AppGuard Beta is Live (64 Bit, MemoryGuard)

Discussion in 'other anti-malware software' started by Eirik, Jul 7, 2010.

Thread Status:
Not open for further replies.
  1. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
This one I'm sure of due to personal experience. Most of my MS downloaded new app installs with the exception of one are placed on a USB drive and installed from there. I don't know if that's the reason MS uses it for temp install placement during an update or not but I don't think so. Here's why, Microsoft Malicious Software Removal Tool is part of the monthly cycle of updates and it will not work unless AG is disabled. MRT is the most notable one that comes to mind but there have been system type updates that would fail also due to the fact that for whatever reason, the installer/updates were placed on the USB drive and could not run with AG's Deny All or Slider High. Here's a few day to day apps that come to mind that will not update (Program App update) because of what I mention: .Net any flavor, Silverlight and MSE. Bottom line, if the updating installer is dropped on the USB drive in a folder that is named with a unique identifier and AG is set to High/Deny All, it will not update.
     
  2. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    thanks Eirik
     
  3. stackz

    stackz Registered Member

    Joined:
    Dec 27, 2007
    Posts:
    648
    Location:
    Sydney Australia
    I think it needs to be configurable, otherwise High Protection Level becomes a useless setting for the 'average' user. Generally, people want the most secure setting (High), but if that comes at the cost of not being able to run certain applications, then surely they will look elsewhere for a security solution.
     
  4. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
Agree with stackz as long as AppGuard doesn't get that weak :) or just make a little whitelist application list such as Windows updates :) so it gets excluded from being blocked :)
     
  5. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    I can confirm this from my own experience. In my case, the installer/updates were placed on a data (i.e. non system) partition on the hard disk, not a USB drive. The net upshot is the same either way though, as additional partitions, USB drives, etc, are all treated as extended user space.
     
  6. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    It's only a small point but I've noticed that when disabling protection, the system tray icon no longer changes automatically to provide visual confirmation that protection has been suspended. Manually clicking the tray icon after suspending protection does cause it to change though. Although only a minor irritation, it would be good to see this fixed before the final release.
     
  7. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,696
    Location:
    USA
Should Privacy Mode and Memory Guard say N/A when protection is set to High? It just makes more sense to me that it should say On if protection is set as High o_O
     
  8. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
    As it is right now, n/a just means that it's not applicable because it can't be adjusted when the slider is set to High which makes sense.
     
  9. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
    I noticed similar quirks this time around with the tray icon. Some times when it's supposed to blink it didn't and vice versa.
     
  10. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,696
    Location:
    USA
When I see N/A on anything I read that as meaning Not Available. In this case I believe this could mislead people into believing that particular guard is disabled. They will know soon enough though if that will be an issue when it goes public if they keep it as is. I guess that's just me.
     
  11. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
    I'm in agreement with you. My explanation was coming from what I thought their explanation would be.
     
  12. buckslayr

    buckslayr Registered Member

    Joined:
    Jun 1, 2009
    Posts:
    484
    Location:
    Michigan, USA
    Anyone have any issues saving word documents to my folders with protection setting on high?
     
  13. stackz

    stackz Registered Member

    Joined:
    Dec 27, 2007
    Posts:
    648
    Location:
    Sydney Australia
Privacy mode is enforced and currently not configurable or suspendable on High. So if the folder you are saving to is listed in Guarded Apps -> Private Folders or is a subfolder of these folders, then writes will be blocked for all Guarded Apps.
     
  14. buckslayr

    buckslayr Registered Member

    Joined:
    Jun 1, 2009
    Posts:
    484
    Location:
    Michigan, USA
    Think I figured it out. Had to go into private setting and delete "my documents". Worked after that.
     
  15. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    Hi Eirik,

    I've noticed that only the last exception added to the MemoryGuard Application Exception List has any effect. All other entries in the exception list created prior to the last entry are being ignored and blocking event messages are continuing to be displayed. This appears to be related to the bug where only the last exception created is being saved after the GUI is reloaded.

    BTW I've noticed from the blocking event messages that Memory Guard appears to work in both directions: i.e. a guarded application is both prevented from writing to the memory space of other processes and other processes are prevented from writing to the memory space of the guarded application. I assume therefore that the purpose of the Application Exception List is to allow code injection to take place in both directions between the memory spaces of guarded applications and processes in the Application Exception List for which write access has been granted.

    Is this a correct understanding of how MemoryGuard is supposed to work?

    Regards
     
  16. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
The reasoning behind the "N/A" is that "High" mode suppresses user-space launches, making further restrictions moot (i.e. MemoryGuard, Privacy Mode). Any user-space App that can launch is effectively treated as a system-space App in the Status view. Thus, the further restrictions do apply.

    I can see the point of confusion though.

    Cheers

    Eirik
     
  17. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    Quick clarifier...

    MemoryGuard whitelisting is intended to allow designated Apps to inject code. The reverse is not intended, however. A guarded App should not inject code into a whitelisted App (MemoryGuard).

    Cheers

    Eirik
     
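A small model of the MemoryGuard direction rules Eirik describes above (pegr's two-way observation, Eirik's clarification that whitelisting only permits inbound writes), added here as an illustration and not AppGuard's own code; the image names, pids and the "injector.exe" whitelist entry are constructed, and treating same-pid access as permitted is an assumption:

```python
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Proc:
    """A running process: identity is the pid, policy is keyed on the image name."""
    pid: int
    image: str


@dataclass
class MemoryGuardPolicy:
    guarded: set[str] = field(default_factory=set)     # Guarded Apps
    exceptions: set[str] = field(default_factory=set)  # MemoryGuard exception list

    def allows_write(self, source: Proc, target: Proc) -> bool:
        """True if `source` may write into `target`'s address space."""
        if source.pid == target.pid:
            return True                    # own memory (assumed: not cross-process)
        if source.image in self.guarded:
            # A guarded app never writes outward, not even into another instance
            # of itself, which matches the IE -> IE events reported in the thread.
            return False
        if target.image in self.guarded:
            # Inbound writes into a guarded app only from the exception list.
            return source.image in self.exceptions
        return True                        # neither side guarded: out of scope

    def blocked(self, attempts: list[tuple[Proc, Proc]]) -> list[str]:
        """Render the attempts the policy would report as blocking events."""
        return [f"{s.image}({s.pid}) -> {t.image}({t.pid})"
                for s, t in attempts if not self.allows_write(s, t)]


# Constructed sample: iexplore.exe guarded, hypothetical injector.exe whitelisted.
POLICY = MemoryGuardPolicy(guarded={"iexplore.exe"}, exceptions={"injector.exe"})
IE1, IE2 = Proc(1204, "iexplore.exe"), Proc(1388, "iexplore.exe")
SHELL, INJ = Proc(804, "explorer.exe"), Proc(2210, "injector.exe")
SAMPLE = [(INJ, IE1), (IE1, INJ), (IE1, IE2), (IE1, SHELL), (SHELL, IE1), (IE1, IE1)]

if __name__ == "__main__":
    for line in POLICY.blocked(SAMPLE):
        print("blocked:", line)
```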
  18. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
In my case all that is irrelevant being that it is IE trying to read memory of IE or IE trying to read the memory of Explorer. IE cannot be added to the whitelist according to the help file. In short, I'm stuck with no memory protection for IE, period.
     
  19. stackz

    stackz Registered Member

    Joined:
    Dec 27, 2007
    Posts:
    648
    Location:
    Sydney Australia
I totally agree, the only way round this is to unguard IE or drop the protection level to Medium and disable Memory Guard for IE. To me, neither of these options is acceptable.
     
  20. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    I'm looking forward to taking a closer look at the causes of these IE issues that inhibit IE with MemoryGuard after folk return from the holidays.

    Eirik
     
  21. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
    Enjoy your Holidays!

My issues with IE's MemoryGuard bug me for one reason only, I haven't been able to track down what's causing the problem and that gets next to me. My suspicions were 4t Tray, GDI++, Prio, UnsignedThemesSvc or CTM. It could possibly be a browser addon but to the best of my knowledge, I at one time uninstalled all of them as well.
     
  22. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
    I just had another issue with AG choking down the system. I've made an exception for the log folder since that's the only way to cure it. The alert options for anything I apply don't really seem to be doing anything with this version. It's not honoring the options set for alerts for some reason.
Event Viewer had just been cleared prior to this. Take a look at how many events took place in the event viewer: 3,039.
     
  23. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    With browser protection utilities such as Prevx SafeOnline and Trusteer Rapport the reason for code injection into the browser process is almost certainly to allow the injected components to communicate out to the protection utility's components running on the system.

    Is it possible that the communication out may be perceived by MemoryGuard as the browser trying to inject code into a whitelisted application? If it is possible, then MemoryGuard must allow two-way code injections between guarded applications and whitelisted applications.
     
  24. wj32

    wj32 Developer

    Joined:
    Apr 23, 2009
    Posts:
    48
    Can someone please explain to me what MemoryGuard actually is, and how it's different to other solutions? It just seems to me that they're hooking the usual system calls like NtRead/WriteVirtualMemory, etc. (or setting up some object manager callbacks). Every decent HIPS does that.

    And please don't give me some vague statements - I want some low-level, detailed explanation.

    PS: Now if everyone actually has UAC on and doesn't run random programs as admin, we wouldn't have any problems, would we? :D
     
  25. pandlouk

    pandlouk Registered Member

    Joined:
    Jul 15, 2007
    Posts:
    2,976
    Check the following thread https://www.wilderssecurity.com/showthread.php?t=222424

    Panagiotis
     