AppGuard instead of sandbox?

Discussion in 'other anti-malware software' started by zakazak, Sep 28, 2011.

Thread Status:
Not open for further replies.
  1. zakazak

    zakazak Registered Member

    Joined:
    Sep 20, 2010
    Posts:
    523
    I read a bit about AppGuard and if I got it right, then AppGuard will deny any execution of files that were loaded with protected apps? This could be a bit more annoying than a sandbox (since you would always have to stop the protection when downloading something) but it would need less resources? And I'm not a big fan of having half of my browser in a sandbox folder and the other half in %appdata%. So if that is what AppGuard is doing, it would be a great addition to my current security setup (CIS + Mbam pro)?

    thanks
     
  2. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    Totally agree. It is a great app and I too prefer it to a sandbox.
     
  3. zakazak

    zakazak Registered Member

    Joined:
    Sep 20, 2010
    Posts:
    523
    Hmm, but for example if I use Media Player Classic and want to load a subtitle with it, it won't be able to load that subtitle (the MPC is protected?). Same goes for foobar & lyrics & album art?
     
  4. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    You have the ability to do a temp disable.
     
  5. zakazak

    zakazak Registered Member

    Joined:
    Sep 20, 2010
    Posts:
    523
    Well, in case of foobar, every time I play a song it will try to download the lyrics & album art (if they don't exist already).. so that would be kinda annoying :p Or I simply won't protect foobar.
    And probably HIPS (comodo d+) and mbam pro are already enough to detect drive-bys/exploits :/

    @edit: since comodo should auto-sandbox any unknown file anyway, I won't use AppGuard.
     
    Last edited: Sep 28, 2011
  6. chris1341

    chris1341 Guest

    AppGuard prevents or restricts (depending on settings) execution of unguarded apps or executable files from User Space. How is that preventing you downloading lyrics and subtitles?
     
  7. zakazak

    zakazak Registered Member

    Joined:
    Sep 20, 2010
    Posts:
    523
    I thought it would block the execution of everything I download with protected apps.. and in case of foobar/mpc it downloads the lyrics/subtitles to their temp folder and then the app tries to execute it.
     
  8. justenough

    justenough Registered Member

    Joined:
    May 13, 2010
    Posts:
    1,509
    I found this comment about AppGuard and Sandboxie at a user's review of AppGuard at CNET. Does this make sense to anyone? He's saying that 'stealth methods' work against them:
    "I find humor as a software engineer and veteran security-researcher, that security solutions like this and Sandboxie hook/detour/underprivilege most syscalls on a platform, but still get logic-bombed out of with a single call to LoadLibraryA and VirtualProtectEx by VB and .NET 'malware' written by children (literally in most cases), which you can use from D.O.D. grade privileges in any process. What's sad is stealth methods that worked on them 3 years ago work today, but the authors and end-users have officially labeled it 'not a hole'."
     
  9. chris1341

    chris1341 Guest

    Ok. Depends what it is then. If they are files that foobar or mpc execute, or more likely read, then there should be no issue as long as foobar & mpc are guarded. If they are executable files in their own right then you would have a problem. I doubt they are though, more likely data files used by the apps you mention.

    AppGuard does not prevent opening/reading of files in user space, just the running of executables like software installers etc (and malware of course :) ). It does stop guarded apps reading or writing to system space, so sometimes if a guarded app needs access to files/resources elsewhere you need to add some exception, but I'm not sure this would be the case on those 2, certainly not for mpc which works flawlessly guarded for me.

    If you do have issues you could always try adding the publisher of the software to the trusted list when running in the default mode (High?).

    I notice you are running CIS. You can get very similar anti-execution functionality to AppGuard (with a wider scope and a whitelist) by changing the Execution settings in CIS to 'block', rather than limited or whatever the default is.

    Cheers
     
  10. zakazak

    zakazak Registered Member

    Joined:
    Sep 20, 2010
    Posts:
    523
    Hmm, you are right.. if I change it to blocked, every unknown/not whitelisted file won't be able to run. But I guess I would rather choose:

    So I can still run them but they can't really do anything to the system.
     
  11. chris1341

    chris1341 Guest

    Understood, I guess you have more faith in Comodo's whitelist than me! :D Only joking Comodo fans!

    AppGuard is great in lock-down mode for me because I know it is straightforward. Nothing executes in user space unless I reduce the level and thereby allow it. Some will find this restrictive and I understand why, but it suits me.

    Seen this before in a number of places, not only CNET, but I'm unaware of a single SBIE POC Tzuk has not fixed. If memory serves, the author was challenged to produce such a bypass and declined to do so, maybe even on this forum? If it was that simple I would have thought there would be many instances out there. Maybe not. Until I see it I'll write it off as shameless trolling.

    Cheers
     
  12. justenough

    justenough Registered Member

    Joined:
    May 13, 2010
    Posts:
    1,509
    Thanks chris1341, that's what I suspected, since we would have heard if these programs were being bypassed.
     
  13. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,279
    Location:
    UK
    For anybody who likes the idea of virtualization but doesn't want to use an application sandbox, I've found AppGuard to work well in conjunction with a lightweight virtualization application such as Returnil or Shadow Defender. I've been using a combination of AppGuard and Shadow Defender alongside Comodo Firewall with Defense+ enabled without experiencing any conflicts or performance issues.

