a while.
     
  25. hjlbx

    hjlbx Guest

    She digitally signed the RAT executable with a digital certificate from one of the vendors already included in the Trusted Publisher's list.

    It is a "certificate" bypass in Protected mode...

    It is unclear to some users that you do not have to set a Trusted Publisher to "Install" for an installer to actually install software while in Protected mode.

    That the above can be done should be a bug; I was under the impression that only Trusted Publishers set to "Install" will permit the installers to execute.
     
    Last edited by a moderator: Jun 26, 2016