Advice Request AppGuard guide/tips?

Please provide comments and solutions that are helpful to the author of this topic.

ebocious

Level 6
Verified
Well-known
Oct 25, 2018
252
Thank you for the list. I will try to add some to user space, it is a learning process.

Observation: Attackers are using sc.exe to remotely turn on BITS/bitsadmin.exe service. sc.exe triggers a lot of alerts, looking at Microsoft docs it explicitly says you can use sc.exe to manage windows services remotely. AppGuard stops sc.exe from running, other security software with paranoid security settings lets it through and it does make changes to services. Reason I see this as suspicious is I have set bitsadmin service to be disabled from the start, I do not see why it would be turned on. Maybe I'm wrong and it's legit but services that are disabled don't try and turn on again in my experience without user interaction.

Another observation: There are multiple connections to C&C servers to sites hosted on Google and Amazon infrastructure I'm observing. Some are registered as much as 5 years ago. Some time out with display errors, but some hit to old blogs with very little content which is very suspicious. Why would a system idle process be listening to old blogs hosted on Google infrastructure?

Again, this a big learning experience for myself. My setup was rock solid before I thought so anyway, but I need to take it up a level.
Good questions, but let me observe the proper channels. To make sure your system is clean, or disinfect if it is not, let's have you start with MT's help & support group for malware removal. Click here to get to the main page, and then click the first link on that page, which should be the mandatory preparation guide. There, you'll be prompted to run a couple of scanners and paste the results for people to look at. Once we can be sure you're all set, my personal recommendation is to go back into AG configuration and untick all those checkboxes in Alerts. You'd have to be above my pay grade for those alerts to be of any real use.

Once you know your system is clean, you're more likely to win the lottery twice than get infected again, unless you disable AG and install a Trojan. :)
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
I have set bitsadmin service to be disabled
Keep in mind that bitsadmin and bitsadmin.exe are not the same thing. The former can be leveraged by malware even if you block the latter. Blocking the former can interfere with necessary functions, if I remember correctly, but you can usually block the latter with impunity.
 

Zero Knowledge

Level 20
Thread author
Verified
Top Poster
Content Creator
Dec 2, 2016
869
Keep in mind that bitsadmin and bitsadmin.exe are not the same thing. The former can be leveraged by malware even if you block the latter. Blocking the former can interfere with necessary functions, if I remember correctly, but you can usually block the latter with impunity.

Yes I know. bitsadmin.exe is blocked in userspace.

AppGuard update, has anyone got it?
 

Zero Knowledge

Level 20
Thread author
Verified
Top Poster
Content Creator
Dec 2, 2016
869
Here's 5.2.9.1

It's my copy, downloaded directly from Blue Ridge.

Thank you but I'm talking about AppGuard Solo internal updater. There is an update available but I'm hesitant because it downloads several files a .exe and .msi installer, the .exe looks fine but the .msi I'm worried about. The latest offical AppGuard installer download link is not the new updated version offered through update option in AppGuard which is odd.
 

ebocious

Level 6
Verified
Well-known
Oct 25, 2018
252
Thank you but I'm talking about AppGuard Solo internal updater. There is an update available but I'm hesitant because it downloads several files a .exe and .msi installer, the .exe looks fine but the .msi I'm worried about. The latest offical AppGuard installer download link is not the new updated version offered through update option in AppGuard which is odd.
Gotcha. I honestly don't remember how I updated mine: I assume it linked me to the website, since I was able to save the install package. I know when I bought my license initially, the download link in the email didn't work. So I had to email support, they asked me to forward the confirmation email, and then they sent me a working link.
 

Zero Knowledge

Level 20
Thread author
Verified
Top Poster
Content Creator
Dec 2, 2016
869
Gotcha. I honestly don't remember how I updated mine: I assume it linked me to the website, since I was able to save the install package. I know when I bought my license initially, the download link in the email didn't work. So I had to email support, they asked me to forward the confirmation email, and then they sent me a working link.

New appguard has a internal updater. Download link still points to old stable, new stable is available through internal updater.
 

MIDave

Level 1
Verified
Dec 24, 2017
16
What version of AG Solo do you have? I just bought another license and the download link still provides 6.2.9.1113 which I have had for the past year. Checking for updates through the app says my version is current. I emailed AG support a couple of days ago, but no response so far.
 
  • Like
Reactions: oldschool
F

ForgottenSeer 85911

What version of AG Solo do you have? I just bought another license and the download link still provides 6.2.9.1113 which I have had for the past year. Checking for updates through the app says my version is current. I emailed AG support a couple of days ago, but no response so far.

Solo is not for home users. It is for SMB. It is garbage. You should not use it.
 

Zero Knowledge

Level 20
Thread author
Verified
Top Poster
Content Creator
Dec 2, 2016
869
What version of AG Solo do you have? I just bought another license and the download link still provides 6.2.9.1113 which I have had for the past year. Checking for updates through the app says my version is current. I emailed AG support a couple of days ago, but no response so far.

Thank you for posting. So the internal updater says 6.2.9.1113 is current and no new version is available? Just confirming.

