AppGuard Beta is Live (64 Bit, MemoryGuard)

Discussion in 'other anti-malware software' started by Eirik, Jul 7, 2010.

Thread Status:
Not open for further replies.
  1. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    Hi All,

    For those of you interested in a 64 bit AppGuard or the new feature MemoryGuard, the beta is now "Live". Participants that provide us the requested feedback will get a Lifetime License (3 concurrent seats). More details:

    AppGuard 64/32 Beta Tests (Advancing Zero Day Protection)

    In addition to 64 bit support and MemoryGuard, there's also InstallGuard, which one might argue would be better named "msiGuard" because it simply suppresses MSI launches unless they're digitally signed by Microsoft.

    The Beta is Not Just for 64 Bit Computers

    With MemoryGuard, we really want to expose it to a lot of diversity to try to find unknown unknowns early. So, we expanded the beta to 32 bit support also.

    Supported Operating Systems

    - 32 Bit Windows 7
    - 64 Bit Windows 7
    - 32 Bit Windows Vista
    - 64 Bit Windows Vista

    Yes, that's 64 bit Windows Vista. The test group confirmed AppGuard 64/32 works fine on Vista 64. However, if Win 7 and Win Vista should diverge over time, we are not guaranteeing that we'll ensure AppGuard works on 64 bit Vista.

    This beta does not work on any version of Win XP. The reason for that is primarily MemoryGuard. We've got some R&D underway seeking a practical means to do MemoryGuard in WinXP. Unfortunately, it probably won't bear fruit. One hopes!

    Cheers,

    Eirik
     
  2. 1000db

    1000db Registered Member

    Joined:
    Jan 9, 2009
    Posts:
    718
    Location:
    Missouri
    It's like Christmas in July! :thumb:
     
  3. ViVek

    ViVek Registered Member

    Joined:
    Aug 7, 2008
    Posts:
    551
    Location:
    Moon
    I would like to test but I'm using Win XP :(
     
  4. Warklen

    Warklen Registered Member

    Joined:
    Jan 17, 2009
    Posts:
    107
    Sweet, can't wait to try it.
     
  5. 1000db

    1000db Registered Member

    Joined:
    Jan 9, 2009
    Posts:
    718
    Location:
    Missouri
    07/07/10 16:48:31 Prevented <Microsoft Windows Search Indexer> from writing to memory of <Microsoft Windows Search Protocol Host>.

    Apparently MG doesn't allow M$ processes to manipulate each other. I got a whole log full of these on a 64-bit Win7 machine.



    Prevented <C:\Program Files (x86)\SRWare Iron\iron.exe> from writing to memory of <C:\Program Files (x86)\SRWare Iron\iron.exe>.

    However Iron's memory is protected from itself.
     
    Last edited: Jul 7, 2010
  6. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
    Do what?

    Untitled.png
     
  7. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    There are exceptions; the beta may identify others, possibly these.

    Remember, if MemoryGuard gets in the way, please try suspending it.

    Cheers

    Eirik
     
  8. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    yo da man, Eirik. :thumb:

    Good to see that at least you folks will give it a try. There are plenty of 64 bit Vista users that have money. ;)
     
  9. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
    Logging in to Wilders from my wife's laptop. My laptop appears to be hosed after installing the Beta. I restarted like it asked, I get the login screen fine, enter my password, which proceeds to load the desktop, which is nothing but a black screen with my Windows build number in the bottom right corner. Bummer.
     
    Last edited: Jul 7, 2010
  10. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    Ouch!!! I'm very sorry. Your PC is 32 bit win 7 isn't it?

    Were you able to try starting Win in safe mode?

    Consider this escalated!

    Eirik
     
  11. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
    No. I had to kill the power. Rebooted, the auto chkdsk thingy runs. This time I get the taskbar only. No desktop icons, no apps loaded in the system tray. The desktop is still black with no way of getting out of it other than killing the power again. Yes, Win 7 32-bit.

    https://www.wilderssecurity.com/showpost.php?p=1708863&postcount=6

    Just to let you know, prior to where I'm at now, stuffed, it did install. Task Manager shows the 32/64-bit process running. I opened the AG GUI but it was still the same version. I hit the install app again, which asked to repair it. It did its thing, rebooted, here I am, lol.

    Do you want me to try and startup in Safe Mode? What if any info do you need before I roll this install off, if I can?
     
    Last edited: Jul 7, 2010
  12. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    Email us the msinfo file. Unfortunately, we won't have an engineer working your ticket until morning (Eastern time zone).

    Sorry about this inconvenience Greg.

    Eirik
     
  13. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
    Can't this time around. I had to get back up and running to do something that needed to be done, sorry.
    Do you know what the reason is for the error when first trying to install? I'll try it again but really need to get past that installation error. This time around I can give you the msinfo.
     
  14. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    I'll know more after talking with the development team in the morning.

    Eirik
     
  15. 1000db

    1000db Registered Member

    Joined:
    Jan 9, 2009
    Posts:
    718
    Location:
    Missouri
    It seems that MG is enforcing its policy on all processes instead of just the ones in userland. MG should only apply to inter-user processes such as ones that are initiated within userland affecting system level processes. If this is true is it a departure from AG's philosophy?
     
  16. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    Yes. However, if I recall correctly, the OS itself restricts lesser privileged processes from modifying the memory of higher privileged processes. This represents an example of something that MemoryGuard can ignore.

    Eirik
     
  17. Kid Shamrock

    Kid Shamrock Registered Member

    Joined:
    Apr 3, 2007
    Posts:
    207
    Running win7 32-bit, MemoryGuard is blocking all kinds of things that it shouldn't be blocking. Once MG starts, there's a steady stream of events coming up in the log. Here's a sample of a few;

    07/07/10 21:39:34 Prevented <Application Host Service> from writing to memory of <Host Process for Windows Services>.
    07/07/10 21:39:17 Prevented <Application Host Service> from writing to memory of <Reflect Service - Enables mounting of images>.
    07/07/10 21:53:15 Prevented <Application Host Service> from writing to memory of <Windows Explorer>.
    07/07/10 21:52:53 Prevented <Application Host Service> from writing to memory of <Notepad>.

    I had the idea of putting svchost.exe into the guarded apps list, which stopped all the blocking actions, but it effectively disabled AppGuard. I was able to write and execute files from supposedly protected areas such as the documents and downloads folders. Any other ideas on how to fix this?
     
  18. 1000db

    1000db Registered Member

    Joined:
    Jan 9, 2009
    Posts:
    718
    Location:
    Missouri
    That's good to know. Can I configure MG to ignore these processes through editing the policy somewhere? So far AG is running well on two different machines; one 32-bit and one 64-bit. Both are Windows 7.
     
    Last edited: Jul 8, 2010
  19. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    MemoryGuard, as it is now, is not user-configurable, other than on-off (suspend).

    Question to folk observing these unexpected blocks, are you also observing lost functionality?

    Eirik
     
  20. Kid Shamrock

    Kid Shamrock Registered Member

    Joined:
    Apr 3, 2007
    Posts:
    207
    No, everything seems to be working normally, so I don't know if anything is actually being blocked or not. Just get constant alerts flashing the tray icon and a huge event log.
     
  21. 1000db

    1000db Registered Member

    Joined:
    Jan 9, 2009
    Posts:
    718
    Location:
    Missouri
    MG is preventing Chrome (on 32-bit) and Iron (on 64-bit) from accessing the memory of their own executables. Therefore they have lost internet capability.
     
  22. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    These are excellent examples of 3rd party software MemoryGuard issues that prompted the beta.

    I'm not terribly familiar with Iron. I didn't know it worked with Chrome. Is it installed as a plug-in/add-on or as a standalone application? I'm also wondering if Chrome would be affected if Iron were not involved. Any other beta folk have Chrome but not Iron?

    Thanks All,

    Eirik
     
  23. 1000db

    1000db Registered Member

    Joined:
    Jan 9, 2009
    Posts:
    718
    Location:
    Missouri
    SRWare Iron is a Chromium browser built from the same source code that Google's Chrome comes from. Iron touts many privacy enhancements that Chrome lacks. So Iron is not a plugin but a browser cousin, so to speak. I think the problem is that these two browsers (Chrome at least) have their executables in userland instead of Program Files.
     
  24. tonyf1971

    tonyf1971 Registered Member

    Joined:
    Nov 20, 2007
    Posts:
    58
    Hi Eirik,

    I use Jetico BCWipe and have Transparent Wiping enabled. MG is blocking the tray icon; the program is still working OK, but I have lost some minor functionality. If I disable MG I can restore the icon, and when I re-enable MG it appears that I have my full functionality back.

    07/08/10 17:03:53 Prevented <BCWipe command line utility.> from writing to memory of <BCWipeTM>.
     
  25. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
    Yes, I'm losing functionality on three things so far. I'm getting messages on a few others but, as far as I know, they are working fine. Is the Suspend option, when checked, limited to the time configured just like it is when suspending from the context menu? I was under the impression that it is, but am getting the feeling that it's not from what you are saying. It seems to me that you're implying that it's disabled until re-enabled. I could be wrong, as I usually am, but I hope I'm not, and here's why. If the checked suspension is hinged on the time limit, then here is what's going to be the big drawback of this MemoryGuard for those who lose functionality, especially if there are no exceptions: if AppGuard kicks in first at startup/bootup before the apps that are losing their functions, then in my opinion it's a no go. See my point? There's no way to gain the functions back outside of killing the process and restarting the app that it's associated with.

    Also, if there's no way of allowing exceptions, and if there's not going to be a problem getting these on every click in IE: "07/08/10 18:31:48 Prevented <Internet Explorer> from writing to memory of <Internet Explorer>"
    then there has to be a way to selectively disable the blinking icon for this. I'm not talking about disabling the blinking icon globally, but for a specific process and guard; in this example, IE blocking IE with MemoryGuard enabled. Somehow I feel this can't be done, which is going to make the blinking icon more of a nuisance, not to mention scare the average user to death with all this blinking going on. If it's an acceptable practice of AG and it's not going to hurt the system in any way, then why have the tray icon blink? Just report it to the Event Viewer or Status Panel tab in AG. Or are the blinking icon, Event Viewer and Status Panel tab so tightly connected that losing the blinking icon breaks the other two?

    I guess one can assume that all this memory guard blocking of MS processes will not degrade the condition of day to day operations?
    Code:
    07/08/10 17:49:46 Prevented <Console Window Host> from writing to memory of <AppID Certificate Store Verification Task>.
    07/08/10 19:19:37 Prevented <Windows host process (Rundll32)> from writing to memory of <Microsoft® Volume Shadow Copy Service>.
    07/08/10 19:19:37 Prevented <Windows host process (Rundll32)> from writing to memory of <Microsoft® Volume Shadow Copy Service>.
    07/08/10 19:19:35 Prevented <Windows host process (Rundll32)> from writing to memory of <Host Process for Windows Services>.
    07/08/10 19:19:35 Prevented <Windows host process (Rundll32)> from writing to memory of <Host Process for Windows Services>.
    07/08/10 19:19:35 Prevented <Windows host process (Rundll32)> from writing to memory of <Host Process for Windows Services>.
    07/08/10 19:19:35 Prevented <Windows host process (Rundll32)> from writing to memory of <Host Process for Windows Services>.
    07/08/10 19:19:35 Prevented <Windows host process (Rundll32)> from writing to memory of <Microsoft Windows Search Indexer>.
    07/08/10 19:19:35 Prevented <Windows host process (Rundll32)> from writing to memory of <Microsoft Windows Search Indexer>.
    07/08/10 19:19:33 Prevented <Console Window Host> from writing to memory of <MUI Language pack cleanup>.
    07/08/10 20:45:12 Prevented <avast! Service> from writing to memory of <avast.setup>.
    07/08/10 20:45:12 Prevented <avast! Service> from writing to memory of <avast.setup>.
    07/08/10 20:45:11 Prevented <avast! Service> from writing to memory of <avast.setup>.
    07/08/10 20:45:11 Prevented <avast! Service> from writing to memory of <avast.setup>.
    
    The last four above cause Avast not to update, meaning it can't auto-update. I can suspend MG and do it manually, I reckon.

    I have to ask the question, which is similar to one I've asked in the past about Privacy Mode. If all these alerts are generic and apps shouldn't, or probably in most cases will not, lose functionality, then couldn't the same thing happen with a bad app? Somehow I envision
    Code:
    Prevented <BadAppMemoryDevil.exe> from writing to memory of <whatever.exe>
    and it not losing any functionality as well which may be ok because I really can't comprehend what it's actually blocking with these alerts.

    Where is it? Lol, nevermind it works as intended. I was looking for something different in the GUI. I just hadn't clicked as far as a file.
     
    Last edited: Jul 8, 2010
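The MemoryGuard log lines quoted across this thread (1000db's and Kid Shamrock's posts, and the list above) all share one shape, and the triage question the thread keeps circling is which of them are harmless noise and which cost functionality. The Python script below is an added example, not AppGuard's code or anything from its vendor: it parses lines in that format into (source, target) pairs, counts repeats, flags self-writes (the Chrome/Iron/IE pattern) and lists sources blocked against several distinct targets. The sample log is constructed from lines quoted in this thread plus one non-event line; the regular expression, the `broad_threshold` cutoff and the bucket names are my assumptions, not anything AppGuard exposes.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, List, NamedTuple, Optional

# Shape of the MemoryGuard event lines quoted in this thread. Assumption: the
# leading timestamp and the trailing period are optional, because some posters
# pasted lines without one or the other.
_EVENT_RE = re.compile(
    r"^(?:(?P<stamp>\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) )?"
    r"Prevented <(?P<source>[^>]+)> from writing to memory of <(?P<target>[^>]+)>\.?$"
)


class MemoryGuardEvent(NamedTuple):
    stamp: Optional[str]  # "MM/DD/YY HH:MM:SS", or None when the poster trimmed it
    source: str           # process that attempted the write
    target: str           # process whose memory it tried to write


def parse_line(line: str) -> Optional[MemoryGuardEvent]:
    """Parse one log line; anything that is not a MemoryGuard event yields None."""
    m = _EVENT_RE.match(line.strip())
    if m is None:
        return None
    return MemoryGuardEvent(m.group("stamp"), m.group("source"), m.group("target"))


def parse_log(text: str) -> List[MemoryGuardEvent]:
    """Parse a pasted log, skipping non-event lines such as 'Last edited'."""
    parsed = (parse_line(line) for line in text.splitlines())
    return [ev for ev in parsed if ev is not None]


def triage(events: List[MemoryGuardEvent], broad_threshold: int = 3) -> Dict[str, object]:
    """Bucket blocked writes for a human to review.

    pairs:         count per (source, target); pairs that repeat every few
                   seconds are the first candidates for a vendor-side exception.
    self_writes:   source == target, the Chrome/Iron/IE pattern in this thread,
                   where a multi-process app touches its own sibling process and
                   the block costs real functionality.
    broad_sources: sources blocked against >= broad_threshold distinct targets.
                   OS service hosts and genuine injectors both look like this,
                   so they deserve a look rather than a blanket rule either way.
    """
    pairs = Counter((ev.source, ev.target) for ev in events)
    self_writes = sorted({ev.source for ev in events if ev.source == ev.target})
    targets_by_source: Dict[str, set] = defaultdict(set)
    for ev in events:
        targets_by_source[ev.source].add(ev.target)
    broad_sources = {
        src: sorted(tgts)
        for src, tgts in sorted(targets_by_source.items())
        if len(tgts) >= broad_threshold
    }
    return {"pairs": pairs, "self_writes": self_writes, "broad_sources": broad_sources}


# Constructed sample: lines quoted by posters in this thread, plus one non-event
# line ("Last edited") to show that the parser ignores it.
SAMPLE_LOG = r"""
07/08/10 17:49:46 Prevented <Console Window Host> from writing to memory of <AppID Certificate Store Verification Task>.
07/08/10 19:19:37 Prevented <Windows host process (Rundll32)> from writing to memory of <Microsoft® Volume Shadow Copy Service>.
07/08/10 19:19:35 Prevented <Windows host process (Rundll32)> from writing to memory of <Host Process for Windows Services>.
07/08/10 19:19:35 Prevented <Windows host process (Rundll32)> from writing to memory of <Host Process for Windows Services>.
07/08/10 19:19:35 Prevented <Windows host process (Rundll32)> from writing to memory of <Microsoft Windows Search Indexer>.
07/08/10 20:45:12 Prevented <avast! Service> from writing to memory of <avast.setup>.
07/08/10 20:45:11 Prevented <avast! Service> from writing to memory of <avast.setup>.
07/08/10 18:31:48 Prevented <Internet Explorer> from writing to memory of <Internet Explorer>
Prevented <C:\Program Files (x86)\SRWare Iron\iron.exe> from writing to memory of <C:\Program Files (x86)\SRWare Iron\iron.exe>.
Last edited: Jul 8, 2010
"""


def report(text: str) -> str:
    """Render the triage as plain text a beta tester could paste back to the vendor."""
    result = triage(parse_log(text))
    lines = ["Blocked (source -> target) pairs, most frequent first:"]
    for (src, tgt), n in result["pairs"].most_common():
        lines.append(f"  {n:3d}  {src} -> {tgt}")
    lines.append("Self-writes (app blocked from its own sibling process):")
    lines.extend(f"  {name}" for name in result["self_writes"])
    lines.append("Sources blocked against several distinct targets:")
    for src, tgts in result["broad_sources"].items():
        lines.append(f"  {src}: {', '.join(tgts)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run it as-is to see the three buckets for the sample, or pass the contents of a saved AppGuard log to `report()`. The self-write bucket is the one worth reading first, since every functionality loss reported in this thread (Chrome, Iron, IE, Avast's updater) shows up as a process being blocked from a sibling of its own product rather than from an unrelated target.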