AppGuard 4.x 32/64 Bit - Releases

Discussion in 'other anti-malware software' started by Jryder54, Oct 29, 2013.

Thread Status:
Not open for further replies.
  1. hjlbx

    hjlbx Guest

    I have AG and SpS installed on one test system at the moment. They work perfectly together.

    Overkill is OK as long as it is not to the point where all you do is manage security softs instead of using your system for its intended purpose - which is to use it.
     
  2. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,809
    Location:
    .
    I wonder when AppGuard will address hollow process injection...
     
  3. Schorg

    Schorg Guest

    I have not had any issues with the combo, but I have disabled action 53 on SpyShelter.

    Very true regarding managing security softs - but I don't plan on having an overkill setup in the future:)
     
    Last edited by a moderator: Oct 20, 2016
  4. hjlbx

    hjlbx Guest

    Hollow process has been discussed. I have specifically brought it up a number of times. Not sure what is going to be done about it, so it remains on my radar.

    The basic argument is that it isn't needed since exploited applications are run Guarded and MemGuarded. That's if the user has added them to the Guarded Apps list correctly.

    Poweliks, for a single specific example, uses hollow process post-exploit of a browser. AppGuard doesn't detect nor prevent the hollow process, but it does prevent the creation of the autoruns - so while the malicious key will be created in HKCU - it can't start. Poweliks is in the registry, but it's a dud.

    I know that might drive some paranoid users absolutely bonkers, but it's no different than having a malicious file somewhere in C:\Users\User that never gets executed. It's inert and poses no threat to the system. In fact, a dud reg key is even more inert.

    Also the argument is that if the user is running AppGuard in Protected or Locked Down mode 99 % of the time, it isn't needed.
     
  5. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,809
    Location:
    .
    Okay. Then I think AG users are very well protected for the foreseeable future. Thanks @hjlbx
     
  6. hjlbx

    hjlbx Guest

    Since hollow process is essentially parent > child, then it presents a challenge for AppGuard - because MemGuard doesn't protect parent > child. BRN found when they did that, it broke too many things.

    So BRN can add something like MemProtect (not same as MemGuard), but then the user will have to create all the required parent > child rules. Even if BRN includes a rather large list of built-in rules it would still be a handful for most users. Hell... I don't want to do it myself = the reason I don't use Excubits MemProtect.
     
  7. hjlbx

    hjlbx Guest

    From @Barb_C

    "AppGuard 4 will query the license server every 5 days, but it is not required. So if it doesn’t query the server it won’t disable AppGuard. It is done to keep track of which products are being used.


    If AppGuard cannot call the licqueryapp.exe (at some point someone black listed it), then AppGuard is not able to even check that the license was ever activated and in that case it will not protect the system."
     
  8. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,207
    Yes, it would be stupid if AppGuard's continual protection needed internet connection.
    But if licqueryapp.exe is prevented from starting by an anti-exe, then it will screw up AG protection. Like I found out, as a long time AG user.
     
    Last edited: Oct 20, 2016
  9. guest

    guest Guest

    "LicQueryApp.exe /QUERY" (Description: License Related Functions)
    It's started shortly after "AppGuardAgent.exe", early in the boot-process. And I see it running after each reboot.
     
  10. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    AppGuard must have some serious bug/conflict with Windows 10X64 & Shadow Defender. AppGuard keeps disabling itself when coming out of Shadow Mode. It could be coincidence though because it has done it before when not using SD also. It does it very often though when using SD. It says my license is no good for the current version. It's the same license I have been using all along which I was given for this build. Usually I can reboot, and reenter the license, but not this time. After a reboot the Customize button is still greyed out, and clicking on activate does nothing. Closing the GUI, and opening it again, appears to have worked though. The functionality of the GUI is working again. I was able to enable my protection again without entering my license key once I was able to use the GUI again.

    I have AG installed on one other machine, and it's a Windows 10 X64 machine also. It has a different bug affecting it which causes AG to give an error message whenever attempting to make any changes to the settings. It gives the error message, and will not allow the change. I tried doing a reinstall 2 times, and that did not work. The 2nd time I tried deleting all orphaned files, and most of the registry keys after uninstalling AG, and that did not work either. It appears I will have to reformat that machine. AG has not been working well with Windows 10. Boy do I miss Windows 7X64. Too bad Microsoft broke it, and forced users like me to upgrade to Windows 10.
     


