Q&A Appguard Configuration & Setting Discussion Thread

Discussion in 'AppGuard (Blue Ridge Networks)' started by Umbra, Nov 29, 2015.

  1. Umbra (Emsisoft developer, community manager), #1, Nov 29, 2015, last edited Nov 30, 2015
  2. Umbra (Emsisoft developer, community manager), #2, Nov 30, 2015, last edited Dec 30, 2015
    What you should put in Guarded Applications:

    - every internet-facing app (browsers, P2P clients, etc.)
    - mail clients (Thunderbird, etc.)
    - virtual machines (VMware, VirtualBox)
    - portable apps
    - media players (Foobar, VLC, etc.)
    - archive software (WinRAR, 7-Zip, etc.)
     
  3. Purshu_Pro (Level 29, Trusted, Emsisoft reseller)
    I'm confused about how it works. So 'Guarded Applications' won't get authority to run themselves unless I set the protection to Install mode? If that is the case, when I run VMware must I set it to Install mode every time?
     
  4. XhenEd (Level 27, Content Creator, Trusted)
    Guarded Applications can run, but they won't be able to touch areas which AppGuard (hard-coded) has set.
    Google Chrome, for example, runs fine even if it is Guarded.
     
  5. Umbra (Emsisoft developer, community manager)
    Yes.

    No, you have to select this prior to launching a Guarded app:

    [screenshot]
     
  6. hjlbx (Guest), #6, Feb 13, 2016, last edited by a moderator Feb 13, 2016
    Guarded Application:
    • Application added by user to Guard List or included in preloaded list
    • Digitally signed application (not on Guard List) that executes from User Space while in Protected mode
    Guarded Application policies:
    • Any digitally signed application executed from User Space will be automatically guarded while in Protected mode (AppGuard allows only digitally signed applications to execute from User Space and prevents them from modifying Protected Resources - without the need to add them to the Guard List)
    • Only applications on the Guard List can execute from User Space while in Lock Down mode (the user must manually add applications to the list; AppGuard comes with a small pre-loaded list of Guarded Applications)
    Guarded Applications cannot affect Protected Resources:

    Protected Resources include Process Memory (protected by MemoryGuard), and critical Operating System Components.


    The critical OS Components that AppGuard protects (Guarded Applications cannot affect) are:

    • Windows system folder
    • Program files folder
    • Selected registry keys
    • Process memory
    Source: AppGuard Help File
     
    shmu26, Moose and Online_Sword like this.
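The rules quoted above, plus the Publisher List and "User-Space Launch Guarded" settings discussed later in the thread, worked through as an added example. This is not AppGuard's code (the product is closed source); it is only a decision table for the rules as stated in this thread. Assumed, and not from the help file: the `Mode`, `Program` and `Policy` names, the concrete paths and registry key standing in for "Windows system folder", "Program files folder" and "selected registry keys", the `user_space_launch_guarded` flag, and the precedence that a publisher set to Install level overrides the Guard List in Protected mode.

```python
"""Toy evaluator for the AppGuard launch/write rules as described in this thread.
Added example, not AppGuard code: the real engine is closed source and has more
nuance (per-app levels, MemoryGuard internals) than this decision table.
"""
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet, Optional


class Mode(Enum):
    INSTALL = "install"      # everything runs unguarded
    PROTECTED = "protected"  # default: signed user-space apps are auto-guarded
    LOCKDOWN = "lockdown"    # only Guard List apps run from User Space; TPL off


@dataclass(frozen=True)
class Program:
    path: str
    signed: bool                     # Authenticode signature present and verifies
    publisher: Optional[str] = None  # certificate subject, if signed


@dataclass(frozen=True)
class Policy:
    mode: Mode
    guard_list: FrozenSet[str] = frozenset()      # paths the user (or the preload) guarded
    publisher_list: FrozenSet[str] = frozenset()  # publishers set to Install level
    user_space_launch_guarded: bool = False       # assumption: unsigned user-space apps run guarded, not blocked


# Assumed concrete values; the help file only says "Windows system folder",
# "Program files folder", "selected registry keys" and "process memory".
SYSTEM_SPACE = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
PROTECTED_REGISTRY = ("hklm\\software\\microsoft\\windows\\currentversion\\run",)


def in_user_space(path: str) -> bool:
    return not path.lower().startswith(SYSTEM_SPACE)


def launch_decision(policy: Policy, prog: Program) -> str:
    """Return 'allowed' (unguarded), 'guarded' or 'blocked' for launching prog."""
    if policy.mode is Mode.INSTALL:
        return "allowed"
    if policy.mode is Mode.PROTECTED and prog.signed and prog.publisher in policy.publisher_list:
        return "allowed"              # publisher at Install level; Protected mode only
    if prog.path in policy.guard_list:
        return "guarded"              # guarded regardless of where it lives (e.g. Chrome)
    if not in_user_space(prog.path):
        return "allowed"              # not a User Space launch
    if policy.mode is Mode.LOCKDOWN:
        return "blocked"              # only Guard List apps may run from User Space
    if prog.signed:
        return "guarded"              # Protected mode auto-guards signed user-space apps
    return "guarded" if policy.user_space_launch_guarded else "blocked"


def write_allowed(decision: str, target: str) -> bool:
    """Can a process launched with this decision modify target?

    target is a file path, a registry path ('HKLM\\...') or 'process:<name>'
    for a write into another process's memory (MemoryGuard).
    """
    if decision == "blocked":
        return False
    if decision == "allowed":
        return True
    t = target.lower()   # guarded: every Protected Resource is off limits
    return not (t.startswith(SYSTEM_SPACE) or t.startswith(PROTECTED_REGISTRY) or t.startswith("process:"))


def demo() -> dict:
    """Constructed scenarios (not real telemetry) covering each branch."""
    chrome = Program(r"C:\Program Files\Google\Chrome\chrome.exe", True, "Google LLC")
    updater = Program(r"C:\Users\me\AppData\Local\Mozilla\updater.exe", True, "Mozilla Corporation")
    portable = Program(r"D:\Tools\portable-tool.exe", False)
    guard = frozenset({chrome.path})
    publishers = frozenset({"Mozilla Corporation"})
    protected = Policy(Mode.PROTECTED, guard_list=guard, publisher_list=publishers)
    lockdown = Policy(Mode.LOCKDOWN, guard_list=guard, publisher_list=publishers)
    chrome_dec = launch_decision(protected, chrome)
    return {
        "chrome_protected": chrome_dec,
        "chrome_can_write_downloads": write_allowed(chrome_dec, r"C:\Users\me\Downloads\x.exe"),
        "chrome_can_write_system32": write_allowed(chrome_dec, r"C:\Windows\System32\evil.dll"),
        "chrome_can_write_run_key": write_allowed(chrome_dec, r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"),
        "chrome_can_inject": write_allowed(chrome_dec, "process:explorer.exe"),
        "updater_protected": launch_decision(protected, updater),   # Publisher List applies
        "updater_lockdown": launch_decision(lockdown, updater),     # Publisher List ignored
        "portable_protected": launch_decision(protected, portable),
        "portable_uslg": launch_decision(Policy(Mode.PROTECTED, user_space_launch_guarded=True), portable),
        "portable_install": launch_decision(Policy(Mode.INSTALL), portable),
    }
```

Running `demo()` answers the two questions raised in this thread directly: a guarded Chrome launches but cannot write to System32, the Run key or another process, and the same signed Firefox updater is unguarded in Protected mode (publisher at Install level) yet blocked in Lock Down mode, which is why Umbra says the Publisher List only helps in Protected mode.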
  7. Purshu_Pro (Level 29, Trusted, Emsisoft reseller)
    Still confused with the Guarded Application rule. I read it again and again, but I am not able to understand the algorithm. @Umbra, so if I want to run an update for a program like Adguard or Firefox, how do I add an exception? I mean I don't want to manually set AppGuard to Install mode; instead it should run automatically like it does with the Microsoft ones.
     
  8. Umbra (Emsisoft developer, community manager)
    Go here:

    [screenshot]

    You have to manually add the software's publisher, then set its level to Install (as BRN is, so AppGuard is updated automatically without user interaction).

    The Publisher List is only for Protected Mode; if you are on Lockdown, you have to set AG to Install Mode.
     
  9. yashiscool (Level 1)
    I think Comodo Internet Security already has a similar feature to sandbox applications according to the application's requirements. I am using Malwarebytes Anti-Exploit in addition.
    Is this anything different?
     
  10. Umbra (Emsisoft developer, community manager)
    AppGuard is another level of protection than CIS. CIS is just fancy and buggy. To make CIS as strong as AppGuard, you need hours of tweaks... Not to mention that Blue Ridge Networks got 1st rank in Homeland Security for 2 consecutive years.
     
  11. Purshu_Pro (Level 29, Trusted, Emsisoft reseller)
    What if I want to add an unsigned application to run? I am not able to run this portable application.
    [attached screenshot: Capture.PNG]
     
  12. Umbra (Emsisoft developer, community manager)
    Put AG on User-Space Launch Guarded.
     
  13. XhenEd (Level 27, Content Creator, Trusted)
    @Lockdown

    Just a clarification: with default settings and in Protected mode, a signed malware (signature not found in the TPL) will be Guarded. And so, it will fail to totally infect the system. Am I correct?

    But, still with default settings and in Protected mode, with a signed malware that has a signature found in the TPL, and whose processes in the run sequence are also signed (TPL), the malware will be able to completely infect the system. Am I correct?

    Not that I'm paranoid that this will happen to my laptop (even then, I have KIS and HMP.A :D ), I just want clarification to better understand how AppGuard works in certain situations. :)
     
  14. Lockdown (AppGuard developer, AppGuard LLC, Virginia, U.S.), #14, Feb 22, 2017, last edited Feb 22, 2017
    There are pending changes forthcoming to significantly tighten security when executing digitally signed files in Protected mode. Anyhow...

    For a file that meets or exceeds the digital signature requirements, at worst you will get a User Session infection; once the system is rebooted the malware cannot run and will remain inert on the system unless the user manually navigates to the file and re-executes it.

    The installer might be digitally signed, but if every file in the run sequence - including temp files - is not signed, then the installation will be blocked.

    Files that can meet the signature requirements are generally PUPs\PUAs and that sort of rubbish. The real criminal malc0ders don't get involved with certificates because of the paper trail it leaves behind - but they do manage to steal them from time-to-time. It's not unheard of, but at the same time it isn't common enough to be worrisome.

    If malware is digitally signed with full, extended authenticode (every file in the install run sequence), the publisher is on the Trusted Publisher List, and the certificate passes verification - then yes - it will be able to install on the system, create autoruns and persist on the system. This type of malware represents a minuscule fraction of all malware and is quite rare. The certificates very often are quickly revoked.

    You can manage the Trusted Publisher List. Some users just keep Microsoft and Blue Ridge Networks in their TPL. However you decide to manage the TPL, digitally signed malware of the truly dangerous kind is not statistically relevant. You also have the option of running AppGuard in Locked Down mode which disables the Trusted Publisher List and further restricts Microsoft signed files.

    * * * * *

    I hate to be the one to burst your bubble, but if a malware - for example - that is digitally signed, co-signed by Microsoft with an Extended Validation certificate is executed on your system then it is going to sail right past Kaspersky and Hitman.Pro - and any other security soft of the antivirus\internet security type. Security softs don't monitor every single file on your system - in case you didn't know that - and they all whitelist files based upon digital certificates. That's why it's important to use much more restrictive protections such as software restriction policies.

    You have a much higher probability of walking out your door and getting struck by lightning twice than getting smacked with a full Microsoft authenticode malware.
     
    davisd, Tiny, meltcheesedec and 4 others like this.
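The "run sequence" rule in Lockdown's reply, worked through as an added example (not AppGuard's code, and only for Protected mode): every file an installer spawns, temp files included, must be signed for the install to proceed, and only when every publisher in the chain is on the Trusted Publisher List does the result persist across reboots. Assumed, and not from the post: the `SeqFile`, `weakest_link` and `install_outcome` names, the three outcome labels, the constructed file chains and publisher names, and treating a signature whose certificate fails verification (revoked, broken chain) as unsigned.

```python
"""Added example modelling the 'run sequence' rule for digitally signed
installers in AppGuard's Protected mode, as described in this thread.
Not AppGuard code; file chains and publisher names are constructed.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class SeqFile:
    name: str
    signed: bool                     # signature present AND verifies; a revoked cert counts as unsigned (assumption)
    publisher: Optional[str] = None  # certificate subject, if signed


def weakest_link(sequence: List[SeqFile], tpl: FrozenSet[str]) -> Optional[Tuple[str, str]]:
    """First file that stops the chain from meeting full TPL trust, or None if all pass.

    Useful for triage: it names the exact temp file or publisher that will trip AppGuard.
    """
    for f in sequence:
        if not f.signed:
            return (f.name, "unsigned")
        if f.publisher not in tpl:
            return (f.name, f"publisher {f.publisher!r} not in Trusted Publisher List")
    return None


def install_outcome(sequence: List[SeqFile], tpl: FrozenSet[str]) -> str:
    """Outcome of running an installer chain in Protected mode.

    'blocked'      some file in the run sequence is unsigned, so the install fails
    'user-session' every file is signed but not all by a TPL publisher: it runs guarded,
                   cannot create autoruns or write Program Files, and is inert after reboot
    'persistent'   full Authenticode chain by TPL publishers: installs and persists
    """
    if not all(f.signed for f in sequence):
        return "blocked"
    if all(f.publisher in tpl for f in sequence):
        return "persistent"
    return "user-session"


def survives_reboot(outcome: str) -> bool:
    """Only a fully trusted chain can create autoruns and come back after a reboot."""
    return outcome == "persistent"


def demo() -> dict:
    """Constructed chains: a fully signed 'stolen certificate' install and a mixed one."""
    stolen_cert_chain = [
        SeqFile("setup.exe", True, "Contoso Ltd"),
        SeqFile(r"%TEMP%\helper.exe", True, "Contoso Ltd"),
        SeqFile(r"%TEMP%\payload.dll", True, "Contoso Ltd"),
    ]
    mixed_chain = [
        SeqFile("setup.exe", True, "Contoso Ltd"),
        SeqFile(r"%TEMP%\dropper.exe", False),   # unsigned temp file in the sequence
    ]
    wide_tpl = frozenset({"Microsoft Corporation", "Blue Ridge Networks", "Contoso Ltd"})
    minimal_tpl = frozenset({"Microsoft Corporation", "Blue Ridge Networks"})  # the "just Microsoft and BRN" TPL
    return {
        "mixed_wide": install_outcome(mixed_chain, wide_tpl),
        "mixed_weakest": weakest_link(mixed_chain, wide_tpl),
        "stolen_wide": install_outcome(stolen_cert_chain, wide_tpl),
        "stolen_minimal": install_outcome(stolen_cert_chain, minimal_tpl),
        "stolen_minimal_weakest": weakest_link(stolen_cert_chain, minimal_tpl),
        "stolen_minimal_persists": survives_reboot(install_outcome(stolen_cert_chain, minimal_tpl)),
    }
```

The point the example makes is the one Lockdown makes about managing the TPL: the same fully signed chain installs and persists when its publisher is trusted, but is confined to a user-session infection when the TPL is trimmed to Microsoft and Blue Ridge Networks, and a single unsigned temp file blocks the install outright.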
  15. XhenEd (Level 27, Content Creator, Trusted)
    Thanks for the detailed explanation, @Lockdown! :)
     
  16. Lockdown (AppGuard developer)
    You already knew the answers...
     
  17. XhenEd (Level 27, Content Creator, Trusted)
    I just wanted to be sure. That's all. :D
     
  18. Lockdown (AppGuard developer)
    Since you already know the answers I am going to edit my post to make it more concise.
     
  19. meltcheesedec (Level 1)
    +1 :). Thanks @Lockdown :).
     
  20. meltcheesedec (Level 1)
    Thank you, @Umbra :).

    I am looking to understand the processes/procedures you use surrounding these settings. E.g.,
    - what are the scenarios where you take your machine out of lockdown mode?
    - what steps do you take when you would like to update applications other than those made by your "security soft's vendors"?
     