Q&A Appguard Configuration & Setting Discussion Thread


shmu26

Level 67
Content Creator
Verified
Joined
Jul 3, 2015
Messages
5,639
OS
Windows 10
#81
If I run an AV that has anti-exploit/BB features, could that potentially conflict with AppGuard? For instance, let's say my AV tries to block process hollowing, and at the same time, AppGuard is trying to restrict memory access. Will they get in each other's way?
 

Lockdown

From AppGuard
Developer
Verified
Joined
Oct 24, 2016
Messages
3,911
#82
Technically, it is possible. No security soft vendor guarantees 100% compatibility or absence of any conflicts.

Over the course of years there have been no serious conflicts reported that could be conclusively proven.

It is rare for AG to mess with another security soft. Most of the time it turns out that the vendor is trying to launch default disabled processes or processes launching from User Space and AG, of course, blocks those. The low incidence of issues between AG and other softs is one of the primary reasons that some people choose to use it.

Read every single security soft EULA and you will find that the language therein does not guarantee use with other softs. Nobody is going to guarantee such a thing.
 

shmu26

#83
A user may modify their xml using an xml editor, but we're not going to provide any "How Tos" or support for it. It opens a can of worms.
So let's say I get my policy set up the way I want it. But it only applies to one user.
Can I paste my XML file into appdata folder of other users? I assume the exceptions that have a specific user account in the path are not going to work. But the rest will?
 

Lockdown

#84
In the future AppGuard will implement a single policy for the entire machine\all user accounts.
 

Lockdown

#85
The drop-in is possible, and it is quite simple, but enough people could not manage to update the user file paths to the extent that the guides here had to be taken down.

Leave it alone.
 

Mr.X

Level 7
Verified
Joined
Aug 2, 2014
Messages
325
#87
I'm new to Win10 (whispers: I'm starting to hate it).
09/03/17 08:59:30 Prevented process <dismhost.exe | c:\windows\system32\cleanmgr.exe> from launching from <c:\users\mrx\appdata\local\temp\a1bb5ca3-43b1-4807-b3b6-62a3ba798c9f>.
09/03/17 08:59:25 Prevented process <dismhost.exe | c:\windows\system32\cleanmgr.exe> from launching from <c:\users\mrx\appdata\local\temp\fbcf5735-7af3-4c03-8267-35dcec8170aa>.
09/03/17 08:59:16 Prevented process <dismhost.exe | c:\windows\system32\cleanmgr.exe> from launching from <c:\users\mrx\appdata\local\temp\28cf1ff2-0335-4e39-bae2-4b7d45fb6f46>.
09/03/17 08:59:13 Prevented process <dismhost.exe | c:\windows\system32\cleanmgr.exe> from launching from <c:\users\mrx\appdata\local\temp\f38699e9-09b5-4ee7-9cd1-73d4ae2e94a8>.
I know how to deal with it from AppGuard perspective but not from a general perspective so, any recommendation?
 

Lockdown

#88
User Space List, NO, c:\users\mrx\appdata\local\temp\*\dismhost.exe

It is Automatic Maintenance; idle process
 

Mr.X

#89
I know it's a maintenance idle process. I should have worded my question better: in your experience, could not letting that process run trigger or cause unforeseen, OR seen lol, weird events? Because I'd rather let AG block it for good.
 

Lockdown

#90
Weirdness? No. You can even disable it and run it only manually if you wish.

Auto-Maint runs disk defrag\optimize drives, NET optimization, check for updates, etc.

Here is one official MSDN article (there are others): Automatic Maintenance (Windows)
 

Mr.X

#91
I was referring to any other "weird" events or negative side effects not the Automatic Maintenance process itself. Please understand that I prefer AG to block it so the process won't accomplish its tasks. I'm not interested in disk maintenance of any kind, or .NET optimization (I do this one running a specialized script), I do updates manually as well. In fact, I've stopped automatic download/install of them.
 

Lockdown

#92
I have not seen any weirdness by blocking AM. There are some users like you that prefer to allow AG to block AM or even go so far as to permanently disable AM within Windows.
 

shmu26

#94
So I'm still trying to figure out what could go wrong if you run AppGuard in Protected mode and have no other security apps other than Windows Defender.
What I came up with so far is signed ransomware. Theoretically, it could run from user space, as long as it is an exe file and not a script, and encrypt user data located outside of privacy-protected folders. Same goes for data stealers.
Doesn't sound so likely or so scary. What am I overlooking?
 

Lockdown

#95
You pretty much hit the nail on the head.

Worst case scenario:

1. Digitally signed malware that is fully signed all the way through the run sequence, including *.tmp files will run
2. Ransomware will encrypt User Space
3. User Session infection for other malware types (reboot system will clear)

For any of that to happen you have to run the malware.

We have many end-users that have run AppGuard in Medium (old setting name)\Protected mode for years and years and the system never got infected. I would bet heavily that those folks are not the "let's see, I'll download this and execute it just to see what it does" types.

Security software doesn't allow systems to get infected, people themselves infect their systems.
 

shmu26

#96
I have been warned not to reformat a partition while AppGuard is installed on the system.
Any other warnings a user should know about?
 

Lockdown

#97
If it is the partition that AppGuard is installed on, it should be removed. If it is a non-system partition, then set AppGuard to OFF and disable the 20-minute timeout in the GUI. I suppose I didn't explain it correctly.

Don't forget to uninstall AppGuard before doing a clean Windows install, otherwise the clean install will consume one of the activations.

For the time being, do not use characters such as "&" in file paths on non-system partitions.

Other than that, issue sort-out is on a case-by-case basis.
 

Aktiffiso

Level 7
Verified
Joined
Aug 24, 2013
Messages
344
#98
Hi, I have a little problem: AppGuard stops some Word plugins, Citavi and Stilus. Can someone help me unlock them?

01/19/18 19:49:30 AppGuard stopped <16> suspicious activities while active.
01/19/18 19:47:26 Prevented <pid: 4936> from writing to <\registry\machine\system\controlset001\services\bam\usersettings\s-1-5-21-3854041146-1172013033-528664091-1001>.
01/19/18 19:46:53 Prevented <pid: 8440> from writing to <\registry\machine\system\controlset001\services\bam\usersettings\s-1-5-21-3854041146-1172013033-528664091-1001>.
01/19/18 19:46:53 Prevented process <pid: 4936> from writing to <c:\program files\microsoft office\root\office16\addins\citavi word addin\citaviwordaddin.docm>.
01/19/18 19:45:40 Prevented <Microsoft Word> from writing to <\registry\machine\system\controlset001\services\bam\usersettings\s-1-5-21-3854041146-1172013033-528664091-1001>.
01/19/18 19:45:22 Prevented process <Microsoft Word> from writing to <c:\program files\microsoft office\root\office16\addins\citavi word addin\citaviwordaddin.docm>.
01/19/18 19:45:11 Prevented <Opera Internet Browser> from writing to <\registry\machine\system\controlset001\services\bam\usersettings\s-1-5-21-3854041146-1172013033-528664091-1001>.
01/19/18 19:41:56 Prevented <Opera Internet Browser> from writing to <\registry\machine\system\controlset001\services\bam\usersettings\s-1-5-21-3854041146-1172013033-528664091-1001>.
01/19/18 19:40:06 Prevented <Opera Internet Browser> from writing to <\registry\machine\system\controlset001\services\bam\usersettings\s-1-5-21-3854041146-1172013033-528664091-1001>.
01/19/18 19:39:12 Protection level is set to <protected>.
01/19/18 19:32:22 Protection level is set to <off>.
01/19/18 19:30:43 Protection level is set to <protected>.
01/19/18 19:29:43 Protection level is set to <protected>.
01/19/18 19:24:19 Prevented process <pid: 10896> from writing to <c:\windows\temp\opera autoupdate\installer.exe>.
01/19/18 19:24:19 Prevented process <pid: 10896> from writing to <c:\windows\system32\config\systemprofile\downloads\desktop.ini>.
01/19/18 19:24:09 Prevented process <hds_control_check.vbs | c:\windows\syswow64\cscript.exe> from launching from <c:\users\ciesa\appdata\roaming\hard disk sentinel>.
01/19/18 19:24:07 Prevented process <hds_control_remove.vbs | c:\windows\syswow64\cscript.exe> from launching from <c:\users\ciesa\appdata\roaming\hard disk sentinel>.
01/19/18 19:22:33 Prevented process <Opera Internet Browser> from writing to <c:\windows\system32\config\systemprofile\downloads\desktop.ini>.
01/19/18 19:22:31 Prevented process <Opera Internet Browser> from writing to <c:\windows\temp\opera autoupdate\installer.exe>.
01/19/18 19:19:20 Protection level is set to <protected>.
 

Lockdown

#99
@Aktiffiso

1. You must make C:\Windows\Temp\Opera Autoupdate\installer.exe an Exception folder:

Double-click tray icon > Customize button > Guarded Apps tab > Settings tab > Add button > c:\windows\temp\opera autoupdate\installer.exe (copy-paste) > OK button > Under Type column select Exception (Read\Write) in drop-down menu [you must highlight selection in Type column to expose drop-down menu] > OK button > OK button

This is so Opera can auto update.

2. You must make c:\program files\microsoft office\root\office16\addins\citavi word addin\citaviwordaddin.docm an Exception folder:

Double-click tray icon > Customize button > Guarded Apps tab > Settings tab > Add button > c:\program files\microsoft office\root\office16\addins\citavi word addin\citaviwordaddin.docm (copy-paste) > OK button > Under Type column select Exception (Read\Write) in drop-down menu [you must highlight selection in Type column to expose drop-down menu] > OK button > OK button

3. You must add c:\users\ciesa\appdata\roaming\hard disk sentinel\hds_control_remove.vbs to the User Space list and set to NO:

Double-click tray icon > Customize button > User Space tab > Add button > c:\users\ciesa\appdata\roaming\hard disk sentinel\hds_control_remove.vbs (copy-paste) > OK button > under Include column make sure to select "NO" > Apply button > OK button

There is nothing in the log that shows any block events associated with Stilus.

I could find no info on Stilus.

* * * * *

ADVISORY:

I don't know how Citavi works. I'm not sure if it uses Word's default settings or its own.

Microsoft Word is writing to citaviwordaddin.docm. A .docm is a macro file. You should contact the Citavi publisher and ask them if Citavi is using macros by default - if it overrides Word's security settings, or if it is defaulting to Word's security settings, or using its own security settings. Macros being selected or even being enabled by default puts your system at risk.

The Citavi KB on macros doesn't look very reassuring:

How to run a macro in Citavi
 
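The rules Lockdown spelled out in #88 and #99 follow directly from the shape of the log lines: a blocked launch from a User Space folder becomes a User Space entry set to NO, and a blocked write to a file becomes a Guarded Apps Exception (Read\Write). The Python script below is an added example, not part of this thread and not AppGuard's own tooling. It applies that mapping to the log lines quoted above (copied in as a constructed sample), collapses GUID-named temp folders such as CleanMgr's into a wildcard so one rule covers every run (which is how the dismhost.exe rule in #88 is shaped), and deliberately gives no suggestion for the blocked registry writes, because the thread offers none. The mapping and the rule names are assumptions taken from the replies here, not an official AppGuard import format.

```python
"""Turn AppGuard activity-report lines into candidate policy entries.

Added example; not from the thread or from AppGuard. Assumptions (labelled):
- The two event shapes are taken from the log excerpts posted in the thread.
- Rule mapping follows Lockdown's replies: blocked launch from User Space ->
  User Space entry with Include = NO; blocked file write -> Guarded Apps
  Exception (Read\\Write). Registry writes get no automatic suggestion.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

TS = r"(?P<ts>\d\d/\d\d/\d\d \d\d:\d\d:\d\d)"
# "Prevented process <child | parent> from launching from <dir>."
LAUNCH_RE = re.compile(
    TS + r" Prevented process <(?P<subject>[^>]+)> from launching from <(?P<dir>[^>]+)>\.$"
)
# "Prevented [process] <name or pid> from writing to <path or registry key>."
WRITE_RE = re.compile(
    TS + r" Prevented (?:process )?<(?P<subject>[^>]+)> from writing to <(?P<target>[^>]+)>\.$"
)
# GUID-named folders change on every run; a literal path would never match twice.
GUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)


@dataclass
class Suggestion:
    kind: str    # "user_space_no" | "exception_rw" | "no_rule"
    path: str    # the path to enter in the AppGuard GUI
    reason: str


def generalize_path(path: str) -> str:
    """Replace each GUID path segment with '*' so one rule covers all runs."""
    return "\\".join("*" if GUID_RE.match(p) else p for p in path.split("\\"))


def launched_name(subject: str) -> str:
    """'dismhost.exe | c:\\...\\cleanmgr.exe' -> 'dismhost.exe' (child of the pair)."""
    return subject.split("|")[0].strip()


def suggest(line: str) -> Optional[Suggestion]:
    """Map one log line to a suggestion; None for non-block lines (level changes, summaries)."""
    m = LAUNCH_RE.match(line.strip())
    if m:
        full = m.group("dir").rstrip("\\") + "\\" + launched_name(m.group("subject"))
        return Suggestion("user_space_no", generalize_path(full),
                          "blocked launch from User Space; add to User Space list, Include = NO")
    m = WRITE_RE.match(line.strip())
    if m:
        target = m.group("target")
        if target.lower().startswith("\\registry\\"):
            return Suggestion("no_rule", target,
                              "blocked registry write; no rule suggested in the thread, review manually")
        return Suggestion("exception_rw", target,
                          "blocked file write; add as Guarded Apps Exception (Read\\Write)")
    return None


def suggestions_for(lines: List[str]) -> List[Suggestion]:
    """Collect suggestions, de-duplicated on (kind, path), in first-seen order."""
    seen, out = set(), []
    for line in lines:
        s = suggest(line)
        if s and (s.kind, s.path.lower()) not in seen:
            seen.add((s.kind, s.path.lower()))
            out.append(s)
    return out


# Constructed sample: lines copied from the posts above, in this order.
SAMPLE_LOG = [
    r"09/03/17 08:59:30 Prevented process <dismhost.exe | c:\windows\system32\cleanmgr.exe> from launching from <c:\users\mrx\appdata\local\temp\a1bb5ca3-43b1-4807-b3b6-62a3ba798c9f>.",
    r"09/03/17 08:59:25 Prevented process <dismhost.exe | c:\windows\system32\cleanmgr.exe> from launching from <c:\users\mrx\appdata\local\temp\fbcf5735-7af3-4c03-8267-35dcec8170aa>.",
    r"01/19/18 19:39:12 Protection level is set to <protected>.",
    r"01/19/18 19:47:26 Prevented <pid: 4936> from writing to <\registry\machine\system\controlset001\services\bam\usersettings\s-1-5-21-3854041146-1172013033-528664091-1001>.",
    r"01/19/18 19:46:53 Prevented process <pid: 4936> from writing to <c:\program files\microsoft office\root\office16\addins\citavi word addin\citaviwordaddin.docm>.",
    r"01/19/18 19:45:22 Prevented process <Microsoft Word> from writing to <c:\program files\microsoft office\root\office16\addins\citavi word addin\citaviwordaddin.docm>.",
    r"01/19/18 19:24:09 Prevented process <hds_control_check.vbs | c:\windows\syswow64\cscript.exe> from launching from <c:\users\ciesa\appdata\roaming\hard disk sentinel>.",
    r"01/19/18 19:22:31 Prevented process <Opera Internet Browser> from writing to <c:\windows\temp\opera autoupdate\installer.exe>.",
]

if __name__ == "__main__":
    for s in suggestions_for(SAMPLE_LOG):
        print(f"{s.kind:14} {s.path}\n    {s.reason}")
```

Note that the parser proposes an entry for hds_control_check.vbs as well as hds_control_remove.vbs, since both launches were blocked in the posted log; #99 lists only the second. Whether both .vbs files are wanted is a decision for the user, which is the point of emitting suggestions rather than applying them.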
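The advisory in #99 rests on citaviwordaddin.docm being a macro-enabled file. A .docm is an OOXML zip package; when it carries macros, the VBA project is the part word/vbaProject.bin, and [Content_Types].xml declares that part with the content type application/vnd.ms-office.vbaProject. The check below is an added example, not from the thread, Citavi or AppGuard: it reports whether a given .docm actually contains a VBA project, which is worth knowing before contacting the publisher. The two sample packages are constructed in memory (the vbaProject.bin payload is a dummy CFB header, not real VBA); the content-type string is the standard OOXML value, and the assumption is that Word writes the file the standard way.

```python
"""Report whether a macro-enabled Word file (.docm) actually carries a VBA project.

Added example; not from the thread or from Citavi. Works on the zip container
only, so no Office install is needed. Sample packages are constructed below.
"""
import io
import zipfile

VBA_PART = "word/vbaProject.bin"
# Standard OOXML content type for the VBA project part (assumption: Word uses it).
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def inspect_docm(data: bytes) -> dict:
    """Return has_vba (part present), declared (content type listed) and the part list."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        declared = False
        if "[Content_Types].xml" in names:
            ct = z.read("[Content_Types].xml").decode("utf-8", "replace")
            declared = VBA_CONTENT_TYPE in ct
        return {"has_vba": VBA_PART in names, "declared": declared, "parts": names}


def verdict(data: bytes) -> str:
    """One-line reading of the flags; a part without its declaration is itself suspicious."""
    r = inspect_docm(data)
    if r["has_vba"] and r["declared"]:
        return "VBA project present and declared"
    if r["has_vba"]:
        return "VBA project present but not declared in [Content_Types].xml"
    if r["declared"]:
        return "VBA project declared but part missing"
    return "no VBA project"


def make_sample_docm(with_vba: bool) -> bytes:
    """Build a minimal constructed package shaped like a .docm."""
    ct = ['<?xml version="1.0" encoding="UTF-8"?>',
          '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">',
          '<Default Extension="xml" ContentType="application/xml"/>']
    if with_vba:
        ct.append(f'<Override PartName="/{VBA_PART}" ContentType="{VBA_CONTENT_TYPE}"/>')
    ct.append("</Types>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "\n".join(ct))
        z.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            # Dummy payload: CFB magic bytes plus padding, not a real VBA project.
            z.writestr(VBA_PART, b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24)
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (True, False):
        print(f"with_vba={flag}: {verdict(make_sample_docm(flag))}")
```

To run it against the real file, read c:\program files\microsoft office\root\office16\addins\citavi word addin\citaviwordaddin.docm into bytes and pass it to verdict(). A "present" result tells you there is VBA to ask the publisher about; it does not tell you what the code does, and the fact that Word rewrites the file on every start is a separate question for Citavi.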

Aktiffiso

Here is the event when AppGuard blocks Stilus; it says:

Name: Stilus para Word
From: file:///C:/TEMP/Stilus para Word.vsto

************** Exception text **************
System.UnauthorizedAccessException: Access denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
   at System.Deployment.Internal.Isolation.IsolationInterop.CreateActContext(CreateActContextParameters& Params)
   at System.Deployment.Internal.Isolation.IsolationInterop.CreateActContext(IDefinitionAppId AppId)
   at System.ActivationContext.CreateFromName(ApplicationIdentity applicationIdentity)
   at System.ActivationContext.CreatePartialActivationContext(ApplicationIdentity identity)
   at Microsoft.VisualStudio.Tools.Applications.Deployment.ClickOnceAddInDeploymentManager.InstallAddIn()
 
