AppGuard 4.x 32/64 Bit - Releases

Discussion in 'other anti-malware software' started by Jryder54, Oct 29, 2013.

Thread Status:
Not open for further replies.
  1. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    Yes he confirmed it yesterday with one of the EMET developers (while at Black Hat):

    EMET GUI is in .NET but the engine is a native code (C/C++).
    EMET purely works on the user level and has no Kernel component.
    Like AG’s Guarded app concept it is recommended for risky applications but not for all applications.
    He further commented (this is my expert - not Microsoft):

    AG has no conflict with EMET when properly configured and we welcome EMET as probably the best HIPS technology. But there are multiple cases in the past including for IE protection, out of the box EMET protection could not deter unless a particular (“signature”) EMET configuration suggested per the attack. Even then such remedy usually broke the functionality of the underlying application for the sake of protection. So in such cases until EMET remedy is provided still AG will effectively protect users.

    EMET is a great technology, not for every user, not for every company as the overhead of maintaining compromise between “breaking” for the sake of stringent protection vs application productivity is always a challenge as EMET in edge cases (which happens to be the case in the recent 0-day attacks on some applications including IE) relies on nondeterministic thresholds/heuristics controls. We still believe it is a great technology and we applaud Microsoft’s efforts to make this technology available for advanced users. But ultimately it is not a one-for-all tool as a 0-day protection by AG is still important protection step.

    AG does not compete with EMET nor it attempts to replace it. At the same time EMET cannot replace what AG offers as effortless 0-day protection.​

    Now can we stop talking about EMET in the AppGuard thread? Really, I'm just kidding!!!! These are great discussions and we welcome them.
     
  2. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    Thanks. I responded. It checked our license server and it does appear that at some point you installed 4.1 and reverted back to 4.0. I think something was left over from the 4.1 installation. Anyway, that is my theory for now (but I've been know to be incorrect before).
     
  3. Syobon

    Syobon Registered Member

    Joined:
    Dec 27, 2009
    Posts:
    469
    Yes, Mam :blink:
     
  4. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I had to chuckle when I read that as technically it is off topic, but there is such an interest and crossover with things like Appguard, ERP EMET, and others that in some cases the benefit outweighs the technicality. Hopefully you've answered them very well and we can wind it down.

    Barb, for me this was indeed very helpful, and it solidified a decision I've been toying with. Namely I've removed EMET. One huge difference... when Appguard causes a problem, the activity report aids in finding it and fixing it. When EMET blocks or crashes something it's a huge guessing game.

    Anyway thanks again to Barb and BRN for the good info.

    Pete
     
  5. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,718
    Location:
    Gaia
    Let's hope that final release is close.....
     
  6. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    13,631
    Location:
    The Netherlands
    Well, that´s the thing, even experts say it is quite hard to test these tools against ITW exploits. And yes I already knew about the difference between tools like EMET, MBAE and AG, but some others clearly did not. :)

    Perhaps an idea to still give this option for people who want total control.
     
  7. FleischmannTV

    FleischmannTV Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,094
    Location:
    Germany
    @Barb_C

    Regarding the "update not available" issue on my computer, may I manually upgrade to the latest Beta or do you need me to stay on the old one in order to test it again?
     
  8. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,281
    Location:
    UK
    BRN have always said that AppGuard is intended to be easy to use for the average user. Expert users who want total control should probably consider using a classical HIPS instead.

    As regards MemoryGuard, I'm not sure that preventing unguarded executables from injecting code into the memory space of running processes would increase security by much, given that they already have the potential to infect the system by dropping other executables into system space and running them unguarded. Providing that the user ensures that all untrusted system space executables are explicitly guarded by adding them to the Guarded Apps list, MemoryGuard will work fine as is, and it does help to keep compatibility issues with other applications to a minimum.

    Guarding untrusted system space executables is absolutely key to AppGuard protection.

    Applications are untrusted, not because they are malicious in themselves, but because they have the potential to be exploited for malicious purposes. This includes all Internet-facing applications and all applications used to load data files that may contain embedded code. User space executables are automatically untrusted anyway, and will either run guarded or not run at all, depending on the protection level, whether they are digitally signed, and whether or not they have been added to the Guarded Apps list.
     
