- Jul 30, 2017
- 54
1: when i install or update one of my few installed softs.Thank you, @Umbra.
I am looking to understand the processes/procedures you use surrounding these settings. E.g.,
1- what are the scenarios where you take your machine out of lockdown mode?
2- what steps do you take when you would like to update applications other than those made by your "security soft's vendors"?
2:
a- find the file checksum on the vendor site, compared it with my downloaded installer by using checksum comparator.
b- check the file in Virus Total to be sure.
c- install it , but keep my other Application Control software enabled so i can inspect what installer does.
it's not 100% safe but better than doing nothing.
Note that i am using rollback RX so if i pinpoint some weird behavior afterwards, i reload my system to the baseline in a minute.
old setting, it didn't have the xml file yet, and the Guarded Apps list changed since ( obviously ^^). but the rest is still valid.
He knows my config very well, because except for some minor differences we have the same methodology
- Jul 30, 2017
- 54
- Jul 30, 2017
- 54
Not yet. Next release of 5.X. No ETA at this time.
For the time being, just remove all the publishers in the default Trusted Publisher List that you do not need.
- Jul 30, 2017
- 54
@Umbra and @Lockdown I have additional questions for you:
3. In @Umbra 's above AppGuard configuration, when you install new software or update of already-installed software, do you change your AppGuard mode from Lockdown to Allow Installs?
4. What elements of @Umbra 's above configuration allow you to perform updates to your software that you don't categorize as security software (i.e., software written by vendors that you do not add as Trusted Publishers within AppGuard)?
5. have you had to account for any software installers that uses Powershell (e.g., DropBox and Office365)?
Reference:
Appguard's News Thread (2017)
6.a What do you recommend for users who want to both:
- use Lockdown mode, and
- utilize apps that run from within User Space (e.g., OneDrive, Windows Maintenance service, etc.)
?
E.g., might you recommend:
6.b - add publishers of OneDrive, Windows Maintenance service, and any other apps within User Space to the Trusted Publishers List (TPL) and set their levels to Install, and temporarily change from Lockdown Mode to Protected Mode in order to run these apps from within User Space?
References:
Appguard's News Thread (2017)
Appguard's News Thread (2017)
Appguard Configuration & Setting Discussion Thread
OR
6.c. - add the publishers of OneDrive, Windows Maintenance service, and any other apps within User Space to the Guard list, and remain in Lockdown mode while running these apps from within User Space?
Reference:
Appguard Configuration & Setting Discussion Thread
OR
6.d - in the User Space list, exclude the file paths of OneDrive, Windows Maintenance service, and any other apps within User Space [User Space (NO)] , and remain in Lockdown mode while running these apps?
Reference:
AppGuard 4.x 32/64 Bit
"I assume you are running AppGuard in Locked Down mode. AppGuard will block all processes from executing from User Space in Locked Down mode - unless they are added by the user to the Guarded Apps list.
...
If you don't want to see it blocked, then you have to allow it (Software Reporter).
To allow it, exclude its file path from User Space (NO) in the User Space list.
"
7. Do you have any guidance for which sorts of apps users can set as Guarded without causing interference to functionality and operation, and which should not be set as Guarded?
Reference:
AppGuard 4.x 32/64 Bit
"Alternatively, you can add it to the Guarded Apps list instead of creating an exclusion for it in the User Space list. However, if you add it to the Guarded Apps list, you should keep an eye on it until you are sure that the Guarded Apps protections do not interfere with its functionality and operation."
- Jul 30, 2017
- 54
@Lockdown , for users who utilize Protected Mode, what do you typically advise them to add to the Trusted Publisher List - e.g., add only MS, BRN and security software products, and add them as allow Install?
I recognize there are multiple strategies regarding this... might the most common AppGuard configuration strategies be documented somewhere?
I suggest keep both Microsoft and BRN. If you have any programs that use digitally signed updates from C:\Users\<User>\* you can add those too. The update run sequence has to be digitally signed all the way through. The best way to learn is simply to start with Microsoft and BRN in the Trusted Publisher List and make note of any block events from C:\Users\<User>\*. When you see such a block event you want to navigate to the blocked file, right-click and select Properties. Check if there is a Digital Signature tab. If there is such a tab then the file is digitally signed and you can add it to the TPL. Even after you add such a file to the TPL, if it has any unsigned children those will be blocked. Learning it is a trial-and-error effort. Make sense ?
yes, and maybe your hardware vendors.
nope, because SRP is all about adjusting the options and rules for a specific system so there is no "guide" ; allow what you need to be running, guard (if possible) those that connect internet , block all the rest.
Your best bet is start out using Protected Mode. Locked Down mode disables the Trusted Publisher List. This even the digitally signed files from publishers on the TPL will not launch. If you start out slowly, you will understand. Please don't try to build and anti-NSA\CIA policy right from the beginning.
- Jul 30, 2017
- 54
@Lockdown , given your stated strategy, can System Space apps (e.g., other security software such as Adguard) perform their automatic updates without any need for their publishers to be in the TPL, while in Protected Mode?
You add publishers in the event that updates are blocked in a way that causes obvious breakages. The last time I used Adguard, which was quite some time ago, I do not recall any of its updates being blocked. @Umbra uses Adguard so maybe he can chime-in.
Yes. you can't install in Lockdown Mode
if in Install Mode , yes. If not, no.
I disabled totally Powershell from running on my system, so i don't (want to) use any apps needing it.
