AppGuard 4 Update Thread (current v4.4.6.1)

Umbra

Level 61
Content Creator
Trusted
Joined
May 16, 2011
Messages
17,763
OS
Windows 10
Antivirus
Default-Deny
#1
An AppGuard update has been published. You should see an announcement soon (if AppGuard is configured to check for updates).

The version is 4.3.14.5. This basically fixes the update issues that we had when we rolled out 4.3.13.1.
  1. There are a couple policy changes:
    1. [LocalAppData]\apps\2.0 is excluded from user-space. These are where click-to-run applications are stored.
    2. [LocalAppData]\apps\2.0 has been added as a protected resource.
    3. Schtasks blocking messages are now ignored.
  2. *.cmd files can be added as user-space exceptions.
  3. As many of you reported, when we published AppGuard 4.3.1.13, the auto-update was too silent. It basically resulted in AppGuard being turned off and there was no indication that the installation was successful or complete. The reason was that the install was considered a major upgrade by the OS which turned off our service. Our update logic didn't handle it properly. Though the update was successful, there was no indication it was and AppGuard was turned off. We recalled the update (from the perspective of automatically updating, the release is still good and can be installed - just not through our auto-update feature). Anyway, we think this version will properly alert you that the update occurred and will prompt you to reboot.
  4. A few minor bug fixes:
    1. The GUI was crashing adding c:\windows\assembly as user-space folder (why you would do that, I don't know).
    2. AppGuard was blocking but not reporting a user-space folder that had a wild card in the policy.
    3. Signed applications were not being permitted from a user-space folder that had a wild card in the policy.
    4. If a sub-directory of c:\windows was added to user-space, AppGuard was permitting unsigned applications to launch (but they were Guarded).
If for some reason you don't get the announcement you can download the new release here:

https://blueridgenetworks.s3.amazonaws.com/UpdateFolder/AppGuardSetup_4_3_14_5.exe.

No need to uninstall the previous version.

If you see any anomalies with the update process, please email me at appguard@blueridge.com.
 

Umbra

#2
I just installed via GUI, no issues so far.
 

Umbra

#6
As many of you have discovered, we have a new release of AppGuard available. Version 4.4.4.1 has been available for new purchasers for about a week. It has only minor changes and bug fixes:

Bug Fixes:
  1. No way to clean up wildcard reconciliation policy. This was causing the user policy to become large and the number of Guarded applications to grow too large. This was due to the entire user policy being saved when ignored messages to be applied for all users were being saved.
  2. AppGuard reports Event 312 (can’t locate Guarded app) for wildcard paths.
  3. Browse folder dialog not remembering last path when a file is selected.
  4. Changed position of the close button ("X") on the deactivation toaster and the blocked event toaster.
  5. Fixed a bug where Major Update was never completing resulting in endless notification that a major upgrade was performed.
  6. Red-listed applications from system space were being allowed to run (if wildcard in the policy).

Enhancements:

  1. Allow user to exclude these file types from user-space policy: *.exe;*.dll;*.ocx;*.ps1;*.vbs;*.vbe;*.js;*.jse;*.hta;*.wsf;*.cmd;*.bat
  2. *.reg files are prohibited from running from user space.
  3. License Activation screens now support high-resolution screens.

Policy Changes:

  1. Click to run policies that were added in 4.3 were removed. Must be added by user.
  2. Recycle bin added as a protected folder exception and included in user-space.
  3. PowerShell.exe added as Guarded application.
AppGuard should be announcing the upgrade shortly. In the meantime, you can download it from here: https://blueridgenetworks.s3.amazonaws.com/UpdateFolder/AppGuardSetup-4-4-4-1.exe
 
Likes: XhenEd

hjlbx

Guest
#7
Under "Enhancements" - 2. *.reg files are prohibited from running from User Space has been officially removed by BRN.

4.4.4.1 is NOT blocking *.reg files.

I suppose there are two possibilities:

Someone forgot to add the policy - or - there was a last-minute change.
 

hjlbx

Guest
#9
4.4.4.1 is NOT blocking *.reg files. What does it mean?
4.4.4.1 was supposed to block execution of registry scripts, but it is not. Evidently the policy wasn't added or it is not working or it was removed at last minute.
 
Joined
May 11, 2014
Messages
1,622
OS
Windows 10
Antivirus
Sophos
#11
Does the ability to exclude *.exe;*.dll;*.ocx;*.ps1;*.vbs;*.vbe;*.js;*.jse;*.hta;*.wsf;*.cmd;*.bat files mean they won't run, if so how do you add them to the user-space?
 

hjlbx

Guest
#12
Does the ability to exclude *.exe;*.dll;*.ocx;*.ps1;*.vbs;*.vbe;*.js;*.jse;*.hta;*.wsf;*.cmd;*.bat files mean they won't run, if so how do you add them to the user-space?
Don't add exclusion to User Space - they will run...

You just add *.file_type, e.g. *.dll for any.dll to User Space.
 
Last edited by a moderator:
Likes: Tony Cole

hjlbx

Guest
#13
It looks no good. Is any solution on it?
Don't execute any unknown\untrusted files from User Space - that's all that is needed.

If you execute *.reg file that is disguised as something else - like *.doc, *.pdf, etc - then it will execute.

Don't visit, download and execute files that are shady or from sites that have anything but a known, super-clean reputation. If you did that all the time, then you would have little need for security softs.

You can always rename a file to *.txt - open it - and inspect it to see if there is malicious code -- but that's a lot of work and you have to know what you are doing.
 
Last edited by a moderator:
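
An added example, not part of the original posts and not AppGuard code: a read-only Python sketch of the manual inspection described in post #13. It checks whether a file is registry-script content whatever its extension and lists the keys and values it would change; the `WATCH` list, function names and sample bytes are assumptions constructed for illustration.

```python
import re

# Illustrative watch list of launch-related key fragments (an assumption, not an AppGuard policy).
WATCH = (r"\currentversion\run", r"\image file execution options",
         r"\winlogon", r"\shell\open\command")

def decode_reg(data: bytes) -> str:
    """regedit exports are UTF-16 LE with a BOM; REGEDIT4 files are ANSI."""
    if data.startswith(b"\xff\xfe"):
        return data.decode("utf-16")
    return data.decode("cp1252", errors="replace")

def looks_like_reg(data: bytes) -> bool:
    """True when the content starts with a .reg header, regardless of file name."""
    head = decode_reg(data).lstrip()
    return head.startswith(("Windows Registry Editor Version 5.00", "REGEDIT4"))

def summarize_reg(data: bytes):
    """Return (action, key, value_name, flagged) tuples; never touches the registry."""
    # Join hex values that continue over several lines with a trailing backslash.
    text = decode_reg(data).replace("\\\r\n", "").replace("\\\n", "")
    findings, key, flagged = [], None, False
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):      # blank line or comment
            continue
        m = re.fullmatch(r"\[(-?)(.+)\]", line)   # [KEY] or [-KEY] (delete key)
        if m:
            key = m.group(2)
            flagged = any(w in key.lower() for w in WATCH)
            if m.group(1):
                findings.append(("delete-key", key, None, flagged))
            continue
        m = re.match(r'(@|"(?:[^"\\]|\\.)*")\s*=\s*(.*)', line)
        if m and key:
            name = "(Default)" if m.group(1) == "@" else m.group(1)[1:-1]
            action = "delete-value" if m.group(2) == "-" else "set-value"
            findings.append((action, key, name, flagged))
    return findings

# Constructed sample standing in for a downloaded file of unknown type.
SAMPLE = b"\xff\xfe" + (
    "Windows Registry Editor Version 5.00\r\n\r\n"
    "[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run]\r\n"
    '"Updater"="C:\\\\Users\\\\Public\\\\u.exe"\r\n'
    "[-HKEY_CURRENT_USER\\Software\\ExampleVendor]\r\n"
).encode("utf-16-le")

if __name__ == "__main__":
    print(looks_like_reg(SAMPLE), *summarize_reg(SAMPLE), sep="\n")
```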

hjlbx

Guest
#15
@neon

For those that are paranoid about *.reg files, just add both regedit.exe and regedt32.exe to User Space for:

C:\Windows\regedit.exe
C:\Windows\SysWOW64\regedit.exe

C:\Windows\System32\regedt32.exe
C:\Windows\SysWOW64\regedt32.exe

That is all that is required.

If you need either one, just temporarily exclude both file paths from User Space. Do your thing. And then re-include both file paths in User Space.
 

hjlbx

Guest
#17
Do you use this also?
No, I don't add this policy - because I occasionally use the registry editor - and too lazy to temporarily exclude it from User Space so I can use it.

If you want to lock your system down against malicious *.reg files, then you can add them. If you never use the registry editor, then you will not even notice that they are blocked from execution on a day-to-day basis -- unless, you attempt to execute a *.reg file.

Like I said, if you don't want *.reg files executed on your system, then add the registry editor paths to User Space.
 
Likes: _CyberGhosT_