AppGuard 4.x 32/64 Bit - Releases

Discussion in 'other anti-malware software' started by Jryder54, Oct 29, 2013.

Thread Status:
Not open for further replies.
  1. hjlbx

    hjlbx Guest

    Does anyone see any examples of these type block events in the Activity Report ?:

    System Space (Guarded or UnGuarded App) blocked from writing to User Space.

    Except for msiexec.exe, I am particularly interested if anyone has seen AppGuard block an UnGuarded App from performing an action on the system.

    Trusted Installer is blocked from installing *.msi files when AppGuard protections are enabled; so it is expected behavior.

    Other UnGuarded App blocks are not expected. And I mean an UnGuarded App that isn't executed by a Guarded App; if a Guarded App is the parent of a normally UnGuarded App, then that app will inherit Guarded status from the parent.
     
    Last edited by a moderator: Sep 8, 2016
  2. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    42,333
    Not exactly this kind of events, but I had events, where "normal" Apps that were not listed under Guarded Apps couldn't:
    * Write to System Space
    * Write to Protected Folders (Private/Read-Only)
    * Modify Registry Entries
    and it's weird to see that even a normal filemanager can't write to protected folders, because it shouldn't be a Guarded App.
    Or services can't write to Windows-Folders, notepad can't write to System Space, ... :eek:
    And if "AG is in a frenzy" nearly all running apps seems to be Guarded...
    Services, Apps, running Apps and even Apps that i afterwards started normally via startmenu :eek:

    Only a reboot solved this mystery.
    AG goes wild several times a year (the last time it happened was one week ago) -- But: it's not OS-specific, not configuration-specific and it happens out of the blue. Not reproducable, too :(
     
  3. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    Please if you see these events where something is blocked from writing to user-space, please send to AppGuard@BlueRidge.com.

    Also, remember that AppGuard will Guard any application launched by a guarded application (this is a good thing). So if you suspect that there is a system space application that is being blocked that shouldn't be, if you're familiar with process explorer, please check to see if there is a guarded application in the process tree. Though this may not always be evident if for instance Guarded App A launched App B (not in the Guard list) and then A is closed. B will continue to be Guarded (I think), but you wouldn't see A in the process tree.

    We hope to add more event information in the next release that will make it more traceable as to why AppGuard made a block.
     
  4. iammike

    iammike Registered Member

    Joined:
    Jun 13, 2012
    Posts:
    345
    Location:
    SE Asia
    Planning to install RollBack RX, do you guys know of any problems with this and Appguard ?

    Thanks in advance
     
  5. guest

    guest Guest

    no issues at all (conflict wise)

    However i have a weird behavior, very specific case, not sure RX is the culprit or the way my partitions are made; but some portable apps can't be guarded while located on a non-system partition.
     
  6. hjlbx

    hjlbx Guest

    There is one thing that could happen if you do not pay attention:

    1. Install AppGuard on system
    2. Install Rollback RX and make AppGuard part of the baseline snapshot
    3. Uninstall AppGuard
    4. Rollback system to baseline snapshot that includes initial AppGuard installation
    • Step 3 will deactivate AppGuard license on BRN license server
    • AppGuard will remain active on local system for up to 5 days
    • After 5 days AppGuard license will transition on local system to the Unknown (deactivated) state
    image004.png

    image003.png
     
  7. guest

    guest Guest

    And by rollbacking to a AG-less baseline (without uninstalling AG before), and reinstalling it, will use one of your number of activations.
     
  8. hjlbx

    hjlbx Guest

    I will be submitting an enhancement request to eliminate the loss of activations. However, BRN uses a drop-in licensing module for AppGuard that is licensed from a 3rd-party, so I am not entirely sure that it can be eliminated. It will all depend upon whether or not the drop-in module and\or supporting server side are customizable by BRN.
     
  9. iammike

    iammike Registered Member

    Joined:
    Jun 13, 2012
    Posts:
    345
    Location:
    SE Asia
    Oke Thanks guys !

    So the best thing to do is keep appguard installed and take snapshots with it active ?

    I'm not afraid of viruses/ malware I'm more afraid that my current HDD is going to fail. I already have a new identical drive on standby.

    Edit: Already making images with Macrium (just in case)
     
  10. guest

    guest Guest

    it is what i did , my baseline has just AG + HMPA activated , i update it (and clean it) everytime MS release a big update.
     