  9. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    It is fine for you to move on. Thanks for working with us on this.
     
  10. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    We found a bug. It is related to the Trusted Publisher List. I've reached out to the original developer on this because the bug looks too easy to fix (I want to know what his intention was before we make a change at this point). The bug is limited to Trusted Publishers that you want to Guard (or place in Privacy Mode). It appears that AG is not recognizing if you want to Guard a Trusted Publisher. Since our default policy is to not Guard any Trusted Publisher, it was only recently detected by QA. I did a quick search on this thread to see if anyone reported anything similar and with the exception of one post (related to iTunes) I don't think that anyone reported anything here (forgive me if I missed it). That doesn't surprise me though because I think most of you either remove the Trusted Publishers or leave them as is.

    Again, it looks like an easy fix, but if we make this change, I think we'll need to do extensive regression testing in the area of user-space protection. On the bright side, we'll get to go through another round of beta update testing (oh joy!).
     
  11. Yep on my netbook/tablet running win 8.1, I removed all except hardware related (adding updating programs as power aps). I thought I noticed it (requesting to exclude guarded programs from allowing to install even when they were from a trusted vendor), to me it looked like a potential entry which could be misused (when memory protection was not on for that guarded application).
     
  12. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,718
    Location:
    Gaia
    Thanks for detailed answer, Barb! :)
    Take all the time you need.
     
  13. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    13,631
    Location:
    The Netherlands
    I still don´t get this "user vs system space" thing, but is it correct that if you run some trusted "digitally signed" app (from the desktop), it can inject code into let´s say the browser which is "guarded"? If so, then it is a huge risk, because what if you wrongfully trust some app? I think that´s why BoerenkoolMetWorst asked about this feature. :)
     
    Last edited: Aug 7, 2014
  14. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,605
    Location:
    USA
    Could someone tell me where the latest beta is posted. I read it was posted somewhere in the thread, but I never did see a link to the installer.
     
  15. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,605
    Location:
    USA
    I don't think it would be allowed to inject code in the browser. I could be wrong though. AG will allow signed software to run from the userspace in medium mode of protection, but it basically sandboxes it. There's a video on youtube of AG allowing the flameworm to run due to it being signed, but AG still prevents the system from becoming infected.
     
  16. syrinx

    syrinx Registered Member

    Joined:
    Apr 7, 2014
    Posts:
    427
    The latest beta isn't posted separately to my knowledge- just the one public link that I don't know has been updated. However using that links file you can install then update to the latest beta after the fact.
    https://blueridgenetworks.s3.amazonaws.com/AppGuardSetup.exe


    @Rasheed187
    In medium digitally signed apps may launch but are guarded automatically if launched from user space such as the desktop so they can not alter the memory of other programs. This is because the desktop exists within a folder in the user directory.

    Think of it like this, the OS drive is by default treated entirely as 'System Space'

    System Space or the 'rest' of the drive the OS resides upon- is left alone. (except where specific rules exist) This results in a simplistic but rather effective method where key intrusion points are guarded and prevented from messing with the 'rest' without the need to monitor or guard everything.

    You could almost think of 'System Space' as trusted and 'User Space' as untrusted areas.

    The rules within the User Space tab are directly responsible for applying 'User Space' areas to the OS drive. (generally the OS drive will be C:\)
    This results in ProgramData and "User" Folder paths being retrieved and written into the settings file upon first launch.

    On medium, Anything launched within these 'untrusted areas' or user space-is stopped from running unless it is digitally signed. Even if it is signed and then allowed to run, it is unable to make changes to the 'trusted' area, (system space) or any programs memory, effectively isolating it and making it unable to propagate or change the system.

    It is not just Program Files and Windows that are considered 'System Space' but any space not strictly defined inside the "user space" tab of the interface.
    Note that this holds true only for the system drive (eg c:\) as all others drives are are treated as user space (untrusted) by default.

