AppGuard 4.x 32/64 Bit

Discussion in 'other anti-malware software' started by Jryder54, Oct 29, 2013.

  1. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,217
    Location:
    USA
    Ok, I see now. Your response seemed to be in direct response to mine since I was quoting you.

    I think it needs to be made clear to some that AG will not block payloads that execute from the System Space and Program Files. Maybe they will read the last few posts and understand how AG protects those areas.

    AG protects the System Space and Program Files by not allowing Guarded Apps (Vulnerable Applications) to write to those areas. You obviously can't guard most System Processes like lsass.exe without trashing your System, so if a System Process is exploited, AG can't prevent it from writing to the System Space and dropping its payload there.

    In the case of EternalBlue, it was outside the scope of AG protection. I honestly would like to see Blue Planet-Works think outside the box on threats originating from exploited System Processes. Maybe they could come up with policies to block the payload in System Space without the policies harming the System. I'm not sure how possible that is.

    Btw.. I'm hoping to do a Capstone Project on Exploits next Spring where I will test AG, VS, ERP, and some others. I'm not sure I will make the results Public. If I do I will allow the vendors to see the results before releasing them to give them time to address any problems. I definitely will release the results to the vendors regardless.
     
  2. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    AppGuard LLC, Virginia, U.S.
    I understand what you are saying. However, AppGuard is SRP; it is not an anti-exploit. SRP stops the post-exploit payload - as in the case of WannaCry ransomware using the EB\DB exploit. The best practice to deal with exploits per se is not to run unpatched Windows and keep all software up-to-date. This is industry-wide recommended best practice.
     
    Last edited: Jun 4, 2017
  3. simmersK00L

    simmersK00L Registered Member

    Joined:
    Mar 20, 2013
    Posts:
    294
    Location:
    USA
    :D
     
  4. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    3,825
    Location:
    Europe then Asia
    YES, because System Space is excluded from protection (Windows, both Program Files folders and some areas of Documents & Settings).

    But how can a dropper get into your System Space? Only from User-Space (which is blocked by default), so the threat is blocked.
    Malware needs a dropper (exe, etc.) or uses a network vulnerability to get into the system from outside the network; it doesn't pop up in the System Space by magic.
    So block the initial dropper, it won't load anything and the system is secure. This is what SRPs are made for. (Many products do the same but prompt instead of blocking directly.)
    All the videos we saw assume that the dropper has already compromised a machine and is delivered into the network, which is obviously necessary to demonstrate the attack but unrealistic in the real world.

    Don't misunderstand what Guarded Apps are: Guarded Apps are processes from User or System-Space that will be run "limited"; by "limited" it means they will be restricted from accessing certain folders and prohibited from reading & writing the memory of other processes. (Obviously some critical processes should never be added as guarded.)

    What is important with AG is the understanding of the User-Space tab; in it, you can add any file or partition, even from System-Space, and those will be blocked from running.
    However, if you add something in this tab, don't have it also (ticked) in Guarded Apps, because the latter takes precedence.
    Some processes/apps in System-Space can be added to User-Space (and blocked) or Guarded (and run limited).


    - In the case of EB, AG will do nothing. Why? Because the EB part of the attack is a network exploit run at "Ring 0", so once in a network it can't be stopped by AG, because AG isn't a network tool.
    However, the initial dropper that delivers EB to one machine in the network would be blocked by common products (SRP/BB/HIPS/anti-exe). If the dropper is run, it is game over in the network, unless it has some network monitoring tool.

    - In the case of DP, Blue Planet could do something, but since they don't want AG to be a full anti-exploit, I don't think they will do anything. AG protects against the execution of some exploits (like those based on non-critical vulnerable processes like powershell, etc.).

    "if you disarm the shooter of his gun, you won't have to care of the bullet"
     
    Last edited: Jun 4, 2017
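The three mechanisms the post above describes (User-Space executables blocked by default, the User-Space tab as an explicit block list, Guarded Apps run "limited" and kept from writing into System Space) can be modelled as a small policy engine. The block below is an added illustration written for this thread; it is not AppGuard's code, the folder list and the precedence order are simplifications of what the post says, and all paths are constructed. The last assertion in its usage shows the limitation the thread keeps returning to: an unguarded System Space process such as lsass.exe is not restricted at all.

```python
"""Toy model of the SRP rules described in the post: User-Space executables
are blocked, System Space runs freely, Guarded Apps run "limited".
Added example with constructed paths; not AppGuard's code, and the
precedence rules are an assumption based on the post's wording."""
from dataclasses import dataclass, field
from typing import Iterable, Set

# Folders the post calls "System Space" (Windows defaults; constructed list).
SYSTEM_SPACE_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def norm(path: str) -> str:
    """Case-fold and use backslashes so prefix checks are consistent."""
    return path.lower().replace("/", "\\")


def in_system_space(path: str) -> bool:
    return norm(path).startswith(SYSTEM_SPACE_PREFIXES)


def listed(path: str, entries: Iterable[str]) -> bool:
    """Match an exact file path, or a folder/partition prefix (entries ending in '\\')."""
    p = norm(path)
    return any(p == norm(e) or (e.endswith("\\") and p.startswith(norm(e))) for e in entries)


@dataclass
class SrpPolicy:
    user_space_list: Set[str] = field(default_factory=set)  # "User-Space tab": must never run
    guarded_apps: Set[str] = field(default_factory=set)     # "Guarded Apps": run, but limited

    def launch(self, image: str) -> str:
        """Decide ALLOW / GUARDED / BLOCK for starting an executable."""
        if listed(image, self.guarded_apps):
            return "GUARDED"   # a ticked Guarded App takes precedence over the User-Space tab
        if listed(image, self.user_space_list):
            return "BLOCK"     # explicitly listed, even though it may live in System Space
        if in_system_space(image):
            return "ALLOW"     # System Space is trusted and excluded from blocking
        return "BLOCK"         # default: nothing launches from User-Space

    def write(self, actor: str, target: str) -> str:
        """Guarded processes may not write into System Space; others are unrestricted."""
        if listed(actor, self.guarded_apps) and in_system_space(target):
            return "BLOCK"
        return "ALLOW"

    def touch_memory(self, actor: str) -> str:
        """Guarded processes may not read or write other processes' memory."""
        return "BLOCK" if listed(actor, self.guarded_apps) else "ALLOW"


def demo_policy() -> SrpPolicy:
    """Constructed policy: one partition and one script host blocked, two apps guarded."""
    return SrpPolicy(
        user_space_list={"d:\\", "c:\\windows\\system32\\wscript.exe"},
        guarded_apps={
            "c:\\program files (x86)\\mozilla firefox\\firefox.exe",
            "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe",
        },
    )


if __name__ == "__main__":
    policy = demo_policy()
    firefox = "C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe"
    for image in ("C:\\Users\\bob\\Downloads\\invoice.exe",
                  "C:\\Windows\\System32\\lsass.exe",
                  "D:\\tools\\tool.exe",
                  "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"):
        print(f"launch {image}: {policy.launch(image)}")
    print("guarded write into Program Files:", policy.write(firefox, "C:\\Program Files\\x\\y.dll"))
    # An exploited, unguarded system process is not restricted by these rules.
    print("lsass.exe write into Windows:", policy.write("C:\\Windows\\System32\\lsass.exe", "C:\\Windows\\payload.dll"))
```

The decision order in `launch` encodes the post's advice about the two tabs: a path that is both listed in the User-Space tab and ticked as a Guarded App resolves to GUARDED, so the entry in the User-Space tab has no effect.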
  5. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    AppGuard LLC, Virginia, U.S.
    This whole exploit\anti-exploit debate has been seen on this thread before - multiple times. It was the basis of past advice that users should consider combining AppGuard with NVT ERP and\or HMP.A. The principle being that adding an anti-executable at maximum settings will be a safeguard for System Space processes and an anti-exploit to safeguard against application exploits. In fact, as I remember it, @Peter2150 and @Umbra were a part of those discussions somewhere on this thread or the prior one.

    Making AppGuard an anti-exploit is not in its future - just like adding a firewall, a HIPS, a sandbox, an ad-blocker, secure DNS, web-filtering, hardened browser, browser extensions, and so on to it are not in its future. There are good products already on the market that fit those bills, along with security updates from Microsoft. As an SRP, AppGuard is solid and does what it was designed to do very well. And it is not like AppGuard protections are static; user-created custom policies that include enhanced System Space protection policies can be created.
     
    Last edited: Jun 5, 2017
  6. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    3,825
    Location:
    Europe then Asia
    Indeed, the oldest users of Appguard here are used to combining AG with ERP (for most of us), because ERP had a very powerful and configurable Command Line Parser.
    Personally I have Appguard (to prevent malicious exes from running) + HMPA (to prevent exploits) + ReHIPS (to isolate browsers/apps and monitor parent/child processes).
    With those 3 I can safely say "I'm secured".
     
  7. syrinx

    syrinx Registered Member

    Joined:
    Apr 7, 2014
    Posts:
    363
    Well here we are, over a month later and stuff still stands. So....
    https://forums.sandboxie.com/phpBB3/viewtopic.php?f=11&t=24343&p=128116

    As it turns out an Admin User (even inside SBIE w/ drop rights) could mount a WIM image. This is odd because with a normal SUA they can't do this outside of the sandbox. Yet via Sandboxie even a SUA can end up mounting a WIM this way if certain flags are set.

    Horrible? Not so much, but it does open the door to a true escape. As SBIE users (I at least) we are used to things being contained, ALWAYS!
    Yet here we are with a WIM being able to mount and view-able [read launch-able] outside of the box. Yes, in all my tests SBIE continued to contain all mounted drives and their content when *launched* from within a sandbox!
    This still leaves the "/cough not so real escape vector" [yup already there] where the mounted file exists OUTSIDE of SBIE, eg in explorer! Where [this is the not so real part] some silly person might suddenly be tempted to click something they shouldn't.

    The most obvious 'actual' issue that popped into my mind was the Windows XP SP2 style 'auto-exec' .ini files,

    yet XP doesn't have native support for WIMs, so how serious is this really? Over a month later and no fix [that I know of] from Invincea yet?!
    /grr

    'potential security issue'
    +time=there we go

    I meant what THEY said:
    I'm gonna love you until you hate me and I'm gonna show you what's really crazy. You should've known better...

    /LOL
     
    Last edited: Jun 5, 2017
  8. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    3,825
    Location:
    Europe then Asia
    @syrinx what is your post talking about? (because you quoted yourself, so I don't get it :) )
     
  9. syrinx

    syrinx Registered Member

    Joined:
    Apr 7, 2014
    Posts:
    363
    So it hasn't been fixed and I spouted the above :-/
     
  10. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    3,825
    Location:
    Europe then Asia
    But you are on the Appguard thread; wouldn't it be better in Sandboxie's thread? :)
     
  11. syrinx

    syrinx Registered Member

    Joined:
    Apr 7, 2014
    Posts:
    363
    You have a decent point but I was just keeping my word [Offered in this thread]. The rest is up to the public now if they think it even matters.
     
  12. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    3,825
    Location:
    Europe then Asia
    OK, I see :)
     
  13. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    18,985
    Let's keep Sandboxie out of this thread!!!
     
  14. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,217
    Location:
    USA
    The whole point I was making is that a kernel exploit such as EternalBlue is not coming from the User-Space; it is originating from the System Space, therefore it can drop its payload in the System Space. That's exactly what it was in the process of doing when it ran rundll32.exe to establish a session. The main goal of almost all malware is to eventually gain access to the System Space, so it would make no sense to drop the payload in the User-Space if it's already running in the System Space. It would have to deal with escalation of privileges then.

    I know very well how AG works; I have been using it since its very first alpha release. I still have builds of version 1 in my software archive. I could write the manual for AG. We should always be honest and clear about the limitations of any product so we know how to tailor the rest of our Layered Security to cover areas not completely covered by the rest of our layered security.
     
    Last edited: Jun 5, 2017
  15. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    3,825
    Location:
    Europe then Asia
    What you are describing is EB already in the network and propagating via the SMB vulnerability; the real question is how EB got into the network from outside in the first place. Some articles said the dropper was an exe (so AG should block it, because executables don't pop into System-Space out of nowhere).

    Do you see what i mean?
     
    Last edited: Jun 5, 2017
  16. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,217
    Location:
    USA
    I read that if they have your IP they can send you a malformed packet, and deliver the exploit payload by that vector. It's my understanding that it was also spread by email droppers using pdf files, and .exe as you described. I will read more into it when I have time.
     
  17. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    3,825
    Location:
    Europe then Asia
    I think that is why most victims were companies or large networks, where the IPs are easy to find.

    If it is indeed that, then AG (and most software) should block it; however, if a machine in the same network was already compromised with EB-DP, then AG won't help much...
     
  18. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    9,473
    Location:
    The Netherlands
    Actually, lsass.exe does execute WannaCry. So this shows how important strict parent-child process control and the "vulnerable apps" feature is. It gives you a chance to block payloads that are created by trusted system processes.

    OK thanks for clearing things up. I guess it was indeed outside of AG's scope, on the other hand, other tools did manage to at least block the payload when the EternalBlue exploit managed to load the DoublePulsar backdoor.
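The "strict parent-child process control" the post above mentions can be expressed as detection logic over process-creation events. The block below is an added example for this thread, not AppGuard's code or a rule set from any vendor: the log format is a constructed CSV, the sample rows are constructed (the lsass.exe -> rundll32.exe pair and the executable under C:\Users are modelled on what this thread describes, and the file name payload.exe is a placeholder), and the three rules are assumptions a defender might start from. The `in_system_space` helper is the same System Space notion the thread uses.

```python
"""Flag anomalous parent/child process pairs in a constructed process-creation log.
Added example for this thread; not AppGuard's code. Log format, sample rows and
rules are constructed assumptions."""
import csv
import io
from dataclasses import dataclass
from typing import List

# Constructed sample log: time,parent_image,child_image,command_line
SAMPLE_LOG = """\
time,parent_image,child_image,command_line
2017-05-12T10:01:00Z,C:\\Windows\\explorer.exe,C:\\Program Files\\Mozilla Firefox\\firefox.exe,"firefox.exe"
2017-05-12T10:02:10Z,C:\\Windows\\System32\\services.exe,C:\\Windows\\System32\\svchost.exe,"svchost.exe -k netsvcs"
2017-05-12T10:03:20Z,C:\\Windows\\System32\\lsass.exe,C:\\Windows\\System32\\rundll32.exe,"rundll32.exe"
2017-05-12T10:03:21Z,C:\\Windows\\System32\\rundll32.exe,C:\\Users\\Public\\payload.exe,"payload.exe"
2017-05-12T10:04:00Z,C:\\Windows\\System32\\wininit.exe,C:\\Windows\\System32\\lsass.exe,"lsass.exe"
"""

# Assumption: these system processes are not expected to spawn children at all.
SYSTEM_PARENTS_WITH_NO_CHILDREN = {"lsass.exe"}

# Same "System Space" folders the thread refers to (constructed list).
SYSTEM_SPACE_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def in_system_space(path: str) -> bool:
    return path.lower().replace("/", "\\").startswith(SYSTEM_SPACE_PREFIXES)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


@dataclass
class Alert:
    time: str
    rule: str
    parent: str
    child: str


def analyze(log_text: str) -> List[Alert]:
    """Apply the three rules to every row and return the alerts raised."""
    alerts: List[Alert] = []
    for row in csv.DictReader(io.StringIO(log_text)):
        parent = basename(row["parent_image"])
        child = basename(row["child_image"])
        cmd = row["command_line"].strip()

        # Rule 1: a parent that should never have children spawned one.
        if parent in SYSTEM_PARENTS_WITH_NO_CHILDREN:
            alerts.append(Alert(row["time"], f"unexpected_child_of_{parent}", parent, child))

        # Rule 2: rundll32.exe started with no DLL/export argument has nothing legitimate to do.
        if child == "rundll32.exe" and len(cmd.split()) == 1:
            alerts.append(Alert(row["time"], "rundll32_without_arguments", parent, child))

        # Rule 3: an executable launched from outside System Space (what an SRP would block).
        if not in_system_space(row["child_image"]):
            alerts.append(Alert(row["time"], "execution_from_user_space", parent, child))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(f"{alert.time} {alert.rule}: {alert.parent} -> {alert.child}")
```

Rule 1 is the one that speaks to the post: whatever the exploit did inside lsass.exe, the moment it creates a child process there is a visible event a parent-child policy can act on, which is the "chance to block payloads created by trusted system processes" the post describes.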
     
  19. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    AppGuard LLC, Virginia, U.S.
    This was released 3 or 4 days after the initial detection of WannaCry in the wild: youtube.com/watch?v=p_ZzMN8GOcg

    Since the whole WannaCry episode reaction was one of complete hysteria, I don't think anyone noticed it.

    In the video, AppGuard does what it was designed to do - and this has always been the case. It blocks the post-exploit payload according to policy points.
     
  20. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    9,473
    Location:
    The Netherlands
    So what are you saying? Would it have blocked WannaCry from running or from encrypting files, if launched by the lsass.exe process? Because I don't see anything about that on the video.
     
  21. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    AppGuard LLC, Virginia, U.S.
    AppGuard blocked the post-exploit WannaCry payload as released into the wild in the first half of May. I think you already are aware of the reasons why it is appropriate to just leave it at that.
     
  22. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,474
    Even I, with only one gray matter left, can understand the injection was not stopped but the payload was. This thread is almost to the point of making me wannacry.
     
  23. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    9,473
    Location:
    The Netherlands
    I assume you mean that normally speaking AG will block it on the "patient zero" PC, and after that it shouldn't spread over the network. I guess that's true, but it would be nice if this was clearly explained in these kind of videos or perhaps they did explain it in a blog post, who knows.
     
  24. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    9,473
    Location:
    The Netherlands
    Actually, I'm afraid you're misunderstanding. The discussion is about what happens if EB manages to make DP load and spread WannaCry over the network. AG would not block it, once the exploit has managed to run. But it has already been explained, that this is out of AG's scope.
     
  25. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,474
    Yes, it can't stop the injection but does stop the install of the backdoor. That is all I need to know and understand.
     