AppGuard 4.x 32/64 Bit - Releases

Discussion in 'other anti-malware software' started by Jryder54, Oct 29, 2013.

Thread Status:
Not open for further replies.
  1. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    If you set Privacy Mode to ON for Edge, you will find that you can still save files to Private Folders - like MyPrivateFolder in Documents - and also launch PDFs from MyPrivateFolder. This is because Guarded protection blocks a registry write by PickerHost.exe - if I recall correctly - that needs to be allowed.
     
  2. Floyd 57

    Floyd 57 Registered Member

    Joined:
    Mar 17, 2017
    Posts:
    1,296
    Location:
    Europe
    I think I encountered a bug with AppGuard: I've added qbittorrent.exe to the Guarded Applications. Its settings are Privacy Off, MemWrite and MemRead On. What happens is, when qbittorrent opens a torrent and asks me where to start downloading the files, I can't access D:\ in the "Choose Save Path" window; it says access denied. D: is my HDD; it's added to the user space and it's added in Guarded Applications Settings as Private (Deny Access), but qbittorrent.exe has Privacy off, so it shouldn't matter, right? But when I remove D:\ from the Guarded Applications Settings window, I can access it through the qbittorrent Choose Save Path window. This must be a bug, right?

    This only happens if D:\ is added as Private (Deny Access); if it's not in the settings, or set as Protected (Read Only) or Exception (Read/Write), it's all fine (if it's Protected I can access D:\ in the choose path window but qbittorrent can't save the files there, working as supposed to). The bug happens in Protected mode; in Allow Installs mode it works as intended. Removing D:\ from the user space doesn't make a difference though.
     
  3. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    1. Is D:\ your OS drive, a secondary data drive, or a user-created partition/non-system drive?

    2. What settings have you applied to D:\ in the User Space list - YES or NO?

    3. To which directory (file path) is qbittorrent.exe installed?

    4. Are you using the installed qbittorrent.exe or the portable qbittorrent.exe?

    5. Does qbittorrent.exe execute a process that resides in User Space (OS Drive or Other Drive:\Users\User\*) when downloading a file?
     
    Last edited: Mar 18, 2017
  4. Floyd 57

    Floyd 57 Registered Member

    Joined:
    Mar 17, 2017
    Posts:
    1,296
    Location:
    Europe
    1. User-created partition, non-system drive
    2. Yes
    3. C:\Program Files (x86)\qBittorrent; C:\ is the system drive
    4. the not portable one
    5. How do I check this?

    I found out that when I start qbittorrent.exe from the shortcut in the Program Files folder where it's installed, everything is fine, but if I exit qbittorrent and open a torrent file, it opens automatically asking me where to save the downloaded files and the bug happens. After that the bug persists for the entire duration that qbittorrent is open; I have to exit it and open it from the shortcut to make it work normally.
     
  5. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    Process Explorer, Process Hacker, or System Explorer

    What shortcut? You mean execute it using the qbittorrent executable (qbittorrent.exe) in C:\Program Files (x86)\qBittorrent?

    Would you please copy-paste any block events associated with qbittorrent from the Activity Report ?
     
  6. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    Someone asked if there is any advantage to using Chrome for Business & Education over using Chrome.

    The answer is that there is no advantage whatsoever in terms of the browser itself. Protection-wise, there is no difference between the two versions.

    Chrome for Business & Education offers management capabilities that an enterprise Admin will find convenient. If you have a LAN and want to create policies, force install extensions, use an online management console and then push Chrome over the LAN to each PC\workstation, then Chrome for Business & Education is intended exactly for that scenario. That's it. That's the difference.
     
  7. Floyd 57

    Floyd 57 Registered Member

    Joined:
    Mar 17, 2017
    Posts:
    1,296
    Location:
    Europe
    OK, so I opened Process Explorer and it turns out that the qbittorrent.exe process, the one that is automatically started when I open a torrent/magnet link through my browser, is under chrome.exe instead of being under explorer.exe, as it is when I open it using the C:\Program Files (x86)\qBittorrent shortcut. Chrome.exe has Privacy On, so that explains the "bug", and I learnt a bit about how processes work :O
     
  8. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    Since I have never used qbittorrent it would be helpful if you could answer a few additional questions.

    1. Is the torrent download actually made by Chrome or qbittorrent?

    2. Does qbittorrent only initiate the download?

    3. Does qbittorrent function as a browser extension?

    Just an FYI... qbittorrent has 2 vulnerabilities that were reported this month - one is a cross-site scripting vulnerability and the other is listed as an X-Frame vulnerability that can result in clickjacking. I don't see any information that these vulnerabilities are being exploited in the wild. They were both discovered and reported by the qbittorrent publisher. It appears from the language that one of the vulnerabilities is limited to Linux systems. It could also be interpreted as being applicable to Linux-embedded systems. Either way, just be aware of it.

    https://bugzilla.redhat.com/show_bug.cgi?id=1429530

    4. Would you point me to the qbittorrent client download link that you are using?

    5. Also, would you provide a magnet link or .torrent that you are using?

    I want to replicate what you are seeing exactly.
     
    Last edited: Mar 19, 2017
  9. Floyd 57

    Floyd 57 Registered Member

    Joined:
    Mar 17, 2017
    Posts:
    1,296
    Location:
    Europe
    1. I don't know what you mean by "torrent download"
    2. I open Chrome while qbittorrent is closed (process isn't running), click on a magnet link to download a torrent, choose "open qbittorrent" like this http://i.imgur.com/KTdLYqR.png inside the Chrome window, and then qbittorrent opens and asks me where to save the files
    3. I haven't installed any qbittorrent extensions or the like
    4. I'm using qbittorrent 3.3.11 64-bit for windows: https://www.qbittorrent.org/download.php
    5. Kickass.cd, choose any torrent you want and click on the Download Torrent button :O
     
  10. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    What process actually downloads the file - Chrome or qbittorrent?
     
  11. Floyd 57

    Floyd 57 Registered Member

    Joined:
    Mar 17, 2017
    Posts:
    1,296
    Location:
    Europe
    With magnet links there's no torrent file; otherwise it's qbittorrent doing the downloading of the files once I open the magnet
     
  12. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    Thanks for all the info. I have to test it, but just don't have time to do so at the moment. A priority project has me occupied.
     
  13. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    I tested it. When qbittorrent is launched after selecting a magnet link, then it does indeed inherit Chrome's Privacy mode - even when qbittorrent is added to the Guarded Apps list with Privacy mode set to OFF. It's not a bug, it's intended design.

    @Floyd 57 thanks for all your info.
     
  14. XhenEd

    XhenEd Registered Member

    Joined:
    Mar 31, 2014
    Posts:
    536
    Location:
    Philippines
    So, it's a bug?
     
  15. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    Re-read the post. "It's not a bug. It's intended design."
     
  16. XhenEd

    XhenEd Registered Member

    Joined:
    Mar 31, 2014
    Posts:
    536
    Location:
    Philippines
    Thanks! :)

    But if it's not a bug, then it seems to be a bad design.

    I think the better design is that if a certain Guarded app, under a different parent, has a specific configuration (e.g. Privacy Off), then no matter what the parent's own configuration is, the Guarded app should retain its own configuration. The problem is apparent with what @Floyd 57 experienced.
     
  17. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    Browser > exploit webpage > browser exploit > powershell (Privacy Mode set to OFF) > ransomware script >>> encrypt your files in Private Folders

    It is designed so that any process - even a Guarded App with Privacy Mode set to OFF - will inherit Privacy Mode to protect files stored in Private Folders.

    If you want convenience, are you willing to accept completely compromised Private Folder protections?
     
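    The behaviour worked out in posts 7, 13 and 17 above (Privacy Mode is inherited down the process tree, so a Guarded App with Privacy OFF still gets Privacy ON when a Privacy ON parent launched it) is easy to get wrong when reasoning from the per-app settings alone. The following is an added example, not AppGuard code and not from anyone in this thread: a small model of the rule that walks a process table the way you would read it in Process Explorer and decides what happens to a read or write against a User Space folder. The process tables, PIDs, folder paths, and the assumption that a child of a Guarded App is policed like the Guarded App itself are all constructed for the illustration.

```python
from dataclasses import dataclass
from typing import Dict, List

@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    name: str

# Guarded Applications list: image name -> Privacy Mode ON?
# Constructed to match the thread: Chrome runs with Privacy ON, qbittorrent with Privacy OFF.
GUARDED_APPS: Dict[str, bool] = {
    "chrome.exe": True,
    "qbittorrent.exe": False,
}

# User Space folders and their class in the Guarded Applications Settings window:
# "private" = Private (Deny Access), "protected" = Protected (Read Only),
# "exception" = Exception (Read/Write). The paths are assumed examples.
FOLDER_CLASSES: Dict[str, str] = {
    "D:\\": "private",
    "C:\\Users\\User\\Documents\\MyPrivateFolder\\": "private",
    "C:\\Users\\User\\Documents\\": "protected",
    "C:\\Users\\User\\Downloads\\": "exception",
}

# Two constructed process tables, the shape Process Explorer (or
# Get-CimInstance Win32_Process) shows for the two launch paths in the thread.
LAUNCHED_FROM_EXPLORER: Dict[int, Proc] = {
    4: Proc(4, 0, "explorer.exe"),
    1234: Proc(1234, 4, "qbittorrent.exe"),
}
LAUNCHED_FROM_CHROME: Dict[int, Proc] = {
    4: Proc(4, 0, "explorer.exe"),
    9000: Proc(9000, 4, "chrome.exe"),
    1234: Proc(1234, 9000, "qbittorrent.exe"),
}

def ancestry(procs: Dict[int, Proc], pid: int) -> List[Proc]:
    """Chain from pid up to the root (pid first). Stops on a missing parent or a
    PID-reuse cycle, both of which occur on real systems."""
    chain: List[Proc] = []
    seen = set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        proc = procs[pid]
        chain.append(proc)
        pid = proc.ppid
    return chain

def effective_privacy(procs: Dict[int, Proc], pid: int) -> bool:
    """Privacy Mode is ON if the process itself or any Guarded ancestor has it ON.
    That is the inheritance rule confirmed in the thread."""
    return any(GUARDED_APPS.get(p.name, False) for p in ancestry(procs, pid))

def in_guarded_chain(procs: Dict[int, Proc], pid: int) -> bool:
    """Assumption: a child of a Guarded App is policed like the Guarded App."""
    return any(p.name in GUARDED_APPS for p in ancestry(procs, pid))

def folder_class(path: str) -> str:
    """Longest-prefix, case-insensitive match against the folder list."""
    p = path.lower()
    best, cls = "", "unlisted"
    for prefix, c in FOLDER_CLASSES.items():
        if p.startswith(prefix.lower()) and len(prefix) > len(best):
            best, cls = prefix, c
    return cls

def decide(procs: Dict[int, Proc], pid: int, path: str, op: str) -> str:
    """op is "read" or "write"; returns "allow" or "deny"."""
    if not in_guarded_chain(procs, pid):
        return "allow"                      # folder rules only police Guarded Apps
    cls = folder_class(path)
    if cls == "private":
        return "deny" if effective_privacy(procs, pid) else "allow"
    if cls == "protected":
        return "allow" if op == "read" else "deny"
    return "allow"                          # Exception (Read/Write) or not listed

if __name__ == "__main__":
    target = "D:\\Torrents\\file.iso"
    for label, table in (("from explorer", LAUNCHED_FROM_EXPLORER),
                         ("from chrome", LAUNCHED_FROM_CHROME)):
        chain = " <- ".join(p.name for p in ancestry(table, 1234))
        print(f"{label:14} {chain:48} privacy={effective_privacy(table, 1234)!s:5} "
              f"write {target} -> {decide(table, 1234, target, 'write')}")
```

    Running it prints the two chains side by side: the same qbittorrent.exe with the same Privacy OFF setting is allowed to write to D:\ when explorer.exe is its parent and denied when chrome.exe is. To check a live system, take the PID and parent PID columns from Process Explorer (or Get-CimInstance Win32_Process) and feed them in as the process table.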
  18. XhenEd

    XhenEd Registered Member

    Joined:
    Mar 31, 2014
    Posts:
    536
    Location:
    Philippines
    Thanks for the explanation, @Lockdown! :)
     
  19. Floyd 57

    Floyd 57 Registered Member

    Joined:
    Mar 17, 2017
    Posts:
    1,296
    Location:
    Europe
    Btw, every time that I open Google Chrome, and randomly every 10-15 mins or so, AppGuard tells me this:

    Prevented <Google Chrome> from writing to <\registry\machine\software\wow6432node\google\update\clientstatemedium\{8a69d345-d564-463c-aff1-a69d9e530f96}>
    Prevented <Google Chrome> from writing to <\registry\machine\software\wow6432node\google\update\clientstatemedium\{8a69d345-d564-463c-aff1-a69d9e530f96}\lastwasdefault>

    And sometimes this as well: Prevented <Google Chrome> from writing to memory of <Windows Command Processor>

    I also saw the same things in the event viewer:

    Prevented <c:\program files (x86)\google\chrome\application\chrome.exe | c:\windows\explorer.exe> from writing to <\registry\machine\software\wow6432node\google\update\clientstatemedium\{8a69d345-d564-463c-aff1-a69d9e530f96}>
    Prevented <pid: 9872> from writing to <\registry\machine\software\wow6432node\google\update\clientstatemedium\{8a69d345-d564-463c-aff1-a69d9e530f96}\lastwasdefault>
    Prevented <pid: 8684> from writing to <\registry\machine\software\wow6432node\google\update\clientstatemedium\{8a69d345-d564-463c-aff1-a69d9e530f96}\lastwasdefault>.

    So far I haven't noticed it affecting anything, but is that normal when using chrome or is it just me?
     
    Last edited: Mar 19, 2017
  20. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    All expected block events. You will see them regularly in the Activity Report and Event Viewer. Nothing should be broken. I have all the same blocks as shown above on my test systems.
     
  21. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    I have a question. What if certain apps do need to inject code into a Guarded App, is this possible?
     
  22. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    Only if the program doing the code injection is not a Guarded App (on the Guarded App list) or launched as a completely Guarded App itself (digitally signed from User Space when running AppGuard in Protected Mode) with MemWrite set to ON.

    I've never seen an adjustment in the MemGuard settings necessary to correct a breakage - because I have never seen MemGuard cause a breakage. In fact, there have been prior internal discussions about completely removing the MemGuard settings as they have not proven themselves to be needed. They remain only "just in case", so the user can make an exception if need be.

    There are only a very few, limited cases where the MemGuard ON must be changed to OFF in the Trusted Publisher List when running AppGuard in Protected Mode. For example, in Protected Mode when running portable Process Explorer, MemGuard must be set to OFF otherwise Process Explorer will not be able to read other process memory. In such cases involving the default Trusted Publisher List settings it is not a breakage, but intended design.
     
    Last edited: Mar 19, 2017
  23. guest

    guest Guest

    I have guarded WinDjView and injected a DLL from 7-Zip. Result:
    [Attachments: DLL-injection_AG_WinDjView_(1).png, DLL-injection_Processhacker_WinDjView_(1).png]
    The result is different if the injection is being done from a Guarded Application:
     
  24. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    Should be blocked: "AppGuard prevented <Guarded_Injecting_Process_Description> from writing to memory of <WinDjView>" or something close to it.
     
  25. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Okay, I need help with ignore messages. I think I understand it, but I've got some messages that just keep reappearing, and I want to stop them. Show me as if I was a total noob, as for this I seem to be.

    Thanks
     