AppGuard 4.x 32/64 Bit - Releases

Discussion in 'other anti-malware software' started by Jryder54, Oct 29, 2013.

Thread Status:
Not open for further replies.
  1. TomAZ

    TomAZ Registered Member

    Joined:
    Feb 27, 2010
    Posts:
    1,131
    Location:
    USA
    There seems to be some question about driver protection with AG, so I just installed NVT Driver Radar Pro to give it a try. Seems to be pretty light on resources and a nice little app. May just keep it. :)
     
  2. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,653
    Location:
    USA
    I just wonder why something like Driver Radar Pro has not been integrated into a security product yet. Maybe it has, but I'm not aware of any product doing it. If you are going to monitor executables, DLLs, scripts, etc., then why not monitor drivers? I guess most developers assume malicious drivers would be contained within a malicious executable which would be blocked.
     
  3. FleischmannTV

    FleischmannTV Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,094
    Location:
    Germany
    If I recall correctly, when you plug in a device Windows itself installs the driver. It is not installed from the device you plugged in. So of course AppGuard doesn't do anything here. If a driver installation originates from the device itself, AppGuard should block it.

    Just to clarify things. As far as I know Driver Radar Pro is not needed to block driver installations because ERP already covers that, as does AppGuard. It is designed to notify the user in scenarios when the protection level is lowered. For example you want to launch or install a simple program, but it tries to install a kernel mode driver instead.
     
  4. lucien_phoenix

    lucien_phoenix Registered Member

    Joined:
    Oct 20, 2012
    Posts:
    131
    Location:
    Germany
    What the hell is AG doing?
    How do I get rid of these messages? Is AG blocking some
    important system operations? Here is the AG
    log of this event and screenshots of my AG
    menu settings (User Space, Guarded Apps, Advanced).
    Maybe there is something wrong; please have a look
    at this.

    And sorry for the long Log.txt, I found no hide function here.
    -----------------------------------------------------------------------------------------------------
    05/10/14 18:47:59 Prevented <Firefox> from reading memory of <Adobe Flash Player 13.0 r0>.
    05/10/14 18:47:59 Prevented <Firefox> from writing to memory of <Adobe Flash Player 13.0 r0>.
    05/10/14 13:01:10 Prevented process <htmsw.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\programdata\installmate\{84481a87-2316-4923-8fab-3ba8ca29323d}\client\vintdev\bin>.
    05/10/14 13:01:10 Prevented process <dfolder.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\programdata\installmate\{84481a87-2316-4923-8fab-3ba8ca29323d}\runimage\delphi40\bin>.
    05/10/14 13:01:10 Prevented process <pic_eng.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\programdata\installmate\{84481a87-2316-4923-8fab-3ba8ca29323d}\pif\pic>.
    05/10/14 13:01:10 Prevented process <point32.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\programdata\installmate\{84481a87-2316-4923-8fab-3ba8ca29323d}\setup\program>.
    05/10/14 13:01:10 Prevented process <mswheel.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\programdata\installmate\{84481a87-2316-4923-8fab-3ba8ca29323d}\setup\program>.
    05/10/14 13:01:10 Prevented process <msh_zwf.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\programdata\installmate\{84481a87-2316-4923-8fab-3ba8ca29323d}\setup\program>.
    05/10/14 13:01:10 Prevented process <mspsec.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\programdata\installmate\{84481a87-2316-4923-8fab-3ba8ca29323d}\i386>.
    05/10/14 13:01:10 Prevented process <asadmin.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\programdata\installmate\{84481a87-2316-4923-8fab-3ba8ca29323d}\program files\mmis>.
    05/10/14 13:01:10 Prevented process <mny6stp.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\programdata\installmate\{84481a87-2316-4923-8fab-3ba8ca29323d}\setup>.
    05/10/14 13:01:10 Prevented process <wnaspi32.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\programdata\installmate\{84481a87-2316-4923-8fab-3ba8ca29323d}\nerovision\nerofiles>.
    05/10/14 13:01:10 Prevented process <ldvpdist.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\programdata\installmate\{84481a87-2316-4923-8fab-3ba8ca29323d}\rollout\avserver>.
    05/10/14 13:01:10 Prevented process <dolntdrv.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\programdata\installmate\{84481a87-2316-4923-8fab-3ba8ca29323d}\snovant\core>.
    05/10/14 13:01:10 Prevented process <dtspkg.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\programdata\x86\x86\binn>.
    05/10/14 13:01:10 Prevented process <dtspkg.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\programdata\x86\binn>.
    05/10/14 13:01:10 Prevented process <siwpca.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\programdata\installmate\{84481a87-2316-4923-8fab-3ba8ca29323d}\pcany32\disk1>.
    05/10/14 13:01:10 Prevented process <rsl.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\programdata\installmate\{84481a87-2316-4923-8fab-3ba8ca29323d}\bin>.
    05/10/14 13:01:10 Prevented process <version.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\programdata\installmate\{84481a87-2316-4923-8fab-3ba8ca29323d}\files\showcpyr>.
    05/10/14 13:01:10 Prevented process <vtest60.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\programdata\installmate\{84481a87-2316-4923-8fab-3ba8ca29323d}\alpha build 1272a\old\vtest60.dll>.
    05/10/14 13:01:10 Prevented process <iscustom.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\programdata\installmate\{84481a87-2316-4923-8fab-3ba8ca29323d}\installs\pcanywhere\pca32\cd\disk1>.
    05/10/14 13:01:10 Prevented process <wnaspi32.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\programdata\installmate\{84481a87-2316-4923-8fab-3ba8ca29323d}\neromix\api>.
    05/10/14 13:01:10 Prevented process <nsapphandler.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\programdata\installmate\{84481a87-2316-4923-8fab-3ba8ca29323d}\common\dynamics nav\application handler>.
    05/10/14 13:01:10 Prevented process <ztres.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\programdata\installmate\{84481a87-2316-4923-8fab-3ba8ca29323d}\langs>.
    05/10/14 13:01:10 Prevented process <qcinsenu.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\programdata\installmate\{84481a87-2316-4923-8fab-3ba8ca29323d}\qcdriver>.
    05/10/14 13:01:10 Prevented process <lvihlp.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\programdata\installmate\{84481a87-2316-4923-8fab-3ba8ca29323d}\quickcam\temp>.
    05/10/14 13:01:10 Prevented process <videoc.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\programdata\installmate\{84481a87-2316-4923-8fab-3ba8ca29323d}\setup>.
    05/10/14 13:01:10 Prevented process <fssync.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\programdata\installmate\{84481a87-2316-4923-8fab-3ba8ca29323d}\program files\kaspersky lab\kaspersky anti-virus for workstation 5>.
    05/10/14 13:01:10 Prevented process <dxg32.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\programdata\installmate\dxguard>.
    05/10/14 13:01:10 Prevented process <numbers.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\programdata\installmate\{84481a87-2316-4923-8fab-3ba8ca29323d}\numbers>.
    05/10/14 13:01:10 Prevented process <numbers.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\programdata\installmate\{84481a87-2316-4923-8fab-3ba8ca29323d}\numbdata>.
    05/10/14 13:01:10 Prevented process <bosres.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\programdata\installmate\{84481a87-2316-4923-8fab-3ba8ca29323d}\bkoffice\i386>.
    05/10/14 13:01:10 Prevented process <ascore.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\programdata\installmate\{84481a87-2316-4923-8fab-3ba8ca29323d}\intelnt\arcserve.it>.
    05/10/14 13:01:10 Prevented process <swdrm.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\programdata\installmate\{84481a87-2316-4923-8fab-3ba8ca29323d}\ui>.
    05/10/14 13:01:03 Prevented process <swdrm.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\programdata\package cache\{95716cce-fc71-413f-8ad5-56c2892d4b3a}\ui>.
    05/10/14 12:59:51 Prevented process <swdrm.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\programdata\package cache\{4fcf070a-daac-45e9-a8b0-6850941f7ed8}\ui>.
    05/10/14 12:09:40 Prevented <Firefox> from reading memory of <Adobe Flash Player 13.0 r0>.
    05/10/14 12:09:40 Prevented <Firefox> from writing to memory of <Adobe Flash Player 13.0 r0>.
    05/10/14 12:07:04 Prevented <Firefox> from writing to <\registry\machine\system\controlset001\control\class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000>.
    05/10/14 12:05:12 Prevented <Firefox> from writing to <\registry\machine\system\controlset001\control\class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000>.
    -----------------------------------------------------------------------------------------------------
     

    Attached Files:

    Last edited: May 10, 2014
  5. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,653
    Location:
    USA
    I know Windows has drivers for many plug-and-play devices, so I understand what you are saying. I have other devices that came with their own driver installation packages, and I thought AG allowed the drivers to install. Maybe I was mistaken. BRN should reply on AG's expected behavior for blocking or allowing drivers soon.
     
  6. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,789
    Location:
    The Netherlands
    Actually, all regular HIPS offer this feature already; there's nothing special about Driver Radar. Examples of HIPS that monitor this: Zemana, SpyShelter, Comodo and Kaspersky. Sandboxie will also block drivers automatically.

    However, drivers should be less dangerous on Windows 64 bit (in theory), because of PatchGuard & Driver Signing. So this means that a malicious driver should not be able to take control of the system (as easy) as was the case in Windows 32 bit. :)
     
  7. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,789
    Location:
    The Netherlands
    IMO it wouldn't be a bad idea to change it, but since hardcore fans of AG don't like it, I would advise not to. :)
     
    Last edited: May 10, 2014
  8. KaptainBug

    KaptainBug Registered Member

    Joined:
    Dec 26, 2013
    Posts:
    484
    You can ignore all these messages from AG. I guess none of those blocking events are breaking any functionality of programs.
    Use the wildcard character (*) to make exceptions generic. For example, when you add an ignore message, use it like this:
    *.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\programdata\installmate\{84481a87-2316-4923-8fab-3ba8ca29323d}\*
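The wildcard exception above hides every rundll32 launch out of that one InstallMate cache folder but nothing else. The PowerShell below is an added example, not AppGuard's own tooling: it runs activity-log lines in the format posted earlier in this thread through a list of wildcard ignore patterns and reports what each pattern would hide and what stays visible. PowerShell's `-like` operator is used as a stand-in for AppGuard's matching (an assumption; AppGuard's exact rules are not documented on this page), and the sample log lines and the broader second pattern are constructed for the demonstration.

```powershell
# Added example, not AppGuard's own code: check what an AppGuard ignore pattern covers.
# Sample lines are constructed in the activity-log format seen in this thread.
$LogLines = @(
    '05/10/14 13:01:10 Prevented process <htmsw.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\programdata\installmate\{84481a87-2316-4923-8fab-3ba8ca29323d}\client\vintdev\bin>.',
    '05/10/14 13:01:10 Prevented process <swdrm.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\programdata\installmate\{84481a87-2316-4923-8fab-3ba8ca29323d}\ui>.',
    '05/10/14 13:01:10 Prevented process <dtspkg.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\programdata\x86\binn>.',
    '05/10/14 12:07:04 Prevented <Firefox> from writing to <\registry\machine\system\controlset001\control\class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000>.',
    '05/10/14 18:47:59 Prevented <Firefox> from reading memory of <Adobe Flash Player 13.0 r0>.'
)

function Split-AppGuardEvent {
    param([string]$Line)
    # Timestamp 'MM/dd/yy HH:mm:ss' followed by the message text.
    if ($Line -match '^(?<ts>\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (?<msg>.+)$') {
        return [pscustomobject]@{ Time = $Matches['ts']; Message = $Matches['msg'] }
    }
    return $null
}

function Show-IgnoreCoverage {
    param([string[]]$Lines, [string[]]$Patterns)
    $hidden  = @{}
    $visible = @()
    foreach ($line in $Lines) {
        $ev = Split-AppGuardEvent $line
        if (-not $ev) { continue }
        # -like matches the whole message; '*' stands for any run of characters and the
        # comparison is case-insensitive, which suits AppGuard's lower-cased paths.
        $hit = $Patterns | Where-Object { $ev.Message -like $_ } | Select-Object -First 1
        if ($hit) { $hidden[$hit] = 1 + [int]$hidden[$hit] } else { $visible += $ev }
    }
    'Hidden per pattern:'
    foreach ($p in $Patterns) { '  {0,3}  {1}' -f [int]$hidden[$p], $p }
    'Still visible (review these before adding broader patterns):'
    foreach ($ev in $visible) { '  {0}  {1}' -f $ev.Time, $ev.Message }
    ''
}

# KaptainBug's pattern: only launches out of the InstallMate cache folder are hidden;
# the rundll32 launch from c:\programdata\x86\binn and the Firefox events stay visible.
Show-IgnoreCoverage -Lines $LogLines -Patterns @(
    '*.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\programdata\installmate\{84481a87-2316-4923-8fab-3ba8ca29323d}\*'
)

# A broader pattern (constructed here for contrast) also swallows the c:\programdata\x86\binn
# launch, so anything else rundll32 is asked to load from ProgramData would go unnoticed.
Show-IgnoreCoverage -Lines $LogLines -Patterns @(
    '*| C:\Windows\System32\rundll32.exe> from launching from <c:\programdata\*'
)
```

Running the two comparisons side by side is the point: keep the exception as narrow as the installer's own cache folder, and leave launches from other ProgramData paths visible so they still get looked at.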
     
  9. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,653
    Location:
    USA
    Well, come to think of it, OA already does this. Most users here used to consider OA the king of HIPS, but OA does not have active development during the entire year now. They only work on it during certain periods of the year. They probably get tired of my requests and bug reports. Their new security suite does not have OA anymore. I don't know if they plan on stopping development on it, but their choice not to include OA in their security suite makes it look that way. Online Armor is the only Emsisoft product I use. I have been using OA since about 2003, or maybe 2004. I very rarely ever change my security setup. I always prefer to work with the developers and make recommendations for additional features. A few features were added to OA at my request, like the file, folder, and registry protection module.
     
  10. guest

    guest Guest

    OA will still be developed IF enough customers buy it, so OA finances its own development...
     
  11. @Cutting_Edgetech
    When you install a driver for a USB stick, Windows finds the (trusted) driver for you, so you don't need to worry about this driver. An exception to this rule are printer drivers, for which the user may choose a driver. Some intrusions through printer drivers are known. When an untrusted (guarded) program tried to install one, AppGuard would block it. AppGuard offers maximum protection with minimal interception; they really focus on the chain of events of an intrusion. When you block one step in the chain, you don't need to monitor/block the rest.

    NVT driver & NVT exe "all" approach versus AppGuard "focused" approach
    Take for instance NVT Exe Radar Pro. The first version could be circumvented, because the developers did not know these workarounds (V2 has closed this gap). So what is the use of trying to monitor everything when it offers only visible reassurance to the user? AppGuard 'only' blocks user space execution, but at the same time prevents memory intrusions. When you look at the flow of events of an intrusion, this is much more effective than trying to block 'all' drivers and 'all' program executions (since a lot of data formats include code and a lot of programs interpret code in scripts, which all could cause breaches in programs already allowed by NVT). NVT Radar does not respect ASLR, so on newer OSes (than XP) this would be a show-stopper for me.

    I am not using AppGuard, but I am impressed with their "less is more" approach.
     
  12. arsenaloyal

    arsenaloyal Registered Member

    Joined:
    Nov 1, 2009
    Posts:
    513
    Are there any ongoing promotions for AppGuard? I wanted to install one on a friend's PC who is not tech savvy.
     
  13. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    On this driver install issue, I did some testing.

    First test was with the ShadowProtect IT edition, which runs SP from a unique USB stick. It is the desktop version without the need for install. I set Appguard by right clicking and allowing USB guarded. I also turned off NVT ERP. SP ran fine, except when you explore the image. Then SP says it needs to install a driver and you click okay. Appguard didn't object. I am not sure however where or how that driver actually installed, as it is not there when you finish and reboot. Not an issue for me because that is a unique vendor-supplied USB stick and is actually write locked.

    Second test. For this I used the Emsisoft EAM installation file. Placed it on my desktop and imaged the system.

    a. I run Appguard in lockdown and I left it this way. Installer couldn't run at all.
    b. Using the systray I set Appguard to allow user space launches unguarded. EAM installed properly as it should.
    c. Restored the system.
    d. Set Appguard to allow user space launches guarded. Installer ran, but installation never got off the ground. System protected.
    e. Repeated the test in d. but using medium protection. Same result. System protected.

    My conclusions:

    1. Key thing is system was protected. Not only no driver installed, but virtually nothing installed.
    2. Appguard works; just have appropriate things guarded.
    3. No other protection against Driver install is needed.

    Pete

    PS: One thing I do is turn Appguard off during an install and monitor the install with ERP.
     
  14. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,207
    Thank you Pete for testing. I am not as tech-savvy a person as you. Just want to know I am sort of safe against hackers/crackers with AppGuard and Sandboxie :)
     
  15. reyes

    reyes Registered Member

    Joined:
    Dec 8, 2013
    Posts:
    48
    Location:
    INDIA
    Before my update to Windows 8.1 Update... when I ran Firefox I used to get lots of MemoryGuard events in the activity log of AppGuard, such as
    Prevented <Firefox> from reading memory of <Adobe Flash Player 13.0 r0>.
    Prevented <Firefox> from writing to memory of <Adobe Flash Player 13.0 r0>.
    Now I don't get any of these MemoryGuard events in AppGuard. Firefox is in Guarded Apps and all options are set to "ON". Also, AppGuard is in Lockdown Mode.

    OS is Windows 8.1 Update 64 Bit
     
  16. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,653
    Location:
    USA
    I was recently chatting with a developer about ASLR, and informing them not to use a fixed memory address space with their mitigation method. Here is an interesting article which I came across last week. I'm not trying to bash Comodo. They just happened to be the product in the article. The article has some really good information in it. If you have already read it then disregard. http://rce.co/why-usermode-hooking-sucks-bypassing-comodo-internet-security/
     
    Yep, bypassing user mode hooks is a popular bashing activity (at hackers' forums). I remember ThreatFire's behavioral blocker (except for file and registry hooks at system level) being removed, making it a behavioral blocker with no input. Sometimes developers obfuscate the static code, by compressing it, to raise the threshold for smart malware.
     
  18. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,560
    Without letting me know, Microsoft changed my Windows Update Settings on my Windows 7 Home Premium 64 bit PC. I typically have the Windows Update Settings such that nothing is downloaded or installed until I say so. Microsoft changed the Windows Update Settings to automatically download and install the Windows Updates.

    I typically keep AppGuard set on Locked Down, unless I am installing/uninstalling software. The Windows Update Log showed that only one update Failed. I set AppGuard to Install and installed the Failed Windows Update and restarted the PC.

    Questions:

    1. Many times when I change AppGuard from Locked Down to Install and restart the PC, AppGuard will change back to Locked Down instead of the default of Medium (Recommended). This is what happened after restart after installing the Failed Windows Update. During the restart after Windows Update process, does Microsoft complete the installation of any Windows Updates prior to AppGuard loading?

    2. If the Windows Update Log shows the successful installation of Windows Updates, should I feel confident that the Windows Updates are properly installed? I am just concerned about whether or not AppGuard may have damaged a Windows Update installation without this showing up in the Windows Update Log. The PC appears to be functioning normally now with no hint of any problems.

    Attached is my Windows Update Log (AppGuard always blocks Windows Defender Updates which doesn't concern me.).

    Thanks in advance.
     

    Attached Files:

  19. bolehvpn

    bolehvpn Registered Member

    Joined:
    Oct 10, 2011
    Posts:
    84
    Location:
    Malaysia
    Hey thanks! To be honest, we didn't see this thread until after we did the fix but I believe I did some user tickets and requests on the issue which also prompted us to look at it (as well as the GUI bug). We always value feedback so thanks for that.

    I'm not the technical guy who's in charge of these things but I remember there were some elevation issues that were present before which in newer versions of OpenVPN seem to have been resolved but I think that's been fixed now and we can now install it in the regular system space.
     
  20. syrinx

    syrinx Registered Member

    Joined:
    Apr 7, 2014
    Posts:
    427
    I recently uninstalled another security product which happened to bork up something with my installation of AppGuard, specifically Event Log issues. A re-install fixed my issues, but I discovered something along the way that I find slightly worrisome.
    The AppGuardAgent service is not set to auto-recover if it encounters an error and crashes.

    Before my woes were fixed with a re-install, the service happened to crash once and I was left with a big X and a mouseover message to the effect of 'service not running.' This is a huge oversight in my opinion and should be set to "Restart the Service" immediately (0 minutes delay) for at least the first and second failures by default, though subsequent would be ideal.

    Obviously I can disable tamper guard and change it myself, which I have done, but I'm surprised that it isn't set like this by default as it's something you need to keep running for protections to be applied!
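The recovery settings syrinx describes live in the service's failure actions, which `sc.exe qfailure` shows and `sc.exe failure` sets. The PowerShell below is an added example, not part of AppGuard: it reads the current failure actions of the AppGuardAgent service (the service name as given in the post above), and, if none are configured, sets an immediate restart for the first, second and subsequent failures. It assumes an elevated PowerShell session, that tamper protection has been disabled first as the post says, and that `sc.exe qfailure` prints each action as `RESTART -- Delay = N milliseconds.`; the parser is written to tolerate small variations of that format.

```powershell
# Added example, not AppGuard's own code: audit and set Windows service recovery actions.
# Run elevated, with AppGuard's tamper protection disabled first (see the post above).
$ServiceName = 'AppGuardAgent'   # service name as given in the post

function Get-ServiceFailureActions {
    param([Parameter(Mandatory)][string]$Name)
    # 'sc.exe qfailure' prints a FAILURE_ACTIONS block, one action per line, in the
    # assumed form 'RESTART -- Delay = 0 milliseconds.'; pull out action and delay.
    $out = & sc.exe qfailure $Name
    if ($LASTEXITCODE -ne 0) { throw "sc.exe qfailure failed for '$Name' (exit $LASTEXITCODE)" }
    $actions = foreach ($line in $out) {
        if ($line -match '(RESTART|REBOOT|RUN PROCESS)\s*--\s*Delay\s*=\s*(\d+)') {
            [pscustomobject]@{ Action = $Matches[1]; DelayMs = [int]$Matches[2] }
        }
    }
    return @($actions)
}

function Set-ServiceRestartOnFailure {
    param(
        [Parameter(Mandatory)][string]$Name,
        [int]$DelayMs = 0,           # 0 = restart immediately, as the post suggests
        [int]$ResetSeconds = 86400   # failure counter resets after a day without failures
    )
    # Three entries cover the first, second and all subsequent failures.
    $actions = "restart/$DelayMs/restart/$DelayMs/restart/$DelayMs"
    & sc.exe failure $Name reset= $ResetSeconds actions= $actions | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "sc.exe failure returned $LASTEXITCODE for '$Name'" }
}

$svc = Get-Service -Name $ServiceName -ErrorAction Stop
"{0}: Status={1}" -f $svc.Name, $svc.Status

$before = Get-ServiceFailureActions -Name $ServiceName
if ($before.Count -eq 0) {
    'No recovery actions configured: a crash would leave the service stopped.'
    Set-ServiceRestartOnFailure -Name $ServiceName
    'Recovery actions now:'
    Get-ServiceFailureActions -Name $ServiceName | Format-Table -AutoSize
} else {
    'Recovery actions already configured:'
    $before | Format-Table -AutoSize
}
```

The same check applies to any security agent whose protection depends on a running service: an empty FAILURE_ACTIONS block means a single crash leaves the machine unprotected until someone notices the tray icon.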
     
  21. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    Sorry I've been away so long. I'll catch up with the posts some time tomorrow, but I wanted to make this announcement: In honor of Memorial Day, our Product Management team extended the valid dates for two coupons (AppGuard1 ($10 off) and WildersAG (QTY 3 for $39.95)) through June 2.
     
  22. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Barb

    Good to hear from you.

    Pete
     
  23. digmor crusher

    digmor crusher Registered Member

    Joined:
    Jul 6, 2012
    Posts:
    946
    Location:
    Canada
    I am using AppGuard on the custom settings, have not changed anything. I have a question. Would it be a good idea to add any additional software I have on my computer, such as CCleaner, BurnAware, Nitro, Sumo, PotPlayer, MBAM, EIS, etc., to guarded apps? Thanks.
     
  24. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,653
    Location:
    USA
    I don't recognize Nitro, Sumo, and PotPlayer. You should not add any of the other apps you listed. Under most circumstances you should only add web apps to the guarded apps list. You should add web browsers, instant messengers, PDF readers, media players, etc.
     
  25. digmor crusher

    digmor crusher Registered Member

    Joined:
    Jul 6, 2012
    Posts:
    946
    Location:
    Canada
    Nitro is a pdf reader, Sumo checks for software updates and Potplayer is a media player. So by your advice I would add Nitro and Potplayer. Thanks.
     