AppGuard 4.x 32/64 Bit - Releases

Discussion in 'other anti-malware software' started by Jryder54, Oct 29, 2013.

  1. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    Anyone else seeing Intel Igfx - -.exe block events in Protected and/or Locked down modes?

    What version of Windows OS ?

    If Windows 10, Fast Startup enabled or disabled ?

    It's not a problem. I am just trying to identify under which OS and settings these block events will be logged.

    For example, on W10 Pro with Fast Startup and Hibernation completely disabled (these options do not even show in the Power Control Panel), running AppGuard in Protected mode these block events are not logged.
     
  2. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    I have been seeing these everyday for as long as I can remember.

    Windows 10 Home evaluation copy. Fast Startup disabled.
     

    Attached Files:

  3. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    Immediately after system boot or some time after boot?

    You see those igfxEM.exe blocks when running AppGuard in Protected mode?
     
  4. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    @boredog

    You have MBAM installed. Is it installed to the Programs directory, or is it a portable version?
     
  5. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    "You have MBAM installed. Is it installed to Programs directory or is it a portable version ?"

    Programs directory
     
  6. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    1. Intel Graphics Service creates a {*}.bat file in System32 during system start.

    2. At system boot the {*}.bat file is executed.

    3. cmd.exe executes the {*}.bat file.

    4. The {*}.bat file script is:

    @Echo off
    if exist igfxEM.exe start igfxEM.exe
    if exist igfxHK.exe start igfxHK.exe
    if exist igfxTray.exe start igfxTray.exe
    del /Q {A6D608F0-0BDE-491A-97AE-5C4B05D86E01}.bat

    5. igfxEM.exe, igfxHK.exe and igfxTray.exe inherit cmd.exe's protections since cmd.exe is a Guarded App.

    That is why they are prevented from writing to System Space and protected areas of the registry.

    It is nothing to be concerned about as nothing is broken.
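As an added example (not code from this thread, and not Intel's or AppGuard's own tooling), here is a small Python parser for the drop-run-delete batch pattern described in the post above. It takes the script Lockdown quoted, lists the executables cmd.exe would `start`, checks whether the script deletes itself, and records that the children run under a guarded parent. The file name and the cmd.exe parent come from the post; the `suspicious` heuristic and the function names are my own.

```python
import re
from dataclasses import dataclass

# Constructed sample: the script quoted in the post above. The file name is the
# one the post shows; Intel's service writes it into System32 and cmd.exe runs it.
SCRIPT_NAME = "{A6D608F0-0BDE-491A-97AE-5C4B05D86E01}.bat"
SAMPLE_BAT = """\
@Echo off
if exist igfxEM.exe start igfxEM.exe
if exist igfxHK.exe start igfxHK.exe
if exist igfxTray.exe start igfxTray.exe
del /Q {A6D608F0-0BDE-491A-97AE-5C4B05D86E01}.bat
"""

# `if [not] exist <path> <command>` guard; the guarded command is captured.
IF_EXIST = re.compile(r'^if\s+(not\s+)?exist\s+("[^"]+"|\S+)\s+(?P<cmd>.+)$', re.I)
# `start ["title"] [/flags] <target> ...`: the quoted window title is optional.
START = re.compile(r'^start\s+(?:"[^"]*"\s+)?(?:/\w+\s+)*(?P<target>"[^"]+"|\S+)', re.I)
# `del|erase [/flags] <target>`
DEL = re.compile(r'^(?:del|erase)\s+(?:/\w+\s+)*(?P<target>"[^"]+"|\S+)', re.I)
# A bare executable, or `call <file>`, on its own line.
RUN = re.compile(r'^(?:call\s+)?(?P<target>"[^"]+"|\S+\.(?:exe|bat|cmd))(?:\s|$)', re.I)


@dataclass
class Launch:
    target: str
    conditional: bool   # True when wrapped in `if exist`


def parse_batch(text):
    """Return (launches, deletions) for the commands the batch file would run."""
    launches, deletions = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("@"):
            line = line[1:].strip()        # `@` only suppresses echo of that line
        if not line or line.lower().startswith(("echo ", "rem ", "::")):
            continue
        conditional = False
        m = IF_EXIST.match(line)
        if m:
            conditional, line = True, m["cmd"].strip()
        m = START.match(line)
        if m:
            launches.append(Launch(m["target"].strip('"'), conditional))
            continue
        m = DEL.match(line)
        if m:
            deletions.append(m["target"].strip('"'))
            continue
        m = RUN.match(line)
        if m:
            launches.append(Launch(m["target"].strip('"'), conditional))
    return launches, deletions


def assess(script_name, text, parent="cmd.exe", guarded_parents=("cmd.exe",)):
    """Describe what the script launches and whether the drop-run-delete pattern holds.

    `parent` is the interpreter running the script; in the thread that is cmd.exe,
    a Guarded App, so every child it starts inherits cmd.exe's restrictions.
    `suspicious` is an assumed heuristic: a self-deleting script that starts
    executables by bare (directory-relative) name.
    """
    launches, deletions = parse_batch(text)
    self_deleting = script_name.lower() in (d.lower() for d in deletions)
    relative = [l.target for l in launches if "\\" not in l.target and ":" not in l.target]
    return {
        "launched": [l.target for l in launches],
        "conditional": all(l.conditional for l in launches),
        "deleted": deletions,
        "self_deleting": self_deleting,
        "inherits_guard": parent.lower() in {g.lower() for g in guarded_parents},
        "suspicious": self_deleting and bool(relative),
    }


if __name__ == "__main__":
    for key, value in assess(SCRIPT_NAME, SAMPLE_BAT).items():
        print(f"{key}: {value}")
```

Run it as-is to see the three igfx*.exe launches and the self-delete; feed it the contents of any other transient .bat you find in System32 to get the same breakdown.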
     
  7. XhenEd

    XhenEd Registered Member

    Joined:
    Mar 31, 2014
    Posts:
    536
    Location:
    Philippines
    Windows 10 Home Single Language 1607 64-bit

    I think immediately after system boot. I'm not sure.

    Fast start-up enabled.
     
  8. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    Please do me a favor and check for igfxEM.exe blocks immediately after system boot.

    If I recall correctly these block events happen when an Intel Graphics task runs - so the block event doesn't occur right at system boot.
     
  9. XhenEd

    XhenEd Registered Member

    Joined:
    Mar 31, 2014
    Posts:
    536
    Location:
    Philippines
    Okay. I'll monitor the block events, next time I reboot my laptop. :)
     
  10. XhenEd

    XhenEd Registered Member

    Joined:
    Mar 31, 2014
    Posts:
    536
    Location:
    Philippines
    01/08/17 16:23:02 Prevented <igfxEM Module> from writing to <\registry\machine\software\intel\display\igfxcui\mediakeys>.
    01/08/17 16:23:02 Prevented process <igfxEM Module> from writing to <c:\intel\gp\profile_*.dat>.
    01/08/17 16:21:52 Protection level is set to <protected>.


    @Jeff_T Testing Group I just did a system restart. I presume that can already be classified as "immediately after system boot". :)
     
  11. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    Thanks

    You have Fast Start enabled and get these block events.

    I do not have Fast Start enabled and do not get these block events on Windows 10 Pro 1607 14343.576.
     
  12. XhenEd

    XhenEd Registered Member

    Joined:
    Mar 31, 2014
    Posts:
    536
    Location:
    Philippines
    Thanks for the info! :)
     
  13. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,537
    Windows 10 Pro (10.0.14393)

    Yes.

    Also this, as you can see below...

    01/08/17 16:09:29 AppGuard stopped <51972> suspicious activities while active.
    01/08/17 16:06:51 Prevented process <igfxEM Module> from writing to <c:\intel\gp\profile_*.dat>.
    01/08/17 16:06:51 Prevented <igfxEM Module> from writing to <\registry\machine\software\intel\display\igfxcui\misc>.
    01/08/17 16:04:58 Prevented process <igfxEM Module> from writing to <c:\intel\gp\profile_*.dat>.
    01/08/17 16:04:58 Prevented <igfxEM Module> from writing to <\registry\machine\software\intel\display\igfxcui\misc>.
    01/08/17 15:40:57 Prevented process <igfxEM Module> from writing to <c:\intel\gp\profile_*.dat>.
    01/08/17 15:40:57 Prevented <igfxEM Module> from writing to <\registry\machine\software\intel\display\igfxcui\mediakeys>.
    01/08/17 15:40:24 Prevented process <pid: 8104> from writing to <c:\intel\gp\profile_*.dat>.
    01/08/17 15:40:24 Prevented <pid: 8104> from writing to <\registry\machine\software\intel\igfx\dpp>.
    01/08/17 15:40:24 Prevented <pid: 8104> from writing to <\registry\machine\software\intel\display\igfxcui\mediakeys>.
    01/08/17 15:39:29 Protection level is set to <protected>.
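For the "immediately after boot or some time after" question, here is an added Python example (not AppGuard's tooling and not code from the thread) that parses log lines in the format pasted above, re-sorts them chronologically, and reports for each process how many seconds after the "Protection level is set to" event its first block occurred, whether AppGuard resolved the image name or logged only a pid, and how many registry versus file-system writes were stopped. The sample input is rdsu's lines re-embedded as constructed data; the 60-second "boot window" cutoff and all function names are my assumptions.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed sample: the lines rdsu posted, in the newest-first order the
# AppGuard activity view shows them; the parser re-sorts them.
SAMPLE_LOG = r"""
01/08/17 16:09:29 AppGuard stopped <51972> suspicious activities while active.
01/08/17 16:06:51 Prevented process <igfxEM Module> from writing to <c:\intel\gp\profile_*.dat>.
01/08/17 16:06:51 Prevented <igfxEM Module> from writing to <\registry\machine\software\intel\display\igfxcui\misc>.
01/08/17 16:04:58 Prevented process <igfxEM Module> from writing to <c:\intel\gp\profile_*.dat>.
01/08/17 16:04:58 Prevented <igfxEM Module> from writing to <\registry\machine\software\intel\display\igfxcui\misc>.
01/08/17 15:40:57 Prevented process <igfxEM Module> from writing to <c:\intel\gp\profile_*.dat>.
01/08/17 15:40:57 Prevented <igfxEM Module> from writing to <\registry\machine\software\intel\display\igfxcui\mediakeys>.
01/08/17 15:40:24 Prevented process <pid: 8104> from writing to <c:\intel\gp\profile_*.dat>.
01/08/17 15:40:24 Prevented <pid: 8104> from writing to <\registry\machine\software\intel\igfx\dpp>.
01/08/17 15:40:24 Prevented <pid: 8104> from writing to <\registry\machine\software\intel\display\igfxcui\mediakeys>.
01/08/17 15:39:29 Protection level is set to <protected>.
"""

TS = re.compile(r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d) (.*)$")
BLOCK = re.compile(r"^Prevented (?:process )?<(?P<proc>[^>]+)> from writing to <(?P<target>[^>]+)>\.$")
LEVEL = re.compile(r"^Protection level is set to <(?P<level>[^>]+)>\.$")
PID_ONLY = re.compile(r"^pid: \d+$")


@dataclass
class Block:
    when: datetime
    process: str
    target: str
    kind: str                        # "registry" or "file"
    level: Optional[str]             # protection level in force at the block
    since_level_s: Optional[float]   # seconds after that level was set
    unresolved: bool                 # AppGuard logged only a pid, no image name


def parse_events(text):
    """Timestamped (datetime, message) pairs in chronological order."""
    events = []
    for raw in text.splitlines():
        m = TS.match(raw.strip())
        if m:
            events.append((datetime.strptime(m.group(1), "%m/%d/%y %H:%M:%S"), m.group(2)))
    events.sort(key=lambda e: e[0])   # stable, so same-second lines keep their order
    return events


def correlate(text):
    """Attach to every block the protection level in force and the time since it was set."""
    level, level_at, blocks = None, None, []
    for when, msg in parse_events(text):
        lm = LEVEL.match(msg)
        if lm:
            level, level_at = lm["level"], when
            continue
        bm = BLOCK.match(msg)
        if not bm:
            continue                  # counters and other status lines are skipped
        target = bm["target"]
        kind = "registry" if target.lower().startswith("\\registry\\") else "file"
        since = (when - level_at).total_seconds() if level_at else None
        blocks.append(Block(when, bm["proc"], target, kind, level, since,
                            bool(PID_ONLY.match(bm["proc"]))))
    return blocks


def summarize(blocks, boot_window_s=60):
    """Per process: counts by kind, offset of the first block from the protection
    start, and whether that first block fell inside boot_window_s (assumed cutoff)."""
    out = defaultdict(lambda: {"blocks": 0, "registry": 0, "file": 0,
                               "first_offset_s": None, "within_boot_window": False,
                               "unresolved": False, "targets": set()})
    for b in sorted(blocks, key=lambda b: b.when):
        s = out[b.process]
        s["blocks"] += 1
        s[b.kind] += 1
        s["targets"].add(b.target)
        s["unresolved"] = s["unresolved"] or b.unresolved
        if s["first_offset_s"] is None:
            s["first_offset_s"] = b.since_level_s
            s["within_boot_window"] = (b.since_level_s is not None
                                       and b.since_level_s <= boot_window_s)
    return dict(out)


if __name__ == "__main__":
    for proc, s in summarize(correlate(SAMPLE_LOG)).items():
        print(proc, {k: v for k, v in s.items() if k != "targets"})
```

Paste your own log excerpt in place of the sample to see whether your igfxEM blocks sit seconds after protection starts (a boot-time launch) or minutes later (a scheduled Intel Graphics task); a process shown only as `pid: N` is flagged as unresolved so you can look it up before the pid is reused.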
     
  14. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    Do you have Fast Startup enabled?

    Blocks are not a concern: https://www.wilderssecurity.com/threads/appguard-4-x-32-64-bit.355206/page-258#post-2643568

    I am just trying to connect the circumstances/system settings and when these block events appear.

    Thanks
     
  15. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    I figured out what the problem is. It is not just about disabling Fast Startup; you must shut down your computer, not just restart/reboot.
    I just rechecked and missed the instructions to actually shut my computer down, not just reboot.
    Please see the screenshot. Hope this helps ;)
     

    Attached Files:

  16. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    Thanks
     
  17. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,537
    Yes.
     
  18. Infected

    Infected Registered Member

    Joined:
    Feb 9, 2015
    Posts:
    1,059
    Link to the newest version?
     
  19. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,031
    Location:
    Mexico
    Code:
    http://www.appguardus.com/support/products/AG52/AppGuardSetupPers-5-2-9-1.exe
     
  20. Infected

    Infected Registered Member

    Joined:
    Feb 9, 2015
    Posts:
    1,059
    Much appreciated.
     
  21. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    Anyone running Kingsoft WPS with W, P and/or S as a Guarded App on Windows 10?
     
  22. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    Disabling PowerShell and PowerShell_ISE on Windows...

    Microsoft provides no means shipped with Windows to uninstall PowerShell or PowerShell_ISE on Windows 8/8.1 and 10. Believe it or not, it's a feature.

    If you turn off PowerShell 2.0 in Windows Features, all that does is disable backwards compatibility for some rare PowerShell scripts that can only run under PowerShell 2.0. However, it is curious that PowerShell 2.0 is enabled by default, but it won't work unless you also enable .NET Framework 3.5, which is disabled by default.

    To disable PowerShell and PowerShell_ISE on Windows 8/8.1 and 10, Microsoft advises using a software restriction policy - like AppGuard, AppLocker, etc.

    In AppGuard, un-tick PowerShell in the Guarded Apps tab and then add c:\windows\*\powershell.exe and c:\windows\*\powershell_ise.exe to User Space (YES).
     
  23. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    For some reason today I got two odd blocks for AppGuard to my private folder right after going from Off to Locked.
     

    Attached Files:

  24. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    You can prevent such alerts by disabling (un-ticking) pop-ups and toasters on User Space tab > Privacy Mode.
     
  25. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    Can you explain why I would get that alert when I never have before?

    Thanks
     