  11. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I work offline sometimes, and AG disables itself due to LicQueryApp failing to gain internet access also.
     
  12. hjlbx

    hjlbx Guest

    If LicQueryApp cannot perform the initial query of the BRN license server, then it will deactivate AG.

    If anything causes LicQueryApp not to function properly - after the initial license query - then after 5 days or so the AG license will deactivate.
     
  13. guest

    guest Guest

    After how many days is AG disabling itself?
    But, according to the following post, it isn't "required" and it "won't disable AppGuard" o_O
     
  14. hjlbx

    hjlbx Guest

    The initial query is required to activate the license.

    If there is any tampering with LicQueryApp.exe - either via firewall, blocking execution, etc - then the license will be deactivated.

    There have been reports of this kind of behavior in the past, and in every case there was some form of tampering\blocking of LicQueryApp.exe by other security softs. Also, some malfunction in Windows itself, the network itself, etc can cause the reported behavior.

    After the initial query, LicQueryApp.exe must function unfettered on the system; it isn't the post-initial blocking of the BRN server query that is the issue, it is the fact that any tampering\blocking of the LicQueryApp.exe process operation on the system will cause a license deactivation.
     
    Last edited by a moderator: Oct 25, 2016
  15. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    It has been activated well over 5 days so that should not be it. I don't have any other Security software installed that would block LicQueryApp from executing. I only have Eset, and MBAE installed. I have Eset HIPS on Smart Mode.

    I discovered that AG would disable itself if LicQueryApp is unable to run when scheduled months ago, and reported it to BRN. I was hoping they would change the behavior. I also discovered that blocking AppGuardAgent.exe would do the same thing if I remember correctly. I would have to go back, and look at my notes if I still have them, but AppGuardAgent was more troublesome than LicQueryApp.

    I will send you the info you requested in your PM soon. I'm in the middle of watching a tv show, and want to finish it. I already collected the data requested.
     
  16. hjlbx

    hjlbx Guest

    AppGuard employs a licensed drop-in 3rd-party module for the AG license management - so fixes aren't necessarily within the purview of BRN.

    Anyhow, these types of issues have been - and will continue to be - on my radar until we can get to the bottom of it all.
     
  17. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Yeah, I never have liked their third party license software. I hope some day soon they develop a better way themselves.
     
  18. hjlbx

    hjlbx Guest

    Without a determination of what precisely is\are the causes I am guessing - just pointing out that if it is a problem with the drop-in license module then any required fixes might not be straight-forward.

    I made sure it was on the "To Do" list.
     
  19. guest

    guest Guest

    Then blocking of the process LicQueryApp.exe may be the reason, why the license was deactivated:
     
  20. XhenEd

    XhenEd Registered Member

    Joined:
    Mar 31, 2014
    Posts:
    536
    Location:
    Philippines
    BRN rep. just said in the other forum that 4.x will only have license support, with no bug fixes and enhancements. :(
    So, there is no expected update to come ever. :(
    I guess 4.4.6.1 is the last version for AppGuard 4.
     
  21. guest

    guest Guest

    Oh :(
    For how long is the "license support"?
    And, what "other forum"? :cautious:
     
  22. XhenEd

    XhenEd Registered Member

    Joined:
    Mar 31, 2014
    Posts:
    536
    Location:
    Philippines
    I'm not sure how long the "license support" is.
    The other forum is about tips and malware. :D
     
  23. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,809
    Location:
    .
    May I ask whether the other forum name or links are prohibited in here?
     
  24. guest

    guest Guest

    ok, i found it ;)

    If 4.x is EOL or the user wants further updates, 5.x has to be bought.
    Just for fun I wanted to look at the prices but: "Product not available" :cautious:
    Edit: Now I can see the price.
     
    Last edited by a moderator: Oct 28, 2016
  25. guest

    guest Guest

    lol Xhen :argh:

    No it isn't, but we like to joke around "the other forum" thingy. :p

    back to the topic, AG v4.x will be only closed-beta builds, while v5.x will be the official public ones based on V4.x feedback from testers.
     