AppGuard 4.x 32/64 Bit - Releases

Discussion in 'other anti-malware software' started by Jryder54, Oct 29, 2013.

Thread Status:
Not open for further replies.
  1. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,287
    I would like to publicly thank Lockdown for his tremendous effort on my behalf. We essentially beat Napster, and that was no mean feat. Jeff many thanks.
     
  2. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    You are welcome. I just want to make sure that the fixes are persistent. Have to wait for a Napster update...
     
  3. XhenEd

    XhenEd Registered Member

    Joined:
    Mar 31, 2014
    Posts:
    536
    Location:
    Philippines
    I'm not sure what happened, but I don't see "Video" anymore in the Guarded Apps list. If I try to add the path, AppGuard says that "Path does not exist".

    Another thing, I actually wanted Windows Mail, but I think its .exe is hxmail.exe.

    Also, what other Windows Apps need to be Guarded?


    Edit: I already added hxmail.exe to Guarded Apps, as well as hxtsr.exe. Their names are Microsoft Outlook Mail and Microsoft Outlook Communications, respectively. :)
     
    Last edited: Feb 23, 2017
  4. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    14,782
    It seems that the WindowsApp was updated, so the path has changed and it is not shown anymore in the Guarded Apps list.
    You have to add it again, but with the new, existing path to the file.
     
  5. XhenEd

    XhenEd Registered Member

    Joined:
    Mar 31, 2014
    Posts:
    536
    Location:
    Philippines
    That's what I have in mind, too. :) Thanks!
     
  6. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    The behavior you are describing happens when a program is uninstalled during an update. For example, updates of Kingsoft WPS will remove the current installation for the user and then re-install the programs. When that happens, the programs are dropped from the Guarded Apps list and are not automatically re-added; they have to be added again by the user manually.

    I am not sure if Windows Apps does the same type of update procedure as Kingsoft WPS. I suspect that the versioning portion of the file path changed when the Video.UI.exe was updated, but I'd like to confirm from your system.

    Would you please post what the new file path for Video.UI.exe is on your system? Below is from my system:

    Old path: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.10221.0_x64__8wekyb3d8bbwe\Video.UI.exe

    New path: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16122.10291.0_x64__8wekyb3d8bbwe\Video.UI.exe
     
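The stale-path problem described in this post, worked through as an added example (this is not code from the thread or from AppGuard): a package update replaces the versioned folder under C:\Program Files\WindowsApps, so a Guarded Apps entry that names the old folder points at nothing. The script below takes a hand-kept list of Guarded Apps paths, reports which ones no longer exist, and for WindowsApps entries resolves the package's current install location through Get-AppxPackage so the entry can be re-added. The sample list holds only the old Video.UI.exe path quoted above; the Ok/Moved/Missing status names are this example's own.

```powershell
# Added example, not part of the thread and not AppGuard's own tooling.
# Checks a hand-kept list of Guarded Apps paths that live under
# C:\Program Files\WindowsApps and, where a package update has replaced the
# versioned folder, resolves the package's current install location with
# Get-AppxPackage so the entry can be re-added with a path that exists.

# A WindowsApps package folder is named Name_Version_Arch__PublisherId.
$PackageFolderPattern = '^(?<Name>[^_]+)_(?<Version>[0-9.]+)_(?<Arch>[^_]+)__(?<PublisherId>[0-9a-z]+)$'

function Get-GuardedPathStatus {
    param([Parameter(Mandatory)][string]$GuardedPath)

    $result = [pscustomobject]@{
        GuardedPath = $GuardedPath
        Status      = 'Ok'        # Ok | Moved | Missing (names chosen for this example)
        CurrentPath = $GuardedPath
    }
    if (Test-Path -LiteralPath $GuardedPath) { return $result }

    $folder = Split-Path (Split-Path $GuardedPath -Parent) -Leaf   # package full name
    $exe    = Split-Path $GuardedPath -Leaf
    if (-not ($folder -match $PackageFolderPattern)) {
        $result.Status = 'Missing'        # not a WindowsApps layout, nothing to resolve
        $result.CurrentPath = $null
        return $result
    }
    $name = $Matches.Name; $arch = $Matches.Arch; $publisher = $Matches.PublisherId

    # An update changes the version segment only; name, architecture and
    # publisher id identify the same package in the current user's inventory.
    $pkg = Get-AppxPackage -Name $name |
        Where-Object { $_.PublisherId -eq $publisher -and "$($_.Architecture)" -eq $arch } |
        Select-Object -First 1
    if (-not $pkg) {
        $result.Status = 'Missing'        # package no longer installed for this user
        $result.CurrentPath = $null
        return $result
    }

    $candidate = Join-Path $pkg.InstallLocation $exe
    if (Test-Path -LiteralPath $candidate) {
        $result.Status = 'Moved'          # re-add this path to Guarded Apps
        $result.CurrentPath = $candidate
    } else {
        $result.Status = 'Missing'        # package present but the exe name changed
        $result.CurrentPath = $null
    }
    return $result
}

# Constructed sample list: the entry is the old Video.UI.exe path quoted above.
# Replace it with the entries from your own Guarded Apps list.
$GuardedPaths = @(
    'C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.10221.0_x64__8wekyb3d8bbwe\Video.UI.exe'
)
$GuardedPaths | ForEach-Object { Get-GuardedPathStatus -GuardedPath $_ } | Format-Table -AutoSize
```

Run it as the user who has the package installed: Get-AppxPackage without -AllUsers lists only the current user's packages, and the WindowsApps folder ACL only grants access to package folders that user has. A 'Moved' row gives the path to paste into Guarded Apps; 'Missing' means the package or executable is gone and the entry can be dropped.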
  7. XhenEd

    XhenEd Registered Member

    Joined:
    Mar 31, 2014
    Posts:
    536
    Location:
    Philippines
    The same path as your "new path".

    What Windows App is Video.UI.exe, by the way? :)
    Edit: Never mind. I just found out that it's the Movies and TV App. :D
     
  8. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    I will try to find a workaround.
     
  9. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    3,502
    Location:
    Under a bushel ...
    Through UltraSearch:
    Mine is: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.17012.10301.0_x64__8wekyb3d8bbwe\Video.UI.exe

    I also have this: C:\Windows\InfusedApps\Packages\Microsoft.ZuneVideo_3.6.19281.0_x64__8wekyb3d8bbwe\Video.UI.exe? Wonder what that is.
     
  10. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    14,782
    The package in C:\Windows\InfusedApps\Microsoft.ZuneVideo... seems to be a backup of the package in C:\Program Files\WindowsApps\Microsoft.ZuneVideo...
     
  11. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,287
    Hey Jeff

    A video Napster :)
     
  12. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    If someone is using Google Enterprise\Business Chrome, would you please post any blocks of msiexec.exe <Windows Installer> from accessing (reading) C:\Program Files (x86)\Google\Update\1.3.32.7\GoogleUpdateHelper.msi?

    Also, anyone seeing any blocked WRITES to C:\ProgramData by a Guarded App?

    Seeing any blocks of Guarded Apps attempting to do anything in User Space?

    If yes, please post the block event here.
     
  13. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,287
    Any thoughts about protecting .NET exes?
     
  14. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    I disable all the .NET Framework processes on Florian's\Excubits list except:

    csc.exe - used by Windows maintenance and network troubleshooter
    dfshim.dll - used by Napster\Rhapsody

    I have seen DFSvc.exe used only a single time: on the notepad xml website, where there is a ClickOnce download link. But I don't use that one; I use the regular direct download link at the bottom of the page.

    The only time I've ever seen vbc.exe, jsc.exe and RegAsm.exe executed is by malware during testing.

    Alternatively, you can add them to the Guard list.

    It's sort of tinkering with processes to find which ones you need on your system - and, for the most part, everyone might have a single process or two difference between their system and everyone else's

    It depends upon which softs you have installed. So I disable them. Look for any block events. If I see that I need a process on a regular basis, then I will allow it. If I see that I need it only once in a great while, then I keep it disabled and do the on-demand enable thing.

    Different strategies...
     
  15. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,287
    Thanks Jeff
     
  16. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    Currently I am testing Enterprise with csc.exe, eventvwr.exe, and mmc.exe as Guarded Apps.

    csc.exe as a Guarded App might not be a problem.

    I don't think eventvwr.exe and mmc.exe should be disabled - at least not by those who use them on any kind of basis - as both are particularly useful built-in Windows utilities. If a user rarely - if ever - utilizes either one, then it is their choice to disable them.

    As to whether or not either or both should be made Guarded Apps remains to be seen. mmc.exe as a Guarded App might cause problems for some Trusted Publisher updates due to blocked writes to all the mmc.exe snap-ins like TaskScheduler, EventViewer, Services, ComputerManagement, etc.

    Here's an example:

    DateTime Facility Severity Type Message
    03/03/2017 21:15:40 03/03/2017 21:15:40 CORE 3 Info CORE. AppGuard prevented process <C:\Windows\system32\mmc.exe> from writing to <c:\windows\system32\taskschd.msc>.

    For a final determination, it is going to take extended testing.

    The threats to eventvwr.exe and mmc.exe are essentially nil if AppGuard protections are enabled and the user isn't launching unknown\untrusted files willy-nilly.

    And worrying about some exploit that could abuse either one is a waste of personal resources.
     
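The Activity Report line quoted in this post, and the earlier request for any blocked writes to C:\ProgramData or into User Space by a Guarded App, are the basis for the following added example (not code from the thread or from AppGuard). It parses lines of the shape shown, pulls out the blocked process, the action and the target, and tags each block by where the target lives so the two requested cases can be filtered out. The message wording is assumed from the single line on the page, so other AppGuard event types may not match; the two extra log lines are constructed for the example and are not real events.

```powershell
# Added example, not from the thread or from AppGuard. Parses AppGuard Activity
# Report lines of the shape quoted above and tags each block by target location.
# Assumption: the "prevented process <X> from <action> <Y>" wording is taken from
# the one line shown; other event types may need their own pattern.

$BlockPattern = '^(?<Time>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}).*AppGuard prevented process <(?<Process>[^>]+)> from (?<Action>.+?) <(?<Target>[^>]+)>'

function Get-TargetZone {
    param([string]$Path)
    # Zone names are this example's own; switch -Regex is case-insensitive,
    # which matters because the log lower-cases some paths.
    switch -Regex ($Path) {
        '^[a-z]:\\ProgramData\\'              { return 'ProgramData' }
        '^[a-z]:\\Users\\'                    { return 'UserSpace' }
        '^[a-z]:\\Windows\\'                  { return 'Windows' }
        '^[a-z]:\\Program Files( \(x86\))?\\' { return 'ProgramFiles' }
        default                               { return 'Other' }
    }
}

function ConvertFrom-AppGuardBlock {
    param([Parameter(ValueFromPipeline)][string]$Line)
    process {
        if ($Line -match $BlockPattern) {
            [pscustomobject]@{
                Time    = $Matches.Time          # kept as text; day/month order is not known
                Process = $Matches.Process
                Action  = $Matches.Action
                Target  = $Matches.Target
                Zone    = Get-TargetZone $Matches.Target
            }
        }
    }
}

# Sample input: the first block line is the one quoted in the thread; the other
# two are constructed to show a ProgramData write and a user-space write.
$SampleLog = @'
DateTime Facility Severity Type Message
03/03/2017 21:15:40 03/03/2017 21:15:40 CORE 3 Info CORE. AppGuard prevented process <C:\Windows\system32\mmc.exe> from writing to <c:\windows\system32\taskschd.msc>.
03/04/2017 09:12:01 03/04/2017 09:12:01 CORE 3 Info CORE. AppGuard prevented process <C:\Program Files\Example\guarded.exe> from writing to <C:\ProgramData\Example\settings.dat>.
03/04/2017 09:12:05 03/04/2017 09:12:05 CORE 3 Info CORE. AppGuard prevented process <C:\Program Files\Example\guarded.exe> from writing to <C:\Users\alice\AppData\Roaming\Example\cache.bin>.
'@ -split "`r?`n"

$blocks = $SampleLog | ConvertFrom-AppGuardBlock
$blocks | Format-Table Time, Zone, Process, Action, Target -AutoSize

# The two cases asked about in the thread:
$blocks | Where-Object { $_.Zone -eq 'ProgramData' -and $_.Action -eq 'writing to' }
$blocks | Where-Object { $_.Zone -eq 'UserSpace' }
```

To run it over a real report, replace $SampleLog with Get-Content on the exported log file (the file name and location are whatever AppGuard's export produced on your system; none is assumed here). The mmc.exe line from the post lands in the Windows zone, which is exactly the snap-in write the post describes rather than one of the two cases being collected.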
  17. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,287
    Again Jeff thanks. I disabled eventvwr and haven't seen any ill effects.
     
  18. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    14,782
    Yes, should be no problem to block it. Only if you want to look at your event logs do you have to enable it.
     
  19. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    3,502
    Location:
    Under a bushel ...
    Thanks for that insight Jeff.
    Currently I have these three disabled, but I had noticed the mmc.exe block when checking services.msc. So may re-enable mmc.exe and eventvwr.exe ...
    Didn't know about csc.exe and Windows maintenance, maybe will try guarding it.

    One block I do get is bytecodegenerator.exe. I think it's some Lenovo utility, not sure which one.

    Edit: Guarded csc.exe. Due to no wildcard, 6 entries for 'Visual C# Command Line Compiler' ...
     
    Last edited: Mar 4, 2017
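Two posts above Lockdown lists the .NET Framework build tools he disables (csc.exe, vbc.exe, jsc.exe, RegAsm.exe, DFSvc.exe), and the edit just above notes that guarding csc.exe took six entries because there is no wildcard: each Framework and Framework64 version directory carries its own copy. The added example below (not from the thread, from AppGuard or from Excubits) enumerates every copy of those tools present on the machine, with the file description shown in Guarded Apps, so each literal path can be added or checked off. The tool names are those mentioned in the thread; add others as needed.

```powershell
# Added example, not from the thread or from AppGuard/Excubits. Lists every copy
# of the named .NET Framework tools across the per-version directories, since
# AppGuard's Guarded Apps list takes literal paths and each version has its own.

$FrameworkRoots = @("$env:windir\Microsoft.NET\Framework", "$env:windir\Microsoft.NET\Framework64")
# Names taken from the discussion above; extend the list for your own system.
$ToolNames = 'csc.exe', 'vbc.exe', 'jsc.exe', 'RegAsm.exe', 'dfsvc.exe'

function Get-DotNetToolCopies {
    param([string[]]$Roots = $FrameworkRoots, [string[]]$Names = $ToolNames)
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        $bitness = $(if ($root -like '*Framework64') { 'x64' } else { 'x86' })
        foreach ($versionDir in Get-ChildItem -LiteralPath $root -Directory -Filter 'v*') {
            foreach ($name in $Names) {
                $candidate = Join-Path $versionDir.FullName $name
                if (-not (Test-Path -LiteralPath $candidate)) { continue }
                $item = Get-Item -LiteralPath $candidate
                [pscustomobject]@{
                    Name        = $name
                    Bitness     = $bitness
                    Version     = $versionDir.Name
                    Description = $item.VersionInfo.FileDescription   # the name Guarded Apps shows
                    Signature   = (Get-AuthenticodeSignature -FilePath $candidate).Status
                    Path        = $candidate
                }
            }
        }
    }
}

$copies = Get-DotNetToolCopies
$copies | Sort-Object Name, Bitness, Version |
    Format-Table Name, Bitness, Version, Description, Signature, Path -AutoSize

# One Guarded Apps entry is needed per row; the count per tool is the number of
# entries to expect (six for csc.exe on a system with three framework versions
# in both Framework and Framework64).
$copies | Group-Object Name | Select-Object Name, Count
```

The same path list is what you would feed to a deny rule in a tool that does take wildcards; here it is simply the checklist for the literal entries AppGuard needs.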
  20. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    If it has been blocked, then how can you not know the parent? All you have to do is look at the Activity Report log.

    You use NVT ERP, right? So look in the execution log to see what is calling bytecodegenerator.exe... in other words, find bytecodegenerator's parent.

    You can also try Excubits cmdScanner to get a better idea if it is a task, run by a service, etc.

    bytecodegenerator.exe, I think, is used to generate runtime code for Java instead of compiling it. I'm not completely sure how it is used on Windows as I have never seen it used - ever.
     
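The parent-finding procedure suggested in this post, worked through as an added example (not code from the thread, from NVT ERP or from Excubits cmdScanner): a static search of scheduled tasks and services for the image name, which answers the "is it a task or run by a service" question, plus a process-start watcher for the case where the child exits before it can be inspected, since Win32_ProcessStartTrace events carry the parent's process id at creation time. The image name is the one discussed above; the function names are this example's own, and the watcher needs an elevated session.

```powershell
# Added example, not from the thread. Two ways to find what launches a binary
# that AppGuard only occasionally blocks: a static search of scheduled tasks and
# services for the image name, and a process-start watcher that records the
# parent at creation time, for a child that exits before it can be looked up.

function Find-StaticLauncher {
    param([Parameter(Mandatory)][string]$ImageName)

    # Scheduled tasks whose action executes the image.
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            if ($action.Execute -and $action.Execute -like "*$ImageName*") {
                [pscustomobject]@{
                    Source  = 'ScheduledTask'
                    Name    = "$($task.TaskPath)$($task.TaskName)"
                    Command = "$($action.Execute) $($action.Arguments)".Trim()
                }
            }
        }
    }
    # Services whose binary path names the image.
    foreach ($svc in Get-CimInstance Win32_Service) {
        if ($svc.PathName -like "*$ImageName*") {
            [pscustomobject]@{ Source = 'Service'; Name = $svc.Name; Command = $svc.PathName }
        }
    }
}

function Watch-ProcessParent {
    param([Parameter(Mandatory)][string]$ImageName, [int]$TimeoutSeconds = 600)
    # Needs an elevated session: Win32_ProcessStartTrace is a kernel trace class.
    # Each start event carries ParentProcessID, so the parent is known even if
    # the child lives only for milliseconds.
    $source = "watch-$ImageName"
    Register-CimIndicationEvent -ClassName Win32_ProcessStartTrace -SourceIdentifier $source
    try {
        $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
        while ((Get-Date) -lt $deadline) {
            $ev = Wait-Event -SourceIdentifier $source -Timeout 5
            if (-not $ev) { continue }
            Remove-Event -EventIdentifier $ev.EventIdentifier
            $start = $ev.SourceEventArgs.NewEvent
            if ($start.ProcessName -ne $ImageName) { continue }
            $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($start.ParentProcessID)"
            return [pscustomobject]@{
                Child             = $start.ProcessName
                ChildPid          = $start.ProcessID
                ParentPid         = $start.ParentProcessID
                Parent            = $parent.Name          # $null if the parent already exited
                ParentCommandLine = $parent.CommandLine
            }
        }
        Write-Warning "No start of $ImageName seen within $TimeoutSeconds seconds."
    } finally {
        Unregister-Event -SourceIdentifier $source
    }
}

Find-StaticLauncher -ImageName 'bytecodegenerator.exe' | Format-Table -AutoSize
# Start the watcher, then do whatever usually precedes the block:
# Watch-ProcessParent -ImageName 'bytecodegenerator.exe'
```

If the parent has already exited by the time the watcher looks it up, only its process id is returned; for that case a process-creation audit with parent image recorded (Sysmon event ID 1, or Windows security auditing with command-line logging) is the persistent alternative.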
  21. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    3,502
    Location:
    Under a bushel ...
    It only happens very occasionally. IIRC I did look at the Activity Log but didn't see a non-Windows parent ...
    Will check out NVT ERP next time also, didn't think of that.
    Will do more research next time it happens.
     
  22. Kid Shamrock

    Kid Shamrock Registered Member

    Joined:
    Apr 3, 2007
    Posts:
    229
    I just started using OpenVPN. There are several executable files associated with it (openssl.exe, openvpn.exe, openvpn-gui.exe, openvpnserv.exe, openvpnserv2.exe); which one should I set as a Guarded App?
     
  23. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    None
     
  24. Kid Shamrock

    Kid Shamrock Registered Member

    Joined:
    Apr 3, 2007
    Posts:
    229
    Ok, thanks.
     
  25. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    Guarded Apps = Untrusted Apps

    unGuarded Apps = Trusted Apps

    OpenVPN is trusted and not very often targeted to exploit any vulnerabilities.

    Browsers, PDF editors\readers, office suite programs, Java\JRE, Flash, etc... those are often targeted to exploit any vulnerabilities, so that is why they are added to Guarded Apps.

    Also, I have seen where adding a VPN or VPN-related process to Guarded Apps will completely break the VPN client or cause other unwanted malfunctions.
     