AppGuard 4.x 32/64 Bit - Releases

Discussion in 'other anti-malware software' started by Jryder54, Oct 29, 2013.

Thread Status:
Not open for further replies.
  1. FleischmannTV

    FleischmannTV Registered Member

    It would be much easier to help you if you posted the activity report of when you tried to start The Bat.
     
  2. siketa

    siketa Registered Member

    Has anyone experienced wrong number of recorded events in activity log?
     
  3. Barb_C

    Barb_C Developer

    When you say "wrong number of events", in what way? Cutting_edge just reported a bug where if you do a "save as" on the activity log, only 1/2 of the events are saved. This was a bug introduced with the Unicode support. It will be fixed in 4.1.

    If that's not the bug that you're reporting, please provide more details. Remember, not all events are reported to the Activity Log. That will depend on your Alerts settings.
     
  4. Barb_C

    Barb_C Developer

    Children of powerapp should also be powerapps. I think there is a known issue that this feature is not working when the child is located in user-space. I'll check the status of this bug and hopefully the fix will be included in 4.1.

    Also, there is a feature in 4.1 that might solve this problem (if we are unable to fix the power app child bug in time for the release). You can set a trusted publisher so that when something from the trusted publisher is executed, AppGuard will automatically go into the Install Protection level. Another feature that might help (but we haven't quite decided if this will go back into the release) is the publisher inheritance mode, where an unsigned application will inherit the policy from the trusted publisher settings if it is launched by a trusted publisher.
     
  5. Barb_C

    Barb_C Developer

    We definitely want to avoid confusion and any suggestions on how we can do that are extremely welcome.
     
  6. trott3r

    trott3r Registered Member

    Yes, adding thebat.exe to power apps did allow the application to work.

    I will try that later when I get back to that computer.
     
  7. trott3r

    trott3r Registered Member

    Nothing comes up in the activity report; it is blank.

    Just medium protection from when AppGuard is launched at boot up.
     
  8. siketa

    siketa Registered Member

    Thanks, Barb! AG is at default settings.
    For example, it says that it stopped 24 suspicious activities and down under, in the log, there are only 8 entries.
     
  9. pegr

    pegr Registered Member

    The fundamental problem is the way the GUI is organised, which is something we've discussed previously by PM. The way System-Space and User-Space are currently represented within the GUI needs to be simplified and made more transparent in terms of folder access and launch permissions.

    I've sent you a PM to remind you of what we discussed previously where you agreed and said that you would be looking at addressing this in 4.1.
     
  10. trott3r

    trott3r Registered Member

    I tried adding the folder and granting read/write and it still didn't work.
    Nothing in activity report either. :(
     
  11. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    I believe this would resolve the issue I have with Boleh VPN, but I'm not sure how safe adding this type of policy would be. Boleh works just fine by excluding the installation folder from the User-space. Does anyone have any thoughts on which method would be safer? Allowing a Trusted Publisher to launch an unsigned application, or just excluding an installation folder from the User-space? I think excluding an installation folder from the User-space may be safer.

    Barb, I have a question about this policy. In medium level protection will the unsigned application launched by an application on the Trusted Publisher's list be allowed to spawn new processes? If the unsigned application is inheriting all the permissions of the signed application on the Trusted Publisher's list it can do a lot of damage. Adobe and Java applications are constantly being exploited. If the unsigned application launched by a Trusted Publisher is allowed to spawn new processes then it's game over because it will allow the infection to spread throughout the system.
     
  12. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Making a mail client a Power App is dangerous so it will be nice to see what Barb recommends here. Maybe there is a bug that you can help them sort out. I definitely would not want to make any Web application a Power App!
     
  13. trott3r

    trott3r Registered Member

    I agree it's the sort of app that you don't want as a power app.

    Thankfully my main email client Eudora works fine on M:
     
  14. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Just, please make sure that is optional. I would feel much safer with that feature disabled. That definitely should be a feature aimed at making things easier for novice users. :)
     
  15. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Is M:\ a network drive, or a local storage device?
     
