Appguard Configuration & Setting Discussion Thread

Deleted member 178
What you should put in Guarded Applications:

- Every internet-facing app (browsers, P2P, etc.)
- Mail clients (Thunderbird, etc.)
- Virtual machines (VMware, VirtualBox)
- Portable apps
- Media players (Foobar, VLC, etc.)
- Archive software (WinRAR, 7-Zip, etc.)
 
Purshu_Pro
I'm confused about how it works, so 'Guarded Applications' won't get authority to run themselves unless I set the protection to install mode? If that is the case, when I run VMware must I set it to install mode every time?
 

XhenEd

I'm confused about how it works, so 'Guarded Applications' won't get authority to run themselves unless I set the protection to install mode? If that is the case, when I run VMware must I set it to install mode every time?
Guarded Applications can run, but they won't be able to touch areas which AppGuard (hard-coded) has set.
Google Chrome, for example, runs fine even if it is Guarded.
 
Deleted member 178
I'm confused about how it works, so 'Guarded Applications' won't get authority to run themselves

Yes.

unless I set the protection to install mode? If that is the case, when I run VMware must I set it to install mode every time?

No, you have to select this prior to launching a Guarded app:

[screenshot not preserved]
 
hjlbx
I'm confused about how it works, so 'Guarded Applications' won't get authority to run themselves unless I set the protection to install mode? If that is the case, when I run VMware must I set it to install mode every time?

Guarded Application:
  • Application added by user to Guard List or included in preloaded list
  • Digitally signed application (not on Guard List) that executes from User Space while in Protected mode
Guarded Application policies:
  • Any digitally signed application executed from User Space will be automatically guarded while in Protected mode (AppGuard allows only digitally signed applications to execute from User Space and prevents them from modifying Protected Resources - without the need to add them to the Guard List)
  • Only applications on the Guard List can execute from User Space while in Lock Down mode (User must manually add applications to the list; AppGuard comes with small pre-loaded list of Guarded Applications)
Guarded Applications cannot affect Protected Resources:

Protected Resources include Process Memory (protected by MemoryGuard), and critical Operating System Components.


The critical OS Components that AppGuard protects (Guarded Applications cannot affect) are:

  • Windows system folder
  • Program files folder
  • Selected registry keys
  • Process memory
Source: AppGuard Help File
 
Purshu_Pro
Still confused with the Guarded Application rule. I read it again and again, but am not able to understand the algorithm. @Umbra, so if I want to run an update for a program like Adguard or Firefox, how do I add an exception? I mean I don't want to manually set AppGuard to install mode; instead it should run automatically like it does with Microsoft ones.
 
Deleted member 178
@Umbra, so if I want to run an update for a program like Adguard or Firefox, how do I add an exception? I mean I don't want to manually set AppGuard to install mode; instead it should run automatically like it does with Microsoft ones.

Go here:

[screenshot not preserved]

You have to manually add the software's publisher, then set its level to Install (as BRN is, so AppGuard is updated automatically without user interaction).

The Publisher List is only for Protected Mode; if you are on Lockdown, you have to set AG to Install Mode.
 

yashiscool

I think Comodo Internet Security already has a similar feature to sandbox applications according to the application's requirements. I am using Malwarebytes Anti-Exploit in addition.
Is this anything different?
 
Deleted member 178
AppGuard is another level of protection than CIS. CIS is just fancy and buggy. To make CIS as strong as AppGuard, you need hours of tweaks... Not saying Blue Ridge Networks got 1st rank in Homeland Security for 2 consecutive years.
 
Purshu_Pro
You have to manually add the software's publisher, then set its level to Install (as BRN is, so AppGuard is updated automatically without user interaction).

The Publisher List is only for Protected Mode; if you are on Lockdown, you have to set AG to Install Mode.
What if I want to add an unsigned application to run? I am not able to run this portable application.
[screenshot not preserved]
 

XhenEd

@Lockdown

Just a clarification: with default settings and in Protected mode, a signed malware (signature not found in the TPL) will be Guarded, and so it will fail to totally infect the system. Am I correct?

But, still with default settings and in Protected mode, with a signed malware that has a signature found in the TPL, and whose processes in the run sequence are also signed (TPL), the malware will be able to completely infect the system. Am I correct?


Not that I'm paranoid that this will happen to my laptop (even then, I have KIS and HMP.A :D ), I just want clarification to better understand how AppGuard works in certain situations. :)
 
509322
There are pending changes forthcoming to significantly tighten security when executing digitally signed files in Protected mode. Anyhow...

Just a clarification, with default settings and in Protected mode, a signed malware (signature not found in the TPL) will be Guarded. And so, it will fail to totally infect the system. Am I correct?

For a file that meets or exceeds the digital signature requirements, at worst, you will get a User Session infection; once the system is rebooted malware cannot run and will remain inert on system unless the user manually navigates to the file and re-executes it.

The installer might be digitally signed, but if every file in the run sequence - including temp files - is not signed, then the installation will be blocked.

Files that can meet the signature requirements are generally PUPs\PUAs and that sort of rubbish. The real criminal malc0ders don't get involved with certificates because of the paper trail it leaves behind - but they do manage to steal them from time-to-time. It's not unheard of, but at the same time it isn't common enough to be worrisome.

But, still with default settings and in Protected mode, with a signed malware that has a signature found in the TPL, and that its processes in the run sequence are also signed (TPL), the malware will be able to completelly infect the system. Am I correct?

If malware is digitally signed with full, extended authenticode (every file in the install run sequence), the publisher is on the Trusted Publisher List, and the certificate passes verification - then yes - it will be able to install on the system, create autoruns and persist on the system. This type of malware represents a minuscule fraction of all malware and is quite rare. The certificates very often are quickly revoked.

You can manage the Trusted Publisher List. Some users just keep Microsoft and Blue Ridge Networks in their TPL. However you decide to manage the TPL, digitally signed malware of the truly dangerous kind is not statistically relevant. You also have the option of running AppGuard in Locked Down mode which disables the Trusted Publisher List and further restricts Microsoft signed files.

* * * * *

I hate to be the one to burst your bubble, but if a malware - for example - that is digitally signed, co-signed by Microsoft with an Extended Validation certificate is executed on your system then it is going to sail right past Kaspersky and Hitman.Pro - and any other security soft of the antivirus\internet security type. Security softs don't monitor every single file on your system - in case you didn't know that - and they all whitelist files based upon digital certificates. That's why it's important to use much more restrictive protections such as software restriction policies.

You have a much higher probability of walking out your door and getting struck by lightning twice than getting smacked with a full Microsoft authenticode malware.
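The policy rules collected in this thread (a Guard List, a Publisher List that only applies in Protected mode, only validly signed files allowed to run from User Space, Lock Down ignoring signatures entirely, and the signed-malware discussion just above) can be written down as a small decision function. The PowerShell below is an added example, not AppGuard's code and not any poster's; the function name, the parameter names, the sample Guard List, the sample publisher subjects and the choice of folders treated as "User Space" are assumptions for illustration. The only real check in it is Get-AuthenticodeSignature, which is what Windows itself uses to verify an Authenticode signature.

```powershell
# Added example, not AppGuard's code: a model of the Guarded Application policy as
# described in this thread. Function name, parameter names, the sample Guard List,
# the sample Publisher List subjects and the User Space roots are all assumptions.
function Get-AppGuardVerdict {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [ValidateSet('Protected', 'Lockdown', 'Install')] [string] $Mode = 'Protected',
        # Guard List: apps the user added, or the preloaded entries (matched by file name here).
        [string[]] $GuardList = @('chrome.exe', 'firefox.exe', 'vmware.exe', '7zFM.exe', 'vlc.exe'),
        # Publisher List (Trusted Publisher List): full certificate subject -> level.
        # The subjects are placeholders; take the real ones from Get-AuthenticodeSignature output.
        # Compare the FULL subject DN, never the CN alone: a CN is trivially copied into a lookalike cert.
        [hashtable] $PublisherList = @{
            'CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US' = 'Install'
            'CN=Blue Ridge Networks, Inc.'                                                       = 'Install'
        },
        # "User Space" in this model: profile and temp folders. Program Files and Windows are System Space.
        [string[]] $UserSpaceRoots = @($env:USERPROFILE, $env:TEMP)
    )

    $file = Get-Item -LiteralPath $Path -ErrorAction Stop

    $inUserSpace = $false
    foreach ($root in $UserSpaceRoots) {
        if ($file.FullName.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) {
            $inUserSpace = $true
            break
        }
    }

    # Real Authenticode check. 'Valid' means the signature matches the file hash and the chain
    # builds to a trusted root. NotSigned, HashMismatch (modified after signing) and
    # UnknownError (chain or revocation problem) all fail the requirement.
    # Caveat: a revoked certificate is only caught when revocation data is reachable.
    $sig       = Get-AuthenticodeSignature -LiteralPath $file.FullName
    $signed    = ($sig.Status -eq 'Valid')
    $publisher = if ($signed) { $sig.SignerCertificate.Subject } else { $null }

    $result = [ordered]@{
        File      = $file.Name
        Mode      = $Mode
        SigStatus = $sig.Status
        Publisher = $publisher
        Verdict   = $null
        Reason    = $null
    }

    if ($Mode -eq 'Install') {
        # Install mode: protection is off, everything runs unguarded (hence "set it before updating").
        $result.Verdict = 'Unguarded'; $result.Reason = 'Install mode disables the policy'
    }
    elseif (-not $inUserSpace) {
        $result.Verdict = 'OutOfScope'; $result.Reason = 'Not launched from User Space'
    }
    elseif ($Mode -eq 'Lockdown') {
        # Lock Down: only Guard List entries run; the Publisher List is disabled entirely.
        if ($GuardList -contains $file.Name) { $result.Verdict = 'Guarded'; $result.Reason = 'On Guard List' }
        else { $result.Verdict = 'Blocked'; $result.Reason = 'Not on Guard List (Lock Down ignores signatures)' }
    }
    elseif ($GuardList -contains $file.Name) {
        $result.Verdict = 'Guarded'; $result.Reason = 'On Guard List'
    }
    elseif (-not $signed) {
        # Unsigned or broken-signature file in User Space: blocked. This is why the unsigned
        # portable app mentioned above would not start without switching to Install mode.
        $result.Verdict = 'Blocked'
        $result.Reason  = "Signature status $($sig.Status); Protected mode requires a valid signature in User Space"
    }
    elseif ($PublisherList.Contains($publisher) -and $PublisherList[$publisher] -eq 'Install') {
        # Publisher at Install level: runs unguarded and may touch Protected Resources (the auto-update case).
        $result.Verdict = 'Unguarded'; $result.Reason = 'Publisher on Publisher List at Install level'
    }
    else {
        # Signed, but publisher absent from the list (or listed at Guarded level): runs Guarded,
        # so at worst a user-session infection that cannot persist across a reboot.
        $result.Verdict = 'Guarded'; $result.Reason = 'Valid signature, publisher not at Install level'
    }
    return [pscustomobject]$result
}

# Usage: evaluate whatever is in Downloads under Protected and Lock Down mode
# (prints nothing if the folder holds no .exe files).
Get-ChildItem "$env:USERPROFILE\Downloads" -Filter *.exe -ErrorAction SilentlyContinue |
    ForEach-Object {
        Get-AppGuardVerdict -Path $_.FullName -Mode Protected
        Get-AppGuardVerdict -Path $_.FullName -Mode Lockdown
    } | Format-Table File, Mode, SigStatus, Verdict, Reason -AutoSize
```

Two points worth noticing when reading the verdicts: the Lockdown branch never looks at the signature, which is the behaviour Umbra describes when he says the Publisher List only applies in Protected mode; and the Protected branch treats "signed but not on the list" as Guarded rather than Blocked, which is exactly the gap the signed-malware question above is about. When you populate the Publisher List for real, copy the subject from `(Get-AuthenticodeSignature .\setup.exe).SignerCertificate.Subject` rather than typing a company name, so that a certificate with a matching CN but a different organisation does not match.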
 
meltcheesedec
Thank you, @Umbra :).

I am looking to understand the processes/procedures you use surrounding these settings. E.g.,
- what are the scenarios where you take your machine out of lockdown mode?
- what steps do you take when you would like to update applications other than those made by your "security soft's vendors"?
 