AppGuard 4.x 32/64 Bit - Releases

Discussion in 'other anti-malware software' started by Jryder54, Oct 29, 2013.

Thread Status:
Not open for further replies.
  1. guest

    guest Guest

    You know, a friend created this:

    http://i.imgur.com/opNjQyT.png

    and then my PM box was full of messages asking for a license or trial... :p
     
  2. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,796
    Location:
    .
    Really?
    Some naive users don't know you that much, I can tell. LOL

    Love it.
    Note 9000% not 9999% to be realistic and conservative :p

    Now I quit this off topic.
     
  3. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,639
    Location:
    Under a bushel ...
    I finally got around to checking my lists now.

    @mood Of these, the only new ones to me (not known before) were:
    *eventvwr.exe
    *mmc.exe
    C:\ProgramData\Microsoft\Windows Defender\Scans\FilesStash\

    Edit: Added these to User Space.
    *mmc.exe does sound familiar. Not sure if I haven't added it before, then removed it due to issues. Will have to see.
     
    Last edited: Feb 17, 2017
  4. guest

    guest Guest

    I have compared the new blacklist with an older blacklist, which I had saved to my hard disk "several months ago".
    This might be a reason why I was able to find more "new" entries after the comparison.

    I'm using some executables from the blacklist.txt on a "daily basis", so I haven't added all of them to "User Space (Include=Yes)" (and I don't have to switch "Include=Yes/No" every time).
    I am monitoring them with other applications.
     
  5. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,639
    Location:
    Under a bushel ...
    Would be interesting to know which other applications?
    Because if / when I switch to AppGuard 5.x I would probably ditch the 'hardened .xml', go with a more vanilla version and rather 'monitor' as you do ...
    I also had the vulnerable processes in NVT ERP but ditched that due to the hashes changing with upgrades, so now also on the default list there.
     
  6. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,639
    Location:
    Under a bushel ...
    Yes, I had been following Florian / Jeff's lists quite 'religiously' :cautious::)
     
  7. guest

    guest Guest

    ERP :)
    (and I have some deny rules in AppLocker)
    The hashes rarely change on my system, so it's no problem for me to monitor them with ERP.
    On Windows 10 it's different ;) (new release = new hashes)
     
  8. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    It's funny because I never thought about updates, but just checked hashes and they match the latest files.
     
  9. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    I see some of you here are using AppGuard with Sandboxie. Did you have to do any tweaking to AppGuard? I tried installing Sandboxie a bit ago and it didn't seem to be working right. Did see a few blocks from AppGuard even with AppGuard set to allow installs.

    I posted in the Sandboxie thread but should here too. Pretty sure there is a workaround but the one posted on their site didn't work for me.

    https://www.wilderssecurity.com/threads/sandboxie-acquired-by-invincea.357312/page-138#post-2653859
     
    Last edited: Feb 18, 2017
  10. guest

    guest Guest

    The specific issue: #5743
    At least make c:\sandbox an exception folder.
    But what exactly is blocked from AG?
     
  11. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Could it be the hash problem is only win 10?
     
  12. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    In the other thread I posted a screenshot of the error.

    This is all I see in AppGuard right now, but before I rebooted there was more.
    I followed instructions on their site and added it as a guarded app. They said not to add to User Space.
     


  13. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    Add C:\Sandbox to the User Space list and set it to (NO).

    After that ignore any Activity Report block events unless something is obviously broken.
     
  14. guest

    guest Guest

    With each major release files get updated, and with a lot of vulnerable applications (ERP) the user has to update them accordingly.
    I'm not affected, but @paulderdash is.
     
  15. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    There's a setting for that in NVT ERP "Purge old hashes..." or something to that effect. It's been explained at least 10 times how to avoid the hash change issues. It's only an issue if the settings aren't adjusted properly.

    I've used it across multiple Windows 10 cumulative and upgrade updates. With the proper settings, each time after a file hash change, ERP will generate a "File has changed" alert - without any need to rebuild the Vulnerable Process list. The user just has to choose to keep the rule.
     
  16. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,453
    Location:
    .
     
  17. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,639
    Location:
    Under a bushel ...
    It happens with major Win 10 upgrades only.
    I have the 'Purge old hashes when a process is whitelisted / blacklisted' checked.
    I also applied other settings as suggested at the time, but did not get the desired 'File has changed' result.
    Maybe you can list the exact settings required an eleventh time :( in the ERP thread if I post a link to this post there?
    I still have a full vulnerable process list in ERP, it is just they do not generate alerts because the hashes still pertain to the previous Win 10 version (except for the default ERP vulnerable processes now).
    On the other hand, a new ERP version is forthcoming.
    Apologies, enough OT here.
     
    Last edited: Feb 19, 2017
  18. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    You really should shoot Andreas a bug report.
     
  19. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    Still get a DLL block. Ignore?
     


  20. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    Anything obviously broken? Something not functioning as expected? Any error messages?

    AppGuard is not blocking the Shell.dll, but instead it is blocking something from writing to Shell.dll.

    If Shell.dll were blocked itself, the Activity Report would say "AppGuard prevented Shell.dll..."
     
    Last edited: Feb 19, 2017
  21. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    Then either I am infected with something unknown or Sandboxie just can't work on my system. Tried installing it three times with no security software involved.
    Since other users here use AppGuard with no problems, I give up. Not messing with Sandboxie anymore.
     
  22. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    Did you also make C:\Sandbox an Exception folder and set it to Read\Write?

    Guarded Apps tab > Settings > Add C:\Sandbox > set it to Read\Write
     
  23. guest

    guest Guest

    If I want to exclude a program/executable, is it better practise to add to Guarded Apps+Exclude or User Space+Exception?
     
  24. guest

    guest Guest

    You have to do the above mentioned step.
    Optional:
     
  25. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    Exclude is to allow if something is blocked by adding to User Space list.

    Guarded is protection applied.

    Exception is to allow read\writes.

    User Space list is to allow or block by adding processes to User Space list.

    There is no one set formula; it varies with the circumstances, mode of operation, etc.
     