AppRanger add in the cloud:)

Discussion in 'other anti-malware software' started by jmonge, Aug 25, 2009.

Thread Status:
Not open for further replies.
  1. appranger

    appranger Registered Member

    acr1956,

    Could it be that something else caused the problem? AppRanger comes with an uninstaller and is easy to remove. As someone else mentioned, you may need a newer version of Chrome. Please let us know as I don't think it is due to AppRanger.
     
  2. appranger

    appranger Registered Member


    Catcher,

    you are correct.

    Sarceno,

    You will be able to run programs from sandboxed applications if the setting is "Med/Lo".

    With "High" settings, you will be able to run only known good programs from the sandboxed application.
     
  3. acr1965

    acr1965 Registered Member

    I updated chrome and still had the same results. The yahoo email issue may be due to ad muncher as they recently had an upgrade which is beta. They make you install betas or they will stop updating the filter list. I made a post in their forum.
     
  4. Saraceno

    Saraceno Registered Member

    Thanks for the replies Jay.

    Well, logging alone, AppRanger gets top marks from me as there is an abundance of information - seeing which process started, when it started, and which ones are relatively known.

    I like being able to search through Google, or just plain remove it. :thumb:

    Some screenshots:

    Event log
    appranger logging.jpg
    app me.jpg

    Status
    app ranger log 1.jpg
    Note - Noticed the AVZ tool driver appears in the list uzg2...
    app ranger log 2.jpg
     
  5. jmonge

    jmonge Registered Member

    Someone is digging and exploring deep inside under this hood :thumb:
     
  6. Saraceno

    Saraceno Registered Member

    I think the scan is efficient in finding/listing new files as well.

    appranger file found.jpg

    Noticed the above installer file found in a temp directory was suddenly listed. Has no metadata, seems to be an unknown file. Most likely an Adobe Flash installer - CCleaner is able to remove the directory, but interestingly AppRanger identified the temp file as a new 'file', and I was able to simply remove it.

    Did the same with the avast anti-rootkit driver as well listed a few above. :thumb:
     
  7. jmonge

    jmonge Registered Member

    @Saraceno how is AppRanger running so far? Any testing?
     
  8. Saraceno

    Saraceno Registered Member

    Going well JM.

    Where the scan misses a few files considered 'malicious', the user can sort through additional drivers etc that are listed and considered 'unclassified'. These files will be highlighted if they have loaded recently.

    I tried the lockdown feature against a simple .exe (not a virus, just a system explorer program - can reveal logins etc), which was blocked. Repeatedly tried to open the file, and once it loaded I received the following prompt.

    See alert given in lockdown, once the .exe was repeatedly opened
    appranger 2.jpg

    Scan picked up the .exe and dll file (prevx identified the .exe as harmful, which it isn't, but program can be used to 'retrieve info'), I also selected an old Sunbelt Vipre driver, and a couple of files from a Buffalo USB stick which installed encryption software.
    AR 5.jpg

    I also tried it against two AVZ tool drivers, which I've struggled to uninstall (shows the effectiveness of the AVZ tool), and AppRanger asked for the computer to be rebooted. Upon reboot, the drivers were gone.

    Not bad at all. Removing some unnecessary junk from the system. :D
     
  9. appranger

    appranger Registered Member

    Saraceno,

    In this case you removed drivers that were not malicious. As you do more tests, you will see that AppRanger will be of great help in getting rid of malicious rootkit drivers and polymorphic malware.
     
  10. Saraceno

    Saraceno Registered Member

    Jay, I'll send you a PM. :thumb:
     
  11. Joeythedude

    Joeythedude Registered Member

    I'm not clear on what happened...
    It allowed the exe to run? In lockdown?
     
  12. jmonge

    jmonge Registered Member

    I think he allowed this exe in low security level and then put the protection back in lockdown mode and tried to run the file :) I think that is what he meant :D
     
  13. Saraceno

    Saraceno Registered Member

    JM, you're right, I did have security level set to 'low'. Even on the low setting, a problem file won't be repeatedly trying to run. You'd receive the alert, and then just remove the problem file.
     
  14. jmonge

    jmonge Registered Member

    Yes, agree. I tested in low, same results as you :) and in high not even Windows updates install ;)
     
  15. Saraceno

    Saraceno Registered Member

    Good stuff JM. I'll test on medium. Either way, this program has so much to it. No wonder you've chopped and changed programs, but kept this for so long. :thumb:
     
  16. jmonge

    jmonge Registered Member

    This project is big and fun :D AppRanger keeps me busy, plus a cup of coffee of course ;)
     
  17. Saraceno

    Saraceno Registered Member

    You're right JM, set to high, nothing can install or no program not previously installed can run. :thumb:

    Setting changed to 'high'
    appranger high.jpg

    Program install blocked
    Appranger high 2 message.jpg

    Log of repeated attempts to install all blocked
    appranger high 3.jpg

    Right-click and set the blocked application to 'allow'
    appranger high 4.jpg

    Tried running a media program from an external drive while under 'high' lockdown - application blocked.
    Appranger high 5.jpg

    Set to 'high' is definitely workable - especially how quick you can enable/disable lockdown.

    The good part with the previous 'low' setting: applications not initiated by me (that were trying to launch in the background) were blocked. Programs initiated and launched by me were allowed after the second/third attempt. Quite a flexible program.
     
  18. jmonge

    jmonge Registered Member

    To fully lock down the system just right-click and hit 'high' ;)
     
  19. jmonge

    jmonge Registered Member

    It will be a good idea to combine AppRanger and a firewall for outbound protection ;)
     
  20. jmonge

    jmonge Registered Member

    I am testing DefenseWall against the same malware I tested against AppRanger and Blue Point Security ;)
    Note: man, DefenseWall doesn't give malware a chance ;) no wonder the wall at the end :D
     
  21. Saraceno

    Saraceno Registered Member

    I didn't even think to right-click on the system tray icon to change the setting to high or view blocked events. That makes it easier. Thanks chief. :p :thumb:

    At the moment I'm just using Windows 7 firewall control.
     
  22. jmonge

    jmonge Registered Member

    You're welcome :D
     
  23. Joeythedude

    Joeythedude Registered Member

    Good stuff.

    If you install something big, say a gig or 2, and then hit lockdown, does it take a while for it to respond?

    With AE it sometimes can take 30-60 seconds for an install of that size.

    Also I have a vague memory of seeing a malware that repeatedly tried to run itself in a remote code execution exploit, but would not think that's very common.
     
  24. Saraceno

    Saraceno Registered Member

    Lockdown is instant - well a few seconds to enable.

    I'd recommend 'creating a reference state' every few days - which analyses programs that are already installed and allows these programs to run while in lockdown.

    Create a reference state takes about 20 seconds, and can be done every few days, depending if you've installed new programs or not. If you haven't had a change in programs, you can keep the previous reference state.

    Hitting 'lockdown' takes about 5 seconds. Clicking the button is instant, but you see the progress which says '100 per cent'.

    Disabling 'lockdown' is instant. You can enable and disable as much as you want.

    I can post some screenshots tonight. But definitely use the 'high' setting if you don't want anything not already installed to launch or install.

    Low will allow a program to install/launch after a few attempts. With the high setting, repeated attempts will be denied, no matter how many times.
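The behaviour described across posts 8, 17 and 24 (a 'reference state' snapshot of what is already installed, a scan that lists files not in that snapshot, and a lockdown that blocks anything unknown, with 'low' letting a repeatedly launched program through and 'high' denying it every time) amounts to hash-based application allowlisting. The following Python model is an added illustration written for this thread, not AppRanger code, and it makes some assumptions: executables are identified by SHA-256 of their contents, only `.exe`/`.dll`/`.sys` files are considered, and the 'low' level allows an unknown program on its third attempt (the thread says "second/third attempt"; the exact count is assumed). 'Medium' is not modelled because the thread does not describe it.

```python
import hashlib
import tempfile
from pathlib import Path

# File types treated as executables in this model (assumption, not AppRanger's rule).
EXEC_SUFFIXES = {".exe", ".dll", ".sys"}


def sha256_of(data):
    """Content hash used as the identity of a program (assumed; a real product may use more)."""
    return hashlib.sha256(data).hexdigest()


def build_reference_state(root):
    """'Create a reference state': record the hash of every executable-type file under root."""
    allowed = set()
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in EXEC_SUFFIXES:
            allowed.add(sha256_of(path.read_bytes()))
    return allowed


def new_files_since(root, reference):
    """'Scan': list executable-type files whose hash is not in the reference state."""
    root = Path(root)
    return sorted(
        p.relative_to(root).as_posix()
        for p in root.rglob("*")
        if p.is_file()
        and p.suffix.lower() in EXEC_SUFFIXES
        and sha256_of(p.read_bytes()) not in reference
    )


class Lockdown:
    """Execution policy: known programs run; unknown ones depend on the level."""

    # Attempts before an unknown program is let through. None = never (the 'high' level).
    # The 'low' value of 3 is an assumption based on "second/third attempt" in the thread.
    ATTEMPTS_BEFORE_ALLOW = {"low": 3, "high": None}

    def __init__(self, level, reference):
        if level not in self.ATTEMPTS_BEFORE_ALLOW:
            raise ValueError("unknown level: %r" % level)
        self.level = level
        self.reference = set(reference)
        self.attempts = {}   # hash -> number of launch attempts seen
        self.log = []        # (name, short hash, verdict), like the event log in the screenshots

    def decide(self, name, data):
        digest = sha256_of(data)
        if digest in self.reference:
            verdict = "allow"
        else:
            count = self.attempts.get(digest, 0) + 1
            self.attempts[digest] = count
            limit = self.ATTEMPTS_BEFORE_ALLOW[self.level]
            verdict = "allow" if (limit is not None and count >= limit) else "block"
        self.log.append((name, digest[:12], verdict))
        return verdict


def demo():
    """Run the whole flow on a constructed directory tree; returns the verdicts for inspection."""
    with tempfile.TemporaryDirectory() as root:
        base = Path(root)
        # Constructed sample files: one 'installed' program, then one unknown installer in temp.
        (base / "good.exe").write_bytes(b"MZ constructed known-good program")
        reference = build_reference_state(base)
        (base / "temp").mkdir()
        (base / "temp" / "installer.exe").write_bytes(b"MZ constructed unknown installer")

        known = (base / "good.exe").read_bytes()
        unknown = (base / "temp" / "installer.exe").read_bytes()
        high = Lockdown("high", reference)
        low = Lockdown("low", reference)
        return {
            "new_files": new_files_since(base, reference),
            "known_on_high": high.decide("good.exe", known),
            "unknown_on_high": [high.decide("installer.exe", unknown) for _ in range(4)],
            "unknown_on_low": [low.decide("installer.exe", unknown) for _ in range(4)],
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The point to take from the model is the one the thread makes about 'low': an allowlist that gives way after a few attempts is a convenience for the user's own launches, but anything that can retry (an installer launched from a script, a scheduled task) gets the same leniency, which is why the 'high' level, where the reference state is the only thing that decides, is the one to use when no new code should run at all.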
     
  25. Saraceno

    Saraceno Registered Member

    Some brief setup instructions - well for me anyway.

    Set AppRanger protection to 'high'
    AR 1.jpg

    You'll notice I've disabled web content protection and sandbox protection - lockdown prevents any new files from executing, and this is what I'm after.
    AR 2.jpg

    To disable sandbox settings, access the following
    AR 3.jpg

    Then uncheck all programs
    AR 4.jpg

    cont...
     