Appguard Configuration & Setting Discussion Thread

D

Deleted member 178

Thread author
Thank you, @Umbra :).
I am looking to understand the processes/procedures you use surrounding these settings. E.g.,
1- what are the scenarios where you take your machine out of lockdown mode?
2- what steps do you take when you would like to update applications other than those made by your "security soft's vendors"?
1: when i install or update one of my few installed softs.
2:
a- find the file checksum on the vendor site, compared it with my downloaded installer by using checksum comparator.
b- check the file in Virus Total to be sure.
c- install it , but keep my other Application Control software enabled so i can inspect what installer does.

it's not 100% safe but better than doing nothing.

Note that i am using rollback RX so if i pinpoint some weird behavior afterwards, i reload my system to the baseline in a minute.
 

meltcheesedec

Level 2
Verified
Jul 30, 2017
54
Thank you, @Umbra :).
- what are the scenarios where you take your machine out of lockdown mode?

when i install or update one of my few installed softs.

@Umbra and @Lockdown I have additional questions for you:

3. In @Umbra 's above AppGuard configuration, when you install new software or update of already-installed software, do you change your AppGuard mode from Lockdown to Allow Installs?

4. What elements of @Umbra 's above configuration allow you to perform updates to your software that you don't categorize as security software (i.e., software written by vendors that you do not add as Trusted Publishers within AppGuard)?

5. have you had to account for any software installers that uses Powershell (e.g., DropBox and Office365)?

Reference:
Appguard's News Thread (2017)
You don't have to do anything for Windows Updates. If you use manually downloaded and installed KBs from Microsoft's KB Windows Update portal via the browser, they should install in Protected mode, but are not going to install in Locked Down mode.
If you want to install something, then yes, you have to lower protection to either Allow Installs or OFF. In Allow Installs, powershell is not going to be permitted to do some things, so if the installer uses powershell, you see blocks of powershell in the Activity Report, then lower protection to OFF when using that installer. Few installers use powershell. The only ones I know of at the moment is the Office365 and DropBox installer. Something blocked is not a permanent breakage. Your Activity Report is not going to be completely empty for trusted programs; in fact it will be full of block events for trusted programs. All those block events are not important unless something is obviously broken.

6.a What do you recommend for users who want to both:
- use Lockdown mode, and
- utilize apps that run from within User Space (e.g., OneDrive, Windows Maintenance service, etc.)
?
E.g., might you recommend:

6.b - add publishers of OneDrive, Windows Maintenance service, and any other apps within User Space to the Trusted Publishers List (TPL) and set their levels to Install, and temporarily change from Lockdown Mode to Protected Mode in order to run these apps from within User Space?

References:

Appguard's News Thread (2017)
Locked Down mode blocks everything launched in User Space - even Microsoft digitally signed files. So unless you are running bunch of programs from User Space (including a USB flash drive) you will not see much blocked.
On W10 it will be dismhost.exe (Windows automatic maintenance), OneDriveStandaloneUpdater.exe, and OneDrive.exe as they launch from AppData. If you don't ever use OneDrive, then uninstall it.

Appguard's News Thread (2017)
Protected mode is there when you need to lower it and run some digitally signed process from a publisher on the TPL from User Space.
For security, just use Locked Down mode.

Appguard Configuration & Setting Discussion Thread
You have to manually add the sofware's publisher then set its level to install (as BRN is , so appguard is updated automatically without user interactions)
The Publisher List is only for Protected Mode, if you are on Lockdown , you have to set AG to Install Mode)

OR

6.c. - add the publishers of OneDrive, Windows Maintenance service, and any other apps within User Space to the Guard list, and remain in Lockdown mode while running these apps from within User Space?

Reference:
Appguard Configuration & Setting Discussion Thread
Only applications on the Guard List can execute from User Space while in Lock Down mode (User must manually add applications to the list; AppGuard comes with small pre-loaded list of Guarded Applications)

OR

6.d - in the User Space list, exclude the file paths of OneDrive, Windows Maintenance service, and any other apps within User Space [User Space (NO)] , and remain in Lockdown mode while running these apps?

Reference:
AppGuard 4.x 32/64 Bit
"I assume you are running AppGuard in Locked Down mode. AppGuard will block all processes from executing from User Space in Locked Down mode - unless they are added by the user to the Guarded Apps list.
...
If you don't want to see it blocked, then you have to allow it (Software Reporter).
To allow it, exclude its file path from User Space (NO) in the User Space list.
"

7. Do you have any guidance for which sorts of apps users can set as Guarded without causing interference to functionality and operation, and which should not be set as Guarded?
Reference:
AppGuard 4.x 32/64 Bit
"Alternatively, you can add it to the Guarded Apps list instead of creating an exclusion for it in the User Space list. However, if you add it to the Guarded Apps list, you should keep an eye on it until you are sure that the Guarded Apps protections do not interfere with its functionality and operation."
 
