What is AppGuard

Discussion in 'other anti-malware software' started by trjam, Jan 26, 2009.

Thread Status:
Not open for further replies.
  1. demonon

    demonon Guest

    Hello Eirik,

    I would like to beta test the new AppGuard. I want to try it on a dedicated laptop with XP Pro SP3. On this laptop I am experimenting with LUA, SRP and other kind of policy protection.
    AppGuard seems a nice program to try.

    Regards,

    -Demonon.
     
  2. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,458
    Location:
    Ontario, Canada
Thanks Eirik, I will uninstall SAS for testing, or I will keep SAS without Guard and try to find a way to make them play together!

    TH
     
  3. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    Good answers BlackCat.
     
  4. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    The technical answer to this is that in your registry, at this location

    Code:
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceClasses\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}]
    
you will note that a USB key will be seen as
    Code:
    "DeviceInstance"="USBSTOR\\Disk&Ven_Corsair&Prod_Flash_Voyager&Rev_1100\\AA04012700013561&0"
    or
    Code:
    "DeviceInstance"="USBSTOR\\Disk&Ven_USB&Prod_Flash_Disk&Rev_PMAP\\9077030011CF&0"
whereas a USB hdd will look like
    Code:
    "DeviceInstance"="USBSTOR\Disk&Ven_WDC_WD36&Prod_WD-WMAH91015165&Rev_34.0\8D888A891015&0"
    and a normal hdd would look like
    Code:
    "DeviceInstance"="IDE\\DiskWDC_WD800JB-00JJC0______________________05.01C05\\5&2fbd7a1b&0&0.0.0"
    But if you follow down to this key
    Code:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceClasses\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
you will now see why they are handled differently. Examine the following to see how they have been labeled to make a distinction between a hdd and a usb memory stick
    Code:
    ##?#STORAGE#RemovableMedia#7&1d7d8967&0&RM#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
    ##?#STORAGE#VOLUME#1&30A96598&0&SIGNATUREFD21884AOFFSET7E00LENGTHF3BAD200#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
    
    So while they are both signed to device class USBSTOR initially, they are also segregated apart uniquely. This is what AppGuard sees, I believe.

    As Blackcat says, this feature to guard USB sticks works fine, because your USB hdd is not the same as a stick, but treated as a hdd. And as Blackcat says, this will be in the next version. It is going to be called I believe 'extended user space'.

    Sorry, had to post techno babble.

    Sul.
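The DeviceInstance values and STORAGE interface names Sully quotes can be parsed to tell a memory stick, a USB hard disk and an internal disk apart. This is an added example written for this thread (Python, not AppGuard's own code); its only input is a constructed sample assembled from the values quoted above, and the field names it returns are its own.

```python
"""Classify disks from DeviceClasses registry values (added example)."""
import re

# Constructed sample: the DeviceInstance values and STORAGE interface names
# quoted in the post above, in regedit export form (backslashes doubled,
# except the third line, which is copied as the post shows it).
SAMPLE_EXPORT = r'''
"DeviceInstance"="USBSTOR\\Disk&Ven_Corsair&Prod_Flash_Voyager&Rev_1100\\AA04012700013561&0"
"DeviceInstance"="USBSTOR\\Disk&Ven_USB&Prod_Flash_Disk&Rev_PMAP\\9077030011CF&0"
"DeviceInstance"="USBSTOR\Disk&Ven_WDC_WD36&Prod_WD-WMAH91015165&Rev_34.0\8D888A891015&0"
"DeviceInstance"="IDE\\DiskWDC_WD800JB-00JJC0______________________05.01C05\\5&2fbd7a1b&0&0.0.0"
##?#STORAGE#RemovableMedia#7&1d7d8967&0&RM#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
##?#STORAGE#VOLUME#1&30A96598&0&SIGNATUREFD21884AOFFSET7E00LENGTHF3BAD200#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
'''


def parse_device_instance(value):
    """Split 'BUS\\DeviceId\\InstanceId' into its parts. The device id of a
    USBSTOR entry carries Ven_/Prod_/Rev_ fields; an IDE entry does not."""
    parts = re.split(r'\\+', value.strip('"'))  # tolerate single or doubled backslashes
    bus, device_id = parts[0], parts[1]
    instance = parts[2] if len(parts) > 2 else ''
    fields = {}
    for token in device_id.split('&'):
        key, _, val = token.partition('_')
        if key in ('Ven', 'Prod', 'Rev'):
            fields[key] = val
    return {'bus': bus, 'vendor': fields.get('Ven', ''), 'product': fields.get('Prod', ''),
            'revision': fields.get('Rev', ''), 'instance': instance}


def classify_interface(name):
    """Classify a device-interface name from the {53f5630d-...} volume class:
    RemovableMedia marks a memory stick, VOLUME a fixed (partitioned) disk."""
    tokens = name.split('#')  # ['', '', '?', 'STORAGE', '<kind>', '<instance>', '{guid}']
    if len(tokens) > 4 and tokens[3] == 'STORAGE':
        return {'RemovableMedia': 'removable-media', 'VOLUME': 'fixed-volume'}.get(tokens[4], 'unknown')
    return 'unknown'


def inventory(export_text):
    """Walk an export and return (devices, volume kinds). The bus alone only
    says the disk arrived over USB; a USB hard disk and a stick both sit in
    USBSTOR, so the volume class is what actually separates them."""
    devices, volumes = [], []
    for line in export_text.splitlines():
        line = line.strip()
        if line.startswith('"DeviceInstance"='):
            dev = parse_device_instance(line.split('=', 1)[1])
            dev['external'] = dev['bus'] == 'USBSTOR'
            devices.append(dev)
        elif line.startswith('##?#STORAGE#'):
            volumes.append(classify_interface(line))
    return devices, volumes
```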
     
  5. chipo

    chipo Registered Member

    Joined:
    May 2, 2009
    Posts:
    41
    Location:
    Spain
Thanks for your good explanation. I think it's a good idea to have the option to block USB drives, because I think it can run autorun.inf malware on connecting to a USB port.

Moreover, what's wrong with Excel files? (solver.xla, eurotool.xla and atpvbaen.xls). AppGuard blocks them when I open Excel. These files are macros used for data analysis. I know that I can suspend AppGuard protection, but it's not very logical, right?

I apologize for my insistence. I noticed that iexplorer doesn't open hxxp://update.microsoft.com/microsoftupdate/v6/default.aspx. I need to stop protection. So, must AppGuard be so strict? I think it should allow some exceptions.
     
    Last edited: May 3, 2009
  6. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    I have used AG a lot. And I have had many conversations with Eirik. Let us see if we can find the logic of why those files are being blocked.

AG by default I believe will 'guard' excel.exe. So when in a 'guarded' state, it will for all intents and purposes give excel.exe a standard user's rights in relation to creating/modifying anything in
    c:\
    %windir%
    %programfiles%
    HKLM
    HKCU/autostart locations

There is also what I would call its most confusing aspect, which is how it handles the 'user space'. For those not familiar with 'User space', it is your profile directory. For those not familiar with that, it is 'YOUR' directories/folders, such as My Documents and all items within. As well as your desktop and other areas.

    Here is the thing. It might be a case of where those files live, or it might be a case of what they do. AG 'guards' excel, but still, those are what, files with vba in them? Perhaps the code in them is attempting to access areas restricted by AG. What about examining them, do you have code like FormOpen() where they try to access certain areas possibly being protected by AG?

First try moving those files to a new location and see if it works. If not, my bet is that the code they contain attempts things AG protects, and probably on a FormLoad or FormOpen type of call, thus it never gets loaded. I would imagine if the code was to execute the protected portions at a state after FormLoad, AG would block that code piece, but not block the spreadsheet or macro from starting initially.

But then, these are all guesses based on what I think I know, so who can say.

    Sul.
     
  7. chipo

    chipo Registered Member

    Joined:
    May 2, 2009
    Posts:
    41
    Location:
    Spain
Thanks for the reply. Sorry to tell you that I don't understand what you've written. The files are in c:\program files\microsoft office\Office11\Macros\*\*.xla. These files are Excel files themselves.
Moving those files to a new location is not feasible, they don't work.

    Don't worry. It's boring to stop the protection all the time :ouch: . See you tomorrow.
     
    Last edited: May 3, 2009
  8. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
Is ok. Eirik will probably post here tomorrow with some explanation.

    Sul.
     
  9. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    Hi Chipo,

    Without seeing the AppGuard block event log text, or what you may see in the 'status' tab of the GUI, I'm not certain what is happening.

    From your last post, it appears that Excel is trying to perform write operations to content within 'program files', which is blocked by AppGuard.

    I'll work offline with you to extract some log data for me so I can better understand and assist.

    Cheers,

    Eirik
     
  10. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    Sully,

    Excellent posts. You nailed them accurately and precisely.

    And yes, in version 1.2, by default, AppGuard assumes all other drives (including all those mentioned in your post) connected to a system are part of "user-space" and therefore does not allow unguarded executable launches. Users can, however, specify what drives/directories can allow unguarded executable launches when circumstances require exceptions to this protection intended to thwart drive-by download attacks.

    Cheers,

    Eirik
     
  11. chipo

    chipo Registered Member

    Joined:
    May 2, 2009
    Posts:
    41
    Location:
    Spain
Thanks Eirik, I sent you a mail. I'm at work now, so I can't send you the log.
     
  12. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
I missed this point earlier. Providing exceptions for this is problematic. How does one reliably distinguish a legitimate from a malicious action of this nature? Given the inherent insecurity within web browsers, and other complications, we block these actions and require an end-user to suspend this protection until the user is confident that it is safe to do so.

To this end, as stated in the AppGuard help guide, when updating a browser, or allowing a browser to facilitate an update of something else, I strongly recommend that one close all tabs in the browser, leave the last tab to a simple trustworthy page, and then restart the browser to flush out all Javascript, Flash, and any other dynamic content prior to suspending AppGuard protection for the update to occur. Otherwise, one might leave something nasty lurking within the browser while protection is suspended.

    Cheers,

    Eirik
     
  13. chipo

    chipo Registered Member

    Joined:
    May 2, 2009
    Posts:
    41
    Location:
    Spain
Thank you very much. What a pity that not all technical support is as efficient.
     
  14. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    Hi All,

    I didn't realize there was a cap on the number of private messages one could send. So, I'm posting the 'letter' to those that volunteered to evaluate the pre-release of AppGuard version 1.2 and its download link.

    The number of downloads is capped. If we should reach it, please let me know and I'll extend it.

    Please look at my earlier post regarding the new features.

    Cheers,

    Eirik


    Hi there,

    Thank you for participating in this exercise.

    The link and SHA1 hash checksum are for the AppGuard version 1.2 pre-release that will run for about a week.

    http://www.yousendit.com/download/dV...UnJUME4zZUE9PQ
    SHA1 Checksum: 489dea4432e70dd28f2e28999e4550794145afbb

You do not need to uninstall an earlier version of AppGuard before running the 1.2 install file. Of course, you would need to suspend drive-by download protection. Remember, restarting the PC after the install is not merely recommended, it's absolutely necessary.

    There are two ways to provide us feedback
    - Post to an AppGuard thread @ Wilders
    - Email: appguard@blueridgenetworks.com

    The kind of feedback we're looking for...
    - bugs
    - software conflicts (if so, we'd appreciate a systeminfo file)
    - use-cases (how do you see yourself/others using one or more features; I cannot over-state the value of use-cases helping us converge toward the ideal product.)
    - GUI and functionality improvements (please note one or more problems per improvement) regarding existing features
    - (Bonus) Relay any feedback from novices: points of confusion, misunderstanding, usability, etc.

Again, I'd like to thank you for participating in this exercise. Oh yeah, feel free to share the install file with others but please caution them regarding this being a pre-release.

    Cheers,

    Eirik
     
    Last edited: May 7, 2009
  15. Trespasser

    Trespasser Registered Member

    Joined:
    Mar 1, 2005
    Posts:
    1,204
    Location:
    Virginia - Appalachian Mtns
    Last edited: May 7, 2009
  16. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    I got the link from what Trespasser posted. Installed. Asked for key, so I continued eval. There seems to be no real interface to change anything, or am I missing something? I only see the status screen as available to change settings.

    I am wondering if this is the wrong version I have? It says it is
    1.2.3.0

    Is there a key available?

    Sul.
     
  17. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    Thanks for pointing out and correcting.
     
  18. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
There should be three tabs appearing in the GUI, as below:
[image: Guarded Applications Tab.png]

    This usually happens when something has prevented the appguardagent.exe service from starting. You might try manually restarting the service or restarting the PC. I've never heard of the licensing having anything to do with this. Another security product might interfere with the service launching. If this doesn't do the trick, I'll open a trouble ticket.

    Cheers,

    Eirik
     
  19. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    Our engineering director reminded me that Terminal Services is required. If disabled, this too causes missing tabs.

    Switching gears a bit, Sully asked offline, as far as what to look for and test, please experiment with variations in user-space, particularly external, internal, or partitioned drives. Please confirm that any customization you make to "Drive-by Download" protection (i.e., defining specific drives/directories that allow or deny unguarded application launches) survives restarts, disconnect/reconnect, etc.

    Thanks,

    Eirik
     
  20. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    It would seem there is some strange issue. I installed it in a vmWare box with xp home on it. Only windows defender and avira free v8 exist there. I have trimmed the services a little, but otherwise a snapshot state of a typical xp home install. Refreshing to snapshot states makes no difference. This is one vmWare box I have used to test AG scenarios on many times.

The service is not running. It is set to automatic. Manually starting it gives a prompt like 'the service started and then stopped because there was nothing for it to do, some services do this: for example performance logs and alerts'. I have never seen that prompt before now.

    Any thoughts? Nothing is in the AG status report area.

    Sul.
     
  21. Trespasser

    Trespasser Registered Member

    Joined:
    Mar 1, 2005
    Posts:
    1,204
    Location:
    Virginia - Appalachian Mtns
    Right now I'm running Vista SP2 and there are three tabs showing. All's well here.

    Sorry for going off topic, but, Sully, have you checked out Windows 7's SRP yet? I'm curious as to your experience with it. Mine has been less than satisfying.

    Later...
     
  22. Blackcat

    Blackcat Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    4,024
    Location:
    Christchurch, UK
    Installed, but on reboot Vista went into Startup Repair Window!!!!! Stayed on for over 15 minutes without any sign of a repair so I did a hard shutdown and AppGuard appeared on second bootup. I had not seen any startup problems with the previous version.

    Flashing icon now starts up but not sure the average user needs this level of warning just because " Prevented process < Chromium from writing to its dictionaries ".

    As stated before I think the tray icon warnings need to be toned down and become much less frequent as average Joe will start to panic too much.

    On the bright side it appears to be as light on performance as before.

EDIT: on bootup this morning only 1 tab shown. A manual start gave me back all 3 tabs. Problem seemed to be the Host protection on OutPost. AG is running smoothly now through reboots.
     
    Last edited: May 8, 2009
  23. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Yes, this version does work correctly. My snapshot must need some work ;)

    This version is much better. The exceptions for privacy and extended user space work well. The resource usage is still quite acceptable, for me about 8mb. The GUI portion, I would like to see it password protected so you can shut it off once you get it set up.

I will start installing for tests on multiple systems this weekend. See how those novice users respond. For me, after I get done with my current little project I will place my xp image back on this machine and then give it a go with everyday use. See what it does in conjunction with as many strange SRP rules as I can think of.

    Great job on this version I say :thumb:

    Sul.
     
  24. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Eirik,

Does this version also protect against direct disk access?

    Thx Kees
     
  25. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Eirik,

    The usability of the private folders would be greatly enhanced when we can set exceptions for guarded applications, for instance

    Webbrowser:
    a) I want my webbrowser to not touch my data partition where my documents reside (D:\)
    b) I would like to make an exception to D:\Downloads, D:\TEMP and D:\TEMP IE

    E-mail client
a) I would like my e-mail client to not touch my documents
    b) I would like to make an exception for the D:\Mail directory where I have put my Windows Address Book and the mailbox

    P2P program
    a) I would like to deny access to my data partition
    b) I would like to make an exception for D:\LimeWire (where the shared directory resides and incomplete downloads)

    MS Office
    b) I would like the privacy override to My Documents

    Windows Media Player
    a) I would like to deny access to my documents
b) I would like to give access to My Music and the shared directory of LimeWire


With the above I would be able to segregate/contain untrusted/guarded applications from each other, increasing the usability of the Privacy mode feature and security.

    Thanks Kees
     