AppGuard Guarded Apps Project

Discussion in 'other anti-malware software' started by Cutting_Edgetech, Apr 16, 2015.

  1. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    4,953
    Location:
    USA
    The purpose of this thread is to allow AppGuard users to exchange information about the applications they guard, and to give feedback to Blue Ridge Networks. It is very important to report whether guarding a specific application causes problems on your system. It is equally important to report if guarding a specific application mitigates a specific threat.

    There are a few things to keep in mind when choosing which applications you should guard. Some applications should never be guarded, as doing so will cause system instability. You should only guard applications that are vulnerable, or that can be used to infect one's computer. You should never guard other security applications. Below is a list of applications that should be guarded, as long as doing so does not cause functionality problems for the application. Some of the software below comes guarded by default. You will have to check your guarded apps list to see which of your applications are already guarded. Microsoft Office applications should already be guarded. Information you report about applications that are not guarded by default will probably be more important. If you have problems with applications that are guarded by default, you should still report it here or in the main AG thread.

    Applications that should be guarded
    Web Browsers
    Mail Clients
    Pdf Readers
    Media Players
    Instant Messenger Clients
    P2P File Sharing Clients
    Archive Software (winrar, 7zip, etc.)


    It is solely your choice which applications to guard. Just use caution when choosing which applications to guard. Guarding the wrong applications can cause system instability, as already stated above. Please report back if guarding a particular application causes any problems on your system. I also recommend reporting back after 5 days if you have not experienced any problems after guarding an application. It's just as valuable to know that guarding a specific application does not cause problems. Also report if guarding an application mitigates a specific threat. For example: guarding javaw.exe will mitigate threats originating from JAR files. This information could help Blue Ridge Networks choose which applications to guard by default. All feedback is appreciated. I am in no way affiliated with Blue Ridge Networks. I am an AppGuard user like other members on this forum. Blue Ridge Networks employees do read and participate in the AG threads, so this information will be valuable.
     
  2. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    4,953
    Location:
    USA
    I have added all of the below applications to my guarded apps list on Windows 7X64 Ultimate, and I have not experienced any problems in doing so.

    7-Zip Console (guarded for about a month)
    7-Zip File Manager (guarded for about a month)
    Wise Downloader for Youtube videos (guarded for about 2 years)
    java.exe (guarded for about 3 months)
    javaw.exe (guarded for about 3 months)
    javaws.exe (guarded for about 3 months)
    Jitsi messenger (guarded for about 3 years, but I rarely use Jitsi)
    Tixati Torrent Client (guarded for about 3 years)
    Media Player Classic 32 bit, and 64 bit (guarded for about 1 year)
    cscript.exe (system32 folder) (guarded for about a month)
    wscript.exe (system32 folder) (guarded for about a month)
    powershell.exe (C:\Windows\System32\WindowsPowerShell\v1.0) (guarded for about 3 months)
    powershell_ise.exe (C:\Windows\System32\WindowsPowerShell\v1.0) (guarded for about 3 months)
    winrar archiver (guarded for about 2 months)

    I am currently unable to guard any applications from the Windows SysWOW64 folder. I tried guarding the following from the SysWOW64 folder: cmd.exe, rundll32.exe, cscript.exe, wscript.exe, powershell.exe, and powershell_ise.exe. They all drop off the guarded apps list after a reboot. I checked the policy file, and they were not listed anywhere in the policy file. I reported it to BRN as a bug.
     
  3. Mister X

    Mister X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    1,780
    Location:
    Mexico
    I used to service Windows images (install.wim: integrating stuff, multi-index AIOs, etc.), and when tinkering with AppGuard settings I noticed that SysWOW64 issue months ago, but I didn't give the matter much importance.
     
  4. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    4,953
    Location:
    USA
    I didn't discover the problem until a month ago.
     
  5. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,059
    At Barb's suggestion I guard all my VMware applications. Prevents memory transfer.
     
  6. digmor crusher

    digmor crusher Registered Member

    Joined:
    Jul 6, 2012
    Posts:
    424
    Location:
    Canada
    Other than the default settings all the apps I have guarded are Jangle, PDF Xchange Viewer and Burnaware.

    Nice job setting this thread up CE.
     
    Last edited: Apr 16, 2015
  7. syrinx

    syrinx Registered Member

    Joined:
    Apr 7, 2014
    Posts:
    334
    I guard just about every app that I run in a sandbox, plus a few others. I also use the sbie 'block process access' add-on, which seems to prevent (guesstimate) 90% of the events AppGuard normally blocks in my experience, but AppGuard has proven useful in my setup anyway.

    Here's a cursory list, pretty sure I missed a few but I also run in locked down mode most of the time and have many files existing in user space which means I have to add them in order for them to launch while AppGuard is active 'locked down'.

    My list likely won't help much for normal installations though especially since I haven't included paths or rules.

    Code:
    palemoon.exe
    palemoon-portable.exe
    plugin-container.exe
    plugin-hang-ui.exe
    iexplore.exe
    firefox.exe
    helper.exe
    skype.exe
    ventrilo.exe
    pirate101.exe
    pirate.exe
    wizard101.exe
    wizardgraphicalclient.exe
    battle.net launcher.exe
    diablo iii launcher.exe
    hearthstone.exe
    world of warcraft launcher.exe
    wow.exe
    wow-64.exe
    hearthstone beta launcher.exe
    wowbrowserproxy.exe
    steam.exe
    steamerrorreporter.exe
    steamwebhelper.exe
    cs6servicemanager.exe
    afterfx.exe
    adobe audition cs6.exe
    adobe premiere pro.exe
    adobe prelude.exe
    photoshop.exe
    adobe media encoder.exe
    indesign.exe
    illustrator.exe
    flash.exe
    flashbuilder.exe
    fireworks.exe
    adobe encore.exe
    dreamweaver.exe
    speedgrade.exe
    foxit phantompdf.exe
    setlang.exe
    ksoxmled.exe
    ksomisc.exe
    et.exe
    wpp.exe
    wps.exe
    launcher.exe
    chaosrebornwin64.exe
    gauntlet.exe
    payday2_win32_release.exe
    borderlands2.exe
    lanshark.exe
    conhost.exe
    
    As a side note, be careful what you post here. I'm sure CE's intentions are good but if you think you might actually be targeted as an individual, posting here may not be the smartest idea as it gives people a general idea of the software you use and thus may open you up to any vulnerabilities and exploits specific to that app (paranoid much?) though my faith in AppGuard is fairly strong so I listed mine anyway.
     
    Last edited: Apr 16, 2015
  9. Mister X

    Mister X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    1,780
    Location:
    Mexico
    My guarded apps list:
    360wangpan.exe
    7zfm.exe
    digitaleditions.exe
    autoruns.exe
    baiduyunguanjia.exe
    computehash utility.exe
    convertxtodvd.exe
    copyagent.exe
    fscapture.exe
    firefox.exe
    chrome.exe
    googleearth.exe
    imgburn.exe
    idman.exe
    iexplore.exe
    i_view32.exe
    java.exe
    javaw.exe
    javaws.exe
    jdownloader2.exe
    jotta.exe
    excel.exe
    powerpnt.exe
    winword.exe
    minecraftlaucher.exe
    mpc-hc64.exe
    notepad.exe
    notepad++.exe
    pdfxcview.exe
    pidgin.exe
    mstsc.exe
    snaptimer.exe
    skype.exe
    procexp.exe
    firefox.exe (tor)
    winrar.exe

    My installed programs list:
    360云盘 (360 Cloud Drive) 360安全中心 (360 Security Center)
    7-Zip 15.00 (x64 edition)
    Adobe Digital Editions 4.0 Adobe Systems Incorporated
    Adobe Flash Player 17 NPAPI Adobe Systems Incorporated
    Adobe Shockwave Player 12.1 Adobe Systems, Inc
    AntiLogger Zemana Ltd.
    Blue Ridge Networks AppGuard Blue Ridge Networks
    Blueline 1.1.1
    CCleaner Piriform
    ConvertXtoDVD
    Copy Barracuda Networks, Inc.
    EaseUS Partition Master 10.2 Trial Edition EaseUS
    Google Chrome Google Inc.
    Google Earth Pro
    Hard Disk Sentinel HDS
    ImgBurn LIGHTNING UK!
    Intel(R) Management Engine Components Intel Corporation
    Intel(R) Processor Graphics Intel Corporation
    Intel(R) Rapid Storage Technology Intel Corporation
    Intel(R) SDK for OpenCL - CPU Only Runtime Package Intel Corporation
    Internet Download Manager Tonec Inc.
    IrfanView (remove only) Irfan Skiljan
    Java 8 Update 45 Oracle Corporation
    Java 8 Update 45 (64-bit) Oracle Corporation
    Jottacloud version 3.0.24.205 Jotta AS
    KeyCrypt SDK version 1.8.1.199 Zemana Ltd.
    Malwarebytes Anti-Exploit version 1.06.1.1018 Malwarebytes
    Microsoft Office Professional Plus 2013 Microsoft Corporation
    Microsoft Silverlight Microsoft Corporation
    Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 Microsoft Corporation
    Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 Microsoft Corporation
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 Microsoft Corporation
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 Microsoft Corporation
    Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 Microsoft Corporation
    Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 Microsoft Corporation
    Minecraft Mojang
    MiniTool Partition Wizard Professional Edition 8.1.1 MiniTool Solution Ltd.
    MiniTool Partition Wizard Professional Edition 9.0 MiniTool Solution Ltd.
    Mozilla Firefox 37.0.1 (x86 en-US) Mozilla
    Mozilla Maintenance Service Mozilla
    MPC-HC 1.7.8 (64-bit) MPC-HC Team
    Notepad++ Notepad++ Team
    NoVirusThanks EXE Radar Pro (x86/x64) v3.1 NoVirusThanks Company Srl
    NVIDIA Graphics Driver 340.52 NVIDIA Corporation
    PDF-Viewer Tracker Software Products Ltd
    Pidgin
    PowerISO Power Software Ltd
    Realtek Ethernet Controller Driver Realtek
    Realtek High Definition Audio Driver Realtek Semiconductor Corp.
    Sandboxie 4.17.2 (64-bit) Sandboxie Holdings, LLC
    Shadow Defender ShadowDefender.com
    Skype™ 7.3 Skype Technologies S.A.
    SoftPerfect RAM Disk 3.4.6 SoftPerfect Research
    UltraISO Premium V9.62
    Unity Web Player Unity Technologies ApS
    Unity Web Player (x64) (All users) Unity Technologies ApS
    VMware Workstation VMware, Inc
    Windows Assessment and Deployment Kit - Windows 10 Microsoft Corporation
    WinRAR 5.21 (64-bit) win.rar GmbH
    百度云管家 (Baidu Cloud Manager) 百度在线网络技术(北京)有限公司 (Baidu Online Network Technology (Beijing) Co., Ltd.)

    Any suggestions on whether I need to guard any other program?
     
    Last edited: Apr 16, 2015
  12. FleischmannTV

    FleischmannTV Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,071
    Location:
    Germany
    Is guarding flash player necessary? AFAIK guarded applications pass on their guarded status to child processes. So if the browser launches flash, it should be guarded automatically.
     
  13. Mister X

    Mister X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    1,780
    Location:
    Mexico
    Yes, I already know that, and I think the same applies to Shockwave and Unity Web Player.
    But I just wanted to guard it to be twice as safe, I guess.
     
  14. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    4,953
    Location:
    USA
    Do you have to make any special configuration exceptions when guarding VMware to prevent conflict?
     
  15. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    4,953
    Location:
    USA
    I'm using Windows 7X64, and I only have java installed in Program Files (x86) Folder.
    That's strange. It looks like you may have found a bug. Could you report that to BRN? AG retains my guard settings for java in the Program Files (x86) Folder on Windows 7X64. Maybe the problem is only with Windows 8, or maybe AG is not able to guard the same file from two different paths. I wonder what would happen if I remove cscript.exe, wscript.exe, etc. from the guarded apps list (currently guarding from the System32 folder), and then try adding cscript.exe, wscript.exe etc.. from the SysWOW64 Folder again. I wonder if it would guard them from the SysWOW64 Folder if AG was not already guarding them from the System32 Folder. I will try that now to see what happens.
     
    Last edited: Apr 17, 2015
  16. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    4,953
    Location:
    USA
    I removed cscript.exe and wscript.exe in the System32 folder from the guarded apps list, and rebooted. Then I added cscript.exe and wscript.exe from the SysWOW64 folder to the guarded apps list. I rebooted, and they were still there. I checked to see what path they showed by hovering my mouse over them, and it showed them being located in the System32 folder. I checked my policy file, and it has both listed in the System32 folder. I removed cscript.exe and wscript.exe again. Then I added cscript.exe and wscript.exe to the guarded apps list again from the SysWOW64 folder. After rebooting, AG changed them back to the System32 folder again. My conclusion is that the bug is specific to guarding applications from the SysWOW64 folder. AG is unable to guard anything from the SysWOW64 folder on my Windows 7 x64 machines. I don't have other OSes to test on.
     
  17. Mister X

    Mister X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    1,780
    Location:
    Mexico
    CE, interesting findings, thanks.
     
  18. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    4,953
    Location:
    USA
    I would try guarding Unity Web Player. I'm glad I saw Notepad on your guarded apps list. I forgot to add it back to my guarded apps list after rolling back my image sometime recently.
     
  19. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    4,953
    Location:
    USA
    I thought about adding the Flash plugin once, but I didn't because it is supposed to already be guarded, since the browser is its parent. The child should inherit the privilege of the parent. I do break this rule, though, by guarding Firefox's plugin-container.exe. Flash Player Plugin is the answer you are looking for, though. I don't think you need to guard it.

    Edited 4/17 @ 4:50: You might try guarding the Flash Player app in the SysWOW64 folder. I have never tried that. I would not guard the plugin. I just don't know. I will have to look more into Flash Player. If you are able to play a Flash video outside the browser, then it would need to be guarded. I will look into it more.
     
    Last edited: Apr 17, 2015
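The inheritance rule discussed in posts #12 and #19 (a guarded parent's children are treated as guarded, so a plugin launched by the browser is covered, but the same player started from the shell is not) is easy to get wrong by eye on a real process list. The script below is an added example, not AppGuard code and not a description of its internals: it walks a constructed process snapshot, assigns every process the nearest guarded ancestor (or itself), and lists the instances of a watched image that have no guarded ancestor. Image names other than firefox.exe, plugin-container.exe, javaw.exe and cmd.exe are assumed stand-ins; the pid/ppid values are invented.

```python
"""
Propagate 'guarded' status down a process tree the way the thread describes
(a guarded parent's children count as guarded) and find processes that escape
because no ancestor in their chain is guarded.

Added example. Not AppGuard code; the snapshot is a constructed process list,
not real telemetry. flashplayer.exe stands in for a standalone player that the
shell (not the browser) launched.
"""

# Constructed snapshot: (pid, ppid, image name).
SNAPSHOT = [
    (4,    0,    "System"),
    (600,  4,    "wininit.exe"),
    (1200, 600,  "explorer.exe"),          # shell, not guarded
    (2000, 1200, "firefox.exe"),           # guarded by policy
    (2100, 2000, "plugin-container.exe"),  # child of the browser
    (2200, 2100, "flashplayer.exe"),       # grandchild, still covered
    (2300, 1200, "flashplayer.exe"),       # same image, launched from the shell
    (2400, 2300, "cmd.exe"),               # spawned by the unguarded instance
    (2500, 1200, "javaw.exe"),             # guarded by policy
    (2600, 2500, "cmd.exe"),               # spawned by a guarded parent
]


def build_tree(snapshot):
    """Return (parent map pid->ppid, image map pid->lower-cased image name)."""
    parent = {pid: ppid for pid, ppid, _ in snapshot}
    image = {pid: name.lower() for pid, _, name in snapshot}
    return parent, image


def guard_source(pid, parent, image, policy):
    """
    Walk up from pid and return the pid of the nearest ancestor-or-self whose
    image is in the guard policy, or None when the whole chain is unguarded.
    The 'seen' set guards against a cyclic or self-parented snapshot.
    """
    seen = set()
    cur = pid
    while cur in image and cur not in seen:
        seen.add(cur)
        if image[cur] in policy:
            return cur
        cur = parent.get(cur)
    return None


def effective_guard_map(snapshot, guarded_images):
    """Map every pid to the pid it inherits its guard from (itself if guarded by policy), else None."""
    parent, image = build_tree(snapshot)
    policy = {g.lower() for g in guarded_images}
    return {pid: guard_source(pid, parent, image, policy) for pid in image}


def unguarded_instances(snapshot, guarded_images, watch_images):
    """
    Instances of the watched images that run with no guarded ancestor. These are
    the cases where relying on inheritance is not enough and the image itself
    needs an entry in the guarded apps list.
    """
    watch = {w.lower() for w in watch_images}
    guard_map = effective_guard_map(snapshot, guarded_images)
    _, image = build_tree(snapshot)
    return [(pid, image[pid]) for pid, _, _ in snapshot
            if image[pid] in watch and guard_map[pid] is None]


if __name__ == "__main__":
    policy = ["firefox.exe", "javaw.exe"]
    for pid, src in effective_guard_map(SNAPSHOT, policy).items():
        print(f"{pid:5d} guarded via {src}")
    print("unguarded:", unguarded_instances(SNAPSHOT, policy, ["flashplayer.exe", "cmd.exe"]))
```

Running it shows the two outcomes side by side: flashplayer.exe at pid 2200 inherits from firefox.exe through plugin-container.exe, while the identical image at pid 2300, started from explorer.exe, has no guarded ancestor and neither does the cmd.exe it spawns.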
  20. Mister X

    Mister X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    1,780
    Location:
    Mexico
    Fine! Awaiting your reply on this matter. Thanks.
     
  21. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    4,953
    Location:
    USA
    Can you report not being able to guard Java from the Program Files (x86) folder to BRN? I would also check to see if you are able to guard Java from the Program Files (x86) folder if you are not already guarding it from the Program Files (x64) folder. Maybe the problem is that AG is not able to guard the same file from two different paths. I would test this theory just to eliminate the possibility.
     
  22. Mister X

    Mister X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    1,780
    Location:
    Mexico
    I reported the bug to Barb_C, pointing to this thread of yours for details. Hopefully she will speak about these bitness issues soon.

    Regarding the java x86 thing I've got this:
    1. Deleted java entries in AppGuard GUI
    2. Reboot
    3. Added java.exe, javaw.exe and javaws.exe (all x86)
    4. Reboot
    5. Outcome: http://i.imgur.com/Gc8IjtQ.png
    It doesn't retain x86 path and files. Odd.
     
    Last edited: Apr 17, 2015
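Posts #2, #15, #16, #21 and #22 all circle the same question: an entry picked from SysWOW64 or Program Files (x86) comes back after a reboot as its System32 or Program Files twin, and the theory is that the tool cannot hold the same file name at two bitness paths. The script below is an added example and not AppGuard code or its policy format; it takes a constructed list of guarded paths (the kind a user would copy out of the GUI or policy file), reports every file name that appears in both halves of a 32-bit/64-bit directory pair, and models what the list would look like if each 32-bit entry were rewritten to its 64-bit sibling, as reported in #16 and #22. The Java directory name is an assumed version path, not one taken from anyone's policy file.

```python
"""
Check a guarded-apps path list for file names shared across the paired
32-bit and 64-bit directories of x64 Windows, and model the rewrite reported
in this thread so the result can be compared with the actual policy file.

Added example. Not AppGuard code and not AppGuard's policy format. The input
is a constructed list; the Java version directory is assumed.
"""
import ntpath

# (64-bit location, 32-bit location) pairs that WOW64 keeps side by side.
BITNESS_PAIRS = [
    (r"C:\Windows\System32", r"C:\Windows\SysWOW64"),
    (r"C:\Program Files", r"C:\Program Files (x86)"),
]

CONSTRUCTED_LIST = [
    r"C:\Windows\System32\cscript.exe",
    r"C:\Windows\SysWOW64\cscript.exe",
    r"C:\Program Files (x86)\Java\jre1.8.0_45\bin\java.exe",
    r"C:\Program Files\Java\jre1.8.0_45\bin\java.exe",
    r"C:\Windows\SysWOW64\rundll32.exe",
]


def _split(path):
    """(lower-cased directory without trailing backslash, lower-cased file name)."""
    d, f = ntpath.split(path.replace("/", "\\"))
    return d.rstrip("\\").lower(), f.lower()


def sibling_dir(directory):
    """Same directory under the other bitness root, or None if not under any pair."""
    for x64_root, x86_root in BITNESS_PAIRS:
        for src, dst in ((x64_root, x86_root), (x86_root, x64_root)):
            s = src.lower()
            if directory == s or directory.startswith(s + "\\"):
                return dst.lower() + directory[len(s):]
    return None


def bitness_collisions(paths):
    """
    File names that appear in both halves of a bitness pair, mapped to the
    sorted directories they were listed under. These are the entries to test
    one at a time (remove one half, reboot, add the other) when checking
    whether the tool keys on file name alone.
    """
    by_name = {}
    for p in paths:
        d, f = _split(p)
        by_name.setdefault(f, set()).add(d)
    out = {}
    for f, dirs in by_name.items():
        if any(sibling_dir(d) in dirs for d in dirs):
            out[f] = sorted(dirs)
    return out


def expected_after_reboot(paths):
    """
    Model of the behaviour reported in the thread: every entry under a 32-bit
    root comes back under the 64-bit root, and duplicates collapse. Diff this
    against the policy file after a reboot to see whether the rewrite is what
    actually happened.
    """
    seen = []
    for p in paths:
        d, f = _split(p)
        for x64_root, x86_root in BITNESS_PAIRS:
            r = x86_root.lower()
            if d == r or d.startswith(r + "\\"):
                d = x64_root.lower() + d[len(r):]
                break
        full = ntpath.join(d, f)
        if full not in seen:
            seen.append(full)
    return seen


if __name__ == "__main__":
    for name, dirs in bitness_collisions(CONSTRUCTED_LIST).items():
        print(f"{name}: {dirs}")
    print("\n".join(expected_after_reboot(CONSTRUCTED_LIST)))
```

On the constructed list, cscript.exe and java.exe are the colliding names, and the modelled post-reboot list holds three entries, all under System32 or Program Files, with the SysWOW64 rundll32.exe relocated even though it had no 64-bit twin in the input, which matches what #16 observed when the System32 entry had been removed first.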
  23. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    4,953
    Location:
    USA
    Why do you guard Burnaware? I see other users also guarding burning software. Is it to protect against exploit payloads?
     
  24. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    4,953
    Location:
    USA
    I don't have IrfanView on my computer, but I do have GIMP. I'm not sure if it can be guarded, because it has so many different components to it. I will try guarding it to see what happens. I worry about spoofed media files in general. I have found spoofed image, audio, and video files containing malicious code on P2P networks.
     
    Last edited: Apr 17, 2015
  25. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,059
    Not really. Just making sure that Memory guard was on.
     