    The combination of system-wide virtualization and policy restriction provides strong security without the necessity to run a real-time antivirus. In the unlikely event of something bypassing AppGuard, a system reboot should ensure a perfect cleanup. Occasional supplementary on-demand scans of the file system with a free anti-virus/anti-malware program should be more than enough.

    The main risk of relying solely on a lightweight virtualization program on its own is the risk of data theft should malware be running on the virtual system. This is where the Privacy Mode feature of AppGuard can help to secure folders containing confidential private information.

    With this configuration, if online banking and shopping is also a concern there are a couple of additional precautions that can be adopted. Reboot the virtual system in order to ensure that the system is clean prior to banking or shopping online and/or use a browser protection utility such as Trusteer Rapport or Prevx SafeOnline to secure the browser session.
     
  14. kjdemuth

    kjdemuth Registered Member

    Joined:
    Jul 29, 2005
    Posts:
    2,960
    Location:
    Boston, MA
    The only reason that I hesitate to use a light virt software is updating software and the "whoops, I forgot to commit that file" issue. I would like to use Shadow Defender, Comodo firewall and Prevx SafeZone. I believe that would be a solid combo. My Sandboxie license is up in a few more months; I may have to try out a few of these combos. I might make the great leap into the No AV club.
     
  15. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,279
    Location:
    UK
    What I did was to put all of my data files onto a separate data partition and also moved my Firefox and Thunderbird profiles to the data partition. This also helps when making and restoring system images. Any remaining folders on the system partition for which changes need to be regularly saved can then be added to the Shadow Defender Exclusion or Commit Now lists. (The paid version of Returnil has a similar auto-save feature which allows for scheduled file and folder exclusions.)

    I keep the system partition permanently in Shadow Mode, except for a routine maintenance slot where I apply system updates. The data partition is not normally virtualized unless I am engaging in some higher risk activity: For example, general web browsing where I might temporarily put the data partition into Shadow Mode to protect the Firefox profile. Preventing read-access to private confidential data while surfing the Internet is nicely handled by AppGuard's Private Folders feature.

    If you don't mind running a paid real-time AV and haven't already tried it, the new Webroot SecureAnywhere beta looks promising. It's very lightweight and has a browser Identity Shield, which is the replacement for Prevx SafeOnline. It also has a lightweight firewall, which is compatible with other firewalls. (For people who prefer using the Windows firewall, it provides a way to add effective outbound application control.) The beta causes my system to hang while saving settings on reboot so it isn't currently installed; but if that's resolved by the time it's released, I will consider adding it to the mix, mainly for the increased browser security.
     
  16. TheMozart

    TheMozart Former Poster

    Joined:
    Jan 6, 2010
    Posts:
    1,486
    Shame they don't have a FREEWARE version of AppGuard :'(
     
  17. zakazak

    zakazak Registered Member

    Joined:
    Sep 20, 2010
    Posts:
    523
    @themozart: indeed... Yesterday I did some malware tests with 50-60 0-day malware files/links.. although my setup (CIS + Mbam Pro) blocked everything except one file, it still made me think about how useful AppGuard would be and how greatly it would increase the protection. But you can't even add a coupon code on their site to get it cheaper :p and I'm not even sure if it is a lifetime license?

    here is a link so we can maybe get it cheaper:
    http://www.bitsdujour.com/suggest/suggest=1071/

    and here is something i suggested :D
    http://www.bitsdujour.com/suggest/suggest=1254/
     
  18. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,039
    Appguard is great, and is worth the money. Not sure what they could take out to make it free and also useful.

    I use Appguard with Sandboxie, and feel very secure.

    Pete
     
  19. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    I took the No AV leap over a yr ago and what a difference in performance. From time to time I will run an AV just to test or beta test; other than that, none.

    I would never give up Sandboxie for AppGuard, but the addition of it would probably be a rock solid combo. :thumb:
     
  20. kjdemuth

    kjdemuth Registered Member

    Joined:
    Jul 29, 2005
    Posts:
    2,960
    Location:
    Boston, MA
    I'm really thinking about it. Since I'm still running 32bit and only have 2gb mem on an old laptop, I have a lot of choices. I know that Sandboxie is always the first choice and maybe Shadow Defender to go with it. Maybe even Sandboxie and Comodo firewall with D+ on untrusted. I tend to worry too much about keyloggers getting into the system and grabbing something before a reboot or sandbox dump. I'll have to start testing things and trying different software and see what fits.
     
  21. zakazak

    zakazak Registered Member

    Joined:
    Sep 20, 2010
    Posts:
    523
    I just downloaded and installed Appguard. Comodo doesn't have it whitelisted and also windows (win7 prof.) itself gave me a warning that this application is trying to install an untrusted driver.

    Is that normal? :eek:
     
  22. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    I assume you are, but I will ask anyways: are you sure it's official Blue Ridge Networks, and is it SmartScreen that's giving you an untrusted driver? I had AppGuard installed on a Win7 laptop and don't recall any warnings.
     
  23. zakazak

    zakazak Registered Member

    Joined:
    Sep 20, 2010
    Posts:
    523
  24. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    Yep, lots of choices with or without resident scanners. You can try SpyShelter: excellent keylogger protection and light.
     
  25. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    Don't know then. Like I said, I don't recall seeing that. Perhaps others can shed some light.
     