Solo is not for home users. It is for SMB. It is garbage. You should not use it.

Care to explain your thoughts?
 

MIDave

Level 1
Verified
Dec 24, 2017
16
Thank you for posting. So the internal updater says 6.2.9.1113 is current and no new version is available? Just confirming.

Yes. When I click Check for Update it says that my version it says "Your version of Appguard is up to date". Maybe 6.2.9.1113 is the latest version, but I got the impression from your post #25 that there might be a newer version.
 

Trooper

Level 17
Verified
Top Poster
Well-known
Aug 28, 2015
801
I am glad I found this thread. When I get home tonight, going to revisit it.

Question: Appguard Solo is preventing MS Teams from launching. How do I allow this app to run? Note, I am in lockdown mode.

Thanks!
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
I am glad I found this thread. When I get home tonight, going to revisit it.

Question: Appguard Solo is preventing MS Teams from launching. How do I allow this app to run? Note, I am in lockdown mode.

Thanks!
Check the log to get the path, and make an exception in user space. Either that, or run Appguard at default settings.
I assume you know how to read the log and configure user space rules? If by any chance you are not familiar with that, please be informed that Appguard is not a consumer-oriented product. It is designed for IT professionals to use in a business environment. There is no support for home users. :(

You can get software restriction policy with support for home users, for free, it is called Hard_Configurator, from @Andy Ful. It is not exactly the same as Appguard. But it works great.
 

Trooper

Level 17
Verified
Top Poster
Well-known
Aug 28, 2015
801
Check the log to get the path, and make an exception in user space. Either that, or run Appguard at default settings.
I assume you know how to read the log and configure user space rules? If by any chance you are not familiar with that, please be informed that Appguard is not a consumer-oriented product. It is designed for IT professionals to use in a business environment. There is no support for home users. :(

You can get software restriction policy with support for home users, for free, it is called Hard_Configurator, from @Andy Ful. It is not exactly the same as Appguard. But it works great.

It has been awhile. Yeah I read the logs, I guess I just need a pointer again on the user space rules. I just have not used the product in a few years and kind of forgot. I work in IT for a living so I don't really need the support.

Thanks.
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
It has been awhile. Yeah I read the logs, I guess I just need a pointer again on the user space rules. I just have not used the product in a few years and kind of forgot. I work in IT for a living so I don't really need the support.

Thanks.
Maybe the Appguard help file can answer your question. I sure hope so...
 
  • Like
Reactions: Trooper

Bretski

New Member
Jul 23, 2020
7
Trooper, you can right-click on the AppGuard tray icon and select Activity Report so you can get the blocked path. Or you can double-click the AppGuard tray icon and you will see the buttons for the activity report and the Customize button. Once you have the block path for Teams, click the Customize button and select the User Space tab. Click on Add and add the path. After adding the path make sure the Include column says No. You can click on the Yes or No in that column to change it.
 

Trooper

Level 17
Verified
Top Poster
Well-known
Aug 28, 2015
801
Trooper, you can right-click on the AppGuard tray icon and select Activity Report so you can get the blocked path. Or you can double-click the AppGuard tray icon and you will see the buttons for the activity report and the Customize button. Once you have the block path for Teams, click the Customize button and select the User Space tab. Click on Add and add the path. After adding the path make sure the Include column says No. You can click on the Yes or No in that column to change it.

Thank you sir. Will look into this tonight. Cheers!
 
  • Like
Reactions: shmu26

Trooper

Level 17
Verified
Top Poster
Well-known
Aug 28, 2015
801
See this is a little bit tricky. Here is what I see.

Thu Jul 23 20:27:09 2020 Prevented process <update.exe | c:\windows\explorer.exe> from launching from <c:\users\user\appdata\local\microsoft\teams>.
 
  • Like
Reactions: shmu26

Bretski

New Member
Jul 23, 2020
7
The launching is what you're after; c:\user\user\appdata\local\microsoft\teams is in user space. So you have to exclude that directory from user space. Works the same as excluding a file from user space. The only other option would be if Teams offers you the ability to change where everything is installed. I haven't used Teams so not sure if it offers this or not. For example to install in c:\program files... or similar instead of c:\user...

If you're not comfortable excluding an entire directory, exclude the update.exe in that directory. I wonder if update.exe is just some update function trying to run or that is how Teams starts. Might have to play with what you exclude from user space to get what you want.
 

Trooper

Level 17
Verified
Top Poster
Well-known
Aug 28, 2015
801
The launching is what you're after; c:\user\user\appdata\local\microsoft\teams is in user space. So you have to exclude that directory from user space. Works the same as excluding a file from user space. The only other option would be if Teams offers you the ability to change where everything is installed. I haven't used Teams so not sure if it offers this or not. For example to install in c:\program files... or similar instead of c:\user...

If you're not comfortable excluding an entire directory, exclude the update.exe in that directory. I wonder if update.exe is just some update function trying to run or that is how Teams starts. Might have to play with what you exclude from user space to get what you want.

I have tried that but to no avail. This Teams app is super finicky it seems.
 
  • Like
Reactions: shmu26

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top