AppGuard 4.x 32/64 Bit - Releases

Discussion in 'other anti-malware software' started by Jryder54, Oct 29, 2013.

Thread Status:
Not open for further replies.
  1. Roberteyewhy

    Roberteyewhy Registered Member

    Joined:
    Mar 4, 2007
    Posts:
    611
    Location:
    US
    That's why I give some credence to History channel's series Ancient Aliens.:p

    Robert
     
  2. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    I've held dice in my hands in my life, saw UFOs once or twice in my life, but no little green men... yet.
     
  3. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,606
    Location:
    The Netherlands
  4. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    Don't know. Have yet to locate a sample that can be definitively identified as Dridex_v4 and functions correctly. I located the samples identified by researchers, but those samples do not function.

    Even if MemGuard does not block atom table bombing, it is a moot point since the user would have to do one of three things:

    1. Execute in Protected mode a Dridex_v4 that has a valid certificate from one of the Trusted Publishers

    2. AppGuard tray icon > right-click > Allow User Space Launches - Guarded > execute Dridex_v4

    3. Lower protection to Allow Installs or OFF > execute Dridex_v4

    AppGuard uses strict blocking and therefore will block the execution. As long as the user adheres to that protection model, the source file is blocked from execution, and there is no need for the user to concern themselves about what a particular file does.

    It is the same as setting SpyShelter to "Block all malicious actions" = Action 53 - Execution of an application will be auto-blocked.
     
    Last edited: Apr 8, 2017
  5. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    Rasheed

    As far as I am concerned, AppGuard is FAR better than ProcessGuard ever was. You need to start using some of the programs you post in threads about. Maybe do some testing of malware yourself to understand the different powers of each software.
     
  6. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    Do any of you use AppGuard's Private Folders ?

    I see that some AppGuard users combo with Secure Folders and Excubits FIDES - both good products.

    I just want to remind people that the same folder protection mechanism is present in AppGuard.

    I think a lot of AppGuard users are unaware of it and/or don't know how to take full advantage of the Private Folder feature.

    Then there are those that just like multi-replicated protections... and I get that.
     
  7. XhenEd

    XhenEd Registered Member

    Joined:
    Mar 31, 2014
    Posts:
    536
    Location:
    Philippines
    I use it for my folder that has crucial files (files that would decide my school life). :D
     
  8. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,823
    Location:
    .
    Yes I was. Now taking advantage of it.

    I'm one of those.

    With SecureFolders or FIDES I protect an external UFD. Even File Explorer is not allowed.
     
  9. stackz

    stackz Registered Member

    Joined:
    Dec 27, 2007
    Posts:
    646
    Location:
    Sydney Australia
    I have my documents, music and basically all my data folders designated as private. Privacy is enabled only for web browsers and email client.
     
  10. guest

    guest Guest

    yes
    i do
    i know
    :isay:
    in fact i use SF for some other features too :p
     
  11. guest

    guest Guest

    In addition I have set all drive letters to read-only.
    Example:
    d:\ (Read Only)
    d:\Secret (Deny Access)
    d:\Portable-Apps (Read/Write)
    After disabling AppGuard, another folder-protection mechanism takes over :ninja:
     
  12. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Jeff

    I do use private folders in AppGuard, but it's not the same mechanism as FIDES. In FIDES I block all write and delete access to my F: and G: drives. Then I make the exception for Macrium. I don't believe there is any way to do that with AppGuard.
     
  13. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I checked the BIOS, and could not find an option to disable the TPM chip. I looked for about 20 minutes for it, but was unable to find it. I have the latest version of the BIOS installed. I will have to find the manual for the motherboard. There was nothing at all in the settings that looked odd to me. VT-d was turned off; I turned it back on.

    My parents are using the computer, but it's mine. It was a very high quality machine when I built it about 6 years ago. It was valued around $5,000 then, but it's not worth anywhere near that now. I will find the manual soon, and see if there is a setting for the TPM chip. There should be.

    I really wish I had time to put into it, but I'm on the verge of failing my Computational Thinking class because I don't know how to make flow charts. I only have 2 1/2 weeks left to finish all my work for that class. I was supposed to have received a copy of Microsoft Visio at the beginning of the semester, but I'm just now getting it through my school. I have all A's in my other classes except for this computational thinking class. I'm more of a network and database kind of guy. I didn't have any previous experience writing code, so this class has been hard for me. I have to say, I really hate flow charts! I would much rather use pseudocode. Maybe it would not be so bad if I knew how to use the software that makes them. I hope there is not much of a learning curve using Visio.
     
  14. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    School before AppGuard. After you get on-track in your class we will still be here to get whatever issues you are having sorted out.
     
  15. Duotone

    Duotone Registered Member

    Joined:
    Jul 9, 2016
    Posts:
    142
    Location:
    Philippines
    Did ask CS
    was just about to add CCAV to power apps till I decided to remove it completely.... back to WD for me less hassle.
     
  16. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    OK, thanks.
     
  17. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,606
    Location:
    The Netherlands
    OK, I see. But the point is that you never know if a user mistakenly executes malware; that's the whole point of HIPS. So MemGuard should protect against all kinds of code injection methods. I have a feeling it will probably block Dridex from injecting code into the browser and other processes.
     
  18. guest

    guest Guest

    AppGuard is SRP; there is no such thing as "click/execute mistakenly". Dridex (or any malware), whatever the wrapping or method it uses, will just not execute its payload because it is not authorized. And any decent user of AppGuard knows that you don't authorize an exe out of the blue; you do proper research about it.

    SRP like AG or AppLocker is not about monitoring whether stuff is legit or not (like HIPS does); it is about blocking unauthorized stuff, legit or not.

    SRPs are for static systems: clean install > install drivers & needed softs > lock it with AG.

    If you need to install a new soft: check its legitimacy (via checksum, VT, etc...) > install it > relock the system.
     
    Last edited by a moderator: Apr 14, 2017
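The "check its legitimacy via checksum" step in the post above is the one part of that workflow that is easy to get wrong by eye (comparing a long hex string visually). The following is an added example, not code from the thread or from AppGuard, that streams a downloaded file through SHA-256 and compares the result against a vendor-published digest before the system is unlocked for the install. The sample file and both digests are constructed inside the script; `sha256_file` and `verify_checksum` are hypothetical helper names.

```python
import hashlib
import hmac
import os
import tempfile

CHUNK = 1 << 16  # read 64 KiB at a time so large installers need not fit in memory


def sha256_file(path):
    """Return the lowercase hex SHA-256 digest of the file at `path`."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_checksum(path, published_hex):
    """True only if the file's digest equals the published one.

    Case and surrounding whitespace in the published value are normalised
    (vendors print digests in either case); the comparison itself is
    constant-time so the check cannot leak how many leading characters match.
    """
    actual = sha256_file(path)
    return hmac.compare_digest(actual, published_hex.strip().lower())


def demo():
    """Write a constructed stand-in for a downloaded installer and check it
    against a matching digest and against a digest of a one-byte-different file.
    Returns (result_for_good_digest, result_for_tampered_digest)."""
    payload = b"constructed installer bytes for the example\n"  # constructed, not a real binary
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "setup.exe")
        with open(p, "wb") as f:
            f.write(payload)
        good = hashlib.sha256(payload).hexdigest().upper()      # as a vendor might publish it
        bad = hashlib.sha256(payload[:-1] + b"!").hexdigest()   # digest of a tampered copy
        return verify_checksum(p, good), verify_checksum(p, bad)


if __name__ == "__main__":
    ok, tampered = demo()
    print("published digest matches:", ok)        # True
    print("tampered digest matches:", tampered)   # False
```

Only after `verify_checksum` returns True would the system be moved to Allow Installs; a False result means the file should not be authorized at all, regardless of how trustworthy the download site looked.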
  19. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,606
    Location:
    The Netherlands
    That is a no-brainer, no need to talk about doing research. But they implemented Memory Guard for a reason. If malware never executes on the system, then you also don't need Memory Guard and the data protection feature. These features are clearly meant as a fail-safe. The only difference between HIPS and AG is that AG will auto-block, and HIPS will alert about stuff like code injection and other things.
     
  20. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Rasheed, you should look at ReHIPS and be happy.
     
  21. guest

    guest Guest

    Fileless and other memory-based malware have existed for a long time.

    He doesn't like it; too alien ^^
     
  22. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    So are most of the old HIPS these days. :argh:
     
  23. guest

    guest Guest

    The HIPS concept was great in the past 10 years, but now they have become more of a hassle; that is why those crappy "next gen, I do everything for you" products are popular.
     
  24. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    If a user executes malware, then all bets are off as anything is possible no matter what protections are installed - SRP, HIPS, behavior blocker, or otherwise.

    If a user lowers AppGuard protections and executes malware, then that is user error and not the fault of AppGuard.

    MemGuard has never been guaranteed to protect against 100 % of all code injection techniques. No security software is guaranteed to protect against 100 % of all malicious actions once malware is executed. That's why, no matter what security softs are installed on the system, all bets are off once the malware is executed. You can verify this fact by watching one of the countless "bypass of this-or-that security soft" videos published on the web.

    The only guarantee is not to execute/prevent the execution of malware in the first place - which AppGuard, properly used, does very well.
    • In Locked Down mode AppGuard isn't going to allow anything to execute (recommended).
    • In Protected mode AppGuard will only allow digitally signed files to execute.
    • Using "Allow User Space Launches - Guarded" will allow whatever file to execute that the user wishes - but it is not recommended to use this option unless the user knows for sure that the file is safe.
     
    Last edited: Apr 15, 2017
  25. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,606
    Location:
    The Netherlands
    Yes, but it isn't only about file-less memory. It will also block user launched malware.

    Correct, based on what I've seen, I don't like anything about it.

    The whole point of HIPS is that it will try to save the system when malware is executed. Normally speaking there are 2 ways to get malware on the system: via exploit or user. The first one is easily stopped by anti-code execution; no user action is necessary. But then there is always the user that might make the wrong decision.

    That is where HIPS technology like Memory Guard comes into play, it will block code injection and memory scraping. But to me that isn't enough, I would also like the ability to block service/driver loading, block incoming/outgoing connections, block modification of certain registry keys and other stuff, that's why I'm using HIPS, because it's out of AG's scope.
     