AppGuard Beta is Live (64 Bit, MemoryGuard)

Discussion in 'other anti-malware software' started by Eirik, Jul 7, 2010.

Thread Status:
Not open for further replies.
  1. Greg S

    Greg S Registered Member

    OK, thanks Eirik for the info. Still looking forward to the release. As of now, I haven't allowed/added the propertypage etl and probably will not. Reason being, I'm not understanding MS's need to read that log file before VSS can attempt to initialize a supposed scheduled backup. I say supposed backup simply because there is no backup scheduled. This is why I stated earlier that I'm glad most of this MickeySoft stuff is stuffed by AppGuard. Lol, Typical Microsoft, scheduled backup is disabled, all scheduled tasks related to backup are disabled but MS has to start a service to read a log file to give its official blessing on the fact that the tasks are disabled.
     
  2. moontan

    moontan Registered Member

    ok,

    so I got rid of the Chrome Portable and use the regular install.

    I seem to be having the same kind of problems as this poster with the regular Chrome install:
    https://www.wilderssecurity.com/showpost.php?p=1709276&postcount=21

    I'm afraid I'm gonna have to watch from the sideline because this stuff is more involved and technical than I thought.
     
  3. Greg S

    Greg S Registered Member

    moon, you can disable the Memory Guard protection from just the Chrome app. It's located on the far right in the Guarded Applications tab, the down arrow and select No. I know that's not the ideal thing to do but I have had to do it with IE myself. If I don't, IE will not open. Memory Guard protection is one of the features that is being heavily tested during the Beta releases and should have the kinks worked out by the time of release, I hope.
     
  4. moontan

    moontan Registered Member

    tnx Greg, will do! :)
     
  5. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Eirik, what extensions were added as protected in the upcoming release? It seems like I remember .dll and .bat as being added. Am I remembering correctly? Were there any more? I ask because we are discussing AppGuard on this thread. https://www.wilderssecurity.com/showthread.php?t=287923
     
  6. buckslayr

    buckslayr Registered Member

    Eirik, any word on a release date yet?
     
    Last edited: Dec 11, 2010
  7. Eirik

    Eirik Registered Member

    Yes. However, we recently identified another show-stopper. Our policy dictates that we cannot release software FOR SALE with a defect of this nature.

    The defect has been present in all of the betas and in what we were about to release this month. It does not affect WinXP, only WinVista/7, both 32/64 bit. There are certain conditions, with a guarded process that has local admin rights and when UAC is disabled, whereby some registry changes can be made that shouldn't be. This does not apply to 'all conditions'. For example, with RegEdit guarded, it cannot make Registry changes that AppGuard policy forbids. So, we cannot release AppGuard this month as a paid-for product.

    So, recognizing that we've disappointed folks...again, we've decided to release the December AppGuard as another beta so you all can see first-hand the significant changes we've made per YOUR feedback.

    AND, there will be a new feature. We don't have a name for it yet. Perhaps you might have some ideas.

    The new feature protects the memory of designated processes from malware that is designed to read its memory to steal credentials, session data, or any other sensitive data that resides in an application's process memory. We're not claiming this would block something with a kernel-level presence, btw.

    So, those interested in beta testing, we'd like you to try it out, relay any application-specific side-effects, and maybe use a hacker tool to test it. I believe one of our engineers has used the following:

    http://ntsecurity.nu/toolbox/pmdump


    The engineer asked me if I knew of other tools. So, I'm asking you guys who probably know a lot more than I do on such tools.

    Me personally, I'm most interested in how well web browsers operate with this protection because I feel they are primary targets.

    I don't advise trying this on services. One might be tempted to do so on something like a disk encryption service--risky. I'm afraid that might represent a very different animal not even benefiting from this, and perhaps not needing it. At this stage, we're most interested in how the feature performs with user-space / user-context applications.

    We will release the beta for download Thursday afternoon (eastern) next week. Again, I'm deeply sorry that we couldn't deliver in December as promised.

    Cheers,

    Eirik
     
  8. Habakuck

    Habakuck Registered Member

    More companies like yours are needed in the security business, Eirik!
    Nice information for us, a good new beta release and a company policy which is unmatched by any other security company I know.
     
  9. buckslayr

    buckslayr Registered Member

    Happy to test the new beta. Really appreciate you not rushing out a buggy product to the marketplace.
     
  10. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Eirik, your last post makes me have much more faith in your company than most of the companies out there. I'm glad to see a company that wants to make sure they get things right before releasing their product. I would not care to wait several more months to ensure that everything that can be done has been done to ensure that a high quality product is being released! Keep up the good work!
     
    Last edited: Dec 11, 2010
  11. 1000db

    1000db Registered Member

    As eager as I am to use the new AG, I'll wait patiently until it's ready. I must say I am impressed by Blue Ridge Networks' quality control as well as your open communication with your users. It is appreciated.
     
  12. pegr

    pegr Registered Member

    Hi Eirik,

    Any idea whether this new feature is compatible with browser protection utilities such as Prevx SafeOnline and Trusteer Rapport or will there be a conflict?

