AppGuard - Have you tried this program?

Status
Not open for further replies.

shmu26

What's the difference between software restriction policy and anti-executable, and how do the current products under them compare? Are there any redundancies between them, or do they cover each other? People's posts suggest there are differences.
Anti-exe won't let a process run unless you allow it.
Software restriction also controls what a process can do when it is already running.

If you use software restriction software like AppGuard, that does it all.
But you might find it more convenient to manage vulnerable processes from an anti-exe like NoVirusThanks EXE Radar Pro. Some people use both, or at least they used to, when NVT was more popular (now there are other programs that have come out).
 

shmu26

Personally, I'm still doing that, using both on my Windows 8.1 x64. Could you give exact names of the other software that came out please?
Well, for instance, ReHIPS has won the hearts of many hard-core security enthusiasts.
There is also Excubits, and I think there is another product people are using; I can't remember the name.
Nothing is an exact replacement for NVT ERP.
 

509322

Some people want to protect both System and User Space when they lower AppGuard's protections to "Allow Installs" or "OFF" to update programs.

A better way of doing it is to add the program publisher to the Trusted Publisher List and allow the program to update normally. This requires an update that is digitally signed.

AppGuard will not accept digital signatures with non-English characters.

In Locked Down mode it requires an update that is digitally signed through the entire run sequence. If not, then lower AppGuard to Protected mode and update.

If the update is not digitally signed at all, only then do you lower AppGuard to "Allow Installs." It is best not to lower to "OFF" unless absolutely necessary.

Always use the highest level of AppGuard security required to accomplish a program update. It is the most secure, proper way to do it.

Some programs have digitally signed installers, but their updates are not signed. The process of finding out which ones is trial-and-error.
 
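The signature checks the post above describes (a signed installer whose updater is unsigned, and the caveat about signer names with non-English characters), as an added PowerShell example. It is not from the thread and not AppGuard's own tooling. The install path and the extension list are assumptions, and the non-ASCII test on the signer's subject is a heuristic stand-in for what the post calls non-English characters, since AppGuard's exact rule is not stated here.

```powershell
# Added example, not from the thread or from AppGuard.
# Inventory the Authenticode signatures under an application's install
# directory before lowering AppGuard, so you can see whether the updater and
# its payload are signed, by whom, and whether the signer name is plain ASCII.
function Get-UpdateSignatureReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        # Assumption: which file types count as "update payload"; adjust as needed.
        [string[]]$Extensions = @('*.exe', '*.dll', '*.msi')
    )

    Get-ChildItem -Path $Path -Recurse -Include $Extensions -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        $thumb   = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { '' }

        # Heuristic for the "non-English characters" caveat from the post:
        # flag any character outside 7-bit ASCII in the signer's subject.
        $nonAscii = [bool]($subject -match '[^\x00-\x7F]')

        [pscustomobject]@{
            File           = $_.FullName
            Status         = $sig.Status      # Valid, NotSigned, HashMismatch, UnknownError, ...
            Signer         = $subject
            Thumbprint     = $thumb
            NonAsciiSigner = $nonAscii
        }
    }
}

# Usage 1: files you would have to lower AppGuard for, i.e. anything not validly
# signed, plus validly signed files whose signer name may trip the ASCII rule.
# The path is a hypothetical example.
Get-UpdateSignatureReport -Path 'C:\Program Files\ExampleApp' |
    Where-Object { $_.Status -ne 'Valid' -or $_.NonAsciiSigner } |
    Format-Table File, Status, Signer, NonAsciiSigner -AutoSize

# Usage 2: the distinct publishers that actually sign this program's binaries,
# which is the list to consider for AppGuard's Trusted Publisher List.
Get-UpdateSignatureReport -Path 'C:\Program Files\ExampleApp' |
    Where-Object Status -eq 'Valid' |
    Group-Object Signer |
    Select-Object Count, Name
```

Run it once against a freshly installed copy and again after the program's own updater has run; a file that switches from Valid to NotSigned between the two runs is exactly the "signed installer, unsigned update" case the post says you otherwise find by trial and error.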

509322

Well, for instance, ReHIPS has won the hearts of many hard-core security enthusiasts.
There is also Excubits, and I think there is another product people are using; I can't remember the name.
Nothing is an exact replacement for NVT ERP.

ReHIPS is great because it uses separate user profiles (ReHIPSUser), which are isolated from each other as well as from the real user. If you keep your valuable data out of those profiles by not copying it there, or by backing up what you do create, you don't really care what happens in the ReHIPSUser profiles, as you can always delete them and re-create them.

The real user profile is still at risk if you use internet facing and downloaded programs within it.

For those that like combos, an exceptional one is AppGuard + ReHIPS.
 

NikolayfromRussia

I have never tried this program. By the way, many MT users contact me and ask if I have AppGuard licenses to share. I am not from AppGuard :) I don't have an online shop where I sell AppGuard. I recommend contacting Jeff_T - Testing Group and asking him to share licenses with you. It is very easy for him to generate free licenses for you ;)
 

509322

I have never tried this program. By the way, many MT users contact me and ask if I have AppGuard licenses to share. I am not from AppGuard :) I don't have an online shop where I sell AppGuard. I recommend contacting Jeff_T - Testing Group and asking him to share licenses with you. It is very easy for him to generate free licenses for you ;)

I don't have any licenses to give out; engineering personnel do not generate licenses.

Plus, there is no more trial. The company made that change within the past few months.
 

SHvFl

ReHIPS is great because it uses separate user profiles (ReHIPSUser), which are isolated from each other as well as from the real user. If you keep your valuable data out of those profiles by not copying it there, or by backing up what you do create, you don't really care what happens in the ReHIPSUser profiles, as you can always delete them and re-create them.

The real user profile is still at risk if you use internet facing and downloaded programs within it.

For those that like combos, an exceptional one is AppGuard + ReHIPS.
Anything running isolated can't access the real user profile, nor can you manually do that (ReHIPS ignores permissions for the real user profile).

You might mean anything not running isolated, but in that case it's like any security program: if you disable or lower the protection, you can get infected.
 

509322

Anything running isolated can't access the real user profile, nor can you manually do that (ReHIPS ignores permissions for the real user profile).

You might mean anything not running isolated, but in that case it's like any security program: if you disable or lower the protection, you can get infected.

At least some people will still use the real desktop to launch programs within the real user profile. If they do that, the HIPS will be the only ReHIPS module protecting the desktop. There are ways to bypass that HIPS. It's no different than any other HIPS.

That's the value of combining AppGuard with ReHIPS. AppGuard will block execution in the unlikely event of a HIPS bypass or some malc0der targets ReHIPS or any of a bunch of other bad scenarios.

What's the likelihood ? - probably a fraction of a percent. I think a very small fraction of a percent.

It would be very difficult to infect the real system using an AppGuard + ReHIPS combo. The most likely case would be a comedy of errors on the user's part.
 

shmu26

At least some people will still use the real desktop to launch programs within the real user profile. If they do that, the HIPS will be the only ReHIPS module protecting the desktop. There are ways to bypass that HIPS. It's no different than any other HIPS.
To harden the HIPS, you can add block rules for script interpreters, command line utilities, etc.
If you don't want a total block for a certain process, such as cmd.exe, you can set it to alert.
 

SHvFl

At least some people will still use the real desktop to launch programs within the real user profile. If they do that, the HIPS will be the only ReHIPS module protecting the desktop. There are ways to bypass that HIPS. It's no different than any other HIPS.

That's the value of combining AppGuard with ReHIPS. AppGuard will block execution in the unlikely event of a HIPS bypass or some malc0der targets ReHIPS or any of a bunch of other bad scenarios.

What's the likelihood ? - probably a fraction of a percent. I think a very small fraction of a percent.

It would be very difficult to infect the real system using an AppGuard + ReHIPS combo. The most likely case would be a comedy of errors on the user's part.
I agree with what you said, but a user mistake is always possible. AppGuard and ReHIPS sure minimize it, though, and only disabling them can get you infected.
 

509322

What would be the most common HIPS bypass, besides interpreters? (Let's assume the user wisely chose "block" at the first prompt he sees.)

There is no common one. There are various ones. You can find them on the net by searching for "HIPS bypass."

Since ReHIPS is basically an anti-executable HIPS, any bypass would very likely be the result of someone targeting the HIPS functionality.

If the user selects block, then there should be no problem. If the user selects allow, then there is a run sequence and anything is possible, such as a hollow process.

We are talking hypotheticals and theoreticals here. It isn't something to fret over.

When in doubt, always block, block, block...
 

shmu26

If the user selects block, then there should be no problem.
So that's why I think ReHIPS really should keep the user safe, even if he runs some of his apps un-isolated.
But the browser should be isolated, or at least should be run in a Windows 10 AppContainer (Edge, or Chrome with the flag for "AppContainer lockdown" enabled), and of course the user needs to pay attention to alerts and try not to shoot himself in the foot.
 