AppGuard - New Getting Started Tutorial wanted

Discussion in 'other anti-malware software' started by Feandur, Aug 26, 2012.

Thread Status:
Not open for further replies.
  1. Feandur

    Feandur Registered Member

    Joined:
    Jun 15, 2005
    Posts:
    401
    Location:
    Australia
    Any experienced users willing to post a brief "Quick Start Guide" or , as Sandboxie now has done, a "New Getting Started" tutorial with useful tweeks found from their experience to help interested newbie's like me get off the ground with appguard?



    A few dot points even? :doubt:



    Why?

    Well, I'm probably not the only one put off by the apparent endless tweeks [in the appguard post: https://www.wilderssecurity.com/showthread.php?t=294876 ] needed just to get appguard up and running smoothly without conflicts for my kids computer......same way I was put off sandboxie as a bit complicated to set up.

    Don't want to go back to University to have to study and work this blighter just to get it running smoothly.

    Already done? Well I did not find the release notes all that helpful as a quick start guide. http://www.blueridge.com/index.php/products/appguard-information

    Many of my Win 7 computers are just running the usual bread and butter stuff.........NIS, MBAM-pro, spyware blaster [no x64 bit Defence wall :'( ] .....probably same as a million other simple users. Honestly don't know if I want appguard, or just EXE Radar Pro - but just thought appguard would be more set and forget with less pop-ups for the kids [me too :D ] to worry about.

    Anyway, any assistance would be appreciated to help newbies like me get their heads around configuring this blighter in advance of buying / trying this out.

    - have a good day,

    feandur
     
  2. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    See picture 1, 2 and 3

    1. USer-Space tab
    When you have split your harddrive in a programs partition and a data partition, you have to add this data partition to your user space protection (I added my d:\ just in the open box and it will add the drive entirely)

    2. Guarded Apps tab
    When you want to add programs to be guarded
    (I added extract now for instance)

    3. Publishgers tab
    When you want to allow installs and updates from some trusted publishers
    (I Added HitManPro)

    Choose HIGH as normal protection level.
     

    Attached Files:

    Last edited: Aug 26, 2012
  3. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
  4. Feandur

    Feandur Registered Member

    Joined:
    Jun 15, 2005
    Posts:
    401
    Location:
    Australia
    Kees:
    Thank you so much for your trouble and effort - very appreciated! :thumb:

    I'll study this before putting appguard on.

    Thank you again.

    PS:
    Appguard on x64, and DefenseWall on x32 is exactly my line of thinking....

    :thumb:

    - cheers,
    feandur
     
  5. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,279
    Location:
    UK
    1. Introduction

    Before looking at how to customize AppGuard, a few notes on the approach that AppGuard takes to securing the system might be helpful.

    AppGuard looks at the whole computer system as consisting of two parts. There are files, processes, and registry keys forming a sub-system within the whole that must be protected against being compromised by malware. This sub-system is called a trusted enclave. The primary goal of AppGuard is to protect objects within the trusted enclave. Objects that lie outside the trusted enclave may be compromised by malware but they must be prevented from compromising objects within the trusted enclave.

    To enforce this model, AppGuard has some basic concepts.

    1.1. System Space

    System Space consists of objects located within the trusted enclave and contains everything that is not considered to be User Space. System Space includes the Windows and Program Files folders. System Space executables run as Unguarded Applications unless they are explicitly defined as Guarded Applications.

    1.2. User Space

    User Space consists of objects located outside the trusted enclave and contains the current user profile plus any additional partitions. User Space executables automatically run as Guarded Applications except where some are explicitly unguarded by customization.

    1.3. Guarded Applications

    Guarded Applications are untrusted applications that have the potential to compromise the trusted enclave if not restricted on execution. If located in User Space, applications are automatically untrusted and guarded on execution. If located in System Space, applications can be explicitly defined as untrusted and guarded on execution. Applications that should be untrusted include Internet-facing applications and applications that load data files that may contain malicious code.

    Guarded Applications have read/write access to User Space, but read-only access to System Space. Any child process spawned by a Guarded Application will also inherit the same set of restrictions as its parent and run guarded.

    1.4 Unguarded Applications

    Unguarded Applications are trusted applications located within System Space. All applications located within System Space are automatically trusted unless they are explicitly defined as Guarded Applications.

    Unguarded Applications have read/write access to both User Space and System Space.

    1.5. Protection Level

    The Protection Level determines the way in which the various AppGuard features are applied and the degree of restriction and protection that AppGuard provides.

    High is the default. For most users, it represents the best compromise between security and usability for normal use. Medium would normally only be used if High is causing issues. Locked Down is highly restrictive and would normally be used in situations where increased security is required. For many users, Locked Down may be too restrictive for normal use. Install allows protection to be lowered when installing or updating software. Off is self explanatory.


    2. AppGuard Customization

    2.1. Customizing Alerts

    The Alerts panel in the GUI allows the way different types of alerts are handled to be customized and is where blocked events are displayed. Most blocked events are harmless and do not impact the ability of a program to function normally. Future occurrences of a blocked event can be optionally be suppressed from being reported by right clicking on it and creating an Ignore Message rule. An Ignore Message rule does not suppress the blocked event itself: just the reporting and/or logging of it. Wildcards can be used to make Ignore Message rules more generic.

    If it has been decided to make an exception for a blocked event, right-clicking on the event in the Alerts panel and selecting Ignore Message without actually creating a rule enables the full path name to be displayed, which can be helpful in identifying the executable involved.

