AppGuard 4.x 32/64 Bit - Releases

Discussion in 'other anti-malware software' started by Jryder54, Oct 29, 2013.

Thread Status:
Not open for further replies.
  1. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    Oh Oh this has turned into a HIPS versus AppGuard thread and I am not liking it at all. You must all now go stand in the corner!!!!!!!!!!!!!!!!
    This is not productive at all. And I know the instigator of it.:confused:
    You even forced me to use an avatar.
     
  2. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    It is no big deal. The user has decided, after learning more about AppGuard, that AppGuard does not offer what they want.
     
  3. guest

    guest Guest

    Yep, AppGuard isn't for everybody. The kinds of users AppGuard is destined for are:
    - those running a static system (meaning not much software testing) who want it to stay as it is.
    - those knowing what they install.
    - those who don't need to monitor stuff and then decide to allow or block this or that because they will always choose block anyway.
    - those with at least a good knowledge of their system and how it works.
     
  4. XhenEd

    XhenEd Registered Member

    Joined:
    Mar 31, 2014
    Posts:
    536
    Location:
    Philippines
    I admit I may not be one of these kinds of users. But I'm used to how AppGuard blocks and allows. So, I never abandoned it. :)

    I have an AV or ReHIPS (depending on my mood), and on-demand scanners, to be safe when I install. :)
     
  5. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    For a personal-use system, I clean install the OS, the drivers, the softs I want to use, then lock it down. The system could be locked down indefinitely.
     
  6. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Hmm. Thanks for the good advice Pete. The more I test this puppy the better I am liking it.

    Grown so tired over n over again of never getting SRP to work right for me but man this thing really sings!

    All in a single set with a few tabs and rock solid LOCKDOWN as they say.
     
  7. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    My system is not really static, but, like @XhenEd, I am managing well with AppGuard, toggling to Allow Installs when necessary, and also will not abandon it.

    But I am probably unusual in that I generally run v4.4.6.1 in Protected Mode, but with 'hardened .xml'. :rolleyes: Never experimented too much with Locked Down, but I guess I should..

    When the time comes to switch to v5, I will probably run it more in 'vanilla' mode, but maybe Locked Down, and monitor / control vulnerable processes in the upcoming new NVT ERP only.
     
  8. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,579
    Location:
    The Netherlands
    Why would you say that? If anything, it would be dumb to compare AG with HIPS, because they both have a different purpose, so one isn't any better than the other. AG is more comparable with tools like Sandboxie and Shade, because they are all about isolation.

    BTW, I was thinking, why not make it so that AG will block apps from memory reading/writing of all other processes, or at least from Guarded apps when in "Install Mode"? Would this break app install? You could also block access to private folders.
     
  9. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,579
    Location:
    The Netherlands
    No response just yet? I hope it was clear what I meant, so when in Install Mode, it shouldn't be possible to modify memory of for example the browser and system processes like explorer.exe and svchost.exe. If I understood correctly, currently AG does allow this when in Install Mode.
     
  10. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Jeff is busy and this is a theoretical question over which he has no control.

    Also HIPS and AG do have the same purpose. It's to protect the system.
     
  11. guest

    guest Guest

    When you install something, you shouldn't have unknown processes running or any 3rd party software be online, so there is no real need for it even if the idea is nice.
    And even if BRN could do it, they will surely never implement it, because AG is primarily corporate software and corporate behaviors don't fit with this kind of feature.
    And I know BRN well enough to know that it will take ages to do it, if they even want to do it...

    By the way, an old (9 years old) documentation about AG technology.
    Also mentioned is their view of HIPS being inappropriate in a corporate environment, some comparison between products, etc...

    http://ww1.prweb.com/prfiles/2010/05/11/1052624/AppGuardTechWhitePaper.pdf

    What they explain is totally actual.
     
    Last edited by a moderator: Apr 30, 2017
  12. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Thanks guest. That was a good refresher read.
     
  13. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    5,703
    Location:
    North Carolina, USA
    Hello,

    I have not used AppGuard in a bit and am getting ready to install it again.
    Is version 4.4.6.1 the latest available for the 4.x series?
    I see 5.2.9.1 is the current version. What are the differences between it and the latest 4.x version? I am trying to make an informed decision as to whether there is any reason to upgrade.
    I am planning to install AppGuard either tonight or in the morning so any advice would be appreciated. I am mainly concerned with the differences between the two versions and whether the 5.x is preferred for Windows 10 Pro 64 bit Version 1703 (OS Build 15063.250)...
     
