Appguard's News Thread (2017)

Status
Not open for further replies.

shmu26

It should be the option of last resort.

An audio converter uses an .exe to delete the entire contents of AppData\Local\Temp - for what?
Maybe I did not explain it right. The main exe of the program creates a file in a temp folder, and after it finishes converting, it deletes the temp folder. I attached a screenshot of the path, taken from VoodooShield logs.
 

509322

Thread author
Maybe I did not explain it right. The main exe of the program creates a file in a temp folder, and after it finishes converting, it deletes the temp folder. I attached a screenshot of the path, taken from VoodooShield logs.

Add it to Guarded Apps list. Allowed to launch, but with limited rights. Deleting that temp directory is permissible with limited rights.
 

shmu26

Add it to Guarded Apps list. Allowed to launch, but with limited rights. Deleting that temp directory is permissible with limited rights.
Great. Now I just need to wait until AG Personal becomes available again. Apparently, there is no way to get it at the present time.
 

Trooper

Locked Down mode blocks everything launched in User Space - even Microsoft digitally signed files. So unless you are running a bunch of programs from User Space (including a USB flash drive) you will not see much blocked.

On W10 it will be dismhost.exe (Windows automatic maintenance), OneDriveStandaloneUpdater.exe, and OneDrive.exe as they launch from AppData. If you don't ever use OneDrive, then uninstall it.



It's there for informational purposes and isn't something to fret about. Study it so you familiarize yourself with what commonly gets blocked. That way you will be able to pick out unusual stuff in a heartbeat. Study it over a long period of time. A look now and then suffices.



My exact security config on one of my personal laptops is AG and EIS combo.

AG blocks by default and there are two types of alerts - pop-up and toaster. I recommend disabling the pop-up alert. It absolutely isn't needed. Everything blocked is logged unless you disable logging for blocked events on the User Space tab. Check the settings there to familiarize yourself with them.

Worthless BBCode...

EDIT: Received a popup about suspicious stuff being blocked by AG.

Then I saw this in the Activity Report

Code:
08/01/17 23:16:52 AppGuard stopped <29> suspicious activities while active.

Oh noes, must I go into @Umbra anti NSA/CIA mode ?

No, that is just an alert showing how many "suspicious" events were blocked and recorded in the Activity Report. Once again, blocked events for trusted programs are rated as suspicious as the programs are doing stuff that they do not need to do. Just select "Do not show this alert again" when that toaster alert appears again and it will be silenced. It's an alert to show that AppGuard is actively protecting the system. It isn't needed one bit.

Thanks again for your help @Lockdown. I was joking around about the NSA/CIA stuff. In any event I appreciate your assistance with this.

Question: How do I disable the pop-up alerts. I looked quickly last night but did not see it. Granted it was late and I had one eye open so it is likely due to that.

Cheers!
 

Deleted member 178

Thread author
Thanks again for your help @Lockdown. I was joking around about the NSA/CIA stuff. In any event I appreciate your assistance with this.

Question: How do I disable the pop-up alerts. I looked quickly last night but did not see it. Granted it was late and I had one eye open so it is likely due to that.

Cheers!
All popups or a specific one?
 

Deleted member 178

Thread author
I guess all. I have seen the occasional popup that says AppGuard has saved you from xx number of bad stuffs.
If my memory is good (because I don't do that, I like to know what it blocks), you have a checkbox when a popup appears. Tick it.
And in the GUI > Customize > Alerts, you can select what to show.
 

Trooper

If my memory is good (because I don't do that, I like to know what it blocks), you have a checkbox when a popup appears. Tick it.
And in the GUI > Customize > Alerts, you can select what to show.

Thanks will have a look next time it happens.
 

Deleted member 178

Thread author
@Lockdown @Umbra
With the hardened.xml, is it fine just to put AG on "Protected Mode"?
If you use the hardened xml, it means you don't trust any process, even a legit one. So why would you use a mode that does exactly the opposite?
Lockdown Mode + hardened xml only; if not, there is no need to use the hardened xml.
 

Duotone

@Umbra @Lockdown
The aim was to have tight security with fewer pop-ups, so I thought adding the hardened.xml + Protected mode would do the trick.
 

Duotone

You can disable pop-up on User Space tab if you wish.

Protected mode and hardened xml are high security too. Locked Down mode disables TPL.

Already disabled the popup; only the blinking icon remains... Protected mode & hardened.xml + only Blue Ridge in TPL?
What's the use of "Guarded" in TPL? Even Blue Ridge is set to "no".
 

509322

Thread author
Already disabled the popup; only the blinking icon remains... Protected mode & hardened.xml + only Blue Ridge in TPL?
What's the use of "Guarded" in TPL? Even Blue Ridge is set to "no".

Guarded (=Untrusted) = run the untrusted process with limited privileges; it cannot write to the protected file system and registry. You rate the processes as untrusted even though they are well-established as safe because they are commonly targeted for exploits.

In the TPL, if you set to Guarded, then their installers will not be able to install to the protected file system (C:\Program Files) and their updaters might not function. To avoid that you run files for publishers on the TPL as un-Guarded. Just an FYI, the installer has to have a run sequence that is all digitally signed. If one of the files in the run sequence is not signed, then it will be blocked. In that case you just set AppGuard to Allow Installs.
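The two rules the thread keeps returning to, Locked Down mode blocking anything launched from User Space regardless of signature (Trooper's quoted post above) and the TPL deciding whether a signed publisher's files run un-Guarded, Guarded, or not at all (the post directly above), can be approximated offline to see what would be blocked on a given machine before switching modes. The PowerShell below is an added example, not AppGuard's own code or configuration: the User Space folder list, the publisher names in the $Tpl table, and the function names Get-SignerCN and Get-UserSpaceVerdict are assumptions for illustration.

```powershell
# Added example, not AppGuard's own code. Approximates two rules from the thread:
#   1. Locked Down mode: anything in User Space is blocked, signed or not (TPL ignored).
#   2. Protected mode + TPL: a file runs only if its Authenticode signature is valid AND
#      the signer CN is on the Trusted Publisher List; the TPL entry decides whether it
#      runs un-Guarded ($true) or Guarded ($false).
# The folder list, publisher names and function names below are assumptions.

$UserSpace = @(
    $env:LOCALAPPDATA,
    $env:APPDATA,
    $env:TEMP,
    (Join-Path $env:USERPROFILE 'Downloads')
)

# Hypothetical TPL. Key = certificate Subject CN; value = un-Guarded ($true) or Guarded ($false).
$Tpl = @{
    'Microsoft Corporation' = $true    # OneDrive.exe, dismhost.exe and friends
    'Microsoft Windows'     = $true
    'Example Publisher Inc' = $false   # hypothetical vendor forced to run Guarded
}

function Get-SignerCN {
    param($Certificate)   # X509Certificate2, or $null for unsigned files
    if (-not $Certificate) { return $null }
    # Subject looks like "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, ..."
    $cn = $Certificate.Subject -split ',\s*' | Where-Object { $_ -like 'CN=*' } | Select-Object -First 1
    if ($cn) { return $cn.Substring(3).Trim('"') }
    return $null
}

function Get-UserSpaceVerdict {
    param(
        [Parameter(Mandatory)][string]$Path,
        [hashtable]$TrustedPublishers = @{},
        [switch]$LockedDown
    )
    $sig = Get-AuthenticodeSignature -FilePath $Path   # also covers catalog-signed Windows files
    $cn  = Get-SignerCN $sig.SignerCertificate
    $verdict = 'Blocked'
    if (-not $LockedDown -and $sig.Status -eq 'Valid' -and $cn -and $TrustedPublishers.ContainsKey($cn)) {
        $verdict = if ($TrustedPublishers[$cn]) { 'Allowed (TPL, un-Guarded)' } else { 'Allowed (TPL, Guarded)' }
    }
    [pscustomobject]@{
        Path      = $Path
        SigStatus = $sig.Status
        Publisher = $cn
        Verdict   = $verdict
    }
}

# Walk User Space once, then score the same files under both modes.
$files = foreach ($dir in $UserSpace) {
    if (Test-Path -LiteralPath $dir) {
        Get-ChildItem -LiteralPath $dir -Recurse -File -Include *.exe, *.dll -ErrorAction SilentlyContinue
    }
}

$protected  = $files | ForEach-Object { Get-UserSpaceVerdict -Path $_.FullName -TrustedPublishers $Tpl }
$lockedDown = $files | ForEach-Object { Get-UserSpaceVerdict -Path $_.FullName -TrustedPublishers $Tpl -LockedDown }

'Protected mode + TPL:'
$protected  | Group-Object Verdict | Select-Object Name, Count | Format-Table -AutoSize
'Locked Down mode (TPL ignored):'
$lockedDown | Group-Object Verdict | Select-Object Name, Count | Format-Table -AutoSize

# Validly signed but blocked = publisher not on the TPL. These are the entries worth a
# second look in the Activity Report, as opposed to the expected OneDrive/dismhost noise.
$protected | Where-Object { $_.SigStatus -eq 'Valid' -and $_.Verdict -eq 'Blocked' } |
    Format-Table Path, Publisher -AutoSize
```

Run it as the ordinary user whose profile you care about; the Locked Down column is expected to be all "Blocked", which is exactly the point Trooper quotes about Microsoft-signed OneDrive.exe and dismhost.exe. The script only looks at files already on disk, so it cannot reproduce the run-sequence rule from the post above (an unsigned child launched by a signed installer is still blocked); that is a runtime decision, and Allow Installs is the workaround the post gives for it.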
 