Appguard Configuration & Setting Discussion Thread

5

509322

Thread author
For the sake of a perfect installation :p I always set to OFF, proven I downloaded a trusted installer/vendor file. :cool:

@meltcheesedec
@Mr.X
@Umbra

AppGuard's Guarded and MemoryGuard protections are not completely OFF for some programs until the protection level is set to OFF. When the protection level is set to Allow Installs some programs on the Guarded Apps list continue to be fully prevented from messing with the system and programs that are auto-detected and auto-added by default to the Guarded Apps list - some registry and file system blocks will occur, but nothing that should prevent the program from being installed.

A program being MemoryGuarded during installation has never been reported to cause an issue.

I know there has been a lot of user confusion about this. If you see block events while using Allow Installs when installing a program, disregard those logged block events unless there is an obvious breakage. I have never seen an obvious breakage happen. With IDM if the user selects certain buttons during with Allow Installs, then AppGuard will prevent it. However, if the user just allows IDM to install normally then afterwards everything works fine. That's the only case where I have seen an issue, but technically it is not a breakage.

The Activity Report is to be used to identify obvious block event breakages. Everything else is logged protection events. Do not even attempt to create exceptions such that trusted programs will have zero block events in the Activity Report. A user who does this is lowering AppGuard's protections and opening security holes.
 

meltcheesedec

Level 2
Verified
Jul 30, 2017
54
If you see block events while using Allow Installs when installing a program, disregard those logged block events unless there is an obvious breakage. I have never seen an obvious breakage happen.

@Lockdown , is it true that you have however seen breakage happen while using Allow Installs when installing a program that uses Powershell (e.g., DropBox and Office365)?

With IDM if the user selects certain buttons during with Allow Installs, then AppGuard will prevent it.

Pardon my ignorance but what is IDM in this context?
 
  • Like
Reactions: SHvFl
5

509322

Thread author
@Lockdown , is it true that you have however seen breakage happen while using Allow Installs when installing a program that uses Powershell (e.g., DropBox and Office365)?

Pardon my ignorance but what is IDM in this context?

1. No; even with powershell disabled there isn't a permanent program breakage

DropBox update command lines for Powershell:

2017/08/11_16:42:48 > C:\Program Files (x86)\Dropbox\Client_32.4.23\Dropbox.exe > C:\Windows\System32\WindowsPowerShell\v1.0\powershell "Get-AppxPackage C27EB4BA.DropboxOEM | Remove-AppxPackage"

2017/08/11_16:42:50 > C:\Program Files (x86)\Dropbox\Client_32.4.23\Dropbox.exe > C:\Windows\System32\WindowsPowerShell\v1.0\powershell "Get-AppxProvisionedPackage -Online | Where-Object DisplayName -In \"C27EB4BA.DropboxOEM\" | Remove-ProvisionedAppxPackage -Online"

2. Internet Download Manager
 
Last edited by a moderator:

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
1. No; even with powershell disabled there isn't a permanent program breakage

DropBox update command lines for Powershell:

2017/08/11_16:42:48 > C:\Program Files (x86)\Dropbox\Client_32.4.23\Dropbox.exe > C:\Windows\System32\WindowsPowerShell\v1.0\powershell "Get-AppxPackage C27EB4BA.DropboxOEM | Remove-AppxPackage"

2017/08/11_16:42:50 > C:\Program Files (x86)\Dropbox\Client_32.4.23\Dropbox.exe > C:\Windows\System32\WindowsPowerShell\v1.0\powershell "Get-AppxProvisionedPackage -Online | Where-Object DisplayName -In \"C27EB4BA.DropboxOEM\" | Remove-ProvisionedAppxPackage -Online"

2. Internet Download Manager
So if the Dropbox powershell command fails, it results in some unneeded installer files getting left behind?
 
  • Like
Reactions: meltcheesedec

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
I bet this has been asked somewhere, some time, but the official configuration recommendation for the AppGuard + Sandboxie combo is: "c:\sandbox an exception folder (on the Guarded Apps tab) and NOT to add c:\sandbox to user-space policy."
Sounds like AppGuard is not going to provide much memory protection for sandboxed apps, if you do this. Correct?
Any suggestions?
 
