AppGuard 4.x 32/64 Bit - Releases

Discussion in 'other anti-malware software' started by Jryder54, Oct 29, 2013.

Thread Status:
Not open for further replies.
  1. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    It looks OK. You routinely run in Locked Down mode while surfing; that is the single most important factor in securing your system. Creating additional policies is for "just-in-case" and to counter "corner" cases.

    However, it is best practice not to add any programs to Power Apps unless something is obviously broken. If HMP is launching from C:\Program Files or C:\Program Files (x86), then you do not need to make it a Power App. If you are using the portable version and it launches from User Space (AppData), then it should be added to Power Apps. Same for any other portable security soft you are using. Based upon my prior experience and observations EIS, HMPA and MBAM don't need to be added to Power Apps as AppGuard didn't break any of their functionality during testing.
     
    Last edited: Feb 8, 2017
  2. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    Wildcard saves you from writing multiple rules for the same process.

    Example...

    C:\Windows\*\cscript.exe = C:\Windows\System32\cscript.exe and C:\Windows\SysWOW64\cscript.exe

    Like @mood said...

    If you add both System32 and SysWOW64 to the Guarded Apps list, then the SysWOW64 will disappear; just need to add the System32
     
  3. Circuit

    Circuit Registered Member

    Joined:
    Oct 7, 2014
    Posts:
    939
    Location:
    Land o fruits and nuts, and more crime.
    What about "user space"? Should the SysWOW64 entry be removed?
     
  4. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    Since you've already created the rule, the answer is "No, do not remove it."

    To disable a process that exists in both System32 and SysWOW64 in the User Space list, you must add both paths.

    You can use the * wildcard to create a single rule that covers both paths, or add each path individually.

    In the User Space list, C:\Windows\*\cscript.exe will completely disable cscript.exe. Adding C:\Windows\System32\cscript.exe and C:\Windows\SysWOW64\cscript.exe individually will also disable it.
     
  5. G1111

    G1111 Registered Member

    Joined:
    May 11, 2005
    Posts:
    2,273
    Location:
    USA
    Thank you.
     
  6. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Having read a couple of articles on the Polish Bank Heist, I've added SC.exe from both system 32 and syswow64 to my users list with yes. Shut that baby down.
     
  7. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,560
    Windows 7 Home Premium 64 bit + Appguard 4.X.

    How would you configure Appguard to allow for Windows Defender malware signature updates while Appguard is set at the highest security setting (Lock-Down)?

    Thanks in advance.
     
  8. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    Pete

    Isn't having PowerShell locked down enough, and if not, wouldn't Voodoo take this sc.exe file down? Also, I can see that locking down that exe could make it difficult to install new software that installs its own service.
     
  9. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Yes it should, as would ERP. But I've learned the biggest vulnerability is ME. Tired and in a hurry and click and Oh Duh. So I don't mind a couple of bites at the apple, so to speak. Has indeed saved me.
     
  10. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    You know, in doing the malware testing and playing, I've noticed that with many malware attacks you can have several opportunities to save yourself. The enemy can be me.
     
  11. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    Exclude these file paths from User Space (YES):

    i. <c:\users\user\appdata\local\temp\*\mpsigstub.exe> [allows for manual update of Windows Defender signatures]
    ii. <c:\users\user\appdata\local\temp\mpam-*.exe> [allows for manual update of Windows Defender signatures]
    iii. <c:\users\user\appdata\local\temp\*\dismhost.exe> [allows for automatic and manual system maintenance]
     
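    The wildcard rules in this thread (C:\Windows\*\cscript.exe covering both System32 and SysWOW64, and the three Temp-folder exclusions above) can be checked before they go into AppGuard. The matcher below is an added example written for this thread, not AppGuard's own code; it assumes that "*" matches any run of characters within a single path component (it never crosses a backslash) and that comparison is case-insensitive, since the page does not document AppGuard's exact wildcard semantics. The sample paths and the True/False User Space model are constructed for illustration.

```python
import re
from typing import List, Optional, Tuple

# Assumed semantics (the page does not spell them out): "*" stands for any run
# of characters inside ONE path component, so it never crosses a backslash, and
# comparison is case-insensitive because NTFS paths are.
def rule_to_regex(rule: str) -> "re.Pattern[str]":
    """Translate an AppGuard-style path rule into an anchored regex."""
    literal_parts = [re.escape(part) for part in rule.split("*")]
    body = r"[^\\]*".join(literal_parts)
    return re.compile(body, re.IGNORECASE)

def rule_matches(rule: str, path: str) -> bool:
    """True if the whole path is covered by the rule."""
    return rule_to_regex(rule).fullmatch(path) is not None

def covered_paths(rule: str, paths: List[str]) -> List[str]:
    """Expand a wildcard rule against a list of concrete paths."""
    return [p for p in paths if rule_matches(rule, p)]

# Hypothetical policy model (a simplification, not AppGuard's real engine):
# an ordered list of (rule, in_user_space). True means the path is treated as
# User Space (launch refused in Locked Down), False means it is excluded from
# User Space (launch allowed). The first matching rule wins.
Rule = Tuple[str, bool]

def user_space_decision(rules: List[Rule], path: str) -> Optional[bool]:
    for rule, in_user_space in rules:
        if rule_matches(rule, path):
            return in_user_space
    return None  # no rule mentions this path

# Constructed sample paths, not taken from any real machine.
SAMPLE_PATHS = [
    r"C:\Windows\System32\cscript.exe",
    r"C:\Windows\SysWOW64\cscript.exe",
    r"C:\Windows\cscript.exe",                         # not inside a subfolder
    r"C:\Windows\Temp\stage\cscript.exe",              # two levels deep
    r"C:\Users\user\AppData\Local\Temp\mpam-fe.exe",
    r"C:\Users\user\AppData\Local\Temp\ABCD1234\MpSigStub.exe",
    r"C:\Users\user\AppData\Local\Temp\ABCD1234\DismHost.exe",
]

# Rules from the thread: the three Defender/DISM exclusions and one
# wildcard rule that disables cscript.exe in both System32 and SysWOW64.
POLICY: List[Rule] = [
    (r"c:\users\user\appdata\local\temp\*\mpsigstub.exe", False),
    (r"c:\users\user\appdata\local\temp\mpam-*.exe", False),
    (r"c:\users\user\appdata\local\temp\*\dismhost.exe", False),
    (r"C:\Windows\*\cscript.exe", True),
]

if __name__ == "__main__":
    for rule, _ in POLICY:
        print(rule, "->", covered_paths(rule, SAMPLE_PATHS))
    for p in SAMPLE_PATHS:
        print(p, "in user space:", user_space_decision(POLICY, p))
```

    Running it shows that C:\Windows\*\cscript.exe expands to exactly the System32 and SysWOW64 copies and does not reach a cscript.exe placed directly in C:\Windows or two folders deep, which is why one wildcard rule replaces the two individual entries. It also shows the other side of the Temp exclusions: the "*" in <...\temp\*\mpsigstub.exe> matches any subfolder name, so the exclusion is only as narrow as the file name it ends in. That is the trade-off to keep in mind when adding exclusions under a user-writable folder.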
  12. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,420
    Location:
    Under a bushel ...
  13. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
  14. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,420
    Location:
    Under a bushel ...
  15. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    You can add it to Guarded Apps if you so wish. sc.exe is one of those programs that is recommended to disable if you have no need of it. Windows maintenance uses it.

    Just be aware that the attack in the cited article is targeted against servers and not home users. The servers were targeted and breached using administrative passwords for the required admin privileges to make the system modifications possible. The attackers had to get Meterpreter, Mimikatz, et al. onto the system to make it all work together.

    This attack is not a download-file-get-infected scenario. There might have been some type of server exploit utilized, but that isn't clear from what I just read. It isn't something to fret about.

    As usual, an IT security article makes the security forums and there is a needless over-reaction by users. I've seen that thread lit up all day.
     
  16. Dark Star 72

    Dark Star 72 Registered Member

    Joined:
    May 27, 2007
    Posts:
    771
    What folder type is correct for sc.exe under Guarded Apps? When I add it it automatically sets as "Private-Deny Access". Is this correct?
     
  17. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    You could, but sc.exe is a Windows Services command line utility that doesn't access folders. So, basically, there is no need to set Privacy to "Deny Access."
     
  18. Dark Star 72

    Dark Star 72 Registered Member

    Joined:
    May 27, 2007
    Posts:
    771
    What should I set it as then? Had AG some while but still learning about adding new protections.
     
  19. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    Just use the default values created when adding it to the Guarded Apps list.
     
  20. XhenEd

    XhenEd Registered Member

    Joined:
    Mar 31, 2014
    Posts:
    536
    Location:
    Philippines
    How did you add sc.exe in the Guarded Apps list? From what I understand from your post, you added it in Folder Settings that is found under the Guarded Apps tab. If that is the case, you didn't really add it in the Guarded Apps list.
     
  21. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Putting SC in user space had an adverse effect on FIDES. I moved it to Guarded Apps and all seems well.
     
  22. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,420
    Location:
    Under a bushel ...
    Guarded Apps>Add Program>browse to c:\windows\system32\sc.exe and syswow64\sc.exe
    Resolves as Service Control Manager Configuration Tool
     
  23. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    Problem solver... :thumb:
     
  24. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    He's added it to Guarded Apps and AppGuard is setting the Privacy setting to Deny Access. He asked if that was correct / what is best. For sc.exe, it doesn't matter because sc.exe isn't used to save files, so to make his life simpler he should just use the value created by AppGuard.
     
  25. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,420
    Location:
    Under a bushel ...
    OK I understand what you're asking @Dark Star 72 now. Yes, that's what he must have done, instead of adding it to Guarded Apps as in post #6706.
     