AppGuard Guarded Apps Project

Discussion in 'other anti-malware software' started by Cutting_Edgetech, Apr 16, 2015.

  1. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I guarded gimp-2.8.exe and gimp-console-2.8.exe, and just launching Gimp did not cause AG to block anything from Gimp on my Windows 7 x64 machine. What executables did you guard from GIMP, and what were you doing with Gimp that caused Script-fu and Pythonw.exe to be blocked?
     
  2. bberkey1

    bberkey1 Registered Member

    Joined:
    Mar 23, 2013
    Posts:
    244
    Location:
    United States
    I actually haven't touched GIMP since the day I installed it (couple weeks ago used it as a test) and either it was automatically added to the list of guarded apps or I went ahead and added it the day I installed it, but I haven't touched any features regarding GIMP or its association with Appguard. So when I clicked on it to load, it simply brought up those two messages for python and script fu. Again, haven't touched any GIMP settings within Appguard itself, but GIMP is located on a partition.
     
  3. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    What do you mean GIMP is located on a partition? Is it located on a partition other than C?
     
  4. bberkey1

    bberkey1 Registered Member

    Joined:
    Mar 23, 2013
    Posts:
    244
    Location:
    United States
    Yes, I created a separate partition (Q) to put other third party apps and store certain files on. C: contains my OS, and other security apps, (APP/NVT/MBAM etc.)
     
  5. max2

    max2 Registered Member

    Joined:
    Sep 22, 2011
    Posts:
    376
    Should you guard picture viewers, and what about Ad Guard?
     
  6. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    You don't need to guard Windows built-in picture viewer, but you can guard third party picture viewers. You definitely should not guard Ad Guard. That will likely cause an application conflict, and guarding it will not increase your security. Applications that need to be Guarded are web applications that are vulnerable, and able to infect the system. These are Web Browsers, PDF Readers, Microsoft Office Applications, Mail Clients, Media Players, Instant Messengers, P2P file sharing clients, etc. Adobe PDF Reader, Windows Media Player, and Microsoft Office applications should already be on the guarded list.
     
  7. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    Hi, are you working for blueridge?
     
  8. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,550
    So if I add powershell to user space, do I need to untick it in guarded apps?
     
  9. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    You can, but you don't have to. AG will block Powershell execution after you add it to the userspace, even if you leave it Guarded. Do you want to block Powershell execution, or do you want to run it restricted?
     
  10. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,550
    Thanks, that is what I thought. It is restricted (guarded) by default, and adding it to user space will block it.
     
  11. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    That is correct.
     
  12. guest

    guest Guest

    lol, I wasn't aware of this thread ^^
     
  13. guest

    guest Guest

    You have to disable the checkbox in Guarded Apps; if not, it takes precedence. Just try with rundll32.exe: add it to both User Space and Guarded Apps, no alerts; remove it from Guarded Apps, lots of alerts.
     
  14. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I found the exact opposite to be true when using AG. Userspace took precedence over Guarded Apps. I don't have AG installed right now to test again. I would recommend the user just try executing Powershell after adding Powershell to the userspace, and leaving it Guarded to see what the behavior is.
     
  15. guest

    guest Guest

    Indeed you are right. Just did the test. Maybe powershell is an exception...
     
  16. guest

    guest Guest

    Edit: re-made the test; powershell in User-space YES and guarded, it isn't blocked; maybe it was a glitch.
     
  17. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I just received a PM about my post. Powershell in User-Space YES and Guarded, it was blocked when I tried it before. It always was AFAIK. If I had AG installed then I would check it again, but I don't. Lockdown said it should be Guarded instead of blocked with those settings, so I guess you better go with what he says, and what you are seeing when testing.
     
    Last edited: Dec 28, 2017
  18. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,550
    Actually, @Lockdown PMed me, saying like guest did, that Guarded apps takes precedence: "The Guarded Apps list supersedes the User Space list."

    I wonder if it depends on which mode you are in, i.e., Protected as opposed to Lockdown?
     
  19. guest

    guest Guest

    This is the reason why a guarded app needs to be unticked in "Guarded Apps" if the user has added it to "User Space" (Include=Yes) and wants to block it.
    "Guarded Apps" has a lot of power. If you switch to Locked Down and want to launch a program in User Space, just add it to "Guarded Apps" and it can be executed.
    If Guarded Apps didn't have precedence, it would not be possible to launch Guarded Applications in folders which have been declared as User Space (for example in Locked Down).
     
  20. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,550
    Lockdown says it doesn't matter which mode you are in. Guarded apps will always take precedence.
     
  21. guest

    guest Guest

    Just consider Appguard as a switches panel with 3 positions for each application/process: On (user space yes)- Limited - Off

    Guarded Apps = Limited, the apps run but can't do as much as Off.

    So if you set it as Limited, it means you obviously want to use it, so it takes precedence over On (which blocks the process execution).
     
  22. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,550
    Does the trusted publishers list override guarded apps?
    Let's say, for instance, that Microsoft updates a Windows Store app by means of a powershell script. Powershell is guarded, so it should not be allowed to write the new files to system space. But Microsoft is trusted. Which takes precedence?
    This example assumes that Appguard is running at default settings.
     
  23. guest

    guest Guest

    Again the setting in Guarded Apps takes precedence.
    And: the setting in Trusted Publisher only has an effect if the application has been launched in User Space and the application has not been added to Guarded Apps.
     
  24. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,550
    Thanks, mood.
     