    Thanks.
     
  13. Brocke

    Brocke Registered Member


    Yeah, I agree. I'm glad that "deadlines" are almost unheard of in the company.
     
  14. Kees1958

    Kees1958 Registered Member

    Eirik,

    Question: Will the final have signed drivers and executable?

    Suggestion: New feature could be called: Address Space Privacy Guard. Technically this reflects the protection best.

    You should rename the Memory Guard to Process Memory Modification Guard, this to differentiate the protection mechanism.

    Two free consults on name giving :argh: . Good thing my customers don't know who is behind Kees1958 ;)

    Regards Kees
     
    Last edited: Dec 11, 2010
  15. pandlouk

    pandlouk Registered Member

    Hi Eirik,

    Disappointed? Quite the opposite. It is refreshing to see that there still exist companies like yours that value both their products and their customers.
    The tools that I prefer are K2xMon, CurrProcess, HeapMemView and DLL Export Viewer.

    Panagiotis
     
  16. Eirik

    Eirik Registered Member

    Hi Guys,

    Thanks for the kudos and for affirming our belief that straight-talk is valued. We're far from perfect but always aspire to be better than we are.

    Cheers,

    Eirik
     
  17. Eirik

    Eirik Registered Member

    I'm afraid I don't know enough about how they do what they do. If they employ code injection methods to exert their controls, then adding their respective processes to the MemoryGuard whitelist might avoid conflicts. Ultimately, only testing would answer your question. Sadly, I'm pretty sure our test group doesn't feature those two products in their use-cases.

    Cheers,

    Eirik
     
  18. Eirik

    Eirik Registered Member

    Thanks. I like them.

    I particularly like how descriptive your words are yet succinct and clear. Our CTO and I were discussing how we might avoid the use of branding words in our data sheet features sections. The above wording would work great in that context too.

    Cheers,

    Eirik
     
  19. Eirik

    Eirik Registered Member

    Thanks on both counts. I'll pass this on to the engineer that asked.

    Cheers,

    Eirik
     
  20. pegr

    pegr Registered Member

    Hi Eirik,

    It wasn't MemoryGuard I was referring to, but rather this new feature which Kees has aptly named Address Space Privacy Guard. I already know (and previously reported) that, in the current beta, MemoryGuard conflicts with both Prevx and Rapport. We had email correspondence on this subject back in October.

    I don't know how Prevx and Rapport work either but I imagine they probably do need full access to the browser's memory space to work correctly. What always worries me about running two products in tandem that do similar things is that any interaction between them is not always obvious. Instead of an overt conflict, sometimes a more subtle interaction occurs where everything appears okay to the user but the two products interfere with each other's correct functioning.

    As you rightly say, these kinds of problems can only be ascertained by testing against use cases to see if whitelisting will be needed. I assume that it will also be possible to exclude trusted processes from Address Space Privacy Guard where necessary, as well as from MemoryGuard. Otherwise, the only alternative in the event of a conflict would be to turn off the feature completely, which would be a shame.

    Many thanks. :)

    Regards

    EDIT: The remark about not running two similar products at the same time was meant as a general statement. I realise that it could be misinterpreted that I'm trying to run SafeOnline and Rapport together. I have Prevx installed without SafeOnline as I'm currently using Rapport.
     
    Last edited: Dec 12, 2010
  21. Greg S

    Greg S Registered Member

    Reckon why every time MSE updates, I get one of these in the event viewer?

    [Attached image: Untitled.png]
     
  22. Eirik

    Eirik Registered Member

    We cannot be certain without explicit collaboration from the other vendor, in this case Microsoft. We believe that MSE is merely requesting the rights to terminate the AppGuard process, should it ever deem terminating the process to be necessary. However, AppGuard responds by denying the request.

    Cheers,

    Eirik
     
  23. Eirik

    Eirik Registered Member

    Probably not. That said, we are indeed nearing those milestones we had in mind for when we would do so. When we do, we'll do so across all of our product lines: AppGuard, AppGuard Enterprise, EdgeGuard, and Pixie. So, we may do so in the first quarter of 2011.

    Cheers,

    Eirik
     
  24. buckslayr

    buckslayr Registered Member

    Eirik, are we going to see the beta today? Really anxious to try out new features.
     
  25. Eirik

    Eirik Registered Member

    Yes, I'm awaiting completion by the webmaster. It will be posted here:

    Anti-Malware Protection from Zero-Day and Targeted Attacks-including Code Injections

    I anticipate it will be up within an hour of this post. Remember to look at the release notes also posted there. They provide a detailed explanation of what's new and what are the known issues (section 4.0).

    The primary focus of this beta is to identify applications that cannot operate properly when MemoryGuard and Memory Read Protection (this name is not 'official') are in effect. Unnecessary AppGuard block 'reports' are of interest too. But, far and away, we're looking for specific examples of applications unable to perform normally because of these protections. Some are listed in the 'known issues' section, which also factored into our postponing GA.

    Cheers,

    Eirik
     