Advice Request: AppGuard v6 lock down anomaly?


simmerskool

Thread author
I ran a portable app today that is located in its own folder directly on c:\appfolder\app.exe
Also this app is not microsoft and does not have a digital signature. Am I correct that this location is considered "user space?" This app is not on Publisher List. AG manual says user space "scripts and unsigned applications are not allowed to execute at all." p.13. AG was "locked down." This app.exe was never added to "Guarded Apps." I've made no edits to default Registry Exceptions tab. I never added this app.exe as a Power App in the Advanced tab. QUESTION: how did this app.exe execute when AG was set to Locked Down? I did find one thing I do not understand. I searched the system for "app.exe" and found the app in the above mentioned location, but also found c:\windows\prefetch\app.exe-5294A381.pf
I'm not familiar with prefetch for an exe, any chance this is some sort of bypass to AG? Or perhaps my understanding of user space needs more research.
The simple and direct question is, should this user space unsigned app.exe execute with AG in Locked Down? Did AG fail by allowing this app.exe to run? Or if it did not fail, what am I misunderstanding??
 

Zero Knowledge

QUESTION: how did this app.exe execute when AG was set to Locked Down?
Is the app signed but not by MS? Or is it just not signed at all? Can you post the full path/exe information?

If it is signed by AppGuard or someone else in the trusted list, then it would be allowed because of course it's in the trusted publisher list.

Otherwise AppGuard files may be trusted by some internal mechanism, I will have to check.
 

simmerskool

Thread author
Is the app signed but not by MS? Or is it just not signed at all? Can you post the full path/exe information?

If it is signed by AppGuard or someone else in the trusted list, then it would be allowed because of course it's in the trusted publisher list.

Otherwise AppGuard files may be trusted by some internal mechanism, I will have to check.
The file is NOT signed -- has no digital signature. the path to the file is
c:\nameofappfolder\app.exe
however, I have not provided the specific name of the file on purpose. It is NOT a security app. Not sure what you mean by "signed by AppGuard?" You mean in AG publisher's list? No, it isn't. This is not any kind of a system file, so I have no idea why AG would have some internal mechanism to trust this file. I looked at default entries, not there, and it was never trusted by me as user. ??
 

Zero Knowledge

portable app today that is located in its own folder
Ah OK, this may be the reason. I will have to install AppGuard and check if this is the culprit. For some reason it may not consider portable a user space app.

Nice find simmerskool, you may have found a weakness in AppGuard, aka portable apps run from the C:\ path. It's weird because in Lockdown mode it should be blocked if I understand AppGuard correctly, but it's a hard program to really understand 100%, so I will have to check myself and get back to you.
 

simmerskool

Thread author
Ah OK, this may be the reason. I will have to install AppGuard and check if this is the culprit. For some reason it may not consider portable a user space app.
I double checked and my memory had faded as this app was installed some time ago, but I see it has an update, and it is a setup installer exe, so when it originally installed it installed itself directly into c:\root, so it's not portable. I'm going to uninstall the current version and install the new version, and hopefully the install will give me the option to install it into \program files.
And golly, even though ESET is my AV and I used FF to DL the file, it seems that Defender MOTW is blocking the install. So this will be a process. I still think it was ODD for AG not to block it, so I sent an email to AG support; curious to see if they reply. Thanks, appreciate your comments. Will update.
 

simmerskool

Thread author
Ah OK now I understand. It's odd, in Lockdown mode it should be blocked if it's not in the trusted app list.

I hope you get a reply, they don't seem to care about home users.
I ended up uninstalling the c:\root unsigned app that seemingly bypassed AG. I think the file is legit, not malware, but... could not get a totally clean report. VT = 1 AV flagged it as a malicious trojan; the Intezer sandbox said it had so much unique code they could not decide if malware or clean. Their designation was "unique code". I have other apps that give me the same data without anomalies. That got me started and I uninstalled 4 other not needed apps. Another happy ending o_O (we'll see what support says, if anything)
 

simmerskool

Thread author
Update: AG support replied: but I had not included my license number so they wanted that before they email-chat. Just replied with the license... Encouraging their timely initial reply!!
 

simmerskool

Thread author
I got a reply from AG support shortly after I provided my license no. So AG support seems responsive to help question emails. The premise of my question was wrong! Support says:

"It is NOT user space in location "C:\appxxx\"
This is System Space which will allow the launch.
If you wanted to define a System Space location to the policy as User Space you
would add it to the User Space Policy and toggle to YES to include it in the User
Space Policy.
Default User Space locations
User profiles "C:\Users\Username\*"
C:\ProgramData\*
UserSpace allows write to folders but restricts launch
SystemSpace prevents Guarded Application writes but allow launch
More information is included in the built in help system with Solo."

Assuming the AG help pdf is correct and written clearly, then it's somewhat of a cross-wiring in my thinking. It happens o_O The "scary" part is I had the help file open and was reviewing it when I wrote the first post in this thread.
But I am still foggy: isn't the conclusion or implication of Support's email that any exe in the root directory ("system space") will run even if the exe is unsigned and not otherwise previously allowed?? Does that compute? Or do I continue to misread? Weekend plans: RE-READ the AG manual.

So the app I was running from c:\root SystemSpace was not a Guarded App, was unsigned, and AG prevented "writes" but allowed it to launch. So it could be I did run this app previously and had turned off read/write notifications, which is why I saw nothing in the AG Activity Log for this event. Certainly possible. This app did run and did display correct info onscreen, but apparently was blocked from writing anything to hdd/ssd. Just because I'm foggy... I still like AG (for now). I guess that any app that by default installs outside of \program files\ throws me a curve ball. o_O:unsure::rolleyes:
 
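The support reply above and the first post's prefetch question both come down to the same two checks: which AppGuard "space" a path falls into, and what evidence exists that an executable actually ran. The following PowerShell is an added example written for this thread; it is not AppGuard's code and not from any poster. It encodes only the two default user-space locations quoted by support (`C:\Users\*` and `C:\ProgramData\*`); any folder a user has toggled to YES is passed in through the hypothetical `-ExtraUserSpace` parameter, and the path `C:\appfolder\app.exe` is a placeholder standing in for the thread's undisclosed file. The prefetch part rests on a documented Windows behaviour: the Prefetcher writes `<NAME>-<HASH>.pf` into `C:\Windows\Prefetch` when an executable runs, so a `.pf` file is a record of past execution, not an execution path or a bypass.

```powershell
# Added example for this thread (not AppGuard code). Classifies a path against the
# user-space / system-space model described by AppGuard support and gathers the
# evidence a defender checks when an unexpected executable has launched.

function Get-AppGuardSpace {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string[]]$ExtraUserSpace = @()   # hypothetical: folders the user toggled to YES
    )
    # Default user-space prefixes quoted by AppGuard support in this thread.
    $userSpace = @("$env:SystemDrive\Users", $env:ProgramData) + $ExtraUserSpace
    $full = [System.IO.Path]::GetFullPath($Path)
    foreach ($prefix in $userSpace) {
        $p = $prefix.TrimEnd('\') + '\'
        if ($full.StartsWith($p, [System.StringComparison]::OrdinalIgnoreCase)) {
            return 'UserSpace'    # writes allowed, launch of unsigned code restricted
        }
    }
    return 'SystemSpace'          # launch allowed, Guarded Application writes prevented
}

function Get-ExecutableReport {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string[]]$ExtraUserSpace = @()
    )
    # Authenticode status tells you whether a publisher-list decision is even possible.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    # Mark-of-the-Web lives in the Zone.Identifier alternate data stream a browser writes.
    $motw = Get-Item -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    # Prefetch entries (reading C:\Windows\Prefetch normally needs an elevated shell).
    $name = [System.IO.Path]::GetFileName($Path)
    $prefetch = @(Get-ChildItem -Path "$env:SystemRoot\Prefetch" -Filter "$name-*.pf" `
                  -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        Path         = $Path
        Space        = Get-AppGuardSpace -Path $Path -ExtraUserSpace $ExtraUserSpace
        Signed       = ($sig.Status -eq 'Valid')
        Signer       = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        HasMotW      = [bool]$motw
        PrefetchHits = $prefetch.Count
        LastPrefetch = if ($prefetch.Count) {
                           ($prefetch | Sort-Object LastWriteTime -Descending)[0].LastWriteTime
                       } else { $null }
    }
}

# Audit: unsigned executables sitting in system-space folders near the drive root,
# i.e. the exact class of file that launched in the thread despite Locked Down.
function Find-UnsignedSystemSpaceExes {
    param(
        [string]$Root = "$env:SystemDrive\",
        [int]$Depth = 1,                      # 1 reaches C:\<folder>\app.exe
        [string[]]$ExtraUserSpace = @()
    )
    Get-ChildItem -Path $Root -Filter *.exe -Recurse -Depth $Depth -File -ErrorAction SilentlyContinue |
        Where-Object { (Get-AppGuardSpace -Path $_.FullName -ExtraUserSpace $ExtraUserSpace) -eq 'SystemSpace' } |
        Where-Object { (Get-AuthenticodeSignature -FilePath $_.FullName).Status -ne 'Valid' } |
        Select-Object FullName, Length, LastWriteTime
}

# Usage (placeholder path for the thread's file):
#   Get-ExecutableReport -Path 'C:\appfolder\app.exe' | Format-List
#   Find-UnsignedSystemSpaceExes -Root 'C:\' -Depth 1
#   Find-UnsignedSystemSpaceExes -Root 'C:\' -Depth 1 -ExtraUserSpace @('C:\appfolder')
```

With the defaults, `C:\appfolder\app.exe` classifies as `SystemSpace`, which is the launch-allowed case support describes; passing the folder in `-ExtraUserSpace` models the "toggle to YES" step and moves it to `UserSpace`. The audit function is the practical follow-up: it lists every unsigned executable in root-level folders so you can decide which ones belong in the User Space policy rather than discovering them one at a time.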

ForgottenSeer 69673

If you look back at my setup, you will see most of what I added to userspace = yes.
You will also note I unchecked powershell from guarded apps (y)
Does that kinda reflect on what support wrote you?
 

simmerskool

Thread author
If you look back at my setup, you will see most of what I added to userspace = yes.
You will also note I unchecked powershell from guarded apps (y)
Does that kinda reflect on what support wrote you?
I'll look at yours again, thanks. FWIW I contacted coding tech, who thought the app should not have launched from its root "system space" location, but he is not necessarily familiar with AG.
 

Zero Knowledge

Great post simmerskool! That clears things up. Just set the app to user space and = yes and off you go. Like you I'm going to have to study the help file again.
 

simmerskool

Thread author
My weekend project + re-reading the manual. Sidenote: my AG is still basically default config, except I did add a few apps to Guarded Apps, and a couple of security apps to Power Apps. The app that triggered this thread was neither. FWIW a very knowledgeable IT tech friend told me that location is not really systemspace either, but he is not an AG user. Appreciate the replies!
Also ask cruelsister how she used a trusted cert provider to hack AppGuard. Hence why I removed them all. I don't need them. (y)
I think she posted the same thing about Comodo firewall too -- remove not needed trust certs... More work for the weekend.
 

simmerskool

Thread author
As a huge side note, you know I use Shadow Defender. cruel also made a post about this program in a good way. Think she used the default install, and I use RAM to store, not my hard disk. (y)
I have used SD in the past, I just found it "awkward." Now that I have my VMware tweaked and running fast, most of my online is with VM win10 Guest or Linux Guest. I make an effort to read all of cruelsister's posts.
 

ForgottenSeer 69673

I have used SD in the past, I just found it "awkward." Now that I have my VMware tweaked and running fast, most of my online is with VM win10 Guest or Linux Guest. I make an effort to read all of cruelsister's posts.
Good luck with your search. Oh yes, I have used VMware and VirtualBox many, many times, and no matter how you tweak them they still use a million times more RAM. Both SD and AppGuard, you do not notice they even run. It, as you know, is your preference. I hope you remember I am really not new to this rodeo.
 