    2.2. Moving a System Space Folder to User Space

    Where allowed, this involves a two-step procedure. The System Space folder to be moved is added in the User-Space tab, setting the Include flag to Yes in order to guard its executables. The folder is also added in the Guarded Apps tab with the Type flag set to Read/Write in order to unprotect it and allow all guarded executables write access. Windows and Program Files folders may not be moved to User space as they are core components of the trusted enclave.

    2.3. Moving a User Space Folder to System Space

    This also involves a two-step procedure. The User Space folder to be moved is added in the User-Space tab, setting the Include flag to No in order to unguard its executables. The folder is also added in the Guarded Apps tab with the Type flag set to Read Only in order to protect it and prevent any guarded executables from having write access.

    2.4. Unguarding User Space Applications

    By default, User Space executables are untrusted and automatically run as Guarded Applications. In order to override this, a User Space executable or folder can be added in the User-Space tab with the Include flag set to No.

    2.5. Guarding System Space Applications

    By default, System Space executables are trusted and automatically run as Unguarded Applications. In order to override this, applications can be added to the Guarded Apps tab. Separate flags can be set for each Guarded Application that control whether Privacy and MemoryGuard features are enabled. Several untrusted applications are already predefined in the Guarded Applications tab when AppGuard is first installed; others can be manually added later.

    2.6. Creating User Space Private Folders

    A folder in User Space can be made a Private Folder by adding a folder entry in the Guarded Apps Tab and setting the Type flag to Deny Access. This is useful to prevent Guarded Applications such as web browsers from having any access to folders containing confidential data. When the Protection Level is set to High or Medium, Private Folders is only enabled for Guarded Applications where the Privacy flag is set to Yes.

    2.7. Creating User Space Protected Resources

    A folder in User Space can be made a Protected Resource by adding a folder entry in the Guarded Apps tab and setting the Type flag to Read Only. An example use for this might be to prevent write access to an additional partition containing system objects. By default, AppGuard treats additional partitions as an extension of User Space and allows read/write access.

    2.8. Creating System Space Exception Folders

    A folder in System Space can be made an Exception Folder by adding a folder entry in the Guarded Apps tab and setting the Type flag to Read/Write. An example use for this might be to allow write access to Sandboxie’s sandbox folder, which by default is located in System Space. As part of System Space, AppGuard would normally prevent guarded applications from writing to it. As an alternative, the sandbox folder could be moved to an additional partition if there is one, in which case it would automatically be in User Space and no folder exception would be needed.

    2.9. Trusted Publishers

    The Publishers tab enables digitally signed executables from trusted publishers to be run as Unguarded Applications from User Space. This allows software installs and updates to be applied from trusted publishers in the list who sign their executables without having to reduce the Protection Level to Install.

    2.10. Power Applications

    Adding an application to the PowerApps tab means that it will never run as a Guarded Application, even if executed as a child process of a Guarded Application. For this reason, this feature should be used very sparingly only where necessary. Other types of AppGuard exceptions should be considered to resolve issues before adding executables as Power Applications.

    2.11. Miscellaneous Features

    The Advanced tab is where miscellanous features not covered elsewhere can be managed. The feature that is most likely to be customized is MemoryGuard.

    MemoryGuard prevents Guarded Applications from being able to inject code into the memory space of other running applications and vice versa. The Advanced tab is where MemoryGuard exceptions can be made. This should only be done if MemoryGuard blocking events are occurring and only then if MemoryGuard is preventing an application from working correctly. Most MemoryGuard events don’t impact the normal functioning of applications and can usually be ignored.
     
  6. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    good explanation my friend;)
     
  7. HAN

    HAN Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    2,080
    Location:
    USA
    Does AppGuard work with Standard/Limited users? If so, any special things one would need to know?
     
  8. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    it works and nothing especial my friend:)
     
  9. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Admin space protection means that it prevents at kernel level access to disk and registry. Programs launched by guarded application (except the trusted publishers) are also prevented to write to Windows and Programs Files directories and the HKLM hive of the registry. This provides LUA like protection (for selected programs) at kernel level simular to AppGuard. It is a different technique. The MBRGuard implements LUA like protection of the Master Boot record (also implemented differently through a driver).

    User space protection means a deny execute of unsigned programs to user directories and USB drives. This is simular to a deny execute Software Restriction Policy but works more like a deny "traverse folder/execute file" Access Control List settting. Like ACL this also implemented on drive/directory level, so applies for all users and all programs trying to execute in these data directories). It is also a different technique than SRP or ACL.

    Execution space protection means it prevents memory writes which are not following regular 'in process' programming practises. This means that (like dll injection is a normal technique) programs not listed in the default list of guarded programs could dump/terminate unexpectedly. The programs listed by default should work ok, even when you might see some reports of memory write prevention.

    Windows 7 Ultimate is more expensive than Windows 7 Home Premium with AppGuard, while you get simular security goodies (not entirely fair comparison because BitLocker and Windows Image backup is also an extra with Ultimate).

    Regards
     
    Last edited: Aug 27, 2012
  10. Feandur

    Feandur Registered Member

    Joined:
    Jun 15, 2005
    Posts:
    401
    Location:
    Australia
    Pegr:

    Very good background info my friend :thumb:

    thanks all

    - cheers,

    feandur
     
  11. Brandonn2010

    Brandonn2010 Registered Member

    Joined:
    Jan 10, 2011
    Posts:
    1,849
    Kees. How does having Google as set to No on Guarded not prevent malware that comes from Chrome from being installed?
     
  12. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    It does not, good point, picture is wrong
     
Loading...
Thread Status:
Not open for further replies.