App Review AppGuard against Ransomware


erreale

Level 9
Thread author
Verified
Content Creator
Malware Hunter
Well-known
Oct 22, 2016
409
I think I was too hasty in wanting to end the test. At one point we see worm activity in lsass.exe; I think it's due to Philadelphia Ransomware. I wanted to learn, but I had no time. Tomorrow I'll run the test again and verify better.
 

XhenEd

Level 28
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 1, 2014
1,708
Good test! :)

"Philadelphia Ransomware" was expected to run. It's digitally signed. And AppGuard in Protected Mode allows all digitally signed applications to run even in user space. But all of them are Guarded, so that's why in the video the ransomware wasn't able to do its job.

But you observed something with the ransomware. Yes, please test it again. :)

The only reason why the others weren't allowed to run is not because of some next-gen AI algorithm of AppGuard (AppGuard has none, but it has patents for its technologies), but because of the simple implementation that all unsigned applications are not allowed to run in user space. :D

Protected mode in AppGuard may still pose a risk for the user. That's why @Lockdown here recommends the Lockdown mode. With it, all digitally signed (except Microsoft's) and unsigned applications are not allowed to run in user space. The Philadelphia Ransomware would not be able to run in Lockdown mode.
 

509322

(by default don't check AppData).

If a file executes (like the signed Philadelphia Ransomware in the video), then it will be able to write to User Space directories (C:\Users). That's true whether you are using AppGuard or just about any other security soft. For example, execute a malicious file, and even though it is detected by behavioral detection, it can still write to AppData\*.

Malicious files that are "dropped," but not active on the system (loaded into active memory), are not an issue - unless the user navigates to the malicious file and executes it. In the case of AppGuard, a digitally unsigned file written to a C:\Users\* directory will be blocked, and a digitally signed file written to C:\Users\* will be Guarded. AppGuard prevents the creation of autoruns by a digitally signed file from an untrusted publisher.
 
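The policy 509322 describes above (unsigned file in User Space is blocked, digitally signed file is allowed but Guarded) can be audited from the defender's side. The PowerShell below is an added illustration, not AppGuard's own code and not from this thread: it walks a user profile, checks each executable's Authenticode signature with the built-in Get-AuthenticodeSignature cmdlet, and reports what a Protected-mode launch decision would be under that rule. It enforces nothing. The profile root, the extension list and the decision labels are assumptions; the Publisher column is there so that a validly signed file from an unknown publisher (the Philadelphia sample in the video is the thread's example) is visible as "would run Guarded" rather than "blocked".

```powershell
# Added illustration (not AppGuard code): report how the thread's Protected-mode
# rule would classify executables found in User Space.
#   unsigned          -> blocked
#   validly signed    -> allowed to run, Guarded
#   anything else     -> flag for review (tampered file, untrusted chain, ...)
param(
    [string]$Root = $env:USERPROFILE,                         # assumption: current profile
    [string[]]$Extensions = @('*.exe', '*.dll', '*.scr', '*.msi')  # assumption: common PE types
)

function Get-UserSpaceLaunchReport {
    param([string]$Path, [string[]]$Include)

    $files = Get-ChildItem -Path $Path -Include $Include -Recurse -File -ErrorAction SilentlyContinue

    foreach ($f in $files) {
        # Status values come from System.Management.Automation.SignatureStatus:
        # Valid, NotSigned, HashMismatch, NotTrusted, UnknownError, ...
        $sig = Get-AuthenticodeSignature -FilePath $f.FullName
        $publisher = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

        $decision = switch ($sig.Status) {
            'Valid'     { 'Guarded (allowed to run, restricted)' }
            'NotSigned' { 'Blocked (unsigned in User Space)' }
            default     { "Review: signature status $($sig.Status)" }
        }

        [pscustomobject]@{
            Path      = $f.FullName
            Signature = $sig.Status
            Publisher = $publisher
            Decision  = $decision
        }
    }
}

# Signed-but-unknown publishers are the interesting rows: under this rule they
# run Guarded, which (as the thread notes) still permits writes to User Space.
Get-UserSpaceLaunchReport -Path $Root -Include $Extensions |
    Sort-Object Signature, Publisher |
    Format-Table -AutoSize
```

Run it from a normal (non-elevated) PowerShell session; it only reads files and certificates. Comparing the Publisher column against the vendors you actually expect in a profile is the useful part, since a Valid signature says nothing about whether the signer is trustworthy.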

509322

"Philadelphia Ransomware" was expected to run. It's digitally signed. And AppGuard in Protected Mode allows all digitally signed applications to run even in user space. But all of them are Guarded, so that's why in the video the ransomware wasn't able to do its job.

Guarded ransomware can still encrypt C:\Users\* directories.

A user should make use of Private Folders - as these are document\data vaults. While everything in User Space can be encrypted, Private Folders will save valuable user data - if the user takes full advantage of Private Folders. The whole point is to save user data.

There are pending changes to the way that AppGuard will treat digitally signed files in next build of version 5.
 

XhenEd

Guarded ransomware can still encrypt C:\Users\* directories.

A user should make use of Private Folders - as these are document\data vaults. While everything in User Space can be encrypted, Private Folders will save valuable user data - if the user takes full advantage of Private Folders. The whole point is to save user data.

There are pending changes to the way that AppGuard will treat digitally signed files in next build of version 5.
Thanks for the info! :)

But isn't it that before the encryption begins, the ransomware has to do critical actions? I assume that AppGuard at least blocks some, if not all, of these actions of the Guarded ransomware. :)

I got this insight through BRN's own documentation about the old CryptoLocker (simulated to be digitally signed). :)
 

509322

Thanks for the info! :)

But isn't it that before the encryption begins, the ransomware has to do critical actions? I assume that AppGuard at least blocks some, if not all, of these actions of the Guarded ransomware. :)

No. This isn't how Guarded protections work. Some ransomware can encrypt User Space if permitted to run.

The key to protecting data stored in User Space is to use Private Folders. A Guarded program is allowed Read-Write access to almost all folders in User Space except Private Folders.
 

XhenEd

No. This isn't how Guarded protections work. Some ransomware can encrypt User Space if permitted to run.

The key to protecting data stored in User Space is to use Private Folders. A Guarded program is allowed Read-Write access to almost all folders in User Space except Private Folders.
I understand. :)

But I thought that ransomware has to do things prior to encryption. That's why I assumed that ransomware would still be blocked or crippled just like what happened to the simulated-as-digitally-signed CryptoLocker.
 

509322

I understand. :)

But I thought that ransomware has to do things prior to encryption. That's why I assumed that ransomware would still be blocked or crippled just like what happened to the simulated-as-digitally-signed CryptoLocker.

If you mean the video that was produced by BRN a few years ago: if you re-watch it, you will see User Space is encrypted except for the Private Folder ("My Private Folder").

Until the revisions are made for digitally signed files, do this:

1. Use Lock Down mode
2. Take full advantage of Private Folders ("My Private Folder" and the ones you designate as Private Folders)
3. Don't use tray icon context menu option "Allow User Space Launches - Guarded"
 

XhenEd

If you mean the video that was produced by BRN a few years ago: if you re-watch it, you will see User Space is encrypted except for the Private Folder ("My Private Folder").
No, I don't refer to that. I'm referring to a pdf file, entitled AppGuard Stops CryptoLocker, that I downloaded through the official AppGuard website. But I can't find the pdf on the internet anymore.

I didn't know, or just forgot, about that video. I'll watch it. Can you post the link? :)
 

509322

1. Use Lock Down mode
2. Take full advantage of Private Folders ("My Private Folder" and the ones you designate as Private Folders)
3. Don't use tray icon context menu option "Allow User Space Launches - Guarded"

4. Do Steps 1 - 3 and there is no need to sweat yourself and be paranoid
 

XhenEd

I see no point in using AppGuard outside Lockdown Mode except to install trusted and verified software installers.
There's the convenience of automatic updates. :)

But yeah, if one needs to be fully secured, AppGuard in Lockdown mode is the best option. :)
 

509322

I see no point in using AppGuard outside Lockdown Mode except to install trusted and verified software installers.

Some people prefer it - because they just want the "perceived" convenience of not having to lower the protection level from Locked Down to Protected mode and, more importantly, they don't have to create any User Space exclusions.

There are enough legitimate\safe unsigned programs out there that those same people will have to lower the protection level to Allow Installs.

Protected mode = high protection
Locked Down mode = locked system protection

We will be making Protected mode closer to Locked Down mode - without the perceived "inconvenience" of having to make User Space exclusions - here in the near future.
 

509322

There's the convenience of automatic updates. :)

For some programs, automatic updates can be achieved in Locked Down mode. For others it cannot be done. And for others still, automatic updates cannot be achieved at all - and the user must lower protection to Allow Installs.

No matter what the case, it is not difficult. I mean, how difficult is it to use a tray icon to lower protection from one level to another, do what needs to be done, and then immediately after raise protection to the previous level?
 

XhenEd

For some programs, automatic updates can be achieved in Locked Down mode. For others it cannot be done. And for others still, automatic updates cannot be achieved at all - and the user must lower protection to Allow Installs.

No matter what the case, it is not difficult. I mean, how difficult is it to use a tray icon to lower protection from one level to another, do what needs to be done, and then immediately after raise protection to the previous level?
Yeah, I agree that it's not difficult to lower protection if necessary. But it's highly convenient if you don't have to do anything to get the updates of some programs.

People who are choosing Locked Down mode accept this little inconvenience, anyway. :)

I use Locked Down or Protected mode from time to time, depending on my state of mind. :D
 

erreale

Good test! :)

"Philadelphia Ransomware" was expected to run. It's digitally signed. And AppGuard in Protected Mode allows all digitally signed applications to run even in user space. But all of them are Guarded, so that's why in the video the ransomware wasn't able to do its job.

But you observed something with the ransomware. Yes, please test it again. :)

To perform the test properly, one would have to:

1) run Philadelphia
2) perform the scan at the point where the worm was shown loaded into memory
3) restart the Guest
4) run the scan again
 

XhenEd

To perform the test properly, one would have to:

1) run Philadelphia
2) perform the scan at the point where the worm was shown loaded into memory
3) restart the Guest
4) run the scan again
I'm not sure what you mean by "scanning".
 
