AppGuard 4.x 32/64 Bit - Releases

Discussion in 'other anti-malware software' started by Jryder54, Oct 29, 2013.

Thread Status:
Not open for further replies.
  1. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    That's why I asked... I knew it.

    Last time I used pCloud Drive it was flaky. In fact, it wouldn't work so I uninstalled it in less than 5 minutes of attempting to use it.
     
  2. guest

    guest Guest

    @Lockdown i knew you knew , it is why i waited the answer impatiently :D
     
  3. artoor

    artoor Registered Member

    Joined:
    Oct 13, 2012
    Posts:
    113
    Location:
    Poland
    In fact when installed pCloud at work I had to confirm that some driver is going to be installed... don't remember its name - it consisted of some lowercase and uppercase mixed up but I don't think it's relevant now ;)
     
  4. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,062
    Location:
    .
    So,.... C:\ProgramData and C:\Users\user\AppData are deemed User Space ?
    I figured all C:\* was System Space and Desktop, Documents, Downloads, Pictures, etc was User Space.
     
    Last edited: Mar 12, 2017
  5. guest

    guest Guest

    yes, because those are classic target of malware.

    "C:\Users" is User Space; only "C:\Users\Public" and "C:\Users\All Users" are System Space.

    All is explained in the help file.
     
  6. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    41,700
    System Space = the whole System partition (C:\*) except the following folders (+subfolders):
    C:\ProgramData
    C:\Users\<currently logged in user>
    C:\$Recycle.bin​
    All other partitions or removable drives are User Space by default.

    The default Rules after installing AG (the above mentioned folders can be seen here):
    AG_default_4.4.4.1_.png
     
  7. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,062
    Location:
    .
    I read except user profiles as C:\Users\user\AppData
    I read except Program Datas as C:\ProgramData
    -----------------------------------------
    Yes, I've read User Guide
    So, System Space is generally C:\* and User Space is generally not C:\* plus
    ProgramData and AppData.
     
    Last edited: Mar 12, 2017
  8. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    @artoor

    Would you please provide me with a link to the pCloud Drive\App that you have installed on your system ?
     
  9. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    He is referencing the single easiest means for a user to know what is included in User Space by default - the default portion of the User Space list.

    Study the User Space list. Study the Guarded Apps list. Study the Trusted Publishers List. Study the Exceptions Folder list. Read the Help file.

    It's all there...
     
  10. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,027
    Location:
    Mexico
    In Locked Down mode:

