AppGuard 4.x 32/64 Bit - Releases

Discussion in 'other anti-malware software' started by Jryder54, Oct 29, 2013.

1. TomAZ (Registered Member)

There seems to be some question about Driver protection with AG, so I just installed NVT Driver Radar Pro to give it a try. Seems to be pretty light on resources and a nice little app. May just keep it.

2. Cutting_Edgetech (Registered Member)

I just wonder why something like Driver Radar Pro has not been integrated into a security product yet. Maybe it has, but I'm not aware of any product doing it. If you are going to monitor executables, dlls, scripts, etc., then why not monitor drivers? I guess most developers assume malicious drivers would be contained within a malicious executable which would be blocked.

3. FleischmannTV (Registered Member)

If I recall correctly, when you plug in a device Windows itself installs the driver. It is not installed from the device you plugged in. So of course AppGuard doesn't do anything here. If a driver installation originates from the device itself, AppGuard should block it.

Just to clarify things. As far as I know Driver Radar Pro is not needed to block driver installations because ERP already covers that, as does AppGuard. It is designed to notify the user in scenarios when the protection level is lowered. For example you want to launch or install a simple program, but it tries to install a kernel mode driver instead.

4. lucien_phoenix (Registered Member)

What the hell is AG doing? How do I get rid of these messages? Is AG blocking some important system operations? Here are the AG log on this event and screenshots of my AG; maybe there is something wrong, please have a look at this.

And sorry for the long Log.txt, I found no hide function here.
-----------------------------------------------------------------------------------------------------
05/10/14 18:47:59 Prevented <Firefox> from reading memory of <Adobe Flash Player 13.0 r0>.
05/10/14 18:47:59 Prevented <Firefox> from writing to memory of <Adobe Flash Player 13.0 r0>.
05/10/14 13:01:10 Prevented process <htmsw.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\programdata\installmate\{84481a87-2316-4923-8fab-3ba8ca29323d}\client\vintdev\bin>.
05/10/14 13:01:10 Prevented process <dfolder.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\programdata\installmate\{84481a87-2316-4923-8fab-3ba8ca29323d}\runimage\delphi40\bin>.
05/10/14 13:01:10 Prevented process <pic_eng.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\programdata\installmate\{84481a87-2316-4923-8fab-3ba8ca29323d}\pif\pic>.
05/10/14 13:01:10 Prevented process <point32.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\programdata\installmate\{84481a87-2316-4923-8fab-3ba8ca29323d}\setup\program>.
05/10/14 13:01:10 Prevented process <mswheel.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\programdata\installmate\{84481a87-2316-4923-8fab-3ba8ca29323d}\setup\program>.
05/10/14 13:01:10 Prevented process <msh_zwf.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\programdata\installmate\{84481a87-2316-4923-8fab-3ba8ca29323d}\setup\program>.
05/10/14 13:01:10 Prevented process <mspsec.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\programdata\installmate\{84481a87-2316-4923-8fab-3ba8ca29323d}\i386>.
05/10/14 13:01:10 Prevented process <asadmin.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\programdata\installmate\{84481a87-2316-4923-8fab-3ba8ca29323d}\program files\mmis>.
05/10/14 13:01:10 Prevented process <mny6stp.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\programdata\installmate\{84481a87-2316-4923-8fab-3ba8ca29323d}\setup>.
05/10/14 13:01:10 Prevented process <wnaspi32.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\programdata\installmate\{84481a87-2316-4923-8fab-3ba8ca29323d}\nerovision\nerofiles>.
05/10/14 13:01:10 Prevented process <ldvpdist.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\programdata\installmate\{84481a87-2316-4923-8fab-3ba8ca29323d}\rollout\avserver>.
05/10/14 13:01:10 Prevented process <dolntdrv.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\programdata\installmate\{84481a87-2316-4923-8fab-3ba8ca29323d}\snovant\core>.
05/10/14 13:01:10 Prevented process <dtspkg.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\programdata\x86\x86\binn>.
05/10/14 13:01:10 Prevented process <dtspkg.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\programdata\x86\binn>.
05/10/14 13:01:10 Prevented process <siwpca.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\programdata\installmate\{84481a87-2316-4923-8fab-3ba8ca29323d}\pcany32\disk1>.
05/10/14 13:01:10 Prevented process <rsl.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\programdata\installmate\{84481a87-2316-4923-8fab-3ba8ca29323d}\bin>.
05/10/14 13:01:10 Prevented process <version.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\programdata\installmate\{84481a87-2316-4923-8fab-3ba8ca29323d}\files\showcpyr>.
05/10/14 13:01:10 Prevented process <vtest60.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\programdata\installmate\{84481a87-2316-4923-8fab-3ba8ca29323d}\alpha build 1272a\old\vtest60.dll>.
05/10/14 13:01:10 Prevented process <iscustom.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\programdata\installmate\{84481a87-2316-4923-8fab-3ba8ca29323d}\installs\pcanywhere\pca32\cd\disk1>.
05/10/14 13:01:10 Prevented process <wnaspi32.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\programdata\installmate\{84481a87-2316-4923-8fab-3ba8ca29323d}\neromix\api>.
05/10/14 13:01:10 Prevented process <nsapphandler.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\programdata\installmate\{84481a87-2316-4923-8fab-3ba8ca29323d}\common\dynamics nav\application handler>.
05/10/14 13:01:10 Prevented process <ztres.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\programdata\installmate\{84481a87-2316-4923-8fab-3ba8ca29323d}\langs>.
05/10/14 13:01:10 Prevented process <qcinsenu.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\programdata\installmate\{84481a87-2316-4923-8fab-3ba8ca29323d}\qcdriver>.
05/10/14 13:01:10 Prevented process <lvihlp.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\programdata\installmate\{84481a87-2316-4923-8fab-3ba8ca29323d}\quickcam\temp>.
05/10/14 13:01:10 Prevented process <videoc.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\programdata\installmate\{84481a87-2316-4923-8fab-3ba8ca29323d}\setup>.
05/10/14 13:01:10 Prevented process <fssync.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\programdata\installmate\{84481a87-2316-4923-8fab-3ba8ca29323d}\program files\kaspersky lab\kaspersky anti-virus for workstation 5>.
05/10/14 13:01:10 Prevented process <dxg32.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\programdata\installmate\dxguard>.
05/10/14 13:01:10 Prevented process <numbers.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\programdata\installmate\{84481a87-2316-4923-8fab-3ba8ca29323d}\numbers>.
05/10/14 13:01:10 Prevented process <numbers.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\programdata\installmate\{84481a87-2316-4923-8fab-3ba8ca29323d}\numbdata>.
05/10/14 13:01:10 Prevented process <bosres.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\programdata\installmate\{84481a87-2316-4923-8fab-3ba8ca29323d}\bkoffice\i386>.
05/10/14 13:01:10 Prevented process <ascore.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\programdata\installmate\{84481a87-2316-4923-8fab-3ba8ca29323d}\intelnt\arcserve.it>.
05/10/14 13:01:10 Prevented process <swdrm.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\programdata\installmate\{84481a87-2316-4923-8fab-3ba8ca29323d}\ui>.
05/10/14 13:01:03 Prevented process <swdrm.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\programdata\package cache\{95716cce-fc71-413f-8ad5-56c2892d4b3a}\ui>.
05/10/14 12:59:51 Prevented process <swdrm.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\programdata\package cache\{4fcf070a-daac-45e9-a8b0-6850941f7ed8}\ui>.
05/10/14 12:09:40 Prevented <Firefox> from reading memory of <Adobe Flash Player 13.0 r0>.
05/10/14 12:09:40 Prevented <Firefox> from writing to memory of <Adobe Flash Player 13.0 r0>.
05/10/14 12:07:04 Prevented <Firefox> from writing to <\registry\machine\system\controlset001\control\class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000>.
05/10/14 12:05:12 Prevented <Firefox> from writing to <\registry\machine\system\controlset001\control\class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000>.
-----------------------------------------------------------------------------------------------------

5. Cutting_Edgetech (Registered Member)

I know Windows has drivers for many plug-and-play devices, so I understand what you are saying. I have other devices that came with their own driver installation packages, and I thought AG allowed the drivers to install. Maybe I was mistaken. BRN should reply on AG expected behavior for blocking or allowing drivers soon.

6. Rasheed187 (Registered Member)

Actually, all regular HIPS offer this feature already, there's nothing special about Driver Radar. Examples of HIPS that monitor this: Zemana, SpyShelter, Comodo and Kaspersky. Sandboxie will also block drivers automatically.

However, drivers should be less dangerous on Windows 64 bit (in theory), because of PatchGuard & Driver Signing. So this means that a malicious driver should not be able to take control of the system (as easily) as was the case in Windows 32 bit.

7. Rasheed187 (Registered Member)

IMO it wouldn't be a bad idea to change it, but since hardcore fans of AG don't like it, I would advise not to.

8. KaptainBug (Registered Member)

You can ignore all these messages from AG. I guess none of those blocking events are breaking any functionality of programs.
Use the wild card character (*) to make exceptions generic. For example, when you add an ignore message, use it like this:
*.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\programdata\installmate\{84481a87-2316-4923-8fab-3ba8ca29323d}\*
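As an added example (not code from the thread or from AppGuard), the following PowerShell parses AppGuard activity-log lines of the shape quoted above and previews which of them a wildcard ignore pattern would suppress, so the pattern can be checked against the real log before it is added in the AppGuard console. The pattern semantics are an assumption: `*` is taken to match any run of characters, which is what PowerShell's `-like` operator implements, and the log's date field is assumed to be MM/dd/yy. The sample lines are constructed from the log posted earlier in the thread.

```powershell
# Added example, not from the thread or from AppGuard: parse AppGuard log lines and
# preview which ones a wildcard ignore pattern would match. Assumed: '*' matches any
# run of characters (PowerShell -like semantics) and the date field is MM/dd/yy.

function ConvertFrom-AppGuardLogLine {
    param([Parameter(Mandatory)][string]$Line)
    # Shape of a line: "05/10/14 13:01:10 Prevented process <actor> from launching from <target>."
    if ($Line -notmatch '^(?<Date>\d\d/\d\d/\d\d) (?<Time>\d\d:\d\d:\d\d) (?<Message>.+)$') {
        return $null
    }
    $date    = $Matches.Date
    $time    = $Matches.Time
    $message = $Matches.Message
    # The angle-bracketed fields are the actor (first) and the target (second), when present
    $fields = @([regex]::Matches($message, '<([^>]*)>') | ForEach-Object { $_.Groups[1].Value })
    $actor  = if ($fields.Count -ge 1) { $fields[0] } else { '' }
    $target = if ($fields.Count -ge 2) { $fields[1] } else { '' }
    [pscustomobject]@{
        Timestamp = [datetime]::ParseExact("$date $time", 'MM/dd/yy HH:mm:ss',
                        [cultureinfo]::InvariantCulture)
        Message   = $message
        Actor     = $actor
        Target    = $target
    }
}

function Test-AppGuardIgnorePattern {
    param(
        [Parameter(Mandatory)][string[]]$Lines,
        [Parameter(Mandatory)][string]$Pattern
    )
    foreach ($line in $Lines) {
        $evt = ConvertFrom-AppGuardLogLine -Line $line
        if ($null -eq $evt) { continue }
        # -like is case-insensitive, which matches how Windows paths are compared
        $evt | Add-Member -NotePropertyName Suppressed `
                          -NotePropertyValue ($evt.Message -like $Pattern) -PassThru
    }
}

# Constructed sample, in the format quoted earlier in the thread
$sample = @(
    '05/10/14 13:01:10 Prevented process <htmsw.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\programdata\installmate\{84481a87-2316-4923-8fab-3ba8ca29323d}\client\vintdev\bin>.'
    '05/10/14 13:01:10 Prevented process <dtspkg.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\programdata\x86\binn>.'
    '05/10/14 12:09:40 Prevented <Firefox> from writing to memory of <Adobe Flash Player 13.0 r0>.'
)
$pattern = '*.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\programdata\installmate\{84481a87-2316-4923-8fab-3ba8ca29323d}\*'

Test-AppGuardIgnorePattern -Lines $sample -Pattern $pattern |
    Format-Table Timestamp, Suppressed, Actor, Target -AutoSize
```

Running it against the three constructed lines marks only the installmate launch as suppressed; the rundll32 launch from `c:\programdata\x86\binn` and the Firefox MemoryGuard event are outside the pattern and would still surface in the log, which is the point of previewing a pattern before it silences anything.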

9. Cutting_Edgetech (Registered Member)

Well, come to think of it, OA already does this. Most users here used to consider OA the king of HIPS, but OA does not have active development during the entire year now. They only work on it certain periods of the year. They probably get tired of my requests and bug reports. Their new security suite does not have OA anymore. I don't know if they plan on stopping development on it, but their choice not to include OA in their security suite makes it look that way. Online Armor is the only Emsisoft product I use. I have been using OA since about 2003, or maybe 2004. I very rarely ever change my security setup. I always prefer to work with the developers and make recommendations for additional features. A few features were added to OA at my request, like the file, folder, and registry protection module.

10. guest (Guest)

OA will still be developed IF enough customers buy it so OA finances its own development...

11. Windows_Security (Guest)

@Cutting_Edgetech
When you install a driver for a USB stick, Windows finds the (trusted) driver for you, so you don't need to worry about this driver. An exception to this rule is printer drivers, for which the user may choose a driver. Some intrusions through printer drivers are known. When an untrusted (guarded) program tried to install this, AppGuard would block it. AppGuard offers maximum protection with minimal interception; they really focus on the chain of events of an intrusion. When you block one step in the chain, you don't need to monitor/block the rest.

NVT driver & NVT exe "all" approach versus AppGuard "focused" approach
Take for instance NVT exe radar pro. The first version could be circumvented, because the developers did not know these workarounds (V2 has closed this gap). So what is the use of trying to monitor everything when it offers only visible reassurance to the user? AppGuard 'only' blocks user space execution, but at the same time prevents memory intrusions. When you look at the flow of events of an intrusion, this is much more effective than trying to block 'all' drivers and 'all' program executions (since a lot of data formats include code and a lot of programs interpret code in scripts, which all could cause breaches in programs already allowed by NVT). NVT Radar does not respect ASLR, so on newer OSes (than XP) this would be a show-stopper for me.

I am not using AppGuard, but I am impressed with their "less is more" approach.

12. arsenaloyal (Registered Member)

Are there any ongoing promotions for Appguard? I wanted to install one on a friend's PC who is not tech savvy.

13. Peter2150 (Global Moderator)

On this driver install issue, I did some testing.

First test was with the Shadowprotect IT edition which runs SP from a unique USB stick. It is the desktop version without the need for install. I set Appguard by right clicking and allowing USB guarded. I also turned off NVT ERP. SP ran fine, except when you explore the image. Then SP says it needs to install a driver and you click okay. Appguard didn't object. I am not sure however where or how that driver actually installed, as it is not there when you finish and reboot. Not an issue for me because that is a unique USB stick, vendor supplied and actually write locked.

Second test. For this I used the Emsisoft EAM installation file. Placed it on my desktop and imaged the system.

a. I ran Appguard in lockdown and I left it this way. Installer couldn't run at all.
b. Using the systray I set Appguard to allow user space launches unguarded. EAM installed properly as it should.
c. Restored the system.
d. Set Appguard to allow user space launches guarded. Installer ran, but installation never got off the ground. System protected.
e. Repeated the test in d. but using medium protection. Same result. System protected.

My conclusions:

1. Key thing is the system was protected. Not only no driver installed, but virtually nothing installed.
2. Appguard works, just have appropriate things guarded.
3. No other protection against driver install is needed.

Pete

PS One thing I do is during an install I turn appguard off, and monitor the install with ERP

14. Jarmo P (Registered Member)

Thank you Pete for testing. I am not as tech-savvy a person as you. I just want to know I am sort of safe against hackers/crackers with AppGuard and Sandboxie.

15. reyes (Registered Member)

Before my update to Windows 8.1 Update, when I ran Firefox I used to get lots of MemoryGuard events in the activity log of AppGuard, such as
Prevented <Firefox> from writing to memory of <Adobe Flash Player 13.0 r0>.
Now I don't get any of these MemoryGuard events in AppGuard. Firefox is in Guarded apps and all options are set to "ON". Also, AppGuard is in LockDown Mode.

OS is Windows 8.1 Update 64 Bit.

16. Cutting_Edgetech (Registered Member)

I was recently chatting with a developer about ASLR, and informing them not to use a fixed memory address space with their mitigation method. Here is an interesting article which I came across last week. I'm not trying to bash Comodo. They just happened to be the product in the article. The article has some really good information in it. If you have already read it then disregard. http://rce.co/why-usermode-hooking-sucks-bypassing-comodo-internet-security/

17. Windows_Security (Guest)

Yep, bypassing user mode hooks is a popular bashing activity (at hackers' forums). I remember ThreatFire's behavioral blocker (except for file and registry hooks at system level) being removed, making it a behavioral blocker with no input. Sometimes developers obfuscate the static code, by compressing it, to raise the threshold for smart malware.

18. TheKid7 (Registered Member)

Without letting me know, Microsoft changed my Windows Update Settings on my Windows 7 Home Premium 64 bit PC. I typically have the Windows Update Settings such that nothing is downloaded or installed until I say so. Microsoft changed the Windows Update Settings to automatically download and install the Windows Updates.

I typically keep AppGuard set on Locked Down, unless I am installing/uninstalling software. The Windows Update Log showed that only one update Failed. I set AppGuard to Install and installed the Failed Windows Update and restarted the PC.

Questions:

1. Many times when I change AppGuard from Locked Down to Install and restart the PC, AppGuard will change back to Locked Down instead of the default of Medium (Recommended). This is what happened after restart after installing the Failed Windows Update. During the restart after Windows Update process, does Microsoft complete the installation of any Windows Updates prior to AppGuard loading?

2. If the Windows Update Log shows the successful installation of Windows Updates, should I feel confident that the Windows Updates are properly installed? I am just concerned about whether or not AppGuard may have damaged a Windows Update installation and this not showing up in the Windows Update Log. The PC appears to be functioning normally now with no hint of any problems.

Attached is my Windows Update Log (AppGuard always blocks Windows Defender Updates which doesn't concern me.).

19. bolehvpn (Registered Member)

Hey thanks! To be honest, we didn't see this thread until after we did the fix but I believe I did some user tickets and requests on the issue which also prompted us to look at it (as well as the GUI bug). We always value feedback so thanks for that.

I'm not the technical guy who's in charge of these things but I remember there were some elevation issues that were present before which in newer versions of OpenVPN seem to have been resolved but I think that's been fixed now and we can now install it in the regular system space.

20. syrinx (Registered Member)

I recently uninstalled another security product which happened to bork up something with my installation of AppGuard, specifically Event Log issues. A re-install fixed my issues, but I discovered something that I find slightly worrisome along the way.
The AppGuardAgent service is not set to auto-recover if it encounters an error and crashes.

Before my woes were fixed with a re-install, the service happened to crash once and I was left with a big X and a mouseover message to the effect of 'service not running.' This is a huge oversight in my opinion and should be set to "Restart the Service" immediately (0 mins in delay) for at least the first and second failures by default, though subsequent would be ideal.

Obviously I can disable tamper guard and change it myself, which I have done, but I'm surprised that it isn't set like this by default as it's something you need to keep running for protections to be applied!
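As an added example (not code from the thread or from AppGuard), the PowerShell below inspects and sets the Service Control Manager failure actions for a service, which is the setting the post above is describing: restart the service with no delay on each failure. It assumes the service name `AppGuardAgent` as given in the post, an elevated session, and that AppGuard's tamper guard has been disabled first, as the poster did; otherwise the SCM write is refused. The `sc.exe failure` and `sc.exe qfailure` subcommands are standard Windows tooling.

```powershell
# Added example, not from the thread or from AppGuard: show and set SCM failure actions
# so a service is restarted automatically if it crashes. Assumes the service name
# 'AppGuardAgent' (from the post), an elevated PowerShell session, and that any tamper
# protection on the service has been turned off beforehand.

function Get-ServiceFailureActions {
    param([Parameter(Mandatory)][string]$Name)
    # 'sc' on its own is a PowerShell alias for Set-Content, so call the executable explicitly
    sc.exe qfailure $Name
}

function Set-ServiceRestartOnFailure {
    param(
        [Parameter(Mandatory)][string]$Name,
        [int]$DelayMs      = 0,      # 0 = restart immediately, as the post suggests
        [int]$ResetSeconds = 86400   # failure counter resets after a day without a crash
    )
    # restart/<delay> is given three times: first, second and all subsequent failures
    $actions = 'restart/{0}/restart/{0}/restart/{0}' -f $DelayMs
    # sc.exe requires the space after each '=', so 'reset=' and its value are separate tokens
    sc.exe failure $Name reset= $ResetSeconds actions= $actions
    if ($LASTEXITCODE -ne 0) {
        throw "sc.exe failure returned $LASTEXITCODE (not elevated, or service still tamper-protected?)"
    }
}

# Before: a service with no recovery configured shows an empty FAILURE_ACTIONS entry
Get-ServiceFailureActions -Name 'AppGuardAgent'

Set-ServiceRestartOnFailure -Name 'AppGuardAgent'

# After: RESET_PERIOD and three RESTART actions with a 0 millisecond delay
Get-ServiceFailureActions -Name 'AppGuardAgent'
```

By default the SCM counts a failure only when the service process dies without reporting that it stopped, which is the crash case the post describes; `sc.exe failureflag AppGuardAgent 1` additionally makes a stop with a non-zero exit code count. Re-enable the product's tamper guard once the change is verified, since the same SCM write access that lets you set recovery would otherwise let anything else running as an administrator alter the service.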

21. Barb_C (Developer)

Sorry I've been away so long. I'll catch up with the posts some time tomorrow, but I wanted to make this announcement: In honor of Memorial Day, our Product Management team extended the valid dates for two coupons (AppGuard1 ($10 off) and WildersAG (QTY 3 for $39.95)) through June 2.

22. Peter2150 (Global Moderator)

Hi Barb

Good to hear from you.

Pete

23. digmor crusher (Registered Member)

24. Cutting_Edgetech (Registered Member)

I don't recognize Nitro, Sumo, and Potplayer. You should not add any of the other apps you listed. Under most circumstances you should only add web apps to the guarded apps list. You should add web browsers, instant messengers, PDF readers, media players, etc.

