AppGuard question

Discussion in 'other anti-malware software' started by Arcanez, Oct 30, 2011.

Thread Status:
Not open for further replies.
  1. Arcanez

    Arcanez Registered Member

    Joined:
    Oct 5, 2011
    Posts:
    396
    Location:
    Event Horizon
    Hey there,

    I'm kinda new to this software and there are a couple of things I don't understand. When I installed it, it was set to "high", so I guess that is the default setting for AppGuard. I'm currently running it in Locked Down mode and have added my legit programs to the guarded list; however, some programs don't launch in Locked Down mode although I added them to the guarded list, such as Process Explorer. I set all protections of Process Explorer to "no". Another example is EMET. I also added it to the guarded list, but it won't start in Locked Down mode.

    Also, I don't really get how it should protect you when, let's say, you download software that you think is legit, but you downloaded it from a foreign source and the file is a dropper, but you don't know that, obviously. So you want to install that "legit" software and set your AppGuard to "install mode". Then you install the software and it unleashes the malware during the setup process. I mean, AppGuard is turned off. So I don't really get how it should protect you. When you want to install something, you just have to turn AppGuard off. I don't get it...

    For me, the only point that makes sense is denying malware execution from other sources like PDF files etc...

    Also, I don't get the whole user space / system space thing. AppGuard says that non-admin users can save files to user space locations, which is pretty much the C drive and user folders for me, but I can just as well save files to my whole D drive and anywhere else as a standard user.

    Do I have to set it up correctly first? Can anyone explain the correct usage of AppGuard? Or are there any good tutorials out there further explaining the usage of that program? Please enlighten me.
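A way to test the user-space question from the post above for yourself. This is an added example in PowerShell, not code from the thread or from AppGuard: AppGuard's own description, as quoted in the post, defines user space as the locations a non-admin user can save files to, so the most honest test is to try creating something there. The candidate folder list (the D:\ entry in particular) is an assumption to adjust; run it from a non-elevated prompt, since an administrator token writes almost everywhere and tells you nothing.

```powershell
# Added example (not from the thread or from AppGuard): probe which folders a
# standard user can really write to. Under AppGuard's definition, anything that
# passes this test is user space, whichever drive letter it sits on.

function Test-IsElevated {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-UserWritable {
    param([Parameter(Mandatory)][string]$Directory)
    if (-not (Test-Path -LiteralPath $Directory -PathType Container)) { return $null }
    $probeDir = Join-Path $Directory ('agprobe-' + [guid]::NewGuid().ToString('N'))
    try {
        # A standard user may be allowed to create a folder but not a file at a given
        # level (the root of C:\ is the classic case), so probe both: a folder, then a
        # file inside it.
        New-Item -ItemType Directory -Path $probeDir -ErrorAction Stop | Out-Null
        New-Item -ItemType File -Path (Join-Path $probeDir 'probe.tmp') -ErrorAction Stop | Out-Null
        return $true
    } catch {
        return $false
    } finally {
        if (Test-Path -LiteralPath $probeDir) {
            Remove-Item -LiteralPath $probeDir -Recurse -Force -ErrorAction SilentlyContinue
        }
    }
}

if (Test-IsElevated) {
    Write-Warning 'This prompt is elevated; re-run from a plain PowerShell window to see what a standard user can do.'
}

# Assumed candidate list; D:\ stands in for the second volume mentioned in the post.
$candidates = @(
    $env:USERPROFILE,
    $env:TEMP,
    "$env:SystemDrive\",
    $env:ProgramFiles,
    "$env:windir\System32",
    'D:\'
)

foreach ($dir in $candidates) {
    $writable = Test-UserWritable -Directory $dir
    $label = 'not present'
    if ($writable -eq $true)  { $label = 'user space (standard user can write)' }
    if ($writable -eq $false) { $label = 'system space (write denied)' }
    '{0,-32} {1}' -f $dir, $label
}
```

On a default install the profile, TEMP and the root of C:\ pass while Program Files and System32 fail; a second NTFS volume you formatted yourself normally grants Authenticated Users modify rights at its root, which is why D:\ shows up as user space too. That matches the observation in the post rather than contradicting AppGuard's definition.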
     
  2. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    New to AppGuard myself, but all my programs open in Locked Down mode, so not sure why your programs will not launch. I know in Locked Down I can't install or uninstall existing programs, but I can still use their functions.


    As far as protection goes, it's not meant to be a resident scanner for detecting malware but a prevention of any unwanted changes to the default areas and user space. Think of it as a default-deny policy: nothing executes without your say-so.

    Try to open the application in Install mode and then put it back in Locked Down and see if it helps any. Maybe the AppGuard experts can help, or a tutorial would be nice.
     
    Last edited: Oct 30, 2011
  3. Arcanez

    Arcanez Registered Member

    Joined:
    Oct 5, 2011
    Posts:
    396
    Location:
    Event Horizon
    OK, figured it out, at least for Process Explorer. The executable file creates another executable on launch, which is basically an x64 file, and I just had to put them both on the guarded list and it works now. But EMET, for example, still does not show up, but I guess EMET itself works properly, because my browser shows the EMET.dll in Process Explorer... However, I can't get the EMET GUI to run in Locked Down mode. But that's actually not a big deal at all....

    Maybe it's simply not possible to run EMET with restricted rights, as would be the case when running in guarded mode. I don't configure it hourly anyway, so I won't need the EMET GUI very often.
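The Process Explorer case above, as an added example (PowerShell 3 or later; not code from the thread, from Sysinternals or from AppGuard): launch a program, wait briefly, then list every process it spawned with its image path, so each dropped or spawned executable can be given its own guarded-list entry. The path to procexp.exe is an assumption, and the thread does not say where the 64-bit copy is written; the script simply reports whatever it finds.

```powershell
# Added example: launch an executable, wait briefly, then walk its process tree
# and report each image path. Use it to find helpers a guarded program spawns
# (Process Explorer's 64-bit copy in the thread) that need their own entry.

function Get-LaunchedImages {
    param(
        [Parameter(Mandatory)][string]$Exe,   # assumed path, e.g. 'C:\Tools\procexp.exe'
        [int]$SettleSeconds = 5               # time for the launcher to drop and start helpers
    )
    $root = Start-Process -FilePath $Exe -PassThru
    Start-Sleep -Seconds $SettleSeconds

    # One snapshot of all processes; ParentProcessId survives even if the launcher
    # has already exited, so its children are still found.
    $all   = Get-CimInstance -ClassName Win32_Process
    $seen  = @{}
    $queue = New-Object System.Collections.Queue
    $queue.Enqueue([int]$root.Id)

    while ($queue.Count -gt 0) {
        $id = $queue.Dequeue()
        if ($seen.ContainsKey($id)) { continue }
        $seen[$id] = $true

        $p = $all | Where-Object ProcessId -eq $id
        if ($p) {
            $path = $p.ExecutablePath
            [pscustomobject]@{
                Pid       = $id
                Parent    = $p.ParentProcessId
                Image     = $path
                # An image under the profile or TEMP was written at run time: it is a
                # second file that needs its own guarded-list entry, not just the launcher.
                UserSpace = ($path -like "$env:USERPROFILE\*" -or $path -like "$env:TEMP\*")
            }
        }
        foreach ($child in ($all | Where-Object ParentProcessId -eq $id)) {
            $queue.Enqueue([int]$child.ProcessId)
        }
    }
}

Get-LaunchedImages -Exe 'C:\Tools\procexp.exe' | Format-Table -AutoSize
```

Run it once with AppGuard in Install mode (or off) so the helper is actually allowed to start and show up in the table; in Locked Down mode the helper launch is exactly what gets blocked, which is why the GUI never appeared in the first place. A helper that lands in a user-space folder with a fresh name each launch will need a folder exception rather than a single file entry.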
     
  4. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    Good news, glad you got it :thumb: It can be a PITA to get everything working, but once you do, its protection is strong.
     
  5. Arcanez

    Arcanez Registered Member

    Joined:
    Oct 5, 2011
    Posts:
    396
    Location:
    Event Horizon
    Does it actually make sense to use EMET along with AppGuard, or would that just be too much / not really needed? Currently testing, and they do work together; however, not sure if that's really necessary.
     
  6. 1000db

    1000db Registered Member

    Joined:
    Jan 9, 2009
    Posts:
    718
    Location:
    Missouri
    EMET should not be run as a guarded application at all. To my knowledge, EMET forces the OS to use certain protections to prevent exploits. I don't know if EMET is too much overlap, as it is a specialized type of protection.

    To comment on your original question: one of the weak points of AppGuard is that you have to drop your defenses to install programs. AG works great for me since I don't download a lot of apps, nor do I allow those who use my computer to do so either. I would recommend using a traditional blacklist AV scanner with AG to check the files you download and intend to install. As an alternative, you could also upload your files to VirusTotal or the like to check them.
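The pre-install check 1000db recommends, as an added example (PowerShell 4 or later for Get-FileHash; not code from the thread, from AppGuard or from VirusTotal): before switching AppGuard to Install mode, compare the download's SHA-256 with a hash the vendor publishes, inspect its Authenticode signature, and optionally look the hash up on VirusTotal without uploading the file. The VirusTotal call uses the v3 `files/{sha256}` endpoint and `x-apikey` header as I know them; the API key, the file path and the reference hash are assumptions.

```powershell
# Added example: a go/no-go check for a downloaded installer before AppGuard is
# dropped to Install mode. Not code from the thread, from AppGuard or from VirusTotal.

function Test-DownloadBeforeInstall {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$ExpectedSha256,      # hash published by the vendor, if any
        [string]$VirusTotalApiKey     # optional; lookup by hash only, nothing is uploaded
    )
    $hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    $sig  = Get-AuthenticodeSignature -FilePath $Path

    $hashOk = $null                                   # $null = no reference hash to compare
    if ($ExpectedSha256) { $hashOk = ($hash -ieq $ExpectedSha256) }

    $report = [ordered]@{
        File        = $Path
        Sha256      = $hash
        HashMatches = $hashOk
        SigStatus   = $sig.Status                     # Valid, NotSigned, HashMismatch, ...
        Signer      = $null
        VtMalicious = 'not checked'
    }
    if ($sig.SignerCertificate) { $report.Signer = $sig.SignerCertificate.Subject }

    $vtBad = $false
    if ($VirusTotalApiKey) {
        try {
            $vt = Invoke-RestMethod -Method Get `
                -Uri "https://www.virustotal.com/api/v3/files/$hash" `
                -Headers @{ 'x-apikey' = $VirusTotalApiKey }
            $report.VtMalicious = [int]$vt.data.attributes.last_analysis_stats.malicious
            $vtBad = $report.VtMalicious -gt 0
        } catch {
            # A 404 means VirusTotal has never seen this hash. That is "unknown", not
            # "clean", and it is exactly what a freshly built dropper looks like.
            $report.VtMalicious = 'unknown hash or lookup failed'
        }
    }

    # A valid signature only tells you who signed the file, not that it is benign;
    # it is one input to the decision alongside the hash and the reputation lookup.
    $report.OkToInstall = ($sig.Status -eq 'Valid') -and ($hashOk -ne $false) -and (-not $vtBad)
    [pscustomobject]$report
}

# Assumed inputs; add -ExpectedSha256 when the vendor publishes a hash and
# -VirusTotalApiKey to enable the hash lookup.
Test-DownloadBeforeInstall -Path 'C:\Users\Me\Downloads\setup.exe' | Format-List
```

Treat OkToInstall as a gate, not a verdict: an unsigned installer from a vendor that never signs is a judgement call, and a signed one from a publisher you do not recognise is still a reason to stop before flipping AppGuard into Install mode.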
     
  7. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    or HitmanPro ;)
     
  8. Arcanez

    Arcanez Registered Member

    Joined:
    Oct 5, 2011
    Posts:
    396
    Location:
    Event Horizon
    But what would you say to running EMET and AppGuard at the same time? Does that make sense, actually? Those programs work very similarly, I guess. EMET, for example, is capable of denying exploits like PDF exploits or Flash Player etc., whatever... AppGuard, however, simply does not allow any program execution at all. So is it recommended to use one or the other, or does it make sense to use them both in a single security setup?
     
  9. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    AppGuard in High or Locked Down is all you need, champ :thumb: :thumb:
     
  10. Arcanez

    Arcanez Registered Member

    Joined:
    Oct 5, 2011
    Posts:
    396
    Location:
    Event Horizon
    Noticed something really weird when trying to open PDF attachments directly from emails. I use the Opera browser and PDF-XChange Viewer. So when trying to open a PDF directly from an email, Opera somehow freezes, not giving any further response. The PDF reader doesn't even start. Task Manager can't be opened, nor can I start any other programs when this happens. I guess opening that PDF from the email attachment + AppGuard causes a whole system freeze. Pressing the reset button on my PC case is the only thing I can do then.

    However, first saving the PDF to the desktop or somewhere else and then opening it works just normally....

    Opera and the PDF reader are guarded programs (running in Locked Down mode).
     
  11. chris1341

    chris1341 Guest

    This is not an issue for me with AppGuard in Locked Down mode, albeit with a different browser and PDF reader. It might be because the browser tries to use another unguarded process to invoke the PDF viewer rather than a direct launch of the viewer, as will happen when you have downloaded the attachment.

    Can you try it with the AppGuard GUI open to see what, if any, blocking events are noted? Sometimes it is just a matter of giving guarded apps access to certain files/folders that by default are not classified as user space, or adding a MemoryGuard exception.

    If not, can you also try it with AppGuard set to 'High' rather than Locked Down, with the PDF developer added to the trusted publishers list, to try to narrow it down?

    Thanks
     
  12. Arcanez

    Arcanez Registered Member

    Joined:
    Oct 5, 2011
    Posts:
    396
    Location:
    Event Horizon
    OK, seems like AppGuard doesn't cause that crash, because I tested the PDF attachment with AppGuard turned off and Opera/PDF-XChange Viewer crashed/froze again.

    EDIT:

    OK, just to get that out of the way: I had to install a browser plugin for PDF-XChange Viewer in order to directly open PDF files from the browser. I had disabled that plugin during the install process of the PDF reader because the plugin was called "Mozilla plugin". I thought that was only for Firefox, but when you click on it, it is for Opera and other browsers as well. :p
     
    Last edited: Nov 1, 2011