Q&A Appguard Configuration & Setting Discussion Thread


Umbra (#1)

Umbra (#2)
What you should put in Guarded Applications:

- every internet-facing app (browsers, P2P, etc.)
- mail clients (Thunderbird, etc.)
- virtual machines (VMware, VirtualBox)
- portable apps
- media players (Foobar, VLC, etc.)
- archive software (WinRAR, 7-Zip, etc.)
 

Purshu_Pro (#3)
I'm confused about how it works, so 'Guarded Applications' won't get authority to run itself unless I set the protection to install mode? If that is the case, when I run VMware I must set to install mode every time?
 

XhenEd (#4)
> I'm confused about how it works, so 'Guarded Applications' won't get authority to run itself unless I set the protection to install mode? If that is the case, when I run VMware I must set to install mode every time?

Guarded Applications can run, but they won't be able to touch areas which AppGuard (hard-coded) has set.
Google Chrome, for example, runs fine even if it is Guarded.
 

Umbra (#5)
> I'm confused about how it works, so 'Guarded Applications' won't get authority to run itself

Yes.

> unless I set the protection to install mode? If that is the case, when I run VMware I must set to install mode every time?

No, you have to select this prior to launching a Guarded app:

 
hjlbx (#6)
> I'm confused about how it works, so 'Guarded Applications' won't get authority to run itself unless I set the protection to install mode? If that is the case, when I run VMware I must set to install mode every time?

Guarded Application:
  • Application added by user to Guard List or included in preloaded list
  • Digitally signed application (not on Guard List) that executes from User Space while in Protected mode
Guarded Application policies:
  • Any digitally signed application executed from User Space will be automatically guarded while in Protected mode (AppGuard allows only digitally signed applications to execute from User Space and prevents them from modifying Protected Resources - without the need to add them to the Guard List)
  • Only applications on the Guard List can execute from User Space while in Lock Down mode (User must manually add applications to the list; AppGuard comes with small pre-loaded list of Guarded Applications)
Guarded Applications cannot affect Protected Resources:

Protected Resources include Process Memory (protected by MemoryGuard), and critical Operating System Components.


The critical OS Components that AppGuard protects (Guarded Applications cannot affect) are:

  • Windows system folder
  • Program files folder
  • Selected registry keys
  • Process memory
Source: AppGuard Help File
 

Purshu_Pro (#7)
Still confused with the Guarded Application rule. I read it again and again, but I am not able to understand the algorithm. @Umbra so if I want to run an update for a program like Adguard or Firefox, how do I add an exception? I mean I don't want to manually set AppGuard to install mode; instead it should run automatically like it does with the Microsoft ones.
 

Umbra (#8)
> @Umbra so if I want to run an update for a program like Adguard or Firefox, how do I add an exception? I mean I don't want to manually set AppGuard to install mode; instead it should run automatically like it does with the Microsoft ones.

Go here:



You have to manually add the software's publisher, then set its level to Install (as BRN is, so AppGuard is updated automatically without user interaction).

The Publisher List is only for Protected Mode; if you are on Lockdown, you have to set AG to Install Mode.
 
#9
I think Comodo Internet Security already has a similar feature to sandbox applications as per the application's requirements. I am using Malwarebytes Anti-Exploit in addition.
Is this anything different?
 

Umbra (#10)
AppGuard is another level of protection compared to CIS. CIS is just fancy and buggy. To make CIS as strong as AppGuard, you need hours of tweaks... Not to mention that Blue Ridge Networks got 1st rank in Homeland Security for 2 consecutive years.
 

Purshu_Pro (#11)
> You have to manually add the software's publisher, then set its level to Install (as BRN is, so AppGuard is updated automatically without user interaction).
>
> The Publisher List is only for Protected Mode; if you are on Lockdown, you have to set AG to Install Mode.

What if I want to add an unsigned application to run? I am not able to run this portable application.
 

Umbra (#12)
Put AG on User-Space Launch Guarded.
 

XhenEd (#13)
@Lockdown

Just a clarification, with default settings and in Protected mode, a signed malware (signature not found in the TPL) will be Guarded. And so, it will fail to totally infect the system. Am I correct?

But, still with default settings and in Protected mode, with a signed malware that has a signature found in the TPL, and that its processes in the run sequence are also signed (TPL), the malware will be able to completely infect the system. Am I correct?


Not that I'm paranoid that this will happen to my laptop (even then, I have KIS and HMP.A :D ), I just want clarification to better understand how AppGuard works in certain situations. :)
 

Lockdown (#14, AppGuard developer)
There are pending changes forthcoming to significantly tighten security when executing digitally signed files in Protected mode. Anyhow...

> Just a clarification, with default settings and in Protected mode, a signed malware (signature not found in the TPL) will be Guarded. And so, it will fail to totally infect the system. Am I correct?

For a file that meets or exceeds the digital signature requirements, at worst, you will get a User Session infection; once the system is rebooted the malware cannot run and will remain inert on the system unless the user manually navigates to the file and re-executes it.

The installer might be digitally signed, but if every file in the run sequence - including temp files - is not signed, then the installation will be blocked.

Files that can meet the signature requirements are generally PUPs\PUAs and that sort of rubbish. The real criminal malc0ders don't get involved with certificates because of the paper trail it leaves behind - but they do manage to steal them from time-to-time. It's not unheard of, but at the same time it isn't common enough to be worrisome.

> But, still with default settings and in Protected mode, with a signed malware that has a signature found in the TPL, and that its processes in the run sequence are also signed (TPL), the malware will be able to completely infect the system. Am I correct?

If malware is digitally signed with full, extended authenticode (every file in the install run sequence), the publisher is on the Trusted Publisher List, and the certificate passes verification - then yes - it will be able to install on the system, create autoruns and persist on the system. This type of malware represents a minuscule fraction of all malware and is quite rare. The certificates very often are quickly revoked.

You can manage the Trusted Publisher List. Some users just keep Microsoft and Blue Ridge Networks in their TPL. However you decide to manage the TPL, digitally signed malware of the truly dangerous kind is not statistically relevant. You also have the option of running AppGuard in Locked Down mode which disables the Trusted Publisher List and further restricts Microsoft signed files.

* * * * *

I hate to be the one to burst your bubble, but if a malware - for example - that is digitally signed, co-signed by Microsoft with an Extended Validation certificate is executed on your system then it is going to sail right past Kaspersky and Hitman.Pro - and any other security soft of the antivirus\internet security type. Security softs don't monitor every single file on your system - in case you didn't know that - and they all whitelist files based upon digital certificates. That's why it's important to use much more restrictive protections such as software restriction policies.

You have a much higher probability of walking out your door and getting struck by lightning twice than getting smacked with a full Microsoft authenticode malware.
 
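As an added example, not part of the thread and not AppGuard's own code (none of the posters supplied code), the PowerShell below applies the rules described in posts #6, #8, #12 and #14 to the files an installer drops: it verifies each file's Authenticode signature with Get-AuthenticodeSignature, records the publisher you would actually be trusting if you added it to the TPL, flags any unsigned file in the run sequence, and reports the verdict AppGuard would reach in Protected or Lock Down mode. The folder path, the TPL entries, the Guard List names and the precedence between Guard List, TPL and auto-guarding are assumptions taken from the thread's wording, not documented product behaviour.

```powershell
# Added example for this thread (not AppGuard's code, not posted by anyone in it):
# audit the files an installer drops and work out, from the rules described in
# posts #6, #8, #12 and #14, what AppGuard would do with each one.
# Assumptions (placeholders, not documented behaviour): $Path is a folder in User
# Space (e.g. an extracted installer under Downloads); $TrustedPublisherList holds
# substrings of the certificate Subject you put on the TPL; $GuardList holds file
# names you added to the Guard List; the precedence Guard List > TPL > auto-guard
# is my reading of the thread.

function Get-AppGuardVerdict {
    param(
        [Parameter(Mandatory)] [string] $FilePath,
        [string[]] $TrustedPublisherList = @(),
        [string[]] $GuardList = @(),
        [ValidateSet('Protected', 'LockDown')] [string] $Mode = 'Protected',
        [switch] $UserSpaceLaunchGuarded
    )

    # Get-AuthenticodeSignature checks the embedded or catalog signature and the
    # certificate chain; Status is 'Valid' only when both verify (post #14:
    # "the certificate passes verification").
    $sig = Get-AuthenticodeSignature -FilePath $FilePath
    $validlySigned = ($sig.Status -eq 'Valid')
    # Record the claimed publisher even when the chain fails, so a bad signature
    # is visible, but only a Valid signature counts towards the TPL.
    $publisher = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    $name = [System.IO.Path]::GetFileName($FilePath)
    $onGuardList = $GuardList -contains $name
    $onTpl = $validlySigned -and [bool]($TrustedPublisherList | Where-Object { $publisher -like "*$_*" })

    $verdict = if ($Mode -eq 'LockDown') {
        # Lock Down: the TPL is disabled and only Guard List entries may launch
        # from User Space (#6, #8).
        if ($onGuardList) { 'Guarded' } else { 'Blocked' }
    }
    elseif ($onGuardList)            { 'Guarded' }             # user-added Guard List entry (#6)
    elseif ($onTpl)                  { 'Install-level (TPL)' } # trusted publisher may install (#8, #14)
    elseif ($validlySigned)          { 'Guarded' }             # signed app from User Space is auto-guarded (#6)
    elseif ($UserSpaceLaunchGuarded) { 'Guarded' }             # unsigned app launches guarded only with that setting (#12)
    else                             { 'Blocked' }             # unsigned app from User Space (#6, #11)

    [pscustomobject]@{
        File      = $name
        SigStatus = [string] $sig.Status
        Publisher = $publisher
        OnTPL     = $onTpl
        Verdict   = $verdict
    }
}

function Get-RunSequenceReport {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string[]] $TrustedPublisherList = @(),
        [string[]] $GuardList = @(),
        [ValidateSet('Protected', 'LockDown')] [string] $Mode = 'Protected'
    )

    # Only the file types AppGuard would have to launch or load are inspected.
    $rows = @(Get-ChildItem -Path $Path -Recurse -File |
        Where-Object { $_.Extension -in @('.exe', '.dll', '.msi', '.sys') } |
        ForEach-Object {
            Get-AppGuardVerdict -FilePath $_.FullName -TrustedPublisherList $TrustedPublisherList `
                -GuardList $GuardList -Mode $Mode
        })
    $unsigned = @($rows | Where-Object { $_.SigStatus -ne 'Valid' })

    [pscustomobject]@{
        Files          = $rows.Count
        # Post #14: one unsigned file anywhere in the run sequence and the
        # installation is blocked, however well signed the outer installer is.
        FullyCertified = ($unsigned.Count -eq 0)
        UnsignedFiles  = @($unsigned | ForEach-Object { $_.File })
        # The publishers you would actually be trusting if you added them to the TPL.
        Publishers     = @($rows | ForEach-Object { $_.Publisher } | Where-Object { $_ } | Sort-Object -Unique)
        Details        = $rows
    }
}

# Usage (placeholder path and TPL entries):
# $r = Get-RunSequenceReport -Path "$env:USERPROFILE\Downloads\extracted-installer" `
#        -TrustedPublisherList @('Microsoft Corporation', 'Blue Ridge Networks')
# $r.Details | Format-Table -AutoSize
# $r.FullyCertified    # $false as soon as one file in the sequence fails verification
```

To audit the temp files post #14 mentions, extract the installer first (7-Zip opens many installer formats) or copy what it drops under %TEMP% while it runs in a VM, then point -Path at that folder. FullyCertified turns $false as soon as one file fails verification, which is exactly the case in which the install is blocked even though the outer installer is signed, and Publishers shows which certificate Subject you would be granting install-level access to before you add a line to the Publisher List described in post #8.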
#20
Thank you, @Umbra :).

I am looking to understand the processes/procedures you use surrounding these settings. E.g.,
- what are the scenarios where you take your machine out of lockdown mode?
- what steps do you take when you would like to update applications other than those made by your "security soft's vendors"?
 
