AppGuard 4.x 32/64 Bit - Releases

Discussion in 'other anti-malware software' started by Jryder54, Oct 29, 2013.

Thread Status:
Not open for further replies.
  1. guest

    guest Guest

    @paulderdash
    I wrongly said that files had been removed, but they were added :oops:
    I corrected my previous post. #6728
     
  2. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,814
    Location:
    .
    Did an update to Internet Download Manager v9.27 build 5 an hour ago. Now I got some blocks in my usual Locked Down Mode:

    Code:
    02/14/17 10:13:07 Prevented process <idmmzcc.dll | c:\windows\system32\rundll32.exe> from launching from <c:\users\mrx\appdata\roaming\idm\idmmzcc5\components>.
    02/14/17 10:13:07 Prevented process <idmmzcc.dll | c:\windows\system32\rundll32.exe> from launching from <c:\users\mrx\appdata\roaming\idm\idmmzcc5\components12>.
    02/14/17 10:13:06 Prevented process <idmcchandler2_64.dll | c:\windows\system32\rundll32.exe> from launching from <c:\users\mrx\appdata\roaming\idm\idmmzcc5\components2>.
    02/14/17 10:13:06 Prevented process <idmcchandler2_64.dll | c:\windows\system32\rundll32.exe> from launching from <c:\users\mrx\appdata\roaming\idm\idmmzcc5\components2>.
    02/14/17 10:13:06 Prevented process <idmcchandler2.dll | c:\windows\system32\rundll32.exe> from launching from <c:\users\mrx\appdata\roaming\idm\idmmzcc5\components2>.
    02/14/17 10:13:06 Prevented process <idmmzcc64.dll | c:\windows\system32\rundll32.exe> from launching from <c:\users\mrx\appdata\roaming\idm\idmmzcc5\components2>.
    02/14/17 10:13:06 Prevented process <idmmzcc.dll | c:\windows\system32\rundll32.exe> from launching from <c:\users\mrx\appdata\roaming\idm\idmmzcc5\components2>.
    02/14/17 10:13:05 Prevented process <idmmzcc64.dll | c:\windows\system32\rundll32.exe> from launching from <c:\users\mrx\appdata\roaming\idm\idmmzcc5\components12>.
     
  3. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    The above *.dll block events are expected behavior. I would bet those *.dlls are unsigned. The loading of unsigned *.dlls isn't permitted in both Protected and Locked Down modes.

    You can determine if they are digitally unsigned by lowering protection to Protected mode and trying to update. If they are also blocked in Protected mode, then they are unsigned. Then in that case...

    To update in both Protected and Locked Down mode, you could create a User Space (NO) exclusion: c:\users\mrx\appdata\roaming\idm\idmmzcc5\*

    If you create the above exclusion, I wouldn't be surprised if afterwards there are more blocks. You'll have to create exclusions for those too.

    For digitally signed *.dlls, your best option is to add the publisher to the Trusted Publisher List. When you need to update, just lower protection to Protected mode, perform the update, then raise protection to Locked Down mode. That way you don't have any User Space exclusions and don't have to set AppGuard to Allow Installs. It is recommended to use the highest protection level that permits you to do what is needed.

    Remember, Locked Down mode disables the Trusted Publisher List except for Microsoft - so you will always have to create exclusions for non-Microsoft publishers if you want to update softs without having to lower the protection to Protected mode.

    For updates that have digitally unsigned components, you'll have to create exclusions for both Locked Down and Protected modes - or more simply lower protection to Allow Installs.

    For both Protected and Locked Down mode, if an update pathway exclusion would require the compound use of the * wildcard, it isn't currently supported and you will have to use Allow Installs.
     
    Last edited: Feb 14, 2017
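As an added example (not from the thread and not AppGuard's own tooling), a Python script that parses block events in the format Mr.X posted, groups them by host process, and derives the narrowest trailing-`*` User Space (NO) exclusion Lockdown describes; a group whose directories would need the unsupported compound `*` is reported as needing Allow Installs instead. The sample log is constructed from the posted lines, and the regsvr32 entries are invented to show the compound case.

```python
import re
from collections import defaultdict

# Constructed sample in the AppGuard block-event format quoted in the thread; the
# regsvr32 lines are invented to show a layout that no single '*' exclusion covers.
SAMPLE_LOG = r"""
02/14/17 10:13:07 Prevented process <idmmzcc.dll | c:\windows\system32\rundll32.exe> from launching from <c:\users\mrx\appdata\roaming\idm\idmmzcc5\components>.
02/14/17 10:13:06 Prevented process <idmcchandler2_64.dll | c:\windows\system32\rundll32.exe> from launching from <c:\users\mrx\appdata\roaming\idm\idmmzcc5\components2>.
02/14/17 10:13:05 Prevented process <idmmzcc64.dll | c:\windows\system32\rundll32.exe> from launching from <c:\users\mrx\appdata\roaming\idm\idmmzcc5\components12>.
02/14/17 10:20:01 Prevented process <a.dll | c:\windows\system32\regsvr32.exe> from launching from <c:\users\mrx\appdata\local\temp\abc\bin\x>.
02/14/17 10:20:02 Prevented process <b.dll | c:\windows\system32\regsvr32.exe> from launching from <c:\users\mrx\appdata\local\temp\def\bin\y>.
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d/\d\d \d\d:\d\d:\d\d) Prevented process <(?P<module>[^|>]+?) \| "
    r"(?P<host>[^>]+?)> from launching from <(?P<dir>[^>]+)>\.$")

def parse_events(text):
    """One dict per 'Prevented process ... from launching from' line; other lines are skipped."""
    matches = (EVENT_RE.match(line.strip()) for line in text.splitlines())
    return [m.groupdict() for m in matches if m]

def wildcard_pattern(dirs):
    """Trailing-'*' pattern covering every directory in dirs: components that differ
    become '*', a trailing run of '*' collapses to one. Returns (pattern, count of '*')."""
    splits = [d.lower().rstrip("\\").split("\\") for d in dirs]
    parts = []
    for column in zip(*splits):               # stops at the shallowest path
        parts.append(column[0] if len(set(column)) == 1 else "*")
    parts.append("*")                         # form used in the thread: <dir>\*
    while len(parts) > 1 and parts[-2] == "*":
        parts.pop()
    return "\\".join(parts), parts.count("*")

def suggest_exclusions(events):
    """Per host process: the single-wildcard User Space (NO) exclusion covering its
    blocked launches, or None when a compound wildcard would be needed (unsupported)."""
    dirs_by_host = defaultdict(set)
    for e in events:
        dirs_by_host[e["host"].lower()].add(e["dir"])
    result = {}
    for host, dirs in dirs_by_host.items():
        pattern, n = wildcard_pattern(sorted(dirs))
        result[host] = pattern if n <= 1 else None
    return result

if __name__ == "__main__":
    for host, excl in suggest_exclusions(parse_events(SAMPLE_LOG)).items():
        print(host, "->", excl or "compound wildcard needed; use Allow Installs")
```

Review the suggested pattern before adding it: a directory shared with other software widens the exclusion beyond the one updater.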
  4. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,814
    Location:
    .
    @Lockdown

    Digitally signed, all of them. But Digest algorithm says: md5
     
  5. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    Add the publisher, ToneC, by navigating to the installer, selecting it, and Add to Trusted Publisher List. You should be able to update in Protected mode then.

    Should you want to update in Locked Down mode, you'll have to create the exclusion in User Space (NO): c:\users\mrx\appdata\roaming\idm\idmmzcc5\*
     
    Last edited: Feb 14, 2017
  6. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    If I really trust the software publisher, it is sometimes just easier to turn AppGuard off, update, and turn it back on.
     
  7. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Lockdown

    If you want a real challenge, download a trial of the Napster (used to be Rhapsody) music service, and see if you can get it to run in Lockdown, without checking Rundll32. I'd love it.

    Pete
     
  8. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    Point me to the specific download link that you use, please.
     
  9. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    You would not recommend adding it to the power applications? Or is that mainly for other security apps?
     
  10. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    An application should be added to Power Apps ONLY if something is broken. I know a lot of people add all their security and other softs to the Power Apps list, but this is improper technique and needlessly creates vulnerabilities.
     
  11. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    I added all my security apps because other people suggested it. I have now removed them and will see if all stays working well.

    Thanks
     
  12. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    I know it is often recommended on the forums, but it is not proper security technique.
     
  13. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    Anyone seeing blocked WRITES to C:\Program Data or C:\Users? [I am not interested in blocked executions - that is expected behavior.]

    If yes, please post them here.
     
  14. guest

    guest Guest

    My list of Power Apps is empty, it has never caused problems or block-events. All is running fine :thumb:
     
  15. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
  16. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    Process Explorer is digitally signed by Microsoft. Remember, in Protected mode the Trusted Publisher List is enabled. Microsoft is set with MemGuard enabled. So if you execute Process Explorer - the old versions would execute the procexp\procexp_64 process from AppData (User Space). So the Trusted Publisher List settings for Microsoft would be applied to Process Explorer. The MemGuard protection would block procexp\procexp_64 from reading other process memory - and the columns would mostly be blank. In the case of the older versions, yes, it was best to add to Power Apps or run it in Locked Down mode (which disables the Trusted Publisher List settings). With the most recent version of Process Explorer it runs completely from System Space and there is no MemGuard issue.
     
  17. guest

    guest Guest

    With newer versions of Process Explorer (v16.20) MS is providing both versions (32-bit and 64-bit) in the ProcessExplorer.zip-file, which can be downloaded from their site.
    You can now execute "procexp64.exe" on a 64-bit system and no temporary file is spawned in the temporary directory.
    ---
    The portable version of Process Explorer (portableapps.com) does include both executables (32bit+64bit), but after executing "ProcessExplorerPortable.exe", it launches "procexp.exe" and the 64bit-version "procexp64.exe" is extracted to a temporary directory :ninja:
    Instead of launching it with "ProcessExplorerPortable.exe", it may be better to copy the file "procexp64.exe" somewhere to System Space and launch it directly.
     
  18. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    Thanks for posting about the portable version. I haven't used it in a long time.
     
  19. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    Thanks for the info @Lockdown and @mood.
    I did test the PortableApps.com version again now, without including it in Power Apps, and did still experience the issue of blank columns, so the temporary directory issue does still exist with this portable version.
    Indeed I could copy procexp64.exe to System Space and do away with any Power Apps, but for now it's just easier to keep ProcessExplorerPortable.exe in Power Apps.
    I just prefer the convenience of PortableApps.com updating, and no extra steps.
     
  20. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    As an alternative to adding portable Process Explorer to Power Apps, you can run it with AppGuard set to Locked Down mode. That will disable the Trusted Publisher List settings. If you want to run it in Protected mode, then you can simply set the MemGuard setting to OFF, use Process Explorer, and then when you are done re-enable the MemGuard setting back to ON.

    There are multiple solutions.
     
  21. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    Please don't ask me for free licenses.

    Please don't ask me for license discounts.

    I don't have access to general licenses.

    Licenses are handled by BRN operations; make requests through the AppGuard support page.
     
    Last edited: Feb 17, 2017
  22. guest

    guest Guest

    I think that statement will lighten your PM box :D
     
  23. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    Thanks @Lockdown.
    I do normally run in Protected Mode, on the assumption that I will get fewer blocks, but I will experiment with Locked Down mode, and see how it goes.
     
  24. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    You will get block events from User Space in Locked Down mode: OneDrive updater, manual updates of Windows Defender, dismhost.exe during automatic or manual system cleanup, and perhaps others depending on what softs are installed on your system and run processes from User Space. The Google Chrome software_reporting_tool.exe, for example.

    If you want to run in Locked Down mode, then all you need to do is to exclude those safe processes by adding them to the User Space list set to (NO).
     
  25. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,814
    Location:
    .
    :ninja::gack::p:argh:
     