Appguard Configuration & Setting Discussion Thread

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
Two most common configuration questions in the past were:

1. Chrome installed to User Space and then run in Locked Down mode
2. Sandboxie

Those questions are not so frequent nowadays.
Just curious why someone would install Chrome to user space?
 

shmu26

MS Outlook: how to keep it as a guarded app, like it is by default, and at the same time, have privacy protection for the .pst and .ost files, so that the other guarded apps can't steal data?
 

509322

Thread author
MS Outlook: how to keep it as a guarded app, like it is by default, and at the same time, have privacy protection for the .pst and .ost files, so that the other guarded apps can't steal data?

Make the Outlook folders Private (Deny Access). Office creates folders in User Space. Use UltraSearch or equivalent to locate them on the system.

Privacy Mode prevents Guarded Apps (and their children) with Privacy enabled from accessing Private folders.

Stealing .pst\.ost is not prevalent.
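
The search step described in the post above, as an added example that is not part of the original thread or of AppGuard's documentation: a PowerShell function that lists every folder holding .pst or .ost files so those folders can be entered as Private. The function name Get-OutlookDataFolder and the default search root are assumptions.

```powershell
# Added example: list the folders that hold Outlook data files (.pst/.ost)
# so they can be entered as Private folders in AppGuard.
# Assumption: the data files sit somewhere under the user profiles; pass
# other roots (for example a second data drive) with -Root.
function Get-OutlookDataFolder {
    param(
        [string[]]$Root = @("$env:SystemDrive\Users")
    )

    $files = foreach ($r in $Root) {
        if (-not (Test-Path -LiteralPath $r)) { continue }
        # -Force includes hidden folders such as AppData. Folders the current
        # account cannot read are skipped instead of aborting the scan.
        Get-ChildItem -LiteralPath $r -Recurse -File -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Extension -in '.pst', '.ost' }
    }
    if (-not $files) { return }

    # One row per folder: that is the unit you mark Private, not the file.
    $files | Group-Object DirectoryName | ForEach-Object {
        [pscustomobject]@{
            Folder = $_.Name
            Files  = $_.Count
            SizeMB = [math]::Round(($_.Group | Measure-Object Length -Sum).Sum / 1MB, 1)
            Types  = ($_.Group.Extension | Sort-Object -Unique) -join ','
        }
    } | Sort-Object Folder
}

Get-OutlookDataFolder | Format-Table -AutoSize
```

Run it from an elevated prompt to cover the profiles of other accounts on the machine.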
 

shmu26

Make the Outlook folders Private (Deny Access). Office creates folders in User Space. Use UltraSearch or equivalent to locate them on the system.

Privacy Mode prevents Guarded Apps (and their children) with Privacy enabled from accessing Private folders.

Stealing .pst\.ost is not prevalent.
Got it. So the trick is to keep privacy disabled for Outlook.
 

shmu26

Basically. If you enable Privacy Mode for Outlook and also make its folders Private, then Outlook will be denied access to its own folders.
Which is the lesser of the two evils: disable privacy for Outlook, or not make its folders private?
 

509322

Thread author
Which is the lesser of the two evils: disable privacy for Outlook, or not make its folders private?

Privacy Mode is not set for Outlook by default. Look in the Guarded Apps tab at the Privacy setting. By default it is only set for browsers. What you don't see is that Privacy Mode is set by default for unknown and unsigned files that are launched from User Space.
 

shmu26

What you don't see is that Privacy Mode is set by default for unknown and unsigned files that are launched from User Space.
Normally, files like that won't even launch from User space. So you mean that even in install mode, unknown and unsigned files are put in Privacy mode?
 

509322

Thread author
Normally, files like that won't even launch from User space. So you mean that even in install mode, unknown and unsigned files are put in Privacy mode?

Privacy Mode is disabled when protection is set to Allow Installs.

There are both signed and unsigned unknown files. Files from non-TPL publishers with a valid certificate are allowed to launch in Protected Mode.
 

shmu26

Two questions:
1 In locked down mode, I understand that processes can run from user space if they are on the guarded apps list. Now, powershell is on the guarded apps list, by default. So if I go and add it to user space, it should still run, right? But it doesn't. The same is true with cmd.exe. What's the explanation?

2 Where can I find the latest @Lockdown vulnerable processes list, and how do I import/apply it to AppGuard?
 

509322

Thread author
Two questions:
1 In locked down mode, I understand that processes can run from user space if they are on the guarded apps list. Now, powershell is on the guarded apps list, by default. So if I go and add it to user space, it should still run, right? But it doesn't. The same is true with cmd.exe. What's the explanation?

2 Where can I find the latest @Lockdown vulnerable processes list, and how do I import/apply it to AppGuard?

1. If you add a process that is on the default Guarded Apps list to User Space and set to NO, you have to untick it in the Guarded Apps list first for it to be completely disabled; the Guarded Apps list supersedes the User Space list.

2. You have to manually add each item to AppGuard. There is no import\export function within the AppGuard GUI. After you have configured the product the way that you wish, you can save a copy of the AppGuardPolicy.xml located in AppData\Roaming\Blue Ridge Networks\AppGuard.
 

shmu26

1. If you add a process that is on the default Guarded Apps list to User Space and set to NO, you have to untick it in the Guarded Apps list first for it to be completely disabled; the Guarded Apps list supersedes the User Space list.
I added powershell to user space, and set to YES. Since it is a guarded app, why can't it launch?
 

509322

Thread author
I added powershell to user space, and set to YES. Since it is a guarded app, why can't it launch?

If you set it to YES, and you unticked it in the Guarded Apps list it should be disabled.

If you set it to YES, but did not untick it in the Guarded Apps list it should launch.

If it isn't working that way, open a support case at AppGuard@BlueRidgeNetworks.com.

Or the appguard.us webpage: Contact Us
 

shmu26

2. You have to manually add each item to AppGuard. There is no import\export function within the AppGuard GUI. After you have configured the product the way that you wish, you can save a copy of the AppGuardPolicy.xml located in AppData\Roaming\Blue Ridge Networks\AppGuard.
Can't you open the xml in notepad, and paste in a whole bunch of entries (after making a backup copy of the file)?
If you set it to YES, and you unticked it in the Guarded Apps list it should be disabled.

If you set it to YES, but did not untick it in the Guarded Apps list it should launch.

If it isn't working that way, open a support case at AppGuard@BlueRidgeNetworks.com.

Or the appguard.us webpage: Contact Us
For me it is in the "support case" category, but I must say that even before I put it in user space, it was having a hard time launching. At first it failed, second time it succeeded, and powershell_ISE complained about some component being missing.
 

509322

Thread author
Can't you open the xml in notepad, and paste in a whole bunch of entries (after making a backup copy of the file)?

For me it is in the "support case" category, but I must say that even before I put it in user space, it was having a hard time launching. At first it failed, second time it succeeded, and powershell_ISE complained about some component being missing.

A user may modify their xml using an xml editor, but we're not going to provide any "How Tos" or support for it. It opens a can of worms.

What you are describing regarding powershell\powershell_ISE appears to be a Windows issue. If powershell_ISE is complaining about a missing component, then that is very likely not an AppGuard issue. You might consider running /sfc scannow and other Windows repair utilities.
 

shmu26

A user may modify their xml using an xml editor, but we're not going to provide any "How Tos" or support for it. It opens a can of worms.

What you are describing regarding powershell\powershell_ISE appears to be a Windows issue. If powershell_ISE is complaining about a missing component, then that is very likely not an AppGuard issue. You might consider running /sfc scannow and other Windows repair utilities.
I hear ya loud and clear about editing the XML file. I sure wouldn't want to provide support for guys who mess with that.

About the powershell_ISE, it works just fine if I disable appguard.
 

509322

Thread author
About the powershell_ISE, it works just fine if I disable appguard.

If I understood one of your earlier posts, you said powershell_ise was complaining of a missing component before AppGuard was installed. Correct?
 

shmu26

If I understood one of your earlier posts, you said powershell_ise was complaining of a missing component before AppGuard was installed. Correct?
It was after Appguard was installed, but before I added it to user space.
 