Catching in-progress memory management exploits?

Discussion in 'other anti-malware software' started by Gullible Jones, Jun 13, 2014.

  1. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Rasheed, I am curious why it would matter to you. You aren't running Appguard are you?
     
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,561
    Location:
    The Netherlands
    Do you really need to ask this? You brought the whole thing up, remember? And to answer your question, it's always handy to know what type of protection methods apps offer. This way you can make informed decisions.
     
  3. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    From your other post you have already made an "informed" decision not to use Appguard.
     
  4. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    I'm sorry, but I'm not competent to answer this. I'm not a security expert, just a normal user. I ran a test and got a result. As there was no attempt to attack the system, nothing can be concluded from this regarding AppGuard's ability to protect the system against a real-life attack of this type.

    MemoryGuard is only one of a whole range of protection measures that AppGuard has. MemoryGuard wasn't even part of the original AppGuard version 1. MemoryGuard was added in AppGuard version 3 (the current AppGuard version is 4.1) in order to provide some additional protection.

    MemoryGuard prevents guarded apps from invading the memory space of other running processes. Whether it covers all possible methods, I don't know. In this case, calc.exe wasn't an existing running process but was started by the HMPA test tool, which may make a difference, again I don't know.

    As spawned processes of guarded apps are also guarded, and guarded apps are prevented from writing to system space and key areas of the registry, AppGuard should be able to contain an attack that uses the process hollowing method, even though MemoryGuard didn't stop it at the initial stage. This would of course need testing to confirm.

    I think it best to wait now for a response from Blue Ridge Networks.
     
  5. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    BOClean was very good at detecting/preventing in-memory exploits/malware etc. It was incorporated into Comodo when they bought it. Might be an idea to test it & see how it fares?
     
  6. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I am afraid I'll pass on that.
     
  7. stackz

    stackz Registered Member

    Joined:
    Dec 27, 2007
    Posts:
    646
    Location:
    Sydney Australia
    Seeing as the vast majority of malware cryptors use process hollowing aka RunPE, Appguard has no problem containing any of this garbage.
     
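Added example, not code from this thread, from AppGuard or from the HMPA test tool: a Python check for the traces a RunPE-style hollowing (pegr's and stackz's posts above) leaves behind in a process, run over constructed process snapshots; the snapshot structures and the calc.exe values are assumptions.

```python
"""Flag process-hollowing (RunPE) indicators in a process memory snapshot.

Constructed example data, not output from AppGuard or the HMPA test tool.
RunPE unmaps the original image, allocates private memory at the same base
and writes a different PE there, so the main module region ends up
MEM_PRIVATE instead of image-backed and its header no longer matches disk.
"""
from __future__ import annotations
from dataclasses import dataclass, field

MEM_IMAGE = "MEM_IMAGE"
MEM_PRIVATE = "MEM_PRIVATE"

@dataclass
class Region:
    base: int
    mem_type: str              # MEM_IMAGE or MEM_PRIVATE (as VirtualQueryEx reports)
    mapped_file: str | None    # file backing the region, if any
    entry_point_rva: int       # AddressOfEntryPoint parsed from the in-memory header

@dataclass
class ProcessSnapshot:
    pid: int
    image_path: str            # path the process was created with
    peb_image_base: int        # PEB.ImageBaseAddress
    disk_entry_point_rva: int  # AddressOfEntryPoint parsed from the file on disk
    regions: list[Region] = field(default_factory=list)

def hollowing_indicators(snap: ProcessSnapshot) -> list[str]:
    """Return human-readable indicators; an empty list means nothing suspicious."""
    hits = []
    main = next((r for r in snap.regions if r.base == snap.peb_image_base), None)
    if main is None:
        return ["no region mapped at the PEB image base"]
    if main.mem_type != MEM_IMAGE:
        hits.append(f"main module region is {main.mem_type}, not image-backed")
    if main.mapped_file is None or main.mapped_file.lower() != snap.image_path.lower():
        hits.append(f"main module backed by {main.mapped_file!r}, expected {snap.image_path!r}")
    if main.entry_point_rva != snap.disk_entry_point_rva:
        hits.append("in-memory entry point differs from the on-disk PE header")
    return hits

# Constructed snapshots: an untouched calc.exe and one after a RunPE-style replacement.
CALC = r"C:\Windows\System32\calc.exe"
CLEAN = ProcessSnapshot(1234, CALC, 0x7FF6A0000000, 0x1A2B0,
                        [Region(0x7FF6A0000000, MEM_IMAGE, CALC, 0x1A2B0)])
HOLLOWED = ProcessSnapshot(1235, CALC, 0x7FF6A0000000, 0x1A2B0,
                           [Region(0x7FF6A0000000, MEM_PRIVATE, None, 0x3000)])
```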
  8. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,561
    Location:
    The Netherlands
    You make some good points, but to be honest, it was more of a rhetorical question. I would be surprised if AG could not stop this though, because "process hollowing" is related to "code-injection". I do wonder if other HIPS like Online Armor and SpyShelter would perhaps also fail, but sadly enough I can't test it at the moment.

    Not the point, it was more of a general comment.
     
    Last edited: Nov 21, 2014