Q&A Appguard Configuration & Setting Discussion Thread

Discussion in 'AppGuard (Blue Ridge Networks)' started by Umbra, Nov 29, 2015.

Poll: Is this thread informative to you?

  1. Yes

    100.0%
  2. No

    0 vote(s)
    0.0%
  1. meltcheesedec

    meltcheesedec Level 1

    Jul 30, 2017
    45
    111
    Israel
    Windows 10
    Microsoft
    @Lockdown done.
     
  2. Mr.X

    Mr.X Level 6

    Aug 2, 2014
    289
    877
    PC Tech
    Mexico
    For the sake of a perfect installation :p I always set to OFF, provided I downloaded a trusted installer/vendor file. :cool:
     
    SHvFl and meltcheesedec like this.
  3. Lockdown

    Lockdown From AppGuard
    Developer

    Oct 24, 2016
    2,705
    11,848
    AppGuard LLC Virginia, U.S.
    @meltcheesedec
    @Mr.X
    @Umbra

    AppGuard's Guarded and MemoryGuard protections are not completely OFF for some programs until the protection level is set to OFF. When the protection level is set to Allow Installs some programs on the Guarded Apps list continue to be fully prevented from messing with the system and programs that are auto-detected and auto-added by default to the Guarded Apps list - some registry and file system blocks will occur, but nothing that should prevent the program from being installed.

    A program being MemoryGuarded during installation has never been reported to cause an issue.

    I know there has been a lot of user confusion about this. If you see block events while using Allow Installs when installing a program, disregard those logged block events unless there is an obvious breakage. I have never seen an obvious breakage happen. With IDM if the user selects certain buttons during with Allow Installs, then AppGuard will prevent it. However, if the user just allows IDM to install normally then afterwards everything works fine. That's the only case where I have seen an issue, but technically it is not a breakage.

    The Activity Report is to be used to identify obvious block event breakages. Everything else is logged protection events. Do not even attempt to create exceptions such that trusted programs will have zero block events in the Activity Report. A user who does this is lowering AppGuard's protections and opening security holes.
     
    shmu26, SHvFl and meltcheesedec like this.
  4. meltcheesedec

    meltcheesedec Level 1

    Jul 30, 2017
    45
    111
    Israel
    Windows 10
    Microsoft
    @Lockdown , is it true that you have however seen breakage happen while using Allow Installs when installing a program that uses Powershell (e.g., DropBox and Office365)?

    Pardon my ignorance but what is IDM in this context?
     
    SHvFl likes this.
  5. Lockdown

    Lockdown From AppGuard
    Developer

    Oct 24, 2016
    2,705
    11,848
    AppGuard LLC Virginia, U.S.
    #45 Lockdown, Aug 11, 2017
    Last edited: Aug 11, 2017
    1. No; even with powershell disabled there isn't a permanent program breakage

    DropBox update command lines for Powershell:

    2017/08/11_16:42:48 > C:\Program Files (x86)\Dropbox\Client_32.4.23\Dropbox.exe > C:\Windows\System32\WindowsPowerShell\v1.0\powershell "Get-AppxPackage C27EB4BA.DropboxOEM | Remove-AppxPackage"

    2017/08/11_16:42:50 > C:\Program Files (x86)\Dropbox\Client_32.4.23\Dropbox.exe > C:\Windows\System32\WindowsPowerShell\v1.0\powershell "Get-AppxProvisionedPackage -Online | Where-Object DisplayName -In \"C27EB4BA.DropboxOEM\" | Remove-ProvisionedAppxPackage -Online"

    2. Internet Download Manager
     
    shmu26 and meltcheesedec like this.
  6. shmu26

    shmu26 Level 53

    Jul 3, 2015
    4,259
    13,539
    Utopia
    So if the Dropbox powershell command fails, it results in some unneeded installer files getting left behind?
     
    meltcheesedec likes this.
  7. Lockdown

    Lockdown From AppGuard
    Developer

    Oct 24, 2016
    2,705
    11,848
    AppGuard LLC Virginia, U.S.
    Don't know. Nothing is broken so didn't even bother to check. I've been using DropBox with AG forever without issue.
     
    meltcheesedec and shmu26 like this.
  8. shmu26

    shmu26 Level 53

    Jul 3, 2015
    4,259
    13,539
    Utopia
    I bet this has been asked somewhere, some time, but the official configuration recommendation for the AppGuard + Sandboxie combo is: "c:\sandbox an exception folder (on the Guarded Apps tab) and NOT to add c:\sandbox to user-space policy."
    Sounds like AppGuard is not going to provide much memory protection for sandboxed apps, if you do this. Correct?
    Any suggestions?
     
    meltcheesedec likes this.
  9. meltcheesedec

    meltcheesedec Level 1

    Jul 30, 2017
    45
    111
    Israel
    Windows 10
    Microsoft
    For those of you who read this aforementioned post (Appguard Configuration & Setting Discussion Thread), please pardon my ignorance. I was an AppGuard newbie. Thankfully @Lockdown guided me item-by-item via PMs. I am now using a @Lockdown -guided, light and effective configuration of AppGuard in Locked Down mode, as part of SECURE - Meltcheesedec Security Configuration 2017. I documented my entire AppGuard installation and configuration via text and screenshots - which I will soon share here on malwaretips. Stay tuned.
     
    XhenEd and shmu26 like this.
  10. Lockdown

    Lockdown From AppGuard
    Developer

    Oct 24, 2016
    2,705
    11,848
    AppGuard LLC Virginia, U.S.
    Powershell is being used to remove DropBox Windows\Metro App. It is probable that "DropBoxOEM" is the preinstalled Windows App shipped on some OEM systems. Therefore, if a person does not have DropBox Windows App installed, blocking powershell isn't going to cause any DropBox troubles. If they do, then they can drop AppGuard to Allow Installs or OFF when they see the powershell block. DropBox will attempt to run powershell a few times before it will go silent. So there is enough time to lower protection and let Dropbox do its thing and then re-enable protection.

    The only reference I can find regarding the *.DropboxOEM AppXPackage is from the Windows 8 Metro Apps era (2013).
     
    meltcheesedec, XhenEd and shmu26 like this.
  11. meltcheesedec

    meltcheesedec Level 1

    Jul 30, 2017
    45
    111
    Israel
    Windows 10
    Microsoft
    @Lockdown :

    can you please tell us how AppGuard functions in use cases:
    5. ticked & in User Space list set to NO
    6. unticked & User Space list set to YES
    ?
     
  12. aragornnnn

    aragornnnn Level 11

    Aug 18, 2016
    524
    6,236
    Warehouse Employee @ Nike ELC Belgium
    Belgium
    Windows 10
    Kaspersky
    To stop those 2 popups from showing up every now and then, I just have to add them to "User Space" and set "include" to "no", right?

    08/26/17 13:11:57 Prevented process <software_reporter_tool.exe | c:\program files\google\chrome\application\chrome.exe> from launching from <c:\users\stef\appdata\local\google\chrome\user data\swreporter\21.119.1>.

    08/26/17 13:07:37 Prevented process <dismhost.exe | c:\windows\system32\cleanmgr.exe> from launching from <c:\users\stef\appdata\local\temp\cf7faa1b-8c78-4881-937f-d25948a17143>.
     
  13. Umbra

    Umbra From Emsisoft
    Developer

    May 16, 2011
    17,163
    29,643
    Community manager
    Vietnam & France
    Windows 10
    Emsisoft
    Yep
     
    aragornnnn likes this.
  14. Lockdown

    Lockdown From AppGuard
    Developer

    Oct 24, 2016
    2,705
    11,848
    AppGuard LLC Virginia, U.S.
    #54 Lockdown, Aug 26, 2017
    Last edited: Aug 26, 2017
    Use the wildcard * in file path locations that will change over time - such as version or random numbers.

    For software_reporter_tool.exe, add this to User Space list and set to NO:

    c:\users\stef\appdata\local\google\chrome\user data\*\software_reporter_tool.exe, where * = version number that will change over time.

    For dismhost.exe, add this to User Space list and set to NO:

    c:\users\stef\appdata\local\temp\*\dismhost.exe, where * = random number generated each time dismhost.exe is run.
     
    shmu26 and aragornnnn like this.
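As an added illustration of the wildcard entries above (example code written for this thread, not AppGuard's own code and not from any poster), the Python script below parses the two Activity Report lines quoted earlier, reconstructs the full launch path of each prevented process, and reports which User Space entry would cover it and what text the `*` absorbed. It assumes that `*` in an AppGuard path matches any run of characters, path separators included, and that paths compare case-insensitively; the thread does not state AppGuard's exact wildcard semantics, so that is an assumption. The log lines and the two entries are embedded as constructed test input.

```python
import re

# The two Activity Report lines quoted in the thread, embedded here as constructed sample input.
SAMPLE_LOG = r"""
08/26/17 13:11:57 Prevented process <software_reporter_tool.exe | c:\program files\google\chrome\application\chrome.exe> from launching from <c:\users\stef\appdata\local\google\chrome\user data\swreporter\21.119.1>.
08/26/17 13:07:37 Prevented process <dismhost.exe | c:\windows\system32\cleanmgr.exe> from launching from <c:\users\stef\appdata\local\temp\cf7faa1b-8c78-4881-937f-d25948a17143>.
"""

# The two User Space entries (set to NO) suggested in the post above.
USER_SPACE_NO = [
    r"c:\users\stef\appdata\local\google\chrome\user data\*\software_reporter_tool.exe",
    r"c:\users\stef\appdata\local\temp\*\dismhost.exe",
]

# Shape of a "Prevented process ... from launching from ..." Activity Report line:
# <child exe | parent exe> and the directory the child was launched from.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d/\d\d \d\d:\d\d:\d\d) Prevented process "
    r"<(?P<child>[^|]+?) \| (?P<parent>[^>]+)> from launching from <(?P<dir>[^>]+)>\.$"
)


def parse_report(text):
    """Parse Activity Report lines into dicts; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        event = m.groupdict()
        # The report logs the launch directory and the exe name separately;
        # join them into the full path a User Space entry would be matched against.
        event["path"] = event["dir"].rstrip("\\") + "\\" + event["child"]
        events.append(event)
    return events


def rule_to_regex(rule):
    """Turn an AppGuard-style path with '*' into a regex.

    Assumption: '*' matches any run of characters, including '\\'; every other
    character is literal; comparison is case-insensitive like NTFS paths.
    Each '*' becomes a capturing group so we can show what it absorbed.
    """
    parts = [re.escape(p) for p in rule.split("*")]
    return re.compile("^" + "(.*)".join(parts) + "$", re.IGNORECASE)


def covering_rule(path, rules):
    """Return the first rule that matches the path, or None if nothing covers it."""
    for rule in rules:
        if rule_to_regex(rule).match(path):
            return rule
    return None


def wildcard_captures(rule, path):
    """Return the substrings each '*' in rule absorbed when matching path (None if no match)."""
    m = rule_to_regex(rule).match(path)
    return m.groups() if m else None


def triage(text, rules):
    """For every prevented launch in the report, pair its full path with the covering rule."""
    return [(e["path"], covering_rule(e["path"], rules)) for e in parse_report(text)]


if __name__ == "__main__":
    for path, rule in triage(SAMPLE_LOG, USER_SPACE_NO):
        if rule is None:
            print(f"NOT COVERED: {path}")
        else:
            print(f"covered by {rule}\n   '*' absorbed: {wildcard_captures(rule, path)}")
```

Note that the first logged launch directory has two levels (`swreporter\21.119.1`) below `user data`, so the first entry only covers it if `*` spans a path separator, which is what this script assumes. After adding an entry, the check that actually matters is the Activity Report itself: if the same block event keeps appearing, the entry is not matching as written. The script also leaves a path such as `c:\users\stef\appdata\local\temp\evil.exe` uncovered, since the entries are exe-specific rather than whole-directory exclusions.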
  15. Lockdown

    Lockdown From AppGuard
    Developer

    Oct 24, 2016
    2,705
    11,848
    AppGuard LLC Virginia, U.S.
    #55 Lockdown, Aug 26, 2017
    Last edited: Aug 26, 2017
    5. If a program is added to the Guarded Apps list then there is no need to add to the User Space list unless you plan on only using it temporarily and then disabling it after you are done with it (set back to YES)
    • With this setting\configuration the process is going to run as a Guarded App
    • Untick it, in Protected mode if the publisher is on the TPL it is going to run according to the TPL settings (TPL enabled), otherwise will run as un-Guarded
    • Untick it, in Locked Down mode it is going to run as un-Guarded (TPL disabled)
    These are just permutations of the same thing - basically for convenience so that you do not have to keep adding\deleting programs from the lists. There are also tray icon context menu options that provide the same convenience.

    There are no defined use-cases. If it achieved what you wanted it to do, then it worked. One way might involve one or two more steps than the other. Users figure out which method works best for them.

    6. Guarded Apps list supersedes User Space list; must untick a process on the Guarded Apps list to disable it
     
  16. aragornnnn

    aragornnnn Level 11

    Aug 18, 2016
    524
    6,236
    Warehouse Employee @ Nike ELC Belgium
    Belgium
    Windows 10
    Kaspersky
    nice thank you :)
     
  17. Lockdown

    Lockdown From AppGuard
    Developer

    Oct 24, 2016
    2,705
    11,848
    AppGuard LLC Virginia, U.S.
    #57 Lockdown, Aug 26, 2017
    Last edited: Aug 26, 2017
    There is no official AppGuard LLC "position" on configuring any 3rd-party soft within AppGuard. The official AppGuard LLC position is that any custom configuration is the user's prerogative and at their own risk. This is no different than any other software publisher.

    The user may add the sandbox to the User Space list, but then there will be items blocked. To solve this, the user must create exclusions in the User Space list - thereby permitting the launch of processes and loading of dlls within the sandbox.

    You do get memory protections for launched programs when the sandbox is added to User Space.

    Since a user can configure\restrict program launches in Sandboxie, adding the sandbox to User Space in AppGuard is mostly superfluous.
     
    shmu26 likes this.
  18. shmu26

    shmu26 Level 53

    Jul 3, 2015
    4,259
    13,539
    Utopia
    Thanks. By "official configuration recommendation for the AppGuard + Sandboxie combo", I was talking about Sandboxie's recommendation for solving compatibility issues.
     
  19. shadek

    shadek Level 1

    Aug 20, 2017
    13
    22
    Sweden
    Windows 10
    Is the latest version of AppGuard 4.x still good enough to use on latest Windows 10 update?
     
  20. Lockdown

    Lockdown From AppGuard
    Developer

    Oct 24, 2016
    2,705
    11,848
    AppGuard LLC Virginia, U.S.
    Two most common configuration questions in the past were:

    1. Chrome installed to User Space and then run in Locked Down mode
    2. Sandboxie

    Those questions are not so frequent nowadays.
     
    shmu26 likes this.