    Code:
    03/12/17 23:07:40 Prevented process <Google Chrome> from writing to <c:\windows\rescache\rc0003\rescache.hit>.
    03/12/17 20:36:45 Prevented <BitTorrent> from writing to <\registry\user\s-1-5-21-2268778702-717846570-3389315102-1001\software\microsoft\windows\currentversion\run>.
    03/12/17 20:35:07 Prevented <BitTorrent> from writing to <\registry\user\s-1-5-21-2268778702-717846570-3389315102-1001\software\microsoft\windows\currentversion\run>.
    03/12/17 19:03:47 Prevented process <Console Window Host> from writing to <c:\windows\rescache\rc0003\rescache.hit>.
    03/12/17 19:02:06 Prevented process <Console Window Host> from writing to <c:\windows\rescache\rc0003\rescache.hit>.
    03/12/17 17:48:57 Prevented process <Console Window Host> from writing to <c:\windows\rescache\rc0003\rescache.hit>.
    03/12/17 17:46:55 Prevented process <Console Window Host> from writing to <c:\windows\rescache\rc0003\rescache.hit>.
    03/12/17 17:21:27 Prevented <BitTorrent> from writing to <\registry\user\s-1-5-21-2268778702-717846570-3389315102-1001\software\microsoft\windows\currentversion\run>.
    03/12/17 17:19:51 Prevented <BitTorrent> from writing to <\registry\user\s-1-5-21-2268778702-717846570-3389315102-1001\software\microsoft\windows\currentversion\run>.
    03/12/17 15:43:31 Prevented process <Console Window Host> from writing to <c:\windows\rescache\rc0003\rescache.hit>.
    03/12/17 15:41:40 Prevented process <Console Window Host> from writing to <c:\windows\rescache\rc0003\rescache.hit>.
    03/12/17 13:38:05 Prevented process <Console Window Host> from writing to <c:\windows\rescache\rc0003\rescache.hit>.
    03/12/17 13:36:25 Prevented process <Console Window Host> from writing to <c:\windows\rescache\rc0003\rescache.hit>.
    03/12/17 13:35:20 Prevented process <Google Chrome> from writing to <c:\windows\rescache\rc0003\rescache.hit>.
    03/12/17 13:34:14 Prevented process <Google Chrome> from writing to <c:\windows\rescache\rc0003\rescache.hit>.
    03/12/17 13:33:24 Prevented process <Google Chrome> from writing to <c:\windows\rescache\rc0003\rescache.hit>.
    03/12/17 13:33:08 Prevented process <Google Chrome> from writing to <c:\windows\rescache\rc0003\rescache.hit>.
    03/12/17 13:32:38 Prevented process <Google Chrome> from writing to <c:\windows\rescache\rc0003\rescache.hit>.
    03/12/17 13:32:29 Prevented process <Google Chrome> from writing to <c:\windows\rescache\rc0003\rescache.hit>.
    03/12/17 13:31:07 Prevented process <Google Chrome> from writing to <c:\windows\rescache\rc0003\rescache.hit>.
    03/12/17 11:38:21 Protection level is set to <locked down>.
    03/12/17 11:37:25 Protection level is set to <off>.
    03/12/17 11:32:38 Prevented process <Google Chrome> from writing to <c:\windows\rescache\rc0003\rescache.hit>.
    03/12/17 11:32:38 Prevented process <Google Chrome> from writing to <c:\windows\rescache\rc0003\rescache.hit>.
    03/12/17 11:30:59 Prevented process <Google Chrome> from writing to <c:\windows\rescache\rc0003\rescache.hit>.
    03/12/17 11:30:59 Prevented process <Google Chrome> from writing to <c:\windows\rescache\rc0003\rescache.hit>.
    03/12/17 11:30:55 Prevented process <Google Chrome> from writing to <c:\windows\rescache\rc0003\rescache.hit>.
    03/12/17 11:30:52 Prevented process <Google Chrome> from writing to <c:\windows\rescache\rc0003\rescache.hit>.
    03/12/17 11:29:03 Prevented process <Google Chrome> from writing to <c:\windows\rescache\rc0003\rescache.hit>.
    03/12/17 11:28:58 Prevented process <Google Chrome> from writing to <c:\windows\rescache\rc0003\rescache.hit>.
    03/12/17 11:28:47 Prevented process <Google Chrome> from writing to <c:\windows\rescache\rc0003\rescache.hit>.
    03/12/17 11:28:47 Prevented process <Google Chrome> from writing to <c:\windows\rescache\rc0003\rescache.hit>.
    03/12/17 11:26:50 Prevented process <Google Chrome> from writing to <c:\windows\rescache\rc0003\rescache.hit>.
    03/12/17 11:26:45 Prevented process <Google Chrome> from writing to <c:\windows\rescache\rc0003\rescache.hit>.
    03/12/17 10:33:13 Prevented process <Windows host process (Rundll32)> from writing to <c:\bootsqm.dat>.
    03/12/17 10:31:36 Prevented process <Windows host process (Rundll32)> from writing to <c:\bootsqm.dat>.
    03/12/17 10:27:43 Prevented process <Google Chrome> from writing to <c:\windows\rescache\rc0003\rescache.hit>.
    03/12/17 10:25:59 Prevented process <Google Chrome> from writing to <c:\windows\rescache\rc0003\rescache.hit>.
    03/12/17 10:25:55 Prevented process <Google Chrome> from writing to <c:\windows\rescache\rc0003\rescache.hit>.
    
     
  11. XhenEd

    XhenEd Registered Member

    Joined:
    Mar 31, 2014
    Posts:
    536
    Location:
    Philippines
    I think those are not what @Lockdown was trying to ask. All of those are normal block events, to me.
     
  12. artoor

    artoor Registered Member

    Joined:
    Oct 13, 2012
    Posts:
    113
    Location:
    Poland
  13. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    41,700
    I don't have the c:\windows\rescache directory anymore but i had these "rescache.hit"-events too.
    If nothings seems to be broken, you can just ignore these "rescache.hit"-events.

