AppGuard 4.x 32/64 Bit - Releases

Discussion in 'other anti-malware software' started by Jryder54, Oct 29, 2013.

Thread Status:
Not open for further replies.
  1. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,811
    Location:
    .
    Peter:
     
  2. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Sorry, I missed that. On the phone.
    Eh, for what?
     
  3. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    Oops - I see I must have Guarded it (Privacy=Off, MemWrite/MemRead=On). Probably because I considered it 'internet-facing'.
    Should I simply un-Guard it, i.e. uncheck or delete it from the list?
     
  4. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    @Jeff_T Testing Group I have another question. I sometimes see this block in my 'hardened' AG, I think due to some silent Microsoft Office update (OneNote?). (MS is not the only culprit here, I have similar from Lenovo crapware, which I guess you would recommend I remove).

    12/30/16 04:15:34 Prevented process <msiexec.exe | c:\windows\system32\services.exe> from launching from <c:\windows\system32>.
    12/30/16 04:15:24 Prevented process <wevtutil.exe | c:\program files\microsoft office\root\integration\integrator.exe> from launching from <c:\windows\system32>.

    Is there a tweak I can set to bypass this, or is the only way to undo the msiexec.exe and wevtutil.exe User Space = Yes in my 'hardened' settings?
     
  5. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    Set msiexec (Windows Installer) and wevtutil (Eventing Command Line Utility) to NO in the User Space list or remove both from the list.

    From the log entries, both are attempting to launch probably associated with some Microsoft Office task.

    Or you can set both to NO in the User Space list for a few days, then re-set them back to YES.

    Or you can set both to NO, find the associated task in Task Scheduler, run the task, then re-set them back to YES.

    For convenience I would do the first option.

    Lenovo crapware - yes, I would remove.
     
  6. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    If nothing is broken it is OK to leave it Guarded. You know why the block events happen, so just ignore them.
     
  7. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    Thanks Jeff, for your help on both questions.
     
  8. Duotone

    Duotone Registered Member

    Joined:
    Jul 9, 2016
    Posts:
    142
    Location:
    Philippines
    Not sure what caused this; I just reinstalled all my soft from a previous backup image:
    Prevented process <schtasks.exe | c:\windows\system32\wsqmcons.exe> from launching from <c:\windows\system32>.

    as of today I only have AG as my sole real-time protection...
     
  9. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    schtasks.exe is a command line utility for Windows Task Scheduler. It is in the default AppGuard User Space list and prevented from executing on the system because it can be abused to create malicious tasks. You should not have seen an alert; the block event should only be recorded in the Activity Report.

    wsqmcons.exe is the Windows SQM Consolidator. It is used by the Windows Customer Experience Improvement Program.

    Ignore it.
     
  10. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Tsk Tsk Jeff. :( Use a VM for that or Shadowdefender.
     
  11. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    Virtualization gives bogus results sometimes; virtualization-aware malware goes silent.

    I need to see the net changes on a system. VM doesn't allow for it always, and SD has the whole reboot issue.

    If I just wouldn't forget to install Rollback RX sometimes... right?

    These are all test systems - so I don't worry if they get smashed. I have to keep at least one operational for daily routine stuff though... so I will prop-up its defenses. Malware packs, new samples, etc,...

    Systems change so often sometimes it gets really hard to keep mental track.

    Not recommended for anyone else...
     
  12. guest

    guest Guest

    On my PC I can see that msiexec.exe is launched if Windows is doing a maintenance job (daily) or while installing/uninstalling programs and the installer is an MSI package.
    In the c:\Windows\Installer\ directory are some .msi (or .msp) installers which need to execute msiexec.exe.
    ----
    The list of User Space-Apps is unsorted, and it's sometimes a pain to find a specific process in this list :ninja:
     
  13. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    Then I occasionally get a block of powershell in Protected mode, as expected, because I have unticked it under Guarded Apps and set it as User Space = Yes ...

    12/30/16 12:00:11 Prevented process <powershell.exe | c:\windows\system32\svchost.exe> from launching from <c:\windows\system32\windowspowershell\v1.0>.

    ... but how would one determine what is actually needing to run powershell, and if that is legit?

    In this case there is no preceding parent process, so I guess it's just Windows itself and would have been OK to run?

    Just wondering whether to return to default setting of Guarded, and remove from User Space ... ?

    Also normally NVT ERP would be first to hop onto powershell because it is in the default Vulnerable Processes list there, with the correct hash, but it didn't this time - AG blocked it first.
     
  14. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    Windows is executing powershell. Since its parent is svchost.exe, I would expect it to be a task. However, powershell.exe never runs as part of any Microsoft task in default Windows 7, 8.1 or 10 that I know of. The only time I have ever seen Windows execute powershell is with the GWX W10 upgrade utility.

    If you're using a powershell Windows Update utility, that could be it. For example, Win10Privacy or Powershell Windows Update module.

    Check what softs you have installed - especially any utilities. Utilities commonly use cmd.exe, powershell.exe, wscript.exe, etc. A task might have been created.

    If that isn't it, and you're running W7 or 8.1, then who knows. Microsoft is doing a lot of weird stuff nowadays.

    You need to collect command lines and check the run sequences. Use SpyShelter. It is the easiest, most straight-forward method - because to do it any other way is convoluted and simply too much work.

    You'll have to figure it out.
     
    Last edited: Dec 31, 2016
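    As an added example (written for this page, not code from the thread or from AppGuard), a small Python triage script that parses the Activity Report block-event lines quoted above and separates the parent/child pairs the posters explained as routine from the ones, like powershell.exe launched by svchost.exe, that the thread says need investigating. The allow-list of expected parents is constructed from this discussion only, and the sample log is the four events quoted in the thread.

```python
import re
from collections import defaultdict

# AppGuard block-event line as quoted in this thread: "[mm/dd/yy hh:mm:ss] Prevented process <child | parent> from launching from <dir>."
EVENT_RE = re.compile(
    r"^(?:(?P<ts>\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\s+)?"
    r"Prevented process <(?P<child>[^|>]+)\|(?P<parent>[^>]+)> "
    r"from launching from <(?P<dir>[^>]+)>\.$"
)

# Parent/child pairs the posters explained as routine Windows or Office activity (constructed for this example; not an AppGuard setting).
EXPECTED_PARENTS = {
    "msiexec.exe": {r"c:\windows\system32\services.exe"},
    "wevtutil.exe": {r"c:\program files\microsoft office\root\integration\integrator.exe"},
    "schtasks.exe": {r"c:\windows\system32\wsqmcons.exe"},
}

def parse_event(line):
    """Parse one block-event line into a dict, or return None if it is not one."""
    m = EVENT_RE.match(line.strip())
    if m is None:
        return None
    ev = m.groupdict()
    for key in ("child", "parent", "dir"):
        ev[key] = ev[key].strip().lower()  # Windows paths are case-insensitive
    return ev

def triage(lines):
    """Group block events by child; label each parent 'expected' or 'investigate'."""
    by_child = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        known = EXPECTED_PARENTS.get(ev["child"], ())
        verdict = "expected" if ev["parent"] in known else "investigate"
        by_child[ev["child"]].append((ev["parent"], verdict))
    return dict(by_child)

def needs_investigation(lines):
    """Children with at least one parent nobody in the thread could account for."""
    return sorted(c for c, hits in triage(lines).items() if any(v == "investigate" for _, v in hits))

# Constructed sample: the four block events quoted in this thread (one lacks a timestamp).
SAMPLE_LOG = r"""
12/30/16 04:15:34 Prevented process <msiexec.exe | c:\windows\system32\services.exe> from launching from <c:\windows\system32>.
12/30/16 04:15:24 Prevented process <wevtutil.exe | c:\program files\microsoft office\root\integration\integrator.exe> from launching from <c:\windows\system32>.
Prevented process <schtasks.exe | c:\windows\system32\wsqmcons.exe> from launching from <c:\windows\system32>.
12/30/16 12:00:11 Prevented process <powershell.exe | c:\windows\system32\svchost.exe> from launching from <c:\windows\system32\windowspowershell\v1.0>.
""".strip().splitlines()
```

Running `needs_investigation(SAMPLE_LOG)` on the constructed sample returns only powershell.exe; everything else matches a parent the thread already explained.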
  15. Duotone

    Duotone Registered Member

    Joined:
    Jul 9, 2016
    Posts:
    142
    Location:
    Philippines
    Thanks @Jeff_T Testing Group
     
  16. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    I am on Win 10 AU. I can't think of any such utilities, but a quick look in Task Scheduler did reveal at least one powershell task for Lenovo (the usual suspect) ImController ... no idea what this does, and if uninstalling 'Lenovo System Interface Foundation' in CP 'Programs and Features' would safely remove it.
    Amazingly, there are 11 Lenovo items listed there. They could/should all be potentially removed, except for maybe Lenovo System Update (ThinkVantage System Update).
    Will have to figure out (as you say) which I can do safely on my ThinkPad Yoga.
     
  17. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    "at least one powershell task for Lenovo - ImController"

    Research it. Lenovo is known for its atypical/questionable OEM-ware.
     
  18. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    Happy New Year - one and all !
     
  19. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,811
    Location:
    .
    Happy New Year too !
     
  20. Grumlo

    Grumlo Registered Member

    Joined:
    Nov 14, 2015
    Posts:
    176
    Happy New Year :)
     
  21. Duotone

    Duotone Registered Member

    Joined:
    Jul 9, 2016
    Posts:
    142
    Location:
    Philippines
  22. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I would use Gmail for my email, and Dropbox for my cloud storage. I often share files with Dropbox when sending bug reports. I also like Zoho mail, and use it often. I used to use Yahoo mail often, but they have been hacked to death, and caused me a big headache having to change passwords for many of my accounts.
     
  23. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    What version of Windows OS ?

    Do you observe these block events in Activity Report immediately after system boot ?

    Or do you see them randomly at some time after system boot ?
     
    Last edited: Jan 7, 2017