AppGuard 4.x 32/64 Bit - Releases

Discussion in 'other anti-malware software' started by Jryder54, Oct 29, 2013.

Thread Status:
Not open for further replies.
  1. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,458
    Location:
    .
    Hello Wilders friends,

    Does AG protect against malware exploiting a whitelisted program’s process memory?

    Does AG protect the whitelisted program’s process (in memory) while the program is running?

    For example > if Adobe Reader opens a PDF file containing Malware, this malware will poison the memory of Adobe Reader (not the file on the hard drive) and then attack other components of the system.

    What say ye' AG
     
  2. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Barb showed me a video recently of AG mitigating an infected pdf file with an exploit. AG blocked the payload, and blocked multiple memory read/write attempts to other system components. I can't remember for sure what those components were, but I think many of them were to explorer.exe. I could be wrong though. I'm not sure if the exploit was able to poison the memory of Adobe Reader because the video did not show BRN checking Adobe Reader's memory. AG's activity report had a pretty long list of blocked attempts by the exploit.
     
  3. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,458
    Location:
    .
    AG may be my next tool. My path has been VS to ERP to maybe AG. While also traveling with SD and TTF. Retirement does wear on a body. :argh:
     
  4. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I use AG with ERP, and SBIE. They complement each other really well.
     
  5. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    MemoryGuard will protect the memory space of all other running processes from being written to by a guarded application. For example, Adobe Reader running guarded will not be able to write to the memory of other running processes. Depending on MemoryGuard configuration, MemoryGuard may also protect the memory space of the other running processes from being read.

    Data loaded by a guarded application containing malicious code - e.g. a PDF loaded by Adobe Reader - may result in the memory of the guarded application being compromised, but other AppGuard protections combine to prevent guarded applications from harming the system.

    These protections can be summarised as follows:

    1. Any child process of a guarded application is automatically guarded, so a compromised guarded application can't step outside of AppGuard protection by spawning off unguarded child processes. This includes trusted system-space executables that would normally run unguarded, but will run guarded if launched by a guarded application.

    2. All applications can write to user-space, but a guarded application can't step outside of AppGuard protection by dropping an executable into user-space then running it unguarded. User-space executables are only ever allowed to run guarded, and only then if they are digitally signed by a trusted publisher and the AppGuard protection level is set to Medium. At the Locked Down protection level, all user-space launches are automatically blocked.

    3. Guarded applications are not allowed to write to system-space.

    As there is no way that a guarded application can launch an unguarded application and guarded applications are unable to write to system-space, the system remains protected even if the memory of a running guarded application should become compromised.

    The main thing to ensure with AppGuard is that all vulnerable (untrusted) applications run guarded. This includes Internet-facing applications and applications such as document readers, office applications, etc used to load data that may contain embedded code.

    Many applications that should be guarded will already be present in the guarded apps list when AppGuard is first installed. The user should add any other applications that need guarding if not already present. Operating system components, security applications, etc., should never be added to the guarded apps list for obvious reasons.
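    The rules in the post above (children of a guarded process inherit guarding; user-space executables only run guarded and only when signed by a trusted publisher) can be checked against a live system. The script below is an added example, not AppGuard's own code or anything from Blue Ridge Networks: it classifies each running process as system-space or user-space, checks the Authenticode status of the user-space ones, and walks the process tree under a named parent. "System-space" here is assumed to mean %SystemRoot%, %ProgramFiles% and %ProgramFiles(x86)%, and the guarded parent name (AcroRd32.exe) is an illustrative assumption.

```powershell
# Added example (not AppGuard code): classify running processes the way the
# rules above describe, and show which processes descend from a guarded parent.
# Assumptions (mine, not from the post): "system-space" = %SystemRoot%,
# %ProgramFiles% and %ProgramFiles(x86)%; everything else is "user-space".
# The guarded parent name ('AcroRd32.exe') is an illustrative assumption.

$SystemSpace = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' }

function Test-SystemSpacePath {
    param([string]$Path)
    if (-not $Path) { return $false }
    foreach ($root in $SystemSpace) {
        if ($Path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

# One snapshot of the process table, keyed by PID, so the tree walk is consistent.
$procs = @{}
Get-CimInstance Win32_Process | ForEach-Object { $procs[[int]$_.ProcessId] = $_ }

function Get-Descendants {
    # Every process whose ancestry leads back to $ParentId (rule 1: children of a
    # guarded process are themselves guarded, recursively).
    param([int]$ParentId)
    $out = @()
    foreach ($p in $procs.Values) {
        if ([int]$p.ParentProcessId -eq $ParentId -and [int]$p.ProcessId -ne $ParentId) {
            $out += $p
            $out += @(Get-Descendants -ParentId ([int]$p.ProcessId))   # @() avoids adding $null
        }
    }
    return $out
}

# Rule 2: a user-space executable is only a candidate for a guarded launch if it
# carries a valid Authenticode signature; list the ones that do not.
$report = foreach ($p in $procs.Values) {
    $path = $p.ExecutablePath
    if (-not $path) { continue }   # protected/system processes expose no path
    $inSystem = Test-SystemSpacePath $path
    $sig = if ($inSystem) { 'n/a' } else { (Get-AuthenticodeSignature -FilePath $path).Status }
    [pscustomobject]@{
        PID       = $p.ProcessId
        Name      = $p.Name
        Space     = if ($inSystem) { 'system' } else { 'user' }
        Signature = $sig
        Path      = $path
    }
}
"User-space processes without a valid signature (would not be allowed to launch at Medium):"
$report | Where-Object { $_.Space -eq 'user' -and "$($_.Signature)" -ne 'Valid' } |
    Sort-Object Name | Format-Table PID, Name, Signature, Path -AutoSize

# Rule 1 in practice: everything spawned (directly or indirectly) by the reader.
foreach ($g in ($procs.Values | Where-Object { $_.Name -ieq 'AcroRd32.exe' })) {
    "Descendants of $($g.Name) (PID $($g.ProcessId)):"
    Get-Descendants -ParentId ([int]$g.ProcessId) |
        ForEach-Object { "  {0,6}  {1}" -f $_.ProcessId, $_.ExecutablePath }
}
```

    Two caveats: Get-CimInstance needs PowerShell 3 or later (on a stock Windows 7 box substitute Get-WmiObject), and ParentProcessId is only a PID, so if the real parent has already exited and its PID was reused the tree walk can attach a process to the wrong ancestor. Run it elevated, otherwise ExecutablePath is empty for processes owned by other users.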
     
  6. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,809
    Location:
    .
  7. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,458
    Location:
    .
    Yes, as AG and ERP make consideration for SBIE. I learned that from U :thumb:
     
  8. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,458
    Location:
    .
    :thumb: WOW ~ Excellent to the nth power :thumb:
     
  9. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    Glad you found it useful. :)
     
  10. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    Thanks for the positive feedback. :)
     
  11. Any reason why AppGuard does not run Windows PowerShell as guarded by default?
     
  12. meatouph

    meatouph Guest

    I recently enabled UAC - changed status from 'never notify' to default. Since then I've noticed AppGuardGUI.exe doesn't launch at startup.
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AppGuardGUI
    C:\Program Files (x86)\Blue Ridge Networks\AppGuard\AppGuardGUI.exe
    I have Windows 7 x64 and licensed AppGuard 4.1.55.1. I'm able to start the app manually. I use locked down mode by default.
     
  13. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I wonder why Windows Photo Viewer is not on the guarded apps list by default. I went ahead, and added it.
     
  14. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I have wondered the same thing. I'm going to try adding it, and see if I have any adverse effects.
     
  15. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    AppGuard also needs an import, export feature to back up the policy files, and settings.
     
  16. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I added all of the Windows PowerShell .exe's to the Guarded Apps list. There were 7 if I did not overlook any.
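    Rather than counting PowerShell hosts by hand, the list can be generated from what is on disk. The snippet below is an added example and not part of AppGuard or the post above; it assumes the hosts of interest are powershell.exe and powershell_ise.exe and that the WinSxS store (which keeps extra copies beside System32 and SysWOW64) is the reason the count comes to more than two or four.

```powershell
# Added example (not AppGuard code): enumerate the PowerShell host binaries on a
# Windows install so the guarded-apps list is built from what actually exists.
# Assumption: hosts of interest are powershell.exe and powershell_ise.exe; the
# search covers %SystemRoot% including WinSxS, where side-by-side copies live.

function Get-PowerShellHosts {
    $names = 'powershell.exe', 'powershell_ise.exe'
    Get-ChildItem -Path $env:SystemRoot -Recurse -Force -Include $names -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Path   = $_.FullName
                Bytes  = $_.Length
                Sha256 = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { "$($sig.Status)" }
            }
        }
}

$hosts = @(Get-PowerShellHosts)
"Found $($hosts.Count) PowerShell host executable(s):"
$hosts | Format-Table Path, Bytes, Signer -AutoSize

# Copies in WinSxS are normally byte-identical to the ones in System32/SysWOW64;
# grouping by hash shows which paths are really the same binary.
"Distinct binaries by SHA-256:"
$hosts | Group-Object Sha256 | ForEach-Object {
    "  $($_.Name.Substring(0,16))...  x$($_.Count)"
    $_.Group | ForEach-Object { "      $($_.Path)" }
}
```

    Get-FileHash exists from PowerShell 4 onward; on an older host drop the Sha256 column or compute the hash with [System.Security.Cryptography.SHA256]. Any signer that is not Microsoft, or any copy outside the expected System32, SysWOW64 and WinSxS directories, deserves a look before it is added to a trusted list.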
     
  17. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    +1
     
  18. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,809
    Location:
    .
    Old topic and request. I did it once when I recently joined these forums and Barb said they will work on that on next release, I hope so.
     
  19. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    You can do it manually by copying out the appguardpolicy.xml file.
     
  20. KaptainBug

    KaptainBug Registered Member

    Joined:
    Dec 26, 2013
    Posts:
    480
    What is the executable for Windows Photo Viewer? I thought it uses rundll32.exe which is guarded by default.
     
  21. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,809
    Location:
    .
    Exactly, good point from you. Thought the same as you, ever.
     
  22. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    There are two for Windows 7 x64, I'm not sure about other OS's.
    C:\Program Files (x86)\Windows Photo Viewer
    C:\Program Files\Windows Photo Viewer

    Disregard, the folder in Program Files is labeled Windows Photo Viewer, but the executables in those folders are for scanners and cameras. I'm not sure if those executables should be guarded.
     
  23. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I would like to see additional memory mitigation added so I don't have to use additional applications like EMET taking up more resources. Also the more security applications one uses, the greater the chance of running into an application conflict.
     
  24. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,809
    Location:
    .
    I believe KaptainBug is correct...
    So there's no need to guard anything about Windows Photo Viewer.
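    The question of which executable to guard for a file type can be settled from the registry rather than by looking for a viewer .exe. The function below is an added example, not code from AppGuard or from anyone in this thread; it follows the standard association chain (per-user UserChoice, then HKCR\<ext> to its ProgId, then HKCR\<ProgId>\shell\open\command) and pulls out the host executable from the command line. For Windows Photo Viewer that host is rundll32.exe loading PhotoViewer.dll, which is why there is no separate viewer binary to add.

```powershell
# Added example (not AppGuard code): resolve which executable the shell launches
# for a file extension, so the correct host process gets guarded.
# Assumption: the standard association layout
#   HKCU\...\Explorer\FileExts\<ext>\UserChoice (ProgId)  -> overrides
#   HKCR\<ext> (default)                                  -> ProgId
#   HKCR\<ProgId>\shell\open\command (default)            -> command line

function Resolve-ShellOpenCommand {
    param([Parameter(Mandatory)][string]$Extension)   # e.g. '.jpg'
    $ext = $Extension.ToLower()
    if (-not $ext.StartsWith('.')) { $ext = ".$ext" }

    # A per-user choice (Default Programs / "Open with") wins over the machine default.
    $userChoice = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\$ext\UserChoice"
    $progId = (Get-ItemProperty -Path $userChoice -ErrorAction SilentlyContinue).ProgId
    if (-not $progId) {
        $progId = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\$ext" -ErrorAction SilentlyContinue).'(default)'
    }
    if (-not $progId) { return $null }

    $cmdKey = "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command"
    $cmd = (Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue).'(default)'
    if (-not $cmd) { return $null }
    $cmd = [Environment]::ExpandEnvironmentVariables($cmd)

    # The host is the first token: either a quoted path or everything up to the first space.
    $exe = if ($cmd.StartsWith('"')) { $cmd.Substring(1, $cmd.IndexOf('"', 1) - 1) }
           else { ($cmd -split ' ', 2)[0] }

    [pscustomobject]@{
        Extension = $ext
        ProgId    = $progId
        Host      = $exe                                   # what AppGuard would actually see launch
        HostName  = [System.IO.Path]::GetFileName($exe)
        Command   = $cmd
    }
}

# Image types handled by Photo Viewer on a default Windows 7 install, plus a
# document type for contrast (a real viewer .exe rather than a rundll32 host).
'.jpg', '.png', '.tif', '.pdf' | ForEach-Object { Resolve-ShellOpenCommand $_ } | Format-List
```

    Expect Host to be %SystemRoot%\System32\rundll32.exe with PhotoViewer.dll and ImageView_Fullscreen in Command for the image types on Windows 7. The function only follows the "open" verb; a type can also carry OpenWithProgids or a DelegateExecute handler, in which case the launching process is not described by this key and a process-monitor trace of an actual double-click is the reliable check.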
     
  25. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    As a heads up, I now have Appguard running in a Win 10 TR x64 Virtual Machine.
     