Appguard Configuration & Setting Discussion Thread

[meltcheesedec]

Send me a PM please. Let's cover item-by-item.

@Lockdown done.

 

[Mr.X]

do you change your AppGuard mode from Lockdown to Allow Installs?

Yes. you can't install in Lockdown Mode

For the sake of a perfect installation I always set to OFF, proven I downloaded a trusted installer/vendor file.

 

[509322]

For the sake of a perfect installation I always set to OFF, proven I downloaded a trusted installer/vendor file.

@meltcheesedec
@Mr.X
@Umbra

AppGuard's Guarded and MemoryGuard protections are not completely OFF for some programs until the protection level is set to OFF. When the protection level is set to Allow Installs some programs on the Guarded Apps list continue to be fully prevented from messing with the system and programs that are auto-detected and auto-added by default to the Guarded Apps list - some registry and file system blocks will occur, but nothing that should prevent the program from being installed.

A program being MemoryGuarded during installation has never been reported to cause an issue.

I know there has been a lot of user confusion about this. If you see block events while using Allow Installs when installing a program, disregard those logged block events unless there is an obvious breakage. I have never seen an obvious breakage happen. With IDM if the user selects certain buttons during with Allow Installs, then AppGuard will prevent it. However, if the user just allows IDM to install normally then afterwards everything works fine. That's the only case where I have seen an issue, but technically it is not a breakage.

The Activity Report is to be used to identify obvious block event breakages. Everything else is logged protection events. Do not even attempt to create exceptions such that trusted programs will have zero block events in the Activity Report. A user who does this is lowering AppGuard's protections and opening security holes.

 

[meltcheesedec]

If you see block events while using Allow Installs when installing a program, disregard those logged block events unless there is an obvious breakage. I have never seen an obvious breakage happen.

@Lockdown , is it true that you have however seen breakage happen while using Allow Installs when installing a program that uses Powershell (e.g., DropBox and Office365)?

With IDM if the user selects certain buttons during with Allow Installs, then AppGuard will prevent it.

Pardon my ignorance but what is IDM in this context?

 

[509322]

@Lockdown , is it true that you have however seen breakage happen while using Allow Installs when installing a program that uses Powershell (e.g., DropBox and Office365)?

Pardon my ignorance but what is IDM in this context?

1. No; even with powershell disabled there isn't a permanent program breakage

DropBox update command lines for Powershell:

2017/08/11_16:42:48 > C:\Program Files (x86)\Dropbox\Client_32.4.23\Dropbox.exe > C:\Windows\System32\WindowsPowerShell\v1.0\powershell "Get-AppxPackage C27EB4BA.DropboxOEM | Remove-AppxPackage"

2017/08/11_16:42:50 > C:\Program Files (x86)\Dropbox\Client_32.4.23\Dropbox.exe > C:\Windows\System32\WindowsPowerShell\v1.0\powershell "Get-AppxProvisionedPackage -Online | Where-Object DisplayName -In \"C27EB4BA.DropboxOEM\" | Remove-ProvisionedAppxPackage -Online"

2. Internet Download Manager

 

[shmu26]

1. No; even with powershell disabled there isn't a permanent program breakage

DropBox update command lines for Powershell:

2017/08/11_16:42:48 > C:\Program Files (x86)\Dropbox\Client_32.4.23\Dropbox.exe > C:\Windows\System32\WindowsPowerShell\v1.0\powershell "Get-AppxPackage C27EB4BA.DropboxOEM | Remove-AppxPackage"

2017/08/11_16:42:50 > C:\Program Files (x86)\Dropbox\Client_32.4.23\Dropbox.exe > C:\Windows\System32\WindowsPowerShell\v1.0\powershell "Get-AppxProvisionedPackage -Online | Where-Object DisplayName -In \"C27EB4BA.DropboxOEM\" | Remove-ProvisionedAppxPackage -Online"

2. Internet Download Manager

So if the Dropbox powershell command fails, it results in some unneeded installer files getting left behind?

 

[509322]

So if the Dropbox powershell command fails, it results in some unneeded installer files getting left behind?

Don't know. Nothing is broken so didn't even bother to check. I've been using DropBox with AG forever without issue.

