AppGuard 4.x 32/64 Bit - Releases

Discussion in 'other anti-malware software' started by Jryder54, Oct 29, 2013.

Thread Status:
Not open for further replies.
  1. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,648
    Location:
    USA
    I installed Sandboxie to look into the issue you are experiencing. I'm using Windows 7 x64. I made the following two Sandboxie executables Power Apps as shown in the screenshot below. The Organize button is working fine for me in Medium Protection Mode. It expands just fine when sandboxed. I forgot to check it in Locked Down Mode, but I will as soon as I close my browser. I'm using Firefox sandboxed with Sandboxie to make this post. It's been a while since I have used Sandboxie, so I could do more testing to see if I discover any problems. Many users here use Sandboxie and AppGuard together, so they will work fine when configured correctly.
     

    Attached Files:

  2. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,648
    Location:
    USA
    It worked fine in Locked Down Mode also. I will do some more testing and see if any other configuration changes are needed. If Sandboxie has anything that launches from the user space then you could add it to the Publisher's List with the following settings to prevent AG from blocking Sandboxie launches from the user space, but so far I have not needed to do this: Guarded: No, Privacy: Off, Memory: Off, Install: Allow. I could add Sandboxie to the Publisher's List just to be safe, but I'm going to hold off for now just to see if AG blocks anything from Sandboxie due to not making Sandboxie a Trusted Publisher.
     
  3. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,648
    Location:
    USA
    Btw, I forgot to mention that AG does not have any blocked events for Sandboxie after making the two Sandboxie executables Power Apps as shown in the screenshot above. Sandboxie is working really well with AG. I may just keep Sandboxie installed.
     
  4. marzametal

    marzametal Registered Member

    Joined:
    Mar 19, 2014
    Posts:
    766
    Thanks CE! Woo hoo, no more stalls, it expands!
     
  5. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,207
    Welcome to us sandboxers, CE.

    You don't need to add anything from SBIE to Publishers or to Power Apps.

    Add the SBIE C:\Sandbox folder to Guarded Apps/Settings ... with Read/Write.
    Also add that folder to 'User Space' with the Include flag set to Yes, so that the programs sandboxed there are looked after by AG too.

    Those are the normal settings to make in AppGuard regarding Sandboxie. I did not care to look at what problems marza was having.

    In case you want to install some program into a sandbox instead of a normal installation, the way to go is 'Allow User Space Launches' from AG. After the install you disable that option again. Bear in mind that not all programs installed sandboxed work. My latest not-working experience was a math program I tried.
     
    Last edited: Jun 1, 2014
  6. Tyrizian

    Tyrizian Registered Member

    Joined:
    Apr 26, 2012
    Posts:
    2,838
    Is it possible to implement an option to "Deactivate current license from computer", rather than being in hopes that uninstalling deactivates the product?

    I am always afraid of losing my license, because it didn't deactivate properly.

    To me, this would ensure reactivation for people who need to reinstall their Operating System.

    Just an idea
     
  7. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,648
    Location:
    USA
    Jarmo, if Marzametal makes the changes you suggested then he will end up with the same problem that he was able to resolve by making sbiesvc.exe and start.exe Power Apps. I did as you suggested, and it did not resolve the issue reported by Marzametal. It only made the problem return. That is the behavior I am seeing on my machine anyway. It makes sense to add the C:\Sandbox folder to the user space, but it is causing Firefox to freeze/hang. I also added the C:\Sandbox folder to Guarded Apps/Settings ... with Read/Write. In Firefox try going to File in the upper left hand corner, and then click on Open File. Ok, now click on Organize in the upper left corner. Did Firefox freeze on your machine? I'm using Windows 7 x64. I think adding the C:\Sandbox folder to the user space will increase security, but it will cause Firefox to hang under some circumstances. I would have to do more testing to see if any other functionality is limited in Firefox with these settings. We definitely do not want Firefox freezing though. The only way to get Firefox to unfreeze is to disable AppGuard, and then wait approximately 20 seconds. Many users will not know to do this.
     
    Last edited: Jun 1, 2014
  8. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,648
    Location:
    USA
    Marzametal, if you want to do as Jarmo suggested to get the added security of adding the C:\Sandbox folder to the user space, then just don't use the Organize button anymore while sandboxed. You should also add the SBIE C:\Sandbox folder to Guarded Apps/Settings ... with Read/Write as Jarmo suggested. It will not resolve the problem you encountered, but you can just avoid using the Organize button for now. I have not found any more conflicts yet with these settings, but I have only been testing these settings for about 5 minutes now. As long as these settings do not cause some other unforeseen problem you should be good to go. I will let the community know if I find any other conflicts with these settings. I will contact BRN to make sure this is not a bug, and see if they have any other advice.
     
    Last edited: Jun 1, 2014
  9. marzametal

    marzametal Registered Member

    Joined:
    Mar 19, 2014
    Posts:
    766
    Well, tickle me pink and call me fruity... that works! It sure beats the approach I was using last night when I encountered the freeze (emptying sandbox and starting over). Thanks for the feedback. I did notice while I was working with your instructions CE, if the Include value for C:\Sandbox in User Space is changed to "No", then my problem is solved. However, from other posts in this thread, they all recommend a "Yes" setting for the Include value, so I will leave it as is.

    Adding this into AG: Advanced -> Power Apps -> From Sandbox directory "sbiesvc.exe" and "start.exe"... Since Power Apps are excluded from AG protection, wouldn't adding these two entries render the Guarded Apps and User Space entries moot?

    I will wait patiently for any reply you receive from BRN in relation to the Organize button problem. Thanks once again for your help, and cheers Jarmo P.

    EDIT: I just had a beer and felt some liquid courage come on, so I tried a Windows 7 registry tweak. The tweak removes the Organize button from Explorer. My thinking was that the other apps would inherit the new mod as well... Alas, my assumption was incorrect. Firefox still showed the Organize button.
     
    Last edited: Jun 1, 2014
  10. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,648
    Location:
    USA
    Yeah, I was saying in my last post you can do as Jarmo recommended. It just won't resolve your problem. It will provide better security though. If you don't add the C:\Sandbox folder to the user space then AG will not block executions in the Sandbox. I will let you know what BRN says when I get time to report it. I should be able to report it within the next few days. I'm testing several other applications right now, so it's taking up a lot of my time.
     
  11. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,281
    Location:
    UK
    Adding user-space launch protection for sandboxes used for web browsing does increase security but if it is causing Firefox to freeze under some circumstances, rather than disabling AppGuard entirely, an alternative method would be to temporarily suspend launch protection by right-clicking the tray icon and selecting Allow User Space Launches -> Guarded from the context menu.
     
  12. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,648
    Location:
    USA
    Yes, that should work as well, or he could just not click on the Organize button in Firefox, lol. I don't have Sandboxie installed right now due to testing some other software, but I'm going to report this to BRN as soon as I get a chance. They can look at it just to make sure it is not a bug. I don't have much time to spend on it presently, but I will do more testing as soon as I get a chance. I forgot to save my AG log when I rolled back my machine, so I will need to reproduce it again to send BRN the activity log, or they can very easily reproduce this one on their own.
     
  13. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,592
    Location:
    The Netherlands
    Yes you're right, let's continue in this thread. The way that I see it: apps like EMET and MBAE are trying to stop exploits in stage 1, and apps like ERP and AG are trying to stop exploits in stage 2. In stage 1 an app gets terminated as soon as memory corruption is detected; in stage 2, the payload gets blocked, in other words, the exploit can't load another malicious process. Am I correct? :)
     
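The stage 2 behaviour described in the post above, a guarded process such as the browser launching a new process out of user space, is also the pattern that shows up in Windows process-creation auditing even where no anti-executable is installed. The PowerShell script below is an added example and is not code from the thread, from AppGuard or from EMET. It assumes 'Audit Process Creation' (Security event 4688) is enabled and, for the live path, that the ParentProcessName field is present in the event (Windows 10 / Server 2016 and later; Windows 7-era 4688 events carry only the creator process ID) and that command-line logging has been switched on. The guarded-parent list and the two sample events are constructed for the example.

```powershell
# Added example (not from the thread, AppGuard or EMET): flag "stage 2" launches,
# i.e. a guarded parent such as the browser creating a process whose image lives
# in user space. The sample events at the bottom are constructed, not real logs.
$GuardedParents = @('firefox.exe', 'chrome.exe', 'iexplore.exe', 'acrord32.exe')   # assumed guarded list
$UserSpaceRoots = @($env:USERPROFILE, $env:TEMP, 'C:\Sandbox', 'C:\Users\Public') |
                  Where-Object { $_ }                                               # drop unset variables

function Test-UserSpaceLaunch {
    param([string]$ParentImage, [string]$NewImage)
    $parentName = [System.IO.Path]::GetFileName($ParentImage).ToLower()
    if ($GuardedParents -notcontains $parentName) { return $false }
    foreach ($root in $UserSpaceRoots) {
        if ($NewImage.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

function Get-StageTwoCandidates {
    param([object[]]$Events)
    foreach ($e in $Events) {
        if (Test-UserSpaceLaunch -ParentImage $e.ParentProcessName -NewImage $e.NewProcessName) {
            [pscustomobject]@{
                Time        = $e.TimeCreated
                Parent      = $e.ParentProcessName
                Child       = $e.NewProcessName
                CommandLine = $e.CommandLine
            }
        }
    }
}

# Live path: read real 4688 events and project the three fields the check needs.
function Get-ProcessCreationEvents {
    param([int]$MaxEvents = 500)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents $MaxEvents |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            TimeCreated       = $_.TimeCreated
            ParentProcessName = $d['ParentProcessName']   # present on Windows 10 / Server 2016 and later
            NewProcessName    = $d['NewProcessName']
            CommandLine       = $d['CommandLine']         # needs command-line auditing enabled
        }
    }
}

# Constructed sample: one drop-and-run into the Sandboxie container, one legitimate child.
$Sample = @(
    [pscustomobject]@{
        TimeCreated       = '2014-06-01 10:00:01'
        ParentProcessName = 'C:\Program Files\Mozilla Firefox\firefox.exe'
        NewProcessName    = 'C:\Sandbox\user\DefaultBox\user\current\AppData\Local\Temp\update.exe'
        CommandLine       = 'update.exe /silent'
    },
    [pscustomobject]@{
        TimeCreated       = '2014-06-01 10:00:05'
        ParentProcessName = 'C:\Program Files\Mozilla Firefox\firefox.exe'
        NewProcessName    = 'C:\Program Files\Mozilla Firefox\plugin-container.exe'
        CommandLine       = 'plugin-container.exe'
    }
)

Get-StageTwoCandidates -Events $Sample | Format-Table -AutoSize
# Against the real log: Get-StageTwoCandidates -Events (Get-ProcessCreationEvents) | Format-Table -AutoSize
```

With the two constructed events only the first one is reported: firefox.exe is on the guarded list and update.exe sits under C:\Sandbox, whereas plugin-container.exe lives under Program Files and is left alone. That is the same decision an anti-executable makes at launch time, here applied after the fact to the audit trail; it says nothing about stage 1, which is why the memory-corruption question in the thread has to be answered separately.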
  14. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,592
    Location:
    The Netherlands
    This is a question from another thread, perhaps better to post it here?
     
  15. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,648
    Location:
    USA
    I'm not sure that you are correct. If the memory is prevented from becoming corrupted then how is that not stage 1?
     
  16. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,592
    Location:
    The Netherlands
    That's why I would like to know more about the memory protection feature in AG. Because if I'm correct, AG can not stop stage 1 of the exploit.
     
  17. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,648
    Location:
    USA
    I would have to leave that one up to the developers to answer. AG blocks executions, but it uses a different method than whitelisting. You can consider a HIPS and a BB an AE in the sense that they all block executions. AG uses something BRN calls conclaves, if I remember their terminology correctly. I will send you some info I have on AG. It's a bit outdated, but still covers how AG functions better than anything else I have found.
     
    Last edited: Jun 5, 2014
  18. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,592
    Location:
    The Netherlands
    Yes, you can PM me. :)
     
  19. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,648
    Location:
    USA
    PM just sent.
     
  20. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,592
    Location:
    The Netherlands
    Perhaps it's better to delete this post, and post it over here. It's best not to hijack ERP's thread.

    https://www.wilderssecurity.com/thre...ks-exe-radar-pro.300552/page-143#post-2378847

    And I've read part of the manual, way too complex if you ask me. :cautious:

    This is from the ERP thread, but I will respond over here. Can you tell me how these attacks were stopped? Is it because of the anti-exe function? Or did AG's Memory Guard also play a role? EMET does not have any anti-exe function, but if it's true, then it's proof that anti-exe is quite powerful protection against exploits. It almost makes you wonder if memory protection like in EMET is even needed?
     
    Last edited: Jun 5, 2014
  21. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,648
    Location:
    USA
    Rasheed, here is some information from the literature I sent you on how AG handles DLLs. Loading of DLLs is now conditioned based on digital signature and trusted publisher policy. So for instance, if a DLL's publisher is on the trusted publisher list, it will be allowed to load. The DLL will be Guarded if the process that is loading it is Guarded. Also, User-Space DLLs can now be white-listed. I'm not aware of any changes being made to this, but it's possible some were made that I'm not aware of.

    I think the biggest change to the literature I sent you is that the High Mode of protection is now called Medium. There were also some changes made to the memory protection to prevent conflicts with some applications.
     
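Two points made earlier in the thread can be checked from outside AppGuard: the advice to add the Sandboxie container to User Space with Include set to Yes so that anything dropped there is treated as a user-space launch (post 5, and post 10's remark that without it AG will not block executions in the Sandbox), and the trusted-publisher condition on loading DLLs quoted just above. The PowerShell script below is an added example and is not code from the thread, from AppGuard or from Sandboxie. It assumes the default container root C:\Sandbox and PowerShell 3.0 or later; the entries in $TrustedPublishers are placeholders to be replaced with the subjects from your own Publisher's List, and the allow/block verdict it prints models the rule as the thread describes it, not AppGuard's actual engine.

```powershell
# Added example (not from the thread, AppGuard or Sandboxie). Walks a Sandboxie
# container and reports, per PE file, the Authenticode status and signer, then
# applies the rule as described in the thread: validly signed by a trusted publisher
# -> allowed to load; anything else in user space -> candidate for a launch block.
param(
    [string]$ContainerRoot = 'C:\Sandbox',       # default Sandboxie root (assumption)
    [string[]]$TrustedPublishers = @(            # placeholder subjects; use your own Publisher's List
        'CN=Mozilla Corporation',
        'CN=Microsoft Corporation'
    )
)

function Get-SandboxBinaryReport {
    param([string]$Root, [string[]]$Trusted)

    if (-not (Test-Path -LiteralPath $Root)) {
        Write-Warning "Container root '$Root' not found; nothing to audit."
        return
    }

    # PE files that the sandboxed browser (or anything else) has written into user space.
    Get-ChildItem -Path $Root -Recurse -File -Include '*.exe', '*.dll', '*.scr', '*.com' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig     = Get-AuthenticodeSignature -LiteralPath $_.FullName
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

        # A file passes only if the signature chain is valid AND the signer subject
        # matches a trusted-publisher entry. A valid signature from an unlisted
        # publisher is still reported as a block candidate, which is the point of
        # keeping the publisher list short.
        $trusted = ($sig.Status -eq 'Valid') -and
                   [bool]($Trusted | Where-Object { $subject -like "*$_*" })

        [pscustomobject]@{
            Path      = $_.FullName
            Kind      = $_.Extension.ToLower()
            SigStatus = $sig.Status
            Publisher = $subject
            Verdict   = if ($trusted) { 'allow: trusted publisher' } else { 'block: user-space launch' }
        }
    }
}

Get-SandboxBinaryReport -Root $ContainerRoot -Trusted $TrustedPublishers |
    Sort-Object Verdict, Path |
    Format-Table -AutoSize
```

Run it after a browsing session in the sandbox, before the container is emptied. Anything in the "block" column that you expected to run (a sandboxed installer, a browser helper) is a candidate for the Publisher's List or, as done earlier in the thread for sbiesvc.exe and start.exe, for a Power App entry; anything you do not recognise is exactly what the User Space rule exists to stop, and is a reason to keep Include set to Yes despite the Organize button problem.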
  22. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,648
    Location:
    USA
    Yes, thank you for bringing that to my attention. I thought I was in AG's thread when I made the post. I had multiple tabs open, and clicked on the wrong tab. I know it looks bad that I did that after switching the discussion to this thread due to it not being related to ERP. It has been deleted.
     
    Last edited: Jun 5, 2014
  23. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,648
    Location:
    USA
    You don't have to understand how it accomplishes mitigation of malware though in order to use it. It helps though when deciding if something needs to be a guarded app, power app, trusted publisher, etc.. I would say AG's default configuration is optimal though for most users. The most common exploitable applications are already on the guarded apps list. They do not have to be on the guarded apps list though for AG to protect you when using them. I could explain the difference in having them on the guarded apps list, but I honestly do not have the time at the moment.
     
  24. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    7,353
    Location:
    Hawaii
    May I also have a copy of that PM? (I thought this silly forum called it a conversation vice PM?)
     
  25. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,648
    Location:
    USA