AppGuard & NVT

Would running AppGuard and NVT at the same time be redundant? Or do they serve different purposes?

 

I wish I knew more about NVT. This seems to be a hot topic. I have received so many questions wanting to know if they run well together or what the difference between the two are. I miss my test machines!

 

Thanks Pete! I can't wait to get my test machines back so I can give NVT a try. I've been using AG since 2006 or 07, and understand it pretty well. Hard to remember how long exactly. I guess that's why I get so many PM about AG. Recently users have asked if me if AG, and NVT run well together. I don't have a clue since, and even if they did run well together for me it may not be the case for there particular setup. I know VS will run well with AG, but VS will run well with just about anything since it is compatible with just about anything by design.

 

I am running this combo, but I get a lot of these messages in the Win 7 Application Event Log

Source: Blueridge Appguard
Eventid: 104

Prevented required process <C:\Program Files (x86)\Blue Ridge Networks\AppGuard\AppGuardAgent.exe> from terminating by <c:\program files\novirusthanks\exe radar pro\erpx64svc.exe>.

And yes Appguard is in Whitelist Processes and Trusted Vendors in ERP

 

Overlap AppGuard & NVT
To understand the overlap, I will explain the normal flow of events of intrusion.

1. Code is executed in memory

A lot of data also contains code nowadays. Sometimes this code is dynamic (like Javascript, XML), sometimes embedded (PDF, Flash) or sometimes used to describe the structure or meta data (e.g. images have tiny bits of code to describe the image or its structure), some times data comes with code to select and use it (e.g. SQL code in a relational data base on a website), etc, etc.

No anti-executable will protect you from these starting points of most (nasty) intrusions. We need this code for the user experience of our digital world. Due to sloppy programming and unknown errors in the 'hosting' program itself (e.g. flash running script) complex malware is able to execute arbitrary code and take control over the program while in MEMORY.

AppGuard has a feature called memory protection to protect 'threat gate' programs (e.g. your browser, windows media player connecting to the internet, your e-mail program connecting to the internet) against memory intrusions.

I don't know NVT , so maybe NVT power users can join in and explain NVT's protection on this topic., but normally anti-execution programs don't provide additional memory protection.


2. Code executed from disk: user space

Additional code is executed in your user folders (anything outside Windows & Program files). After the first step, additional code is often downloaded to a user folder. Both AppGuard and NVT will stop downloaded exe files in the user folders (incl USB) from executing. So they overlap here (100%).


3. Code executed from disk: admin space

Surviving re-boot, involves moving code to the Windows & Program Files folders and getting a link/reference of this code in a load point (auto start in the registry, registrating OLE-compontents, etc).

NVT has by default the option enabled to allow execution from Windows and Program Files directories. Paranoid users, disable this default and scan those directories for the existing executables to allow them. NVT looks at EXE's, so (I think) it depends on UAC to protect you from 'bypasses" like changing a DLL or a DLL path, overwriting drivers etc. Anti-Executable of Faronics had protection against illegal DLL loading in the past. Maybe NVT power users can join in and explain NVT's protection on this topic., but NVT in default mode won't protect you here, in Pete's setting it WILL protect you!

AppGuard blocks guarded applications from touching these directories. Since Vista Windows & Program Files are considered 'safe places'. Because UAC will warn you when you want to change something in those safe places. So UAC (for the rest) and AppGuard (guarded applications) will keep these safe places clean for you.

So they don't overlap, but protect in a different way (NVT looks at all exe's, but looks at exe's only, while AG looks at guarded applications only, but isolates them completely). This is why some members use them together. To be honest the synergy (using Pete's setting) is highly theoretical, in practise the malware would have come from a theat gate. In the default mode NVT will auto allow these executables from Program Files


First disclaimer
When you compare Faronics AE with Comodo, the latter will protect you against much more attack vectors (hence its high score in Matousec), but because an Anti_executable like Faronics AE is so clever to protect against one the first attack vectors, it is in practise as effective as Comodo. Comparing a program on its features is useless, some programs concentrate 100% on one attack vector to stop the chain of events, that does not make them less effective as program looking at a lot of attack vectors.

Second disclaimer
Comparing features needs the user context to decide what is best for your personal situation. There are many roads leading to Rome. In the comparison above NVT looks to cover less than AG. But when you use Chrome and adobe reader with its internal low rights sandboxes, those will cover the memory attacks NVT does not guard and NVT with Chrome or IE might be safer as AppGuard with Firefox. Using Noscript on block with FF will block the host (browser) from executing this code in memory, so you are only faced with exploits bypassing memory limitations and now AG+FF+NS is a sound combination. When you add EMET and MBAE, you reduce the risk of exploits bypasses the combo NVT+Chrome+EMET+MBAE is even more effective , etc. etc ...

Third Disclaimer
Considering all the friends NVT has on this forum, it is a good program. Also as a general rule there is nothing wrong with some overlap. Overlap when not causing problems is also a reassurance you have no holes in your defense.

Fourth Disclaimer
Every poster has it preferences, I am a minimalist, using as much security as possible from what is available in Windows itself.

Regards Kees

 

@DX2

You can run both togheter, we received a lot of feedbacks from users that run them togheter without issues. Personally I don't use AG but as I see it protects /guard the memory and prevent processes from touching the disk in specific folders or in specific situations. ERP is used to block any unknown process and allow only trusted and safe processes (and commandlines), so basically it stops an attack from the begin: if you block malware.exe execution, no other events will be needed to be monitored. Some users use also the combo EMET+NOSCRIPT+ERP (because EMET is used to mitigate memory exploits and ERP is used to block payloads/unknown-processes from being executed in the system) or SBIE+NOSCRIPT+ERP, or AG+NOSCRIPT+ERP, etc.

@Windows_Security

True, AEs generally do not guard the memory but are focused in monitoring execution of processes. Anyway, from what I noticed, all exploits in the wild tend to download the payload from a remote website, drop it in temp folder (or any other writeable folder: appdata, user profile, etc) and then execute it or they download a .dll payload and then using regsvr32.exe / rundll32.exe they load the dll in the system. If you test ERP with recent infected links (see MDL) used to exploit Java, Flash, PDF, IE/FF/Chrome, etc vulnerabilities you will see that the payload execution is detected by ERP. As you recommended, you can use AG or/and EMET to guard the memory.

A malware to be able to modify a DLL, driver, etc always needs to be executed in the system, ERP can block it from the start. Regarding DLL injection, a DLL to be injected system-wide needs to be injected from (example) malware.exe that is executed with admin rights or it can be loaded using system processes such as regsvr32.exe / rundll32.exe. ERP has these two processes listed in "Vulnerable Processes", so everytime they are executed with an unknown (not whitelisted) commandline string, the user is prompted to allow/block the execution.

 

@ NoVirusThanks thanks for the explanation.

What I don;t understand of ERP why not add a 'guarded programs option' for e-mail, browser, media players (in short all internet facing software) which has the capabilities of
- Write Process Memory Monitor
- PE Dropper Monitor (with an option to whitelist directories to auto allow downloads and minimise alerts)

Maybe add dll injection protection for these 'guarded' programs to?