AppGuard 4.x 32/64 Bit - Releases

Discussion in 'other anti-malware software' started by Jryder54, Oct 29, 2013.

Thread Status:
Not open for further replies.
  1. stackz

    stackz Registered Member

    Joined:
    Dec 27, 2007
    Posts:
    646
    Location:
    Sydney Australia
    Yes, it should still be guarded.
     
  2. guest

    guest Guest

    That is not good at all... I think BRN has a lot of work to do for the next build.
     
  3. guest

    guest Guest

    You know that malware can auto-elevate it without UAC prompts...
     
  4. guest

    guest Guest

    Yep, if elevated, no block from AG... :eek: but ReHIPS does :p
     
  5. hjlbx

    hjlbx Guest

    Selecting Admin cmd.exe is a UAC override of AppGuard policy.

    Admin cmd.exe is not Guarded - it is in AppGuard User's Manual.

    @guest is correct though... malware can elevate a process without a UAC prompt; think exploit... escalation of privilege.
     
  6. hjlbx

    hjlbx Guest

    Can someone please confirm ?

    1. Open un-elevated cmd.exe

    2. Type this command: sc config RasAuto start= Disabled

    3. Access Denied with Open Access Code [X] where X = number, usually 5

    If the above command succeeds and you want to re-enable RasAuto, then type this command:

    sc config RasAuto start= Demand

    Reboot system.

    NOTE: RasAuto is the auto-dial-up service and is used by RATs; it should be disabled if you don't use DSL or dial-up internet.
     
  7. hjlbx

    hjlbx Guest

  8. guest

    guest Guest

    I can't confirm it :cautious:
    Protected+Locked Down: elevated cmd.exe = I can't copy files to System-Space, can't launch applications from user space, ...

    But services can be changed/modified. Maybe BRN should do something about that.
     
  9. hjlbx

    hjlbx Guest

    If you run Admin cmd, then Windows will execute consent.exe (UAC).

    Selecting OK in the UAC prompt will override AppGuard policies - but not User Space policies. Some Guarded Apps - like cmd and command line utilities - will be able to modify the system. Using an un-elevated command line, those utilities cannot modify the system.

    If there is a UAC bug in Windows that can be exploited and suppress the UAC prompt - then AppGuard might not be able to protect system... it depends upon what the malware calls.

    In Admin cmd.exe, the following processes will not be blocked:

    • sc.exe
    • hh.exe
    • installutil.exe - even if added to User Space (YES)
    • rundll32.exe
    • wmic - in User Space (YES) - access is denied, but will not generate block notification nor any logging in Activity Report
     
    Last edited by a moderator: Jul 6, 2016
  10. hjlbx

    hjlbx Guest

    Try this in both a non-elevated and Admin cmd.exe:

    rundll32 javascript:"\..\mshtml,RunHTMLApplication ";alert('AppGuardBypass');

    The above command line is from Poweliks - which AppGuard blocks, but rundll32 in Admin command prompt can persistently modify system.

    It depends upon the command line fed to rundll32.exe...
     
    Last edited by a moderator: Jul 8, 2016
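The two command lines hjlbx uses above (the `sc config` service change and the Poweliks-style `rundll32 javascript:` line) are exactly the kind of thing a host-based detection can spot even when a policy product lets them through once cmd.exe is elevated. The following is an added example, not code from this thread, from AppGuard or from BRN: it parses constructed Sysmon-style process-creation records and flags those command lines, plus any of the utilities the post lists running at High integrity from cmd.exe. The one-line `Key: value|Key: value` record layout and the sample events are assumptions made for the example.

```python
"""Flag the sc.exe / rundll32.exe command lines discussed above in Sysmon-style
process-creation events.

Added example, not part of this thread or of AppGuard. The events below are
constructed, and the one-line "Key: value|Key: value" layout is an assumption
(real Sysmon Event ID 1 messages carry the same field names, one per line).
"""
import ntpath
import re

# Utilities the thread reports as not blocked once cmd.exe is elevated.
LOLBINS = {"sc.exe", "hh.exe", "installutil.exe", "rundll32.exe", "wmic.exe"}

# Poweliks-style rundll32 script host: a javascript: URL handed to mshtml.
RUNDLL32_SCRIPT = re.compile(r"javascript:|RunHTMLApplication", re.IGNORECASE)
# sc.exe verbs that create or reconfigure a service.
SC_TAMPER = re.compile(r"^\s*sc(\.exe)?\s+(create|config|delete|failure)\b", re.IGNORECASE)
# binPath= value, quoted or bare.
BINPATH = re.compile(r'binpath=\s*(?:"([^"]*)"|(\S+))', re.IGNORECASE)
# "User Space" in the thread's sense: anything under a user profile.
USER_SPACE = re.compile(r"^[a-z]:\\users\\", re.IGNORECASE)

SAMPLE_EVENTS = [  # constructed; one record per line, fields joined by "|"
    "Image: C:\\Windows\\System32\\sc.exe|ParentImage: C:\\Windows\\System32\\cmd.exe"
    "|IntegrityLevel: Medium|CommandLine: sc config RasAuto start= Disabled",
    "Image: C:\\Windows\\System32\\sc.exe|ParentImage: C:\\Windows\\System32\\cmd.exe"
    "|IntegrityLevel: High|CommandLine: sc config RasAuto start= Disabled",
    "Image: C:\\Windows\\System32\\rundll32.exe|ParentImage: C:\\Windows\\System32\\cmd.exe"
    "|IntegrityLevel: High|CommandLine: rundll32 javascript:\"\\..\\mshtml,RunHTMLApplication \";alert('AppGuardBypass');",
    "Image: C:\\Windows\\System32\\sc.exe|ParentImage: C:\\Users\\User\\Desktop\\AntiTest.exe"
    "|IntegrityLevel: Medium|CommandLine: sc create ConAppTest binPath= \"C:\\Users\\User\\AppData\\Local\\ConAppTest.exe\" start= auto",
    "Image: C:\\Windows\\System32\\rundll32.exe|ParentImage: C:\\Windows\\explorer.exe"
    "|IntegrityLevel: Medium|CommandLine: rundll32.exe shell32.dll,Control_RunDLL",
    "Image: C:\\Windows\\System32\\notepad.exe|ParentImage: C:\\Windows\\explorer.exe"
    "|IntegrityLevel: Medium|CommandLine: notepad.exe notes.txt",
]


def parse_event(line):
    """Split 'Key: value|Key: value' into a dict; values may themselves contain ':'."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition(": ")
        fields[key.strip()] = value
    return fields


def analyze(lines):
    """Return one finding dict per (event, rule) match."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        image = ntpath.basename(ev.get("Image", "")).lower()
        parent = ntpath.basename(ev.get("ParentImage", "")).lower()
        cmdline = ev.get("CommandLine", "")
        elevated = ev.get("IntegrityLevel", "") in ("High", "System")
        hits = []
        if image == "rundll32.exe" and RUNDLL32_SCRIPT.search(cmdline):
            hits.append("rundll32_script_host")
        if image == "sc.exe" and SC_TAMPER.match(cmdline):
            hits.append("service_tamper")
            m = BINPATH.search(cmdline)
            if m and USER_SPACE.match((m.group(1) or m.group(2)).strip()):
                hits.append("service_binpath_in_user_space")
        # The post's point: once the parent cmd.exe is elevated, these are not blocked.
        if image in LOLBINS and elevated and parent == "cmd.exe":
            hits.append("elevated_lolbin_from_cmd")
        for rule in hits:
            findings.append({"rule": rule, "image": image, "elevated": elevated, "cmdline": cmdline})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f['rule']:32} elevated={f['elevated']!s:5} {f['cmdline']}")
```

The un-elevated `sc config` event is still reported as `service_tamper` because the attempt itself is worth logging even though the SCM will deny it; the elevated copy of the same command additionally trips `elevated_lolbin_from_cmd`, which is the case the thread says AppGuard no longer covers.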
  11. guest

    guest Guest

    OK. I'll test it again later.

    Edit: To understand this...
    a) If I elevate cmd.exe, the User Space Policy is "active"
    b1) If there is a "UAC bug", the User Space Policy is not active?
    b2) Or if I have only default UAC settings and malware is using one of these known "auto-elevate" executables (sysprep.exe, cliconfg.exe, ... = bypass UAC), I'm not protected by AG?
     
    Last edited by a moderator: Jul 6, 2016
  12. hjlbx

    hjlbx Guest

    1. Yes - except for sc.exe, rundll32.exe, installutil.exe; for hh.exe and set.exe - User Space policy doesn't work - period.
    2. I meant, if a malc0der discovered a UAC vulnerability, then they could exploit it to elevate UAC without prompt.
    3. AG might not - it is difficult to know since it is even more difficult to test.
     
  13. guest

    guest Guest

    Ok. Thanks.
    Now it's crystal clear.
     
  14. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,639
    Location:
    Under a bushel ...
    @hjlbx BRN should put you on their payroll for testing the hell out of AG. :)

    Hopefully they take cognisance of all incident reports, but I get the impression this is not always the case.

    And hopefully, v4 Wilders beta testers are not 'endangered' as has been intimated a bit earlier ...
     
  15. guest

    guest Guest

    Unfortunately the support transmission chain of BRN is quite slow :p
     
  16. hjlbx

    hjlbx Guest

    Calms my nerves...

    BRN has the reports; QA\QC already has at least some.

    I think version 4.X will still be used for all beta testing; after all, there just isn't any real difference between version 4.X and 5.X.

    The only significant difference that I can recall, is that version 5.X AppGuard service starts after system boot, whereas 4.X service starts during system boot.
     
  17. hjlbx

    hjlbx Guest

    Can anyone else confirm ?

    1. Download SpyShelter Security Test Tool: https://www.spyshelter.com/download/AntiTest.zip

    2. Extract above archive

    3. Password is "spyshelter" without quotes

    4. In AppGuard Tray Icon select "Allow User Space Launches - Guarded"

    5. Open SpyShelter Security Test Tool (AntiTest.exe)

    6. Select System Protection

    7. Select "Service Registering Test"

    8. AppGuard will fail

    * * * * *

    AntiTest.exe is able to register new service on system. binPath= C:\Users\User\AppData\Local\ConAppTest.exe.
     
    Last edited by a moderator: Jul 8, 2016
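The failure hjlbx describes leaves a persistent artifact: a service whose binPath points into a user profile directory. Finding such services after the fact is a simple configuration audit. The following is an added example, not code from this thread, from AppGuard or from SpyShelter: it takes records in the shape `Get-CimInstance Win32_Service` returns (Name, PathName, StartMode), extracts the executable from the PathName, and flags binaries that live in user-writable locations. The records are constructed; apart from ConAppTest and RasAuto the service names and paths are hypothetical, and the rule that an unquoted PathName's executable ends at the first `.exe` is a simplification.

```python
"""Audit installed services for binaries in user-writable locations, the
condition the SpyShelter "Service Registering Test" above produces
(binPath= under C:\\Users\\User\\AppData\\Local).

Added example, not part of this thread, of AppGuard or of SpyShelter. The
records below are constructed in the shape of Win32_Service (Name, PathName,
StartMode); names and paths other than ConAppTest and RasAuto are hypothetical.
"""
import re

USER_WRITABLE = re.compile(
    r"^[a-z]:\\users\\"            # any user profile, AppData included
    r"|^[a-z]:\\windows\\temp\\"   # world-writable temp directory
    r"|%(temp|tmp|appdata|localappdata|userprofile)%",  # unexpanded variables
    re.IGNORECASE,
)

SAMPLE_SERVICES = [  # constructed records: (Name, PathName, StartMode)
    ("RasAuto", r"C:\Windows\system32\svchost.exe -k netsvcs", "Manual"),
    ("ConAppTest", r"C:\Users\User\AppData\Local\ConAppTest.exe", "Auto"),
    ("ExampleAgent", r'"C:\Program Files\Example\agent.exe" --service', "Auto"),
    ("Updater", r'"C:\Users\User\AppData\Roaming\Updater\upd.exe" /svc', "Auto"),
    ("TempSvc", r"C:\Windows\Temp\svc.exe", "Manual"),
]


def executable_from_pathname(pathname):
    """Return the executable part of a service PathName.

    A quoted path ends at the closing quote. For an unquoted path this example
    assumes the executable ends at the first '.exe' (simplification).
    """
    p = pathname.strip()
    if p.startswith('"'):
        end = p.find('"', 1)
        return p[1:end] if end != -1 else p[1:]
    m = re.match(r".*?\.exe", p, re.IGNORECASE)
    return m.group(0) if m else p.split()[0]


def audit_services(records):
    """Return (name, exe, start_mode) for every service whose binary sits in a
    user-writable location. Such a service typically runs under a privileged
    account from a file an unprivileged process was able to write."""
    flagged = []
    for name, pathname, start_mode in records:
        exe = executable_from_pathname(pathname)
        if USER_WRITABLE.search(exe):
            flagged.append((name, exe, start_mode))
    return flagged


if __name__ == "__main__":
    for name, exe, mode in audit_services(SAMPLE_SERVICES):
        print(f"{name:12} {mode:7} {exe}")
```

On a live system the records would come from `Get-CimInstance Win32_Service | Select-Object Name, PathName, StartMode`; an Auto-start hit under AppData is the exact state the test tool leaves behind, and removing it is a matter of `sc delete <name>` from an elevated prompt followed by deleting the dropped binary.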
  18. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,537
    I can confirm that...
     
  19. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    3,344
    Location:
    Europe, UE citizen
    I too confirm. Defense+ sees it and alerts.
     
  20. hjlbx

    hjlbx Guest

    @blacknight

    What does the CIS HIPS alert say exactly ?
     
  21. guest

    guest Guest

    The popup says "you are lucky to have CIS, if not you would get owned" :p
     
  22. hjlbx

    hjlbx Guest

    LOL... ROFLA :D:argh::p
     
  23. guest

    guest Guest

    Well said :D
    Edit: and this: "support transmission chain of BRN is quite slow"
     
  24. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    3,344
    Location:
    Europe, UE citizen
  25. hjlbx

    hjlbx Guest