    Hopefully I didn't confuse you even more.
     
    Last edited: Aug 7, 2014
  17. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    5,542
    Location:
    North Carolina, USA
    Hello,

    That is correct (and the last beta installer link that was posted). See Barb_C post here: https://www.wilderssecurity.com/threads/appguard-4-x-32-64-bit.355206/page-73#post-2395859
    Since a few issues have been encountered, Barb_C has not made that update to the site yet.
    The only way at the moment to get the current beta is to install the older beta version and let it update itself to the current version...
     
  18. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,605
    Location:
    USA
    Ok, thanks Syrinx, and puff! I think that's the build I already had. I just did not expect to use the same installer since the auto update feature failed on my machine with the previous installer. If the auto update failed for me before with this installer then i'm not sure how it will work for me now, but I will try. Thanks!
     
  19. syrinx

    syrinx Registered Member

    Joined:
    Apr 7, 2014
    Posts:
    427
    If you have problems with the auto-install you can find the downloaded exe at
    XP
    Documents and settings\All Users\Application Data\Blue Ridge Networks\AppGuard

    Vista+
    ProgramData\Blue Ridge Networks\AppGuard
     
  20. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,281
    Location:
    UK
    I see that syrinx has already answered this - thanks syrinx!

    As syrinx said, the desktop is part of user space. Any executable launched from user space will automatically be guarded and will not be able to inject code into the browser or any other running process.

    System space consists of all files and folders on the operating system drive, except for the current user profile which is user space. Additional local drives, network drives, and removable media, are all user space. As the desktop is a subfolder within the current user profile, it is part of user space.

    What is unique to AppGuard is the concept of a trusted enclave. It is this that distinguishes AppGuard from other approaches based on behavioural monitoring; although as with other behaviour blockers, AppGuard has HIPS and AE features in its implementation.

    The trusted enclave is the core part of the computer system that, because it is trusted, has full access. The primary purpose of AppGuard is to protect the enclave. Whilst the region outside the enclave may be compromised, it must never be allowed to compromise the region inside the enclave. Everything that lies outside the enclave is placed under AppGuard protection to ensure that it can't compromise the enclave.

    There is a close relationship between system space and the trusted enclave but they are not the same thing. Some executables located in system space cannot be trusted and must be outside the enclave. This is done by adding them to the Guarded Apps list. By default, user space lies outside the enclave, so any executables run from user space will automatically be guarded.
     
    Last edited: Aug 8, 2014
  21. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    One other thing to note. There are times I will run an exe from the desktop that I am not 100% sure of, so I use the sys tray menu and select allow user space launches>guarded. This way if they misbehave I am still protected.

    Pete
     
  22. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    If you run a digitally signed application from the desktop, it will be Guarded as well and can't inject code into any application unless it is signed by a trusted publisher and the trusted publisher's MG setting is set to No. Even with the bug in 4.1, the default policy of memory guarding a trusted publisher works.
     
  23. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    The auto-update should work with the new installer.
     
  24. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,605
    Location:
    USA
    I'm using Windows 7X64 Ultimate. I uninstalled the latest stable build of AG, and installed AG beta using the latest beta installer. Opera is on the Guarded apps list 3 times now. I was using launcher.exe to guard Opera, and AG added the two additional opera.exe files from each of the Opera installation folders as you can see from the screenshot below. I would suggest that BRN uses launcher.exe to guard Opera instead of the Opera.exe file since Opera always has 2 installation folders. I definitely don't want Opera on the guarded apps list 3 times.
     

    Attached Files:

  25. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,605
    Location:
    USA
    AppGuard has C:\users\current user with the include flag set to yes. Why not just add C:\users with the include flag set to yes so all user profiles are included? The current policy allows executables to execute from C:\users, and C:\users\public on my machine. I did test to see if AG would allow my browser to write to those paths, and AG did successfully block Firefox from writing to those two paths. If an application not on the guarded apps list is able to drop executables to C:\users then it's game over. Is there any reason that C:\users should not be added to the userspace with the include flag set to yes?
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.