  11. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    2 simple solutions to the licensing problem.

    1. Block the network when you uninstall Appguard. That will preserve the license for reinstall. Tested and works.
    2. Download sysinternals Autorun. In that uncheck the GUI, driver and service and reboot. Now Appguard is a bunch of inert files. Later when desired, just recheck those 3 items and reboot. Appguard is again active and happy. Also tested and works.
     
  12. guest

    guest Guest

  13. Schorg

    Schorg Guest

    Hi all

    I have an issue - when adding the following to user space(yes) Appguard does not block(access denied) regardless whether using the command prompt or command prompt(Admin)

    C:\windows\*\tree.com
    C:\windows\*\chcp.com
     
  14. hjlbx

    hjlbx Guest

    AppGuard does not block *.com files.

    *.com files are simple executable files similar in concept to a *.cmd or *.bat file.

    Those two files are safe, but theoretically malc0ders can create malicous *.com files.

    I am going to submit an enhancement request for it. I haven't gotten around to it as I've been busy with Enterprise.

    It probably won't be accepted as the potential threat is extremely low; *.com files are limited to about 64KB in size on current Windows and they are loaded in a very particular way. The *.com file type is pretty much obsolete\fallen into dis-use. The *.com files shipped with Windows are for rare backwards compatibility of batch files.

    Here is infos: https://en.wikipedia.org/wiki/COM_file#MS-DOS_binary_format
     
    Last edited by a moderator: Oct 20, 2016
  15. Schorg

    Schorg Guest

    Thanks @hjlbx

    I think it was on JPCERT/CC Blog? Not sure now.

    Glad they are safe.

    Thanks for the info:), interesting that com's execution preference over exe's and how programmers of a malicious persuasion could use that.
     
    Last edited by a moderator: Oct 20, 2016
  16. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,207
    I lost my AppGuard protection temporarily after having been put Avast AV into aggressive hardening mode. Avast does not recognize AG 4.4.6.1.
    Straight after doing so I needed only to make an exception to AG GUI.

    Maybe 5 days after, today, I noticed Avast wanting an exception to licquery.exe. I did not notice it was related to AG, so i did nothing. Later today AG complained and told it is not protecting my computer anymore. I remembered, rebooted and after that Avast gave the popup again, then I made an exception to that executable.

    This to those readers using Avast with that mode and also AG. And not to some hacker stalkers, but they will read anyways, so that can't be avoided.

    EDIT: After posting the above, I again lost AG protection. Also at some point Chrome asked if I want to stop a download, wtf? I rebooted and will see now if my system did not suffer any permanent damage. This is just crazy to say the least.
     
    Last edited: Oct 20, 2016
  17. hjlbx

    hjlbx Guest

    To see what Tree.com does - for example - open the directory containing Tree.com > open cmd from within Explorer > type tree
     
  18. Schorg

    Schorg Guest

    I see shows a tree/branch like structure of the directories:)

    Thanks I must stop being over paranoid:)
     
  19. hjlbx

    hjlbx Guest

    You are using a combo of AppGuard and SpyShelter correct ?
     
  20. Schorg

    Schorg Guest

    Yes, thats correct my main pc has SpyShelter and AppGuard.
     
  21. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    42,333
    AG has to connect to verify the actual license. If it can't do that for a longer time, it's seen as "invalid"
    Edit:
    #6065
     
    Last edited: Oct 20, 2016
  22. hjlbx

    hjlbx Guest

    I can't imagine anything happening to the physical system with both programs installed. It would take a massive blunder on your part.

    You can still be hacked via the network, but the odds of that are probably about the same as you winning the lotto. As long as you are behind a NAT router at home with AG and SpS it is sufficient. In fact, it is overkill. If you take a laptop and use it at public wifi hotspots then you should use a firewall that can detect MitM attacks - but other than that - I wouldn't bother. You can also consider adding VPN if you do a lot of public wifi use - not infrequent - but on a regular basis public wifi use.

    Are you an Enemy of the State or made any hacker enemies ? I think not...
     
    Last edited by a moderator: Oct 20, 2016
  23. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,063
    Location:
    Mexico
    :argh::ninja:
     
  24. Schorg

    Schorg Guest

    I know its overkill, but still learning and I suppose when unsure you tend to over compensate unfortunately (I do anyhow):)
     
  25. Schorg

    Schorg Guest

    I know:)
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.