Are you using Appguard?


Trooper

The single biggest mistake that a lot of people make is paying way too much attention to the Activity Report when they first start using AppGuard.

It should not be the new user's objective to configure AppGuard such that there will be 0 block events for trusted programs in Activity Report. It doesn't work that way. Block events for known safe programs will always be present in the Activity Report.
I figured as much. I read the help file in which it stated that most of the messages were safe to be ignored. That said, wanted to post here just to be sure.

So for the most part, I assume that default install is "ok" but I should learn how to tweak things? Would that be correct? That is all I have done for the moment. I do not have much going on this machine outside of EIS, Chrome, and MS Office 2016. It's a home PC so I like to keep things simple.
 

Trooper

You don't have to do anything for Office 2016, Windows or EIS.

Office and Windows use digitally signed installers from Microsoft. Microsoft is a trusted publisher - so if the digital certificates check as valid and the entire installation run sequence is digitally signed, AppGuard is not going to block anything. EIS is installed to System Space and does not launch anything from User Space - so AppGuard isn't going to block anything.
Awesome! I need to read up and take a look at some stuff over on Wilders. :)
 

Deleted member 178

The single biggest mistake that a lot of people make is paying way too much attention to the Activity Report when they first start using AppGuard.
It should not be the new user's objective to configure AppGuard such that there will be 0 block events for trusted programs in Activity Report. It doesn't work that way. Block events for known safe programs will always be present in the Activity Report.
Yes, because they are used to "alert" events in other software, which are primarily made to warn against malicious events.
In AG we have "activity" events; activities can be anything, legit or not. They are just a log of what is being blocked by AG (based upon the policy set by the user), regardless of the origin of the file/process/program.
 

509322

Awesome! I need to read up and take a look at some stuff over on Wilders. :)
Just learn one thing at a time. Keep AG in default Protected mode and it will be OK. Do not try to implement anti-NSA\CIA\FSB\DPRK\PLA policy as soon as you've installed the soft. You will not be inflicted with the worst digital infection known to mankind if you don't immediately have an @Umbra configuration on your system. If you take it easy and ask questions before doing, then you will be much better off.

Users that rush in like fools are the ones that end up smashing themselves and automatically blame everything on AG... and the attitude is predictable: "Hey AG man... AG suxx !!"

Same thing happens with AppLocker and Group Policy, and those that do not know what they're doing start complaining immediately (even long-time Admins do it). It's OK, people get frustrated and that is just how it is sometimes. I even get bent out of shape when I have to deal with Microsoft's worthless documentation.
 

Trooper

Just learn one thing at a time. Keep AG in default Protected mode and it will be OK. Do not try to implement anti-NSA\CIA\FSB\DPRK\PLA policy as soon as you've installed the soft. You will not be inflicted with the worst digital infection known to mankind if you don't immediately have an @Umbra configuration on your system. If you take it easy and ask questions before doing, then you will be much better off.

Users that rush in like fools are the ones that end up smashing themselves and automatically blame everything on AG... and the attitude is predictable: "Hey AG man... AG suxx !!"

Same thing happens with AppLocker and Group Policy, and those that do not know what they're doing start complaining immediately (even long-time Admins do it). It's OK, people get frustrated and that is just how it is sometimes. I even get bent out of shape when I have to deal with Microsoft's worthless documentation.
Will do and thank you for the advice. I will do as you say and take my time with it. I am aware of AppLocker and Group Policy all too well as I work in IT for a living. Good times. Funny statement about @Umbra config. He has encouraged me to go into Lockdown mode but I think I will stick with Protected mode for a little bit. I also won't stress about the activity log. I don't do anything risky on this machine as it is a home PC etc. So having EIS and now AG to back me up should be a definite plus in my security arsenal.

Now in the event something ever did slip through the cracks (which is unlikely in my case) does AG toss up a bunch of alerts or does it just block and then record this in the activity log? I am sure there are videos of testing on YouTube for me to see as well.

Cheers man!

EDIT: Received a popup about suspicious stuff being blocked by AG.

Then I saw this in the Activity Report

Code:
08/01/17 23:16:52 AppGuard stopped <29> suspicious activities while active.
Oh noes, must I go into @Umbra anti NSA/CIA mode?
 

Deleted member 178

Now in the event something ever did slip through the cracks (which is unlikely in my case) does AG toss up a bunch of alerts or does it just block and then record this in the activity log? I am sure there are videos of testing on YouTube for me to see as well.
It just blocks based on your policy, no prompts. Just a block + a popup on the bottom right saying something was blocked.
And yes, there is a YouTube video made by Cruelsister testing AG.
 

509322

He has encouraged me to go into Lockdown mode but I think I will stick with Protected mode for a little bit.
Locked Down mode blocks everything launched in User Space - even Microsoft digitally signed files. So unless you are running a bunch of programs from User Space (including a USB flash drive) you will not see much blocked.

On W10 it will be dismhost.exe (Windows automatic maintenance), OneDriveStandaloneUpdater.exe, and OneDrive.exe as they launch from AppData. If you don't ever use OneDrive, then uninstall it.

I also won't stress about the activity log.
It's there for informational purposes and isn't something to fret about. Study it so you familiarize yourself with what commonly gets blocked. That way you will be able to pick out unusual stuff in a heartbeat. Study it over a long period of time. A look now and then suffices.

My exact security config on one of my personal laptops is AG and EIS combo.

AG blocks by default and there are two types of alerts - pop-up and toaster. I recommend disabling the pop-up alert. It absolutely isn't needed. Everything blocked is logged unless you disable logging for blocked events on the User Space tab. Check the settings there to familiarize yourself with them.

Worthless BBCode...

EDIT: Received a popup about suspicious stuff being blocked by AG.

Then I saw this in the Activity Report

Code:
08/01/17 23:16:52 AppGuard stopped <29> suspicious activities while active.
Oh noes, must I go into @Umbra anti NSA/CIA mode?

No, that is just an alert showing how many "suspicious" events were blocked and recorded in the Activity Report. Once again, blocked events for trusted programs are rated as suspicious as the programs are doing stuff that they do not need to do. Just select "Do not show this alert again" when that toaster alert appears again and it will be silenced. It's an alert to show that AppGuard is actively protecting the system. It isn't needed one bit.
 

DJ Panda

It sounds like a great product/product but I am too poor. And admit that my computer habits would probably make this product practically unusable.. :p
 

509322

It sounds like a great product/product but I am too poor. And admit that my computer habits would probably make this product practically unusable.. :p
At its most basic level, AppGuard is just a tray icon on-off switch. However, people that are heavy downloaders and installers don't like to even be bothered with a simple on-off switch. It is understandable. Everybody has their own personal preferences.
 

Deleted member 178

BTW, I updated my User-Space Rules; now it is full with 128 entries and I totally blocked the possibility for rundll32.exe to run anywhere on C. Mwahahahahaha

P.S.: don't ask me how or to share my XML file; I won't tell, because if you copy me, you will break your system :D
 

shmu26

If AppGuard is installed at default settings, is it necessary to make exceptions/rules for apps that run from an Appdata folder?
I don't understand why, but some devs seem to think it's really cool to run their app from Appdata instead of from Program Files.
 

SHvFl

If AppGuard is installed at default settings, is it necessary to make exceptions/rules for apps that run from an Appdata folder?
I don't understand why, but some devs seem to think it's really cool to run their app from Appdata instead of from Program Files.
Copy the folder from there to Program Files, FTW? Most programs will work if you do that, e.g. Spotify.
 

509322

If AppGuard is installed at default settings, is it necessary to make exceptions/rules for apps that run from an Appdata folder?
I don't understand why, but some devs seem to think it's really cool to run their app from Appdata instead of from Program Files.
  • If it is digitally unsigned it will be blocked from launching in default Protected mode.
  • If it is digitally signed, but not by a trusted publisher, it will be allowed to launch with full protections (this might cause breakage or misbehavior) - as long as the entire run sequence is digitally signed.
  • If it is digitally signed by a publisher on the TPL, then it will launch with the protection settings for that TPL publisher.
  • The user can add the digital signature to the TPL and adjust protection settings for the publisher.
  • The user can add the process to the Guarded Apps list.
  • The user can add the process to the User Space list and set to NO.
  • The user can do a custom install (if the publisher gives the option within their installer) to System Space or by other means (e.g. copy-paste portable app to System Space).
Some publishers do not adhere to Microsoft's recommended best practices. There are multiple ways within our product to solve the problem.
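The launch rules in the list above as one practitioner check, added here as an example and not AppGuard's own code: walk the executables in User Space (the per-user AppData trees) and tag each with what default Protected mode would do with it based on its Authenticode signature. The publisher names in $assumedTpl are an assumption standing in for the real Trusted Publisher List, and the "entire run sequence is signed" check and the User Space / Guarded Apps overrides are not modelled.

```powershell
# Added example, not AppGuard's own code: list the .exe files under the
# per-user AppData trees (AppGuard's "User Space") with their Authenticode
# status, so you can see in advance which ones Protected mode would block
# as unsigned and which carry a publisher signature.
# ASSUMPTION: $assumedTpl is a stand-in for AppGuard's Trusted Publisher
# List; the real list, the "entire run sequence is signed" check and the
# User Space / Guarded Apps overrides are not modelled here.
$assumedTpl = @('Microsoft Corporation', 'Microsoft Windows')

# %LOCALAPPDATA%\Temp is covered by the LOCALAPPDATA walk.
$userSpace = @($env:LOCALAPPDATA, $env:APPDATA) | Where-Object { $_ -and (Test-Path $_) }

$report = foreach ($root in $userSpace) {
    Get-ChildItem -Path $root -Recurse -File -Filter *.exe -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        # First RDN of the signer subject, e.g. "CN=Microsoft Corporation, O=..."
        $publisher = if ($sig.SignerCertificate) {
            (($sig.SignerCertificate.Subject -split ',')[0] -replace '^\s*CN=', '').Trim()
        } else { '' }
        if ($sig.Status -ne 'Valid') {
            $expected = 'blocked: unsigned or signature not valid'
        } elseif ($assumedTpl -contains $publisher) {
            $expected = 'allowed: TPL publisher protection settings apply'
        } else {
            $expected = 'allowed with full protections (may misbehave)'
        }
        [pscustomobject]@{
            Path      = $_.FullName
            Status    = $sig.Status
            Publisher = $publisher
            Expected  = $expected
        }
    }
}

# Summary by outcome first, then the full per-file table.
$report | Group-Object Expected | Select-Object Count, Name | Format-Table -AutoSize
$report | Sort-Object Expected, Path | Format-Table Expected, Publisher, Path -AutoSize -Wrap
```

Anything tagged as blocked is what you should expect to see in the Activity Report; the other two rows are the candidates for a TPL entry, a Guarded Apps entry or a User Space "NO" entry if they misbehave.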
 

shmu26

  • The user can add the process to the User Space list and set to NO.
  • So if worse comes to worse, this is the solution.
  • If it is digitally unsigned it will be blocked from launching in default Protected mode.
  • If it is digitally signed, but not by a trusted publisher, it will be allowed to launch with full protections (this might cause breakage or misbehavior) - as long as the entire run sequence is digitally signed.
  • If it is digitally signed by a publisher on the TPL, then it will launch with the protection settings for that TPL publisher.
  • The user can add the digital signature to the TPL and adjust protection settings for the publisher.
  • The user can add the process to the User Space list and set to NO.
  • The user can do a custom install (if the publisher gives the option within their installer) to System Space or by other means (e.g. copy-paste portable app to System Space).
Some publishers do not adhere to Microsoft's recommended best practices. There are multiple ways within our product to solve the problem.
What happens if a program writes an exe file to a temp folder in appdata, and then deletes the whole folder? I have an audio file converter that does this.
 

509322

  • So if worse comes to worse, this is the solution.
What happens if a program writes an exe file to a temp folder in appdata, and then deletes the whole folder? I have an audio file converter that does this.
It should be the option of last resort.

An audio converter uses an .exe to delete the entire contents of AppData\Local\Temp - for what?
 