Appguard Review

Discussion in 'AppGuard (Blue Ridge Networks)' started by Umbra, May 1, 2017.

  1. Lockdown

    Lockdown From AppGuard
    Developer

    Oct 24, 2016
    2,705
    11,843
    AppGuard LLC Virginia, U.S.
    They are not going to tell you anything different than what I am saying. In fact, I am the one that informs and advises Support on these type issues.
     
    ZeroDay, TerrakionSmash and askmark like this.
  2. Lockdown

    You mean a clean install of the OS and the entire system including non-system drives?
     
  3. Lockdown

    #103 Lockdown, May 20, 2017
    Last edited: May 20, 2017
    Group Policy can cause weirdness too - but I have never seen it cause the policy error.

    Group Policy can cause unexpected install\uninstall and function issues. It is difficult to diagnose Group Policy issues as they seem to be system specific; I have never identified any general trends with Group Policy that cause AppGuard issues. Also, I have never seen the Group Policy defaults cause problems with AppGuard. It still is possible - especially if policies have been changed from their defaults.
     
    Umbra likes this.
  4. Lockdown

    #104 Lockdown, May 20, 2017
    Last edited: May 20, 2017
    @ParaXY
    @Umbra

    It has only been established that characters in a file path on a non-system partition\drive will cause the policy error.

    All of the below are file paths with symbol characters created on the System drive and none have - to my knowledge - ever caused an AppGuard policy error.

    On Windows 10 CU these file paths are created:
    • C:\Users\User\Favorites\Movies, Videos & TV (As a part of troubleshooting the policy error I would eliminate the "&" character in this file path)
    • C:\Users\User\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!??? where ? = wildcard for individual numbers
    * * * * *
    • There is a large number of file paths with the "#" character in it - most notably .NET Framework

    example,

    C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.*# where * = wildcard for all numbers

    • There is a large number of file paths with the "-" and "_" character in it - most notably WinSxS

    example,

    C:\Windows\WinSxS\amd64_c_hdc.inf.resources_31bf3856ad364e35_10.0.15063.0_en-us_5085ebedc393d4cc

    • Then there are the hidden, non-accessible file paths with the "$" character

    example,

    C:\$Extend\$RmMetadata

    • There are only a couple of file paths with the "%" character in it

    example,

    C:\Users\User\AppData\Roaming\Microsoft\Word\AppGuard%20Enterprise%20Folder%20Maps305882162702476631

    • There are file paths with the "(" and ")" characters in them

    example,

    C:\Program Files (x86)\Intel\Intel(R) Processor Graphics

    • There are usually only a very few file paths with the "+" character in it

    example,

    C:\Users\User\AppData\Local\Microsoft\Office\16.0\Wef\{EDDF5CCA-76A7-4076-9BEB-7BF04E507BA2}\Omex\Qxcohx+CWETDnICWSgcWrw==

    • There are some file paths with the "=" in it

    example,

    C:\ProgramData\Microsoft\VisualStudio\Packages\Microsoft.VisualStudio.Component.CoreEditor,version=15.0.26208.0

    • There are some file paths with the "~" character in it

    example,

    C:\ProgramData\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsMaps_2017.317.1503.0_neutral_~_8wekyb3d8bbwe

    • There are some file paths with the "," character in it

    example,

    C:\ProgramData\Microsoft\VisualStudio\Packages\Microsoft.VisualStudio.Component.CoreEditor,version=15.0.26208.0

    • There are file paths with the "{" and "}" characters in it

    example,

    C:\Users\User\AppData\Local\Microsoft\Office\16.0\Wef\{EDDF5CCA-76A7-4076-9BEB-7BF04E507BA2}

    • These characters will not be found in file paths - ` - ; - " - ' - < - < - * - ? - / - | - [ - ] as they are disallowed by Windows
     
    Andy Ful and Umbra like this.
  5. ParaXY

    ParaXY Level 4

    Mar 14, 2017
    188
    305
    CI
    @Lockdown: Thanks for taking the time on a weekend to respond to my issues!

    Before I proceed with doing anything, am I correct in saying that I am searching for the & character in FOLDERS only and on NON system drives only? i.e. I can ignore folder names on the boot drive?

    I just did a search on my D: drive using the following:

    Code:
    ~=&
    
    And this brought back a list of all files and folders with the & in it. Do I just rename the folders and ignore the files? Is it just the folders that contain an & that cause an issue with AppGuard? i.e. filenames with & are ok?
     
  6. Umbra

    Umbra From Emsisoft
    Developer

    May 16, 2011
    17,163
    29,641
    Community manager
    Vietnam & France
    Windows 10
    Emsisoft
    normally

    Try the 1st method (only rename folders); if still problematic, try with the files.
     
  7. Lockdown

    I would first just look at file paths on non-system drives and partitions for non-letter and non-number characters.

    First, just rename the folders. Folders with & in their name have been confirmed as a cause of the policy error that you have reported.

    Troubleshooting these type issues is a process of elimination.
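
    The check described above, as an added example that is not part of the original posts: a read-only PowerShell scan that lists folders on non-system fixed drives whose names contain non-letter, non-number characters, with "&" folders sorted first. Treating space, ".", "-" and "_" as ordinary characters is an assumption made here to keep the list short, and the function names are hypothetical.

```powershell
# Added example (not from the thread). Read-only: nothing is renamed or deleted.
# Assumption: space, '.', '-' and '_' are treated as ordinary; everything else
# that is not a letter or digit is reported.
$unusual = '[^\p{L}\p{Nd} ._-]'

function Get-UnusualFolders {
    param([string[]]$Root)
    foreach ($r in $Root) {
        Get-ChildItem -LiteralPath $r -Directory -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -match $unusual } |
            ForEach-Object {
                $dir   = $_
                # Collect the distinct offending characters in this folder name.
                $chars = [regex]::Matches($dir.Name, $unusual) |
                    ForEach-Object { $_.Value } | Sort-Object -Unique
                [pscustomobject]@{
                    HasAmpersand = $dir.Name.Contains('&')
                    Characters   = $chars -join ' '
                    Path         = $dir.FullName
                }
            }
    }
}

# Fixed local disks (DriveType 3) other than the system drive.
$roots = Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 3' |
    Where-Object { $_.DeviceID -ne $env:SystemDrive } |
    ForEach-Object { $_.DeviceID + '\' }

# Folders with '&' (the confirmed cause) are listed first.
Get-UnusualFolders -Root $roots |
    Sort-Object -Property HasAmpersand -Descending |
    Format-Table -AutoSize
```

    Run it from an elevated prompt so that folders the current user cannot read are not silently skipped.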
     
  8. ParaXY

    Ok, renaming the folders on my non-system drives with & in it didn't work. I even went one step further and disconnected the two data drives from Windows that contained folders with & in them and rebooted and AppGuard is still throwing the same errors when I change settings/slider.

    So I'm assuming it's not the folder names and has to be something else.

    What else can I check?
     
  9. Umbra

    - Do you have RAMdisks? If yes, disconnect them.
    - Any reg tweaks you did? Can you unload them?
    - AppGuard was installed in admin account, right?

    I saw you have VM partitions? What are those exactly? Classic partitions with VM images in them or mounted VM images?
     
  10. ParaXY

    I don't have RAMdisks.

    Yes, lots of registry tweaks. Most of them are look and feel changes (like File Explorer). I've attached my registry tweaks as I keep them all in a single file. The one that caught my eye was:

    Code:
    ;Enable LSA Protection:
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
    "RunAsPPL"=dword:00000001
    
    I installed Appguard using my SUA account but was prompted for my admin credentials to continue the install.

    The V: drive just contains the VMware disk files for VMware Workstation. They aren't mounted and are only used when a VM is powered on.

    I looked at the Event Viewer entries for AppGuard and they didn't tell me much (they were all informational). Does AppGuard have a more useful/detailed log somewhere that can assist with the troubleshooting?
     

    askmark likes this.
  11. Umbra

    #111 Umbra, May 21, 2017
    Last edited: May 21, 2017
    Try to disable it.

    Install AG under the admin account first because users are separated. The settings you make in one aren't transferred to another. I never installed AG under SUA.

    So uninstall AG from SUA, reboot, install it under the Admin account.

    It is not good practice to install from SUA; SUA is made for daily tasks.
     
  12. Lockdown

    @ParaXY

    AppGuard must be installed in an Administrator account.

    When you sign-in to a SUA account you will have to create a separate policy.

    Policies are separate for each User Profile.

    A lot of registry tweaks is a problem. You might have to backtrack every single one of the registry tweaks if installing in an Administrator account does not fix the issue.

    There are no other AppGuard logs other than those in the Event Viewer. Our logging only shows AppGuard events. You will find Windows logging in SYSTEM.

    I can tell you right now - when registry tweaks are involved - if the problem persists, then support is going to tell you to clean install the OS. In the case of persistent problems, your best bet to resolve issues is to always clean install the OS.
     
    TerrakionSmash likes this.
  13. Umbra

    I said that to him :D
     
  14. askmark

    askmark Level 11

    Aug 31, 2016
    512
    4,201
    united kingdom
    Windows 10
    Default-Deny
    You could try this... has worked for me in the past when tracking down elusive registry key or file permission issues.
     
    Umbra likes this.
  15. Lockdown

    #115 Lockdown, May 21, 2017
    Last edited: May 21, 2017
    I saw it. I can't force anybody to do a clean install. At the same time, neither I nor support are going to spend any time troubleshooting modified\tweaked Windows. Troubleshooting on a system with Windows tweaks is the responsibility of the user.

    Anything that modifies user and\or file system permissions can create issues that are very difficult to troubleshoot.
     
    Andy Ful, TerrakionSmash and askmark like this.
  16. Lockdown

    And who has not experienced this one before? You make tweaks to the OS, at some later point they seem to be causing a problem, you then spend hours undoing those tweaks, reboot the system, and the problem still persists after you undo the tweaks...

    In the end you clean install the OS and that fixes the problem.
     
    TerrakionSmash, shmu26 and Umbra like this.
  17. Peter2150

    Peter2150 Level 6

    Oct 24, 2015
    280
    810
    Washington DC
    Windows 7
    Emsisoft
    Hi Para

    In reading through this thread I noticed you said you disabled Applocker. If you can you should try uninstalling it. I have found with security program conflicts disabling doesn't help. Drivers can still be active and cause issues.
     
    Andy Ful and shmu26 like this.
  18. ParaXY

    Thanks for all the replies everyone.

    So I uninstalled (again), rebooted and this time logged in as the admin account and installed AppGuard. Same behaviour, errors whenever changing anything in AppGuard.

    Before even considering a rebuild, I am running Windows 10 Enterprise Creators Update (Build 1703), is this an issue since it was only released a few weeks ago?

    Also, I use BitLocker on all my drives with ReFS, is this an issue? The boot drive uses NTFS.

    I also use Secure Boot in UEFI.

    You can't uninstall AppLocker but you can remove all the rules and disable the service which is what I have done.

    I did have a quick look in ProcMon but I almost never use this tool so may need some guidance on how to use this to troubleshoot this issue!
     
  19. Lockdown

    @ParaXY

    Please read this support policy: AppGuard 4.x 32/64 Bit

    I really can't give you a definitive answer on Win 10 Enterprise CU (1703).

    There are no known incompatibilities between BitLocker and AppGuard. However, with BitLocker anything is possible.

    I recommend a clean uninstall of AppGuard. After uninstalling it do the following in both the Admin and SUA accounts\user profiles:

    1. Search for Blue Ridge Networks using UltraSearch or Search Everything

    Any folders that are found, delete them

    There should be folders for C:\Program Files (x86), C:\ProgramData, and C:\Users\User\AppData\Roaming

    2. Search for AppGuard using UltraSearch or Search Everything

    Any AppGuard objects that are found, delete them

    There should be prefetch items

    3. Search for brnfilelock.sys

    Delete it

    4. Reboot the system

    5. Perform a registry clean-up using CCleaner or equivalent

    6. Reboot the system

    7. Reinstall AppGuard
     
    Andy Ful and TerrakionSmash like this.
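
    Steps 1 to 3 of the clean-uninstall procedure above, as an added example that is not part of the original post: a PowerShell inventory that reports leftover items without deleting anything, covering every user profile in one elevated run. The function name is hypothetical, and the driver directory and the one-level-deep folder search are assumptions, since the post does not say where brnfilelock.sys lives.

```powershell
# Added example (not from the thread). Reports leftovers only; deletion is left
# to the operator after reviewing the list.
function Find-AppGuardLeftovers {
    param(
        [string[]]$FolderRoots,
        [string]$PrefetchDir = (Join-Path $env:SystemRoot 'Prefetch'),
        # Assumption: the post names the driver but not its location.
        [string]$DriverDir   = (Join-Path $env:SystemRoot 'System32\drivers')
    )
    # Step 1: "Blue Ridge Networks" folders directly under each root.
    foreach ($root in $FolderRoots) {
        Get-ChildItem -LiteralPath $root -Directory -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -eq 'Blue Ridge Networks' } |
            ForEach-Object { [pscustomobject]@{ Step = 1; Kind = 'Folder'; Path = $_.FullName } }
    }
    # Step 2: AppGuard prefetch items.
    Get-ChildItem -LiteralPath $PrefetchDir -Filter '*AppGuard*' -File -ErrorAction SilentlyContinue |
        ForEach-Object { [pscustomobject]@{ Step = 2; Kind = 'Prefetch'; Path = $_.FullName } }
    # Step 3: the brnfilelock.sys driver file.
    $driver = Join-Path $DriverDir 'brnfilelock.sys'
    if (Test-Path -LiteralPath $driver) {
        [pscustomobject]@{ Step = 3; Kind = 'Driver'; Path = $driver }
    }
}

# Roots named in the post: Program Files (x86), ProgramData, and AppData\Roaming
# for every profile (Admin and SUA alike).
$roots = @(${env:ProgramFiles(x86)}, $env:ProgramData)
$roots += Get-ChildItem -LiteralPath (Join-Path $env:SystemDrive 'Users') -Directory -ErrorAction SilentlyContinue |
    ForEach-Object { Join-Path $_.FullName 'AppData\Roaming' }
$roots = $roots | Where-Object { $_ -and (Test-Path -LiteralPath $_) }

Find-AppGuardLeftovers -FolderRoots $roots | Format-Table -AutoSize
```

    An empty result after step 4's reboot means steps 1 to 3 found nothing left to remove in the locations checked.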
  20. ParaXY

    I read your support policy. Not sure what you're hinting at but are you saying my version of Windows isn't legitimately activated:

    That means if you install a Windows image that has not been paid for and activated using the official activation method designated by Microsoft for that image, and you then install AppGuard on that Windows image, that AppGuard installation will be unsupported by AppGuard LLC\Blue Ridge Networks.

    Anyway, yes this Windows "image" is activated using the official method. I work for a Microsoft Gold partner so that is how I have an Enterprise license.

    I uninstalled AppGuard from my physical PC and have installed AppGuard successfully in a VM. The VM is running Windows 10 Enterprise Creators Edition 1703, has a BitLocker-enabled ReFS partition and, most importantly, I have run my registry customisation batch file on the VM and I can still change AppGuard's slider/settings without any errors prompting me. Obviously there are still many differences between the VM and my physical PC (like other apps installed and the data drives) but it does prove that all my tweaks of the OS work.

    Ok, I am going to try what you mentioned and report back.

    Thanks for the help and assistance.

    Stay tuned!
     
    Andy Ful likes this.