Why not just AppGuard?

Discussion in 'other anti-malware software' started by chris1341, Oct 22, 2011.

Thread Status:
Not open for further replies.
  1. chris1341

    chris1341 Guest

    Evening All,

    I'm getting more and more keen on AppGuard in 'lock-down' mode.

    I guess my view is that it prevents guarded apps from writing to anywhere that a file can execute (system space) and prevents execution from where they can write to (user space). This to me is pretty bullet-proof so I've been using it on its own with Windows firewall and some OD scanners.

    I appreciate my risk is that I have to install something sometime but I'm happy to use OD scanners, lite-virtualisation, VMs and VT/Jotti etc before lowering protection to install.

    I'd like some views on what, if any, risk areas AppGuard does not cover and get some suggestions from AppGuard users as to what they pair with this great little programme, preferably in lock-down mode on Win 7 64 bit.

    Sandboxie does not work well in 'lock-down' on 64 bit for me or would have been the default choice.

    Thanks in advance.
     
  2. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,279
    Location:
    UK
    AppGuard pairs very well with a lightweight virtualization application such as Returnil or Shadow Defender. The combination of system-wide policy restriction and system-wide virtualization is about as close to bullet-proof as it's possible to get IMO. Sandboxie is excellent but doesn't run well on my system for some reason.

    I use a combination of AppGuard and Shadow Defender with no real-time AV. I also use the Comodo Firewall but that's because I happen to like it; I would feel just as secure using the Windows firewall. Although I'm currently on 32-bit Windows XP, I see no reason to change my setup when I get a 64-bit machine next year.


    EDIT: As you also asked about the risk areas of using AppGuard alone, I thought I'd better expand on this a little.

    For me, the main risk would be if a banking trojan got onto the system. Although unlikely, the consequences could be severe if my bank credentials or credit card details got stolen while banking or shopping online. I am less concerned about the machine itself getting infected because, in the unlikely event that it did, I can always restore the system from a clean Acronis image.

    The main advantage for me of using a disk virtualization application is that a reboot prior to banking or shopping eliminates the small risk that something nasty might have got past AppGuard and onto the virtual system.
     
    Last edited: Oct 22, 2011
  3. chris1341

    chris1341 Guest

    Thanks. Good points. How is the banking trojan executing with AppGuard (other than me erroneously allowing it)?
     
  4. pintas

    pintas Registered Member

    Joined:
    Apr 2, 2010
    Posts:
    171
    Why not just Comodo's D+? :)
    You can do practically the same with more stability, and it's free.
    I could never recommend AppGuard, but maybe that's just me.
     
  5. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    free is better ;)
     
  6. Kernelwars

    Kernelwars Registered Member

    Joined:
    Aug 12, 2010
    Posts:
    2,155
    Location:
    TX
    couldn't agree more :thumb:
     
  7. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,279
    Location:
    UK
    It shouldn't but I prefer to have that little bit of extra security just in case AppGuard ever gets bypassed. Because I do a lot of banking and shopping online, I prefer not to rely on a single approach to security, however good, as the consequence of getting compromised could be severe even if the risk is low.

    One of the things that makes Sandboxie so good is the combination of virtualization and policy restriction within a single application. AppGuard combined with a lightweight virtualization program achieves a similar thing to Sandboxie on a system-wide basis.
     
  8. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,279
    Location:
    UK
    Actually, they complement each other quite well as the feature sets are different. Just to give one example: A feature that AppGuard has, which is missing from Defense+, is the ability to lock down read access to private and confidential data.

    I run Comodo Firewall with Defense+ alongside AppGuard, and they're both stable on my system. Both run very light with no conflicts, slowdowns, or other performance issues.
     
  9. tomazyk

    tomazyk Guest

    Not necessarily. IMO Sandboxie Paid is better than Sandboxie Free :)


    Back on topic - I agree with OP and also love the lock-down setup. I use a combination of MD and SBIE to achieve similar protection. I haven't tried AppGuard yet but will test it on a VM to see if it could be my cup of tea.

    I also agree with pegr that adding light virtualisation would make your setup almost impenetrable.
     
  10. chris1341

    chris1341 Guest

    I find it strange how many threads about seemingly unconnected subjects become Comodo threads. Since you ask, though, I simply don't trust the Comodo whitelist or sandbox, and without them D+ is a pop-up nightmare. AppGuard is silent. I have experience of both the whitelist and sandbox allowing things I'd rather have blocked, so.......

    I'm also using AppGuard on 64 bit so prefer the straightforward 'deny' rather than relying on HIPS that may be restricted in protection scope by PatchGuard.

    Not always, there are some free products talked about here you would have to pay me to use :)
     
  11. chris1341

    chris1341 Guest

    Thanks Tomazyk. I was using Shadow Defender (and still do on-demand) but others use this machine too who would not necessarily know how to 'commit' what they want to save, and I've had issues with the SD Exclusion folders not saving to the real system, causing family members some real issues. Returnil, even with the AV part disabled, is too heavy for me, and the others I tried only protect the system partition; I'd like all partitions covered.

    Ideally I'd use Sandboxie and I know others have managed it but on Win 7 64 bit it won't happen for me. I did run them both happily on Vista 32.
     
  12. tomazyk

    tomazyk Guest

    I also couldn't get used to having system-wide virtualisation, but Sandboxie is just perfect for my security needs.

    I hope you'll find the solution to your problem and use it on 64 bit OS.
     
  13. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,279
    Location:
    UK
    I suspect the reason for this is a difference in philosophy between the two applications.

    The basic philosophy behind Comodo Firewall, as I understand it, is 'deny the unknown'. The philosophy behind AppGuard on the other hand could be expressed as 'restrict the unsafe'. There are many Internet-facing applications - browsers, mail clients, etc - that are known good programs but their allowed behaviour needs to be restricted because of their potential to be exploited by malware.

    All that's needed with AppGuard is to add high risk programs to the guard list and AppGuard does the rest, silently blocking potentially dangerous behaviour according to a predefined policy chosen by the experts at Blue Ridge Networks. This approach works very well for applications that are already installed, and is potentially stronger than the approach used by Comodo Defense+, which tends to be overly permissive towards known good applications on its whitelist.

    AppGuard has two weaknesses though. Firstly, if an unguarded application in System-Space gets exploited by malware, AppGuard may not do much to prevent it. Secondly, the AppGuard protection level must be lowered to install new software.

    Comodo Defense+ has the advantage that it never needs to be disabled or the protection level lowered, and it is constantly monitoring untrusted applications for potentially dangerous behaviour, which it will alert on. This is especially useful when installing software where the AppGuard protection level has been lowered.

    It's because they are different that they can be used effectively together. AppGuard provides security for all guarded applications and unguarded applications in User-Space, and Comodo Defense+ provides security for all applications, including unguarded applications in System-Space.

    BTW I'm not recommending Comodo Firewall, just analysing and drawing out some of the differences between AppGuard and a classical HIPS like Defense+. Both programs provide excellent security, either separately or together.
     
    Last edited: Oct 23, 2011
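As an added example (not code from this thread, from AppGuard or from Blue Ridge Networks), the location-based lock-down rules described in posts 1 and 13 modelled as a small policy function, including the unguarded System-Space gap pegr points out; the process names, paths and the System-Space prefix list are constructed assumptions for illustration only:

```python
# Toy model of the lock-down policy described in the thread (constructed, not vendor code):
# guarded apps may not write into System-Space and may not execute from User-Space;
# unguarded apps are not restricted, which is the gap discussed in post 13.

# Assumed System-Space prefixes (trusted, executable locations).
SYSTEM_SPACE = ("C:\\Windows\\", "C:\\Program Files\\")
# Assumed guard list of high-risk, Internet-facing programs.
GUARDED = {"browser.exe", "mail.exe"}


def in_system_space(path: str) -> bool:
    """True when the path sits under one of the System-Space prefixes."""
    low = path.lower()
    return any(low.startswith(p.lower()) for p in SYSTEM_SPACE)


def decide(proc: str, action: str, path: str) -> str:
    """Return 'allow' or 'deny' for a (process, action, path) event."""
    if proc not in GUARDED:
        return "allow"            # unguarded: the policy says nothing (coverage gap)
    if action == "write" and in_system_space(path):
        return "deny"             # guarded app cannot alter System-Space
    if action == "execute" and not in_system_space(path):
        return "deny"             # guarded app cannot run from User-Space
    return "allow"


def run_chain(events):
    """Walk a drop-then-run chain and report the first step the policy stops."""
    for i, (proc, action, path) in enumerate(events):
        if decide(proc, action, path) == "deny":
            return f"blocked at step {i}: {proc} {action} {path}"
    return "chain completed (not stopped by the policy)"


# Constructed scenarios: a guarded browser dropping and running a file in User-Space,
# a guarded browser writing into System-Space, and an unguarded System-Space app.
DRIVE_BY = [("browser.exe", "write", "C:\\Users\\Amy\\AppData\\Local\\Temp\\drop.exe"),
            ("browser.exe", "execute", "C:\\Users\\Amy\\AppData\\Local\\Temp\\drop.exe")]
SYSTEM_TAMPER = [("browser.exe", "write", "C:\\Windows\\System32\\evil.dll")]
UNGUARDED_APP = [("updater.exe", "write", "C:\\Windows\\System32\\evil.dll"),
                 ("updater.exe", "execute", "C:\\Windows\\System32\\evil.dll")]

if __name__ == "__main__":
    for name, chain in [("drive-by", DRIVE_BY), ("system tamper", SYSTEM_TAMPER),
                        ("unguarded system-space app", UNGUARDED_APP)]:
        print(f"{name}: {run_chain(chain)}")
```

The third scenario completes untouched, which is the case pegr suggests covering with a second layer such as a HIPS or virtualisation.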
  14. chris1341

    chris1341 Guest

    Thanks Pegr, a good summary of the differences of the 2 approaches.

    Actually I had set Comodo to 'block' unknown in the execution control settings and (what I consider at least) an insidious little spyware PUP was allowed to be installed by my daughter without a peep from Comodo because it was signed ('scanned online and found safe'). With AppGuard that would not have happened. My intervention would have been required and I would have seen the 30/44 vendors on VT flagging it as bad.

    I also agree with your previous point that a real time back-up to AppGuard is required hence the OP.

    Cheers
     
  15. buckslayr

    buckslayr Registered Member

    Joined:
    Jun 1, 2009
    Posts:
    484
    Location:
    Michigan, USA
    What about something like PrivateFirewall? Would that be a good choice to add to AppGuard and allow me to not use a real-time AV?
     
  16. 1chaoticadult

    1chaoticadult Registered Member

    Joined:
    Oct 28, 2010
    Posts:
    2,248
    Location:
    Chaotic Land
    I would say for a 32-bit OS, PrivateFirewall would be a nice companion to AppGuard.
     
  17. buckslayr

    buckslayr Registered Member

    Joined:
    Jun 1, 2009
    Posts:
    484
    Location:
    Michigan, USA
    Why not 64-bit? Does it have a weakness that's not present in 32-bit?
     
  18. chris1341

    chris1341 Guest

    PW have not been as successful at getting around the PatchGuard restrictions on 64 bit as others, but in conjunction with AppGuard it might work well.
     
  19. buckslayr

    buckslayr Registered Member

    Joined:
    Jun 1, 2009
    Posts:
    484
    Location:
    Michigan, USA
    Thanks. I'm giving it a try.
     
  20. chris1341

    chris1341 Guest

    Excellent. Feedback on how you get on please.

    Thanks
     
  21. molhopicante

    molhopicante Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    112
    May I use OA free instead of Comodo (with AppGuard)?

    Thanks.
     
  22. buckslayr

    buckslayr Registered Member

    Joined:
    Jun 1, 2009
    Posts:
    484
    Location:
    Michigan, USA
    Running good so far. Haven't noticed any conflicts yet. Will be installing on my daughter's 64-bit laptop tonight. Will see how PrivateFirewall fares.
     
  23. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    buck, you talked me into it. The reality is this is all you need.
     
  24. buckslayr

    buckslayr Registered Member

    Joined:
    Jun 1, 2009
    Posts:
    484
    Location:
    Michigan, USA
    Good choice. It really is awesome.
     
  25. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    agree :thumb:
     