Discussion in 'other anti-malware software' started by Jryder54, Oct 29, 2013.
I get that one often with Firefox. It has never caused any problem.
I always get the same popup while opening Chrome. It doesn't like their reporter exe.
I assume you are running AppGuard in Locked Down mode. AppGuard will block all processes from executing from User Space in Locked Down mode - unless they are added by the user to the Guarded Apps list.
The software_reporter_tool is [part of] the Chrome Cleanup Tool (formerly the Software Removal Tool). Please see https://productforums.google.com/forum/#!topic/chrome/bFhfVkR-ENo.
Also, read about the Chrome Cleanup Tool here from official Google whitepaper: https://www.google.com/chrome/browser/privacy/whitepaper.html
If you don't want to see it blocked, then you have to allow it (Software Reporter).
To allow it, exclude its file path from User Space (NO) in the User Space list.
Replace the version number in the file path with the * wildcard so you don't have to recreate the exclusion if it is updated and the version number in the file path changes.
The above is the best option. This is the option that I use for Locked Down mode.
* * * * *
Alternatively, you can add it to the Guarded Apps list instead of creating an exclusion for it in the User Space list. However, if you add it to the Guarded Apps list, you should keep an eye on it until you are sure that the Guarded Apps protections do not interfere with its functionality and operation.
Finally, you can make it a PowerApp if you so wish - but that is not recommended practice. I only mention it to give you all the options.
I should point out that adding software_reporter_tool.exe to the Guarded Apps may very well be a viable option - I just never tried it. It depends upon what it does on the system. I will do it and report back.
EDIT: I added SRT to Guarded Apps and ran Google for a while + executed SRT. Nothing seems to break, but then again, I can find no official documentation that fully explains when it is invoked nor exactly how it works\what it does. So adding it to Guarded Apps could still affect its operation under specific circumstances.
Due to my hardened .xml, I am getting this block:
01/23/17 12:36:20 Prevented process <reg.exe | c:\windows\system32\svchost.exe> from launching from <c:\windows\system32>.
No idea what is triggering it. Should I allow it, or is there no harm in continuing to block it?
@paulderdash also had the same issue, had no idea what triggered it; in the end I just ignore it...
I blocked reg.exe too, but never saw a block-message for it.
At what time does it appear, directly after a reboot?
But if nothing seems to be broken, I think you can leave it in User Space with Include=NoYes.
I think I also encountered reg.exe block because I saw just recently that it was set to User Space=No, which is supposed to be Yes. So, I must have changed it to No to allow something, but I can't remember what triggered it and when. I changed it back to User Space=Yes already.
It happened randomly, I could not link it to any event or program ... haven't noticed anything untoward, so left it at Include=Yes, but you think change it to No?
I don't know why i wrote "No" before , but it is now corrected.
reg.exe is placed in User Space (YES) as part of AppGuard's default policies; it is not in User Space (YES) because of the hardened xml.
In the block event that you show, the parent of reg.exe is svchost.exe - so it is associated with a service\task. Check the process parent and other block events - immediately before and after the block in question - as they usually give you valuable insight as to what just happened on the system. If there are none before or after that you can associate the event with, then it comes down to knowledge of and experience with Windows and software.
For example, Intel graphics runs a task once in a while that launches reg.exe. Reg.exe is also executed by some utilities - like MaceCraft's jv-series system cleaner - but you should notice the block when running such utilities.
reg.exe is the command line utility for regedit.exe.
You ignore block events unless something is obviously broken. That is the definitive standard to follow. When considering whether to allow something that is blocked, ask yourself: "Is something that I know to be safe\legitimate broken because AppGuard blocked it?" If no - ignore. If yes - allow.
It is an exercise in futility to try and second-guess every single block event that you see in the Activity Report.
It is also futile to continuously harbor nagging doubts about block events. "Oh man, I got this block event and I just know something is being broken - but I just don't know what is being broken... it's going to cause some kind of hidden system malfunction or security bypass..."
Really? Stop that! You will have greater peace-of-mind.
Block events that you question, keep posting here for review. The answers here are good for learning.
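The triage rule in the post above (look at the parent process, then at the block events immediately before and after) can be applied mechanically to an exported Activity Report. The following is an added example, not AppGuard's code or anything from the thread; it assumes every block line has the shape of the single line quoted earlier (MM/DD/YY HH:MM:SS, then "Prevented process <child | parent> from launching from <dir>."), which is an assumption, and the sample report it parses is constructed, with only the reg.exe/svchost.exe line mirroring the thread.

```python
import re
from datetime import datetime, timedelta
from collections import Counter

# Line shape assumed from the one Activity Report entry quoted in the thread:
#   MM/DD/YY HH:MM:SS Prevented process <child | parent> from launching from <dir>.
# Assumption: child is a bare file name, parent is a full path, as in that entry.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) Prevented process "
    r"<(?P<child>[^|>]+?) \| (?P<parent>[^>]+?)> from launching from <(?P<location>[^>]+)>\.?$"
)

# Constructed sample report. Only the 12:36:20 reg.exe/svchost.exe line mirrors the
# thread; the other lines are invented to show how neighbouring events add context.
SAMPLE_REPORT = """\
01/23/17 12:36:18 Prevented process <software_reporter_tool.exe | c:\\program files\\google\\chrome\\application\\chrome.exe> from launching from <c:\\users\\user\\appdata\\local\\google\\chrome\\user data\\swreporter\\12.34.56>.
01/23/17 12:36:20 Prevented process <reg.exe | c:\\windows\\system32\\svchost.exe> from launching from <c:\\windows\\system32>.
01/23/17 12:36:21 Prevented process <reg.exe | c:\\windows\\system32\\svchost.exe> from launching from <c:\\windows\\system32>.
01/23/17 13:05:02 Prevented process <reg.exe | c:\\users\\user\\appdata\\local\\exampleapp\\exampleapp.exe> from launching from <c:\\windows\\system32>.
"""


def parse_report(text):
    """Return one event dict per line that matches LINE_RE; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unrelated report lines are not an error
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%m/%d/%y %H:%M:%S")
        # Windows paths are case-insensitive, so normalise before comparing.
        for key in ("child", "parent", "location"):
            ev[key] = ev[key].lower()
        events.append(ev)
    return events


def neighbours(events, index, window_seconds=5):
    """Events other than events[index] whose timestamp lies within the window.

    These are the 'immediately before and after' events the post says to read
    together with the block in question."""
    anchor = events[index]["ts"]
    delta = timedelta(seconds=window_seconds)
    return [e for i, e in enumerate(events)
            if i != index and abs(e["ts"] - anchor) <= delta]


def parents_of(events, child_name):
    """Count which parents launched a given child across the whole report."""
    child_name = child_name.lower()
    return Counter(e["parent"] for e in events if e["child"] == child_name)


def is_service_parent(event):
    """A svchost.exe parent means a service or scheduled task, not a user action."""
    return event["parent"].endswith("\\svchost.exe")


if __name__ == "__main__":
    evs = parse_report(SAMPLE_REPORT)
    for i, ev in enumerate(evs):
        kind = "service/task" if is_service_parent(ev) else "application"
        print(f"{ev['ts']} {ev['child']} <- {ev['parent']} ({kind}), "
              f"{len(neighbours(evs, i))} event(s) within 5s")
    print(parents_of(evs, "reg.exe"))
```

Running it on a real export, the interesting output is the parent counter: a child such as reg.exe that is only ever launched by svchost.exe points at a task or service, while a second parent appearing alongside it (the Discord case reported later in the thread) is the kind of clue the post says to look for.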
Now I know what is triggering reg.exe to launch and be blocked by AppGuard in my laptop. It's the Discord app. I launched it, and reg.exe block notification popped-up.
I have and use several Chrome sandboxes, so when I run one or all of them, software_reporter_tool.exe tries to run on every instance and is blocked by AppGuard in Locked Down mode. This behavior is not new for me, but I wanted to bring it up as I'm tired of adding ignore messages in AG. This is normal, I know, and I want to keep AG blocking it and showing an alert which I can easily add to ignored messages; however, every time there's a Chrome update, the path changes and AG alerts once again, as expected.
What I did is to use a wildcard (*) like this:
software_reporter_tool.exe | c:\program files\google\chrome\application\chrome.exe
where the first * is the Chrome instance and the last * is the tool version
Problem is it does not work. I guess wildcards aren't supported in these messages.
Add Software Reporter Tool to User Space=No.
Change "user" to your user account name.
Thanks, but your solution is for:
I want to see it blocked.
Compound use of wildcards is currently not supported.
You will have to continue doing what you have been doing or alternatively use this file path:
c:\program files\google\chrome\application\chrome.exe r:\sandbox\mrx\*
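The two wildcard rules the thread arrives at (one "*" per path, placed at the first position that varies, so that sandbox instance and tool version are both covered by it; and a "*" in place of the version directory for the plain Locked Down exclusion) can be checked against a set of observed block paths before the entry is typed into AppGuard. The code below is an added example, not AppGuard's matcher: its matching semantics (case-insensitive, a single "*" spanning any characters including backslashes) are an assumption drawn from the replies above, the rejection of patterns with more than one "*" restates what the thread says is unsupported, and the sample paths are constructed (the Chrome SwReporter location under a user profile, and an invented sandbox root).

```python
import os

# Assumptions, not documented on the page: matching is case-insensitive and one "*"
# may span any characters, separators included, as "r:\sandbox\mrx\*" suggests.


def validate_pattern(pattern):
    """Reject compound wildcards; the thread states AppGuard does not support them."""
    if pattern.count("*") > 1:
        raise ValueError("compound wildcards are not supported: %r" % pattern)
    return pattern


def matches(pattern, path):
    """True if path matches a pattern that contains at most one "*"."""
    validate_pattern(pattern)
    pattern, path = pattern.lower(), path.lower()
    if "*" not in pattern:
        return pattern == path
    prefix, suffix = pattern.split("*")
    return (len(path) >= len(prefix) + len(suffix)
            and path.startswith(prefix) and path.endswith(suffix))


def _cut_prefix_at_separator(prefix):
    """Trim a character-wise common prefix back to a whole directory prefix."""
    cut = prefix.rfind("\\")
    return prefix[: cut + 1] if cut >= 0 else ""


def _cut_suffix_at_separator(suffix):
    """Trim a character-wise common suffix forward to a whole path tail."""
    cut = suffix.find("\\")
    return suffix[cut:] if cut >= 0 else ""


def derive_pattern(paths):
    """Build the single-wildcard pattern covering every observed path: the common
    leading directories, one "*" for the first varying part, then the common tail.

    This is the general form of the thread's advice: with one varying segment
    (the version) the "*" lands there; with several (sandbox name and version)
    it lands at the first one and swallows the rest."""
    lowered = [p.lower() for p in paths]
    if len(set(lowered)) == 1:
        return lowered[0]  # nothing varies, no wildcard needed
    prefix = _cut_prefix_at_separator(os.path.commonprefix(lowered))
    rest = [p[len(prefix):] for p in lowered]
    common_tail = os.path.commonprefix([r[::-1] for r in rest])[::-1]
    suffix = _cut_suffix_at_separator(common_tail)
    pattern = prefix + "*" + suffix
    assert all(matches(pattern, p) for p in paths)  # self-check
    return pattern


# Constructed sample paths (version numbers and the r:\sandbox root are invented).
SWREPORTER_PATHS = [
    r"c:\users\user\appdata\local\google\chrome\user data\swreporter\12.34.56\software_reporter_tool.exe",
    r"c:\users\user\appdata\local\google\chrome\user data\swreporter\13.0.1\software_reporter_tool.exe",
]
SANDBOX_PATHS = [
    r"r:\sandbox\mrx\user\appdata\local\google\chrome\user data\swreporter\12.34.56\software_reporter_tool.exe",
    r"r:\sandbox\other\user\appdata\local\google\chrome\user data\swreporter\13.0.1\software_reporter_tool.exe",
]

if __name__ == "__main__":
    print(derive_pattern(SWREPORTER_PATHS))
    print(derive_pattern(SANDBOX_PATHS))
```

For the plain Locked Down case this yields the version-wildcard exclusion described earlier in the thread; for the sandbox case the "*" is pushed up to the sandbox name, which is exactly the "command line to the 1st wildcard position" advice, and any attempt to keep both a sandbox wildcard and a version wildcard is rejected as compound.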
software_reporter_tool.exe is a part of Chrome's protections - so I don't know why you would want to block it. I know one of its functions is to report on extensions that might be problematic. There isn't much official documentation on it, but I do know what it is not - it's not some kind of telemetry program designed to collect and report everything that is installed on the system.
See my reply. I edited it.
I want to block it not for those reasons but for experimenting reasons. I just want to know if it's possible to use wildcards in the lines. Perhaps for future use in other scenarios where I really want to block and ignore messages.
Try using the command line to the 1st wildcard position. See my previous post.
There's a bug in the Ignore Messages module. If you add things to it, then it might break the default Ignore Messages list and you will start to get alerts for the processes in the list - like schtasks.exe.
Yes. I am reporting to you the first wildcard did the job, it's been hours since the change and no alert from any of Chrome instances.
I've added the software reporter tool ignore messages many times and haven't seen an alert as if it were broken.
Good for you. On the other hand, Jimmy Fat-Fingers over here discovered a way to break it. I broke it by modifying some default Ignore Message settings. Since most users do not ignore additional messages beyond the defaults, the bug has flown under the radar and has been low priority for a fix.
The fix to resolve the issue should be a single policy for all users. Expect it in the next release.
lol at Jimmy Fat Fingers, new for me.
But as you said, modifying some default settings causes the breakage. I've never modified an existing default policy, just added new ones.
Jimmy Fat-Fingers = software breaker