AppGuard - General Impression

Status
Not open for further replies.
H

hjlbx

Thread author
Hello,

This is a short review of Blue Ridge Software's AppGuard.

Pros:
  • Simple installation.
  • Uses very little system resources (approximately 4 MB RAM).
  • Unobtrusive.
  • Effective (extremely).
  • Block events are recorded in Windows Events Viewer.
  • Comprehensive help file.
  • Learning to use and configure can be achieved with moderate effort.
  • Once completely configured it is essentially "set-it-and-forget-it"; occasional maintenance may be required - dependent upon how extensively new softs are added.
  • Extremely robust self-protection.
  • User can create a Trusted Publisher list to allow for softs updates in Medium Mode.
  • Can run all Windows Command Line utilities... even in "Lock-Down" mode without any settings changes (important only to advanced users).
Cons:
  • User-interface is out-dated and cumbersome.
  • Configuration is a manual affair that can make for a "busy" user experience.
  • Getting some applications to work properly\as-intended while in "Lock-Down" Mode requires advanced configuration.
  • Cannot add dll that functions as an executable to the "Guard List."
  • User manual is out-dated in some areas and infos are not always clear.
  • AppGuard terminology is not intuitive.
  • Novice will have difficulty making required "Lock-Down" Mode configurations.
  • Cannot export configuration\settings.
  • Block notifications consist of flashing tray icon; easily missed.
  • Configuration changes must be made "as-you-go."
  • Not really suitable for those that are continually installing\un-installing softs; works extremely well on static systems.
  • There are some minor GUI quirks that may cause confusion, but nothing that a seasoned security software user won't figure out in short order.
NOTE:

You cannot rely exclusively upon AppGuard, or any anti-executable for that matter, to protect your system. Please do as AppGuard recommends and use an AV and firewall... Windows Defender and Windows Firewall are the bare minimum.

Additionally, AppGuard will not protect against software vulnerability exploits, in and of themselves. Please do as AppGuard recommends and add any apps that use data\files downloaded from the internet to the "Guard List." For example, I placed Microsoft Office apps, Adobe Acrobat & Flash, Windows Media Player, Oracle's Java\Java Runtime Environment - the most exploited apps - into the "Guard List." It requires a bit of a rigmarole to configure writes to some protected folders, but nothing too onerous. The pay-off for your efforts is extremely robust protection.

General Impression:

On my W8.1 AMD system Blue Ridge Network's AppGuard has performed completely as described. It blocks executables, scripts, installers, dlls - you name it - when launched from designated "User Space" directories (= specific pre-defined locations on the PC).

It works... and works very well. As an anti-executable it is a first-rate product. Plus, it offers additional protections - memory and folder - that other anti-executables do not.

On my system I am able to update Windows even in "Lock-Down" Mode. With other software I am able to update while in "Medium" Mode. From reading various reports are the security software forums, others have problems with updating software while using AppGuard... so the issue appears to be system specific.

Despite my best efforts to disable AppGuard processes\service using GMER and IT Hurricane's Power Tool, I could not mess with it in the least.

What I find irksome about AppGuard is the out-dated \ "clunky" user-interface.

When AppGuard blocks an action it is recorded in its Activity Report. The block infos in that report are critical to properly configure AppGuard to permit some apps to function.

I find that accessing the Activity Report is not convenient. Its window cannot be enlarged\minimized; it is a static, one size window and many of the log entries extend beyond the viewable window - constantly requiring the use of the right-left scroll-bar.

To determine which apps to add to the "Guard List" or to create folder\file exclusions I have to constantly refer to the Activity Report for blocked events. This whole process is a tedious, cumbersome affair due completely to the user interface; configuration involves a lot of copy-paste actions and file\folder queries.

It would be a real convenience if there was a right-click, context menu "Add to Guard List \ Folder Exclusion" from within the Activity Report message.

In any case, all blocking events can be accessed in the Windows Events Viewer. I export a report of AppGuard events and use the infos to make necessary adjustments. This method is a bit more user-friendly despite requiring a few more steps.

It would be convenient here if there were a link to the Windows Events Viewer from within AppGuard.

The task bar icon cannot be used to minimize the GUI... and it doesn't bring it to the front when the AppGuard Help file is open. In fact, there is no way to minimize the GUI; it can only be closed.

I would much prefer a pop-up notification system as the current one is easily overlooked... or at least one that can be enabled\disabled at the user's discretion. Other softs I have used have an unobtrusive pop-up that demands attention. I'd much rather notice a notification immediately when a block event occurs so that I can make any necessary configuration adjustments at that moment... instead of having to go back and pour over the Activity Report log to see what was blocked. So, in short, a user has to keep a close eye on the tray notification... which, to me, is an inconvenience. A real convenience would be a means to add objects to the Guard List or Folder Exceptions from within an alert.

It is not difficult to learn to use. I rate Learnability as about average. The concepts aren't difficult to understand, although learning the terminology may take a minute. "Lock-Down" configuration requires more than a novice would know... for example that any apps that launch from data or temp folders need to be added to the "Guard List" to function in "Lock-Down" Mode.

If Blue Ridge makes the interface more user-friendly it will make for a much better user experience. In fact, the user interface is the only real complaint... as I understand that with the type of protection that it offers, AppGuard requires a good bit of manual configuration... the user-interface just makes configuration a real rigmarole.

I am a huge advocate of the default-deny protection model... and AppGuard's protection is probably the best to be had in the anti-executable class. If you are willing to put forth the effort to configure it such that apps will work in "Lock-Down" Mode, then... as far as what I am seeing, no other anti-executable can match its protections.