  • Like
Reactions: meltcheesedec

meltcheesedec

Level 2
Verified
Jul 30, 2017
54
I was thinking I might then ask for your thoughts on the following, proposed AppGuard configuration and usage/process/procedure:

AppGuard Configuration:
<some ignorance>

AppGuard Usage/Process/Procedure:
<some ignorance>

For those of you who read this aforementioned post ( Appguard Configuration & Setting Discussion Thread ), please pardon my ignorance. I was an AppGuard newbie. Thankfully @Lockdown guided me item-by-item via PM's. I am now using a @Lockdown -guided, light and effective configuration of AppGuard in Locked Down mode, as part of SECURE - Meltcheesedec Security Configuration 2017 . I documented my entire AppGuard installation and configuration via text and screenshots - which I will soon share here on MalwareTips. Stay tuned.
 
  • Like
Reactions: XhenEd and shmu26
5

509322

Thread author
So if the Dropbox powershell command fails, it results in some unneeded installer files getting left behind?

Powershell is being used to remove DropBox Windows\Metro App. It is probable that "DropBoxOEM" is the preinstalled Windows App shipped on some OEM systems. Therefore, if a person does not have DropBox Windows App installed, blocking powershell isn't going to cause any DropBox troubles. If they do, then they can drop AppGuard to Allow Installs or OFF when they see the powershell block. DropBox will attempt to run powershell a few times before it will go silent. So there is enough time to lower protection and let Dropbox do its thing and then re-enable protection.

The only reference I can find regarding the *.DropboxOEM AppXPackage is from the Windows 8 Metro Apps era (2013).
 

meltcheesedec

Level 2
Verified
Jul 30, 2017
54
In the Guarded Apps list there is a tickbox.

1. ticked = launches as Guarded and MemoryGuarded
2. unticked = launches unguarded and unmemoryguarded
3. ticked & in User Space list set to YES = launches as Guarded and MemoryGuarded (Guarded Apps list supersedes User Space list)
4. unticked & User Space list set to NO = disabled\blocked (for Guarded Apps you must untick them to be blocked)

@Lockdown :

can you please tell us how AppGuard functions in use cases:
5. ticked & in User Space list set to NO
6. unticked & User Space list set to YES
?
 

aragornnnn

Level 12
Verified
Top Poster
Well-known
Aug 18, 2016
561
To stop those 2 popup's from showing up every now and then, i just have to add them to "User Space" and set "include" to "no" right?

08/26/17 13:11:57 Prevented process <software_reporter_tool.exe | c:\program files\google\chrome\application\chrome.exe> from launching from <c:\users\stef\appdata\local\google\chrome\user data\swreporter\21.119.1>.

08/26/17 13:07:37 Prevented process <dismhost.exe | c:\windows\system32\cleanmgr.exe> from launching from <c:\users\stef\appdata\local\temp\cf7faa1b-8c78-4881-937f-d25948a17143>.
 
D

Deleted member 178

Thread author
To stop those 2 popup's from showing up every now and then, i just have to add them to "User Space" and set "include" to "no" right?

08/26/17 13:11:57 Prevented process <software_reporter_tool.exe | c:\program files\google\chrome\application\chrome.exe> from launching from <c:\users\stef\appdata\local\google\chrome\user data\swreporter\21.119.1>.

08/26/17 13:07:37 Prevented process <dismhost.exe | c:\windows\system32\cleanmgr.exe> from launching from <c:\users\stef\appdata\local\temp\cf7faa1b-8c78-4881-937f-d25948a17143>.
Yep
 
  • Like
Reactions: aragornnnn
5

509322

Thread author
To stop those 2 popup's from showing up every now and then, i just have to add them to "User Space" and set "include" to "no" right?

08/26/17 13:11:57 Prevented process <software_reporter_tool.exe | c:\program files\google\chrome\application\chrome.exe> from launching from <c:\users\stef\appdata\local\google\chrome\user data\swreporter\21.119.1>.

08/26/17 13:07:37 Prevented process <dismhost.exe | c:\windows\system32\cleanmgr.exe> from launching from <c:\users\stef\appdata\local\temp\cf7faa1b-8c78-4881-937f-d25948a17143>.

Use the wildcard * in file path locations that will change over time - such as version or random numbers.