  • Like
Reactions: SHvFl

meltcheesedec

Level 2
Verified
Jul 30, 2017
54
Not yet. Next release of 5.X. No ETA at this time.

For the time being, just remove all the publishers in the default Trusted Publisher List that you do not need.

@Lockdown , for users who utilize Protected Mode, what do you typically advise them to add to the Trusted Publisher List - e.g., add only MS, BRN and security software products, and add them as allow Install?

I recognize there are multiple strategies regarding this... might the most common AppGuard configuration strategies be documented somewhere?
 
5

509322

Thread author
@Lockdown , for users who utilize Protected Mode, what do you typically advise them to add to the Trusted Publisher List - e.g., add only MS, BRN and security software products, and add them as allow Install?

I recognize there are multiple strategies regarding this... might the most common AppGuard configuration strategies be documented somewhere?

I suggest keep both Microsoft and BRN. If you have any programs that use digitally signed updates from C:\Users\<User>\* you can add those too. The update run sequence has to be digitally signed all the way through. The best way to learn is simply to start with Microsoft and BRN in the Trusted Publisher List and make note of any block events from C:\Users\<User>\*. When you see such a block event you want to navigate to the blocked file, right-click and select Properties. Check if there is a Digital Signature tab. If there is such a tab then the file is digitally signed and you can add it to the TPL. Even after you add such a file to the TPL, if it has any unsigned children those will be blocked. Learning it is a trial-and-error effort. Make sense ?
 
D

Deleted member 178

Thread author
add only MS, BRN and security software products, and add them as allow Install?
yes, and maybe your hardware vendors.

I recognize there are multiple strategies regarding this... might the most common AppGuard configuration strategies be documented somewhere?
nope, because SRP is all about adjusting the options and rules for a specific system so there is no "guide" ; allow what you need to be running, guard (if possible) those that connect internet , block all the rest.
 
  • Like
Reactions: meltcheesedec
5

509322

Thread author
I recognize there are multiple strategies regarding this... might the most common AppGuard configuration strategies be documented somewhere?

Your best bet is start out using Protected Mode. Locked Down mode disables the Trusted Publisher List. This even the digitally signed files from publishers on the TPL will not launch. If you start out slowly, you will understand. Please don't try to build and anti-NSA\CIA policy right from the beginning.
 

meltcheesedec

Level 2
Verified
Jul 30, 2017
54
I suggest keep both Microsoft and BRN. If you have any programs that use digitally signed updates from C:\Users\<User>\* you can add those too.

@Lockdown , given your stated strategy, can System Space apps (e.g., other security software such as Adguard) perform their automatic updates without any need for their publishers to be in the TPL, while in Protected Mode?
 
  • Like
Reactions: shmu26
5

509322

Thread author
@Lockdown , given your stated strategy, can System Space apps (e.g., other security software such as Adguard) perform their automatic updates without any need for their publishers to be in the TPL, while in Protected Mode?

You add publishers in the event that updates are blocked in a way that causes obvious breakages. The last time I used Adguard, which was quite some time ago, I do not recall any of its updates being blocked. @Umbra uses Adguard so maybe he can chime-in.
 
D

Deleted member 178

Thread author
@Umbra and @Lockdown I have additional questions for you:

3. In @Umbra 's above AppGuard configuration, when you install new software or update of already-installed software, do you change your AppGuard mode from Lockdown to Allow Installs?
Yes. you can't install in Lockdown Mode

4. What elements of @Umbra 's above configuration allow you to perform updates to your software that you don't categorize as security software (i.e., software written by vendors that you do not add as Trusted Publishers within AppGuard)?
if in Install Mode , yes. If not, no.

5. have you had to account for any software installers that uses Powershell (e.g., DropBox and Office365)?
I disabled totally Powershell from running on my system, so i don't (want to) use any apps needing it.

Reference:
Appguard's News Thread (2017)


6.a What do you recommend for users who want to both:
- use Lockdown mode, and
- utilize apps that run from within User Space (e.g., OneDrive, Windows Maintenance service, etc.)
?
E.g., might you recommend:

6.b - add publishers of OneDrive, Windows Maintenance service, and any other apps within User Space to the Trusted Publishers List (TPL) and set their levels to Install, and temporarily change from Lockdown Mode to Protected Mode in order to run these apps from within User Space?
yep , it the best scenario.

