AppGuard Beta is Live (64 Bit, MemoryGuard)

Discussion in 'other anti-malware software' started by Eirik, Jul 7, 2010.

Thread Status:
Not open for further replies.
  1. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
    Yes, I am getting the same except mine is with Windows Media Player. If left alone, the event viewer quickly fills up with the 102 event from AG. My alert rule is the same as yours.
     
  2. stackz

    stackz Registered Member

    Joined:
    Dec 27, 2007
    Posts:
    646
    Location:
    Sydney Australia
    I think you'll find that 'Disable Event Log' is referring to the AppGuard GUI Events log.
    'Disable Status Display' refers to the tray icon showing a log entry when you mouse over it.
     
  3. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    On my system, Disable Status Display prevents the events from being recorded in the Status Screen that is displayed when the GUI is opened. I would have expected Disable Event Log to have also disabled Windows Event Logging but that doesn't seem to be the case.
     
  4. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
    Easy enough for me to find out for sure. I'm getting one every three seconds with an extra one (doubled up) every other three seconds. I'll drop the slider to Quiet and see if Event Viewer gets any relief. .......


    OK, with the slider set to Quiet for five minutes, No Event Viewer entries have shown in that time. Hmm, what are we missing here?

    Something wonky is going on here. I just now moved the slider back to Normal and get this in Event Viewer.

    [screenshot attached: Untitled.png]
     
    Last edited: Feb 21, 2011
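An added check for the slider test above (example script, not part of the original post or of AppGuard): it counts Windows Event Log entries for one event ID per provider and per minute, so the rate can be compared before and after moving the slider between Normal and Quiet. It assumes the entries land in the Application log and uses the event ID 102 mentioned earlier in the thread; both are parameters.

```powershell
# Added example, not from the original post. Counts Windows Event Log entries per
# provider and per minute for one event ID so the rate can be compared across
# AppGuard slider settings. Assumptions: entries are in the Application log
# (change -LogName if Event Viewer shows them elsewhere) and the ID is 102.
param(
    [string]$LogName = 'Application',
    [int]$EventId    = 102,
    [int]$Minutes    = 5
)

$since  = (Get-Date).AddMinutes(-$Minutes)
$events = @(Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = $EventId; StartTime = $since } `
                         -ErrorAction SilentlyContinue)

if ($events.Count -eq 0) {
    "No event $EventId in '$LogName' during the last $Minutes minute(s)."
    return
}

# Bucket by provider and minute; a steady ~20/min matches "one every three seconds".
$events |
    Group-Object -Property { '{0}|{1:yyyy-MM-dd HH:mm}' -f $_.ProviderName, $_.TimeCreated } |
    Sort-Object Name |
    ForEach-Object {
        $provider, $minute = $_.Name -split '\|', 2
        [pscustomobject]@{ Provider = $provider; Minute = $minute; Count = $_.Count }
    } |
    Format-Table -AutoSize

# One number to compare between slider positions.
'{0} events in {1} min = {2:N1}/min' -f $events.Count, $Minutes, ($events.Count / $Minutes)
```

Run it once with the slider on Normal, move the slider to Quiet, wait the same number of minutes, and run it again; if Quiet really stops Windows Event Logging the second run reports no events for the window.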
  5. Dave53

    Dave53 Registered Member

    Joined:
    Feb 23, 2009
    Posts:
    123
    That is what I would expect also. It appears that something is not working properly. Maybe Eirik will drop by and provide input.
     
  6. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    I caught this thread this morning and asked Barb or someone from her team to look.

    Eirik
     
  7. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
    I keep getting a lot of these which crashes IE8 entirely. Not just the one tab.

    [screenshot attached: Untitled.png]


    It appears to be related to this.

    [screenshot attached: Untitled2.png]
     
  8. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Tried it. Looks nice indeed.

    However it failed with:

    1- link exploit (dll loaded, execution not denied)

    2- Conficker .vmx file executed manually via cmd.exe and rundll32.exe, no interception.
    However autorun.inf is blocked.

    3- I found no way to test against dll execution vulnerability like in VLC but seems it will fail just like .lnk exploit.

    AG has potential but needs a lot more active development.
     
  9. Blackcat

    Blackcat Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    4,024
    Location:
    Christchurch, UK
    Disappointing for AG; I hope Eric and the team can comment on these results.
     
  10. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I'm surprised AG missed those! Let's see if BlueRidge Networks can reproduce your results. If AG does indeed miss those then I'm sure they will fix it. I wonder if Anti-Executable 4 from Faronics blocks those. I've been wanting to see a comparison of features, and protection offered between AG & AE.
     
  11. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    It just came out of beta, are you saying it needs to go right back in.:blink:
     
  12. fredra

    fredra Registered Member

    Joined:
    Jul 25, 2004
    Posts:
    366
    I agree with your findings on Item #1
    Cheers :D
     
  13. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hey guys

    Refresh my memory. How does that link exploit get to your machine to run?

    Pete
     
  14. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Hi Pete,

    The original exploit required a specific USB device since the LNK file had to point directly to that USB device, and the specially crafted LNK files used the long path ID of the USB device rather than a drive letter, since drive letters could be different from machine to machine.

    However, later exploits created a different scenario:

    ZeuS/ZBOT and SALITY Jump on the LNK Exploit Bandwagon
    http://blog.trendmicro.com/zeuszbot-and-sality-jump-on-the-lnk-exploit-bandwagon/

    And subsequently, these attack vectors have been noted:

    • USB drive infection. That is, in the same style as the autorun trick without needing autorun.inf.

    • Network shares. The hole can be exploited through the network by copying the malicious shortcut file to a shared network location frequently used by users in a Windows network.

    • Malicious website. If the bad .LNK file is placed on a website that displays file icons, it can force Internet Explorer to check the right icon to be displayed, thus triggering exploitation. The likely candidates are pages that let users upload and download files such as a webmail client.

    • Documents. Office productivity suites (including but not limited to Microsoft Office) allow files to be embedded within documents. If a bad shortcut file is packaged into some kind of document, the software accesses the icon file so that it can be displayed. This allows the possibility of an email attack by means of a regular document file with an embedded shortcut. In addition, some email clients might be affected when displaying attached files.

    Patched systems are now immune, of course.

    regards,

    -rich
     
  15. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Thanks Rich

    I don't worry much about websites with Sandboxie, but I suspect this exploit could currently slip by on USB drives and Office docs.

    Be interested to see what Eric says.

    Pete
     
  16. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    An easy way to test against DLL execution without using malware is to use the hmmapi.dll file that comes with Windows. You will need a version different from your own OS version that won't be white listed. I've attached the Win2K version as hmmapi.txt if you would like to try. Rename to .dll

    It's just 14KB.

    The Windows hmmapi.dll is Microsoft's HTTP Mail Simple MAPI (Messaging Application Programming Interface), and it starts an instance of IExplorer to connect out to Windows Live Login.

    To run a DLL you need a loader; that is, you can't just double-click on a DLL file and get it to execute. The loader is rundll32.exe.

    So, just put the DLL file on a USB drive, for example, or anywhere else you want. Then, open a Command Prompt to that location and copy/paste this code:

    Code:
    rundll32.exe hmmapi.dll,MailToProtocolHandler %1
    If the DLL is not blocked, you will see an instance of IExplorer launched:

    [screenshot attached: hmmapi_dll-run.gif]

    If you would like to try with an autorun.inf file, create this file on your USB drive, along with the DLL file:

    Code:
    [autorun]
    shellexecute=rundll32.exe hmmapi.dll,MailToProtocolHandler %1 

    ----
    rich
     


    Last edited: Feb 22, 2011
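The rundll32 test from the post above, wrapped as a script so the outcome is recorded rather than eyeballed (added example; not Rmus's code and not part of AppGuard). It assumes the renamed hmmapi.dll sits on a USB stick at E:\ and that a successful load shows up as a new iexplore.exe process, since the export opens Internet Explorer. It also reads the PE header so that a 32-bit DLL (the Win2K build) is handed to the 32-bit loader in SysWOW64 on a 64-bit Windows, which is what the thread title is about. The export connects out to the Windows Live login page, so run it in a disposable VM.

```powershell
# Added example, not from the original post. Runs the hmmapi.dll check through
# rundll32 and reports whether the load was allowed. Assumptions: the DLL is at
# $DllPath on a removable drive (E:), and a successful call shows as a new
# iexplore.exe process. The %1 from the original command is just an empty argument.
param(
    [string]$DllPath     = 'E:\hmmapi.dll',
    [string]$Export      = 'MailToProtocolHandler',
    [int]$WaitSeconds    = 5
)

# Read the COFF Machine field so the right loader bitness is chosen (0x14C = x86, 0x8664 = x64).
function Get-PeMachine([string]$Path) {
    $b     = [System.IO.File]::ReadAllBytes($Path)
    $peOff = [BitConverter]::ToInt32($b, 0x3C)                  # e_lfanew
    if ($b[$peOff] -ne 0x50 -or $b[$peOff + 1] -ne 0x45) { throw "Not a PE file: $Path" }
    return [BitConverter]::ToUInt16($b, $peOff + 4)
}

$dir = Split-Path -Parent $DllPath
if (Test-Path (Join-Path $dir 'hmmapi.txt')) {                  # the post ships it as .txt
    Rename-Item -Path (Join-Path $dir 'hmmapi.txt') -NewName 'hmmapi.dll'
}
if (-not (Test-Path $DllPath)) { throw "DLL not found: $DllPath" }

# Stage the autorun.inf from the post on the same drive (AppGuard is said to block this path).
@"
[autorun]
shellexecute=rundll32.exe hmmapi.dll,$Export %1
"@ | Set-Content -Path (Join-Path $dir 'autorun.inf') -Encoding Ascii

# A 32-bit DLL needs the 32-bit rundll32 on 64-bit Windows.
$wow64 = Join-Path $env:SystemRoot 'SysWOW64\rundll32.exe'
$rundll = if ((Get-PeMachine $DllPath) -eq 0x14C -and (Test-Path $wow64)) { $wow64 }
          else { Join-Path $env:SystemRoot 'System32\rundll32.exe' }

$before  = @(Get-Process -Name iexplore -ErrorAction SilentlyContinue | ForEach-Object { $_.Id })
$started = Get-Date

# rundll32 syntax is <dll>,<export> [args]; keep $DllPath free of spaces or quote it.
Start-Process -FilePath $rundll -ArgumentList "$DllPath,$Export" -WorkingDirectory $dir
Start-Sleep -Seconds $WaitSeconds

$after = @(Get-Process -Name iexplore -ErrorAction SilentlyContinue | ForEach-Object { $_.Id })
$new   = $after | Where-Object { $before -notcontains $_ }

if ($new) {
    "NOT BLOCKED: $DllPath ran via $rundll; new iexplore.exe PID(s): $($new -join ', ')"
} else {
    "No new iexplore.exe within $WaitSeconds s: the DLL load was blocked, or the export failed."
}

# Whatever the Application log recorded during the run (the thread's AppGuard entries
# showed up in Event Viewer; assumption: Application log, adjust LogName if needed).
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; StartTime = $started } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, ProviderName, Id |
    Format-Table -AutoSize
```

Because the allow/deny decision is made per process, the bitness matters: a result obtained with the 64-bit rundll32.exe refusing a 32-bit DLL is a loader error, not a block, which is why the script picks the loader from the PE header instead of whatever is first in PATH.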
  17. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Thanks a lot. Very handy, I will try it.
     
  18. fredra

    fredra Registered Member

    Joined:
    Jul 25, 2004
    Posts:
    366
    @Rmus
    Thanks for that, I will try it.
    Cheers :D
     
  19. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    I tried a file infector with it. Ran it isolated/secured by AG. AG stopped file infector from infecting C drive but file infector was able to infect the files on an attached USB memory stick (although it could not create an autorun.inf file there). Also the malware infected the files on my VM's shared folder that was mapped as a network drive.
     
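A way to repeat the observation above without inspecting the stick by hand (added example; not aigle's procedure and not part of AppGuard): drop a few benign executables as canaries on the removable drive and on the mapped share, hash them, run the sample guarded, then hash again and list anything created, modified or deleted. Writes to the drive root (an autorun.inf) are checked as well. It assumes E: is the USB stick, Z: is the mapped share, and calc.exe is an acceptable benign PE to serve as bait for a file infector.

```powershell
# Added example, not from the original post. Canary files on removable and mapped
# drives, hashed before and after a guarded run, to show what the sample could touch.
# Assumptions: E: is the USB stick, Z: the mapped network drive, calc.exe is the bait.
param(
    [string[]]$Roots      = @('E:\canary', 'Z:\canary'),
    [int]$CanaryCount     = 5
)

function New-CanarySet {
    param([string]$Root, [int]$Count)
    $bait = Join-Path $env:SystemRoot 'System32\calc.exe'   # assumption: benign PE bait
    New-Item -ItemType Directory -Path $Root -Force | Out-Null
    for ($i = 1; $i -le $Count; $i++) {
        Copy-Item -Path $bait -Destination (Join-Path $Root "canary$i.exe") -Force
    }
}

# SHA-256 of every file under each path; a path may also name a single file.
function Get-TreeHashes {
    param([string[]]$Paths)
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $result = @{}
    foreach ($p in $Paths) {
        if (-not (Test-Path $p)) { continue }                  # e.g. autorun.inf not there yet
        Get-ChildItem -Path $p -Recurse -Force | Where-Object { -not $_.PSIsContainer } | ForEach-Object {
            $bytes = [System.IO.File]::ReadAllBytes($_.FullName)
            $result[$_.FullName] = ([BitConverter]::ToString($sha.ComputeHash($bytes))) -replace '-', ''
        }
    }
    return $result
}

function Compare-TreeHashes {
    param([hashtable]$Before, [hashtable]$After)
    $report = @()
    foreach ($k in $After.Keys) {
        if (-not $Before.ContainsKey($k))   { $report += [pscustomobject]@{ File = $k; Change = 'created' } }
        elseif ($Before[$k] -ne $After[$k]) { $report += [pscustomobject]@{ File = $k; Change = 'modified' } }
    }
    foreach ($k in $Before.Keys) {
        if (-not $After.ContainsKey($k))    { $report += [pscustomobject]@{ File = $k; Change = 'deleted' } }
    }
    return $report
}

# Watch the canary directories plus each drive root's autorun.inf.
$watch = @()
foreach ($r in $Roots) {
    New-CanarySet -Root $r -Count $CanaryCount
    $watch += $r
    $watch += Join-Path (Split-Path -Qualifier $r) 'autorun.inf'
}

$before = Get-TreeHashes -Paths $watch
Write-Host "Baseline: $($before.Count) file(s) hashed. Run the sample guarded now, then press Enter."
Read-Host | Out-Null

$after   = Get-TreeHashes -Paths $watch
$changes = Compare-TreeHashes -Before $before -After $after
if ($changes) { $changes | Sort-Object Change, File | Format-Table -AutoSize }
else          { 'No canary was created, modified or deleted on the watched roots.' }
```

With the behaviour described in the post, the report would list the canary*.exe files on both drives as modified and nothing as created, matching "infected the files" but "could not create an autorun.inf".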
  20. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    Did you try it in high security level or medium? Thanks for testing :thumb:
     
  21. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    Thanks, AIGLE. I have my test department checking this out. We'll get back to you with our findings and perhaps more questions.
     
  22. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Thanks, good to know.
     
  23. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    I think when you run an application guarded, it doesn't matter whether your overall security is set to high or low because the application being tested is already running guarded (isolated).

    BTW I used High security.
     
  24. djg05

    djg05 Registered Member

    Joined:
    Apr 6, 2005
    Posts:
    1,565
    Hi Pete

    I saw you mention this App in the other place and it sparked my interest. It is an interesting combination you have which I had not thought of.

    I have had a brief play with it but there are one or two things I don't understand about it.

    It comes with some programs already configured, IE being one of them, and those that are listed cannot run until added. As you probably remember, I don't like IE to run and so block it but I could not see any way to remove IE from the list. I am probably missing something but not sure what.

    Any advice welcome.
     
  25. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
    If you don't like running IE, why remove it from the list? The default config apps are not removable from the UI. Recently in the betas there was a rumor to add that option back in. In the past, I've edited the AppGuardPolicy.xml to remove certain things and you may still be able to do that. If you do, take precautions by making copies of the original.
     