Reference:
Appguard's News Thread (2017)
yep , it the best scenario.
nope, it may block the update process in some stages.
nope may cause updating issues too.
Yep.
All internet-facing/vulnerable apps/processes you're using should be guarded. Critical processes and security ones shouldn't.
remember that Guarded Apps prevails over User Space, so if you add one to user-space, disable the rulle in Guarded Apps.
- Jul 30, 2017
- 54
@Lockdown mode: the issue is that true AppGuard devotees and power users such as @Umbra are:
- very respected on these boards, and
- regularly post that Locked Down mode is by far the optimal configuration setup, even upon first using AppGuard
So users like me then ask you tons of questions in order to learn AppGuard
.E.g.,
After I review responses by you (thanks in advance for your help) and @Umbra to the questions I posed in reply
Appguard Configuration & Setup demo Thread
I was thinking I might then ask for your thoughts on the following, proposed AppGuard configuration and usage/process/procedure:
AppGuard Configuration:
- TPL: All security software vendors are in TPL (i.e., MS, BRN, plus a few others noted in my configuration: SECURE - Meltcheesedec Security Configuration 2017 )
- TPL: in addition, add publishers of apps within User Space (e.g., OneDrive, Windows Maintenance service, and any other apps within User Space) to the Trusted Publishers List (TPL) and set their levels to Install
- Guard List: Add "wscript.exe, cscript.exe and powershell_ise.exe to the Guarded Apps list" (Reference: Basic Hardened AppGuard Policy XML (continued) ) and "Commonly Exploited Programs" list you posted on Basic Hardened AppGuard Policy XML
AppGuard Usage/Process/Procedure:
- While installing software (in which installers may user Powershell): AppGuard is in OFF mode
- While initializing automatic updates of existing software in System Space whose publishers are in TPL (configured as allowing Install): AppGuard is in Protected Mode
- While initializing automatic updates of existing software in System Space whose publishers are NOT in TPL: I'm confused on this; should AppGuard be in Protected Mode or Allow Installs mode?
- While running apps within User Space (e.g., OneDrive, Windows Maintenance service, and any other apps within User Space) whose publishers are in TPL (configured as allowing Install): AppGuard is in Protected Mode
- While web surfing, viewing email, and downloading any files: AppGuard is in Lockdown mode
What do you think?
Last edited:
1-good
2-seems ok
3-Still good, just remember that Guarded Apps is restriction not containment.
1- install is better, if it causes issues, just untick powershell in Guarded Apps temporarily.
2- yep,
3- install
4- it is ok.
5- it's fine , remember Guarded Apps overrides User Space.
for a beginner it is more than enough. Once you will be experienced, you will go tighter.
- Jul 30, 2017
- 54
@Umbra , questions:
7. might you be able to please provide me more detail concerning your statement, as it relates to my proposed configuration above? E.g.,
8. are you suggesting (concerning my configuration above) that I not add my "apps within User Space (e.g., OneDrive, Windows Maintenance service, and any other apps within User Space)" as Guarded?
@Lockdown mode: the issue is that true AppGuard devotees and power users such as @Umbra are:
- very respected on these boards, and
- regularly post that Locked Down mode is by far the optimal configuration setup, even upon first using AppGuard
So users like me then ask you tons of questions in order to learn AppGuard
E.g.,
After I review responses by you (thanks in advance for your help) and @Umbra to the questions I posed in reply
Appguard Configuration & Setup demo Thread
I was thinking I might then ask for your thoughts on the following, proposed AppGuard configuration and usage/process/procedure:
AppGuard Configuration:
- TPL: All security software vendors are in TPL (i.e., MS, BRN, plus a few others noted in my configuration: SECURE - Meltcheesedec Security Configuration 2017 )
- TPL: in addition, add publishers of apps within User Space (e.g., OneDrive, Windows Maintenance service, and any other apps within User Space) to the Trusted Publishers List (TPL) and set their levels to Install
- Guard List: Add "wscript.exe, cscript.exe and powershell_ise.exe to the Guarded Apps list" (Reference: Basic Hardened AppGuard Policy XML (continued) ) and "Commonly Exploited Programs" list you posted on Basic Hardened AppGuard Policy XML
AppGuard Usage/Process/Procedure:
- While installing software (in which installers may user Powershell): AppGuard is in OFF mode
- While initializing automatic updates of existing software in System Space whose publishers are in TPL (configured as allowing Install): AppGuard is in Protected Mode
- While initializing automatic updates of existing software in System Space whose publishers are NOT in TPL: I'm confused on this; should AppGuard be in Protected Mode or Allow Installs mode?
- While running apps within User Space (e.g., OneDrive, Windows Maintenance service, and any other apps within User Space) whose publishers are in TPL (configured as allowing Install): AppGuard is in Protected Mode
- While web surfing, viewing email, and downloading any files: AppGuard is in Lockdown mode
What do you think?
Send me a PM please. Let's cover item-by-item.
In the Guarded Apps list there is a tickbox.
1. ticked = launches as Guarded and MemoryGuarded
2. unticked = launches unguarded and unmemoryguarded
3. ticked & in User Space list set to YES = launches as Guarded and MemoryGuarded (Guarded Apps list supersedes User Space list)
4. unticked & User Space list set to NO = disabled\blocked (for Guarded Apps you must untick them to be blocked)
Lockdown answered you in details in the post above
Exact, choose one or the other, Guarded Apps is about items restriction, User-Space is made to fully "block" or "allow" items.
Similar threads