6.c. - add the publishers of OneDrive, Windows Maintenance service, and any other apps within User Space to the Guard list, and remain in Lockdown mode while running these apps from within User Space?
nope, it may block the update process in some stages.

6.d - in the User Space list, exclude the file paths of OneDrive, Windows Maintenance service, and any other apps within User Space [User Space (NO)] , and remain in Lockdown mode while running these apps?
nope may cause updating issues too.

Reference:
AppGuard 4.x 32/64 Bit
"I assume you are running AppGuard in Locked Down mode. AppGuard will block all processes from executing from User Space in Locked Down mode - unless they are added by the user to the Guarded Apps list.
...
If you don't want to see it blocked, then you have to allow it (Software Reporter).
To allow it, exclude its file path from User Space (NO) in the User Space list.
"
Yep.

7. Do you have any guidance for which sorts of apps users can set as Guarded without causing interference to functionality and operation, and which should not be set as Guarded?
All internet-facing/vulnerable apps/processes you're using should be guarded. Critical processes and security ones shouldn't.
remember that Guarded Apps prevails over User Space, so if you add one to user-space, disable the rulle in Guarded Apps.
 
  • Like
Reactions: meltcheesedec

meltcheesedec

Level 2
Verified
Jul 30, 2017
54
Your best bet is start out using Protected Mode. Locked Down mode disables the Trusted Publisher List. This even the digitally signed files from publishers on the TPL will not launch. If you start out slowly, you will understand. Please don't try to build and anti-NSA\CIA policy right from the beginning.

@Lockdown mode: the issue is that true AppGuard devotees and power users such as @Umbra are:
- very respected on these boards, and
- regularly post that Locked Down mode is by far the optimal configuration setup, even upon first using AppGuard

So users like me then ask you tons of questions in order to learn AppGuard :).

E.g.,
After I review responses by you (thanks in advance for your help) and @Umbra to the questions I posed in reply
Appguard Configuration & Setup demo Thread
I was thinking I might then ask for your thoughts on the following, proposed AppGuard configuration and usage/process/procedure:


AppGuard Configuration:
- TPL: All security software vendors are in TPL (i.e., MS, BRN, plus a few others noted in my configuration: SECURE - Meltcheesedec Security Configuration 2017 )
- TPL: in addition, add publishers of apps within User Space (e.g., OneDrive, Windows Maintenance service, and any other apps within User Space) to the Trusted Publishers List (TPL) and set their levels to Install
- Guard List: Add "wscript.exe, cscript.exe and powershell_ise.exe to the Guarded Apps list" (Reference: Basic Hardened AppGuard Policy XML (continued) ) and "Commonly Exploited Programs" list you posted on Basic Hardened AppGuard Policy XML

AppGuard Usage/Process/Procedure:
- While installing software (in which installers may user Powershell): AppGuard is in OFF mode
- While initializing automatic updates of existing software in System Space whose publishers are in TPL (configured as allowing Install): AppGuard is in Protected Mode
- While initializing automatic updates of existing software in System Space whose publishers are NOT in TPL: I'm confused on this; should AppGuard be in Protected Mode or Allow Installs mode?
- While running apps within User Space (e.g., OneDrive, Windows Maintenance service, and any other apps within User Space) whose publishers are in TPL (configured as allowing Install): AppGuard is in Protected Mode
- While web surfing, viewing email, and downloading any files: AppGuard is in Lockdown mode

What do you think?
 
Last edited:
  • Like
Reactions: shmu26
D

Deleted member 178

Thread author
AppGuard Configuration:
1- TPL: All security software vendors are in TPL (i.e., MS, BRN, plus a few others noted in my configuration: SECURE - Meltcheesedec Security Configuration 2017 )
2- TPL: in addition, add publishers of apps within User Space (e.g., OneDrive, Windows Maintenance service, and any other apps within User Space) to the Trusted Publishers List (TPL) and set their levels to Install
3- Guard List: Add "wscript.exe, cscript.exe and powershell_ise.exe to the Guarded Apps list" (Reference: Basic Hardened AppGuard Policy XML (continued) ) and "Commonly Exploited Programs" list you posted on Basic Hardened AppGuard Policy XML
1-good
2-seems ok
3-Still good, just remember that Guarded Apps is restriction not containment.

