AppGuard Beta is Live (64 Bit, MemoryGuard)

Discussion in 'other anti-malware software' started by Eirik, Jul 7, 2010.

Thread Status:
Not open for further replies.
  1. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    Stackz, when you see the events you referred to (where IE 8 is trying to write to its own memory), is IE working or is AppGuard preventing IE from doing something? We often see these events with no adverse side effects.
     
  2. Barb_C

    Barb_C Developer

    Greg S, there is a bug in the current Beta which does not recognize more than one entry in the memory exception list. Perhaps that is why it didn't work for you. As I read the bug description, only the first entry is recognized. The memory exception list is supposed to apply to all levels.

    I spoke to my engineer about adding a guarded application to the exception list. It is definitely not recommended but he claims there may be cases where it might be useful so he didn't want to prohibit it entirely. If we can fit it in, we will display a warning message when a user tries to add a guarded application to the memory exception list.
     
  3. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
    I have the same issue. When AG is set to High, IE8 will NOT open. This has been mentioned by me no less than a dozen times. The best I can manage out of AG is setting protection level to Medium and the Read Memory for IE set to Yes. If protection level is set to High or if it's set to Medium with the Memory column set to Yes, IE 8 will not open. The only messages given are IE preventing IE, IE preventing Explorer.

    Untitled.jpg
     
  4. Greg S

    Greg S Registered Member

    Thanks for the info. Is this to be fixed for the Release?
     
  5. Barb_C

    Barb_C Developer

    Sorry, I think I was confusing Stackz posts with your posts. Stackz says that MemoryGuard needs to be disabled for IE8 to work.

    You are correct that Memory Protection is enforced for all Guarded Applications regardless of the settings in the Guard List in the high protection level, but AppGuard should (remember there is a bug which is preventing AppGuard from recognizing more than one exception program) be applying the Memory Protection exception list in all protection levels. So for example, if I have my AV software listed as a Memory Protection exception, it will be able to read the memory of my Guarded Applications even in High Mode.
     
  6. Barb_C

    Barb_C Developer

    I also want to point out that you can make the change to "Off" or "Install" levels persistent by unchecking the "Re-enable" checkbox that appears with either of these levels. Also, even if the re-enable checkbox is checked, the timer will continue through a reboot since sometimes installations require access after the PC is rebooted.

    Re-enable.JPG
     
  7. Barb_C

    Barb_C Developer

    This is baffling. The differences between low and medium levels are:
    1. MemoryGuard: In Medium, the Guard List MemoryGuard settings are enforced. In Low, MemoryGuard is not enforced no matter what the setting is in the Guard List.
    2. User-Space Protection: In Medium, user-space launches are auto-Guarded and MemoryGuarded. In Low, user-space launches are auto-guarded but not MemoryGuarded. Scripts are not allowed to launch in Medium level, but they can be launched when in Low Level.
    If MemoryGuard is disabled for Chrome in the Guard List settings, there should be no difference between MemoryGuard Protection for Chrome in the medium and low levels. So unless User-space protection is somehow interfering with Chrome, I am at a loss as to what is going on here. Anyway, again, if you could provide us with the events that you are seeing when Chrome is trying to load, maybe it would shed some light on this.
     
  8. Barb_C

    Barb_C Developer

    Thanks for clarifying. So MemoryRead protection is not interfering with IE, but the original MemoryGuard protection is causing problems.
     
  9. Barb_C

    Barb_C Developer

    Yes, it will be fixed.
     
  10. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,696
    Location:
    USA
    Here are the events from Chrome when protection is set on High, Medium, and Low. Chrome will not load until protection is set at Low. Chrome continues to say loading, but it will never load. I believe the problem may be that AG is blocking Rundll32 and Windows Explorer from reading and writing to Chrome.
     

    Last edited: Jan 10, 2011
  11. Greg S

    Greg S Registered Member

    That is correct. My issue goes all the way back to the first time Memory Protection was first intro'd. I have never been able to run IE with the Memory Protection enabled. I tried really hard to track down the issue by un-installing everything I had with no love. I may have missed something but to the best of my knowledge, Program Features was bare with the exception of Comodo Time Machine. At Eirik's request, I even uninstalled it which didn't help. I may try the uninstall all apps thingy again. I'm iced in for a few days down here in BamaVille and the only thing I have on my agenda is tonight, watching the Ducks whoop the dog mess out of our in state rival for the National Championship, lol. <--- I'm only kidding. Will be pulling for that West Georgia Cow College, Auburn
     
  12. Greg S

    Greg S Registered Member

    Hi Cut, have you identified in task manager what those processes (pid) are?
     
