AppGuard 4.x 32/64 Bit - Releases

Discussion in 'other anti-malware software' started by Jryder54, Oct 29, 2013.

Thread Status:
Not open for further replies.
  1. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    Are you logged into an Admin account ?
     
  2. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Yes I am. Mind you, I am not complaining.
     
  3. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Jeff

    When I look at Autoruns, if I try to uncheck the service, which is appguardagent, it won't let me. It's protected, so I am not surprised I can't kill it. I can kill the GUI, but not the service or driver.
     
  4. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    :D

    It's a topic I won't cover in any detail on a publicly open forum. Some stuff not even in PM.
     
  5. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    That's cool. I just am glad it's doing its job properly.
     
  6. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I run everything as Admin, so yes, Autoruns is as Admin. If I untick those 3 boxes and reboot, AppGuard is inert, but I have to turn off TamperGuard to do it.
     
  7. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,805
    Location:
    .
    Admin acc. same here.
     
  8. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    Unless someone sees some kind of problem, I won't discuss it any further. And if there is a problem reported it will get moved to the PM system.

    I know why this topic has been raised and being discussed here - and my answer is keep that discussion over there as it doesn't belong here. It's not wanted.
     
    Last edited: Mar 22, 2017
  9. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I am all smiles. AppGuard is doing its job.
     
  10. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    I understand, and the only thing I will say, then no more, is I don't think it fair for some to bash other companies for their self-protection by locking down the system and requiring a hard shutdown, and not accepting others do it. That is all I am trying to say.
     
  11. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    Your guess is as good as mine on that one. Different people with differing opinions.
     
  12. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    I will briefly discuss an important point about a "fail safe" lockdown protection mechanism that no one has considered.

    How many users - home, advanced, power, IT security geek, or otherwise - know how to proceed when all of a sudden a system goes into unexpected lockdown with perhaps little to no obvious reason?

    The answer is not to simply hard restart your system to immediately get it back up and running.

    If I were in an Enterprise environment and unexpected lockdown happened, the system would be hard shutdown, power and network disconnected, the hard drive(s) would be pulled, and they would be analyzed using a closed shell system. What is discovered during that analysis would dictate what needs to be done next. That's just me - when protecting a high value corporate\government system.
     
    Last edited: Mar 22, 2017
  13. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    Hopefully those you listed would have a backup on an external drive, USB, etc. If not, they are not professionals.
     
  14. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    Heh, heh... but you probably haven't seen SMB\Enterprise IT up-close. "Backups... what is that ?"

    The point that I am making is that if a system goes into self-protection lockdown it's safe to assume that it could be an indication of a targeted attack - among other possibilities - and a home user, in particular, is almost certainly not going to know how to proceed. How to proceed is not something that can be easily or readily documented due to wide-ranging variability. So, with that, in a home product the value of such a feature is debatable - so I can understand some people's point of view about it. Anyway, it's an undocumented feature in AppGuard Consumer.
     
  15. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    If it's in 4.4... the latest, then it may not work in Win 7.
     
  16. guest

    guest Guest

    No :D
    I was only curious. After seeing "AG prevented process [XXX] from terminating ..." (or something similar, I don't know the exact words at the moment) in the Windows Event Viewer and seeing the self-protection hype in the other popular thread, I tried to terminate the service.
    But now I know that this is a known feature and it wasn't a fault of my PC :)
    A hard boot wasn't needed.
    I knew that unexpected things could happen after terminating the service, so I had no "important stuff" running.
    I closed all opened applications while I had the "lockdown", did a "regular reboot".
    Except that the process Logonui.exe couldn't be spawned after logging out, nothing spectacular happened. No freeze, hangs or other unexpected things.
    Good to know :thumb:
    The self-protection is working as intended.

    My last post on this special topic, I won't mention it anymore.
     
  17. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    When system lockdown happens - how the locked-down system will behave depends upon what is - and more importantly - what is not running on the system at the time of lockdown. This can determine whether or not a hard shutdown is required. If you have access to system Restart via the Start menu or CTRL + ALT + DEL or other ways - then a regular shutdown can be done.
     
  18. Duotone

    Duotone Registered Member

    Joined:
    Jul 9, 2016
    Posts:
    142
    Location:
    Philippines
    @Lockdown I'm having a lot of blocking events in Windows 10,
    Prevented <igfxEM Module> from writing to <\registry\machine\software\intel\display\igfxcui\misc>.
    Prevented <Windows® installer> from accessing <c:\program files (x86)\dropbox\update\install\{5d766226-c4f8-41aa-b6ff-81c106f1951e}\dropboxoem_3.1.18.0_hp2014_releng.msi <Dropbox 25 GB>>.
    would setting it to protected for the time being resolve the issues?!
     
  19. XhenEd

    XhenEd Registered Member

    Joined:
    Mar 31, 2014
    Posts:
    536
    Location:
    Philippines
    That igfxEM block is expected. But the other one, I think, is also expected given that you have "hardened xml". But @Lockdown might be able to answer you better. :)
     
  20. Duotone

    Duotone Registered Member

    Joined:
    Jul 9, 2016
    Posts:
    142
    Location:
    Philippines
    Why is that to be expected?! Can't remember if I asked this before...too busy at work:D:D:D. Probably the hardened.xml is causing such fuss but only in my Win10 Laptop
     
  21. XhenEd

    XhenEd Registered Member

    Joined:
    Mar 31, 2014
    Posts:
    536
    Location:
    Philippines
    I have that, @Lockdown has that, and the other AppGuard users have that. :D So, yeah, it's expected because it's trying to write to a protected registry entry. But it doesn't break the graphics functioning, so it can be ignored. :)
     
  22. Duotone

    Duotone Registered Member

    Joined:
    Jul 9, 2016
    Posts:
    142
    Location:
    Philippines
    Ok... +1 to my list of ignored messages.
     
  23. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    Early in boot sequence:

    Intel Graphics (igfx)

    2017/03/20_02:38:57 > C:\Windows\System32\services.exe > C:\Windows\system32\igfxCUIService.exe

    2017/03/20_02:38:59 > C:\Windows\System32\igfxCUIService.exe > C:\Windows\system32\cmd.exe /c "C:\Windows\system32\{A6D608F0-0BDE-491A-97AE-5C4B05D86E01}.bat"

    .bat file:

    @echo off
    if exist igfxEM.exe start igfxEM.exe
    if exist igfxHK.exe start igfxHK.exe
    if exist igfxTray.exe start igfxTray.exe
    del /Q {A6D608F0-0BDE-491A-97AE-5C4B05D86E01}.bat

    cmd.exe (Guarded) > .bat (Guarded) > igfxEM.exe (Guarded)... igfxHK.exe (Guarded)... igfxTray.exe (Guarded)

    Unless something is obviously broken, just pay no attention to the block event(s) - you don't have to add it to the Ignore Messages list.

    If I say "ignore it" - I mean pay no attention to it - and not add it to the Ignore Messages list.
     
  24. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    Windows Installer (msiexec.exe) is blocked from accessing = reading *.msi files in both User and System Space as part of AppGuard's InstallGuard protection in Locked Down mode.

    So that block event for *_releng.msi is expected for Locked Down mode.

    Set AppGuard to Protected mode - and navigate to the *_releng.msi and you will be able to execute it. You cannot execute it in Locked Down mode.

    Check for yourself...

    You can't make the *_releng.msi block event not happen by setting AppGuard protection level to Protected mode (if I remember correctly).

    If you keep seeing that Windows Installer block event, you can pay no attention to it or add it to the Ignore Messages list.
     
    Last edited: Mar 23, 2017
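    The two explanations above (the Intel graphics tray writing to a protected registry key, and InstallGuard blocking msiexec.exe from reading *.msi files in Locked Down mode) amount to a small triage rule set for AppGuard block events. The script below is an added example written for this page, not code from AppGuard or from anyone in the thread: it parses the "Prevented <process> from <action> <target>." line format exactly as quoted in the thread, labels the two documented cases as expected noise, and flags everything else for a closer look. The two quoted lines are reused as sample input; the third sample line and the mode strings ("locked down" / "protected") are constructed here for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample input. The first two lines are the block events quoted in
# the thread; the third is made up here to show an event the rules do not know.
SAMPLE_EVENTS = [
    r"Prevented <igfxEM Module> from writing to <\registry\machine\software\intel\display\igfxcui\misc>.",
    r"Prevented <Windows® installer> from accessing <c:\program files (x86)\dropbox\update\install\{5d766226-c4f8-41aa-b6ff-81c106f1951e}\dropboxoem_3.1.18.0_hp2014_releng.msi <Dropbox 25 GB>>.",
    r"Prevented <UnknownTool.exe> from writing to <\registry\machine\software\microsoft\windows\currentversion\run>.",  # constructed
]

# Process name is matched lazily up to "> from"; the target is matched greedily so
# a nested "<Dropbox 25 GB>" inside the target does not end the match early.
EVENT_RE = re.compile(
    r"^Prevented <(?P<process>.+?)> from (?P<action>[a-z]+(?: to)?) <(?P<target>.+)>\.?$"
)


@dataclass
class BlockEvent:
    process: str
    action: str
    target: str


def parse_event(line: str) -> Optional[BlockEvent]:
    """Parse one AppGuard block-event line; return None if it is not in that format."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    return BlockEvent(m["process"], m["action"], m["target"])


def classify(ev: BlockEvent, mode: str) -> str:
    """Label an event as expected noise or as something to review.

    Only the two cases explained in the thread are treated as expected; the
    mode argument ("locked down" or "protected") is an assumed caller-supplied
    setting, because InstallGuard's *.msi block is documented for Locked Down only.
    """
    proc = ev.process.lower()
    tgt = ev.target.lower()

    # Intel graphics tray components writing under the protected Intel display key.
    if "igfx" in proc and tgt.startswith(r"\registry\machine\software\intel\display"):
        return "expected: Intel graphics component writing to a protected registry key"

    # Windows Installer reading an *.msi is blocked by InstallGuard in Locked Down mode.
    if "installer" in proc and ".msi" in tgt:
        if mode.lower() == "locked down":
            return "expected: InstallGuard blocks msiexec.exe from reading *.msi in Locked Down mode"
        return "review: msiexec.exe *.msi block seen in Protected mode"

    return "review: no documented explanation for this block"


def triage(lines: List[str], mode: str) -> List[Tuple[str, str]]:
    """Return (process-or-raw-line, verdict) pairs for a batch of event lines."""
    results = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            results.append((line, "unparsed: not an AppGuard block-event line"))
        else:
            results.append((ev.process, classify(ev, mode)))
    return results


if __name__ == "__main__":
    for process, verdict in triage(SAMPLE_EVENTS, "locked down"):
        print(f"{process}: {verdict}")
```

    Run as-is it prints one verdict per sample line for Locked Down mode; passing "protected" as the mode turns the msiexec.exe verdict into a review item, which matches the follow-up request in the thread to report any *.msi block events seen in Protected mode.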
  25. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    AppGuard - PROTECTED mode

    Anyone see Windows Installer (msiexec.exe) blocked from accessing any *.msi in System or User Space?

    Please post block events here.
     