AppGuard Beta is Live (64 Bit, MemoryGuard)

Discussion in 'other anti-malware software' started by Eirik, Jul 7, 2010.

Thread Status:
Not open for further replies.
  1. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
    With this version, no combinations of Memory Protection will allow my IE8 to launch. The only way it will launch is to uncheck IE8 in the Guarded list. My protection for IE8 is dwindling with each new version of AppGuard. The message center is telling me that it is blocking the reading of memory from one process to another. I don't see how it determines that when the Memory Read column has No selected for all Apps.


    Spoke too soon. I pulled the slider down to medium and IE8 will now launch. Is there any way to make more use of your Events pane inside of the AppGuard GUI? Right click, yes or no for whatever it is reporting.


    Ok, getting better, lol. I moved the slider back to high, checked IE8, yes in the Memory column for IE8, no in Memory Read column but added IE8 to the app exception list with type read, gave two winks and one nod. IE8 will now launch.
     
    Last edited: Dec 16, 2010
  2. 1000db

    1000db Registered Member

    Joined:
    Jan 9, 2009
    Posts:
    718
    Location:
    Missouri
    I get the following error on install and then it rolls back.
     


  3. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,696
    Location:
    USA
    Today I replaced one of the security products I had on one of my machines with AppGuard beta. I'm not going to say which product I replaced, but I can tell you that my machine appears to be running twice as fast as it was before. I have not run into any problems yet. If I find any bugs I will make sure to report them with all information needed. I'm using AG beta on a P4 3.4 GHz with 4 GB DDR RAM. OS is XP Pro 32 bit.
     
    Last edited: Dec 17, 2010
  4. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,696
    Location:
    USA
    Are any of the beta testers here using Prevx Safeonline with AG? I know there was a recent question posted about the possibility of foreseeing conflicts with AG not allowing Prevx Safeonline sufficient privilege to function correctly by blocking code injection into the browser. Has anyone here actually experienced this? I'm using Prevx 3.0 with Safeonline. AG's event log says that Prevx has been blocked from reading and writing to the memory of Firefox. I'm having no error messages or system stability issues, but could this potentially hinder Prevx Safeonline from doing its job?
     

    Attached Files: AG2.JPG
    Last edited: Dec 17, 2010
  5. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,595
    Does MBRGuard only protect the MBR's when Windows is running?

    I am thinking about installing MBRGuard, but I am concerned about whether or not I would be able to Restore a System Partition Image from a boot CD. If something happened to Windows such that Windows would not load, I will not be able to uninstall MBRGuard.

    Also, does MBRGuard Protect all MBR's?

    Thanks in Advance.
     
  6. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    I forwarded this, and the other posts, to engineering. We may need an msinfo file from you to figure out what's happening.

    Eirik
     
  7. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    Some security tools do what they do via code injections into the applications they secure. It could be that Prevx Safeonline is not fully operational. I have no recommendation on how to confirm that it is properly functioning. However, one can add the process(es) for Prevx Safeonline to the MemoryGuard whitelist. That should allow required code injections.

    Cheers,

    Eirik
     
  8. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    Yes, think of MBRGuard as a Windows driver. If Windows is running, so too is MBRGuard. If not, neither is MBRGuard. There is a gray area, however, with regard to the uncertainty of what order various drivers/services load, which can vary among computers, depending on a variety of factors. So, if MBRGuard were 8th in line, then ...

    This latter point actually illustrates the importance of prevention. If the MBR were maliciously altered, then something malicious could act prior to the drivers/services of 'detection' tools.

    Eirik
     
  9. 1000db

    1000db Registered Member

    Joined:
    Jan 9, 2009
    Posts:
    718
    Location:
    Missouri
    Email with requested info sent.
     
  10. buckslayr

    buckslayr Registered Member

    Joined:
    Jun 1, 2009
    Posts:
    484
    Location:
    Michigan, USA
    Installed with no issues. Quick question though. I'm also running GeSWall 2.9.1. Is that redundant with Appguard? Or is it ok to run together?
     
  11. 1000db

    1000db Registered Member

    Joined:
    Jan 9, 2009
    Posts:
    718
    Location:
    Missouri
    I think there's quite a bit of overlap between the 2. GW does more virtualization. I currently use AG but still have a GW license. They are both great but personally I wouldn't use them together.
     
  12. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,696
    Location:
    USA
    I had major problems when using AG with Shadow User. AG would randomly become disabled after rebooting in shadow mode. All shields would be disabled, and not allow the user to enable them. The only thing that would remedy the issue was to reboot again. The customize box on the GUI would be unavailable (blank). Right clicking on the tray icon would only yield part of AG's options as shown in the screenshot below. Folders located in the users space settings would disappear. AG becomes completely disabled at random when using with Shadow User. I'm not sure if it's an AG or Shadow User issue. It seems to happen when saving changes to a Shadow or exiting out of Shadow mode. AG also became completely disabled after placing AG in installation mode, and installing a program that requires a system reboot. I chose to reboot later instead of reboot now after the installation was complete so I could save changes across the Shadow for testing purposes. After rebooting only seconds after the installation was complete, AG was disabled again and did not allow me to enable protection without having to reboot again. Maybe it's just my machine, but AG is only working about 70% of the time on my end. Also if you modify the suspension time, and then click cancel, it keeps the changed value. Shouldn't it lose the value if you don't choose to click ok or save?
     

