64 bit systems and HIPS

koletz

Level 1
Aug 26, 2011
18
How does AppGuard protect the 64 bit OS, and does it too have limitations??

Suffering from lack of time, I can make my input about it later; tested it in the past, a long time ago, on 7x64 and was impressed, nice piece of soft.
Every app has limitations on x64 8/10 until they hack.
OS producer did this "for security purposes" ;)))
 

jamescv7

Level 85
Verified
Honorary Member
Mar 15, 2011
13,070
Here is the problem with such a concept: HIPS are sometimes passive or aggressive; however, the range of blocking differs, unlike AppGuard, which is definitely default-deny without any contradictions.

So if the file meets a dangerous ruleset, then it is already blocked.

It's risky if the payload or whatsoever is blocked but not the main program itself, because of possible side effects to mutate.
 

Deleted member 178

How does AppGuard protect the 64 bit OS, and does it too have limitations??

No limitations between 32 and 64 bit.

Yep, AppGuard is my first installed piece of security software after I tweaked my OS; I know that with it, it has my back (in case my security tweaks are bypassed). I use it only in Lockdown Mode and wiped the vendor list except MS.
 

Tony Cole

Level 27
Verified
May 11, 2014
1,639
How does AppGuard manage to stop limitations on 64bit systems and Kaspersky cannot? I've followed all of hjlbx advice on here and Wilders to make AppGuard more secure.
 

XhenEd

Level 28
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 1, 2014
1,708
How does AppGuard manage to stop limitations on 64bit systems and Kaspersky cannot? I've followed all of hjlbx advice on here and Wilders to make AppGuard more secure.
Maybe because it works differently than any other security software. :)
I'm not sure of the exact reasons why. @hjlbx and @Umbra surely know.

And AppGuard is not categorized as a HIPS, but more in the anti-exe category.
 

Deleted member 178

How does AppGuard manage to stop limitations on 64bit systems and Kaspersky cannot? I've followed all of hjlbx advice on here and Wilders to make AppGuard more secure.

Because AppGuard isn't a HIPS, it is an anti-executable, and as far as I know, it doesn't need kernel hooks to do the job since it doesn't need to monitor every behavior. It just blocks everything, good or not.
 

shmu26

Level 85
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
I am not an AppGuard user myself (it's kind of expensive), but I have heard that when you install a new program, you need to disable AppGuard. So that is the downside: it won't give you step by step control during installation of an app you don't totally trust. Other solutions will tell you what is happening every step of the way, so you can block when things look suspicious.
The total lockdown people like to use AppGuard + another solution such as ReHIPS or NVT ERP.
 

hjlbx

I am not an AppGuard user myself (it's kind of expensive), but I have heard that when you install a new program, you need to disable AppGuard. So that is the downside: it won't give you step by step control during installation of an app you don't totally trust. Other solutions will tell you what is happening every step of the way, so you can block when things look suspicious.
the total lockdown people like to use AppGuard + another solution such as ReHIPS or NVT ERP

Installation of a malicious program is essentially the same as the installation of a malicious program. Even if a user does monitor every step of the installation process, it is highly unlikely that anyone will recognize a single malicious behavior - and the system will be infected. Furthermore, even if a user practices a whole bunch with malware using a HIPS, that user will still probably not identify "malicious" behavior as alerts appear.

Disabling Appguard is not the issue. Not fully inspecting a file before installing\executing it on the system is the issue. In the first place, if you have any doubts whatsoever about a file, then you shouldn't execute it on your system without pre-execution inspection and using a means to revert your system to a pre-infection state.

Technically, the correct solution is not to execute the unknown\untrusted file at all; if you execute an unknown\untrusted file, then it can potentially defeat your entire security config right out of the gate. That's the premise of locked down security. The locked down security model patches the security holes permitted by more traditional security softs.
 

shmu26

Level 85
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
Installation of a malicious program is essentially the same as the installation of a malicious program. Even if a user does monitor every step of the installation process, it is highly unlikely that anyone will recognize a single malicious behavior - and the system will be infected. Furthermore, even if a user practices a whole bunch with malware using a HIPS, that user will still probably not identify "malicious" behavior as alerts appear.

Disabling Appguard is not the issue. Not fully inspecting a file before installing\executing it on the system is the issue. In the first place, if you have any doubts whatsoever about a file, then you shouldn't execute it on your system without pre-execution inspection and using a means to revert your system to a pre-infection state.

Technically, the correct solution is not to execute the unknown\untrusted file at all; if you execute an unknown\untrusted file, then it can potentially defeat your entire security config right out of the gate. That's the premise of locked down security. The locked down security model patches the security holes permitted by more traditional security softs.
Thanks @hjlbx, that sets the record straight.
 

Deleted member 178

Disabling Appguard is not the issue. Not fully inspecting a file before installing\executing it on the system is the issue. In the first place, if you have any doubts whatsoever about a file, then you shouldn't execute it on your system without pre-execution inspection and using a means to revert your system to a pre-infection state.

That is why SmartScreen is so important; it is one of the strongest MS features. If you get an alert from it, just VT the file to be sure.
 

shmu26

Level 85
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
if you have any doubts whatsoever about a file, then you shouldn't execute it on your system without pre-execution inspection and using a means to revert your system to a pre-infection state.
I can't argue the point, but I do think it's good to keep an eye open during installation, because it is becoming increasingly common these days for known and trusted sites to get hacked, and provide malicious downloads going by the old and familiar names. Even careful people can get fooled by that kind of thing.
 

hjlbx

I can't argue the point, but I do think it's good to keep an eye open during installation, because it is becoming increasingly common these days for known and trusted sites to get hacked, and provide malicious downloads going by the old and familiar names. Even careful people can get fooled by that kind of thing.

Even a Cuckoo sandbox isn't 100% reliable. For example, there are none that I know of that will catch malicious self-extracting archives (SFX).

That's why it is important to be able to roll back the system to a pre-infection state or contain the malware in a deletable sandbox:
  • Rollback RX Pro
  • Rollback RX Home
  • Drive Vaccine RX
  • Reboot Restore RX
  • Shadow Defender
  • ToolWiz Time Freeze
  • Sandboxie
  • COMODO Internet Security
  • COMODO Cloud Antivirus
  • ReHIPS (not rollback, but isolated user profile)
  • Macrium Reflect with Delta Rapid Restore
  • Other system restore softs
 

shmu26

Level 85
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
Even a Cuckoo sandbox isn't 100% reliable. For example, there are none that I know of that will catch malicious self-extracting archives (SFX).

That's why it is important to be able to roll back the system to a pre-infection state or contain the malware in a deletable sandbox:
  • Rollback RX Pro
  • Rollback RX Home
  • Drive Vaccine RX
  • Reboot Restore RX
  • Shadow Defender
  • ToolWiz Time Freeze
  • Sandboxie
  • COMODO Internet Security
  • COMODO Cloud Antivirus
  • ReHIPS (not rollback, but isolated user profile)
  • Macrium Reflect with Delta Rapid Restore
  • Other system restore softs
Yep, if you can't get your system back to the way it was, you are simply burning your bridges.
 

Behold Eck

Level 15
Verified
Top Poster
Well-known
Jun 22, 2014
717
Even a Cuckoo sandbox isn't 100% reliable. For example, there are none that I know of that will catch malicious self-extracting archives (SFX).

That's why it is important to be able to roll back the system to a pre-infection state or contain the malware in a deletable sandbox:
  • Rollback RX Pro
  • Rollback RX Home
  • Drive Vaccine RX
  • Reboot Restore RX
  • Shadow Defender
  • ToolWiz Time Freeze
  • Sandboxie
  • COMODO Internet Security
  • COMODO Cloud Antivirus
  • ReHIPS (not rollback, but isolated user profile)
  • Macrium Reflect with Delta Rapid Restore
  • Other system restore softs

Big yup to all the above; the only addition needed imo would be outbound firewall monitoring to deny "phoning home" or data theft.

Regards Eck:)
 

hjlbx

Big yup to all the above; the only addition needed imo would be outbound firewall monitoring to deny "phoning home" or data theft.

Regards Eck:)

If you lock down your system, then an outbound firewall isn't absolutely needed. On top of that, a home bound system doesn't need an outbound firewall whereas a laptop that is often used in public wifi hotspots does need one.

The usefulness of an outbound firewall is a debatable topic.

An outbound firewall is, at best, a just-in-case measure that has limited protection under certain circumstances. Malware can easily bypass a firewall. For example, by employing a simple hollow process or by abusing a trusted Windows process - not to mention the use of more advanced firewall bypass techniques that a firewall will not\cannot detect.

If you do use an outbound firewall and get an alert, your system is already compromised and, technically, it is too little, too late.

However, I do agree that an outbound firewall notification might be the only alert you get that indicates there might be a potential problem. So in that specific case I think an outbound firewall has value.

When I do use an outbound firewall, I select TinyWall - which is freeware and blocks all outbound network activity that does not have an existing out rule. TinyWall is a default-deny outbound firewall. It has no alert capability (it does not generate alerts). Its downside is that without any alerts, the user has no idea something has been blocked (safe, unsafe, or unknown) - other than the fact that the soft might not work. Because of this fact, TinyWall is better suited to IT security enthusiasts. A better solution for a beginner\novice would be along the lines of Emsisoft Internet Security or similar.
 

Behold Eck

Level 15
Verified
Top Poster
Well-known
Jun 22, 2014
717
If you lock down your system, then an outbound firewall isn't absolutely needed. On top of that, a home bound system doesn't need an outbound firewall whereas a laptop that is often used in public wifi hotspots does need one.

The usefulness of an outbound firewall is a debatable topic.

An outbound firewall is, at best, a just-in-case measure that has limited protection under certain circumstances. Malware can easily bypass a firewall. For example, by employing a simple hollow process or by abusing a trusted Windows process - not to mention the use of more advanced firewall bypass techniques that a firewall will not\cannot detect.

If you do use an outbound firewall and get an alert, your system is already compromised and, technically, it is too little, too late.

However, I do agree that an outbound firewall notification might be the only alert you get that indicates there might be a potential problem. So in that specific case I think an outbound firewall has value.

When I do use an outbound firewall, I select TinyWall - which is freeware and blocks all outbound network activity that does not have an existing out rule. TinyWall is a default-deny outbound firewall. It has no alert capability (it does not generate alerts). Its downside is that without any alerts, the user has no idea something has been blocked (safe, unsafe, or unknown) - other than the fact that the soft might not work. Because of this fact, TinyWall is better suited to IT security enthusiasts. A better solution for a beginner\novice would be along the lines of Emsisoft Internet Security or similar.

While outbound control might not be considered essential, it's still a very useful tool imo in a sandboxing situation, where technically the system has been compromised (but not really, as it's sandboxed), to stop any leak dead in its tracks.

Never tried TinyWall, probably because of the non-alerts, but am very happy with Comodo's outbound screening, not to mention the excellent auto-sandboxing.

Yes, as long as you've got the main bases covered then all the other add-ons are debatable. I just happen to like knowing what's connecting out anyway, even under "normal" circumstances.

Regards Eck:)
 

hjlbx

While outbound control might not be considered essential, it's still a very useful tool imo in a sandboxing situation, where technically the system has been compromised (but not really, as it's sandboxed), to stop any leak dead in its tracks.

Never tried TinyWall, probably because of the non-alerts, but am very happy with Comodo's outbound screening, not to mention the excellent auto-sandboxing.

Yes, as long as you've got the main bases covered then all the other add-ons are debatable. I just happen to like knowing what's connecting out anyway, even under "normal" circumstances.

Regards Eck:)

I agree with you.

I think, generally, an outbound firewall with alerts for most users is a good thing. It's very unfortunate that this is not an integral capability of Windows Firewall.

* * * * *

If you use COMODO Internet Security and set the firewall to block all outbound connections for Untrusted\Unknown processes (which means that they should be auto-sandboxed), then that is exactly what TinyWall does (without any sandboxing). The firewall behavior is identical for both products... with that firewall setting, COMODO does not generate any alerts and TinyWall does the same - always.

The advantage to COMODO is that you can set the firewall to generate alerts.

As for sandboxing, rollback or user profile isolation with the ability to delete the maliciously modified user profile and "regenerate" the complete clean, base-line user profile are more comprehensive and effective protection mechanisms.

But I do admit, this gets into "splitting hairs" territory...
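The default-deny outbound behaviour hjlbx describes for TinyWall (and the equivalent COMODO setting) can be reproduced with the stock Windows Firewall; the script below is an added illustration, not code from the thread, TinyWall or COMODO. It assumes Windows 8/Server 2012 or later (the NetSecurity cmdlets), an elevated PowerShell session, and placeholder program and service names that you would replace with what is actually installed.

```powershell
# Added example: TinyWall-style default-deny outbound policy built from the
# built-in Windows Firewall, plus a drop log in place of the alerts it lacks.
# Assumptions: NetSecurity module present, elevated session; the program
# path and service name in $allowOut are placeholders, not real settings.
#Requires -RunAsAdministrator

$profiles = 'Domain', 'Private', 'Public'
$logFile  = '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'

# 1. Default-deny in both directions on every profile. The stock "Core
#    Networking" rules (DNS, DHCP, ...) remain enabled, so name resolution
#    keeps working; anything else without an allow rule is silently dropped.
Set-NetFirewallProfile -Profile $profiles -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Block

# 2. Log dropped packets. With no pop-ups, this file is the only place a
#    blocked program (safe, unsafe or unknown) ever shows up.
Set-NetFirewallProfile -Profile $profiles -LogBlocked True -LogAllowed False `
    -LogFileName $logFile -LogMaxSizeKilobytes 16384

# 3. Explicit allow rules for the few things that legitimately need the
#    network (placeholders; each rule is created only if it does not exist).
$allowOut = @(
    @{ DisplayName = 'Out: Browser';        Program = 'C:\Program Files\Example\browser.exe' },
    @{ DisplayName = 'Out: Windows Update'; Service = 'wuauserv' }
)
foreach ($rule in $allowOut) {
    if (-not (Get-NetFirewallRule -DisplayName $rule.DisplayName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -Direction Outbound -Action Allow -Profile Any @rule | Out-Null
    }
}

# 4. Review helper: the most recent outbound drops, parsed so an unexpected
#    destination stands out. Log columns begin "date time action protocol
#    src-ip dst-ip src-port dst-port ..." and include a SEND/RECEIVE path field.
function Get-RecentOutboundDrops {
    param([int]$Last = 20)
    $path = [Environment]::ExpandEnvironmentVariables($logFile)
    Get-Content -Path $path -ErrorAction SilentlyContinue |
        Where-Object { $_ -match '^\d{4}-\d{2}-\d{2} ' } |
        ForEach-Object {
            $f = $_ -split '\s+'
            if ($f[2] -eq 'DROP' -and $f -contains 'SEND') {
                [pscustomobject]@{ Time = "$($f[0]) $($f[1])"; Proto = $f[3]; Dest = "$($f[5]):$($f[7])" }
            }
        } | Select-Object -Last $Last
}

Get-RecentOutboundDrops | Format-Table -AutoSize
```

Reviewing the drop list is the substitute for the alerts TinyWall does not give: a program that "just stops working" after this policy will appear here with its destination, and unknown outbound destinations from a process you did not expect are the thing to investigate.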
 