For software_reporter_tool.exe, add this to User Space list and set to NO:

c:\users\stef\appdata\local\google\chrome\user data\*\software_reporter_tool.exe, where * = version number that will change over time.

For dismhost.exe, add this to User Space list and set to NO:

c:\users\stef\appdata\local\temp\*\dismhost.exe, where * = random number generated each time dismhost.exe is run.
 
Last edited by a moderator:
5

509322

Thread author
Can you please tell us how AppGuard functions in use cases:

5. ticked & in User Space list set to NO

6. unticked & User Space list set to YES

?

5. If a program is added to the Guarded Apps list then there is no need to add to the User Space list unless you plan on only using it temporarily and then disabling it after you are done with it (set back to YES)
  • With this setting\configuration the process is going to run as a Guarded App
  • Untick it, in Protected mode if the publisher is on the TPL it is going to run according to the TPL settings (TPL enabled), otherwise will run as un-Guarded
  • Untick it, in Locked Down mode it is going to run as un-Guarded (TPL disabled)
These are just permutations of the same thing - basically for convenience so that you do not have to keep adding\deleting programs from the lists. There are also tray icon context menu options that provide the same convenience.

There are no defined use-cases. If it achieved what you wanted it to do, then it worked. One way might involve one or two more steps than the other. Users figure out which method works best for them.

6. Guarded Apps list supersedes User Space list; must untick a process on the Guarded Apps list to disable it
 
Last edited by a moderator:

aragornnnn

Level 12
Verified
Top Poster
Well-known
Aug 18, 2016
561
Use the wildcard * in file path locations that will change over time - such as version or random numbers.

For software_reporter_tool.exe, add this to User Space list and sent to NO:

c:\users\stef\appdata\local\google\chrome\user data\*\software_reporter_tool.exe, where * = version number that will change over time

For dismhost.exe, add this to User Space list and set to NO:

c:\users\stef\appdata\local\temp\*\dismhost.exe, where * = random number generated each time dismhost.exe is run.
nice thank you :)
 
5

509322

Thread author
I bet this has been asked somewhere, some time, but the official configuration recommendation for the AppGuard + Sandboxie combo is: "c:\sandbox an exception folder (on the Guarded Apps tab) and NOT to add c:\sandbox to user-space policy."
Sounds like AppGuard is not going to provide much memory protection for sandboxed apps, if you do this. Correct?
Any suggestions?

There is no official AppGuard LLC "position" on configuring any 3rd-party soft within AppGuard. The offical AppGuard LLC position is that any custom configuration is the user's prerogative and at their own risk. This is no different than any other software publisher.

The user may add the sandbox to the User Space list, but then there will be items blocked. To solve this, the user must create exclusions in the User Space list - thereby permitting the launch of processes and loading of dlls within the sandbox.

You do get memory protections for launched programs when the sandbox is added to User Space.

Since a user can configure\restrict program launches in Sanboxie, adding the sandbox to User Space in AppGuard is mostly superfluous.
 
Last edited by a moderator:
  • Like
Reactions: shmu26

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
There is no official AppGuard LLC "position" on configuring any 3rd-party soft within AppGuard. The offical AppGuard LLC position is that any custom configuration is the user's prerogative and at their own risk. This is no different than any other software publisher.

The user may add the sandbox to the User Space list, but then there will be items blocked. To solve this, the user must create exclusions in the User Space list - thereby permitting the launch of processes and loading of dlls within the sandbox.

You do get memory protections for launched programs when the sandbox is added to User Space.

Since a user can configure\restrict program launches in Sanboxie, adding the sandbox to User Space in AppGuard is mostly superfluous.
Thanks. By "official configuration recommendation for the AppGuard + Sandboxie combo", I was talking about Sandboxie's recommendation for solving compatibility issues.
 

shadek

Level 1
Aug 20, 2017
10
Is the latest version of AppGuard 4.x still good enough to use on latest Windows 10 update?
 
5

509322

Thread author
Thanks. By "official configuration recommendation for the AppGuard + Sandboxie combo", I was talking about Sandboxie's recommendation for solving compatibility issues.

Two most common configuration questions in the past were:

1. Chrome installed to User Space and then run in Locked Down mode
2. Sanboxie

Those questions are not so frequent nowaydays.
 
  • Like
Reactions: shmu26

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top