 

[shmu26]

I bet this has been asked somewhere, some time, but the official configuration recommendation for the AppGuard + Sandboxie combo is: "c:\sandbox an exception folder (on the Guarded Apps tab) and NOT to add c:\sandbox to user-space policy."
Sounds like AppGuard is not going to provide much memory protection for sandboxed apps, if you do this. Correct?
Any suggestions?

 

[meltcheesedec]

I was thinking I might then ask for your thoughts on the following, proposed AppGuard configuration and usage/process/procedure:

AppGuard Configuration:
<some ignorance>

AppGuard Usage/Process/Procedure:
<some ignorance>

For those of you who read this aforementioned post ( Appguard Configuration & Setting Discussion Thread ), please pardon my ignorance. I was an AppGuard newbie. Thankfully @Lockdown guided me item-by-item via PM's. I am now using a @Lockdown -guided, light and effective configuration of AppGuard in Locked Down mode, as part of SECURE - Meltcheesedec Security Configuration 2017 . I documented my entire AppGuard installation and configuration via text and screenshots - which I will soon share here on MalwareTips. Stay tuned.

 

[509322]

So if the Dropbox powershell command fails, it results in some unneeded installer files getting left behind?

Powershell is being used to remove DropBox Windows\Metro App. It is probable that "DropBoxOEM" is the preinstalled Windows App shipped on some OEM systems. Therefore, if a person does not have DropBox Windows App installed, blocking powershell isn't going to cause any DropBox troubles. If they do, then they can drop AppGuard to Allow Installs or OFF when they see the powershell block. DropBox will attempt to run powershell a few times before it will go silent. So there is enough time to lower protection and let Dropbox do its thing and then re-enable protection.

The only reference I can find regarding the *.DropboxOEM AppXPackage is from the Windows 8 Metro Apps era (2013).

 

[meltcheesedec]

In the Guarded Apps list there is a tickbox.

1. ticked = launches as Guarded and MemoryGuarded
2. unticked = launches unguarded and unmemoryguarded
3. ticked & in User Space list set to YES = launches as Guarded and MemoryGuarded (Guarded Apps list supersedes User Space list)
4. unticked & User Space list set to NO = disabled\blocked (for Guarded Apps you must untick them to be blocked)

@Lockdown :

can you please tell us how AppGuard functions in use cases:
5. ticked & in User Space list set to NO
6. unticked & User Space list set to YES
?

 

[aragornnnn]

To stop those 2 popup's from showing up every now and then, i just have to add them to "User Space" and set "include" to "no" right?

08/26/17 13:11:57 Prevented process <software_reporter_tool.exe | c:\program files\google\chrome\application\chrome.exe> from launching from <c:\users\stef\appdata\local\google\chrome\user data\swreporter\21.119.1>.

08/26/17 13:07:37 Prevented process <dismhost.exe | c:\windows\system32\cleanmgr.exe> from launching from <c:\users\stef\appdata\local\temp\cf7faa1b-8c78-4881-937f-d25948a17143>.

 

[Deleted member 178]

To stop those 2 popup's from showing up every now and then, i just have to add them to "User Space" and set "include" to "no" right?

08/26/17 13:11:57 Prevented process <software_reporter_tool.exe | c:\program files\google\chrome\application\chrome.exe> from launching from <c:\users\stef\appdata\local\google\chrome\user data\swreporter\21.119.1>.

08/26/17 13:07:37 Prevented process <dismhost.exe | c:\windows\system32\cleanmgr.exe> from launching from <c:\users\stef\appdata\local\temp\cf7faa1b-8c78-4881-937f-d25948a17143>.

Yep

 

[509322]

To stop those 2 popup's from showing up every now and then, i just have to add them to "User Space" and set "include" to "no" right?

08/26/17 13:11:57 Prevented process <software_reporter_tool.exe | c:\program files\google\chrome\application\chrome.exe> from launching from <c:\users\stef\appdata\local\google\chrome\user data\swreporter\21.119.1>.

08/26/17 13:07:37 Prevented process <dismhost.exe | c:\windows\system32\cleanmgr.exe> from launching from <c:\users\stef\appdata\local\temp\cf7faa1b-8c78-4881-937f-d25948a17143>.

