What is AppGuard

Discussion in 'other anti-malware software' started by trjam, Jan 26, 2009.

Thread Status:
Not open for further replies.
  1. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    Thanks for the registry suggestions.

     
  2. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    When the security is initiated during the Windows install, there are certain permissions created for each group, for every file, every reg key and every service. Technically, it is not EVERY, but only those that need rights defined, and normally there is inheritance for objects/containers within.

    Anyway, the list of default services are set up with their permissions. The standard permission is for admins and system to have full control. Some have PowerUser allowed to start/stop. Most have the Users group with no options except 'special permission', and I am not sure what that means.

    Are there ramifications? There should not be in a User environment. Since we want AG to stop the 'guarded' app from killing our Avira service (or whatever, you pick) we want the app to have the same rights and restrictions as a User, so it cannot stop or start a service.

    Now, exceptions? What would you make an exception to for a guarded app? I don't think you want anything excepted. But, there may be as I have only played with AG and see 'what if I were to do this' or 'what if this app were to try that'. I have left everyday functionality to the family and friends. And so far they don't seem to have any issues with it. So I guess look at it like this, if you put AG on a computer with a novice, and you tell the novice what to do and threaten to pull the plug if they don't, there seems to be no problem with AG use at all.

    If you do that same thing, with say maybe your spouse's computer, under the same laws, and perhaps your spouse gives your rules a VETO, AG still works, but now you have the 50/50 chance of poking holes in protections with exceptions. Privacy mostly from what I have experienced is the one piece they really want. I make an exception for a custom directory for my music and my pictures stuff. I figure if the wife won't listen at least I mitigate it by having alternate names for those directories.

    Sul.
     
  3. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Eirik,

    Could you check whether AppGuard beta runs fine with the Avira Proactive Free beta when configuring Avira's drivers to load as early as possible (in secure mode).

    regards Kees
     
  4. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    It's too late to get this into the current test cycle. Instead, I've asked our chief software architect to take a look at this when he can. I'll relay what I can when I can.

    Switching gears a bit, a couple of bugs were found late in the QA cycle that engineering concluded must be fixed prior to GA for version 1.2. I now expect GA for next week.

    Cheers,

    Eirik

    PS Kees, would you mind sharing some info about your environment's customization? The version of AppGuard that you have should not be suppressing executable launches in that directory you mentioned (Documents and Settings/All Users).
     
  5. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Besides setting TEMP and TMP to D:\TEMP, these are all the changes
     

  6. Criss

    Criss Registered Member

    Joined:
    Oct 3, 2008
    Posts:
    186
    Hi Eirik,

    Recently my computer got hit by a problem which I suspect to be caused by AppGuard. You can go to this thread to know what happened. So is this problem caused by AppGuard?? :ouch:
     
  7. Warklen

    Warklen Registered Member

    Joined:
    Jan 17, 2009
    Posts:
    112
    I had the same problem, but after the first reboot it was back to normal.
     
  8. Criss

    Criss Registered Member

    Joined:
    Oct 3, 2008
    Posts:
    186
    So this maybe really is an AppGuard problem. Then I think I have to uninstall AppGuard first until Eirik gets back to us. :doubt:
     
  9. Blackcat

    Blackcat Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    4,024
    Location:
    Christchurch, UK
    The Window looks familiar!

    You are trying to launch executables either from user space (in my example, the Desktop) or from "non-system volumes" such as D:\, E:\ etc. (your example)?

    If D:\ is not your main system drive, then AppGuard is preventing any programs that reside on this drive from being executed.

    You can however run executables from non-system volumes by clicking on the Drive-by Download Protection Extension Settings button on the AG Settings tab.
     

  10. Criss

    Criss Registered Member

    Joined:
    Oct 3, 2008
    Posts:
    186
    Sorry, I forgot to state that the pic is just an example of the error message. :blink: I know the window looks familiar. We will all get it when we execute any ".exe" file in user space or on another drive with AppGuard installed.

    When I encounter the "problem", I can't open any programmes so I am unable to take a pic of the error message. However I know how to reproduce the error message, which is by executing an "exe" file with AppGuard on. And that's how I got the example of the error message I posted. :)

    Now back to the "problem", sorry if I didn't describe it properly just now; what I mean is I can't open any ".exe" file, even on the C: drive. All browsers, even MBAM, SAS and Avira, can't be opened. :ouch:
     
  11. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    I have experienced on one VMware machine issues where the AG service does not install correctly, or does not start correctly on boot. I have not seen this on a live machine. Perhaps the service is hung or a dependency is disabled?

    Sul.
     
  12. Criss

    Criss Registered Member

    Joined:
    Oct 3, 2008
    Posts:
    186
    Sad to say that the "problem" is really caused by AppGuard. :doubt: I have uninstalled AppGuard and the problem is gone.
     
    Last edited: May 24, 2009
  13. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Nice. Here is what I am using with AppGuard lately.

    Sul.

    Alpha_screen2.jpg
     
    Last edited: May 24, 2009
  14. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    What about restricting these?

    - console based script host
    - windows based script host
    - registry server
    - HTML Help executable
    - NT virtual DOS machine executable for 16-bit apps
    - registry initialiser
    - Command processor
    - disk format
    - dosx 16bits subsystem
     
  15. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Much is in works. Can you give filenames for
    registry server -- regedit ??
    HTML help exe
    NT vd for 16bit
    what is registry initialiser? regedt32 ?
    dosx - you mean command.com?

    Have you tested at all for how soon AG hooks before SRP, and what ramifications there are, especially if using Basic User? I have some, and found that AG basically hooks items first before SRP, and applies essentially a User type restriction. Although as I noted, it is not exactly a User. Maybe a modified PU or something. Since the services are still available to Guarded threads, I don't know what to think it does.

    Ah well, still I find AG and SRP seem to play together with no apparent issues.

    I wonder, if you deny something in SRP, whether AG allows it as guarded to run. I will try some of that tomorrow if I can find the time.

    Sul.
     
  16. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Sul:

    [deny_reg server]
    Description=No Execute Allowed
    ItemData=c:\windows\system32\regsvr32.exe
    Level=Deny

    [deny_reg init]
    Description=No Execute Allowed
    ItemData=c:\windows\system32\regini.exe
    Level=Deny

    [deny_command.com]
    Description=No Execute Allowed
    ItemData=c:\windows\system32\command.com
    Level=Deny


    [restrict_NTVDM]
    Description=Contain in LUA
    ItemData=c:\windows\system32\ntvdm.exe
    Level=Restrict

    [restrict_DOSx]
    Description=Contain in LUA
    ItemData=c:\windows\system32\dosx.exe
    Level=Restrict


    [restrict_help]
    Description=Run as Limited User
    ItemData=c:\windows\hh.exe
    Level=Restrict


    See http://support.microsoft.com/kb/237607 for regini

    Regards Kees
     
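    As an added example (my own code, not from the thread or from AppGuard), a small Python parser for the [section] / key=value rule block Kees posted: it indexes ItemData paths case-insensitively and refuses rules that are incomplete or that give one path two different levels. The lookup semantics (Deny = launch blocked, Restrict = run with limited rights, no rule = Allow) are an assumption for illustration, not AppGuard's documented behaviour, and the sample text is three of the six rules above.

```python
import re

# Constructed sample: three of the six rules from the post, in the same format.
RULES_TEXT = r"""
[deny_reg server]
Description=No Execute Allowed
ItemData=c:\windows\system32\regsvr32.exe
Level=Deny

[restrict_NTVDM]
Description=Contain in LUA
ItemData=c:\windows\system32\ntvdm.exe
Level=Restrict

[restrict_help]
Description=Run as Limited User
ItemData=c:\windows\hh.exe
Level=Restrict
"""


def parse_rules(text):
    """Return {section: {key: value}}, rejecting lines outside a section."""
    rules, current = {}, None
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = rules.setdefault(header.group(1), {})
        elif current is None or "=" not in line:
            raise ValueError(f"malformed line: {line!r}")
        else:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return rules


def build_index(rules):
    """Map lower-cased path -> Level; refuse incomplete or conflicting rules."""
    index = {}
    for name, fields in rules.items():
        path, level = fields.get("ItemData"), fields.get("Level")
        if not path or level not in ("Deny", "Restrict"):
            raise ValueError(f"rule {name!r} lacks a valid ItemData/Level")
        if index.get(path.lower(), level) != level:
            raise ValueError(f"conflicting levels for {path}")
        index[path.lower()] = level  # Windows paths compare case-insensitively
    return index


def policy_for(path, index):
    """Assumed default: a path with no matching rule launches normally."""
    return index.get(path.lower(), "Allow")
```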
  17. Blackcat

    Blackcat Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    4,024
    Location:
    Christchurch, UK
    Has anyone tried AppGuard on Windows 7 RC1?
     
  18. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Regini is a very powerful tool. Never heard it described as registry initiator. It is very cryptic, and help documentation is poor. But I tell you from experience, some of the things you can do with it are very very cool. If you get into that sort of thing anyway lol.

    Nice list. I will implement those and test.

    Have you tried chrome with AG?

    Sul.
     
  19. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    Yes, I've been guarding Chrome with AppGuard for weeks.

    Chrome's self-update is frequently blocked by AppGuard. One can modify drive-by download protection ("Allow" tab) to define a rule that allows Google's update executable to launch from a particular directory. However, one cannot be exact because Chrome randomly names the directory it places its update executable into.

    This unguarded directory does theoretically represent a gap in protection. This illustrates my aversion to self-updating software. Every vendor does it differently so there's no credible, consistent, automated means to distinguish a legitimate from an illegitimate software change.

    It's interesting that few if any significant software vendors have leveraged the available Microsoft BITS infrastructure to facilitate their software updates. BITS has robust cryptography from stem to stern. I vaguely recall a Black Hat research presentation last summer criticizing all others but praising MS, not a common thing at Black Hat. Well, I digress!

    Cheers,

    Eirik
     
  20. chipo

    chipo Registered Member

    Joined:
    May 2, 2009
    Posts:
    41
    Location:
    Spain
    Hi, I know that this is not related to the objectives of the product but, would it be possible to include buffer overflow protection for guarded applications? I know that Windows has DEP protection, but having a program that helps with DEP protection is something good.
     
  21. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    Excellent question. Years ago, we made a strategic decision to stay out of buffer overflow protection because of the advances being made by the operating system and CPU makers. This has not advanced as rapidly as we expected due to slow Vista adoption and software application vendor implementation (I believe an individual application must do things to take full advantage of DEP).

    We currently do not have plans to enter this space.

    Cheers,

    Eirik
     
  22. chipo

    chipo Registered Member

    Joined:
    May 2, 2009
    Posts:
    41
    Location:
    Spain
    Hi Eirik. Comodo Memory Firewall protects against buffer overflow attacks, but it has been discontinued as standalone software (the latest version is in my signature), and included in CIS (Comodo Internet Security). I don't know if there is another program that provides this protection, and as there are still many Windows XP users (including myself), I thought it could be an interesting idea.

    Cheers.
     
  23. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    I hadn't heard that Comodo discontinued this as a standalone. I imagine they did so to reduce the number of binaries they must support. I'd like to know what other reasons they had too.

    I still think a memory firewall is helpful. However, a small company like us must strive to be highly focused or find itself torn apart if it spreads itself too thin. I'm sure the longtime Wilders regulars could generate quite a list of deceased firms. Blue Ridge has been around for over a decade, btw.
    The need for a memory firewall effectively disappears with Windows XP, as you implied. AppGuard can already mitigate most of the expected risks associated with buffer overflow attacks. However, it cannot prevent the execution of instructions in overflows, and it cannot prevent those from injecting code into other processes. The vast majority of malware in 2009 does not employ these vectors/vehicles. [This last sentence is sloppy. I do not mean to say that overflow attacks are uncommon. I'm referring to what the attacks do with the overflow. The results tend to be relatively simple: download and launch an executable. The frequency of more sophisticated actions will likely increase over time. So too, however, are other defensive measures coming from Intel, for example. But I digress, again!]

    Blue Ridge strives to position AppGuard, not as the security product that stops the highest percentage of possible attack vectors/vehicles, but as the easiest security product that stops 90% or more of them. We literally have other means to stop additional vectors/mechanisms but do not employ them because they over complicate the user experience. I'd rather not enumerate these. Please just take my word on the concept.

    Thanks for asking your question Chipo.

    Cheers,

    Eirik
     
    Last edited: May 27, 2009
  24. Dark_Hanzo

    Dark_Hanzo Registered Member

    Joined:
    Jan 9, 2009
    Posts:
    204
    Location:
    CA
  25. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
Thread Status:
Not open for further replies.