AppGuard - Have you tried this program?

Status
Not open for further replies.

XhenEd

Level 28
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 1, 2014
1,708
Is AppGuardSetup-4-4-6-1 the last 4.XX release?

I think I will try AppGuard again after a long time.

Is there a best practice user guide out there as to what to whitelist?
Yes, that version is the last version of AG 4. But I'm actually hoping that it is not. :D

If you want the best protection, provided you know what to do when it blocks something legitimate, then I suggest the "hardened xml" of Jeff. Or you can just use Lockdown mode.

You can also just use its default settings, as there's no need to whitelist things manually (putting them into Power Apps), unless it's necessary to do so.

Of course, you may want to add to Guarded Apps all your internet-facing programs.
 

509322

Is AppGuardSetup-4-4-6-1 the last 4.XX release?

I think I will try AppGuard again after a long time.

Is there a best practice user guide out there as to what to whitelist?

The way AppGuard works, System Space is whitelisted and User Space is blacklisted.

AppGuard best practice:

1. Clean install the OS
2. Install desired software
3. Install AppGuard and enable protections
4. The user can create exceptions for User Space launches if they so wish

This is the procedure that should be followed when installing any security software. It is fundamental to start with a clean system.
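A small model of the launch policy described above (System Space whitelisted, User Space blacklisted, user-created exceptions for User Space launches), added here as an illustration; it is not AppGuard's own code or its published rule set. The directory roots, the treatment of user-writable folders under C:\Windows as User Space, the function names and the sample paths are assumptions of this example. It goes one step beyond the post by normalizing paths before comparing them, which is where a location-based default-deny policy usually gets bypassed.

```python
import ntpath

# Roots treated as System Space. The post only says System Space is whitelisted
# and User Space blacklisted; this concrete list is an assumption of the example,
# not AppGuard's published policy.
SYSTEM_SPACE_ROOTS = (
    r"c:\windows",
    r"c:\program files",
    r"c:\program files (x86)",
)

# Folders under C:\Windows that a standard user can write to. Treating them as
# User Space goes beyond the post; it is the refinement a default-deny launch
# policy needs, otherwise a dropper written there would launch as System Space.
# Also an assumption of this example.
USER_WRITABLE_UNDER_SYSTEM_ROOTS = (
    r"c:\windows\temp",
    r"c:\windows\tasks",
    r"c:\windows\tracing",
)


def normalize(path):
    """Canonical form for comparison: Windows separators, '..' collapsed,
    lower-cased (NTFS paths are case-insensitive)."""
    return ntpath.normpath(path).lower()


def _under(path, root):
    return path == root or path.startswith(root + "\\")


def space_of(path):
    """'system' for a launch from a System Space root, 'user' for everything
    else: user profile, removable media, UNC shares, user-writable system folders."""
    p = normalize(path)
    if any(_under(p, r) for r in USER_WRITABLE_UNDER_SYSTEM_ROOTS):
        return "user"
    if any(_under(p, r) for r in SYSTEM_SPACE_ROOTS):
        return "system"
    return "user"


def launch_decision(path, exceptions=()):
    """System Space launches are allowed. User Space launches are blocked
    unless the user listed that exact (normalized) path as an exception,
    which is step 4 of the procedure in the post."""
    p = normalize(path)
    if space_of(p) == "system":
        return "allow"
    if p in {normalize(e) for e in exceptions}:
        return "allow"
    return "block"


if __name__ == "__main__":
    # Constructed sample paths; the HP file name is hypothetical.
    for candidate in (
        r"C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSF.exe",
        r"C:\Users\Bob\Downloads\setup.exe",
        r"C:\Program Files\..\Users\Bob\evil.exe",   # traversal dressed up as System Space
        r"C:\Windows\Temp\dropper.exe",
        r"\\fileserver\share\tool.exe",
    ):
        print(f"{launch_decision(candidate):5}  {candidate}")
```

The normalization step is the point: a policy that compares raw strings would let `C:\Program Files\..\Users\Bob\evil.exe` through as System Space, and an exception list that is not normalized would miss `C:/Users/Bob/Downloads/SETUP.EXE` while matching the same file spelled differently.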
 

509322

Yes, that version is the last version of AG 4. But I'm actually hoping that it is not. :D

If you want the best protection, provided you know what to do when it blocks something legitimate, then I suggest the "hardened xml" of Jeff. Or you can just use Lockdown mode.

You can also just use its default settings, as there's no need to whitelist things manually (putting them into Power Apps), unless it's necessary to do so.

Of course, you may want to add to Guarded Apps all your internet-facing programs.

The hardened xml is no longer publicly available; users will have to harden AppGuard manually, if they so wish, using the vulnerable process lists available here at MT and over at Wilders.
 

XhenEd
@Lockdown

Is it okay to include HP Support Assistant modules, or maybe the HP Support Assistant itself, in AppGuard's Guarded Apps list? I noticed that Kaspersky's TAM includes some of the modules in the Control Created Programs folder. So, that means Kaspersky monitors the modules' behavior.

The HP Support Assistant modules included in KL's TAM are: Detect_AntivirusDefenderA, Detect_AntivirusDefenderB, Detect_AntivirusNoAV_A, Detect_PIPMessage, Detect_WelcomeHPSAv8.
 

509322

@Lockdown

Is it okay to include HP Support Assistant modules, or maybe the HP Support Assistant itself, in AppGuard's Guarded Apps list? I noticed that Kaspersky's TAM includes some of the modules in the Control Created Programs folder. So, that means Kaspersky monitors the modules' behavior.

The HP Support Assistant modules included in KL's TAM are: Detect_AntivirusDefenderA, Detect_AntivirusDefenderB, Detect_AntivirusNoAV_A, Detect_PIPMessage, Detect_WelcomeHPSAv8.

Based upon the module descriptions, it looks like Windows Defender detection, no-AV detection, detection of a PIP app (?), and detection of the HP Welcome Support Assistant app. I would reasonably expect no problems created by adding these to the Guarded Apps list, but you just never know until you try.

It's OK. If something breaks, look at what has been blocked in the Activity Report and just remove it from the Guarded Apps list.

Vulnerabilities in these OEM utilities are not unheard of. Toshiba had to patch one due to a vulnerability that permitted escalation of privilege. It was patched before it was ever exploited. The exploit risk is very low, but nevertheless vulnerabilities can be present.
 

XhenEd
Based upon the module descriptions, it looks like Windows Defender detection, no-AV detection, detection of a PIP app (?), and detection of the HP Welcome Support Assistant app. I would reasonably expect no problems created by adding these to the Guarded Apps list, but you just never know until you try.

It's OK. If something breaks, look at what has been blocked in the Activity Report and just remove it from the Guarded Apps list.

Vulnerabilities in these OEM utilities are not unheard of. Toshiba had to patch one due to a vulnerability that permitted escalation of privilege. It was patched before it was ever exploited. The exploit risk is very low, but nevertheless vulnerabilities can be present.
Thanks, Jeff!

I'll add them. I'll look out for anything unusual. :)
 

XhenEd
I manually checked for updates, and I got these block messages.

02/02/17 16:37:33 Prevented <Detect_PIPMessage> from writing to <\registry\user\.default\software\microsoft\windows\currentversion\internet settings\zonemap>.
02/02/17 16:37:33 Prevented <Detect_PIPMessage> from writing to memory of <HP Support Assistant>.
02/02/17 16:37:33 Prevented process <Detect_PIPMessage> from writing to <c:\program files (x86)\hewlett-packard\hp support solutions\modules\activecheck\product_line\a2output32.xml>.
02/02/17 16:37:00 Prevented process <Detect_AntiVirusDefenderA> from writing to <c:\program files (x86)\hewlett-packard\hp support solutions\modules\activecheck\product_line\a2output9.xml>.
02/02/17 16:37:00 Prevented <Detect_AntiVirusDefenderA> from writing to memory of <HP Support Assistant>.
02/02/17 16:37:00 Prevented <Detect_AntiVirusDefenderA> from writing to <\registry\user\.default\software\classes\local settings\muicache\7e\52c64b7e>.
02/02/17 16:35:30 Prevented process <Detect_PIPMessage> from writing to <c:\program files (x86)\hewlett-packard\hp support solutions\modules\activecheck\product_line\a2output32.xml>.
02/02/17 16:35:30 Prevented <Detect_PIPMessage> from writing to memory of <HP Support Assistant>.
02/02/17 16:35:30 Prevented <Detect_PIPMessage> from writing to <\registry\user\.default\software\microsoft\windows\currentversion\internet settings\zonemap>.
02/02/17 16:35:26 Prevented process <Detect_AntiVirusDefenderA> from writing to <c:\program files (x86)\hewlett-packard\hp support solutions\modules\activecheck\product_line\a2output9.xml>.
02/02/17 16:35:26 Prevented <Detect_AntiVirusDefenderA> from writing to memory of <HP Support Assistant>.
02/02/17 16:35:26 Prevented <Detect_AntiVirusDefenderA> from writing to <\registry\user\.default\software\classes\local settings\muicache\7e\52c64b7e>.

I hope they're benign. The HP Support Assistant didn't show any errors or failures.
 

509322

I manually checked for updates, and I got these block messages.

02/02/17 16:37:33 Prevented <Detect_PIPMessage> from writing to <\registry\user\.default\software\microsoft\windows\currentversion\internet settings\zonemap>.
02/02/17 16:37:33 Prevented <Detect_PIPMessage> from writing to memory of <HP Support Assistant>.
02/02/17 16:37:33 Prevented process <Detect_PIPMessage> from writing to <c:\program files (x86)\hewlett-packard\hp support solutions\modules\activecheck\product_line\a2output32.xml>.
02/02/17 16:37:00 Prevented process <Detect_AntiVirusDefenderA> from writing to <c:\program files (x86)\hewlett-packard\hp support solutions\modules\activecheck\product_line\a2output9.xml>.
02/02/17 16:37:00 Prevented <Detect_AntiVirusDefenderA> from writing to memory of <HP Support Assistant>.
02/02/17 16:37:00 Prevented <Detect_AntiVirusDefenderA> from writing to <\registry\user\.default\software\classes\local settings\muicache\7e\52c64b7e>.
02/02/17 16:35:30 Prevented process <Detect_PIPMessage> from writing to <c:\program files (x86)\hewlett-packard\hp support solutions\modules\activecheck\product_line\a2output32.xml>.
02/02/17 16:35:30 Prevented <Detect_PIPMessage> from writing to memory of <HP Support Assistant>.
02/02/17 16:35:30 Prevented <Detect_PIPMessage> from writing to <\registry\user\.default\software\microsoft\windows\currentversion\internet settings\zonemap>.
02/02/17 16:35:26 Prevented process <Detect_AntiVirusDefenderA> from writing to <c:\program files (x86)\hewlett-packard\hp support solutions\modules\activecheck\product_line\a2output9.xml>.
02/02/17 16:35:26 Prevented <Detect_AntiVirusDefenderA> from writing to memory of <HP Support Assistant>.
02/02/17 16:35:26 Prevented <Detect_AntiVirusDefenderA> from writing to <\registry\user\.default\software\classes\local settings\muicache\7e\52c64b7e>.

I hope they're benign.

Good grief, man! ... What did you do?!!! You have 60 seconds before your system will self-destruct! Run!

Get out your tin foil hat, put it on, and duck... and cover.

All joking aside, here is something that will help you to analyze the Activity Report:

Don't read too much into Activity Report block events for writes to \registry, read\write to memory, writes to *.xml, writes to log\dat files and exotic file types, etc. You don't have to doubt or second-guess such block events unless something is obviously broken, like a program that won't check for updates or an update that fails.
 

XhenEd
Good grief, man! ... What did you do?!!! You have 60 seconds before your system will self-destruct! Run!

Get out your tin foil hat, put it on, and duck... and cover.

All joking aside, here is something that will help you to analyze the Activity Report:

Don't read too much into Activity Report block events for writes to \registry, read\write to memory, writes to *.xml, writes to log\dat files and exotic file types, etc. You don't have to doubt or second-guess such block events unless something is obviously broken, like a program that won't check for updates or an update that fails.
:D

Thanks! It's maybe fine (not broken) since it didn't show any errors or failures. :)
 

509322

:D

Thanks! It's maybe fine (not broken) since it didn't show any errors or failures. :)

It is rare for blocks to \registry, xml, dat, log and other file types, or blocks of memory read\write, to break something. I have only seen it happen in a single case: a blocked write to a registry key broke something. So you can rest easy; breakages like this are almost non-existent.
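A parser and triage helper for the Activity Report lines posted above, applying the rule Jeff gives in the two replies: blocks on \registry, on memory read\write and on xml/dat/log writes are low concern unless something visibly breaks, and anything outside those classes deserves a look. This is an added example, not an AppGuard tool or anything from its vendor. The twelve log lines are copied from XhenEd's post; the last line, a blocked write to a hypothetical hpsa.exe under the same HP folder, is constructed to show an event the triage would flag. The regex for the line format, the category names and the executable-extension list are assumptions of this example.

```python
import ntpath
import re
from collections import Counter

# Twelve lines copied from the post above, plus one constructed line (the last,
# a write to a hypothetical executable) that falls outside the benign classes.
SAMPLE_REPORT = r"""
02/02/17 16:37:33 Prevented <Detect_PIPMessage> from writing to <\registry\user\.default\software\microsoft\windows\currentversion\internet settings\zonemap>.
02/02/17 16:37:33 Prevented <Detect_PIPMessage> from writing to memory of <HP Support Assistant>.
02/02/17 16:37:33 Prevented process <Detect_PIPMessage> from writing to <c:\program files (x86)\hewlett-packard\hp support solutions\modules\activecheck\product_line\a2output32.xml>.
02/02/17 16:37:00 Prevented process <Detect_AntiVirusDefenderA> from writing to <c:\program files (x86)\hewlett-packard\hp support solutions\modules\activecheck\product_line\a2output9.xml>.
02/02/17 16:37:00 Prevented <Detect_AntiVirusDefenderA> from writing to memory of <HP Support Assistant>.
02/02/17 16:37:00 Prevented <Detect_AntiVirusDefenderA> from writing to <\registry\user\.default\software\classes\local settings\muicache\7e\52c64b7e>.
02/02/17 16:35:30 Prevented process <Detect_PIPMessage> from writing to <c:\program files (x86)\hewlett-packard\hp support solutions\modules\activecheck\product_line\a2output32.xml>.
02/02/17 16:35:30 Prevented <Detect_PIPMessage> from writing to memory of <HP Support Assistant>.
02/02/17 16:35:30 Prevented <Detect_PIPMessage> from writing to <\registry\user\.default\software\microsoft\windows\currentversion\internet settings\zonemap>.
02/02/17 16:35:26 Prevented process <Detect_AntiVirusDefenderA> from writing to <c:\program files (x86)\hewlett-packard\hp support solutions\modules\activecheck\product_line\a2output9.xml>.
02/02/17 16:35:26 Prevented <Detect_AntiVirusDefenderA> from writing to memory of <HP Support Assistant>.
02/02/17 16:35:26 Prevented <Detect_AntiVirusDefenderA> from writing to <\registry\user\.default\software\classes\local settings\muicache\7e\52c64b7e>.
02/02/17 16:38:01 Prevented process <Detect_PIPMessage> from writing to <c:\program files (x86)\hewlett-packard\hp support solutions\hpsa.exe>.
"""

# Line shape inferred from the posted report (assumption): timestamp, optional
# "process", <source>, "from writing to", optional "memory of", <target>, ".".
EVENT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d/\d\d \d\d:\d\d:\d\d) Prevented (?:process )?<(?P<proc>[^>]+)>"
    r" from writing to (?P<memory>memory of )?<(?P<target>[^>]+)>\.$"
)

LOW_CONCERN_EXT = {".xml", ".dat", ".log"}   # file types Jeff names as normally harmless to block
EXECUTABLE_EXT = {".exe", ".dll", ".sys", ".ocx", ".scr", ".ps1", ".bat", ".cmd", ".vbs", ".js"}  # assumption
BENIGN_CLASSES = {"memory", "registry", "data_file"}


def classify_target(memory, target):
    """Bucket a blocked write by what it targeted."""
    if memory:
        return "memory"
    t = target.lower()
    if t.startswith("\\registry\\"):
        return "registry"
    ext = ntpath.splitext(t)[1]
    if ext in LOW_CONCERN_EXT:
        return "data_file"
    if ext in EXECUTABLE_EXT:
        return "executable"
    return "other_file"


def parse_report(text):
    """Return (events, unparsed_lines); each event is a dict with ts, proc,
    memory (bool), target and category."""
    events, unparsed = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = EVENT_RE.match(line)
        if not m:
            unparsed.append(line)
            continue
        ev = m.groupdict()
        ev["memory"] = bool(ev["memory"])
        ev["category"] = classify_target(ev["memory"], ev["target"])
        events.append(ev)
    return events, unparsed


def triage(events):
    """Counts per (process, category) plus the events worth a closer look."""
    counts = Counter((e["proc"], e["category"]) for e in events)
    review = [e for e in events if e["category"] not in BENIGN_CLASSES]
    return {"counts": counts, "review": review}


if __name__ == "__main__":
    events, unparsed = parse_report(SAMPLE_REPORT)
    summary = triage(events)
    for (proc, cat), n in sorted(summary["counts"].items()):
        print(f"{proc:28} {cat:12} {n}")
    for e in summary["review"]:
        print("REVIEW:", e["ts"], e["proc"], "->", e["target"])
    for line in unparsed:
        print("UNPARSED:", line)
```

Run against the posted report, everything XhenEd saw lands in the registry, memory and data_file buckets, which is the "rest easy unless something is broken" case; only the constructed write to an executable is surfaced for review. Lines that do not match the expected shape are kept rather than dropped, so a format change in a newer AppGuard build shows up as unparsed output instead of silently vanishing.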
 

erreale

Level 9
Verified
Content Creator
Malware Hunter
Well-known
Oct 22, 2016
409
Sorry for the question ... but does AppGuard exist in a trial version? On their website, I can't find information about it.
 