AppGuard 4.x 32/64 Bit - Releases

Discussion in 'other anti-malware software' started by Jryder54, Oct 29, 2013.

Thread Status:
Not open for further replies.
  1. XhenEd

    XhenEd Registered Member

    Joined:
    Mar 31, 2014
    Posts:
    536
    Location:
    Philippines
    Maybe you forgot that Guarding the programs limits the operations of the programs. Since ransomware needs a registry access and possibly other accesses, I think AppGuard should be able to make the ransomware ineffective.

    In the whitepaper I read, BRN showed that with AppGuard's Medium Mode (Protected Mode) the ransom screen of Cryptolocker was able to launch but the encryption didn't happen since its registry operation was blocked.
     
  2. guest

    guest Guest

    If they had a proper forum like everybody else , it would be easier, but no...
     
  3. Schorg

    Schorg Guest

    Thanks Peter2150 for the advice regarding if I have to reinstall AppGuard, great tip!!

    Thank you hjlbx for your reassurance regarding my purchase of AppGuard, I am following the advice of this thread and your recommendations regarding vulnerable processes.

    I feel very fortunate to be able to participate here and learn how to configure AppGuard.

    I may make mistakes along the way;)
     
  4. hjlbx

    hjlbx Guest

    Running some ransomware as a Guarded App - they will encrypt files in User Space; AppGuard does not restrict encryption in User Space.

    Every ransomware has a different mode of action. Against most ransomware, AppGuard will not stop it - unless it is digitally unsigned - but AppGuard will protect System Space and Private Folders from being trashed.

    I will give you Cerber and Zepto samples that will trash your User Space.

    Cerber will encrypt the AppGuard settings & config xml in AppData\Roaming !

    See my signature and open the top Bug Tracker link. There is an image of the encrypted AppGuard xml.
     
  5. hjlbx

    hjlbx Guest

    Fly-by-the-seat-of-your-pants bro...
     
  6. XhenEd

    XhenEd Registered Member

    Joined:
    Mar 31, 2014
    Posts:
    536
    Location:
    Philippines
    Yup! That is a bypass. Maybe the ransomware doesn't rely on registry operation.
     
  7. hjlbx

    hjlbx Guest

    Cerber, Zepto, Petya, Bart, etc - oh boy - don't run using "Allow User Space Launches - Guarded" !

    Stay in Lock Down mode all the time !
     
  8. XhenEd

    XhenEd Registered Member

    Joined:
    Mar 31, 2014
    Posts:
    536
    Location:
    Philippines
    hahaha...

    I am.
     
  9. hjlbx

    hjlbx Guest

    AppGuard will protect against malware downloaded by malicious macros - so there is no need for AppGuard to block macros.

    Besides, macros should be disabled by users and require notification to enable.

    Even with an AutoEnable macro bypass - AppGuard still protects system.

    Lock Down mode - of course. Protected mode will protect if the malware is not digitally signed - which is typically the case.

    :thumb:

    Why anyone would use Protected mode -- I have no idea...
     
  10. guest

    guest Guest

    beginners :D
     
  11. hjlbx

    hjlbx Guest

    People that find the steps below an emotional and mind-shattering annoyance:

    1. Lower AG from Lock Down to Protected or Install mode - as required by the soft and your config
    2. Update the soft
    3. Re-enable Lock Down mode

    The above is too much -- they can't handle it. To succeed they would need mind-altering substances. :shifty:
     
  12. guest

    guest Guest

    you know after clicking hundreds of XXX links, it is too much to select "install mode" :argh:
     
  13. hjlbx

    hjlbx Guest

    Can anyone confirm this ?

    1. Add c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup to Guarded Apps tab > Folders as any type of Folder

    2. AppGuard returns "The Folder c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup Already Exists" (paraphrase)
     
  14. iammike

    iammike Registered Member

    Joined:
    Jun 13, 2012
    Posts:
    342
    Location:
    SE Asia
    @hjlbx

    I am getting the same message.

    Could it be because c:\users\user is already under "User Space"?
     
  15. Duotone

    Duotone Registered Member

    Joined:
    Jul 9, 2016
    Posts:
    142
    Location:
    Philippines
    @hjlbx

    User added <c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup> to user space folder list, launching is <disabled>.
    This is what I get. No other message at event. Win7 x64
     
  16. hjlbx

    hjlbx Guest

    It's in User Space, but Guarded Apps can still write to User Space.

    I want to test blocking any writes to that directory = malware deposits start-up scripts and other files in that directory.

    I want to test that directory as both an Access Denied and a Read-Only folder - which I should be able to create for User Space policy.

    It's in the xml, but not exposed (listed) in the AG GUI. See @mood's post below...

    It is a bug... already added to Bug-Tracker.
     
    Last edited by a moderator: Jul 10, 2016
  17. guest

    guest Guest

    Have a look in the policy:
    c:\Program Files (x86)\Blue Ridge Networks\AppGuard\AppGuardPolicy.xml
    <tcPath>Programs\Startup</tcPath>
     
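The posts above turn on a folder that the GUI reports as "Already Exists" while it is absent from the Guarded Apps folder list, and the policy file carries the answer as a `<tcPath>` entry. The script below is an added example, not code from the thread or from Blue Ridge Networks: it lists every `<tcPath>` value in the policy XML and reports which entries already cover a folder you intend to add, so a hidden entry can be spotted before assuming a bug. Only the file path and the `<tcPath>Programs\Startup</tcPath>` element come from the thread; the `<policy>` wrapper, the second sample entry, the assumption that an entry written as a relative path refers to the trailing components of a full path, and the generic descendant search (rather than a known nesting) are all assumptions of this example.

```python
import os
import xml.etree.ElementTree as ET

# Policy file location as given in the thread.
POLICY_FILE = r"C:\Program Files (x86)\Blue Ridge Networks\AppGuard\AppGuardPolicy.xml"

# Constructed sample. Only the <tcPath> element name and the value
# "Programs\Startup" come from the thread; the <policy> wrapper and the
# second entry are placeholders, not the real layout of AppGuardPolicy.xml.
SAMPLE_POLICY = """<policy>
  <tcPath>Programs\\Startup</tcPath>
  <tcPath>Documents</tcPath>
</policy>"""


def list_tcpaths(xml_text):
    """Return every <tcPath> value in the policy XML, wherever it sits in the
    tree. The real file's nesting is not known here (assumption), so all
    descendants are searched instead of a fixed element path."""
    root = ET.fromstring(xml_text)
    return [el.text.strip() for el in root.iter("tcPath") if el.text and el.text.strip()]


def _parts(path):
    """Split a Windows path into lower-cased components. Windows paths are
    case-insensitive and either separator may appear in hand-typed input."""
    return [p for p in path.replace("/", "\\").lower().split("\\") if p]


def entries_covering(folder, entries):
    """Return the policy entries whose components form the trailing segment of
    `folder`. Under this (assumed) reading, a relative entry such as
    Programs\\Startup matches the full Start Menu startup path that the GUI
    refused as a duplicate."""
    fparts = _parts(folder)
    hits = []
    for entry in entries:
        eparts = _parts(entry)
        if eparts and len(eparts) <= len(fparts) and fparts[-len(eparts):] == eparts:
            hits.append(entry)
    return hits


def audit(folder, xml_text=None):
    """Load the policy (the real file when present, the constructed sample
    otherwise) and report which existing entries already cover `folder`."""
    if xml_text is None:
        if os.path.exists(POLICY_FILE):
            # Read bytes so the XML declaration decides the encoding.
            with open(POLICY_FILE, "rb") as fh:
                xml_text = fh.read()
        else:
            xml_text = SAMPLE_POLICY
    entries = list_tcpaths(xml_text)
    return {"entries": entries, "covering": entries_covering(folder, entries)}


if __name__ == "__main__":
    startup = r"c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup"
    result = audit(startup)
    print("tcPath entries in policy:", result["entries"])
    print("entries already covering the Startup folder:", result["covering"])
```

Run it on the machine where AppGuard is installed and it reads the real policy; anywhere else it falls back to the constructed sample. A non-empty "covering" list for the folder you tried to add is the evidence that the entry exists in the XML even though the GUI does not list it.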
  18. hjlbx

    hjlbx Guest

    @mood - thanks bro... I wouldn't have thought that BRN would have unexposed/unlisted items in the GUI.
     
  19. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    5,257
    Location:
    .
    @hjlbx Kudos!!!

    Great pen-testing you are doing so far. Awesome the bug tracker thing. Great job!
    Thank you for making AG a better product... well maybe (it's on BRN)
     
  20. Roberteyewhy

    Roberteyewhy Registered Member

    Joined:
    Mar 4, 2007
    Posts:
    622
    Location:
    US
    What's going on Barb. My license is not valid. Why?
     
  21. syrinx

    syrinx Registered Member

    Joined:
    Apr 7, 2014
    Posts:
    427
    That'd be a question you'd want to ask via email, not on a forum!

    As for the many other recent posts, I'm glad to see that some of you are reporting issues similar to (and even beyond. yay CS!) those that made me lose faith in AG and abandon it not that long ago [yes I know Locked Down is another beast]. CruelSister and hjlbx in particular have exposed some of the weaknesses but there are a few more I have reported (perhaps not quite as big) in the past but they never seem to respond until I give them an address where the issue begins so good luck on that. =(* You'll likely get the 'dev' -doesn't think that blah- response if any at all. I gave up on them around the beta period :-/ So I'm obviously angry...and biased....

    It's a shame because it COULD be as great as I thought it was... =( ..it just isn't atm...and with the way things are going, well, /cry
     
  22. Roberteyewhy

    Roberteyewhy Registered Member

    Joined:
    Mar 4, 2007
    Posts:
    622
    Location:
    US
    Hey. I did not say that. I'm just addressing Barb. Simple...
     
  23. Roberteyewhy

    Roberteyewhy Registered Member

    Joined:
    Mar 4, 2007
    Posts:
    622
    Location:
    US
    That's BRN or whatever. Barb, not you.
     
  24. XhenEd

    XhenEd Registered Member

    Joined:
    Mar 31, 2014
    Posts:
    536
    Location:
    Philippines
    Some of us, including me, have encountered your problem. Your issue is probably because of backup-restore or OS re-installation.
    Send an email to BRN, and they'll sort that out.
     
  25. Roberteyewhy

    Roberteyewhy Registered Member

    Joined:
    Mar 4, 2007
    Posts:
    622
    Location:
    US
    Thanks, but I know that. Maybe I do not post that much but I pay attention!
     