Advice Request AppGuard guide/tips?

Please provide comments and solutions that are helpful to the author of this topic.

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
It is hard, if not impossible, for home users to get effective support and guidance for AppGuard. If you are up to scouring old posts and threads on this forum and Wilders, you will learn a lot, though.
 
ForgottenSeer 69673

I still use the for-life version too.
I only have a few tweaks I use.

In User Space I add these = yes
c:\Windows\*\bitsadmin.exe
c:\Windows\*\powershell.exe
c:\Windows\*\powershell_ise.exe
c:\Windows\*\wscript.exe
c:\Windows\*\cscript.exe
c:\Windows\*\mshta.exe
c:\Windows\*\hh.exe
c:\Windows\*\wmic.exe
c:\Windows\*\scrcons.exe

Then in Guarded Apps I untick PowerShell.
 

oldschool

Sorry I am new to software restriction policies.

Good luck on your journey, but you picked the one SRP app that requires the most user skill and offers the least amount of user info/support. I would follow @shmu26 's suggestion to thoroughly comb the old threads here and at Wilders. There may be a few more users there to query than here on MT. (y)
 

Zero Knowledge (thread author)
Good luck on your journey, but you picked the one SRP app that requires the most user skill and offers the least amount of user info/support. I would follow @shmu26 's suggestion to thoroughly comb the old threads here and at Wilders. There may be a few more users there to query than here on MT. (y)

Yes I'm doing that now, reading up on AppGuard. I've got the basic grasp of the program but I'm still working out what to add to user space and guarded apps which is tricky. This is a huge learning process for myself, learning more about system processes and software restriction policies is hard.
 

Zero Knowledge

Is there a specific reason you are punishing yourself? So many other tools...

Looking to improve security awareness/knowledge and improve safety. Nothing is bulletproof but I think learning new things is healthy. I would really like to move to Linux/MacOS but that isn't possible at the moment due to various reasons.
 

ebocious

Delete Powershell from Guarded Apps.
Add browsers and other Internet-facing apps to Guarded Apps.
For browsers at least, Privacy should be set to On. MemWrite and MemRead should always be on.

Add to User Space:

c:\windows\*\bitsadmin.exe
c:\*powershell.exe
c:\*powershell_ise.exe
c:\*script.exe
c:\windows\*\mshta.exe
c:\windows\*\hh.exe
c:\windows\*\scrcons.exe
c:\windows\*\wmic.exe (already there)
c:\windows\*\reg.exe (already there)
c:\windows\syswow64\at.exe (already there)
c:\windows\system32\at.exe (already there)
c:\windows\syswow64\schtasks.exe (already there)
c:\windows\system32\schtasks.exe (already there)

For additional security, you can also add:

c:\windows\*\msiexec.exe
c:\windows\*\cmd.exe
c:\windows\*\regsvr32.exe
c:\windows\*\rundll32.exe
c:\windows\*\icacls.exe
c:\windows\*\cacls.exe
c:\windows\*\takeown.exe
c:\windows\*\regini.exe
c:\windows\*\vssadmin.exe
 

Zero Knowledge

Most are already in my user space list. Thank you though.

c:\windows\*\cmd.exe
c:\windows\*\rundll32.exe

These pose the biggest problems, cmd more so. cmd is a huge attack vector but is used by many legit applications too. rundll32.exe is a guarded app; should I untick it and add it to user space? Starting to get the hang of it now, learning more and more.

Has anyone got a recent AppGuard update? I'm a bit suspicious as it downloads the .exe but also a .msi file which is smaller.
 

ebocious

rundll32.exe is a guarded app; should I untick it and add it to user space? Starting to get the hang of it now, learning more and more.
Actually, a few of these are in Guarded Apps, including CMD and regsvr32. Guarded Apps basically prohibits an app from reading or writing to the memory of other apps, or writing to certain directories. User Space prevents an app from being launched in user context at all. You could move these over, but consider moving them back if something breaks. Depending on what you run on your computer, it may be difficult to use when locked down that tightly.

Here's an exhaustive list of LOL binaries. But keep in mind that the chances of some of the more obscure programs being used are slim, unless you've got a human on the other side who's interested in you. If you're going to mess with this stuff, please, please image your system first, just in case.
 

shmu26

rundll32.exe is a guarded app; should I untick it and add it to user space?
If you do that you will run into a lot of problems. I wouldn't say that it will totally bork your computer, but it will impede a lot of processes. If you want to get tighter control over processes such as rundll32 and cmd, the way to do it is not with AppGuard; you need to run NVT ERP or ReHIPS together with AppGuard. Then you will have the ultimate paranoid setup.
 

ebocious

If you do that you will run into a lot of problems. I wouldn't say that it will totally bork your computer, but it will impede a lot of processes. If you want to get tighter control over processes such as rundll32 and cmd, the way to do it is not with AppGuard; you need to run NVT ERP or ReHIPS together with AppGuard. Then you will have the ultimate paranoid setup.
I would like to have a way to set ACL deny permissions for standard users on LOLBINs, without having to go into it per process, per user. That way, you could get around the restriction with a simple RunAs, or by logging off. You can do it in Professional editions with Group Policy, but that doesn't help home users.
 
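An added example, not code from the thread, from AppGuard or from any of the posters: the "deny for standard users, bypass with RunAs, no Group Policy editor needed" behaviour ebocious describes can be had without touching file ACLs at all. Software Restriction Policies are read from HKLM by every edition of Windows, including Home (which only lacks the secpol.msc front end), so the same "Disallowed" path rules the GUI would write can be written to the registry directly. PolicyScope = 1 exempts local Administrators, which is exactly the RunAs/log-off escape hatch described above; it also means the rules do nothing for a daily account that is itself an administrator. The binary list below is the scripting-host list from earlier in the thread (explicit paths rather than c:\windows\*\ wildcards), and the Description string used as a rollback tag is my own choice. Run it from an elevated PowerShell, and image the system first, as the thread already advises.

```powershell
# Added example (not from the thread): SRP "Disallowed" path rules for the LOLBins listed
# in the thread, written straight to the registry so they also work on Windows Home.
# PolicyScope = 1 exempts local Administrators; standard users get the block.
# Assumptions (mine): the binary list below and the $Tag text used to find our own rules.
#Requires -RunAsAdministrator

$Safer      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Disallowed = "$Safer\0\Paths"          # subkey 0 = Disallowed level, 262144 = Unrestricted
$Tag        = 'LOLBin block (added example)'

# Explicit paths; SRP expands %SystemRoot% itself (ItemData is REG_EXPAND_SZ).
$LolBins = @(
    'System32\bitsadmin.exe',   'SysWOW64\bitsadmin.exe',
    'System32\wscript.exe',     'SysWOW64\wscript.exe',
    'System32\cscript.exe',     'SysWOW64\cscript.exe',
    'System32\mshta.exe',       'SysWOW64\mshta.exe',
    'hh.exe',
    'System32\wbem\wmic.exe',   'SysWOW64\wbem\wmic.exe',
    'System32\wbem\scrcons.exe',
    'System32\WindowsPowerShell\v1.0\powershell.exe',
    'SysWOW64\WindowsPowerShell\v1.0\powershell.exe',
    'System32\WindowsPowerShell\v1.0\powershell_ise.exe',
    'SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe'
) | ForEach-Object { "%SystemRoot%\$_" }

function Add-LolbinRules {
    New-Item -Path $Disallowed -Force | Out-Null
    # Default level stays Unrestricted: only the listed paths are blocked.
    Set-ItemProperty -Path $Safer -Name DefaultLevel       -Type DWord -Value 0x40000
    Set-ItemProperty -Path $Safer -Name TransparentEnabled -Type DWord -Value 1   # executables, not DLLs
    Set-ItemProperty -Path $Safer -Name PolicyScope        -Type DWord -Value 1   # all users except local admins

    foreach ($path in $LolBins) {
        # One {GUID} subkey per rule, the same layout secpol.msc writes.
        $rule = Join-Path $Disallowed ([guid]::NewGuid().ToString('B').ToUpper())
        New-Item -Path $rule -Force | Out-Null
        New-ItemProperty -Path $rule -Name ItemData     -PropertyType ExpandString -Value $path | Out-Null
        New-ItemProperty -Path $rule -Name SaferFlags   -PropertyType DWord        -Value 0     | Out-Null
        New-ItemProperty -Path $rule -Name LastModified -PropertyType QWord        -Value ([datetime]::UtcNow.ToFileTimeUtc()) | Out-Null
        New-ItemProperty -Path $rule -Name Description  -PropertyType String       -Value $Tag  | Out-Null
    }
}

function Get-LolbinRules {
    Get-ChildItem -Path $Disallowed -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ItemProperty -Path $_.PSPath } |
        Where-Object { $_.Description -eq $Tag } |
        Select-Object PSChildName, ItemData
}

# Rollback: remove only the rules this script tagged and leave any others alone.
function Remove-LolbinRules {
    Get-ChildItem -Path $Disallowed -ErrorAction SilentlyContinue |
        Where-Object { (Get-ItemProperty -Path $_.PSPath).Description -eq $Tag } |
        Remove-Item -Recurse
}

Add-LolbinRules
Get-LolbinRules | Format-Table -AutoSize
```

Rules are evaluated when a process is created, so there is nothing to reboot; log off and back on if a rule does not seem to apply. To test, launch wscript.exe or mshta.exe from a standard-user account: Windows answers with "This program is blocked by group policy" and writes a SoftwareRestrictionPolicies event (ID 866 for a path rule) to the Application log. Blocking powershell.exe this way has the same side effects the thread warns about for the AppGuard User Space entry, so add cmd.exe or rundll32.exe only after testing, and keep Remove-LolbinRules handy.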

Zero Knowledge

Here's an exhaustive list of LOL binaries. But keep in mind that the chances of some of the more obscure programs being used are slim, unless you've got a human on the other side who's interested in you. If you're going to mess with this stuff, please, please image your system first, just in case.

Thank you for the list. I will try to add some to user space, it is a learning process.

Observation: Attackers are using sc.exe to remotely turn on the BITS/bitsadmin.exe service. sc.exe triggers a lot of alerts; looking at the Microsoft docs, it explicitly says you can use sc.exe to manage Windows services remotely. AppGuard stops sc.exe from running; other security software with paranoid security settings lets it through, and it does make changes to services. The reason I see this as suspicious is that I have set the bitsadmin service to be disabled from the start, and I do not see why it would be turned on. Maybe I'm wrong and it's legit, but in my experience services that are disabled don't try to turn on again without user interaction.

Another observation: I'm observing multiple connections to C&C servers on sites hosted on Google and Amazon infrastructure. Some were registered as much as 5 years ago. Some time out with display errors, but some hit old blogs with very little content, which is very suspicious. Why would a System Idle Process be listening to old blogs hosted on Google infrastructure?

Again, this is a big learning experience for myself. My setup was rock solid before, or so I thought anyway, but I need to take it up a level.
 
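Two checks for the observations in the post above, as an added example that is not part of the thread. For the first observation: the service is BITS (bitsadmin.exe is only the command-line client), and every change to a service's start type is logged by the Service Control Manager as Event ID 7040 in the System log, so the timeline of those events can be matched against the sc.exe alerts; since Windows Update depends on BITS, a 7040 with no matching alert is more likely Windows itself than an attacker. For the second: netstat and similar tools attribute sockets in TIME_WAIT to PID 0, "System Idle Process", because the owning process has already closed them, so a remote host that appears under System Idle Process is usually the tail of a connection a browser or updater made a moment earlier; the owning executable of ESTABLISHED connections is what to look at. The service name and the 30-day window are my assumptions.

```powershell
# Added example (not from the thread): verify the two observations above.
# Run from an elevated PowerShell. Assumptions (mine): service name 'BITS', 30-day window.

# 1. Did the BITS start type really change, and when?  Event ID 7040 in the System log:
#    "The start type of the <param1> service was changed from <param2> to <param3>."
#    param4 carries the short service name (BITS).
function Get-ServiceStartTypeChanges {
    param([string]$ServiceName = 'BITS', [int]$Days = 30)

    $filter = @{
        LogName      = 'System'
        ProviderName = 'Service Control Manager'
        Id           = 7040
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties.Value -contains $ServiceName } |
        Select-Object TimeCreated,
            @{ n = 'Service'; e = { $_.Properties[0].Value } },
            @{ n = 'From';    e = { $_.Properties[1].Value } },
            @{ n = 'To';      e = { $_.Properties[2].Value } }
}

# 2. Which executable owns each outbound connection?  TIME_WAIT sockets have no owner
#    (PID 0 = System Idle Process), so only ESTABLISHED ones are listed here.
function Get-OutboundConnections {
    Get-NetTCPConnection -State Established |
        Where-Object { $_.RemoteAddress -notmatch '^(127\.|::1$|0\.0\.0\.0$)' } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            $rdns = $null
            try { $rdns = [System.Net.Dns]::GetHostEntry($_.RemoteAddress).HostName } catch { }
            [pscustomobject]@{
                Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
                RDns    = $rdns
                Pid     = $_.OwningProcess
                Process = $proc.ProcessName
                Path    = $proc.Path
            }
        } | Sort-Object Process, Remote
}

Get-Service -Name BITS | Format-Table Name, Status, StartType
Get-ServiceStartTypeChanges | Format-Table -AutoSize
Get-OutboundConnections     | Format-Table -AutoSize
```

The 7040 event does not record which account or process made the change; for that, the sc.exe alerts from AppGuard or the other software (with their timestamps and parent process) are the only source, which is why lining the two up matters. Reverse DNS of a cloud IP normally returns the provider's generic name, not the blog, so RDns is a hint rather than an answer; the Path column is the useful field.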
