Advice Request AppGuard guide/tips?

[ebocious]

Thank you for the list. I will try to add some to user space, it is a learning process.

Observation: Attackers are using sc.exe to remotely turn on BITS/bitsadmin.exe service. sc.exe triggers a lot of alerts, looking at Microsoft docs it explicitly says you can use sc.exe to manage windows services remotely. AppGuard stops sc.exe from running, other security software with paranoid security settings lets it through and it does make changes to services. Reason I see this as suspicious is I have set bitsadmin service to be disabled from the start, I do not see why it would be turned on. Maybe I'm wrong and it's legit but services that are disabled don't try and turn on again in my experience without user interaction.

Another observation: There are multiple connections to C&C servers to sites hosted on Google and Amazon infrastructure I'm observing. Some are registered as much as 5 years ago. Some time out with display errors, but some hit to old blogs with very little content which is very suspicious. Why would a system idle process be listening to old blogs hosted on Google infrastructure?

Again, this a big learning experience for myself. My setup was rock solid before I thought so anyway, but I need to take it up a level.

Good questions, but let me observe the proper channels. To make sure your system is clean, or disinfect if it is not, let's have you start with MT's help & support group for malware removal. Click here to get to the main page, and then click the first link on that page, which should be the mandatory preparation guide. There, you'll be prompted to run a couple of scanners and paste the results for people to look at. Once we can be sure you're all set, my personal recommendation is to go back into AG configuration and untick all those checkboxes in Alerts. You'd have to be above my pay grade for those alerts to be of any real use.

Once you know your system is clean, you're more likely to win the lottery twice than get infected again, unless you disable AG and install a Trojan.

 

[shmu26]

I have set bitsadmin service to be disabled

Keep in mind that bitsadmin and bitsadmin.exe are not the same thing. The former can be leveraged by malware even if you block the latter. Blocking the former can interfere with necessary functions, if I remember correctly, but you can usually block the latter with impunity.

 

[Zero Knowledge]

Keep in mind that bitsadmin and bitsadmin.exe are not the same thing. The former can be leveraged by malware even if you block the latter. Blocking the former can interfere with necessary functions, if I remember correctly, but you can usually block the latter with impunity.

Yes I know. bitsadmin.exe is blocked in userspace.

AppGuard update, has anyone got it?

 

[ebocious]

AppGuard update, has anyone got it?

Here's 5.2.9.1

It's my copy, downloaded directly from Blue Ridge.

 

[Zero Knowledge]

Here's 5.2.9.1

It's my copy, downloaded directly from Blue Ridge.

Thank you but I'm talking about AppGuard Solo internal updater. There is an update available but I'm hesitant because it downloads several files a .exe and .msi installer, the .exe looks fine but the .msi I'm worried about. The latest offical AppGuard installer download link is not the new updated version offered through update option in AppGuard which is odd.

 

[ebocious]

Thank you but I'm talking about AppGuard Solo internal updater. There is an update available but I'm hesitant because it downloads several files a .exe and .msi installer, the .exe looks fine but the .msi I'm worried about. The latest offical AppGuard installer download link is not the new updated version offered through update option in AppGuard which is odd.

Gotcha. I honestly don't remember how I updated mine: I assume it linked me to the website, since I was able to save the install package. I know when I bought my license initially, the download link in the email didn't work. So I had to email support, they asked me to forward the confirmation email, and then they sent me a working link.

 

[Zero Knowledge]

Gotcha. I honestly don't remember how I updated mine: I assume it linked me to the website, since I was able to save the install package. I know when I bought my license initially, the download link in the email didn't work. So I had to email support, they asked me to forward the confirmation email, and then they sent me a working link.

New appguard has a internal updater. Download link still points to old stable, new stable is available through internal updater.

 

[MIDave]

What version of AG Solo do you have? I just bought another license and the download link still provides 6.2.9.1113 which I have had for the past year. Checking for updates through the app says my version is current. I emailed AG support a couple of days ago, but no response so far.

 

[ForgottenSeer 85911]

What version of AG Solo do you have? I just bought another license and the download link still provides 6.2.9.1113 which I have had for the past year. Checking for updates through the app says my version is current. I emailed AG support a couple of days ago, but no response so far.

Solo is not for home users. It is for SMB. It is garbage. You should not use it.

 

[Zero Knowledge]

What version of AG Solo do you have? I just bought another license and the download link still provides 6.2.9.1113 which I have had for the past year. Checking for updates through the app says my version is current. I emailed AG support a couple of days ago, but no response so far.

