AppGuard Beta is Live (64 Bit, MemoryGuard)

Discussion in 'other anti-malware software' started by Eirik, Jul 7, 2010.

Thread Status:
Not open for further replies.
  1. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Thx,

    They will get it right. The development principle of AppGuard was always very transparent. It happens often when a team shifts paradigms (I think it is very ambitious to implement memory protection without user intervention). I have been there too, regretting a too-high ambition level. :D

    Working as a freelance project manager for a re-insurer in the mid-eighties, I thought the company could outcompete the big ones (Swiss Re and Munchener Re) by developing a rule-based risk assessment system, with the system generating its own rules based on the collective weighted value of experts' decisions.

    We got funny results, so we had to remove the auto-rules part of it. After I made that decision two weeks before the scheduled implementation, the dev team threw me in the garden pool (they had been working 12 hours a day straight for at least three weeks), minutes before I had to meet the CEO and CFO to ensure we would implement on time.

    In the meeting the CFO told me he would buy all the dev-members a 12 pack with excellent wine and would subtract the bill from my monthly invoice.

    I guess I deserved that. :oops:


    Regards Kees
     
  2. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Keep up the good work. I can't wait for it to be 64-bit compatible. I'm currently using it on XP Pro.
     
  3. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Is anyone finding any bugs other than with MemoryGuard at the moment? I had problems in the past with AG not blocking .exe files from external drives even when the protection was enabled. Also, is anyone using it with Online Armor or Comodo? I was wondering if AG was running well with those 2 HIPS. I had some minor issues with Online Armor blocking some of the functions of AG in the past. I would have to reboot 2 to 3 times and keep allowing files manually because OA was silently blocking them and not prompting me to allow or deny. I also randomly had times where AG's protection would stop working. I believe it may have had something to do with a driver conflict between AG and OA. I never did figure that one out since it only happened randomly, and I could not reproduce the problem. I would have liked to beta test, but I gave my 64-bit beta machine to my mother. It looks like the beta phase is almost over anyway. I could always try it in a VM, I suppose.
     
    Last edited: Oct 11, 2010
  4. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    Probably not this year.

    I would say, however, that if we received a great looking alternative ico file(s) of the proper dimensions (same as current tray icons) from an AppGuard user, we'd be open to replacing the existing one with it. From the looks of the schedule, that would have to be by the morning of 25 October at the latest.

    Cheers,

    Eirik
     
  5. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    Hi All,

    With Beta 3 we're still seeing quite a bit of 'chatter' from MemoryGuard. Much of that appears to be trivial insofar as it doesn't actually impair anything. Much of that 'chatter' shows up because of how programmers/developers write their code, requesting access to 'the whole building [application], instead of just the one or two rooms [e.g., registry keys] that are needed'. The often seen result: MemoryGuard actually blocks nothing of substance, and thus impairs nothing.

    So, we'd like to ask you all to try to correlate any MemoryGuard 'blocks' with actually impaired application behavior.

    Thanks,

    Eirik
     
  6. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
    Code:
    10/11/10 20:26:09 Prevented <Internet Explorer> from writing to memory of <Internet Explorer>.
    10/11/10 20:26:09 Prevented <Internet Explorer> from writing to memory of <Internet Explorer>.
    10/11/10 20:26:08 Prevented <Internet Explorer> from writing to memory of <Internet Explorer>.
    10/11/10 20:26:08 Prevented <Internet Explorer> from writing to memory of <Internet Explorer>.
    10/11/10 20:26:07 Prevented <Internet Explorer> from writing to memory of <Windows Explorer>.
    10/11/10 20:26:06 Prevented <Internet Explorer> from writing to memory of <Windows Explorer>.
    
    Just back from uninstalling Comodo Time Machine, making an image, and uninstalling all software down to the basic installation of Win 7, and I still get the above. Restarted after the uninstalls, with registry leftovers cleaned as well. Looks like MemoryGuard on my end doesn't play well with IE8 or Rundll32, which is needed for Clear My Tracks of InPrivate Browsing.
     
  7. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    Hi Eirik,

    Any further news on this?

    Regards
     
  8. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    I've just sent an inquiry to engineering. For the first time in what seems like a long time, I don't think I dropped the ball on this one. Nonetheless, I'm very sorry we hadn't followed up sooner.

    I'm also looking into Mike's ticket too.

    Cheers,

    Eirik
     
  9. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    Greg,

    Would you please explicitly describe your observations of how IE behaved when these log events occurred? We're finding that many such log events do not actually impair or in any way alter the behavior or capabilities of the related applications. So, we're trying to find those examples of where the MemoryGuard events are in fact impairing something. We suspect you're observing something like this but need more explicit details.

    We are extremely grateful to you for uninstalling and altering your PC to zero in on the root causes of the observations you're reporting.

    Cheers,

    Eirik
     
  10. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    Thanks for the update, Eirik.

    I'm still hopeful that the problem with MemoryGuard on my system will be resolved before the release as I would like to be able to use MemoryGuard.

    Regards
     
  11. pandlouk

    pandlouk Registered Member

    Joined:
    Jul 15, 2007
    Posts:
    2,976
    Hi Eirik,

    On my system, when it happens, it prevents IE from deleting the "Browsing History" (cookies, cache, passwords, etc.).

    I noticed it only yesterday since I rarely use IE.

    Panagiotis
     
  12. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
    I have two different issues

    1) Rundll32 is protected by default by AG with MemoryGuard enabled. With that in mind, open an IE8 InPrivate Browsing session. Surf as you normally would, and typically when you close out an InPrivate Browsing session, this is what happens:
    Code:
    10/12/2010 15:38:53	e:\program files\internet explorer\iexplore.exe	Created new process	e:\windows\system32\rundll32.exe	Permitted	[App]*	Cmd line: rundll32.exe E:\Windows\system32\inetcpl.cpl,ClearMyTracksByProcess 1024
    
    The above command is the beginning of IE8 clearing all browsing history for that InPrivate Browsing session. With MemoryGuard enabled for the rundll32 process, the above does not happen. No IE8 InPrivate Browsing history is cleared; it all remains.

    2) MemoryGuard is enabled for IE8 as well. When I click the IE8 icon to open IE8, the IE8 window appears for a brief second and then closes. Before the window briefly appears, the AG tray icon starts blinking, and of course I get this in the AG status tab:

    Code:
    10/11/10 20:26:09 Prevented <Internet Explorer> from writing to memory of <Internet Explorer>.
    10/11/10 20:26:09 Prevented <Internet Explorer> from writing to memory of <Internet Explorer>.
    10/11/10 20:26:08 Prevented <Internet Explorer> from writing to memory of <Internet Explorer>.
    10/11/10 20:26:08 Prevented <Internet Explorer> from writing to memory of <Internet Explorer>.
    10/11/10 20:26:07 Prevented <Internet Explorer> from writing to memory of <Windows Explorer>.
    10/11/10 20:26:06 Prevented <Internet Explorer> from writing to memory of <Windows Explorer>.

    Here is an example of what happens when closing out an InPrivate Browsing session when Rundll32 has MemoryGuard set to No and ClearMyTracks is allowed to run:
    Code:
    10/12/2010 15:38:53    Create new process    Permitted
    Process: e:\program files\internet explorer\iexplore.exe
    Target: e:\windows\system32\rundll32.exe
    Cmd line: rundll32.exe E:\Windows\system32\inetcpl.cpl,ClearMyTracksByProcess 1024
    Rule: [App]*
    
    10/12/2010 15:38:54    Access memory of another process    Permitted
    Process: e:\program files\internet explorer\iexplore.exe
    Target: e:\windows\system32\rundll32.exe
    Rule: [App]*
    
    10/12/2010 15:38:54    Access memory of another process    Permitted
    Process: e:\program files\internet explorer\iexplore.exe
    Target: e:\windows\system32\rundll32.exe
    Rule: [App]*
    
    10/12/2010 15:38:55    Access memory of another process    Permitted
    Process: e:\program files\internet explorer\iexplore.exe
    Target: e:\windows\system32\rundll32.exe
    Rule: [App]*
    
    10/12/2010 15:38:56    Modify thread of another process    Permitted
    Process: e:\program files\internet explorer\iexplore.exe
    Target: e:\windows\system32\rundll32.exe
    Rule: [App]*
    
    10/12/2010 15:39:00    Delete file    Permitted
    Process: e:\windows\system32\rundll32.exe
    Target: E:\Users\Seven\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\S1F0ZTOU\Shared[1].js
    Rule: [File Group]All Executable Files -> [File]*; *.js
    
    10/12/2010 15:39:01    Delete file    Permitted
    Process: e:\windows\system32\rundll32.exe
    Target: E:\Users\Seven\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\S1F0ZTOU\lazierLoad.js,prototype.js,ph.js,base.js,submenu_ph_v1276045795[1].js
    Rule: [File Group]All Executable Files -> [File]*; *.js
    
    10/12/2010 15:39:02    Create new process    Permitted
    Process: e:\program files\internet explorer\iexplore.exe
    Target: e:\windows\system32\rundll32.exe
    Cmd line: rundll32.exe E:\Windows\system32\inetcpl.cpl,ClearMyTracksByProcess 1024
    Rule: [App]*
    
    10/12/2010 15:39:03    Delete file    Permitted
    Process: e:\windows\system32\rundll32.exe
    Target: E:\Users\Seven\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\S1F0ZTOU\fb_input.js,autocompleter.js,autocompleter_dyn_v1276045795[1].js
    Rule: [File Group]All Executable Files -> [File]*; *.js
    
    10/12/2010 15:39:04    Access memory of another process    Permitted
    Process: e:\program files\internet explorer\iexplore.exe
    Target: e:\windows\system32\rundll32.exe
    Rule: [App]*
    
    10/12/2010 15:39:04    Delete file    Permitted
    Process: e:\windows\system32\rundll32.exe
    Target: E:\Users\Seven\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\0SHSP8IM\index[1].js
    Rule: [File Group]All Executable Files -> [File]*; *.js
    
    10/12/2010 15:39:08    Access memory of another process    Permitted
    Process: e:\program files\internet explorer\iexplore.exe
    Target: e:\windows\system32\rundll32.exe
    Rule: [App]*
    
    10/12/2010 15:39:08    Delete file    Permitted
    Process: e:\windows\system32\rundll32.exe
    Target: E:\Users\Seven\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\H2NCKHPZ\jquery_2[1].js
    Rule: [File Group]All Executable Files -> [File]*; *.js
    
    10/12/2010 15:39:09    Access memory of another process    Permitted
    Process: e:\program files\internet explorer\iexplore.exe
    Target: e:\windows\system32\rundll32.exe
    Rule: [App]*
    
    10/12/2010 15:39:09    Delete file    Permitted
    Process: e:\windows\system32\rundll32.exe
    Target: E:\Users\Seven\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\S1F0ZTOU\scroll_hr[1].js
    Rule: [File Group]All Executable Files -> [File]*; *.js
    
    10/12/2010 15:39:10    Modify thread of another process    Permitted
    Process: e:\program files\internet explorer\iexplore.exe
    Target: e:\windows\system32\rundll32.exe
    Rule: [App]*
    
    10/12/2010 15:39:11    Delete file    Permitted
    Process: e:\windows\system32\rundll32.exe
    Target: E:\Users\Seven\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\0SHSP8IM\prototype.js,ph.js,base.js,thumb_resizer_v1239092002.js,submenu_ph_v1217449216[1].js
    Rule: [File Group]All Executable Files -> [File]*; *.js
    
    10/12/2010 15:39:12    Delete file    Permitted
    Process: e:\windows\system32\rundll32.exe
    Target: E:\Users\Seven\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\0SHSP8IM\BingDefs[1].js
    Rule: [File Group]All Executable Files -> [File]*; *.js
    
    10/12/2010 15:39:13    Delete file    Permitted
    Process: e:\windows\system32\rundll32.exe
    Target: E:\Users\Seven\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\H2NCKHPZ\search_tags[1].js
    Rule: [File Group]All Executable Files -> [File]*; *.js
    
    10/12/2010 15:39:14    Delete file    Permitted
    Process: e:\windows\system32\rundll32.exe
    Target: E:\Users\Seven\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\0SHSP8IM\AC_RunActiveContent[1].js
    Rule: [File Group]All Executable Files -> [File]*; *.js
    
    10/12/2010 15:39:15    Delete file    Permitted
    Process: e:\windows\system32\rundll32.exe
    Target: E:\Users\Seven\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\0SHSP8IM\swfobject[1].js
    Rule: [File Group]All Executable Files -> [File]*; *.js
    
    10/12/2010 15:39:16    Delete file    Permitted
    Process: e:\windows\system32\rundll32.exe
    Target: E:\Users\Seven\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\S1F0ZTOU\fade_script[1].js
    Rule: [File Group]All Executable Files -> [File]*; *.js
    
    10/12/2010 15:39:17    Delete file    Permitted
    Process: e:\windows\system32\rundll32.exe
    Target: E:\Users\Seven\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\S1F0ZTOU\submenu_items[2].js
    Rule: [File Group]All Executable Files -> [File]*; *.js
    
    10/12/2010 15:39:19    Delete file    Permitted
    Process: e:\windows\system32\rundll32.exe
    Target: E:\Users\Seven\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\0SHSP8IM\index[2].js
    Rule: [File Group]All Executable Files -> [File]*; *.js
    
    10/12/2010 15:39:20    Delete file    Permitted
    Process: e:\windows\system32\rundll32.exe
    Target: E:\Users\Seven\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\GVYUQ3OE\iframes[1].js
    Rule: [File Group]All Executable Files -> [File]*; *.js
    
    10/12/2010 15:39:21    Delete file    Permitted
    Process: e:\windows\system32\rundll32.exe
    Target: E:\Users\Seven\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\GVYUQ3OE\prototype.js,ph.js,base.js,submenu_ph_v1217449216[1].js
    Rule: [File Group]All Executable Files -> [File]*; *.js
    
    10/12/2010 15:39:22    Delete file    Permitted
    Process: e:\windows\system32\rundll32.exe
    Target: E:\Users\Seven\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\S1F0ZTOU\AC_RunActiveContent[1].js
    Rule: [File Group]All Executable Files -> [File]*; *.js
    
    10/12/2010 15:39:23    Delete file    Permitted
    Process: e:\windows\system32\rundll32.exe
    Target: E:\Users\Seven\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\0SHSP8IM\PostContent[1].js
    Rule: [File Group]All Executable Files -> [File]*; *.js
    
    10/12/2010 15:39:24    Delete file    Permitted
    Process: e:\windows\system32\rundll32.exe
    Target: E:\Users\Seven\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\0SHSP8IM\rm_swfobject-1284507810[1].js
    Rule: [File Group]All Executable Files -> [File]*; *.js
    
    10/12/2010 15:39:25    Delete file    Permitted
    Process: e:\windows\system32\rundll32.exe
    Target: E:\Users\Seven\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\H2NCKHPZ\hpvR3[1].js
    Rule: [File Group]All Executable Files -> [File]*; *.js
    
    10/12/2010 15:39:26    Delete file    Permitted
    Process: e:\windows\system32\rundll32.exe
    Target: E:\Users\Seven\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\S1F0ZTOU\index[2].js
    Rule: [File Group]All Executable Files -> [File]*; *.js
    
    10/12/2010 15:39:27    Delete file    Permitted
    Process: e:\windows\system32\rundll32.exe
    Target: E:\Users\Seven\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\0SHSP8IM\index[4].js
    Rule: [File Group]All Executable Files -> [File]*; *.js
    
    10/12/2010 15:39:30    Delete file    Permitted
    Process: e:\windows\system32\rundll32.exe
    Target: E:\Users\Seven\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\H2NCKHPZ\javascript[1].js
    Rule: [File Group]All Executable Files -> [File]*; *.js
    
    10/12/2010 15:39:31    Delete file    Permitted
    Process: e:\windows\system32\rundll32.exe
    Target: E:\Users\Seven\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\S1F0ZTOU\index[1].js
    Rule: [File Group]All Executable Files -> [File]*; *.js
    
    10/12/2010 15:39:33    Delete file    Permitted
    Process: e:\windows\system32\rundll32.exe
    Target: E:\Users\Seven\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\0SHSP8IM\index[3].js
    Rule: [File Group]All Executable Files -> [File]*; *.js
    
     
    Last edited: Oct 12, 2010
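Eirik asked earlier in the thread for MemoryGuard "blocks" to be correlated with actual impairment, and the post above supplies the raw material: the short status-tab lines ("Prevented <X> from writing to memory of <Y>.") and the detailed activity-report records (header line, then Process / Target / Cmd line / Rule lines). The script below is an added example, not AppGuard's code or anything posted in the thread. It parses both formats and applies one concrete impairment test drawn from Greg's report: after iexplore.exe spawns rundll32.exe with ClearMyTracksByProcess, the launcher's cross-process memory and thread events against that helper are counted, together with the files the helper deletes before the next launch; prevented memory access followed by zero deletions is flagged as impairment, while blocked "chatter" that still ends in deletions is not. The permitted sample is abridged from the log above; the blocked sample, and the way a Prevented record is assumed to look in the detailed format, are constructed, since the thread shows no such record. The tab-separated single-line format quoted once above is not handled.

```python
"""Added example (not AppGuard's code): parse the two AppGuard log formats quoted in this
thread and flag the impairment described, a ClearMyTracksByProcess helper that deletes
nothing after MemoryGuard blocks IE's access to it. All sample records are constructed."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Activity-report header, e.g. "10/12/2010 15:38:53    Create new process    Permitted"
HEADER_RE = re.compile(r"^(?P<ts>\d{1,2}/\d{1,2}/\d{2,4} \d{1,2}:\d{2}:\d{2})\s{2,}"
                       r"(?P<action>.+?)\s{2,}(?P<outcome>Permitted|Prevented)\s*$")
# Status-tab line, e.g. "10/11/10 20:26:07 Prevented <Internet Explorer> from writing to memory of <Windows Explorer>."
STATUS_RE = re.compile(r"^(?P<ts>\d{1,2}/\d{1,2}/\d{2,4} \d{1,2}:\d{2}:\d{2}) Prevented "
                       r"<(?P<process>[^>]+)> from writing to memory of <(?P<target>[^>]+)>\.$")
DETAIL_RE = re.compile(r"^(?P<key>Process|Target|Cmd line|Rule):\s*(?P<value>.*)$")
DETAIL_ATTR = {"Process": "process", "Target": "target", "Cmd line": "cmdline", "Rule": "rule"}
CLEAR_TRACKS = "clearmytracksbyprocess"
MEMORY_ACTIONS = {"access memory of another process", "modify thread of another process",
                  "write memory of another process"}

@dataclass
class Event:
    ts: datetime
    action: str        # lower-cased action text
    outcome: str       # "permitted" or "prevented"
    process: str = ""  # acting process path or display name, lower-cased
    target: str = ""   # process, file or key acted upon, lower-cased
    cmdline: str = ""
    rule: str = ""

def parse_ts(text):
    """The status tab uses a two-digit year, the activity report a four-digit one."""
    for fmt in ("%m/%d/%Y %H:%M:%S", "%m/%d/%y %H:%M:%S"):
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            continue
    raise ValueError("unrecognised timestamp: %r" % text)

def parse_log(text):
    """Return one Event per record in either format; lines in neither format are skipped."""
    events, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := STATUS_RE.match(line):
            events.append(Event(parse_ts(m["ts"]), "write memory of another process",
                                "prevented", m["process"].lower(), m["target"].lower()))
            current = None
        elif m := HEADER_RE.match(line):
            current = Event(parse_ts(m["ts"]), m["action"].lower(), m["outcome"].lower())
            events.append(current)
        elif (m := DETAIL_RE.match(line)) and current is not None:
            setattr(current, DETAIL_ATTR[m["key"]], m["value"].strip().lower())
    return events

def assess_clear_my_tracks(events, window=timedelta(seconds=30)):
    """For each ClearMyTracksByProcess launch, count the launcher's cross-process memory
    events against the spawned helper and the files the helper deleted before the next
    launch (or `window`). Prevented memory access followed by no deletions is impairment;
    blocked chatter that still ends in deletions is not."""
    events = sorted(events, key=lambda e: e.ts)
    launches = [e for e in events if e.action == "create new process" and CLEAR_TRACKS in e.cmdline]
    report = []
    for i, launch in enumerate(launches):
        end = launch.ts + window
        if i + 1 < len(launches):
            end = min(end, launches[i + 1].ts)
        span = [e for e in events if launch.ts <= e.ts < end]
        mem = [e for e in span if e.action in MEMORY_ACTIONS
               and e.process == launch.process and e.target == launch.target]
        deletes = [e for e in span if e.action == "delete file" and e.process == launch.target]
        prevented = sum(e.outcome == "prevented" for e in mem)
        report.append({"launch": launch.ts.isoformat(sep=" "), "memory_events": len(mem),
                       "memory_prevented": prevented, "files_deleted": len(deletes),
                       "impaired": prevented > 0 and not deletes})
    return report

# Constructed sample, abridged from the permitted run posted in the thread.
PERMITTED_RUN = r"""10/12/2010 15:38:53    Create new process    Permitted
Process: e:\program files\internet explorer\iexplore.exe
Target: e:\windows\system32\rundll32.exe
Cmd line: rundll32.exe E:\Windows\system32\inetcpl.cpl,ClearMyTracksByProcess 1024
Rule: [App]*
10/12/2010 15:38:54    Access memory of another process    Permitted
Process: e:\program files\internet explorer\iexplore.exe
Target: e:\windows\system32\rundll32.exe
Rule: [App]*
10/12/2010 15:39:00    Delete file    Permitted
Process: e:\windows\system32\rundll32.exe
Target: E:\Users\Seven\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\S1F0ZTOU\Shared[1].js
Rule: [File Group]All Executable Files -> [File]*; *.js
"""
# Constructed sample of how a blocked run is ASSUMED to look; the thread shows no such record.
BLOCKED_RUN = r"""10/12/2010 16:02:10    Create new process    Permitted
Process: e:\program files\internet explorer\iexplore.exe
Target: e:\windows\system32\rundll32.exe
Cmd line: rundll32.exe E:\Windows\system32\inetcpl.cpl,ClearMyTracksByProcess 1024
Rule: [App]*
10/12/2010 16:02:11    Access memory of another process    Prevented
Process: e:\program files\internet explorer\iexplore.exe
Target: e:\windows\system32\rundll32.exe
Rule: [App]*
"""
```

Feed it the text of an exported activity report (or pasted status-tab lines) with `assess_clear_my_tracks(parse_log(text))`; the permitted sample reports `impaired: False` with one deletion, the blocked sample `impaired: True` with none. The 30-second window and the "no deletions" criterion are assumptions chosen to fit the logs above; a run that deletes even one file is treated as working.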
  13. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    Thanks for specifics. I've passed this on to engineering.
     
  14. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    I rarely use IE as well.

    Thanks for the specific impairment examples. We'll have a closer look and try to re-create and all.

    Cheers,

    Eirik
     
  15. 1000db

    1000db Registered Member

    Joined:
    Jan 9, 2009
    Posts:
    718
    Location:
    Missouri
    It seems that AG is blocking a google installer:

    10/13/10 11:21:06 Prevented <Google Installer> from writing to memory of <Google Installer>.

    Even with protections disabled.
     

  16. 1000db

    1000db Registered Member

    Joined:
    Jan 9, 2009
    Posts:
    718
    Location:
    Missouri
    AG also blocks Adobe AIR and Reader from updating. We all know Adobe products need regular updating too. :D
     
  17. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
    Eirik, I've found the problem with MemoryGuard enabled for Rundll32, at least for me and my setup. It's taken me quite a long time to figure this one out, lol. It appears that it's not compatible with having InPrivate Filtering (not InPrivate Browsing) enabled permanently via the registry. From my testing, it looks like if AppGuard is first installed without the registry entries for permanently enabling InPrivate Filtering, it will work. If the registry entries are in place with an imported ad block list and AppGuard is installed after that, then MemoryGuard enabled for Rundll32 seems to break for some reason and causes IE8 to not fully load. Another fix for it, if InPrivate Filtering is permanently enabled and AppGuard is installed after that: export the HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Safety\PrivacIE reg key, delete it from the registry, enable MemoryGuard for Rundll32 and launch IE one time. Close it, import the previously exported reg key, and MemoryGuard for Rundll32 will now allow IE8 to fully open.


    The other issue, Rundll32 not allowing ClearMyTracks to run after an InPrivate Browsing (not InPrivate Filtering) session is closed, is still present and is one that really needs to be fixed.
     
  18. adik1337

    adik1337 Registered Member

    Joined:
    Mar 21, 2010
    Posts:
    199
    How come one of my Firefox add-ons was able to update without AppGuard nagging about it? o_O
     
  19. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
    It could be that the option "allow guarded launches" is checked. I've noticed that with that checked, a lot of things will now run, such as Windows updates etc., as opposed to the way it used to be, which would be checking/dotting "deny all launches". I prefer "deny all launches" and disabling protection during an update.
     
  20. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    Of course, it's more secure this way ;)
     
  21. adik1337

    adik1337 Registered Member

    Joined:
    Mar 21, 2010
    Posts:
    199
    I know appguard is in Beta phase for x64, but don't feel very safe now ... :thumbd:
     
  22. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
  23. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
    You have to check the "deny all launches" option in advanced settings. That's as safe as one can get.
     
  24. adik1337

    adik1337 Registered Member

    Joined:
    Mar 21, 2010
    Posts:
    199
    Too late, dude... it's off my PC now. I might try it again once it's out of beta.
     
  25. reeaws

    reeaws Registered Member

    Joined:
    Feb 18, 2010
    Posts:
    4
    :) Works like a charm on my Windows XP 32-bit! I love this program.
     