    I guess Chrome is not the only application, which want to write to this directory. While adding it to "Ignored Messages", you can enter * in Field 1, so this event is ignored for all applications.
     
  14. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    Those are expected block events. I am looking for block events to ProgramData and other User Space directories.
     
  15. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
  16. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    @artoor

    I am going by your original post:

    The point is just after I have installed and configured pCloud app, restarting my laptop I got information from AG, saying:

    "There was an error when applying AppGuard policy and you may not be fully protected. Remove recently added policy and try again. If the problem persists, restore AppGuard settings to default on the advanced tab."

    I assume you have:

    A. Lowered AppGuard protections to either "Allow Installs" or "OFF"
    B. What did you do with "Resume previous protection level after 20 minutes" - did you keep it enabled or disabled ?

    * * * * *

    1. You install pCloud Drive
    2. After the pCloud Drive installer finished, you launched pCould Drive program
    3. You created a pCloud Drive account or log in to your existing pCloud Drive account
    4. You configure pCloud Drive from within the program windows
    5. Then you reboot\restart your system

    During system startup, you get the error message as shows above.

    Is all of the above correct ?

    * * * * *

    What is the manufacturer of the systems on which this issue occurs ?

    What partition style are you using on each system - MBR or GPT ?

    Do you have any user-created non-system (data) partitions on your system ?
     
    Last edited: Mar 13, 2017
  17. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    Had a strange experience this morning while viewing a Oscars page. I had been scrolling for a few min and my monitor went black and the swirling blue circle appeared for a short while. I thought my computer had rebooted and looked over at the power LED. My monitor then came back up and shortly after that I got a Appguard popup warning. This is something I have not seen before while using Appguard. Take a look at the screen shot.
    here is the website I was on, not that it matters. I might have just been my system too.

    http://www.upi.com/Entertainment_News/Photos/On-the-red-carpet-at-the-89th-Academy-Awards/fp/10929/?spt=rel_sp&cnt=1&or=tn_wn
     

    Attached Files:

  18. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    41,700
    I guess AG was not the culprit of the black screen, but your graphics driver. For whatever reason the screen went black, your graphics driver re-initialized itself and wanted to change some settings in the registry (reg.exe) which was prevented from AG:
    Prevented process <reg.exe | c:\windows\system32\cmd.exe> from launching from <c:\windows\system32\>.
     
  19. Roberteyewhy

    Roberteyewhy Registered Member

    Joined:
    Mar 4, 2007
    Posts:
    593
    Location:
    US
    Hey. What are you guys adding in 'User Space' as a safe Windows executable. I only have cleanmgr.exe (No) so far (System Restore, Disk Optimizer and Defrag, etc). Or, none needed as they will all complete their task without intervention by AppGuard.

    Thanks,
    Robert

    P.S. Whoa, just noticed that I have been a member of this board for 10yrs. It's been a pleasure and an honor!
     
    Last edited: Mar 14, 2017
  20. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    reg.exe is a command line registry utility. It is blocked by default AppGuard policy. You can see this by looking in the User Space list.

    Without knowing what else executed on your system - before and after the reg.exe block - it is impossible to know what happened and if reg.exe played a part in it.
     
  21. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    Lockdown

    Yes I knew about the default policy. All I know is I was only using Chrome to surf the web. Don't have any new software install and have never seen it happen with my current installed software. Whatever it was that tried use that command, I have no idea.
     
  22. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    You have blocked cleanmgr.exe ?

    You added cleanmgr.exe to User Space (NO) ?

    You have blocked System Restore, Disk Optimizer and Defrag, etc ?

    You have added the above to User Space (NO) ?
     
  23. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    This is why I recommend a software that captures command lines as part of its normal operation on the system. Having a record of command lines is helpful for trouble-shooting in case of problems and forensics in case of infection. The overhead for capturing command lines is next to nothing and the benefits are huge.
     
  24. Roberteyewhy

    Roberteyewhy Registered Member

    Joined:
    Mar 4, 2007
    Posts:
    593
    Location:
    US
    I have not added anything with a (NO) except cleanmgr.exe. Everything else I have added are (YES).

    Robert
     
  25. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    Why would you block cleanmgr.exe ?
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.