Advice Request AppGuard guide/tips?

Please provide comments and solutions that are helpful to the author of this topic.

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
It is hard, if not impossible, for home users to get effective support and guidance for AppGuard. If you are up to scouring old posts and threads on this forum and Wilders, you will learn a lot, though.
 
F

ForgottenSeer 69673

I still use the for life version too.
I only have a few tweaks I use.

in user space I add these = yes
c:\Windows\*\bitsadmin.exe
c:\Windows\*\powershell.exe
c:\Windows\*\powershell_ise.exe
c:\Windows\*\wscript.exe
c:\Windows\*\cscript.exe
c:\Windows\*\mshta.exe
c:\Windows\*\hh.exe
c:\Windows\*\wmic.exe
c:\Windows\*\scrcons.exe

then in guarded apps I untick poweshell
 

oldschool

Level 81
Verified
Top Poster
Well-known
Mar 29, 2018
7,044
Sorry I am new to software restriction policies.

Good luck on your journey, but you picked the one SRP app that requires the most user skill and offers the least amount of user info/support. I would follow @shmu26 's suggestion to thoroughly comb the old threads here and at Wilders. There may be a few more users there to query than here on MT. (y)
 

Zero Knowledge

Level 20
Thread author
Verified
Top Poster
Content Creator
Dec 2, 2016
841
Good luck on your journey, but you picked the one SRP app that requires the most user skill and offers the least amount of user info/support. I would follow @shmu26 's suggestion to thoroughly comb the old threads here and at Wilders. There may be a few more users there to query than here on MT. (y)

Yes I'm doing that now, reading up on AppGuard. I've got the basic grasp of the program but I'm still working out what to add to user space and guarded apps which is tricky. This is a huge learning process for myself, learning more about system processes and software restriction policies is hard.
 

Zero Knowledge

Level 20
Thread author
Verified
Top Poster
Content Creator
Dec 2, 2016
841
Is there a specific reason you are punishing yourself. So many other tools...

Looking to improve security awareness/knowledge and improve safety. Nothing is bulletproof but I think learning new things is healthy. I would really like to move to Linux/MacOS but that isn't possible at the moment due to various reasons.
 

ebocious

Level 5
Verified
Well-known
Oct 25, 2018
232
Delete Powershell from Guarded Apps.
Add browsers and other Internet-facing apps to Guarded Apps.
For browsers at least, Privacy should be set to On. MemWrite and MemRead should always be on.

Add to User Space:

c:\windows\*\bitsadmin.exe
c:\*powershell.exe
c:\*powershell_ise.exe
c:\*script.exe
c:\windows\*\mshta.exe
c:\windows\*\hh.exe
c:\windows\*\scrcons.exe
c:\windows\*\wmic.exe (already there)
c:\windows\*\reg.exe (already there)
c:\windows\syswow64\at.exe (already there)
c:\windows\system32\at.exe (already there)
c:\windows\syswow64\schtasks.exe (already there)
c:\windows\system32\schtasks.exe (already there)

For additional security, you can also add:

c:\windows\*\msiexec.exe
c:\windows\*\cmd.exe
c:\windows\*\regsvr32.exe
c:\windows\*\rundll32.exe
c:\windows\*\icacls.exe
c:\windows\*\cacls.exe
c:\windows\*\takeown.exe
c:\windows\*\regini.exe
c:\windows\*\vssadmin.exe
 

Zero Knowledge

Level 20
Thread author
Verified
Top Poster
Content Creator
Dec 2, 2016
841
Most are already in my user space list. Thank you though.

c:\windows\*\cmd.exe
c:\windows\*\rundll32.exe

These pose the biggest problems, cmd more so. cmd is a huge attack vector but is used by many legit applications too. runddl32.exe is a guarded app, should I untick it and add it to user space? Starting to get the hang of it now, learning more and more.

Has anyone got a recent AppGuard update? I'm a bit suspicious as it downloads the .exe but also a .msi file which is smaller.
 

ebocious

Level 5
Verified
Well-known
Oct 25, 2018
232
runddl32.exe is a guarded app, should I untick it and add it to user space? Starting to get the hang of it now, learning more and more.
Actually, a few of these are in Guarded Apps, including CMD and regsvr32. Guarded Apps basically prohibits an app from reading or writing to the memory of other apps, or writing to certain directories. User Space prevents an app from being launched in user context at all. You could move these over, but consider moving them back if something breaks. Depending on what you run on your computer, it may be difficult to use when locked down that tightly.

Here's an exhaustive list of LOL binaries. But keep in mind that the chances of some of the more obscure programs being used are slim, unless you've got a human on the other side who's interested in you. If you're going to mess with this stuff, please, please image your system first, just in case.
 
Last edited:

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
runddl32.exe is a guarded app, should I untick it and add it to user space?
If you do that you will run into a lot of problems. I wouldn't say that it will totally bork your computer, but it will impede a lot of processes. If you want to get tighter control over processes such as rundll32 and cmd, the way to do it is not with Appguard you need to run NVT ERP or ReHIPS together with AppGuard. Then you will have the ultimate paranoid setup.
 

ebocious

Level 5
Verified
Well-known
Oct 25, 2018
232
If you do that you will run into a lot of problems. I wouldn't say that it will totally bork your computer, but it will impede a lot of processes. If you want to get tighter control over processes such as rundll32 and cmd, the way to do it is not with Appguard you need to run NVT ERP or ReHIPS together with AppGuard. Then you will have the ultimate paranoid setup.
I would like to have a way to set ACL deny permissions for standard users on LOLBINs, without having to go into it per process, per user. That way, you could get around the restriction with a simple RunAs, or by logging off. You can do it in Professional editions with Group Policy, but that doesn't help home users.
 

Zero Knowledge

Level 20
Thread author
Verified
Top Poster
Content Creator
Dec 2, 2016
841
Here's an exhaustive list of LOL binaries. But keep in mind that the chances of some of the more obscure programs being used are slim, unless you've got a human on the other side who's interested in you. If you're going to mess with this stuff, please, please image your system first, just in case.

Thank you for the list. I will try to add some to user space, it is a learning process.

Observation: Attackers are using sc.exe to remotely turn on BITS/bitsadmin.exe service. sc.exe triggers a lot of alerts, looking at Microsoft docs it explicitly says you can use sc.exe to manage windows services remotely. AppGuard stops sc.exe from running, other security software with paranoid security settings lets it through and it does make changes to services. Reason I see this as suspicious is I have set bitsadmin service to be disabled from the start, I do not see why it would be turned on. Maybe I'm wrong and it's legit but services that are disabled don't try and turn on again in my experience without user interaction.

Another observation: There are multiple connections to C&C servers to sites hosted on Google and Amazon infrastructure I'm observing. Some are registered as much as 5 years ago. Some time out with display errors, but some hit to old blogs with very little content which is very suspicious. Why would a system idle process be listening to old blogs hosted on Google infrastructure?

Again, this a big learning experience for myself. My setup was rock solid before I thought so anyway, but I need to take it up a level.
 
Last edited:

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top