AppGuard Beta is Live (64 Bit, MemoryGuard)

Discussion in 'other anti-malware software' started by Eirik, Jul 7, 2010.

Thread Status:
Not open for further replies.
  1. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I believe you can look at AG's logs to see what memory guard is blocking, and make the appropriate exceptions in AG's memory guard.
     
  2. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
It may be a little much, but I'm actually able to use the HIPS and AG together now. I made a few exceptions in OA and AG so they do not interfere with one another, and they have been running great together for over a week now. They are on my 3 machines anyway. AG's MemoryGuard is not blocking anything from OA since I made some MemoryGuard exceptions for OA, and everything from AG is either set as an exception in OA or is configured as a trusted application. I had OA and Prevx on those machines before. I replaced Prevx with AG, and they are actually running faster now than before.
     
  3. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
Well, I had OA and MD on my machines, and honestly if I never see a pop-up again it won't be too soon.

    I just wanted a basic firewall, and then between Appguard and Sandboxie, I feel totally secure.
     
  4. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    Yes you can, but the thing I'm uncertain about is whether it's necessary to allow this for the proper functioning of certain security applications such as Sandboxie for example. Without a deep technical understanding of how these programs work, it seems to me that it's impossible for a normal user to make an assessment. I suppose that where a program that you trust is involved (e.g. Sandboxie), it's probably safer just to make the exceptions in case the code injection is necessary. Even then the exceptions operate in one direction only.

    What I've noticed in relation to Sandboxie, and other unguarded trusted applications that write to the memory of guarded applications (e.g. Firefox), is that in each and every case on my Windows XP Pro system, the guarded applications also attempt to write back to the memory space of the trusted application to establish a two-way communication between the memory spaces of the two processes.

    Due to the way MemoryGuard works in relation to guarded applications, the attempt to write back is blocked even though the trusted application's processes had been added to the exception list. Whether it is necessary to allow this two-way communication between the two memory spaces in specific cases is hard to say. If it is necessary in some cases, then the only viable options that I can see are: either to set the AppGuard protection level to High with MemoryGuard completely disabled OR set the protection level to medium and disable MemoryGuard selectively against specific guarded applications where necessary.

    The one anomaly that I've noticed - which I've already mentioned in a previous post - is Trusteer Rapport. Even though I added the two Rapport services to the MemoryGuard application exception list, the Rapport processes are still blocked by MemoryGuard from writing to the memory of all guarded applications, the most important of which in my case is Firefox as the whole point of Rapport is to protect the browser when not using Sandboxie. This looks like a bug in AppGuard as I would expect anything I add as an exception to be honoured.

    Given the large number of blocking messages that are being generated by guarded applications trying to write to the memory of various running processes, I've had to add every guarded application to the list of ignored messages in order to suppress the alerts and prevent large numbers of blocking events being recorded in the Windows application event log. I don't know whether other people are seeing this behaviour or whether this is specific to my system.
     
  5. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    OA has the best Tabbed UI in a firewall I have ever used. It has many options, and is extremely easy to use. If it did not have any HIPS at all it would still be my choice of Firewall. I would also feel perfectly safe running AG without OA's HIPS enabled. AG is one of the most effective products I have ever used, and I have tried just about everything at one time or another. The only thing I feel is as effective as AG is Shadow Defender which I will use until it is no longer supported by my OS.
     
    Last edited: Feb 18, 2011
  6. 1000db

    1000db Registered Member

    Joined:
    Jan 9, 2009
    Posts:
    718
    Location:
    Missouri
So far, using the final release version, I've had a lot of blocked events but no noticeable loss in functionality. I do a few online games and tons of browsing using Iron as my primary browser. One of my children, while playing an online game, had downloaded a fairly common trojan. Due to AG this file became benign even through my kid's incessant clicking on everything. AG quietly stopped this in the background, never allowing the file to execute or interfere with other processes. If I had any doubts about the efficacy of AG before, they are gone now. I've also noticed no increased usage of resources compared to the last released version.
     
  7. buckslayr

    buckslayr Registered Member

    Joined:
    Jun 1, 2009
    Posts:
    484
    Location:
    Michigan, USA
    That's my setup. Windows firewall + AppGuard + ClearCloud DNS. Totally safe!
     
  8. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
Only running AppGuard here, and a very happy customer ;)
     
  9. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
I have 2 P4 3.4 GHz machines that I'm going to go back to just using Windows FW, AG, and NOD32 on. I have OA installed on them at the moment without any conflicts, but I can tell a considerable slowdown in performance. I may even give LnS FW another try.
     
  10. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
AppGuard is on all my machines here, but I think I may need a firewall to protect my outbound connections. Other than that I am safe.
I have AppGuard at medium security level.
     
  11. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
That's the thing with me being reluctant to use Windows FW. I want good outbound protection, and Windows FW does not cut it. I'm already behind a gateway with IPS, DPI, and GAV. No need for any additional inbound protection. I might just try disabling OA's HIPS and see if that does the trick to speed up system performance on my P4s. My other machines are Core i7s and I don't notice any slowdown on them.
     
  12. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    Not making any recommendations here - just reporting my own experiences. I'm running Comodo Firewall v5.3 (just the firewall, not CIS) alongside AppGuard.

Comodo Defense+ is configured purely as an anti-executable: Execution Control is enabled but all HIPS Monitoring and the Sandbox are disabled. The only alerts are when an unknown program tries to execute or gain outbound network access, or when any program attempts to execute another, which compensates for the lack of parent/child network access control in the firewall.

    AppGuard protection level is set to high on my system but I have created some ignored message exclusions for each guarded application in order to reduce the number of MemoryGuard blocking message alerts recorded in the Windows Event Log.

    Even with AppGuard protection level set to high, AppGuard and Comodo Firewall are running well together on my system with no conflicts or slowdowns.
     
    Last edited: Feb 20, 2011
  13. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
I turned off OA's HIPS and LeakTest from GRC goes through OA like a knife through soft butter. So what? For the firewall to "leak", something you don't want to run needs to run. AppGuard alone would stop that, and Sandboxie further aids in that.

    I have, and have always tested with leaktest on my desktop. Now it won't run, so it can't leak.

    Pete
     
  14. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
    Is there a way to stop AG from continuously populating the Event Viewer with certain events?

The ones in the picture are for Windows Media Player. I've tried every combination of checks with no joy.

[attachment: Untitled.png]
     
  15. Brocke

    Brocke Registered Member

    Joined:
    Mar 16, 2008
    Posts:
    2,306
    Location:
    USA,IA
Is it good to have AG in quiet mode?

Also, when will AG have program updating, or does it have a pop-up message about a newer version?
     
  16. Brocke

    Brocke Registered Member

    Joined:
    Mar 16, 2008
    Posts:
    2,306
    Location:
    USA,IA
Is there a place where you clear the Events screen in AG?
     
  17. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
In high security level, even better.
     
  18. Dave53

    Dave53 Registered Member

    Joined:
    Feb 23, 2009
    Posts:
    123
    Check out the Ignore Messages Dialog section in the AG Help document. One of the options when you add an item to ignored messages is to disable event log. Perhaps that would help. I'm going to experiment with this.

    Dave
     
  19. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    Just right-click on the Events screen and select Clear All.
     
  20. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
    Let me know how it goes. I've tried what I consider everything but with no joy.
     
  21. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
I found that every guarded application tries to write to the memory of other running processes, which causes a fair number of MemoryGuard blocking messages to be generated. To reduce the number of events logged, I added an ignore message for each guarded application of the following form:

    Prevented <guarded application> from writing to memory of <*>

making sure that the Disable Event Log checkbox is checked (and optionally the Disable Status Display and Apply for All Users checkboxes as well).

    So far, MemoryGuard blocking of guarded applications writing to the memory of other processes doesn't seem to have adversely impacted anything on my system, at least as far as I can tell.
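The two observations above (pegr's earlier post that guarded and trusted applications try to write to each other's memory in both directions, and the per-guarded-application wildcard ignore rule in this post) can be turned into a small triage script. The following is an added example, not AppGuard's own code or anything posted in this thread: it parses blocking messages of the shape "Prevented X from writing to memory of Y", tallies source/target pairs, flags pairs blocked in both directions, and emits one wildcard ignore rule per guarded application. The sample messages and process names (firefox.exe, SbieSvc.exe, RapportService.exe, wmplayer.exe, and so on) are constructed for illustration; the real log text may differ in detail, so the regex is an assumption about the format quoted in the thread.

```python
import re
from collections import Counter

# Message shape quoted in the thread: "Prevented <app> from writing to memory of <app>".
# This regex is an assumption about the exact text AppGuard writes; adjust if it differs.
MSG_RE = re.compile(r"^Prevented (?P<src>.+?) from writing to memory of (?P<dst>.+?)\.?$")

# Constructed sample of MemoryGuard blocking messages (not real AppGuard output).
SAMPLE_EVENTS = [
    "Prevented firefox.exe from writing to memory of SbieSvc.exe",
    "Prevented firefox.exe from writing to memory of explorer.exe",
    "Prevented SbieSvc.exe from writing to memory of firefox.exe",
    "Prevented wmplayer.exe from writing to memory of explorer.exe",
    "Prevented wmplayer.exe from writing to memory of svchost.exe",
    "Prevented wmplayer.exe from writing to memory of explorer.exe",
    "Prevented RapportService.exe from writing to memory of firefox.exe",
    "Some unrelated Application log entry",
]


def parse_event(line):
    """Return (source, target) for a MemoryGuard blocking message, or None for other lines."""
    m = MSG_RE.match(line.strip())
    if not m:
        return None
    return m.group("src"), m.group("dst")


def tally(lines):
    """Count how often each (source, target) pair was blocked."""
    counts = Counter()
    for line in lines:
        pair = parse_event(line)
        if pair is not None:
            counts[pair] += 1
    return counts


def bidirectional_pairs(counts):
    """Pairs blocked in both directions: the two-way communication pegr describes.

    Each unordered pair is reported once, with the two names in sorted order.
    """
    pairs = set()
    for src, dst in counts:
        if (dst, src) in counts and src != dst:
            pairs.add(tuple(sorted((src, dst))))
    return sorted(pairs)


def ignore_rules(counts, guarded):
    """One wildcard ignore-message rule per guarded app that actually generated blocks."""
    sources = {src for src, _ in counts}
    return [f"Prevented {app} from writing to memory of <*>"
            for app in sorted(guarded) if app in sources]


def exception_candidates(counts, trusted):
    """Trusted (unguarded) apps still being blocked as writers: candidates for MemoryGuard exceptions."""
    return sorted({src for src, _ in counts if src in trusted})


if __name__ == "__main__":
    counts = tally(SAMPLE_EVENTS)
    # Guarded and trusted sets are assumptions for the demo, not read from AppGuard.
    guarded = {"firefox.exe", "wmplayer.exe", "iexplore.exe"}
    trusted = {"SbieSvc.exe", "RapportService.exe"}
    for (src, dst), n in counts.most_common():
        print(f"{n:3d}  {src} -> {dst}")
    print("two-way pairs:", bidirectional_pairs(counts))
    print("ignore rules:", *ignore_rules(counts, guarded), sep="\n  ")
    print("exception candidates:", exception_candidates(counts, trusted))
```

Run it against messages exported from the Windows Application log: the ignore rules are the ones to create under Ignored Messages with Disable Event Log checked, and the exception candidates are the trusted processes to consider adding to the MemoryGuard exception list. A trusted app that shows up in a two-way pair is the case where, as noted above, the exception alone does not stop the guarded side's write-back from being blocked.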
     
  22. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    These are my sentiments too. I'm much more concerned to deny the unknown in the first place than to monitor what is happening once the unknown is running. For me, AppGuard and Sandboxie make a good strong combination with no popups. :)
     
  23. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
    Just now tried this. Thought for a few minutes that it was working but the Event Viewer is filling up again. Can you show a screenshot for one of your <*> rules?
     
  24. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
Here is the one for Firefox:

[attachment: Ignored Messages.JPG]
     
  25. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
I just thought I'd check something, and it looks like AppGuard may be ignoring the setting to disable writing to the event log.

Here is the corresponding entry for Firefox in the customisation screen for the screenshot of the <*> rule I just posted:

[attachment: AppGuard Customise.JPG]

and here is a screenshot of an event that was recorded in the Windows Event Log a short while ago:

[attachment: AppGuard Event.JPG]

Looks like event 1074003976 for Firefox is still getting written to the Windows Event Log even though I created a <*> rule to disable this event, or maybe I'm misunderstanding something here.
     