AppGuard Beta is Live (64 Bit, MemoryGuard)

Discussion in 'other anti-malware software' started by Eirik, Jul 7, 2010.

Thread Status:
Not open for further replies.
  1. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    I'm running Comodo Firewall and AppGuard together with Defense+ disabled. Whilst there would no doubt be some overlap in protection between AppGuard and Defense+, IMO it would not be an overkill to run them together as the underlying philosophy behind each is different.

    In capable hands, Defense+ may provide slightly stronger protection against infection than AppGuard, but I find AppGuard easier to work with. As AppGuard has the option of a Privacy Mode for guarded applications, it is well positioned to guard against data theft should a problem occur.

    Personally, I prefer AppGuard's silent automatic blocking approach to the HIPS alerts of Defense+ but that's just a personal preference. As I rely on virtualisation and imaging for system recovery it wouldn't be the end of the world if something did get through providing that data theft didn't occur prior to removal.
     
  2. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    Hi All,

    The third beta is posted and ready for download. The following link takes you to the revised beta support page. BTW, a requirements typo in the release notes (minimum requirement for Win XP is SP2, and for Vista is SP1) has been fixed. [update]

    I'm particularly interested in your observations regarding MemoryGuard.

    In case you missed it, this beta delivers MemoryGuard to Win XP.

    Cheers,

    Eirik
     
    Last edited: Sep 23, 2010
  3. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
Does this Beta address the issues of MG being too strict with such things as Avast updating its definitions?
     
  4. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    Yes. However, we're doing this beta in part to confirm that we got it right. Also, this is our first implementation of MemoryGuard on WinXP.

    Cheers,

    Eirik
     
  5. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
Good news, bad news and some questions. Good news, installation over the top went very smoothly this time! No BSOD or paralyzed black desktop. Bad news, with MG enabled, my Internet Exploder 8 will not start. Questions,

    1) Have you added some kind of protection for .bat files? I use a bat file for a quick enabling/disabling of SRP. In previous versions I didn't have to add the folder that housed these two bat files for them to work. Now I do.

2) Have the individual file exclusions been taken away, or am I missing it somewhere in the GUI again?

Also, I'm getting quite a few of these in the status tab. I assume it's OK to use the very useful feature of "Ignore" on these:
    Code:
    09/23/10 18:46:42 Prevented process <Host Process for Windows Services> from writing to <e:\windows\prefetch\audiodg.exe-bdfd3029.pf>.
    
     
  6. DasFox

    DasFox Registered Member

    Joined:
    May 5, 2006
    Posts:
    1,825

    MemoryGuard to XP. :D


    THANKS
     
  7. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
    Eirik, disregard my last reply. I found all my answers in the link you posted. Sorry, I missed that earlier.
     
  8. DasFox

    DasFox Registered Member

    Joined:
    May 5, 2006
    Posts:
    1,825
    I'd love to see the C:\Documents and Settings\user\My Documents\MyPrivateFolder removed so users can create their own directory.

    Even if you remove and make your own, it always keeps making this MyPrivateFolder on startup... :(


    THANKS
     
    Last edited: Sep 25, 2010
  9. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
What's the purpose of this "MyPrivateFolder"? I guess I missed that new option also, lol
     
  10. stackz

    stackz Registered Member

    Joined:
    Dec 27, 2007
    Posts:
    648
    Location:
    Sydney Australia
    It was actually present in beta 2. It's a private folder that guarded applications running in privacy mode can't access. You can adjust it from the Guarded Applications tab -> Private Folders -> Settings.
     
  11. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    MemoryGuard is not working for me on Windows XP. As soon as I launch Firefox, MemoryGuard starts repeatedly blocking the AppGuard Agent service with the following message: "Prevented <C:\Program Files\Blue Ridge Networks\AppGuard\AppGuardAgent.exe> from writing to memory of <C:\Program Files\Mozilla Firefox\firefox.exe>."

    AppGuard repeatedly writes this message to the Windows Event Log until eventually AppGuard becomes totally unresponsive and the tray icon disappears. At this point there is no alternative but to reboot.

    I realise that, as a workaround, I could try disabling MemoryGuard for Firefox but this shouldn't be necessary just to get MemoryGuard to work. A screenshot of the AppGuard Status tab showing AppGuard looping is attached.

EDIT: It's not just Firefox; it's happening with ALL guarded applications. What's more, it's not just the AppGuard Agent that is getting blocked. MemoryGuard is also preventing Prevx from doing memory injection. In order to co-exist with those security applications that need to inject themselves into the memory of running processes in order to establish control, an exceptions tab may need to be added to allow the user to define their own list of trusted applications that are allowed to override MemoryGuard's protection. For the moment, I've now disabled MemoryGuard.
     


    Last edited: Sep 25, 2010
  12. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
    I like this Beta as much or more than the last one. I only have one issue, with Memory Guard enabled for IE8, IE8 will not run. It opens up then closes quickly. Status Tab in AG dialog reports the prevention of Internet Explorer from writing to the memory of Internet Explorer. Could this happen because I run everything in Tabs with IE8 and not multiple windows of IE8? Any ideas?
     
  13. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    Nuts!!!

    Pegr

    Would you please send an msinfo file and event logs so engineering can investigate? Appguard@blueridgenetworks.com

    All,

    Please do same when observing problems.

    I hope you feel these betas have improved AppGuard. We're grateful for your help improving it.

    Cheers

    Eirik
     
  14. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    Done, as requested.

    Regards
     
  15. demoneye

    demoneye Registered Member

    Joined:
    Dec 30, 2007
    Posts:
    1,356
    Location:
    ISRHell
    hi

I am using Eaz-Fix. May MBR protection conflict with the Eaz-Fix pre-boot screen?
     
  16. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
    It doesn't present any problems with Comodo Time Machine. I have a license for Eaz-Fix and more than likely will go back to it for awhile the next time I uninstall CTM. Personally, I haven't had any problems with CTM even with making and restoring hundreds and hundreds of snapshots.


    Eirik,
    Any ideas on how to correctify this Memory Guard issue I'm having with IE8?
    Code:
    09/28/10 18:31:19 Prevented <Internet Explorer> from writing to memory of <Internet Explorer>.
    09/28/10 18:31:19 Prevented <Internet Explorer> from writing to memory of <Internet Explorer>.
    09/28/10 18:31:17 Prevented <Internet Explorer> from writing to memory of <Internet Explorer>.
    09/28/10 18:31:17 Prevented <Internet Explorer> from writing to memory of <Internet Explorer>.
    09/28/10 18:31:16 Prevented <Internet Explorer> from writing to memory of <Windows Explorer>.
    09/28/10 18:31:16 Prevented <Internet Explorer> from writing to memory of <Windows Explorer>.
    
    IE8 will not start with Memory Guard enabled for it.

I have also run into a situation where guarding Rundll32 can have an adverse effect. Start IE8 in InPrivate Browsing, surf for a while and close IE8. When the InPrivate Browsing session is closed, all tracks will be cleared. AppGuard blocks the cleaning of the Temporary Cache etc.
     
  17. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    Greg,

I expect engineering will ask what IE plug-ins or add-ons or anything else is modifying its behavior?

    Thanks

    Eirik
     
  18. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
    I can't get it to start even if I select Start IE with no addons.
     
  19. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Eirik,

    Just 2 tips.

    Memory protection
    IE8 and Chrome start normally with Medium Rights (LUA) then they spawn processes running Low Rights (Protected Mode). In the spawning process IE8 injects itself, like Chrome injects itself. I would suggest two modes for memory protection
    a) protect process infecting another process (mild, same process name injections are allowed)
    b) total memory protection (aggressive = current implementation)

    You can't Iron out (:D also injects itself) all the different situations at customers. So choose a pragmatic implementation. When a customer faces a self injection which is blocked by B, fall down to level A [***], send a log file and let AppGuard support analyse and fix it.

    For ease of support, I would ask the customer for an option to auto send an issue report (when memory intrusion is blocked). With some data intelligence and filtering this must give you a wealth of information.

You can stay in Beta for months with the current approach. Combine flexibility with pragmatism: your marketing and sales department loves the time-to-market reduction, the development department enjoys the feedback of real-life data, and customers still have an option to use the feature (with the extra mild option, which is better than NONE).

Confidential file access Exceptions
In general, when you create report logs, it is an elegant option to generate rules automatically. Malware Defender is a HIPS with such a sophisticated feature. A lot of geeks like that. Geeks are the ones that tell their friends to use application so and so (social networking as a marketing instrument). You could also provide a learning mode for confidentiality exceptions.


    Note [***]
Of course all sorts of preconditions can be set, like only when it is a signed program, only when it is on the list of officially supported applications by AppGuard, only when this graceful degradation is allowed by central management (of the customer), etc.

    Regards Kees
     
    Last edited: Sep 29, 2010
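To make the two-mode proposal above concrete, here is an added example (not AppGuard's code, and not from any poster in this thread) that parses status-tab lines of the form quoted in the thread and applies Kees's policy: the "aggressive" mode blocks every cross-process memory write, as the beta does today, while the "mild" mode additionally allows writes where source and target resolve to the same program (the IE8 and Chrome self-injection case). The `trusted_signed` allow-list is a hypothetical stand-in for the signed-program / officially-supported preconditions in the note; the log lines are modelled on the ones quoted by Greg S, pegr and others, with constructed timestamps where the thread gives none.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Matches both message shapes seen in the thread's status tab:
#   "<ts> Prevented <A> from writing to memory of <B>."   (MemoryGuard event)
#   "<ts> Prevented process <A> from writing to <path>."  (file-write event)
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"Prevented (?:process )?<(?P<src>[^>]+)> from writing to "
    r"(?:memory of <(?P<dst>[^>]+)>|<(?P<path>[^>]+)>)\.$"
)


@dataclass
class Event:
    ts: str
    src: str
    dst: Optional[str]   # target process for memory-write events, else None
    path: Optional[str]  # target file for file-write events, else None


def parse_line(line: str) -> Optional[Event]:
    """Parse one status-tab line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Event(m["ts"], m["src"], m["dst"], m["path"])


def base_name(name: str) -> str:
    """Reduce a full path or display name to a comparable program name,
    so 'C:\\...\\firefox.exe' and 'firefox.exe' compare equal."""
    leaf = name.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return leaf[:-4] if leaf.endswith(".exe") else leaf


def decide(event: Event, mode: str, trusted_signed=frozenset()) -> str:
    """Return 'allow', 'block' or 'n/a' for an event under the given mode.

    mode == 'aggressive': block every cross-process memory write (current beta).
    mode == 'mild':       also allow writes where source and target are the same
                          program (self-injection, as IE8/Chrome do when spawning
                          their Low Rights child processes).
    trusted_signed: hypothetical allow-list of program names that may always
    inject (stand-in for the signed / officially-supported preconditions).
    """
    if event.dst is None:
        return "n/a"  # file-write event: not MemoryGuard's decision
    src, dst = base_name(event.src), base_name(event.dst)
    if src in trusted_signed:
        return "allow"
    if mode == "mild" and src == dst:
        return "allow"
    return "block"


def evaluate_log(text: str, mode: str, trusted_signed=frozenset()):
    """Return (timestamp, source, target, decision) for each memory-write event."""
    results = []
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is None or ev.dst is None:
            continue
        results.append((ev.ts, base_name(ev.src), base_name(ev.dst),
                        decide(ev, mode, trusted_signed)))
    return results


def count_blocked(text: str, mode: str, trusted_signed=frozenset()) -> int:
    return sum(1 for r in evaluate_log(text, mode, trusted_signed) if r[3] == "block")


# Constructed sample log: lines modelled on those quoted in the thread; the
# AppGuardAgent timestamp is made up because the thread does not give one.
SAMPLE_LOG = """\
09/28/10 18:31:19 Prevented <Internet Explorer> from writing to memory of <Internet Explorer>.
09/28/10 18:31:16 Prevented <Internet Explorer> from writing to memory of <Windows Explorer>.
09/25/10 10:02:03 Prevented <C:\\Program Files\\Blue Ridge Networks\\AppGuard\\AppGuardAgent.exe> from writing to memory of <C:\\Program Files\\Mozilla Firefox\\firefox.exe>.
09/23/10 18:46:42 Prevented process <Host Process for Windows Services> from writing to <e:\\windows\\prefetch\\audiodg.exe-bdfd3029.pf>.
"""

if __name__ == "__main__":
    for mode in ("aggressive", "mild"):
        print(f"--- mode: {mode} ---")
        for ts, src, dst, verdict in evaluate_log(SAMPLE_LOG, mode):
            print(f"{ts}  {src} -> {dst}: {verdict}")
    print("mild + trusted agent blocked:",
          count_blocked(SAMPLE_LOG, "mild", frozenset({"appguardagent"})))
```

Run as a script it prints the per-event verdict under each mode. The point of separating `decide` from `parse_line` is that the "fall down to level A" behaviour Kees asks for becomes a one-word policy change rather than a parser change, and the `n/a` verdict keeps file-write events (the prefetch write Greg S quoted) out of the memory-protection decision entirely.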
  20. DasFox

    DasFox Registered Member

    Joined:
    May 5, 2006
    Posts:
    1,825
    I wonder if this Memory Guard can work the way it is intended?

    I see a lot of legitimate applications trying to write to memory that this is blocking...

    Hmm Hmm Hmm :doubt:
     
  21. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    Agreed, which is why in a previous post in this thread I suggested that an exceptions tab may need to be added to allow the user to define their own list of trusted applications that are allowed to override MemoryGuard's protection.
     
  22. Kernelwars

    Kernelwars Registered Member

    Joined:
    Aug 12, 2010
    Posts:
    2,155
    Location:
    TX
    yes yes indeed:thumb: :thumb: :thumb:
     
  23. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
AppGuard is getting a little complicated. I remember when the company released EdgeGuard Solo, it was very simple ;)
     
  24. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    good request :thumb:

    I would only suggest for memory guard
    a) Threatgate programs like mail and browsers
    b) System Utilities to be misused
    - regedit
    - regini (change permission of registry)
    - regsrv (register a dll)
- command
    c) forget about office programs (to protect memory that is)
     
  25. DasFox

    DasFox Registered Member

    Joined:
    May 5, 2006
    Posts:
    1,825

    Well I wrote this post that no one ever answered:

    https://www.wilderssecurity.com/showthread.php?t=282625

    It sounds great in theory but can it be done, which I believe is what AppGuard is trying to do, enforce this...

    BUT I don't see why legitimate applications should be stopped at all, unless AppGuard might have the ability to detect that what it sees might be malicious.

    I actually thought the whole point of the Memory Guard was only to stop a malicious application from writing to memory, not stopping legitimate applications.
     