AppGuard Beta is Live (64 Bit, MemoryGuard)

Discussion in 'other anti-malware software' started by Eirik, Jul 7, 2010.

Thread Status:
Not open for further replies.
  1. wearetheborg

    wearetheborg Registered Member

    Joined:
    Nov 14, 2009
    Posts:
    667
    Eirik, could you also post the instructions for the beta testers...on how we are supposed to obtain and submit the logs etc?

    Thanks
     
  2. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    That's good news! Kudos to the engineers - the current build is completely stable on my Windows XP system and the boot time has improved! :)
     
  3. Thankful

    Thankful Savings Monitor

    Joined:
    Feb 28, 2005
    Posts:
    6,564
    Location:
    New York City
    I thought AppGuard Beta only runs on Windows 7 and Vista.
     
  4. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    The MemoryGuard part of AppGuard is for Vista and Seven only :)
     
  5. Thankful

    Thankful Savings Monitor

    Joined:
    Feb 28, 2005
    Posts:
    6,564
    Location:
    New York City
    Thanks.
     
  6. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    You're welcome ;)
    I wanted to try it on my XP2 and no luck :D, only on my Vista :thumb:, but still AppGuard has its good moments :)
     
  7. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    For Windows Vista/7, here's a screenshot with arrows. The second arrow pertains to the tear-down menu that appears after the right-click. XP is actually simpler in that there are fewer 'things' in the GUI. As for the GUI, one usually finds it in 'administrator tools' from the 'start' menu or in the 'control panel'.

    [Attachment: Windows Event Log Viewer HowTo.png]

    Then name it, save it somewhere you can find, then attach it to an email to appguard@blueridgenetworks.com

    Cheers,

    Eirik
     
    Last edited by a moderator: Aug 8, 2010
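    The GUI steps above can also be scripted. This is an added example, not Blue Ridge's own tooling: it exports the Application and System logs as .evtx files and writes a CSV preview of recent entries. The thread never names AppGuard's event provider, so the "BRN*" provider filter and the message keywords are assumptions to adjust.

```powershell
# Added example (not AppGuard's or Blue Ridge's code): collect the event logs a beta
# tester would attach to the support email, without clicking through Event Viewer.
# Assumption: AppGuard's event provider name is unknown here; "BRN*" and the message
# keywords below are guesses based on the vendor prefix seen in the thread.
$outDir = Join-Path $env:USERPROFILE 'Desktop\AppGuardLogs'
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# 1. Export the raw logs (.evtx keeps every field intact for the vendor to inspect).
foreach ($log in 'Application', 'System') {
    $dest = Join-Path $outDir ("{0}-{1:yyyyMMdd-HHmm}.evtx" -f $log, (Get-Date))
    wevtutil epl $log $dest
}

# 2. Preview what support will see: last 7 days of entries that look AppGuard-related.
$since = (Get-Date).AddDays(-7)
$entries = Get-WinEvent -FilterHashtable @{ LogName = 'Application', 'System'; StartTime = $since } `
                        -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -like 'BRN*' -or
                   $_.Message -match 'AppGuard|MemoryGuard|MBRguard' }

$entries |
    Select-Object TimeCreated, LogName, ProviderName, Id, LevelDisplayName,
                  @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } } |
    Sort-Object TimeCreated |
    Export-Csv -Path (Join-Path $outDir 'appguard-events.csv') -NoTypeInformation

"Collected $($entries.Count) matching entries; zip $outDir before emailing it."
```

    Review the CSV before sending: the .evtx exports contain every event on the machine for that log, not only AppGuard's, so uncheck or trim anything you would rather not share.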
  8. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    very clear big arrows:D
     
  9. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
    As usual, I'm confused. Is the button for collection of needed info for BRN, or is the button for use with Memory Guard on the user level? User level as in: click the button and AG surveys the system and installed apps etc., and from the gathered info will determine each user's allowances for Memory Guard. It would be great if AG could inventory what a user has installed/running and use the info for Memory Guard tolerances. Of course if it could be done, it would have to come with the warning to make sure the system is malware free before applying, which shouldn't be a problem since AG's security is protection and not cleaning. I'm just thinking out loud.
     
  10. RHE10

    RHE10 Registered Member

    Joined:
    Aug 8, 2010
    Posts:
    24
    I'm guessing it's for BRN...

    (Hey Eirik)
     
  11. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    The 'button' is a convenience for end-users that need assistance from Blue Ridge. Assistance requires us to know their system environment, sometimes their AppGuard policy, what AppGuard has blocked, the status of AppGuard, and sometimes a mini dump file. I would like this to give users discretion in what they send us, unchecking items they do not wish to send us.

    Gathering this data can intimidate non-tech users. And, helping them do so takes up our time too.

    For the beta and the next, the button also makes it easier to share log data. And yes, MemoryGuard data is our top interest.

    Greg is actually telegraphing future capabilities we might not implement this year. We have some building blocks we should complete first.

    Cheers

    Eirik
     
  12. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    Hi All,

    There are a couple of items I'd like to share.

    First, the download issue has been corrected. The webmaster fixed a JavaScript that resulted in serving the wrong install file, as well as, in some cases, serving both the old and the new install files. The correct version of the 2nd beta is 2.0.6.

    Second, there is a GUI ambiguity concerning MBRguard. When you can see the "Enable MBRguard" button in the AppGuard 'Settings' tab, MBRguard is not enabled. When you see the "Disable MBRguard" button, that means MBRguard is enabled. Clicking either actually installs or uninstalls the driver, which requires a restart.

    Second and a half, the MBRguard driver is not digitally signed. We will do so after we make changes necessary to generate log events, alerts, and no longer require a restart to implement enable/disable. Yes, at present, MBRguard blocks attacks but doesn't brag about it.

    So as you know, installing unsigned drivers causes Windows to suspend the installation and ask the end-user if he/she wants to install an unsigned driver. Once a user has clicked 'ok' to the Windows prompt that says the driver is not signed, Windows remembers that driver as trusted if it should be removed and reinstalled again, eliminating need for another 'ok' prompt.

    The other AppGuard driver 'BRNfilelock.sys' does NOT require user-approval for installation.

    BTW, I've met with the engineering team a few times in the last few business days to discuss simplifying the end-user experience, the GUI. We've defined stretch items for the third beta that would incorporate some non-trivial changes. However, if we cannot, the GUI may actually get a little more complex than it was before we began the beta process this summer: 'darkest before the dawn', as it were. Anyway, the engineering team and I are quite excited and motivated per these discussions.

    As always, we welcome your inputs. We've received a lot of good feedback and ideas from all over the world. The Internet still amazes me sometimes.

    Cheers,

    Eirik

    EDIT: See how I started this post saying 'two items' but actually more than doubled it? Now you know how our engineering team feels when I talk to them. 'Oh, one more thing...'
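    One way to see the signing state Eirik describes for yourself, as an added example rather than anything from the AppGuard project: it lists every driver file with the "BRN" prefix seen in the thread (BRNfilelock.sys is named; the MBRguard driver's file name is not, so a wildcard is used instead of guessing), reports its Authenticode status, and whether Windows has it loaded. The System32\drivers location is an assumption.

```powershell
# Added example (not AppGuard's code): which BRN* drivers are present, signed, and loaded.
# Assumptions: drivers sit in System32\drivers and share the "BRN" file-name prefix;
# the MBRguard driver's actual file name is not given in the thread.
$driverDir = Join-Path $env:SystemRoot 'System32\drivers'
$registered = Get-CimInstance Win32_SystemDriver   # service control view of kernel drivers

Get-ChildItem -Path $driverDir -Filter 'BRN*.sys' | ForEach-Object {
    $file = $_
    $sig  = Get-AuthenticodeSignature -FilePath $file.FullName
    # Match the file to its driver service by the path the SCM recorded for it.
    $svc  = $registered |
        Where-Object { $_.PathName -and $_.PathName.ToLower().EndsWith($file.Name.ToLower()) } |
        Select-Object -First 1

    [pscustomobject]@{
        Driver    = $file.Name
        Signature = $sig.Status        # Valid, NotSigned, HashMismatch, UnknownError, ...
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
        Loaded    = if ($svc) { $svc.State } else { 'not registered' }
        StartMode = if ($svc) { $svc.StartMode } else { '' }
    }
} | Format-Table -AutoSize
```

    On 64-bit Vista/7 kernel-mode code signing enforcement normally refuses to load an unsigned driver at all, so a NotSigned entry that also shows as Running on an x64 system is worth a second look rather than a shrug.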
     
  13. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
    Mine shows as enabled (Disable MBRguard). I was reluctant to do this during installation since I do use an ISR app for quick restore and the MBRguard kinda skeeered me. I've made numerous snaps and restores without any problems though.


    Since installing beta 2, I have added the above to the guarded list. Not a peep out of AG so far. I added these to an earlier version of AG some time back but removed them after a few days because AG was a little too noisy on some of Windows' SOPs. So far this time around it's not that way. I know it's been asked before, but are there any other apps that should or could be added to the Guarded Applications list?
     
  14. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    I do wonder if explicitly guarding all Java engines would be beneficial without adverse consequences. Generally the applications that use them are themselves guarded. So, when they use them, they dynamically become guarded while used. Should an unguarded application do so, they would not.

    I don't know whether there would be adverse consequences from explicitly guarding them.

    Cheers

    Eirik
     
  15. HAN

    HAN Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    2,098
    Location:
    USA
    So, how is the password/parental control implemented in the beta builds? Did they abandon the 2 user account approach? (I hope I hope!!!)
     
  16. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Eirik,

    I think I know what caused my problem. Lately I tried Spyshelter and it would not work either. I think it is because I have restricted legacy apps from starting up in RUN HKLM through group policy. I noticed that Vista Business had virtualised the Spyshelter installation. I also found AppGuard in the virtual store.

    I have no idea what combo of GP settings has forced this virtualisation (I installed with right click, run as Admin). I know some guy managed to use an undocumented API to virtualise applications (when you can do it through Task Manager, it is somehow possible).

    After the failed install of Spyshelter, I had lost all my restore points again. So it is not related to AppGuard, but because I have set some strange combo in GPO.

    Regards Kees
     
  17. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    Hi Han,

    I might have answered your question earlier. But, I was hoping to hear what others say. We are in beta after all. But, I hate to see your question unanswered.

    So, yes. It does require at least two login accounts. This can coincide with a best practice recommended at Wilders and other security circles: one admin account, one LUA account. AppGuard asks nothing more than that.

    Cheers

    Eirik
     
  18. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    Thanks for the update. I'll pass this on. Are you running AppGuard ok now?
     
  19. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    No, I am writing content and managing the design for a website of a small IT company (I did the repositioning earlier and due to low work stretched the job until my holiday in September; it is a hard time for a one-man-band consultancy). So I am constantly waiting for the new designs, reviewing increments and killing those minutes with lurking on Wilders. I need my play PC for this, so I leave my configuration as is.
     
    Last edited: Aug 12, 2010
  20. HAN

    HAN Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    2,098
    Location:
    USA
    Sorry to hear that. It eliminates AppGuard from any potential use I might have, either at home or at work. Complicates things beyond what I would be willing to accept. :(

    **EDIT**
    Some additional thoughts...

    If this is a beta, maybe it's not too late to beg for what I see as a more realistic solution. Why do you (meaning the developers, not you personally!) feel the multiple account approach is the best way? Seems to me this is not being looked at from a real, day to day user's perspective. Logging on back and forth between user accounts to change a protection setting/solve a user issue? I feel there may be a bit of not seeing the forest for the trees going on.

    My feeling is that THE reason for programs like AppGuard is solely for running only as an Admin. I am no expert but there seems to be very, very little malware that infects limited accounts. I have run as a Limited User for years and never had any issues. It's the Admin users that need the help. And contrary to what you see here, most users in Windows run as Admins. And most have only 1 account on their machine. And IMO, no amount of discussing this situation at forums such as Wilders will ever change that. So if that's the way it really is, why not design to deal with that reality instead of the sophisticated, multiple account (including Limited) users you encounter here?
     
    Last edited: Aug 12, 2010
  21. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    Hi HAN,

    I appreciate your original feedback but didn't feel I had anything constructive to post regarding it. I just now noticed your edit/update, which raises good points.

    If one wishes to do something from within a Windows account contrary to parental controls, one can tell AppGuard to engage 'privileged mode'. AppGuard responds with an authentication challenge. One must answer this challenge with credentials associated with a Windows account NOT restricted by parental controls. Once in this mode, one is no longer restricted, and can do whatever, and when done, turn off the mode. All this without logging out and into another account.

    You've hit the crux of it. There's no eluding your point, not that I would wish to do so.

    There are two reasons for our two-account minimum approach.

    First, we sought to avoid the customer support issues of lost parental control passwords. This approach keeps us out of that entirely. Self-serving? Sure. However, this benefits customers too. Consider how many days responding to such a trouble ticket could take and what circumstances a customer might be in while waiting.

    Second (cynics, you'll love this!), our choice is an act of 'tough love' and 'integrity'. [he says in his best Bill Clinton empathetic voice]

    We feel that we ought to be encouraging security best practices among consumers.

    As effective as we believe AppGuard to be at stopping zero-day malware attacks, running a PC with local admin rights increases the odds of something, somehow getting through. That's bad for our customers, which is bad for us too.

    So, if we lose some sales because we want to spare customers from support headaches and reduce their exposure to sophisticated attacks, we'll live with it.
    I don't want to lose customers. But, we cannot please everyone.

    We're sincerely disappointed that we've displeased you with our parental controls. If the majority of folk felt this way, however, we'd reconsider. For now, I can only say that we are listening to you and taking your feedback very seriously.

    Cheers,

    Eirik
     
  22. ace55

    ace55 Registered Member

    Joined:
    Mar 29, 2010
    Posts:
    91
    I'm currently evaluating the beta and am impressed so far. I do have one question regarding Memory Guard though. Does Memory Guard prevent read operations on another application's memory to prevent data leakage? If not, I believe it would be a good idea to add a 'private processes' list to the current private mode, complementing the private folders list. Memory Guard would then protect these processes from memory reads from guarded applications, just like the private folders list.

    Also, how widespread is the registry protection offered? I would hope it covers more than just the obvious Run, RunOnce and the like. Is AppInit_DLLs protected, for example?
     
    Last edited: Aug 20, 2010
  23. ace55

    ace55 Registered Member

    Joined:
    Mar 29, 2010
    Posts:
    91
    Well, perhaps I spoke too soon, as I am now experiencing a rather serious problem. AppGuard insists that all protections are active, but no protections are actually being applied. Not to guarded applications and not general user-space execution prevention. I've attached a screenshot showing Firefox reading data from a file in the private folder, which it should not be able to access. All protections are listed as on in the status page.

    Let me know what steps you want me to take in order to troubleshoot this. I have restarted my machine a few times and AppGuard continues to provide no protection. The only thing I can think of that may have caused problems was either running Windows Update and applying the 40-odd updates or adding and subsequently removing both svchosts from the guarded applications list. I also applied an update for Adobe Reader and attempted to install ZA before I restarted. The installation of ZA failed, I suspect, because of pending file operations from the Reader update. I can now install ZA with nary a peep from AppGuard.
     
  24. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    Hi Ace,

    Thanks for trying AppGuard. As I'm sure you know, this beta is all about finding issues and other opportunities for improvement. Clearly, you are observing abnormalities.

    One generally shouldn't 'guard' operating system services. This can cause unforeseen consequences as they can be extremely inter-dependent and dynamic. As you have unguarded one or more of such items, did you restart your PC after doing so? This would give the services a chance to reassemble/regroup.

    I would like to ask that you contact our support at appguard@blueridgenetworks.com so we can better assist.

    Cheers,

    Eirik

    PS To your questions:

    - MemoryGuard preventing 'reads': not presently; we're always assessing the value and practicality of such possibilities.

    - Registry: all of HKLM is protected, which includes the key you mentioned. I'm not up to speed on all of the HKCU keys.
     
  25. ace55

    ace55 Registered Member

    Joined:
    Mar 29, 2010
    Posts:
    91
    Thanks for your prompt reply Eirik. I had guarded a few applications per the suggestion in the AppGuard whitepaper found on your site. It only now occurred to me that that document was not written with knowledge of MemoryGuard.

    This may or may not be a bug: I unchecked the Operating System components I had added and rebooted, operating under the assumption that they would be disabled until such time as I chose to enable them again. Upon reboot, the ones I had unchecked had been enabled again.

    Is this intended behavior?

    Regardless, I then deleted these components from the guarded application list and rebooted. Lo and behold, protection is now working. I will add the OS components to the list again one at a time and try and isolate which one is causing these problems.

    If you like, I can email the address you mentioned with my results as well as continuing to post here.
     