What is AppGuard

Discussion in 'other anti-malware software' started by trjam, Jan 26, 2009.

Thread Status:
Not open for further replies.
  1. Brocke

    Brocke Registered Member

    Joined:
    Mar 16, 2008
    Posts:
    2,311
    Location:
    USA,IA
    I'm running Windows 7 32-bit and I use IE8, and AppGuard keeps logging this

    Why is this?
     
  2. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    Hi Brocke,

    A generic malware attack vector involves coercing an application such as IE8 into adding or modifying stuff in critical areas of the host such as in the Windows or Program Files directories. AppGuard protects computers, in part, by blocking ALL write operations by a 'guarded application' to the Windows directory and all of its child directories.

    Some web browser add-ons and client software applications do NOT conform to the Windows NT Security Framework, even some Microsoft applications. Your example may illustrate a legit, blocked action that I do not recognize.

    Ultimately, only the developers of the respective applications and add-ons know all of the idiosyncrasies of their software. Which means, we security vendors can only make inferences as to whether an action is legitimate or malicious.

    So, what can you do about this now? And, what should you do about it?

    Most likely, this is not malicious. But, keep an eye on this. Most blocked actions like these do not impair a guarded application's ability to operate as it should. Some do. Most commonly, auto-updates are hindered.

    For a few versions, Windows Messenger would not operate normally when guarded by AppGuard. Since then, that's no longer the case because Microsoft developers changed something. I don't know if they did so in response to our requests or if it just happened for other reasons.

    If this only happens with each start up, I would ignore it. If it happens numerous times daily, I would either disable 'alarms' for IE8 or consider 'custom settings' adjustments. I'm leery of 'custom settings' adjustments, however, because they are ultimately opening a hole that malicious actions could use too.

    There's one other, and perhaps more important consideration. Sometimes, blocked actions such as these would only be one-time and would go away if one allows such a 'first-use' or 'set-up' action to occur. I cannot say if this particular 'blocked action' is legit or malicious. Some folk around here use a security virtualization program to safely answer such a question. I personally don't have one to recommend because I so seldom do anything like this anymore.

    There are quite a few Win7/32-bit AppGuard (daily) users here. Have you all encountered this?

    Cheers,

    Eirik
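
The rule described in the post above (a guarded application is denied writes to the Windows directory and everything beneath it) depends on deciding correctly whether a target path falls under a protected directory. The following Python sketch is an added example, not AppGuard code and not part of the thread; the protected roots, function names and sample paths are assumptions chosen for illustration.

```python
import ntpath  # Windows path rules, usable on any OS

# Assumed protected roots; the post names the Windows and Program Files directories.
PROTECTED_ROOTS = (r"C:\Windows", r"C:\Program Files")


def _canon(path):
    # Collapse "..", "." and forward slashes, then fold case,
    # because Windows compares file names case-insensitively.
    return ntpath.normcase(ntpath.normpath(path))


def is_under(path, root):
    """True if path is root itself or a descendant of it.

    The comparison is per path component, so C:\\WindowsOld is not
    mistaken for a child of C:\\Windows (the string-prefix trap).
    """
    p, r = _canon(path), _canon(root)
    try:
        return ntpath.commonpath([p, r]) == r
    except ValueError:
        # Raised for different drives or mixed absolute/relative paths.
        return False


def write_allowed(process_is_guarded, target_path):
    """Model of the rule in the post: a guarded application may not write
    under a protected root. Unguarded processes are not restricted here."""
    if not process_is_guarded:
        return True
    return not any(is_under(target_path, root) for root in PROTECTED_ROOTS)


# Constructed sample paths, not taken from any real log.
if __name__ == "__main__":
    for guarded, target in [
        (True, r"C:\Windows\System32\drivers\etc\hosts"),
        (True, r"C:\Users\bob\..\..\Windows\x.dll"),   # traversal back into Windows
        (True, r"C:\WindowsOld\x.dll"),                # similar prefix, different directory
        (True, r"C:\Users\bob\AppData\Local\Temp\a.tmp"),
        (False, r"C:\Windows\x.dll"),
    ]:
        print(guarded, target, "->", "allow" if write_allowed(guarded, target) else "block")
```

This model works on path strings only; it does not resolve junctions, symbolic links or 8.3 short names, which an enforcement point has to resolve against the file system before comparing.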
     
  3. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    Just trying, don't mind.
     
  4. Brocke

    Brocke Registered Member

    Joined:
    Mar 16, 2008
    Posts:
    2,311
    Location:
    USA,IA
    Thank you for the replies, but the odd thing is happening almost every 30 secs. My PC is clean of malware so I'm not really sure what this is about. The same log file keeps coming up over and over.
     
  5. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    Hey buddy, unprotect your browser, and if you have the privacy mode on for your browser, disable it, reboot, enable it again and enable your browser protection. May work ;)
     
  6. Brocke

    Brocke Registered Member

    Joined:
    Mar 16, 2008
    Posts:
    2,311
    Location:
    USA,IA
    Didn't work, same log file keeps popping up.
     
  7. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    Strange issue.
     
  8. Brocke

    Brocke Registered Member

    Joined:
    Mar 16, 2008
    Posts:
    2,311
    Location:
    USA,IA
    Any news on the app lately? Updates?
     
  9. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    Hey Brocke, how are you man? And where is this boy hiding? :D Eirik, where are you? :D
     
  10. HAN

    HAN Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    2,098
    Location:
    USA
    Yeah, I've been waiting on news about AppGuard and AppGuard settings lock down with a password...
     
  11. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    Hi Guys,

    No need to issue an all points bulletin (APB). I couldn't respond yesterday as I was in the middle of publishing some new content on a new product line called Pixie, in case you're curious. It combines virtualization and cryptography technologies to compartmentalize risk away from one's assets. One example is a 'PC on a USB stick', which compartmentalizes an organization's legit telework activities away from the potentially malware-infested employee-owned PC.

    Anyway, I've been trying to chase down a date on the next AppGuard release. I'll post the date and features as soon as I can. We always include password protection in our discussions. So, it'll probably be in the next release but I'm not certain yet.

    Cheers,

    Eirik
     
  12. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
    I'm booted into Win 7 a lot more nowadays and am giving AG a try in Win 7. So far it's lighter than on XP, no noticeable difference in boot time and doesn't show some of the quirks I had with it in XP. Seems to be working really well. I do have a question though about my USB drive. Shouldn't AG be blocking the running of .bat files?
     
  13. 1000db

    1000db Registered Member

    Joined:
    Jan 9, 2009
    Posts:
    718
    Location:
    Missouri
    I don't believe AG blocks bat files or msi's either. I am able to run batch files even with cmd.exe guarded.
     
  14. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
    Interesting. I could swear that when running AG on XP I had to make an exception for two bat files on my USB storage drive. The bat files are used to turn SRP on or off without having to do it from Local Security. On Win 7 they execute. Maybe I was wrong about XP. I also have cmd.exe guarded but was under the impression that it would execute everywhere except user space and external drives.
     
  15. 1000db

    1000db Registered Member

    Joined:
    Jan 9, 2009
    Posts:
    718
    Location:
    Missouri
    I need to make a correction. I am able to run .bat's from the desktop (with cmd.exe guarded), users, or program data; but not from a USB.
     
  16. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    Hi All,

    With AppGuard 1.3, as some here have observed, .bat files will "run" regardless of their location. One can 'guard' and/or apply 'privacy mode' to cmd.exe to restrict .bat file actions just as one does when doing the same to IE.

    Just a couple of weeks ago, we released a new version of AppGuard Enterprise and EdgeGuard that extends "drive-by download" and USB protections to suppress .bat files from launching at all from user-space and USB thumb drives. Without doubt, this will be included in AppGuard, version 1.4.

    I'll provide more details and release estimate as soon as I can.

    Cheers,

    Eirik
     
  17. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    Is AppGuard reporting that it blocked the .bat launch from your USB?
     
  18. 1000db

    1000db Registered Member

    Joined:
    Jan 9, 2009
    Posts:
    718
    Location:
    Missouri
    Yes. I can't launch any file from a USB drive with AG protection enabled. It is odd that .msi's will launch from Userland without a peep from AG. I suppose msiexec.exe should be guarded though...right?
     
  19. Pinga

    Pinga Registered Member

    Joined:
    Aug 31, 2006
    Posts:
    1,420
    Location:
    Europe
    Whatever happened to EdgeGuard Solo?
     
  20. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    I wouldn't expect AppGuard to block the launch of a .bat file from a USB drive. That AppGuard is reporting that it is in fact blocking the .bat file is more so. The next version of AppGuard is supposed to do just what you're observing. I've asked an engineer to check 'my facts'.

    On MSI files, yes you can guard msiexec.exe. However, doing so can significantly disrupt legit activities. For example, if Windows updates were set at automatic, this guarding could disrupt updates. So, do so cautiously, looking for issues. We've been working this MSI issue and have something under development that may not make it into the next AppGuard release.

    Cheers,

    Eirik
     
  21. Ibrad

    Ibrad Registered Member

    Joined:
    Dec 8, 2009
    Posts:
    1,972
    I have still been able to find it on their site if you Google hard enough, but from what I can tell it looks like it has been discontinued.
     
  22. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    EdgeGuard Solo is my first child (in anti-malware). Unfortunately, I can't send her back to school until the economy picks up. So, I'm afraid I don't have a satisfactory answer to your question.

    Sorry,

    Eirik
     
  23. 1000db

    1000db Registered Member

    Joined:
    Jan 9, 2009
    Posts:
    718
    Location:
    Missouri
    02/03/10 20:19:23 Prevented launching from Removable Mass Storage Device.

    Above is what AG reports after trying to run a .bat file from a USB flash drive.
     
  24. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    Hi Eirik,

    Any news on when 64-bit Windows 7 may be supported? I would like to make the move from 32-bit Windows XP to 64-bit Windows 7 soon, but the one thing that is deterring me is that I would have to give up AppGuard, which I am reluctant to do.

    Regards
     
  25. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    Will 1.4 include the Opera web-browser in its default configuration?
     