  13. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    No, I cannot see them in task manager. If I were to guess I would say they may have something to do with Prevx Safeonline.
     
  14. Barb_C

    Barb_C Developer

    Hi Cut, what are the MG settings for RunDLL32 on the Guard list?
     
  15. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    I did not know Rundll32 was protected by default in MemoryGuard. I didn't change anything. Here is a screenshot of the settings, which I have not changed since I installed AG. I left them at their default.
     

  16. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    I just changed MG settings for Rundll32 to no for Memory, and it did not make a difference. Chrome still will not load.
     
  17. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    You have a strange issue, buddy
     
    Last edited: Jan 10, 2011
  18. buckslayr

    buckslayr Registered Member

    Joined:
    Jun 1, 2009
    Posts:
    484
    Location:
    Michigan, USA
    I had the same issue with beta. Couldn't get chrome to run either.
     
  19. jmonge

    jmonge Registered Member

    it is running fine here;) :thumb:
     
  20. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Yes, it's strange that I seem to be the only one having an issue with Chrome. What platform are you guys testing on? I'm testing on W7 64bit Ultimate, and XP Pro 32 bit SP3. It's W7 64 bit Ultimate I'm having the problem with Chrome on. I don't have Chrome installed on XP Pro 32bit SP3.
     
  21. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Update: I sent an email to AppGuard[at]blueridgenetworks.com describing what I believe to be the cause of the BSOD I reported on 1-10-11. So I don't have to type all of this out again I'm just going to copy and paste what I posted over at Online Armor's beta forum. Hopefully OA and AG can work this out.

    I believe I have discovered the cause of the BSOD I had yesterday. The minidump points to BrnFileLock.sys (belongs to AppGuard) as being the cause, but it didn't happen until after I installed OA. BrnFileLock.sys is located in the following directory: C:\WINDOWS\system32\drivers. BrnFileLock.sys is essential for AppGuard to function, and must be trusted or it will cause your system to hang, and then BSOD. When I installed OA I added AG's programs folder (C:\Program Files\Blue Ridge Networks) to OA's exclusion list to prevent conflict between the two. I was not given a chance to make BrnFileLock.sys trusted before my system hang, and BSOD. BrnFileLock.sys has to be a trusted file by default by OA to prevent this in the future. My system was unusable until I set BrnFileLock.sys as trusted. Now so far I am not having any more problems with system hangs, Windows Explorer crashes or BSODs. I was having all of them before making BrnFileLock.sys trusted. BrnFileLock.sys is in the latest version of AG beta which I am beta testing. What can I do to make this file automatically trusted by default in the future? Do they need to send you a sample?
     
    Last edited: Jan 11, 2011
  22. Blackcat

    Blackcat Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    4,024
    Location:
    Christchurch, UK
    Not the only one; on Vista, 32-bit, Chrome/ChromePlus/Chromium will not load here when protection is set to High or Medium.

    But SRW Iron will run on the Medium setting; go figure :p :blink:
     
  23. 1000db

    1000db Registered Member

    Joined:
    Jan 9, 2009
    Posts:
    718
    Location:
    Missouri
    Iron runs from Program Files where Chrome runs from the users directory (I think).
     
  24. jmonge

    jmonge Registered Member

    Google Chrome in my Vista 32 runs good ;) in my Win7 64 is also good with my IE and in my xp2 32 home is just perfect :thumb:
     
  25. Barb_C

    Barb_C Developer

    Ok, this is another one that we haven't been able to reproduce in our test lab. In the current beta release, changing the protection level (i.e. High, Medium, Low, Install, Off) does not change the tray icon. This is functioning as designed (although in the next release we will have the icon change when the level is changed to Install or Off). Also in the current beta release, if you suspend protection (for instance Privacy Mode or Guarded Execution or allow UnGuarded launches) from the tray menu, the tray icon should change immediately (and definitely works for me on WinXP SP3).

    We are definitely not seeing the behavior described where the icon is changing after clicking manually. We will continue to try to reproduce the issue (I am sure that we have one since you are all reporting it), but if you have any more information (such as which level you are running in and then what protection you are suspending) I would appreciate it.
     