Discussion in 'other anti-malware software' started by DX2, Jul 7, 2013.
Would running AppGuard and NVT at the same time be redundant? Or do they serve different purposes?
I run them both and yes, they do serve different purposes.
NVT ERP can keep something unknown from running at all, whereas AppGuard can let a known program run but keep it from touching the system. A good example of that would be Java.
PS: I do run them both.
I wish I knew more about NVT. This seems to be a hot topic. I have received so many questions wanting to know if they run well together or what the difference between the two is. I miss my test machines!
AppGuard is policy-based, but NVT ERP is a traditional anti-executable with some excellent features. For example:
To make life easy I first whitelist everything in Program Files and Windows.
But some things have special requirements. Rundll32 can be a problem, so it is set as a vulnerable exe. This means it will alert in spite of the whitelist. I also set Java as a vulnerable exe, so it always alerts if it runs.
A lot of Rundll things run as command lines, and these can be whitelisted so they don't bother you. Taking it a step further, when Sandboxie closes it uses a command-line string using CMD.exe, which is also defaulted as a vulnerable exe. The problem with Sandboxie's delete command line is that it has a unique number at the end of the string. This number changes every time. So ERP has a wildcard string, and that solves the problem.
The common command-line strings and the common wildcard command-line strings are defaulted into the system at install.
It also has a trusted vendors capability.
Also password protection.
Anyway this gives a flavor of the product.
Thanks Pete! I can't wait to get my test machines back so I can give NVT a try. I've been using AG since 2006 or 07, and understand it pretty well. Hard to remember how long exactly. I guess that's why I get so many PMs about AG. Recently users have asked me if AG and NVT run well together. I don't have a clue, and even if they did run well together for me it may not be the case for their particular setup. I know VS will run well with AG, but VS will run well with just about anything since it is compatible with just about anything by design.
I am running this combo, but I get a lot of these messages in the Win 7 Application Event Log
Source: Blueridge Appguard
Prevented required process <C:\Program Files (x86)\Blue Ridge Networks\AppGuard\AppGuardAgent.exe> from terminating by <c:\program files\novirusthanks\exe radar pro\erpx64svc.exe>.
And yes, AppGuard is in Whitelist Processes and Trusted Vendors in ERP.
Overlap AppGuard & NVT
To understand the overlap, I will explain the normal flow of events of intrusion.
1. Code is executed in memory
No anti-executable will protect you from these starting points of most (nasty) intrusions. We need this code for the user experience of our digital world. Due to sloppy programming and unknown errors in the 'hosting' program itself (e.g. Flash running script), complex malware is able to execute arbitrary code and take control over the program while in MEMORY.
AppGuard has a feature called memory protection to protect 'threat gate' programs (e.g. your browser, windows media player connecting to the internet, your e-mail program connecting to the internet) against memory intrusions.
I don't know NVT, so maybe NVT power users can join in and explain NVT's protection on this topic, but normally anti-execution programs don't provide additional memory protection.
2. Code executed from disk: user space
Additional code is executed in your user folders (anything outside Windows & Program Files). After the first step, additional code is often downloaded to a user folder. Both AppGuard and NVT will stop downloaded exe files in the user folders (incl. USB) from executing. So they overlap here (100%).
3. Code executed from disk: admin space
Surviving a reboot involves moving code to the Windows & Program Files folders and getting a link/reference to this code in a load point (autostart in the registry, registering OLE components, etc.).
NVT has by default the option enabled to allow execution from the Windows and Program Files directories. Paranoid users disable this default and scan those directories for the existing executables to allow them. NVT looks at EXEs, so (I think) it depends on UAC to protect you from 'bypasses' like changing a DLL or a DLL path, overwriting drivers, etc. Anti-Executable of Faronics had protection against illegal DLL loading in the past. Maybe NVT power users can join in and explain NVT's protection on this topic, but NVT in default mode won't protect you here; in Pete's setting it WILL protect you!
AppGuard blocks guarded applications from touching these directories. Since Vista, Windows & Program Files are considered 'safe places', because UAC will warn you when you want to change something in those safe places. So UAC (for the rest) and AppGuard (guarded applications) will keep these safe places clean for you.
So they don't overlap, but protect in a different way (NVT looks at all exes, but looks at exes only, while AG looks at guarded applications only, but isolates them completely). This is why some members use them together. To be honest the synergy (using Pete's setting) is highly theoretical; in practice the malware would have come from a threat gate. In the default mode NVT will auto-allow these executables from Program Files.
When you compare Faronics AE with Comodo, the latter will protect you against many more attack vectors (hence its high score in Matousec), but because an anti-executable like Faronics AE is so clever at protecting against one of the first attack vectors, it is in practice as effective as Comodo. Comparing programs on their features is useless; some programs concentrate 100% on one attack vector to stop the chain of events, and that does not make them less effective than a program looking at a lot of attack vectors.
Comparing features needs the user context to decide what is best for your personal situation. There are many roads leading to Rome. In the comparison above NVT looks to cover less than AG. But when you use Chrome and Adobe Reader with their internal low-rights sandboxes, those will cover the memory attacks NVT does not guard, and NVT with Chrome or IE might be safer than AppGuard with Firefox. Using NoScript on block with FF will block the host (browser) from executing this code in memory, so you are only faced with exploits bypassing memory limitations, and now AG+FF+NS is a sound combination. When you add EMET and MBAE, you reduce the risk of exploit bypasses; the combo NVT+Chrome+EMET+MBAE is even more effective, etc. etc. ...
Considering all the friends NVT has on this forum, it is a good program. Also as a general rule there is nothing wrong with some overlap. Overlap when not causing problems is also a reassurance you have no holes in your defense.
Every poster has their preferences; I am a minimalist, using as much security as possible from what is available in Windows itself.
You can run both together; we received a lot of feedback from users that run them together without issues. Personally I don't use AG, but as I see it, it protects/guards the memory and prevents processes from touching the disk in specific folders or in specific situations. ERP is used to block any unknown process and allow only trusted and safe processes (and command lines), so basically it stops an attack from the beginning: if you block malware.exe execution, no other events will need to be monitored. Some users also use the combo EMET+NOSCRIPT+ERP (because EMET is used to mitigate memory exploits and ERP is used to block payloads/unknown processes from being executed in the system) or SBIE+NOSCRIPT+ERP, or AG+NOSCRIPT+ERP, etc.
True, AEs generally do not guard the memory but are focused on monitoring execution of processes. Anyway, from what I noticed, all exploits in the wild tend to download the payload from a remote website, drop it in the temp folder (or any other writeable folder: appdata, user profile, etc.) and then execute it, or they download a .dll payload and then, using regsvr32.exe / rundll32.exe, they load the dll in the system. If you test ERP with recent infected links (see MDL) used to exploit Java, Flash, PDF, IE/FF/Chrome, etc. vulnerabilities, you will see that the payload execution is detected by ERP. As you recommended, you can use AG and/or EMET to guard the memory.
For malware to be able to modify a DLL, driver, etc. it always needs to be executed in the system, and ERP can block it from the start. Regarding DLL injection, a DLL to be injected system-wide needs to be injected from (for example) malware.exe that is executed with admin rights, or it can be loaded using system processes such as regsvr32.exe / rundll32.exe. ERP has these two processes listed in "Vulnerable Processes", so every time they are executed with an unknown (not whitelisted) command-line string, the user is prompted to allow/block the execution.
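Added example (my own code, not NVT's or AppGuard's) modelling the policy Pete described earlier in the thread (whitelist Program Files and Windows, mark rundll32/cmd/java as vulnerable exes that alert regardless of location, whitelist exact and wildcard command lines) and the regsvr32/rundll32 "Vulnerable Processes" handling NoVirusThanks describes just above. The directory list, the Sandboxie-style delete command line, and the sample process-creation events are constructed for the example; ERP's real rule format and matching semantics are not known to me, so fnmatch-style `*` wildcards and the allow/prompt/block outcomes are assumptions.

```python
import fnmatch
import ntpath  # Windows path semantics regardless of the host OS

# Constructed policy approximating the settings described in the thread.
WHITELISTED_DIRS = (
    r"C:\Windows",
    r"C:\Program Files",
    r"C:\Program Files (x86)",
)

# Executables that alert even when they live in a whitelisted directory.
# rundll32/regsvr32/cmd are defaults per the thread; java.exe is Pete's addition.
VULNERABLE_EXES = {"rundll32.exe", "regsvr32.exe", "cmd.exe", "java.exe"}

# Command lines a vulnerable exe may run without a prompt. The second entry is a
# hypothetical stand-in for the Sandboxie delete command line: the trailing
# number changes on every run, so it is matched with a wildcard (assumed syntax).
WHITELISTED_CMDLINES = (
    r'"C:\Windows\System32\rundll32.exe" shell32.dll,Control_RunDLL',
    r'"C:\Windows\System32\cmd.exe" /c rmdir /s /q "C:\Sandbox\*\__Delete_*"',
)


def _normalize(path):
    """Collapse '.'/'..' and lower-case, so C:\\Windows\\..\\Users\\x.exe is not
    mistaken for something under C:\\Windows."""
    return ntpath.normpath(path).lower()


def in_whitelisted_dir(exe_path):
    exe = _normalize(exe_path)
    for root in WHITELISTED_DIRS:
        # require the separator so C:\WindowsEvil does not match C:\Windows
        if exe.startswith(_normalize(root) + "\\"):
            return True
    return False


def cmdline_whitelisted(cmdline):
    cl = cmdline.lower()
    return any(fnmatch.fnmatchcase(cl, p.lower()) for p in WHITELISTED_CMDLINES)


def decide(exe_path, cmdline, lockdown=False):
    """Return 'allow', 'prompt' or 'block' for one process creation.
    lockdown=True models silently blocking instead of asking the user."""
    name = ntpath.basename(_normalize(exe_path))
    unknown = "block" if lockdown else "prompt"
    if name in VULNERABLE_EXES:
        # vulnerable exes are judged on their command line, not their location
        return "allow" if cmdline_whitelisted(cmdline) else unknown
    if in_whitelisted_dir(exe_path):
        return "allow"
    return unknown


# Constructed sample process creations: (image path, command line)
SAMPLE_EVENTS = [
    (r"C:\Windows\System32\notepad.exe", "notepad.exe"),
    (r"C:\Users\me\AppData\Local\Temp\update.exe", "update.exe"),
    (r"C:\Windows\..\Users\me\AppData\Local\Temp\x.exe", "x.exe"),
    (r"C:\Windows\System32\rundll32.exe",
     r'"C:\Windows\System32\rundll32.exe" shell32.dll,Control_RunDLL'),
    (r"C:\Windows\System32\rundll32.exe",
     r'"C:\Windows\System32\rundll32.exe" C:\Users\me\AppData\Local\Temp\p.dll,Start'),
    (r"C:\Windows\System32\cmd.exe",
     r'"C:\Windows\System32\cmd.exe" /c rmdir /s /q "C:\Sandbox\me\__Delete_12345"'),
    (r"C:\Windows\System32\cmd.exe",
     r'"C:\Windows\System32\cmd.exe" /c rmdir /s /q "C:\Sandbox\me\__Delete_67890"'),
    (r"C:\Windows\System32\cmd.exe",
     r'"C:\Windows\System32\cmd.exe" /c powershell -enc AAAA'),
    (r"C:\Program Files\Java\jre7\bin\java.exe",
     r'"C:\Program Files\Java\jre7\bin\java.exe" -jar app.jar'),
]


def run_samples(lockdown=False):
    return [decide(path, cmdline, lockdown) for path, cmdline in SAMPLE_EVENTS]


if __name__ == "__main__":
    for (path, cmdline), verdict in zip(SAMPLE_EVENTS, run_samples()):
        print(f"{verdict:6}  {cmdline}")
```

Two things worth noticing when running it: the rundll32 event that loads a DLL from Temp is prompted even though rundll32.exe itself sits in a whitelisted directory, which is exactly what the "vulnerable exe" treatment buys you, and the Sandboxie-style wildcard allows both numbered delete commands. The caveat is that `*` matches anything, including spaces, quotes and `&`, so a pattern like `__Delete_*` would also pass `__Delete_1" & evil.exe`; keep wildcard entries as narrow as the changing part allows.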
@ NoVirusThanks thanks for the explanation.
What I don't understand about ERP is why not add a 'guarded programs' option for e-mail, browser, media players (in short, all internet-facing software) which has the capabilities of
- Write Process Memory Monitor
- PE Dropper Monitor (with an option to whitelist directories to auto-allow downloads and minimise alerts)
Maybe add DLL injection protection for these 'guarded' programs too?