AppGuard 4 Update Thread (current v4.4.6.1)

Deleted member 178

Thread author
An AppGuard update has been published. You should see an announcement soon (if AppGuard is configured to check for updates).

The version is 4.3.14.5. This basically fixes the update issues that we had when we rolled out 4.3.13.1.
  1. There are a couple policy changes:
    1. [LocalAppData]\apps\2.0 is excluded from user-space. These are where click-to-run applications are stored.
    2. [LocalAppData]\apps\2.0 has been added as a protected resource.
    3. Schtasks blocking messages are now ignored.
  2. *.cmd files can be added as user-space exceptions.
  3. As many of you reported, when we published AppGuard 4.3.1.13, the auto-update was too silent. It basically resulted in AppGuard being turned off and there was no indication that the installation was successful or complete. The reason was that the install was considered a major upgrade by the OS which turned off our service. Our update logic didn't handle it properly. Though the update was successful, there was no indication it was and AppGuard was turned off. We recalled the update (from the perspective of automatically updating, the release is still good and can be installed - just not through our auto-update feature). Anyway, we think this version will properly alert you that the update occurred and will prompt you to reboot.
  4. A few minor bug fixes:
    1. The GUI was crashing adding c:\windows\assembly as user-space folder (why you would do that, I don't know).
    2. AppGuard was blocking but not reporting a user-space folder that had a wild card in the policy.
    3. Signed applications were not being permitted from a user-space folder that had a wild card in the policy.
    4. If a sub-directory of c:\windows was added to user-space, AppGuard was permitting unsigned applications to launch (but they were Guarded).
If for some reason you don't get the announcement you can download the new release here:

https://blueridgenetworks.s3.amazonaws.com/UpdateFolder/AppGuardSetup_4_3_14_5.exe.

No need to uninstall the previous version.

If you see any anomalies with the update process, please email me at appguard@blueridge.com.
 
Deleted member 178

Thread author
I just installed via GUI, no issues so far.
 
illumination

Thread author
Automatic update here as well, no problems.
 
Deleted member 178

Thread author
As many of you have discovered, we have a new release of AppGuard available. Version
4.4.4.1 has been available for new purchasers for about a week. It has only minor changes and bug fixes:

Bug Fixes:
  1. No way to clean up wildcard reconciliation policy. This was causing the user policy to become large and the number of Guarded applications to grow too large. This was due to the entire user policy being saved when ignored messages to be applied for all users were being saved.
  2. AppGuard reports Event 312 (can’t locate Guarded app) for wildcard paths.
  3. Browse folder dialog not remembering last path when a file is selected.
  4. Changed position of the close button ("X") on the deactivation toaster and the blocked event toaster.
  5. Fixed a bug where Major Update was never completing resulting in endless notification that a major upgrade was performed.
  6. Red-listed applications from system space were being allowed to run (if wildcard in the policy).

Enhancements:

  1. Allow user to exclude these file types from user-space policy: *.exe;*.dll;*.ocx;*.ps1;*.vbs;*.vbe;*.js;*.jse;*.hta;*.wsf;*.cmd;*.bat
  2. *.reg files are prohibited from running from user space.
  3. License Activation screens now support high-resolution screens.

Policy Changes:

  1. Click to run policies that were added in 4.3 were removed. Must be added by user.
  2. Recycle bin added as a protected folder exception and included in user-space.
  3. PowerShell.exe added as Guarded application.
AppGuard should be announcing the upgrade shortly. In the meantime, you can download it from here: https://blueridgenetworks.s3.amazonaws.com/UpdateFolder/AppGuardSetup-4-4-4-1.exe
 
hjlbx

Thread author
Under "Enhancements" - 2. *.reg files are prohibited from running from User Space has been officially removed by BRN.

4.4.4.1 is NOT blocking *.reg files.

I suppose there are two possibilities:

Someone forgot to add the policy - or - there was a last-minute change.
 
hjlbx

Thread author
4.4.4.1 is NOT blocking *.reg files. What does it mean?

4.4.4.1 was supposed to block execution of registry scripts, but it is not. Evidently the policy wasn't added or it is not working or it was removed at last minute.
 

Tony Cole

Does the ability to exclude *.exe;*.dll;*.ocx;*.ps1;*.vbs;*.vbe;*.js;*.jse;*.hta;*.wsf;*.cmd;*.bat files mean they won't run, if so how do you add them to the user-space?
 
hjlbx

Thread author
Does the ability to exclude *.exe;*.dll;*.ocx;*.ps1;*.vbs;*.vbe;*.js;*.jse;*.hta;*.wsf;*.cmd;*.bat files mean they won't run, if so how do you add them to the user-space?

Don't add exclusion to User Space - they will run...

You just add *.file_type, e.g. *.dll for any.dll to User Space.
 
hjlbx

Thread author
It looks no good. Is there any solution for it?

Don't execute any unknown\untrusted files from User Space - that's all that is needed.

If you execute *.reg file that is disguised as something else - like *.doc, *.pdf, etc - then it will execute.

Don't visit, download and execute files that are shady or from sites that have anything but a known, super-clean reputation. If you did that all the time, then you would have little need for security softs.

You can always rename a file to *.txt - open it - and inspect it to see if there is malicious code -- but that's a lot of work and you have to know what you are doing.
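
The manual check described in the post above (open the file as text and see what it really is) can be done by content instead of by extension. The following is an added example, not part of the thread and not AppGuard code; the function names and the sample registry script are constructed for illustration.

```python
import re

# First non-blank line of a registry script, per the two .reg file formats.
REG_HEADERS = ("Windows Registry Editor Version 5.00", "REGEDIT4")
# [HKEY_...] sets a key; [-HKEY_...] deletes it.
KEY_LINE = re.compile(r"^\[(-?)(HKEY_[^\]]+)\]\s*$")


def decode_text(data: bytes) -> str:
    """Decode bytes using the encodings .reg files are normally saved in."""
    if data.startswith(b"\xff\xfe"):          # UTF-16LE BOM (version 5.00 exports)
        return data[2:].decode("utf-16-le", errors="replace")
    if data.startswith(b"\xef\xbb\xbf"):      # UTF-8 BOM
        return data[3:].decode("utf-8", errors="replace")
    return data.decode("latin-1")             # ANSI (REGEDIT4) and anything else


def inspect_reg(data: bytes) -> dict:
    """Report whether the content is a registry script and which keys it touches."""
    lines = [ln.strip() for ln in decode_text(data).splitlines()]
    non_blank = [ln for ln in lines if ln]
    is_reg = bool(non_blank) and non_blank[0] in REG_HEADERS
    result = {"is_reg": is_reg, "keys_set": [], "keys_deleted": []}
    if not is_reg:
        return result
    for ln in non_blank[1:]:
        m = KEY_LINE.match(ln)
        if m:
            bucket = "keys_deleted" if m.group(1) else "keys_set"
            result[bucket].append(m.group(2))
    return result


def inspect_file(path: str) -> dict:
    """Same check on a file, whatever its extension claims."""
    with open(path, "rb") as fh:
        return inspect_reg(fh.read())


# Constructed sample: a registry script as it might sit behind a misleading name.
SAMPLE = (
    "Windows Registry Editor Version 5.00\r\n\r\n"
    "[HKEY_CURRENT_USER\\Software\\ExampleVendor\\Demo]\r\n"
    "\"Setting\"=dword:00000001\r\n\r\n"
    "[-HKEY_CURRENT_USER\\Software\\ExampleVendor\\Old]\r\n"
)

if __name__ == "__main__":
    print(inspect_reg(b"\xff\xfe" + SAMPLE.encode("utf-16-le")))
    print(inspect_reg(b"%PDF-1.7\n"))
```

The check only reads the file; it never hands it to the registry editor, so it is safe to run on a download before deciding whether to open it.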
 
hjlbx

Thread author
@neon

For those that are paranoid about *.reg files, just add both regedit.exe and regedt32.exe to User Space for:

C:\Windows\regedit.exe
C:\Windows\SysWOW64\regedit.exe

C:\Windows\System32\regedt32.exe
C:\Windows\SysWOW64\regedt32.exe

That is all that is required.

If you need either one, just temporarily exclude both file paths from User Space. Do your thing. And then re-include both file paths in User Space.
 
hjlbx

Thread author
Do you use this also?

No, I don't add this policy - because I occasionally use the registry editor - and too lazy to temporarily exclude it from User Space so I can use it.

If you want to lock your system down against malicious *.reg files, then you can add them. If you never use the registry editor, then you will not even notice that they are blocked from execution on a day-to-day basis -- unless, you attempt to execute a *.reg file.

Like I said, if you don't want *.reg files executed on your system, then add the registry editor paths to User Space.
 