Thank you for posting. So the internal updater says 6.2.9.1113 is current and no new version is available? Just confirming.

Solo is not for home users. It is for SMB. It is garbage. You should not use it.

Care to explain your thoughts?

 

[MIDave]

Thank you for posting. So the internal updater says 6.2.9.1113 is current and no new version is available? Just confirming.

Yes. When I click Check for Update it says that my version it says "Your version of Appguard is up to date". Maybe 6.2.9.1113 is the latest version, but I got the impression from your post #25 that there might be a newer version.

 

[Trooper]

I am glad I found this thread. When I get home tonight, going to revisit it.

Question: Appguard Solo is preventing MS Teams from launching. How do I allow this app to run? Note, I am in lockdown mode.

Thanks!

 

[shmu26]

I am glad I found this thread. When I get home tonight, going to revisit it.

Question: Appguard Solo is preventing MS Teams from launching. How do I allow this app to run? Note, I am in lockdown mode.

Thanks!

Check the log to get the path, and make an exception in user space. Either that, or run Appguard at default settings.
I assume you know how to read the log and configure user space rules? If by any chance you are not familiar with that, please be informed that Appguard is not a consumer-oriented product. It is designed for IT professionals to use in a business environment. There is no support for home users.

You can get software restriction policy with support for home users, for free, it is called Hard_Configurator, from @Andy Ful. It is not exactly the same as Appguard. But it works great.

 

[Trooper]

Check the log to get the path, and make an exception in user space. Either that, or run Appguard at default settings.
I assume you know how to read the log and configure user space rules? If by any chance you are not familiar with that, please be informed that Appguard is not a consumer-oriented product. It is designed for IT professionals to use in a business environment. There is no support for home users.

You can get software restriction policy with support for home users, for free, it is called Hard_Configurator, from @Andy Ful. It is not exactly the same as Appguard. But it works great.

It has been awhile. Yeah I read the logs, I guess I just need a pointer again on the user space rules. I just have not used the product in a few years and kind of forgot. I work in IT for a living so I don't really need the support.

Thanks.

 

[shmu26]

It has been awhile. Yeah I read the logs, I guess I just need a pointer again on the user space rules. I just have not used the product in a few years and kind of forgot. I work in IT for a living so I don't really need the support.

Thanks.

Maybe the Appguard help file can answer your question. I sure hope so...

 

[Bretski]

Trooper, you can right-click on the AppGuard tray icon and select Activity Report so you can get the blocked path. Or you can double-click the AppGuard tray icon and you will see the buttons for the activity report and the Customize button. Once you have the block path for Teams, click the Customize button and select the User Space tab. Click on Add and add the path. After adding the path make sure the Include column says No. You can click on the Yes or No in that column to change it.

 

[Trooper]

Trooper, you can right-click on the AppGuard tray icon and select Activity Report so you can get the blocked path. Or you can double-click the AppGuard tray icon and you will see the buttons for the activity report and the Customize button. Once you have the block path for Teams, click the Customize button and select the User Space tab. Click on Add and add the path. After adding the path make sure the Include column says No. You can click on the Yes or No in that column to change it.

Thank you sir. Will look into this tonight. Cheers!

 

[Trooper]

See this is a little bit tricky. Here is what I see.

Thu Jul 23 20:27:09 2020 Prevented process <update.exe | c:\windows\explorer.exe> from launching from <c:\users\user\appdata\local\microsoft\teams>.

 

[Bretski]

The launching is what you're after; c:\user\user\appdata\local\microsoft\teams is in user space. So you have to exclude that directory from user space. Works the same as excluding a file from user space. The only other option would be if Teams offers you the ability to change where everything is installed. I haven't used Teams so not sure if it offers this or not. For example to install in c:\program files... or similar instead of c:\user...

If you're not comfortable excluding an entire directory, exclude the update.exe in that directory. I wonder if update.exe is just some update function trying to run or that is how Teams starts. Might have to play with what you exclude from user space to get what you want.

 

[Trooper]

The launching is what you're after; c:\user\user\appdata\local\microsoft\teams is in user space. So you have to exclude that directory from user space. Works the same as excluding a file from user space. The only other option would be if Teams offers you the ability to change where everything is installed. I haven't used Teams so not sure if it offers this or not. For example to install in c:\program files... or similar instead of c:\user...

If you're not comfortable excluding an entire directory, exclude the update.exe in that directory. I wonder if update.exe is just some update function trying to run or that is how Teams starts. Might have to play with what you exclude from user space to get what you want.

I have tried that but to no avail. This Teams app is super finicky it seems.