AppGuard 4.x 32/64 Bit - Releases

Discussion in 'other anti-malware software' started by Jryder54, Oct 29, 2013.

Thread Status:
Not open for further replies.
  1. Clive T

    Clive T Registered Member

    Joined:
    Dec 24, 2002
    Posts:
    189
    Location:
    Kent, UK
    A breath of common sense. I've used a wide variety of security programmes over the years but AG has me scratching my head at times. Outside the rarified world of Wilders this prog must be a complete mystery. Following the help file is rather like playing an adventure game; interpret and solve one clue before tackling the next one!

    Has Blueridge ever tested the GUI and terminology on outsiders to see if it's understandable? I think not.
     
  2. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    7,354
    Location:
    Hawaii
    AG is a bit complex, it's true. However, whenever I have encountered an AG issue that I did not know how to handle, all I did was to right-click the corresponding entry on AG's activity report, & then click Help. So far I have found that the resultant contextual instructions are always clear and directly applicable to my issue at that moment.
     
  3. Clive T

    Clive T Registered Member

    Joined:
    Dec 24, 2002
    Posts:
    189
    Location:
    Kent, UK
    Yes it is complex - but worth persevering with. However, for somebody unfamiliar with the programme, statements like this one from the help file are meaningless:
    • "If MemoryGuard interferes with a User space application or if you want to access a Private Folder with a user space application, add the application to the Guard List and set the MemoryGuard and Privacy Mode settings accordingly".
      My point is, just what does "accordingly" mean in this context?
    Plenty of other examples like this in the help file.

    Regards
     
  4. Okay, got your point, did not know it was that funny :argh: and meaningless :eek:
     
  5. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    7,354
    Location:
    Hawaii
    IMO, "accordingly" means that (rightly or not) the help file is assuming that the reader already knows the basics of how to enter settings for a guarded folder.
     
  6. Clive T

    Clive T Registered Member

    Joined:
    Dec 24, 2002
    Posts:
    189
    Location:
    Kent, UK
    Exactly the point I was trying to make, albeit clumsily. Too many assumptions about the ability of the average (i.e. non-IT or Wilders savvy) user to grasp the concepts of AG while it is wrapped in a bunch of uniquely-named concepts.
    Frankly, I don't know how to simplify the learning curve unless all options are taken away as VoodooShield has done, for example - but that's not feasible I think.
     
  7. Well, with the new trusted vendor signing feature and applying Memory Protection only on Browsers (with flash, shock, PDF, Java and Silverlight and Libre/Office apps), I think they could launch an install and forget application for Home Users.

    I would opt for allowing trusted vendor apps installations only and drop the allowing signed apps feature to simplify things in guarded mode.
     
  8. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,592
    Location:
    The Netherlands
    So if you're using EXE Radar you don't really need AG and vice versa, I guess? :)

    Yes, but isn't that the same as what other HIPS also offer? With that I mean, trying to stop malicious apps from injecting code into other processes? This doesn't sound like true anti-buffer-overflow protection, like EMET and MBAE offer.
     
    Last edited: May 28, 2014
  9. FleischmannTV

    FleischmannTV Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,094
    Location:
    Germany
    I'd take AppGuard over an anti-executable any day, because it offers memory guard and restrictions of apps, which are already running, as well.
     
  10. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,648
    Location:
    USA
    I would prefer using them together, or with a good HIPS. AG provides additional protections as already mentioned that are not provided by an AE alone. AG also utilizes ASLR, and DEP protection.
     
  11. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    What is the difference between AppLocker and AppGuard? They seem to be the same thing of the same coin, similar to SRP, DEP and HIPS combined. I still don't know why AG is better, or in what way; maybe because it's a more all-round application, as others mentioned (more all-round than NVT Exe Radar Pro, although I decided to use both NVT and AG at the same time on my computer). However, I like AG's approach to protecting my computer, and that's why I'm using it.
     
    Last edited: May 29, 2014
  12. AndyBell

    AndyBell Registered Member

    Joined:
    May 29, 2014
    Posts:
    2
    Does anyone know if AppGuard is compatible with Logmein?

    Thanks...
     
  13. FleischmannTV

    FleischmannTV Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,094
    Location:
    Germany
    Just a quick question.

    I am currently using a VPN client which is installed in regular system space at C:\Program Files\... .
    I have noticed that, even though I run it from there, it needs to drop and launch an executable from C:\Users\Username\AppData\Local\Temp\ocr19A6.tmp\bin\ . The bold location is ever changing.

    Naturally it breaks everything if user-space launch protection stops it or if it is guarded because this process needs to write to the location of the installation folder in system space in order to function properly. Hence I have added the parent application as a power app, because I didn't know what else to do.
     
  14. chris1341

    chris1341 Guest

    Not really related, as you've tracked the reasons down here, but I've had problems with AG & VPN services in general. Currently (temporary?) not using AG & I have no issues. They manifested themselves in a number of ways, but it was always either impossible or very difficult to connect out. I could not really track them down, just that they worked with AG turned off and didn't even on install. Didn't add as power app, basically because I don't really want to have any power apps.

    With Mullvad I think it might have been to do with the program using cmd.exe (always guarded) to launch OpenVPN. With Security Kiss it may well have been to do with temp files created when trying to connect. Not sure.

    Anyone else have issues with those 2 (or others) and resolved it?

    Thanks
     
  15. Clive T

    Clive T Registered Member

    Joined:
    Dec 24, 2002
    Posts:
    189
    Location:
    Kent, UK
    If this is PIA let me know; I've come across a solution for this and I'll post it here.
     
  16. FleischmannTV

    FleischmannTV Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,094
    Location:
    Germany
    Yes it is PIA.
     
  17. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,281
    Location:
    UK
    Have you tried temporarily suspending launch protection from the tray icon before starting the VPN then immediately re-enabling launch protection again as soon as the VPN is up and running?

    If that works, it could be an alternative to making the parent application a Power App.
     
  18. Clive T

    Clive T Registered Member

    Joined:
    Dec 24, 2002
    Posts:
    189
    Location:
    Kent, UK
    Two solutions. Either add the local\temp folder to user space with a NO to include
    or
    See this post in the PIA forum. It's a bit long-winded but it works. It solved a similar issue I had with Outpost.

    EDIT: Wrong link!
     
  19. FleischmannTV

    FleischmannTV Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,094
    Location:
    Germany
    I'd rather make the parent process a power app than excluding the primary drop and launch location of malware from AppGuard's user space launch protection. Alternatively I would use the original OpenVPN client with the preconfigured profiles supplied by PIA, but thanks anyway ;)
     
  20. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,592
    Location:
    The Netherlands
    Yes, now that I think of it, EXE Radar is not only about stopping exploits, it's also about locking down a PC to protect against less knowledgeable people, so why not use them both. :)
     
    Last edited: May 30, 2014
  21. marzametal

    marzametal Registered Member

    Joined:
    Mar 19, 2014
    Posts:
    766
    Has anyone tried to inject P2P apps into AppGuard yet?
    I gave it a shot, both AppGuard and the P2P app throw up errors. However the downstream and upstream still work properly... added an entry in User Space ("Roaming" folder in User Profile with Include set to No) and in Guarded Apps (3 On's).
     
    Last edited: May 31, 2014
  22. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,648
    Location:
    USA
    I have the Torrent Client Tixati on my guarded apps list with memory read/write protection, and privacy mode enabled. Tixati is working flawlessly, and I have not even seen any blocked events from Tixati in AG's activity report. I guess the developer of Tixati follows good security coding practices for there not to be any blocked events in AG's activity report.
     
  23. marzametal

    marzametal Registered Member

    Joined:
    Mar 19, 2014
    Posts:
    766
    Sweet, I will give it a shot and see if I can bask in the glory of no blocked events!

    Now, another question, which has to do with Firefox 29.0.1 in a Sandbox on Windows 7 Home Premium 64bit...
    This isn't much of an issue for me, since it is the first time I have actually clicked on this button, and I doubt I will ever click on this button again. I just wanted to mention it here to see if any settings in AG can be tweaked.
    In a non-sandboxed Firefox, when I go to "Open File" it pops up with a dialog box, naturally to open a file. There is also a button in the dialog box called "Organize". When clicking on it, it pops up with a dropdown like this.
    dropdown.jpg
    When I try to click on that button in a sandboxed Firefox, it tries to expand but doesn't, also causes Firefox to stall and I see the following errors in AG:
    -------
    Prevented process <a2hooks64.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\sandbox\marzametal\defaultbox\drive\c\program files (x86)\emsisoft anti-malware>.
    Prevented process <sechost.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\sandbox\marzametal\defaultbox\drive\c\windows\system32>.
    Prevented process <advapi32.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\sandbox\marzametal\defaultbox\drive\c\windows\system32>.
    Prevented process <imagehlp.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\sandbox\marzametal\defaultbox\drive\c\windows\system32>.
    Prevented process <msvcrt.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\sandbox\marzametal\defaultbox\drive\c\windows\system32>.
    Prevented process <usp10.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\sandbox\marzametal\defaultbox\drive\c\windows\system32>.
    Prevented process <lpk.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\sandbox\marzametal\defaultbox\drive\c\windows\system32>.
    Prevented process <gdi32.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\sandbox\marzametal\defaultbox\drive\c\windows\system32>.
    Prevented process <user32.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\sandbox\marzametal\defaultbox\drive\c\windows\system32>.
    Prevented process <hmpalert.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\sandbox\marzametal\defaultbox\drive\c\windows\system32>.
    -------

    Any ideas?
    I saw some comments in previous posts about rundll32 and browsers, but the ones I read were related to emptying a sandbox after browser shutdown. Not really the same thing here since I don't get issues when emptying sandbox at all. I run AG in Lockdown Mode.
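
An added example, not part of the original post: a short Python parser for the activity-report lines quoted above, grouping the blocked modules by host process and mapping each sandboxed launch folder back to the folder it mirrors. The `<root>\<user>\<box>\drive\<letter>\...` layout is an assumption inferred from the logged paths, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# First three lines are copied from the post above; the fourth is constructed.
SAMPLE = r"""
Prevented process <a2hooks64.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\sandbox\marzametal\defaultbox\drive\c\program files (x86)\emsisoft anti-malware>.
Prevented process <sechost.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\sandbox\marzametal\defaultbox\drive\c\windows\system32>.
Prevented process <hmpalert.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\sandbox\marzametal\defaultbox\drive\c\windows\system32>.
Prevented process <example.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\users\example\downloads>.
"""

EVENT = re.compile(
    r"Prevented process <(?P<module>[^|>]+?)\s*\|\s*(?P<host>[^>]+?)>"
    r" from launching from <(?P<folder>[^>]+)>\."
)
# Assumed layout, inferred from the log: <root>\<user>\<box>\drive\<letter>\<rest>
SANDBOXED = re.compile(
    r"^[a-z]:\\sandbox\\[^\\]+\\(?P<box>[^\\]+)\\drive\\(?P<letter>[a-z])\\(?P<rest>.+)$",
    re.IGNORECASE,
)

def unsandbox(folder):
    """Return (box, mirrored_path); box is None when folder is not in a sandbox."""
    m = SANDBOXED.match(folder)
    if not m:
        return None, folder.lower()
    return m["box"].lower(), f"{m['letter']}:\\{m['rest']}".lower()

def summarize(report):
    """Group blocked modules by (host process, sandbox box, mirrored folder)."""
    groups = defaultdict(set)
    for m in EVENT.finditer(report):
        host = m["host"].rsplit("\\", 1)[-1].lower()
        box, folder = unsandbox(m["folder"])
        groups[(host, box, folder)].add(m["module"].strip().lower())
    return {key: sorted(mods) for key, mods in groups.items()}

if __name__ == "__main__":
    for (host, box, folder), mods in summarize(SAMPLE).items():
        where = f"sandbox '{box}'" if box else "outside any sandbox"
        print(f"{host} <- {folder} ({where}): {', '.join(mods)}")
```

Run over the full report, this shows at a glance whether every blocked launch came from inside the sandbox folder or whether some came from an ordinary user-space location.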
     
  24. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,648
    Location:
    USA
    What sandbox application are you using? What button are you talking about clicking on that you probably won't click on again? I don't use any sandbox applications, but we have a lot of users here that use Sandboxie with AG. It looks like you are using a sandbox with EAM from the event logs. I did not know Emsisoft had a sandbox with EAM. I may have to install EAM to see if I can help you if that is the case.
     
  25. marzametal

    marzametal Registered Member

    Joined:
    Mar 19, 2014
    Posts:
    766
    The sandbox application is called "Sandboxie" - http://www.sandboxie.com/
    The button I am talking about is seen in Firefox... click on FILE and select OPEN FILE. The dialog box that pops up looks like this:
    openfile.jpg
    Emsisoft does not have a sandbox with EAM or with Online Armor. I think EAM is trying to inject a hook. Since the highlighted button does work outside of the sandbox, but not in it... I guess it's a sandbox issue. 'Cause it works out of the sandbox properly, I can assume the event logs can be ignored?
     