AppGuard 4.x 32/64 Bit

Discussion in 'other anti-malware software' started by Jryder54, Oct 29, 2013.

  1. Jryder54

    Jryder54 Registered Member

    Joined:
    Sep 3, 2013
    Posts:
    214
    Congrats to the Blueridge Appguard team. It is working great for me so far!:thumb:

    It seems to me like a good time for a new thread.
     
  2. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    I'd love to see some screenshots, if anyone should be so inclined.
     
  3. Jryder54

    Jryder54 Registered Member

    Joined:
    Sep 3, 2013
    Posts:
    214
    Still need to tweak some but here it is

    1.PNG
    2.PNG
    3.PNG
    4.PNG
    5.PNG
     
  4. Jryder54

    Jryder54 Registered Member

    Joined:
    Sep 3, 2013
    Posts:
    214
  5. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,279
    Location:
    UK
    AppGuard v4.0 Getting Started Tutorial for New Users

    1. Introduction

    This is a guide for new users to getting started with AppGuard v4.0. It should be read in conjunction with the official help file and release notes to gain a full understanding of product features. A previous version of this guide for AppGuard v3.x can be found here: AppGuard - New Getting Started Tutorial wanted.

    Before looking at how to customize AppGuard, a few remarks on the approach that AppGuard takes to securing the system may be helpful.

    AppGuard looks at the whole computer system as consisting of two parts. There are files, processes, and registry keys forming a sub-system within the whole that must be protected against being compromised by malware. This sub-system is called a trusted enclave. The primary goal of AppGuard is to protect objects within the trusted enclave. Objects that lie outside the trusted enclave may be compromised by malware but they must be prevented from compromising objects within the trusted enclave.

    To enforce this security model, AppGuard has some basic concepts.

    1.1. System-Space

    System-Space consists of objects located within the trusted enclave and contains everything that is not considered to be User-Space. System-Space includes the Windows and Program Files folders. System-Space executables run as unguarded applications unless they are explicitly defined as guarded applications.

    1.2. User-Space

    User-Space consists of objects located outside the trusted enclave and contains the current user profile plus any additional partitions. User-Space executables automatically run as guarded applications, except where some are explicitly unguarded by customization.

    1.3. Guarded Applications

    Guarded applications are untrusted applications that have the potential to compromise the trusted enclave if not restricted on execution. If located in User-Space, applications are automatically untrusted and guarded on execution. If located in System-Space, applications can be explicitly defined as untrusted and guarded on execution. Applications that should be untrusted include Internet-facing applications and applications that load data files that may contain malicious code.

    Guarded applications have read/write access to User-Space, but read-only access to System-Space. Any child process spawned by a guarded application will also inherit the same set of restrictions as its parent and run guarded.

    1.4. Unguarded Applications

    Unguarded applications are trusted applications located within System-Space. All applications located within System-Space are automatically trusted unless they are explicitly defined as guarded applications.

    Unguarded applications have read/write access to both User-Space and System-Space.

    1.5. Protection Level

    The protection level determines the way in which the various AppGuard features are applied and the degree of restriction and protection that AppGuard provides.

    Medium is the default. For many users, it represents the best compromise between security and usability. It will allow automatic updates for guarded applications. Medium will allow applications to run guarded from User-Space if digitally-signed by a trusted publisher.

    Locked Down is the most secure level but will not allow installation or updates from the Internet. It should be used in situations where increased security is required. Locked Down will only allow applications to run from User-Space if explicitly listed as guarded applications in the Guarded Apps tab.

    Install allows protection to be lowered when installing, uninstalling, or updating software. If the installation requires a reboot, the “Automatically resume . . .” checkbox should be unchecked. This checkbox will be displayed when the protection level slider is lowered to Install from within the GUI. Unchecking this will cause AppGuard to remain in Install mode throughout the restart to allow the installation to complete without risk of interference.

    Off is self-explanatory. Protection cannot be turned off from within the GUI. To turn off all AppGuard protection, right-click the tray icon and select Off from the Protection Level menu.

    1.6. MemoryGuard

    MemoryGuard prevents guarded applications from being able to read from or write to the memory space of other running applications. Most MemoryGuard blocked events don’t impact the normal functioning of applications and can usually be ignored. MemoryGuard applies to all guarded applications, except for applications listed in the Guarded Apps tab when running at the Medium protection level. At the Medium protection level, MemoryGuard will work as configured in the Guarded Apps list. At the Locked Down protection level, MemoryGuard will apply to all guarded applications, irrespective of configuration in the Guarded Apps list.


    2. AppGuard Customization

    The AppGuard customization tabs are accessed by clicking the Customize button in the GUI. There are five tabs: Alerts, User-Space, Guarded-Apps, Publishers, and Advanced.

    2.1. Blocked Events and Alerts

    The AppGuard Activity Report available within the GUI is where blocked events are displayed. Most blocked events do not impact the ability of a program to function normally and can be ignored. Future occurrences of a blocked event can optionally be suppressed from being reported by right-clicking on it and creating an Ignore Message rule. An Ignore Message rule does not suppress the blocked event itself: just the reporting and/or logging of it.

    Right-clicking on a blocked event and selecting Message Info enables the full path name to be displayed without creating an Ignore Message rule. This can be useful to identify the executable that generated the event.

    The Alerts tab allows the way different types of alerts are handled to be customized. It is also where Ignore Message rules are displayed and can be edited. Wildcards can be used to make Ignore Message rules more generic.

    2.2. Moving a System-Space Folder to User-Space

    Windows and Program Files folders may not be moved to User-Space as they are core components of the trusted enclave. Where allowed, this is a two-step procedure involving both the User-Space and Guarded Apps tabs.

    The System-Space folder to be moved is added to the list in the User-Space tab, setting the Include flag to Yes in order to guard its executables. The folder is also added as an Exception Folder via the Guarded Apps tab, with the Type flag set to Read/Write in order to unprotect it and allow all guarded executables write access.

    An example is Sandboxie. The sandbox container folder is by default located in System-Space. For Sandboxie to work, guarded applications running sandboxed must be able to write to it. For optimum security, all executables launched from the sandbox container folder should also be guarded. To achieve both goals, the folder has to be moved from System-Space to User-Space. Alternatively, the Sandboxie GUI could be used to relocate the sandbox container folder to an additional partition if there is one, in which case the folder would automatically be in extended User-Space without any AppGuard customization.

    2.3. Moving a User-Space Folder to System-Space

    This is also a two-step procedure involving both the User-Space and Guarded Apps tabs.

    The User-Space folder to be moved is added to the list in the User-Space tab, setting the Include flag to No in order to unguard its executables. The folder is also added as a Protected Resource via the Guarded Apps tab, with the Type flag set to Read Only in order to protect it and prevent any guarded executables from having write access.

    An example might be to prevent write access by guarded applications to an additional partition containing system objects. By default, AppGuard treats additional partitions as an extension of User-Space and allows read/write access. Any programs within the partition that require guarding would then be explicitly added as guarded applications in the Guarded Apps tab in the usual way.

    2.4. Unguarding User-Space Applications

    By default, User-Space executables are untrusted and automatically run as guarded applications. In order to override this, a User-Space executable or folder can be added in the User-Space tab with the Include flag set to No. Note that this only partially moves a User-Space folder to System-Space as write protection for guarded applications has not been applied.

    2.5. Guarding System-Space Applications

    By default, System-Space executables are trusted and automatically run as unguarded applications. In order to override this, applications can be listed as Guarded Apps in the Guarded Apps tab. Separate flags can be set for each guarded application that control whether Privacy and MemoryGuard features are enabled. Several untrusted applications are already predefined in the Guarded Apps list when AppGuard is first installed; others can be manually added later.

    2.6. Private Folders

    A folder can be made a Private Folder by adding a folder entry in the Guarded Apps tab and setting the Type flag to Deny Access. This is useful to prevent guarded applications such as web browsers from having any access to folders containing confidential data. Private Folders will automatically be enabled for any application not in the Guarded Apps list that has been allowed to run guarded from User-Space. For applications in the Guarded Apps list, Private Folders will work as configured: Private Folders will only be enabled for applications in the Guarded Apps list where the Privacy flag is set to Yes.

    2.7. User-Space Protected Resources

    A folder in User-Space can be made a Protected Resource by adding a folder entry in the Guarded Apps tab and setting the Type flag to Read Only. Note that this only partially moves the folder to System-Space as automatic guard protection for launches from the folder has not been removed.

    2.8. System-Space Exception Folders

    A folder in System-Space can be made an Exception Folder by adding a folder entry in the Guarded Apps tab and setting the Type flag to Read/Write. Note that this only partially moves the folder to User-Space as automatic guard protection for launches from the folder has not been applied.

    2.9. Trusted Publishers

    The Publishers tab enables digitally-signed executables from trusted publishers to be run as unguarded applications from User-Space. This allows software installs and updates to be applied from trusted publishers in the list who sign their executables when running at the Medium protection level without having to reduce the protection level to Install.

    2.10. Power Applications

    Applications listed as Power Applications in the Advanced tab will never run as guarded applications, even if executed as a child process of a guarded application. For this reason, this feature should only be used with trusted applications (e.g. other security programs), and only then when necessary to resolve a problem.

    2.11. Miscellaneous Features

    In addition to Power Applications, the Advanced tab is where some miscellaneous features not covered elsewhere are managed.

    The Stop Protection checkbox controls the enabling/disabling of TamperGuard. TamperGuard should normally be enabled but it can be temporarily disabled if there is a requirement to manually stop the AppGuard service or to manually edit the AppGuard policy XML files that are located within the user AppData folders.

    The Enable Privileged Mode checkbox is unchecked by default. If checked, a hidden Reset all settings to default button will be displayed that enables all customization to be undone.

    Parental Control enables the AppGuard customization option permissions to be individually set for each user.

    Suspension Timeout enables the suspension timeout value in minutes to be specified. When protections are temporarily suspended via the system tray icon right-click menu or the protection level lowered to Install, any suspended protections and/or the previous protection level will automatically be re-enabled after the specified number of minutes has elapsed.


    Edited by Peter2150 to attach PDF file of this guide that can be downloaded
     


    Last edited by a moderator: Oct 30, 2013
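The guide above describes AppGuard's enclave rules in prose; the following is an added toy model of those rules (my own constructed example, not pegr's work and not Blue Ridge code) that decides whether a launch runs guarded and what access a guarded process gets to a path. It assumes the Medium protection level, ignores the Trusted Publishers tab, and, where the guide states no precedence, lets folder entries in the Guarded Apps tab take priority; all paths and names in it are constructed.

```python
# Added toy model of the enclave rules in pegr's guide (constructed; not Blue Ridge code).
# Assumes the Medium level, ignores Trusted Publishers, and lets Guarded Apps folder rules win.
from dataclasses import dataclass, field
import ntpath

ACCESS = {"Deny Access": "none", "Read Only": "read", "Read/Write": "read/write"}

def _under(path, folder):
    # Case-insensitive "path is inside folder" check for Windows-style paths.
    p, f = ntpath.normcase(path), ntpath.normcase(folder.rstrip("\\"))
    return p == f or p.startswith(f + "\\")

@dataclass
class Policy:
    user_space: list                                   # profile + extra partitions (1.2)
    userspace_tab: dict = field(default_factory=dict)  # folder -> Include "Yes"/"No" (2.2-2.4)
    guarded_apps: set = field(default_factory=set)     # System-Space exes listed as guarded (2.5)
    folder_rules: dict = field(default_factory=dict)   # folder -> Type flag (2.6-2.8)
    power_apps: set = field(default_factory=set)       # Advanced tab Power Applications (2.10)

    def in_system_space(self, path):
        # Everything outside User-Space is System-Space (1.1). The User-Space tab overrides:
        # Include=Yes guards launches from the folder, Include=No unguards them.
        for folder, include in self.userspace_tab.items():
            if _under(path, folder):
                return include == "No"
        return not any(_under(path, root) for root in self.user_space)

    def is_guarded(self, exe, parent_guarded=False):
        if exe in self.power_apps:            # never guarded, even as a child (2.10)
            return False
        if parent_guarded:                    # children inherit the restrictions (1.3)
            return True
        if exe in self.guarded_apps:          # explicitly untrusted System-Space app
            return True
        return not self.in_system_space(exe)  # User-Space launches are guarded by default

    def access(self, exe, target, parent_guarded=False):
        """Return 'none', 'read' or 'read/write' for exe touching target."""
        if not self.is_guarded(exe, parent_guarded):
            return "read/write"               # unguarded apps may write anywhere (1.4)
        for folder, kind in self.folder_rules.items():
            if _under(target, folder):        # Private / Protected / Exception folders
                return ACCESS[kind]
        return "read" if self.in_system_space(target) else "read/write"  # 1.3

def sample_policy():
    # Constructed configuration mirroring the guide's Sandboxie and Private Folder examples.
    return Policy(
        user_space=["C:\\Users\\me", "D:\\"],
        userspace_tab={"C:\\Sandbox": "Yes"},                          # 2.2: container now User-Space
        guarded_apps={"C:\\Program Files\\Browser\\browser.exe"},
        folder_rules={"C:\\Sandbox": "Read/Write",                     # 2.2: Exception Folder
                      "C:\\Users\\me\\Documents\\Private": "Deny Access"},  # 2.6: Private Folder
        power_apps={"C:\\Program Files\\AV\\scanner.exe"})
```

Calling `sample_policy().access(exe, path)` with a guarded browser and a Private Folder path returns "none", while the same path from an unguarded System-Space program returns "read/write".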
  6. Blackcat

    Blackcat Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    4,010
    Location:
    Christchurch, UK
    Thanks, pegr for a nice, concise guide to the new version.:thumb: :thumb:
     
  7. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,279
    Location:
    UK
    Thanks Blackcat. I hope people find it useful. :)
     
  8. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,279
    Location:
    UK
    Thanks for posting the screenshots. :thumb:
     
  9. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    nice guide:) :thumb:
     
  10. SIR****TMG

    SIR****TMG Registered Member

    Joined:
    May 31, 2004
    Posts:
    757
    Great showing of program pegr...Thanks...:)
     
  11. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,279
    Location:
    UK
    Thanks guys. :)
     
  12. Clive T

    Clive T Registered Member

    Joined:
    Dec 24, 2002
    Posts:
    189
    Location:
    Kent, UK
    I bought a license for v4 this morning and received a key which wouldn't work. Emailed support and they quickly came back to me and have sent me a new key which includes the message, " We are offering you, a current user of AppGuard, a free download to thank you for your support and to enlist your help to get the word out that version 4 is now available."

    So, the question is, have I shot myself in the foot by purchasing what is in effect an upgrade so quickly after the announcement of this version, or was I entitled to a free upgrade had I waited a day longer? Just curious.
     
  13. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    2,434
    Location:
    Europe
    Very good work! I already use AppGuard, but it may be equally useful.
     
  14. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    2,434
    Location:
    Europe
    And to Barb_C: the new GUI is nice! :thumb:
     
  15. Jryder54

    Jryder54 Registered Member

    Joined:
    Sep 3, 2013
    Posts:
    214
    Thanks pegr! :thumb: I didn't get a chance to post anything but a quick congrats. Np for posting the screenshots :D
     
  16. justenough

    justenough Registered Member

    Joined:
    May 13, 2010
    Posts:
    1,509
    AppGuard 4.0.17 is running smoothly on my 7 x64 machine, no problems.

    Thank you for the tutorial pegr. I am new to AppGuard, jumping in with v.4, so your tutorial has been helpful getting started.
     
  17. SIR****TMG

    SIR****TMG Registered Member

    Joined:
    May 31, 2004
    Posts:
    757
    Was looking when I first bought AppGuard and was shocked it was March 13, 2009. I've been using it a long time....:D
     
  18. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    1,098
    Location:
    Hollow Earth - Telos
    Is the MBRGuard available for 4.X yet?
     
  19. SIR****TMG

    SIR****TMG Registered Member

    Joined:
    May 31, 2004
    Posts:
    757
    No release date has been set yet on it.
     
  20. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    1,098
    Location:
    Hollow Earth - Telos
    I might as well stay with 3.5.6.0. I have not received a lic for 4.x anyway.
     
  21. Jryder54

    Jryder54 Registered Member

    Joined:
    Sep 3, 2013
    Posts:
    214
    Seeing as MBRguard is not included in Appguard 4 I was wondering what the MBRGuardInstall.dll and WdfCoInstaller01009.dll are in my C:\Program Files (x86)\Blue Ridge Networks\AppGuard\MBRGuard folder. I did a clean install of the program.
     
  22. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    The MBRGuard folder should probably have been named "InstallerHelper" folder or something like that. The files in it are used to uninstall MBRGuard when doing an upgrade.
     
  23. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    Please PM me if you feel that you are entitled to a free upgrade (and you want one). I will see what I can do.
     
  24. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    And we want you to continue using it. Please PM me and I will see what I can do. Anyone that has previously purchased AppGuard will get a free upgrade.
     
  25. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    This morning you could have only purchased version 3.5 (4.0 wasn't available for purchase yet - it only went live this afternoon). As a purchaser of 3.5 you are eligible for a free upgrade. If you purchased 3.x some time in the past then perhaps you jumped the gun (or shot yourself in the foot) as that also made you eligible for a free upgrade. Email AppGuard@BlueRidge.com for a refund if you have purchased multiple licenses.
     