    Attached Files: ag1.JPG, ag2.JPG, ag3.JPG, ag4.JPG, ag5.JPG
    Last edited: Dec 17, 2010
  13. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
    OK, according to the help file, I'm not supposed to do the above. It appears that adding a Guarded App to the Memory exception list is a no-no, which makes sense considering it's crashing IE8 about every six hours. It also appears that with the slider set to High, one has no control over the Memory Protections and they are enforced regardless of what the Guarded Apps column choices are. As of right now, I'm having to set the slider to Medium with MemGuard and MemRead set to no for IE8. That's the only way it will launch and work. The help file also states that if an unguarded app is problematic with memory protection, one can add the unguarded app to the MemoryGuard Application Exception List. I've found that it makes no difference. The added unguarded app to the exception list still generates a prevention/blocking event.
     
  14. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    Hi Greg,

    Until we can take a closer look at your IE situation, the most expedient course of action is to disable MemoryGuard for IE only:
    - Click on the "Customize" button
    - Go to the "Guarded Apps" tab
    - Locate the "Internet Explorer" row, change the "Memory" column to "No"
    - Click the "Apply" button

    If you'll send your msinfo and event logs to us, an engineer can look them over on Monday.

    Cheers,

    Eirik
     
  15. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    I'm not an engineer. Though I'm confident there's a driver/service conflict afoot. From your screenshots, I'm inferring that your OS is WinXP. This tells me the probability for such a conflict is much higher than with Win7/Vista.

    If you'd like us to take a closer look, you can send us an msinfo file as well as your Windows log events. An engineer can look at them on Monday. Please send me a private message or email if you'd like assistance with gathering this info.

    Cheers,

    Eirik
     
  16. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    I concur. The more similar two utilities are the more likely they conflict.

    The fact that they are co-existing makes me wonder if you're using Win7 and NOT WinXP. Am I correct? (just curious)

    Cheers,

    Eirik
     
  17. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
    That option doesn't work when the slider is set to High, or am I missing something?
     
  18. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    I did this on my Win7 machine immediately prior to my post so I could be precise. I've just looked back and noticed that the status window states that "MemoryGuard" is in force for "All". However, when going to the "Guarded Apps" tab, it still says that "Memory" for IE is set to "No". I'll ask engineering to make certain that the status should instead state "As Configured" whenever someone has manually disabled MemoryGuard for an individual App.

    Does this align with your situation, or is it completely different?

    Cheers,

    Eirik
     
  19. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
    Yes it does and it's kinda confusing. If when the slider is set to High and MemGuard/Read are being forced without user intervention, then the columns of Yes/No within the Guarded Apps tab should reflect that. In this case, they should say Yes. As mentioned earlier, when my slider is set to High, Mem options set to No, Memory Protections are still invoked and protecting. Unless I misunderstood the Help file, that's what it states as well.
     
  20. stackz

    stackz Registered Member

    Joined:
    Dec 27, 2007
    Posts:
    648
    Location:
    Sydney Australia
    I can confirm this on my Windows 7 x64. The only way I can make IE work is to remove it as a guarded app.
     
  21. buckslayr

    buckslayr Registered Member

    Joined:
    Jun 1, 2009
    Posts:
    484
    Location:
    Michigan, USA
    WinXP SP3. No conflicts yet. Will be uninstalling one or the other. Haven't decided yet.
     
  22. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    Let me confirm/clarify...

    - set protection level to "High"
    - set the "Memory" column for IE to "No"
    - clicked the "Apply" button (finishing the above)
    - the "Read" column for IE remains at "No"
    - IE still cannot operate

    Also, how many exceptions in total have you defined, just the one above, or more than one?

    Would you mind emailing us an msinfo file? I'd like engineering to replicate your observations, which might require matching your environment.

    Thanks,

    Eirik

    Instructions for Gathering Troubleshooting Data

    System Information File
    - Start Menu, select "Run"
    - Type msinfo32.exe, click "OK"
    - In System Info application, select from "File" menu "Save"
    - Name, save (no type change), and email the file


    To generate an AppGuard Windows Event Log file:
    - Control Panel
    - Administrative Tools (may need to be logged in as admin?)
    - Click on 'Event Viewer'
    - Click on to highlight “Application” in left-hand pane, then
    - Event Viewer menu “Action”, select “Save Log File As”
    - Name it, change type to .csv
    - Save and email it

    Identifying AppGuard Version Number
    - Right-click on AppGuard tray icon
    - Select ‘About’

    The agent’s policy file is in the following location:

    Documents and Settings\All Users\Application Data\Blue Ridge Networks\AppGuard\AppGuardPolicy.xml
     
  23. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a

    You are correct. Setting protection level to High disregards the No setting in the Mem columns. The help file says this is normal for a High setting. I guess that's why you get the two indicators for each Mem setting as n/a. If the slider is set to Medium, the indicators show As Configured.
     
  24. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    It's working good here, yay :D
     
  25. ace55

    ace55 Registered Member

    Joined:
    Mar 29, 2010
    Posts:
    91
    Upgraded previous AppGuard beta to this beta. Customize button is greyed out and I cannot change anything in the user interface - it seems to be stuck on medium protection. I tried running the GUI as administrator and switching to an administrative user with no luck.

    Unlike what is shown in the bundled help file, when I right click on the AppGuard system tray the only choices I see are AppGuard, help, about and exit (GUI).
     