AppGuard 4.x 32/64 Bit - Releases

Discussion in 'other anti-malware software' started by Jryder54, Oct 29, 2013.

Thread Status:
Not open for further replies.
  1. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,805
    Location:
    .
    @Barb_C
    You are still setting aside the AG's Settings Export/Import mechanism for easy maintenance. Again, I eventually re-image my system drive or do a full format and re-install the OS, hence this feature is needed.
    Also, there is a need to raise the max number of added Power Apps. I would be glad to be able to add 35 apps, total.
     
  2. G1111

    G1111 Registered Member

    Joined:
    May 11, 2005
    Posts:
    2,294
    Location:
    USA
    Installed latest beta over last public release. All went well; none of my added items were erased. So glad you kept locked down mode. I almost always surf the Internet in locked down mode.
    I now get an alert when checking MS Office 2013 for updates (blinking tray icon):
    02/06/16 12:22:30 Prevented process <schtasks.exe> from launching from <\Device\HarddiskVolume2\windows\system32>.
    This occurs in both locked down and protected modes. Using Windows 7 Pro SP1 x64
     
  3. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    I was able to recreate the problem using ImDisk. In fact I was able to see some anomalies in my system without even changing AppGuard's rules or levels. There seems to be an incompatibility with AppGuard and the ImDisk software. I'm sure my driver developer will consider it an issue with how ImDisk is interfacing with the Filter Driver Manager and I suppose we will have to find a way to prove that it isn't AppGuard that is causing the issue. I also tested with Ram Disk Plus and AppGuard and Ram Disk Plus were able to co-exist just fine. So the question becomes how do we warn the user about these types of issues? It seems that we will have to add additional self-diagnostics in the future, but in the meantime we will most likely post an application note (though is ImDisk a widely used program worthy of an application note - not sure BRN product management would agree?).
     
  4. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    Schtasks.exe has always been part of our AppGuard policy (at least since version 4.1). There was an AppGuard bug that prevented the blocks from being reported. It seems that Office uses schtasks.exe to schedule something but it appears to work fine with AppGuard blocking. If you don't want to be bothered by the popups/toasters you can elect to ignore the schtasks.exe event or you can remove schtasks.exe from the user-space policy (not recommended - this program is often used by malware to become persistent in your system!).
     
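The alert line quoted above (and the developer's note that schtasks.exe stays in policy because it is a common persistence vehicle) is the kind of event worth triaging rather than just dismissing. The following is an added example, not AppGuard's code or anything from this thread: it parses "Prevented process" lines in the format G1111 quoted, counts blocks per process, and separates blocks of a process launched from system space (a policy entry such as schtasks.exe) from blocks of something launched out of a user-writable location. The regex, the sample lines beyond the one from the thread, and the user-writable path markers are assumptions of this example.

```python
"""Parse AppGuard 'Prevented process' alert lines into records for triage.

Added example: not AppGuard's own code. The line format is taken from the
single alert quoted in the thread; the extra sample lines are constructed.
"""
import re
from collections import Counter
from datetime import datetime

# Assumed format, modelled on the one quoted line:
# 02/06/16 12:22:30 Prevented process <schtasks.exe> from launching from <\Device\HarddiskVolume2\windows\system32>.
ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"Prevented process <(?P<proc>[^>]+)> from launching from <(?P<path>[^>]+)>\.?$"
)

# Constructed sample (raw string so the NT device paths keep their backslashes):
# the real line from the thread, a repeat of it, and one made-up user-space block.
SAMPLE_ALERTS = r"""
02/06/16 12:22:30 Prevented process <schtasks.exe> from launching from <\Device\HarddiskVolume2\windows\system32>.
02/06/16 12:40:02 Prevented process <schtasks.exe> from launching from <\Device\HarddiskVolume2\windows\system32>.
02/06/16 13:01:15 Prevented process <updater.exe> from launching from <\Device\HarddiskVolume2\Users\alice\AppData\Local\Temp>.
"""

# Assumed markers of user-writable locations; adjust per host.
USER_WRITABLE_MARKERS = ("\\users\\", "\\temp\\", "\\appdata\\")


def parse_alert(line):
    """Return a dict with time/process/path for one alert line, or None if it does not match."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    return {
        "time": datetime.strptime(m["ts"], "%m/%d/%y %H:%M:%S"),
        "process": m["proc"].lower(),
        "path": m["path"],
    }


def parse_alerts(text):
    """Parse every matching line in a block of alert text, skipping blanks and junk."""
    return [r for r in (parse_alert(line) for line in text.splitlines()) if r]


def triage(records):
    """Split parsed blocks into (count per process, blocks launched from a user-writable path).

    A blocked process living in system space (schtasks.exe here) is a policy
    entry firing, which the developer says is expected for Office updates.
    A block of something launched from a user-writable path is AppGuard's
    ordinary user-space protection and deserves a closer look.
    """
    counts = Counter(r["process"] for r in records)
    from_user_space = [
        r for r in records
        if any(marker in r["path"].lower() for marker in USER_WRITABLE_MARKERS)
    ]
    return counts, from_user_space


if __name__ == "__main__":
    recs = parse_alerts(SAMPLE_ALERTS)
    per_process, suspicious = triage(recs)
    for proc, n in per_process.items():
        print(f"{proc}: {n} block(s)")
    for r in suspicious:
        print(f"review: {r['time']:%Y-%m-%d %H:%M:%S} {r['process']} from {r['path']}")
```

Feed it the text of AppGuard's activity report; the `counts` output makes a repeating benign block (the Office schtasks.exe case) obvious, while the second list isolates the blocks that should not simply be set to "ignore".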
  5. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    Not setting aside. Just haven't gotten to it yet. With this latest release your old policy should be merged into the new. Also I'll look into increasing the number of power apps. Our view is that there is rarely a need to add power apps. Even our largest enterprise customers only have to add about 10 at most (and that includes their software configuration management software which most home users wouldn't need). Would you provide me with a list of power apps that you envision that you need?
     
  6. syrinx

    syrinx Registered Member

    Joined:
    Apr 7, 2014
    Posts:
    427
    Weird, I was able to fix the issues on my side by killing a file related to my sound card. I suppose I should go back and do more testing now to be sure it sticks. /sigh


    Update: As long as I don't have that sound card dll loaded, it's working perfectly for me now, can't get the issue to pop up even once. If I restore the startup entry and reboot the issues are reproducible again. Killing the dll and toggling between protection modes in AppGuard then allows it to continue running perfectly.

    I checked the filtermgr logs and it doesn't even seem that ImDisk makes use of it, it doesn't register with it at least... I had only three entries, two entries from MS and one from BRN, all of which loaded properly. I suppose it's still possible ImDisk is at fault but as I and others have seen before, it doesn't just happen with ImDisk. (On another note, was it the awealloc driver doing the funky stuff? because I deleted that after install since I only create virtual, temporary disks <3GB in size for use with sandboxie.) I tried checking the ImDisk source code for references to FilterMgr but searches for 'filter' and 'flt' only turned up one real hit which was just a #define.
    I'm no programmer though so I'm not sure what to look for.

    I really like the idea of more diagnostics/reporting to let the user know if it can't do its job so we don't continue on blindly thinking we are protected while we aren't. That's pretty much the biggest problem I had with this issue. AppGuard didn't seem to know it wasn't working and neither would most users.

    I can live without a ram disk if it turns out ImDisk is at fault (tho it's odd they now get along fine with that dll entry removed on my system) as that's actually just a holdover from a workaround to an issue I had with sandboxie that I've since isolated and resolved by removing the user variable from the boxes.

    Code:
    Log Name:  System
    Source:  Microsoft-Windows-FilterManager
    Date:  2/6/2016 2:05:10 PM
    Event ID:  6
    Task Category: None
    Level:  Information
    Keywords:
    User:  SYSTEM
    Computer:  AG_TEST
    Description:
    File System Filter 'FileInfo' (6.1, 2009-07-13T18:34:25.000000000Z) has successfully loaded and registered with Filter Manager.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
      <Provider Name="Microsoft-Windows-FilterManager" Guid="{F3C5E28E-63F6-49C7-A204-E48A1BC4B09D}" />
      <EventID>6</EventID>
      <Version>0</Version>
      <Level>4</Level>
      <Task>0</Task>
      <Opcode>0</Opcode>
      <Keywords>0x8000000000000000</Keywords>
      <TimeCreated SystemTime="2016-02-06T19:05:10.936800800Z" />
      <EventRecordID>5491</EventRecordID>
      <Correlation />
      <Execution ProcessID="4" ThreadID="8" />
      <Channel>System</Channel>
      <Computer>AG_TEST</Computer>
      <Security UserID="S-1-5-18" />
      </System>
      <EventData>
      <Data Name="FinalStatus">0x0</Data>
      <Data Name="DeviceVersionMajor">6</Data>
      <Data Name="DeviceVersionMinor">1</Data>
      <Data Name="DeviceNameLength">8</Data>
      <Data Name="DeviceName">FileInfo</Data>
      <Data Name="DeviceTime">2009-07-13T18:34:25.000000000Z</Data>
      </EventData>
    </Event>
    
    Log Name:  System
    Source:  Microsoft-Windows-FilterManager
    Date:  2/6/2016 2:05:11 PM
    Event ID:  6
    Task Category: None
    Level:  Information
    Keywords:
    User:  SYSTEM
    Computer:  AG_TEST
    Description:
    File System Filter 'BrnFileLock' (6.1, 2015-02-13T15:43:21.000000000Z) has successfully loaded and registered with Filter Manager.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
      <Provider Name="Microsoft-Windows-FilterManager" Guid="{F3C5E28E-63F6-49C7-A204-E48A1BC4B09D}" />
      <EventID>6</EventID>
      <Version>0</Version>
      <Level>4</Level>
      <Task>0</Task>
      <Opcode>0</Opcode>
      <Keywords>0x8000000000000000</Keywords>
      <TimeCreated SystemTime="2016-02-06T19:05:11.420401600Z" />
      <EventRecordID>5492</EventRecordID>
      <Correlation />
      <Execution ProcessID="4" ThreadID="8" />
      <Channel>System</Channel>
      <Computer>AG_TEST</Computer>
      <Security UserID="S-1-5-18" />
      </System>
      <EventData>
      <Data Name="FinalStatus">0x0</Data>
      <Data Name="DeviceVersionMajor">6</Data>
      <Data Name="DeviceVersionMinor">1</Data>
      <Data Name="DeviceNameLength">11</Data>
      <Data Name="DeviceName">BrnFileLock</Data>
      <Data Name="DeviceTime">2015-02-13T15:43:21.000000000Z</Data>
      </EventData>
    </Event>
    
    Log Name:  System
    Source:  Microsoft-Windows-FilterManager
    Date:  2/6/2016 2:05:16 PM
    Event ID:  6
    Task Category: None
    Level:  Information
    Keywords:
    User:  SYSTEM
    Computer:  AG_TEST
    Description:
    File System Filter 'luafv' (6.1, 2009-07-13T18:26:13.000000000Z) has successfully loaded and registered with Filter Manager.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
      <Provider Name="Microsoft-Windows-FilterManager" Guid="{F3C5E28E-63F6-49C7-A204-E48A1BC4B09D}" />
      <EventID>6</EventID>
      <Version>0</Version>
      <Level>4</Level>
      <Task>0</Task>
      <Opcode>0</Opcode>
      <Keywords>0x8000000000000000</Keywords>
      <TimeCreated SystemTime="2016-02-06T19:05:16.194010000Z" />
      <EventRecordID>5500</EventRecordID>
      <Correlation />
      <Execution ProcessID="4" ThreadID="56" />
      <Channel>System</Channel>
      <Computer>AG_TEST</Computer>
      <Security UserID="S-1-5-18" />
      </System>
      <EventData>
      <Data Name="FinalStatus">0x0</Data>
      <Data Name="DeviceVersionMajor">6</Data>
      <Data Name="DeviceVersionMinor">1</Data>
      <Data Name="DeviceNameLength">5</Data>
      <Data Name="DeviceName">luafv</Data>
      <Data Name="DeviceTime">2009-07-13T18:26:13.000000000Z</Data>
      </EventData>
    </Event>

    Update 2:
    So the more I think about it, the more I feel that diagnostics/reporting is the way to go. As long as we are aware there's an issue we can at least try to find or fix it. It might even help uncover a few other issues we may not yet be aware of.

    If you want to keep checking ImDisk or AppGuard for issues, feel free to do so and I'll be open to more tests if needed but I'll be removing ImDisk from my main system shortly (I'll keep it on the test OS for now) because frankly those 'vague' anomalies you mentioned worry me despite no longer seeing the rules causing AppGuard to fail no matter how many times I try it with the sound card dll removed. Better to be safe rather than sorry when the program isn't actually needed anyway.
     
    Last edited: Feb 6, 2016
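syrinx's check of the FilterManager log is the self-diagnostic the post is asking for: confirm that the product's minifilter actually registered rather than assuming it did. The script below is an added example, not code from this thread or from AppGuard/BRN. It reads Event ID 6 records in the XML layout syrinx posted, lists which filters registered with a FinalStatus of 0x0, and reports any expected filter that is absent. The sample document is constructed from the three records above (trimmed to the fields used) and wrapped in an `<Events>` element so one string holds several records; `ExampleFilter` is a hypothetical name used only to show a missing filter.

```python
"""Check Windows FilterManager Event ID 6 records for an expected minifilter.

Added example, not part of the thread or of AppGuard. The sample XML is
constructed from the record layout posted in the thread.
"""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
EVENT_TAG = "{%s}Event" % NS["e"]

# Constructed sample: the three records from the thread, trimmed to the
# elements this script reads and wrapped in <Events> so they form one document.
SAMPLE_EVENTS = """\
<Events>
 <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
   <Provider Name="Microsoft-Windows-FilterManager" Guid="{F3C5E28E-63F6-49C7-A204-E48A1BC4B09D}" />
   <EventID>6</EventID>
   <TimeCreated SystemTime="2016-02-06T19:05:10.936800800Z" />
   <Computer>AG_TEST</Computer>
  </System>
  <EventData>
   <Data Name="FinalStatus">0x0</Data>
   <Data Name="DeviceName">FileInfo</Data>
  </EventData>
 </Event>
 <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
   <Provider Name="Microsoft-Windows-FilterManager" Guid="{F3C5E28E-63F6-49C7-A204-E48A1BC4B09D}" />
   <EventID>6</EventID>
   <TimeCreated SystemTime="2016-02-06T19:05:11.420401600Z" />
   <Computer>AG_TEST</Computer>
  </System>
  <EventData>
   <Data Name="FinalStatus">0x0</Data>
   <Data Name="DeviceName">BrnFileLock</Data>
  </EventData>
 </Event>
 <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
   <Provider Name="Microsoft-Windows-FilterManager" Guid="{F3C5E28E-63F6-49C7-A204-E48A1BC4B09D}" />
   <EventID>6</EventID>
   <TimeCreated SystemTime="2016-02-06T19:05:16.194010000Z" />
   <Computer>AG_TEST</Computer>
  </System>
  <EventData>
   <Data Name="FinalStatus">0x0</Data>
   <Data Name="DeviceName">luafv</Data>
  </EventData>
 </Event>
</Events>
"""


def registered_filters(xml_text):
    """Map filter name -> TimeCreated for every Event ID 6 record with FinalStatus 0x0."""
    root = ET.fromstring(xml_text)
    found = {}
    for ev in root.iter(EVENT_TAG):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "6":
            continue  # only the 'loaded and registered' event is of interest
        data = {d.get("Name"): d.text for d in ev.findall("e:EventData/e:Data", NS)}
        if data.get("FinalStatus") != "0x0":
            continue  # a non-zero status is not a successful registration
        tc = ev.find("e:System/e:TimeCreated", NS)
        found[data["DeviceName"]] = tc.get("SystemTime") if tc is not None else None
    return found


def missing_filters(xml_text, expected):
    """Names from `expected` that never registered; an empty list means all present."""
    present = registered_filters(xml_text)
    return [name for name in expected if name not in present]


if __name__ == "__main__":
    for name, when in registered_filters(SAMPLE_EVENTS).items():
        print(f"registered: {name} at {when}")
    # 'ExampleFilter' is a hypothetical name to show the missing-filter report.
    print("missing:", missing_filters(SAMPLE_EVENTS, ["BrnFileLock", "ExampleFilter"]))
```

On a real host, export the System log to XML and pass it to `registered_filters`; the BRN filter (BrnFileLock in syrinx's log) appearing with status 0x0 is the evidence that the kernel-side piece is in place, which is exactly what a user cannot otherwise tell from the GUI.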
  7. G1111

    G1111 Registered Member

    Joined:
    May 11, 2005
    Posts:
    2,294
    Location:
    USA
    Thanks Barb. I set to ignore event alert.
     
  8. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    Just want to say you guys are great! Love the feedback we get here.
     
  9. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    More on the ImDisk issue: We did find a bug at our application layer in this case. So not an issue with the way ImDisk is interfacing with the Filter Manager. Hopefully we will have another beta for you to try tomorrow or Monday.
     
  10. guest

    guest Guest

    Installed the new beta over stable without issues or uninstallation, very good; I won't have to annoy BRN Support so often to reset my license :p

    However, is the "toast" alert enabled? I don't get them; only classic popup alerts.
     
  11. hjlbx

    hjlbx Guest

    @Barb_C

    AppGuard blocks schtasks.exe, but it does not block tasks created via mmc.exe\Task Scheduler.

    I think you should get with an Engineer and explain in the Help file that AppGuard does not block important, legitimate tasks that are included with the OS\legitimate softs. This will save you from needless user questions.

    However, I have seen where AppGuard blocks the writing of *.job (tasks) - for example, update tasks written to Task Scheduler during installation - in Install Mode.

    I am not sure whether the above is problematic or not.

    I have noticed AppGuard will block something one time - and not another - during installations - even of the same installer\application.
     
  12. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,805
    Location:
    .
    On Windows Embedded 8.1 x64:

    1. Power apps in (x86) or system32 should have the correct paths shown in the GUI. Checked
    2. Java runtime programs are now Guarded (you might have to reboot to actually see these in your list and of course they need to be installed). Checked java dependencies.png
    3. When adding user-space and other folder/file policies, AppGuard will remember the last path. Checked
    4. .Jar files are now prohibited from running from user-space. Not working, but later in the day it worked. Don't know what happened.
    5. You can now delete schtasks.exe and at.exe from your policy if you desire (but we DO NOT recommend that). Not checked
    6. You can update from 4.x without uninstalling first. Checked.
     
    Last edited: Feb 7, 2016
  13. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    If you over-installed, then I think that your old alert settings are honored. So if you want to see them, then you must enable on the alerts tab.
     
  14. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    On item 4, are you saying it didn't work or are you saying that you don't like this new policy? Do you have another program that is running the jar files, or are they being executed with javaw.exe?
     
  15. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    Can you be more specific about the last line? The only explanation that I can think of is that sometimes installers are not completely digitally signed. The wrapper may be digitally signed, but some of the sub-programs are not.
     
  16. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    Another update on the ImDisk issue. It seems that there is something non-standard about the underlying naming of the ram disk that is causing AppGuard to have problems. We'll enhance our program to at least warn when this is the case.
     
  17. syrinx

    syrinx Registered Member

    Joined:
    Apr 7, 2014
    Posts:
    427
    Thanks for the update, would you suggest not using ImDisk alongside AppGuard then? Also is this related to the application layer thing you mentioned before or is that a separate issue?
     
  18. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,805
    Location:
    .
    I was saying it didn't work. Strangely a few minutes ago I tried again and the jar file was blocked. Minecraft is the only one which runs jar files but at the time of testing it wasn't running.
     
  19. hjlbx

    hjlbx Guest

    The installer was for Kingsoft WPS - all of the modules of which are digitally signed.

    I tried my best to replicate the issue - by uninstalling and reinstalling WPS - but could not reproduce at will.

    So, at this point it is an intermittent issue; AppGuard sometimes blocks and other times does not.

    It is difficult to figure out why this happens.
     
  20. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,805
    Location:
    .
    I brought your post to the AppGuard thread so as not to hijack @alexandrud's, hope you don't mind. Now I have a question: why do I want to add netsh.exe to User Space and then set it to "No"? Isn't it the same to just not add those lines in the first place?
     
  21. syrinx

    syrinx Registered Member

    Joined:
    Apr 7, 2014
    Posts:
    427
    Yes and 'maybe' no. By default that's a part of system space so setting up a rule that way should result in the same things happening (or not) but it could depend on how manual rules are handled with AG and that's not something I've tested myself. Might be interesting to explore if they are handled differently in a situation like this. Won't be starting any such tests tonight...

    Update: reread the original post you quoted. S/he apparently set netsh to user space=yes, which isn't the same as I got from your question since it starts off as part of system space. S/he basically told AG it was 'to be considered user space' so it's no wonder s/he had issues with it there...unless I'm so drunk I misunderstood some other part of it!

    Go ahead, laugh, someone deserves to and it'll only help when Barb puts me in my proper place yet again after all my spams to her about ImDisk!
     
    Last edited: Feb 8, 2016
  22. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,805
    Location:
    .
    Alright, I understand that "maybe", thanks syrinx. Now if @hjlbx could explain this type of config in the meantime, it would be great.
     
  23. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I think I know why BRN blocked .JAR files in this release. I think maybe they misunderstood me unless they are aware of some bypass I'm not familiar with. I recommended that Java be Guarded by default even when run outside the Browser, and as you can see my request was granted. I didn't know they would choose to completely block .JAR files from running. I think .JAR files can be allowed to execute safely with limited rights as long as the .JAR file can not write to Program Files, System Space, C:\, registry, and other Processes' Memory.

    I never play video games so can you tell me what I need to do to run Minecraft so that I can test with it? I use the computer mainly for Academic purposes (research, learning, etc.). I think it would be best to allow .JAR files to run with limited rights like I explained above because the users will not be protected at all if they have to disable AG to run some .JAR file. I will send Barb an email. In my own testing .JAR files can be safely executed as long as javaw.exe is Guarded. If javaw.exe is not Guarded the .JAR file can be used as a dropper to drop executable payloads in Program Files, and System Space. That executable will then execute on its own, and it's game over. It can do whatever it wants after that. That is if you are using an Admin Account.
     
  24. hjlbx

    hjlbx Guest

    @Mister X - I am not sure what you mean.
     
  25. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    It looks like you will be able to use ImDisk with AppGuard together, but you won't be able to set the disk as a protected resource. AppGuard will be updated to warn you when you try to add it as a protected resource. It looks like AppGuard will treat it as user-space and prohibit exe's from launching out of the ram disk, but unfortunately if you try to exclude the ram disk from user-space protection, AppGuard does not honor it. This has to do with the way the volume is named. Unfortunately there is no quick way to get in a warning about the user-space rule. We'll incorporate the user-space warning in a future release.
     
    Last edited: Feb 8, 2016