AppGuard 4.x 32/64 Bit - Releases

Discussion in 'other anti-malware software' started by Jryder54, Oct 29, 2013.

Thread Status:
Not open for further replies.
  1. hjlbx

    hjlbx Guest

    There is a vulnerability in the AppGuard settings & configuration xml file.

    It is stored in C:\Users\User\AppData\Roaming\blue ridge networks\

Ransomware can encrypt the AppGuard xml file - like certain variants of Cerber:

    • Protected mode - digitally signed ransomware or "Allow User Space Launches - Guarded"
    • Lock Down mode - "Allow User Space Launches - Guarded"

    NOTE: Of course, if you run anything UnGuarded, then you are screwed...

    AppGuard will regenerate the default xml - but your custom config will be gone.

It's a major oversight... the settings & config file should not be in an unprotected User Space directory - it's stupid... there should be folder access rights to the AppGuard xml hard coded for AppGuard only; AppGuard defined as a "trusted process."

    However, what do you do about explorer.exe - when it is hollowed\code injected by ransomware ?

    * * * * *

    Plus I have read claims on this thread that AppGuard will prevent process hollow\code injection.

    AppGuard most certainly cannot prevent hollow process\code injection; launch ransomware that hollows explorer.exe, svchost.exe, etc - using "Allow User Space Launches - Guarded" and the ransomware will encrypt your files.

    The only thing that AppGuard will block is access to any Private Folders.

    * * * * *

    The only way a system is truly protected is by using Lock Down mode - and not executing any unknown\untrusted files on the system from User Space - not even as Guarded.
     
    Last edited by a moderator: Jul 8, 2016
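The practical follow-up to the post above is to (a) confirm that the config directory is indeed writable by the ordinary user account (which is what any User Space process, Guarded or not, runs as) and (b) keep a hashed backup of the custom XML so that a regeneration-to-defaults or an encryption of the file is noticed and the custom config can be restored. The script below is an added example written for this page; it is not from the thread or from Blue Ridge Networks. It assumes only what the post states: the folder "blue ridge networks" under %APPDATA%. The XML file names are not given in the thread, so every .xml in that folder is included; $BackupDir is a hypothetical location you choose (ideally somewhere a User Space process cannot write, such as removable media).

```powershell
# Added example (not from the thread or from Blue Ridge Networks).
# Assumptions: config folder name taken from the post above; *.xml filenames
# are not named there, so all .xml files in the folder are covered.
# $BackupDir is a hypothetical path of your own choosing.
param(
    [string]$ConfigDir = (Join-Path $env:APPDATA 'blue ridge networks'),
    [string]$BackupDir = 'D:\AppGuardBackup'
)

function Test-UserWritable {
    # Returns $true if an Allow ACE grants write rights to the current user's
    # own SID or one of its group SIDs (a User Space process runs with these).
    # Deny ACEs are not evaluated here; this is a quick exposure check only.
    param([string]$Path)
    $me   = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $sids = (@($me.User) + @($me.Groups)) | ForEach-Object { $_.Value }
    $acl  = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $aceSid = $ace.IdentityReference.Translate(
                      [System.Security.Principal.SecurityIdentifier]).Value
        # FileSystemRights.Write == 278 (WriteData|AppendData|WriteEA|WriteAttributes)
        if (($sids -contains $aceSid) -and (([int]$ace.FileSystemRights -band 278) -ne 0)) {
            return $true
        }
    }
    return $false
}

function Backup-AppGuardConfig {
    # Copy every .xml in the config folder to $Dest and record SHA-256 hashes
    # in manifest.json so later runs can detect modification or regeneration.
    param([string]$Source, [string]$Dest)
    if (-not (Test-Path -LiteralPath $Dest)) {
        New-Item -ItemType Directory -Path $Dest | Out-Null
    }
    $manifest = @{}
    Get-ChildItem -LiteralPath $Source -Filter *.xml -File | ForEach-Object {
        Copy-Item -LiteralPath $_.FullName -Destination $Dest -Force
        $manifest[$_.Name] = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
    }
    $manifest | ConvertTo-Json | Set-Content -LiteralPath (Join-Path $Dest 'manifest.json')
    return $manifest
}

function Compare-AppGuardConfig {
    # Re-hash the live XML files against the saved manifest. A missing file or a
    # changed hash means the file was altered (encrypted, or reset to defaults).
    param([string]$Source, [string]$Dest)
    $saved   = Get-Content -LiteralPath (Join-Path $Dest 'manifest.json') -Raw | ConvertFrom-Json
    $changed = @()
    foreach ($prop in $saved.PSObject.Properties) {
        $live = Join-Path $Source $prop.Name
        if (-not (Test-Path -LiteralPath $live)) { $changed += "$($prop.Name): missing"; continue }
        $h = (Get-FileHash -LiteralPath $live -Algorithm SHA256).Hash
        if ($h -ne $prop.Value) { $changed += "$($prop.Name): modified" }
    }
    return $changed
}

if (Test-UserWritable -Path $ConfigDir) {
    Write-Warning "$ConfigDir is writable by the current user: any process running as this user can overwrite or encrypt the config."
}

if (Test-Path -LiteralPath (Join-Path $BackupDir 'manifest.json')) {
    $diff = Compare-AppGuardConfig -Source $ConfigDir -Dest $BackupDir
    if ($diff) { Write-Warning ("Config changed since last backup:`n" + ($diff -join "`n")) }
    else       { Write-Host 'AppGuard XML config matches the last backup.' }
} else {
    Backup-AppGuardConfig -Source $ConfigDir -Dest $BackupDir | Out-Null
    Write-Host "Backed up AppGuard XML config to $BackupDir"
}
```

Run it once to take the baseline, then again after any suspicious event or before restoring a config; a "modified" or "missing" entry tells you the custom settings are gone and the copy in $BackupDir should be put back (with AppGuard stopped, as you would for any manual config restore).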
  2. guest

    guest Guest

    one reason i asked since ages an import/export feature that is not using xml files, but my voice was unheard.
     
  3. guest

    guest Guest

    too bad :eek:
     
  4. locoJoe

    locoJoe Registered Member

    Joined:
    Apr 7, 2016
    Posts:
    21
    Then why keep AG on the system?
     
  5. hjlbx

    hjlbx Guest

    Can someone else confirm this ?

    Protected or Lock Down mode:

    1. In AppGuard tray icon select "Allow User Space Launches - Guarded" or "Allow User Space Launches - UnGuarded"

    2. AppGuard tray icon with exclamation within green triangle will appear.

    3. Click once on AppGuard tray icon.

    4. AppGuard tray icon will revert back to Protected mode icon with green check mark or Lock Down mode icon with lock.

    5. User Space launches are still enabled.

It's a tray icon bug: if the user doesn't pay attention, they will be misled by the tray icon to think that User Space launches have been disabled and AppGuard protection has reverted back to Protected or Lock Down mode.
     
  6. hjlbx

    hjlbx Guest

    Guarded Apps has never protected the system completely from every single type of malware - namely ransomware.

    In my testing, there are two cases where AppGuard will not protect your system against ransomware:

    1. Digitally signed ransomware (with valid digital certificate)
    2. If you launch a ransomware from User Space via tray icon "Allow User Space Launches - Guarded"

    AppGuard protects a system by not allowing a file to execute on the system in the first place...
     
  7. Schorg

    Schorg Guest

Hello hjlbx,

I am new to Wilders and AppGuard. Should Adobe Reader Touch, when Guarded (with Privacy ON), be able to open a PDF document in MyPrivateFolder, which should be prohibited from access by Guarded apps?
     
  8. hjlbx

    hjlbx Guest

    It can open it if you navigate to MyPrivateFolder and double-click the PDF, and it will probably be able to modify the PDF also - since you have granted complete access to the PDF by opening it with PDF Reader.

    You should also be able to open a PDF stored in MyPrivateFolder with Adobe Reader via File > Open.

    If you don't want Adobe Reader to access the PDF, then set Privacy to "ON" for Adobe Reader in the Guarded Apps list.

I haven't tested AppGuard's MyPrivateFolder protections completely yet.
     
    Last edited by a moderator: Jul 9, 2016
  9. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
AG will grant access to files in MyPrivateFolder by double-clicking on them because they are being opened by explorer.exe. Since explorer.exe is not Guarded it will allow the access, and allow data modification. If you have important files in MyPrivateFolder, or you have configured your own Privacy Folders, then it would be important to enable Privacy Mode for PDF readers. I have mine enabled even though I don't store any important files on my C drive, so it should not hurt to enable it.
     
  10. hjlbx

    hjlbx Guest

That's what I told him: "If you don't want Adobe Reader to access the PDF, then set Privacy to "ON" for Adobe Reader in the Guarded Apps list."
     
  11. guest

    guest Guest

Is it me, or when you scratch a little, is there rust under AG's shiny armor :p
     
  12. hjlbx

    hjlbx Guest

    There are chinks (small openings) in the armor !
     
  13. hjlbx

    hjlbx Guest

    Contrary to what has been stated on this thread, AppGuard does not detect nor protect against process hollowing. If it did, then it would prevent all hollow process ransomware - which is nearly all of the different ransomware families - from functioning properly and encrypting files when executed (Guarded) from User Space.

    The encrypted files will be in User Space - which includes your documents, video, download, etc folders. The only files in User Space that will be protected are those designated as Private Folders.

    If you designate documents, videos, download, etc folders as Private Folders, then you will not be able to download and save files to these folders with any program (e.g. browsers) on the Guarded Apps list with Privacy set to "On."
     
    Last edited by a moderator: Jul 9, 2016
  14. Schorg

    Schorg Guest

    Thank you very much for your detailed reply hjlbx
    Also thank you to Cutting_Edgetech

Yes, I set Privacy to "ON" for Adobe Reader Touch, then opened the PDF via Adobe File > Open. I can still open the PDF o_O (I was just testing the folder protection). Am I missing something, or is this a bug!!!

    Just looking at all the bugs you have found hjlbx - not good at all:doubt:

Edit: Also I can save a PDF via Adobe Reader Touch to MyPrivateFolder :eek:
     
  15. hjlbx

    hjlbx Guest

    Adobe Reader is the default program to open PDFs - so you can't do anything about that - so it can open it, but it shouldn't be able to modify the PDF. In other words, it should be able to read the PDF, but not write to it.

    I am not absolutely sure about that one.
     
  16. Schorg

    Schorg Guest

Thank you for your quick reply!! I got it: if it's the default program to open PDFs then it's able to open it.

    I think I will contact support regarding whether or not it is able to modify the PDF.

Thanks for your help, and keep up your good work with testing AppGuard :thumb:
     
  17. hjlbx

    hjlbx Guest

    Unless something has changed with Adobe Reader it cannot modify the PDF; you need Adobe Acrobat (paid) for that...
     
  18. Schorg

    Schorg Guest

You're right. What I did with Adobe Reader Touch (Windows 10 Store app) was open the PDF via Adobe File > Open. Then, once opened, I right-clicked the PDF > Save As, gave the PDF a new name and saved it to MyPrivateFolder.

    Edit

    Also I purchased AppGuard, what does 3 activations mean?

Does it mean I can install AppGuard on 3 PCs, or does it mean I am only able to reinstall on the one PC three times?
     
    Last edited by a moderator: Jul 9, 2016
  19. hjlbx

    hjlbx Guest

    It makes no sense to execute unknown\untrusted files in User Space - even Guarded. If the file happens to be a ransomware, then it will trash User Space by encrypting files there - including your AppGuard custom config & settings xml !
     
  20. hjlbx

    hjlbx Guest

    A license is for one (1) PC.

    You can activate your license three (3) times before having to contact BRN to reset it.

    What this means for you is this: Un-install AppGuard before re-formatting your drive. If you re-format your drive three times, without un-installing AppGuard, on the fourth reformat your license will be disabled. Then you will have to contact BRN to re-activate it.

    I don't know why BRN uses this license model - because it is an annoyance - but they do and it is what it is.
     
  21. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,639
    Location:
    Under a bushel ...
    OK, hadn't thought of that.
    @hjlbx 'signature' could get quite long :)
     
  22. Schorg

    Schorg Guest

    Thank you hjlbx once again for your time and assistance regarding my post about activations of AppGuard.

    With all these issues with AppGuard I think I may have purchased rather prematurely:thumbd:
     
  23. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    On the license issue, if you need to uninstall and don't want license problems, simply block your internet connection and uninstall. Then when you reinstall the license will be good.
     
  24. hjlbx

    hjlbx Guest

    Don't start to second guess your purchase. AppGuard in Lock Down mode with a custom config is the best protection value for the money.

    Just participate here and learn how to configure AppGuard and your system will be protected - unless you make a mistake. :D
     
  25. hjlbx

    hjlbx Guest

    It better not get long. I'm about tapped-out on finding bugs. Oh, I'm sure there are some more, but it gets to be a pain after a while.

    The bug tracker is so us beta testers can keep track and make sure stuff gets fixed.
     