  14. guest

    guest Guest

    Yes.
    None. Actual v5 only introduced the yearly license renewal and just replaces v4 for new customers.
    Improvements will be implemented in the next v5 version. We will inform you when it is released, but don't expect it soon, especially since the latest merge.

    There is no difference, and both versions work well on the latest CU (for the moment).
    You can't purchase v4 anyway.
     
  15. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    5,703
    Location:
    North Carolina, USA
    Hello guest,

    Thanks for the reply. You confirmed what I thought.
    I have six licenses and run the 4.x versions on other systems just not the one system that I have so far updated to CU (1703). It seems there is no need to switch to the subscription based 5.x series yet so I will go with the 4.x series on CU until there is a reason to update.
     
  16. guest

    guest Guest

    :thumb:
     
  17. guest

    guest Guest

  18. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    5,703
    Location:
    North Carolina, USA
    Hello guest,

    Thanks ;) ...
     
  19. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    Those features are already integrated in AppGuard.

    With AppGuard in Protected mode, a user can make installations using a digitally signed installer from one of the publishers on the Trusted Publisher List. If they want to block access to Private Folders during installation, then they just need to enable Privacy Mode for the publisher. By default, MemGuard is enabled during installation.

    In Protected mode, Trusted Publisher List installations must be digitally signed all the way through the run sequence - including any *.tmp files; not signed all the way through = AppGuard will block the installation.
     
  20. Roberteyewhy

    Roberteyewhy Registered Member

    Joined:
    Mar 4, 2007
    Posts:
    611
    Location:
    US
    Thanks, Lockdown, for your constant willingness to help. Your expertise is always acknowledged by me! Like you said, "The user should have a hands on approach." Well, don't have the time nor the inclination [real life]. But, 'Back in the Day' or 'When the World was Young'...

    Appreciative,
    Robert
     
    Last edited: May 1, 2017
  21. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    The problem is if a user doesn't have the inclination to have hands on in securing his/her computer then the bad guys will be glad to step in and help.
     
  22. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,579
    Location:
    The Netherlands
    I don't believe that corporate HIPS/BB's give alerts on endpoints, but I understand they need to market the product.

    Yes, just like AV. But that isn't the point, AG is more about AE + isolation, while HIPS try to identify malware via behavioral monitoring.

    I was reading the help-file, but I didn't read anything about this mode? So just to clarify, according to you there is a mode in AG that will let you install apps (if digitally signed), but those apps are not allowed to modify memory of other processes and can't access private data? And those apps will be able to install correctly because they can freely write to file system and registry?
     
  23. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    That is all correct. The mode is Protected mode. Protected mode will allow the install of programs:

    1. Publisher on Trusted Publisher List
    2. The install sequence must be digitally signed all the way through the install run sequence
    3. According to the settings set for the publisher on the Trusted Publisher List:

    A. Guarded (don't use this - it won't install - no writes to registry and file system; I don't know why this option is even there)
    B. MemGuarded
    C. Privacy mode - can't write to Protected\Private Folders

    The default setting is MemGuarded when adding a publisher to the TPL, but the user can enable Privacy mode.
     
  24. guest

    guest Guest

    Of course you still have them. Endpoint versions give alerts (depending on the settings, which can be suppressed on the workstations), but the alert is still relayed to the management console, giving the admin more work than any SRPs (which as you know just block). I can tell you that an admin has way more stuff to do than monitoring every alert on all the network. It is why HIPS are nonsense in a corporate environment. In a corporate environment, SRP (mostly Applocker) is the default security method used. Endpoint solutions may be added on top depending on the taste of the chief admin.

    Symantec EP has a BB (called Sonar) but also possesses a "pseudo-SRP" called Application and Device control. Most serious endpoint solutions have this feature (Sophos, etc...), because it makes it easier for the admin to control the system. I visited plenty of companies, and none has any HIPS "a la" Comodo. Most use those Application Control or SRPs.

    AG is SRP, not isolation. Guarded Apps look like a policy sandbox, but have nothing to do with it, it is still SRP.
     
    Last edited by a moderator: May 1, 2017
  25. guest

    guest Guest

    A detailed review and explanation of AppGuard, worth the read:

    http://www.filecritic.com/blue-ridge-networks-appguard-review/
     