AppGuard vs. Voodooshield or NoVirusThanks EXE Radar Pro

Discussion in 'other anti-malware software' started by micrei, Jun 23, 2015.

  1. micrei

    micrei Registered Member

    Joined:
    May 3, 2009
    Posts:
    12
    Hello,
    I'm looking for a second security layer for my PC (first defense is Sandboxie). I read that a lot of you guys are fans of AppGuard. But since AppGuard only protects system space doesn't it make more sense to use programs like VS or NVT ERP that can protect all data?
    Do you think that AppGuard offers a better protection or that the other programs can be bypassed easier by malware than AppGuard or what's the advantage of using AppGuard compared to the other programs?
    Thank you!
    Michael
     
  2. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,039
    Hi Michael

    1. What else needs protecting but system space?

    2. I run SBIE, Appguard, and ERP.

    Pete
     
  3. Overkill

    Overkill Registered Member

    Joined:
    Mar 16, 2012
    Posts:
    2,129
    Location:
    USA
    Awesome thread. My first defense is sbie as well and it does a great job! I prefer NVTERP over VS and AG...I think it's just as powerful (or close to it).
     
  4. Baldrick

    Baldrick Registered Member

    Joined:
    May 11, 2002
    Posts:
    2,299
    Location:
    South Wales, UK
    From what I know of NVTERP it does a good job but I do not think that it is as simple to use as VS nor as configurable...but that is just my view. I think that it would be worth trying all options out as a trial and seeing which one suits best.

    Regards, Baldrick
     
  5. digmor crusher

    digmor crusher Registered Member

    Joined:
    Jul 6, 2012
    Posts:
    422
    Location:
    Canada
    It's been a while since I tried VS but from what I remember I think NVTERP was simpler to use.
     
  6. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    4,947
    Location:
    USA
    AppGuard does not only protect System Space; AppGuard protects all the user-space as well. AppGuard has several protection features that whitelisting Anti-executable software does not have. AppGuard uses policy enforcement to prevent guarded applications (web facing applications) from writing to the System Space, and Program Files Folders. Guarded applications are also not able to read, and write to the memory of other applications unless you make an exception in the settings to allow it. This really makes a big difference when sandboxing applications in the user-space to contain a malicious threat. AppGuard only allows signed executables to execute in the user-space in Medium Mode of protection. In Locked-Down Mode of protection AG only allows Guarded Applications to execute in the user-space. I have made a request that AG give an option to only allow signed applications on the Trusted Publisher's List to execute in Medium Mode of protection in the user-space so I think you will see that in the next version of AG. AG also has registry, and .dll protection as well. I've been beta testing AG since first alpha builds so if you have any questions then feel free to ask. I should be able to answer most questions.
     
  7. micrei

    micrei Registered Member

    Joined:
    May 3, 2009
    Posts:
    12
    I have lots of photos, videos, documents and some programs in user space. I don't want e.g. Cryptolocker to decrypt all these files or any malware to delete/manipulate the stuff I have in user space. I think I can protect the files by AppGuard (making private folders etc.) but protecting all files on my PC by default would be more convenient.
     
  8. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    4,947
    Location:
    USA
    Yes, you can make those folders private in AG settings, and not allow other applications access to those folders. It's easy to do.
     
  9. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    4,947
    Location:
    USA
    I've used AppGuard with VoodooShield, and NVT ERP without any problems. You may want to try using AppGuard with VoodooShield, or NVT ERP. Either one would make a good combo. There will be a lot of overlapping in protection though.
     
  10. micrei

    micrei Registered Member

    Joined:
    May 3, 2009
    Posts:
    12
    @Cutting_Edgetech:
    Ok, I see your point. But as a layman I find the concept of AppGuard quite confusing. I mean what an application is allowed to do or not to do depends on so many factors: is it installed in system space or user space, is it added to the guarded apps or not, is the privacy setting turned on or off, is memguard turned on or off, is it added to the publishers' list or not, is it digitally signed or not, is the protection level set to install, to medium or to locked down etc.
    Although I read AppGuard's manual and also Pegr's guide to AppGuard I still don't really understand how to configure AppGuard for best protection.
    What I miss is a simple guide. E.g. for optimal protection do this:
    Step 1: Install all programs in system space. Step 2: Add all programs in system space to guarded apps. Step 3: Turn privacy and memguard on for all guarded apps. Step 4: Make private folder for all important documents/files in user space...

    You mentioned that AppGuard only allows signed applications to execute in user space. Isn't there malware that uses fake digital signatures? An anti-executable would stop those malware because it's not white-listed.
     
  11. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,279
    Location:
    UK
    Hi micrei,

    I know you've addressed your reply directly to Cutting_Edgetech, but I hope you and he don't mind if I add a few comments of my own.

    1. AppGuard assumes that system space is where programs are running from and that user space is where user data is held. AppGuard works best if programs are installed into system space, so do this wherever possible.

    2. Do not add all programs in system space to guarded apps. Security programs and system utilities should not be guarded or they will be prevented from working properly. Programs that should be guarded are those applications vulnerable to being used to exploit the system, and which should not be trusted. This includes Internet-facing applications (browsers, email clients, etc) and applications used to load documents that can contain embedded code (office applications, media players, document readers, etc).

    3. The default for programs added to the guarded apps list is that MemoryGuard flags will be set to On and the Privacy flag set to Off. All programs running from user space (where allowed) without an explicit entry in the guarded apps list will automatically be guarded and MemoryGuard and Privacy mode will both apply. Of the default programs already in the list, only browsers have the Privacy flag set to On. If the Privacy flag is set to On for all guarded apps, they will not be able to create or access their data files in private folders.

    4. It is a good idea to put ALL personal data files in user space into private folders. There is no disadvantage to doing this and it provides protection against ransomware introduced via the browser. For normal web browsing, browsers should run in privacy mode as they have no legitimate reason to access personal data.

    5. AppGuard only allows signed applications to execute in user space if running at the Medium protection level. At the Locked Down protection level, no applications are allowed to run from user space unless they are explicitly added to the guarded apps list. Personally, I prefer the Locked Down protection level because it's more secure. However, something to bear in mind is that some signed program automatic updates that would be allowed at the Medium protection level may be prevented at the Locked Down protection level. It's a trade-off between convenience and security.

    Regards
    pegr
     
    Last edited: Jun 24, 2015
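    The rules pegr lays out in points 3 to 5 (and Cutting_Edgetech's description of what guarded apps may touch in post #6) combine into a small decision table, and it is easier to see the Medium vs Locked Down trade-off and the Privacy-flag effect by running through it. The model below is an added illustration written for this thread; it is not AppGuard's code, and the system-space roots, the rule ordering, the sample policy and the sample programs are assumptions of the model that the real product may not share.

```python
# Illustrative model of the AppGuard rules described in this thread (posts #6 and #11).
# Added example: not AppGuard's code. The path roots, rule ordering, sample policy
# and sample programs below are assumptions of the model; the product may differ.
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional, Tuple


class Level(Enum):
    MEDIUM = "medium"            # signed user-space executables may run
    LOCKED_DOWN = "locked_down"  # only listed guarded apps may run from user space


@dataclass(frozen=True)
class GuardedApp:
    name: str
    memory_guard: bool = True  # list default per post #11, point 3
    privacy: bool = False      # list default; browsers have it On


@dataclass(frozen=True)
class Program:
    name: str
    path: str
    signed: bool


@dataclass
class Policy:
    level: Level
    guarded: Dict[str, GuardedApp]
    private_folders: Tuple[str, ...]
    # assumed system-space roots; the real product's definition may differ
    system_space: Tuple[str, ...] = (r"C:\Windows", r"C:\Program Files")


def _under(path: str, roots: Tuple[str, ...]) -> bool:
    """Case-insensitive 'path lies beneath one of roots' check."""
    p = path.lower().rstrip("\\") + "\\"
    return any(p.startswith(r.lower().rstrip("\\") + "\\") for r in roots)


def execution_allowed(policy: Policy, prog: Program) -> Tuple[bool, str]:
    """Point 5: may this program start at all?"""
    if _under(prog.path, policy.system_space):
        return True, "system space: execution not restricted"
    if prog.name in policy.guarded:
        return True, "user space: explicitly listed guarded app"
    if policy.level is Level.LOCKED_DOWN:
        return False, "user space: blocked at Locked Down (not in guarded list)"
    if prog.signed:
        return True, "user space: signed executable allowed at Medium"
    return False, "user space: unsigned executable blocked at Medium"


def effective_guard(policy: Policy, prog: Program) -> Optional[GuardedApp]:
    """Point 3: which MemoryGuard/Privacy flags apply once a program is running."""
    if prog.name in policy.guarded:
        return policy.guarded[prog.name]
    if not _under(prog.path, policy.system_space):
        # user-space program with no list entry: auto-guarded, both flags On
        return GuardedApp(prog.name, memory_guard=True, privacy=True)
    return None  # unlisted system-space program (e.g. security tools): unguarded


def file_write_allowed(policy: Policy, prog: Program, target: str) -> Tuple[bool, str]:
    """Post #6 and points 3-4: may a running program write to this path?"""
    guard = effective_guard(policy, prog)
    if guard is None:
        return True, "unguarded program: no restriction modelled"
    if _under(target, policy.system_space):
        return False, "guarded app may not write to system space or Program Files"
    if guard.privacy and _under(target, policy.private_folders):
        return False, "guarded app in privacy mode may not access private folders"
    return True, "guarded app may write to ordinary user-space location"


def memory_access_allowed(policy: Policy, prog: Program) -> Tuple[bool, str]:
    """Post #6: may this program read or write another process's memory?"""
    guard = effective_guard(policy, prog)
    if guard is not None and guard.memory_guard:
        return False, "MemoryGuard: guarded app may not touch other processes' memory"
    return True, "no MemoryGuard restriction"


# Constructed sample policy in the shape pegr recommends: browser guarded with
# Privacy On, Word guarded with Privacy Off, personal data in private folders.
SAMPLE_POLICY = Policy(
    level=Level.LOCKED_DOWN,
    guarded={"firefox.exe": GuardedApp("firefox.exe", privacy=True),
             "winword.exe": GuardedApp("winword.exe")},
    private_folders=(r"C:\Users\michael\Documents", r"C:\Users\michael\Pictures"),
)

# Constructed sample programs: a signed executable dropped into Downloads (the
# signed-malware scenario discussed later in the thread) and the guarded browser.
DROPPED = Program("invoice.exe", r"C:\Users\michael\Downloads\invoice.exe", signed=True)
BROWSER = Program("firefox.exe", r"C:\Program Files\Mozilla Firefox\firefox.exe", signed=True)


def compare_levels(prog: Program) -> Dict[str, bool]:
    """Same program at Medium vs Locked Down: the convenience/security trade-off of point 5."""
    return {lvl.value: execution_allowed(
        Policy(lvl, SAMPLE_POLICY.guarded, SAMPLE_POLICY.private_folders), prog)[0]
        for lvl in Level}


if __name__ == "__main__":
    docs = r"C:\Users\michael\Documents\thesis.docx"
    medium = Policy(Level.MEDIUM, SAMPLE_POLICY.guarded, SAMPLE_POLICY.private_folders)
    print("dropped exe may run?", compare_levels(DROPPED))
    print("dropped exe -> Documents at Medium:", file_write_allowed(medium, DROPPED, docs))
    print("browser -> Documents:", file_write_allowed(SAMPLE_POLICY, BROWSER, docs))
    print("browser -> other process memory:", memory_access_allowed(SAMPLE_POLICY, BROWSER))
```

The interesting line in the output is the dropped signed executable: at Medium it is allowed to start, but because it has no list entry it is auto-guarded with Privacy On, so a write into the private Documents folder is refused; at Locked Down it never starts. That is the difference the later posts about signed crypto-malware are arguing over.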
  12. micrei

    micrei Registered Member

    Joined:
    May 3, 2009
    Posts:
    12
    Hi pegr,
    thanks for the info. That was very helpful. I think I'll use AG as second security layer now. :)
     
  13. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,010
    Location:
    The Netherlands
    It also took me a while to figure out how AG exactly works, it was a bit too complex for me. I'm using Sandboxie + ERP, so basically, isolation is done by SBIE, everything that is running inside the sandbox can't touch files outside of it. And ERP controls which apps are allowed to run (also inside the sandbox), no matter where they are launched from. VS also seems to be a bit too aggressive for me.
     
  14. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,279
    Location:
    UK
    You're welcome. :)
     
  15. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,010
    Location:
    The Netherlands
    I forgot to mention that AG also has some HIPS capabilities, as it monitors certain processes. This is an advantage over ERP and VS. But I prefer ERP (simple anti-exe) + advanced HIPS like SpyShelter.
     
  16. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    2,278
    +1
     
  17. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    4,947
    Location:
    USA
    I said AG only allows signed executables to execute from the user-space in Medium Mode of Protection. AG will block signed executables from executing from the user-space in Locked Down Mode of Protection. I have requested that BRN only allow certificates on the Trusted Publisher's List in Medium Mode of protection. The chance of the Malware being signed by one of the certificates the user has on their Trusted Publisher's List would be very slim. Barb informed me they may give an option to do this soon. Everyone thought it would be the smart thing to do. That would allow the user's applications to update in Medium Mode of protection while providing a much higher level of security. AG has videos of Crypto Malware being allowed to execute in the user-space due to being signed, but AG prevented any damage by sandboxing the threat. The Crypto-Malware was not able to encrypt any of the user's files. It's still best not to allow a threat to execute in the first place so I hope they make the change I recommended.
     
    Last edited: Jun 24, 2015
  18. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,694
    Location:
    Zagreb, Croatia
    Yes, that would be great! :)
     
  19. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,060
    Location:
    Netherlands
    AG has an option to specify which vendors you trust, which reduces (as long as you don't include Comodo :argh:) the risk of signed malware to a minimum. Many Anti-Executables don't block DLLs or other loadpoints (e.g. driver through inf file). Don't know whether VS or NVT-ERP block DLL loading. Not looking at DLLs poses a greater risk than the FUD-ded signed malware threat.

    Best answer is already given by Peter2150. When your PC has enough power to push it: go for AG + NVT ERP + SBIE (SBIE is necessary when you use a browser without a sandbox, like Firefox)
     
    Last edited: Jun 24, 2015
  20. Antivirus Tester

    Antivirus Tester Registered Member

    Joined:
    Jun 14, 2015
    Posts:
    6
    Appguard is better
     
  21. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,039
    The trusted list problem is handled by removing all the trusted publishers. I don't trust certificates, so I don't like those lists.
     
  22. digmor crusher

    digmor crusher Registered Member

    Joined:
    Jul 6, 2012
    Posts:
    422
    Location:
    Canada
    Peter, I assume you're talking about the publisher lists in AG, so you remove them all including Google, Microsoft, BlueRidge Networks etc? That doesn't bugger anything up?
     
  23. Securon

    Securon Registered Member

    Joined:
    Jan 11, 2009
    Posts:
    1,935
    Location:
    London On
    Good Evening! I Like AppGuard...a lot...I basically set it and forget it. Now on the other hand I've also used Voodoo Shield...like me it can be a tad aggressive at times. Otherwise it's a Superb App. I Had AppGuard...Voodoo...and WSA Security Plus...in Tandem...Homeland Security at its finest. I know I'll be using the Power of Voodoo...in the not too distant future. You simply can't go wrong with AppGuard. Like the BlackHawks! Sincerely...Securon
     
  24. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,039
    Hi digmor

    I left BRN in there, but that's it. Haven't had any issues, it just can't use trusted publishers, so it treats everything untrusted in that sense which is fine with me. And I run in Lockdown mode.
     
  25. Mister X

    Mister X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    1,763
    Location:
    Mexico
    +1
    I do exactly the same as you... me a bit paranoid? Yes but I "feel" secure.
     