NOTE:

I tested the current beta against Malware1's by-pass. Blue Ridge fixed it.

Just to make sure I tried a similar bypass using Power Shell. File execution was blocked by AppGuard.
 
Last edited by a moderator:

Tony Cole

Level 27
Verified
May 11, 2014
1,639
Is AppGuard similar to VoodooShield, and if so, which one is better? I am currently trying Voodooshield and it's okay, takes along-time to set-up the white list.
 
H

hjlbx

Thread author
Is AppGuard similar to VoodooShield, and if so, which one is better? I am currently trying Voodooshield and it's okay, takes along-time to set-up the white list.

The current leading anti-executables (AEs): AppGuard, NoVirusThanks Exe Radar Pro, and VooDooShield.

All anti-executables require time-intensive configuration.

AppGuard blocks executables based upon file path (directory).

VooDooShield and NVT ERP block executables that are not white-listed.

AppGuard is more powerful (has memory and privacy guards), but requires advanced configuration for apps to work in "Lock-Down" Mode.

VDS and NVT ERP offer ease-of-use and will be less likely to require configurations to get apps to work.

Tony, it comes down to personal preference.

I like VooDooShield. If it is working well for you, then I would say stick with it...
 

Av Gurus

Level 29
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
Sep 22, 2014
1,767
but only Voodoo Shields is FREE
 
H

hjlbx

Thread author
but only Voodoo Shields is FREE

NoVirusThanks Exe Radar Pro will be free upon release of next stable version.

There are links to the most recent beta (which is without issue) here at MT.
 
H

hjlbx

Thread author
Why do so few people use anti-executables? Inconvenience?

It makes no sense... it's the one almost bulletproof means of protecting a system in probably 98 % of cases.

Default-deny (system app white-listing) should be the bed-rock foundation of every security config... just my opinion.

System app white-listing is a whole lot more manageable than trying to black-list everything else.
 

Oxygen

Level 44
Verified
Feb 23, 2014
3,316
I really do enjoy these General Impression threads, please keep making these types of threads.
 

DrySun

Level 1
Verified
Jul 8, 2014
23
Why do so few people use anti-executables? Inconvenience?
For me it is an inconvenience. I've only done application whitelisting throught Windows 8 family security feature and typing the administrator password for every executable is time-consuming. I use many applications on my computer so it is a complete drag to setup. I haven't looked into third party solutions but I will most likely give it a go when I reformat my computer.
 
H

hjlbx

Thread author
For me it is an inconvenience. I've only done application whitelisting throught Windows 8 family security feature and typing the administrator password for every executable is time-consuming. I use many applications on my computer so it is a complete drag to setup. I haven't looked into third party solutions but I will most likely give it a go when I reformat my computer.

Hello DrySun,

If you are tedious-configuration-averse, then VooDooShield or NoVirusThanks Exe Radar Pro will probably satisfy you.

Of the two, VooDooShield will be easier to configure... I like it.
 
  • Like
Reactions: DrySun

Overkill

Level 31
Verified
Honorary Member
Feb 15, 2012
2,128
Why do so few people use anti-executables? Inconvenience?

It makes no sense... it's the one almost bulletproof means of protecting a system in probably 98 % of cases.

Default-deny (system app white-listing) should be the bed-rock foundation of every security config... just my opinion.

System app white-listing is a whole lot more manageable than trying to black-list everything else.

Whitelisting is the future, blacklisting is hopeless since there's so much malware being created daily.
 

Rolo

Level 18
Verified
Jun 14, 2015
857
Put all your eggs in one basket, watch that basket! is how the quote goes. The problem with whitelists is that they aren't complete. When a program isn't whitelisted, then what? The user has to decide but with what other information does the user have in which to make a decision? Scans...

If you've already adopted a "I'm never running anything that isn't made by a big, trusted developer with a long enough file age and is popular enough with millions of installs" then why have security software at all?

Note: I'm not saying whitelists aren't useful; they're just limited in their current implementation. I'm an advocate of free market competition but this is a situation where collaboration would likely be win-win for all.
 
H

hjlbx

Thread author
Put all your eggs in one basket, watch that basket! is how the quote goes. The problem with whitelists is that they aren't complete. When a program isn't whitelisted, then what? The user has to decide but with what other information does the user have in which to make a decision? Scans...

If you've already adopted a "I'm never running anything that isn't made by a big, trusted developer with a long enough file age and is popular enough with millions of installs" then why have security software at all?

Note: I'm not saying whitelists aren't useful; they're just limited in their current implementation. I'm an advocate of free market competition but this is a situation where collaboration would likely be win-win for all.

Essentially all the white-listing is left completely to the user...

So, clean install OS, install AE, do not connect to internet, whitelist installed apps, lockdown PC...

Afterwards, install desired softs - and white-list them as they are installed.

NOTE: I use off-line soft installers to configure system immediately after clean installing OS; in this way I do not have to connect to internet prior to installing AE. This is my preferred method, but the one outlined above works just as well...
 
Last edited by a moderator:
D

Deleted member 178

Thread author
When a program isn't whitelisted, then what? The user has to decide but with what other information does the user have in which to make a decision? Scans...

hash, VT, google :D
 
D

Deleted member 178

Thread author
Essentially all the white-listing is left completely to the user...

So, clean install OS, install AE, do not connect to internet, whitelist installed apps, lockdown PC...

exactly what i do with AG and ERP
 
Status
Not open for further replies.

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top