Use the wildcard * in file path locations that will change over time - such as version or random numbers.

For software_reporter_tool.exe, add this to User Space list and set to NO:

c:\users\stef\appdata\local\google\chrome\user data\*\software_reporter_tool.exe, where * = version number that will change over time.

For dismhost.exe, add this to User Space list and set to NO:

c:\users\stef\appdata\local\temp\*\dismhost.exe, where * = random number generated each time dismhost.exe is run.

 

[509322]

Can you please tell us how AppGuard functions in use cases:

5. ticked & in User Space list set to NO

6. unticked & User Space list set to YES

?

5. If a program is added to the Guarded Apps list then there is no need to add to the User Space list unless you plan on only using it temporarily and then disabling it after you are done with it (set back to YES)

• With this setting\configuration the process is going to run as a Guarded App
• Untick it, in Protected mode if the publisher is on the TPL it is going to run according to the TPL settings (TPL enabled), otherwise will run as un-Guarded
• Untick it, in Locked Down mode it is going to run as un-Guarded (TPL disabled)

These are just permutations of the same thing - basically for convenience so that you do not have to keep adding\deleting programs from the lists. There are also tray icon context menu options that provide the same convenience.

There are no defined use-cases. If it achieved what you wanted it to do, then it worked. One way might involve one or two more steps than the other. Users figure out which method works best for them.

6. Guarded Apps list supersedes User Space list; must untick a process on the Guarded Apps list to disable it

 

[aragornnnn]

Use the wildcard * in file path locations that will change over time - such as version or random numbers.

For software_reporter_tool.exe, add this to User Space list and sent to NO:

c:\users\stef\appdata\local\google\chrome\user data\*\software_reporter_tool.exe, where * = version number that will change over time

For dismhost.exe, add this to User Space list and set to NO:

c:\users\stef\appdata\local\temp\*\dismhost.exe, where * = random number generated each time dismhost.exe is run.

nice thank you

 

[509322]

I bet this has been asked somewhere, some time, but the official configuration recommendation for the AppGuard + Sandboxie combo is: "c:\sandbox an exception folder (on the Guarded Apps tab) and NOT to add c:\sandbox to user-space policy."
Sounds like AppGuard is not going to provide much memory protection for sandboxed apps, if you do this. Correct?
Any suggestions?

There is no official AppGuard LLC "position" on configuring any 3rd-party soft within AppGuard. The offical AppGuard LLC position is that any custom configuration is the user's prerogative and at their own risk. This is no different than any other software publisher.

The user may add the sandbox to the User Space list, but then there will be items blocked. To solve this, the user must create exclusions in the User Space list - thereby permitting the launch of processes and loading of dlls within the sandbox.

You do get memory protections for launched programs when the sandbox is added to User Space.

Since a user can configure\restrict program launches in Sanboxie, adding the sandbox to User Space in AppGuard is mostly superfluous.

 

[shmu26]

There is no official AppGuard LLC "position" on configuring any 3rd-party soft within AppGuard. The offical AppGuard LLC position is that any custom configuration is the user's prerogative and at their own risk. This is no different than any other software publisher.

The user may add the sandbox to the User Space list, but then there will be items blocked. To solve this, the user must create exclusions in the User Space list - thereby permitting the launch of processes and loading of dlls within the sandbox.

You do get memory protections for launched programs when the sandbox is added to User Space.

Since a user can configure\restrict program launches in Sanboxie, adding the sandbox to User Space in AppGuard is mostly superfluous.

Thanks. By "official configuration recommendation for the AppGuard + Sandboxie combo", I was talking about Sandboxie's recommendation for solving compatibility issues.

 

[shadek]

Is the latest version of AppGuard 4.x still good enough to use on latest Windows 10 update?

 

[509322]

Thanks. By "official configuration recommendation for the AppGuard + Sandboxie combo", I was talking about Sandboxie's recommendation for solving compatibility issues.

Two most common configuration questions in the past were:

1. Chrome installed to User Space and then run in Locked Down mode
2. Sanboxie

Those questions are not so frequent nowaydays.