AppGuard Usage/Process/Procedure:
1- While installing software (in which installers may user Powershell): AppGuard is in OFF mode
2- While initializing automatic updates of existing software in System Space whose publishers are in TPL (configured as allowing Install): AppGuard is in Protected Mode
3- While initializing automatic updates of existing software in System Space whose publishers are NOT in TPL: I'm confused on this; should AppGuard be in Protected Mode or Allow Installs mode?
4- While running apps within User Space (e.g., OneDrive, Windows Maintenance service, and any other apps within User Space) whose publishers are in TPL (configured as allowing Install): AppGuard is in Protected Mode
5- While web surfing, viewing email, and downloading any files: AppGuard is in Lockdown mode
1- install is better, if it causes issues, just untick powershell in Guarded Apps temporarily.
2- yep,
3- install
4- it is ok.
5- it's fine , remember Guarded Apps overrides User Space.

for a beginner it is more than enough. Once you will be experienced, you will go tighter.
 

meltcheesedec

Level 2
Verified
Jul 30, 2017
54
5- it's fine , remember Guarded Apps overrides User Space.

@Umbra , questions:
7. might you be able to please provide me more detail concerning your statement, as it relates to my proposed configuration above? E.g.,
8. are you suggesting (concerning my configuration above) that I not add my "apps within User Space (e.g., OneDrive, Windows Maintenance service, and any other apps within User Space)" as Guarded?
 
5

509322

Thread author
@Lockdown mode: the issue is that true AppGuard devotees and power users such as @Umbra are:
- very respected on these boards, and
- regularly post that Locked Down mode is by far the optimal configuration setup, even upon first using AppGuard

So users like me then ask you tons of questions in order to learn AppGuard :).

E.g.,
After I review responses by you (thanks in advance for your help) and @Umbra to the questions I posed in reply
Appguard Configuration & Setup demo Thread
I was thinking I might then ask for your thoughts on the following, proposed AppGuard configuration and usage/process/procedure:


AppGuard Configuration:
- TPL: All security software vendors are in TPL (i.e., MS, BRN, plus a few others noted in my configuration: SECURE - Meltcheesedec Security Configuration 2017 )
- TPL: in addition, add publishers of apps within User Space (e.g., OneDrive, Windows Maintenance service, and any other apps within User Space) to the Trusted Publishers List (TPL) and set their levels to Install
- Guard List: Add "wscript.exe, cscript.exe and powershell_ise.exe to the Guarded Apps list" (Reference: Basic Hardened AppGuard Policy XML (continued) ) and "Commonly Exploited Programs" list you posted on Basic Hardened AppGuard Policy XML

AppGuard Usage/Process/Procedure:
- While installing software (in which installers may user Powershell): AppGuard is in OFF mode
- While initializing automatic updates of existing software in System Space whose publishers are in TPL (configured as allowing Install): AppGuard is in Protected Mode
- While initializing automatic updates of existing software in System Space whose publishers are NOT in TPL: I'm confused on this; should AppGuard be in Protected Mode or Allow Installs mode?
- While running apps within User Space (e.g., OneDrive, Windows Maintenance service, and any other apps within User Space) whose publishers are in TPL (configured as allowing Install): AppGuard is in Protected Mode
- While web surfing, viewing email, and downloading any files: AppGuard is in Lockdown mode

What do you think?

Send me a PM please. Let's cover item-by-item.
 
  • Like
Reactions: meltcheesedec
5

509322

Thread author
@Umbra , questions:
7. might you be able to please provide me more detail concerning your statement, as it relates to my proposed configuration above? E.g.,
8. are you suggesting (concerning my configuration above) that I not add my "apps within User Space (e.g., OneDrive, Windows Maintenance service, and any other apps within User Space)" as Guarded?

In the Guarded Apps list there is a tickbox.

1. ticked = launches as Guarded and MemoryGuarded
2. unticked = launches unguarded and unmemoryguarded
3. ticked & in User Space list set to YES = launches as Guarded and MemoryGuarded (Guarded Apps list supersedes User Space list)
4. unticked & User Space list set to NO = disabled\blocked (for Guarded Apps you must untick them to be blocked)
 
D

Deleted member 178

Thread author
@Umbra , questions:
7. might you be able to please provide me more detail concerning your statement, as it relates to my proposed configuration above? E.g.,
Lockdown answered you in details in the post above ;)
8. are you suggesting (concerning my configuration above) that I not add my "apps within User Space (e.g., OneDrive, Windows Maintenance service, and any other apps within User Space)" as Guarded?
Exact, choose one or the other, Guarded Apps is about items restriction, User-Space is made to fully "block" or "allow" items.
 
  • Like
Reactions: meltcheesedec

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top