AppGuard 4.x 32/64 Bit - Releases

Discussion in 'other anti-malware software' started by Jryder54, Oct 29, 2013.

Thread Status:
Not open for further replies.
  1. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    Version 4.X beta keys will not activate 5.X.
     
  2. Grumlo

    Grumlo Registered Member

    Joined:
    Nov 14, 2015
    Posts:
    176
    Thanks
    So work on 4.4.6.1 or buy new version? Maybe 4.4.6.1 is still good?
     
  3. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    At this point in time there is essentially no meaningful difference between 4.4.6.1 and version 5. The chief difference being the transition to annual subscription for version 5. In the next release of 5 I expect there will be some major differences between version 4 and 5 feature sets and perhaps even default policies.

    To be perfectly honest, in terms of protections, 4.4.6.1 is every bit as capable as the current version 5.2.9.1. You can greatly increase system security by hardening the User Space configuration, tightening up the Trusted Publisher List, always running in Locked Down mode, etc. - the same general recommendations that have been repeatedly made on this sub-forum.
     
  4. Grumlo

    Grumlo Registered Member

    Joined:
    Nov 14, 2015
    Posts:
    176
    OK Thanks Jeff_T

    Regards
     
  5. guest

    guest Guest

    Indeed it is still good. Essentially, if a new feature appears in v5, then if you want it, you have to buy v5 to get it.
     
  6. Grumlo

    Grumlo Registered Member

    Joined:
    Nov 14, 2015
    Posts:
    176
    Ok thanks
     
  7. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,823
    Location:
    .
    How is this going to happen Jeff?
    Would we get versioning numbers like 4.4.X.X?
     
  8. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    There are no details covering this scenario at this time; it would all be determined if and when such a fix is pushed.
     
  9. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,823
    Location:
    .
    @Jeff_T Testing Group

    Two rundll32.exe events:
    Code:
    12/12/16 09:41:07 Prevented process <Windows host process (Rundll32)> from writing to <c:\windows\appcompat\programs\aeinv_previous.xml>.
    12/12/16 09:39:27 Prevented process <Windows host process (Rundll32)> from writing to <c:\windows\appcompat\programs\aeinv_previous.xml>.
    
    Details:

    rundll3201.png
     
  10. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    Just to make sure I have to ask - you have been running AppGuard in Protected mode for the past few days?
     
  11. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,823
    Location:
    .
    Yes.
     
  12. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    Can you provide any further details - was it after system reboot, automatic maintenance, update, etc.?

    You're running Windows 8.1 - correct?
     
  13. guest

    guest Guest

    Did you install something at that moment?
    In the mentioned file I can see: <ProgramList> <Program Id=" ...."> Source="AddRemoveProgram"
    Installing or uninstalling a program may have triggered a change of this file :cautious:
     
  14. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,823
    Location:
    .
    Sorry. I can't recall exactly what I was doing or the machine itself.
    Next time I'll check that.
     
  15. Dark Star 72

    Dark Star 72 Registered Member

    Joined:
    May 27, 2007
    Posts:
    778
    Had a couple today. Using Win7 Pro x64 with AppGuard, NVT (Alert mode), WSA, and Sandboxie.
    Machine always starts in Lockdown mode; I had dropped to Protected mode to play a small game I play and then went for dinner, forgetting to re-enable Lockdown. The two rundll32.exe events occurred while the machine was idle with no browser etc. open. Noticed them when I came back later on. Hope this is of help.
     

    Attached Files:

  16. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    Thanks for the report @Dark Star 72

    Just an FYI...

    The first dll I have seen before - it's for Webroot phishing filtering. The second one is unfamiliar to me. You should confirm that it is safe and connected to one of your installed programs. An online search for videoc.dll turns up Logitech and Wix - but online searches are extremely unreliable in determining a file's publisher based solely on the name of the file, since many publishers use the same, identical file name.

    If videoc.dll turns out to be legitimate, then both of those *.dlls should be added to the User Space list and set to (NO). Since C:\ProgramData is User Space, AppGuard will continue to block their loading until you exclude them from User Space.
     
    Last edited: Dec 13, 2016
  17. iammike

    iammike Registered Member

    Joined:
    Jun 13, 2012
    Posts:
    342
    Location:
    SE Asia
    Just an update: haven't seen any Rundll events since enabling "Protected Mode" on both my Win 8.1 and Win 10 machines.

    Can't test any further as we are going to Singapore tomorrow and we will be back after Christmas.

    Happy Holidays, you guys!
     
  18. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    Thanks for testing. Happy Holidays.
     
  19. Duotone

    Duotone Registered Member

    Joined:
    Jul 9, 2016
    Posts:
    142
    Location:
    Philippines
    Can anyone help me with this:
    Prevented process <msiexec.exe | c:\windows\system32\services.exe> from launching from <c:\windows\system32>.
    Not sure what the cause is, as I just reformatted this PC a few days ago.
     
  20. XhenEd

    XhenEd Registered Member

    Joined:
    Mar 31, 2014
    Posts:
    536
    Location:
    Philippines
    Set msiexec.exe to User Space=No (temporarily) because, I presume through your signature, you're using the "hardened" setting of AppGuard.
     
  21. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,823
    Location:
    .
    @Duotone

    Also, looking at your signature, there's written v4.6.6.1. Do you mean v4.4.6.1 or did I miss a new version?
     
  22. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    There is no version 4.6.6.1; it is 4.4.6.1.

    Version 4.X is no longer being developed.

    If we do any vulnerability fixes, I assume that the version number will be advanced. Something like 4.4.6.1 => 4.4.6.2.
     
  23. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    @Duotone

    The block did not break anything.

    You are using the hardened xml. In that configuration xml, msiexec.exe is included in User Space (YES). That means msiexec.exe is disabled from launching.

    It will block Windows Updates and installations using msi\msp installers.

    You have to set msiexec.exe in the User Space list to (NO) to allow Windows Updates or an msi\msp installer. Then you set it back to (YES) after you are done.

    If you don't want msiexec.exe to be blocked again, simply set msiexec.exe in the User Space list to (NO). It won't affect anything. Besides, AppGuard default policies protect against inadvertent msi\msp installations.

    The hardened xml is for maxed-out protection within AppGuard. It requires toggling ON\OFF settings once in a while.

    If that doesn't meet your needs, then simply Restore all default settings on the Advanced tab and run AppGuard in Locked Down mode. In Locked Down mode you will have to make some exclusions. Which ones depends upon the OS version and what you have installed on your system.
     
    Last edited: Dec 17, 2016
  24. Duotone

    Duotone Registered Member

    Joined:
    Jul 9, 2016
    Posts:
    142
    Location:
    Philippines
  25. Duotone

    Duotone Registered Member

    Joined:
    Jul 9, 2016
    Posts:
    142
    Location:
    Philippines
    How to deal with Chrome's constant nagging:
    Prevented <Windows® installer> from accessing <c:\program files (x86)\google\update\1.3.32.7\googleupdatehelper.msi <Google Update Helper>>.
    Prevented process <software_reporter_tool.exe | c:\program files\google\chrome\application\chrome.exe> from launching from <c:\users\jr\appdata\local\google\chrome\user data\swreporter\15.85.1>.

    Any suggestions other than ignoring those blocked messages?!
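
Added example, not part of any post and not AppGuard's own tooling: a small parser for the three block-message shapes quoted in this thread (optional timestamp, `child | parent` actor, nested `<description>` in the target), so repeated events can be grouped before deciding on User Space exclusions. The message layout is an assumption inferred only from the lines posted here, and the function names are hypothetical.

```python
import re
from collections import Counter

# Block messages copied from the posts in this thread; the layout is inferred
# from these samples only, not from any AppGuard log specification.
SAMPLE = r"""
12/12/16 09:41:07 Prevented process <Windows host process (Rundll32)> from writing to <c:\windows\appcompat\programs\aeinv_previous.xml>.
12/12/16 09:39:27 Prevented process <Windows host process (Rundll32)> from writing to <c:\windows\appcompat\programs\aeinv_previous.xml>.
Prevented process <msiexec.exe | c:\windows\system32\services.exe> from launching from <c:\windows\system32>.
Prevented <Windows® installer> from accessing <c:\program files (x86)\google\update\1.3.32.7\googleupdatehelper.msi <Google Update Helper>>.
Prevented process <software_reporter_tool.exe | c:\program files\google\chrome\application\chrome.exe> from launching from <c:\users\jr\appdata\local\google\chrome\user data\swreporter\15.85.1>.
"""

EVENT = re.compile(
    r"^(?:(?P<ts>\d\d/\d\d/\d\d \d\d:\d\d:\d\d) )?"      # optional timestamp
    r"Prevented (?:process )?<(?P<actor>[^<>]+)> from "  # "child | parent" or a display name
    r"(?P<action>writing to|launching from|accessing) "
    r"<(?P<target>.+)>\.?$"                              # greedy: keeps a nested <description>
)
NESTED = re.compile(r"^(?P<path>.*?)\s*<(?P<desc>[^<>]*)>$")

def parse_event(line):
    """Return a dict for one block message, or None if the line is not one."""
    m = EVENT.match(line.strip())
    if not m:
        return None
    actor, _, parent = (part.strip() for part in m["actor"].partition("|"))
    target, desc = m["target"], ""
    nested = NESTED.match(target)
    if nested:  # e.g. "<...helper.msi <Google Update Helper>>"
        target, desc = nested["path"], nested["desc"]
    return {"ts": m["ts"], "actor": actor, "parent": parent,
            "action": m["action"], "target": target, "description": desc}

def summarize(text):
    """Count blocks per (action, actor) so repeated events collapse into one row."""
    events = filter(None, (parse_event(l) for l in text.splitlines()))
    return Counter((e["action"], e["actor"]) for e in events)

if __name__ == "__main__":
    for (action, actor), n in summarize(SAMPLE).most_common():
        print(f"{n}x  {actor}  [{action}]")
```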
     