  16. pegr

    pegr Registered Member

    As all drives other than the system drive (usually the C: drive) are in User-Space, I doubt if AppGuard distinguishes between network drives and non-system local storage drives operationally.
     
  17. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    I would suggest excluding the Thebat folder from the User-space. Have you tried that Trott3r? I have already used this method for a few applications in the past that would not work any other way. I'm sure it's much safer than making any Web application a Power App. If you did download an infection AG should keep the infection restricted to the Thebat folder so the infection should not be able to do any damage. I don't think the infected file would be able to break out of the Thebat folder to spread to the rest of the system. I'm sure there's always a chance some really cleverly designed malware can, but I'm sure it is much safer than making it a Power App.

    You can go to the User-space tab, and click the Add Button. Then navigate to the folder, and select it. Then choose "No" for the include field. If it's on a Network drive you may have to manually type in the application path. I have never had to add a remote network folder so I'm not sure. I would do this until BRN finds a better way of doing it.

    What do you think Pegr? Will excluding the folder from the User-space allow an infection to spawn a process, or invoke an application outside the excluded folder?
     
  18. trott3r

    trott3r Registered Member

    Hmm, didn't realise the forum was moving to a new server.

    M: is a fixed drive on a hard disk.
     
  19. trott3r

    trott3r Registered Member

    Added it to user space and set include to no.

    Still immediate exit from thebat and also nothing in the event log :(
     
  20. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Sounds like a bug to me if it's not logging anything in the activity log. I discovered a bug where AG only exports about half the events from the activity log when right clicking in the activity report, and choosing to save it. If AG is blocking something, and not recording the event at all then that is something that would definitely need to be fixed. I just discovered the export bug 2 days ago. I think it will be fixed in the next release.
     
  21. pegr

    pegr Registered Member

    I've installed The Bat! on an alternate partition and got it to work. I don't know exactly what problem it is that you are having but I would in any case suggest the following general procedure with additional partitions used as an extension of the system drive to install and run programs.

    1. By default, additional partitions are in user-space. Start by moving any program folders to system-space. (If the entire partition is used as an extension of the system drive, the partition root directory can be moved to system-space.) Moving a folder from user-space to system-space is a two-step procedure, outlined in section 2.3 in the following link: https://www.wilderssecurity.com/showpost.php?p=2298875&postcount=5

    2. Having moved the program folders to system-space, any sub-folders and files that contain application data must be moved back to user-space. (Sub-folders and files inherit the permissions of the parent folder.) In your case, this will depend on where the application data folder for The Bat! is located (it may already be in user-space). Moving a folder from system-space to user-space is also a two-step procedure, outlined in section 2.2 of the link above.

    3. The program folders on the additional partition are now in system-space, so add any programs that need guarding, e.g. The Bat!, to the Guarded Apps list.

    The additional partition has now been configured as an extension to the system drive operationally, which should work. Following this procedure also ensures that AppGuard's drive-by download protection model is enforced and that no security holes are opened up through customization.

    I don't know if you've already tried all of this; if not it might be worth a try.
     
  22. puff-m-d

    puff-m-d Registered Member

    Hello,

    Sounds like a great beta coming up... Eagerly awaiting news of its release!
     
  23. jmonge

    jmonge Registered Member

    Now this is good news :):thumb:
     
  24. Barb_C

    Barb_C Developer

    AppGuard will suppress the reporting of identical events within a few minutes of each other, but they are still counted in the suspicious activities count.
     
  25. Barb_C

    Barb_C Developer

    Haven't read the PM yet (usually when I bring up the site, I'm notified that I have a PM and I haven't been in a while - I just noticed that I have 5). I'll be getting to those between meetings this afternoon.

    Anyway, I'm looking forward to reviewing your suggestions (again) to provide status on where we are with them wrt the 4.1 release.
     