Are you using Appguard?

Total voters: 107
Status
Not open for further replies.

shmu26

It should be the option of last resort.

An audio converter uses an .exe to delete the entire contents of AppData\Local\Temp - for what ?
Maybe I did not explain it right. The main exe of the program creates a file in a temp folder, and after it finishes converting, it deletes the temp folder. I attached a screenshot of the path, taken from VoodooShield logs.
 
509322

Maybe I did not explain it right. The main exe of the program creates a file in a temp folder, and after it finishes converting, it deletes the temp folder. I attached a screenshot of the path, taken from VoodooShield logs.
Add it to Guarded Apps list. Allowed to launch, but with limited rights. Deleting that temp directory is permissible with limited rights.
 

Trooper

Locked Down mode blocks everything launched in User Space - even Microsoft digitally signed files. So unless you are running a bunch of programs from User Space (including a USB flash drive) you will not see much blocked.

On W10 it will be dismhost.exe (Windows automatic maintenance), OneDriveStandaloneUpdater.exe, and OneDrive.exe as they launch from AppData. If you don't ever use OneDrive, then uninstall it.



It's there for informational purposes and isn't something to fret about. Study it so you familiarize yourself with what commonly gets blocked. That way you will be able to pick out unusual stuff in a heartbeat. Study it over a long period of time. A look now and then suffices.



My exact security config on one of my personal laptops is AG and EIS combo.

AG blocks by default and there are two types of alerts - pop-up and toaster. I recommend disabling the pop-up alert. It absolutely isn't needed. Everything blocked is logged unless you disable logging for blocked events on the User Space tab. Check the settings there to familiarize yourself with them.

Worthless BBCode...

EDIT: Received a popup about suspicious stuff being blocked by AG.

Then I saw this in the Activity Report

Code:
08/01/17 23:16:52 AppGuard stopped <29> suspicious activities while active.
Oh noes, must I go into @Umbra anti NSA/CIA mode ?

No, that is just an alert showing how many "suspicious" events were blocked and recorded in the Activity Report. Once again, blocked events for trusted programs are rated as suspicious as the programs are doing stuff that they do not need to do. Just select "Do not show this alert again" when that toaster alert appears again and it will be silenced. It's an alert to show that AppGuard is actively protecting the system. It isn't needed one bit.
Thanks again for your help @Lockdown I was joking around about the NSA/CIA stuff. In any event I appreciate your assistance with this.

Question: How do I disable the pop-up alerts? I looked quickly last night but did not see it. Granted it was late and I had one eye open so it is likely due to that.

Cheers!
 
Deleted member 178

Thanks again for your help @Lockdown I was joking around about the NSA/CIA stuff. In any event I appreciate your assistance with this.

Question: How do I disable the pop-up alerts? I looked quickly last night but did not see it. Granted it was late and I had one eye open so it is likely due to that.

Cheers!
All popups or a specific one?
 
Deleted member 178

I guess all. I have seen the occasional popup that says Appguard has saved you from xx number of bad stuffs.
If my memory is good (because I don't do that, I like to know what it blocks), you have a checkbox when a popup appears. Tick it.
And in the GUI > Customize > alerts, you can select what to show.
 

Trooper

If my memory is good (because I don't do that, I like to know what it blocks), you have a checkbox when a popup appears. Tick it.
And in the GUI > Customize > alerts, you can select what to show.
Thanks will have a look next time it happens.
 

Duotone

You can disable pop-up on User Space tab if you wish.

Protected mode and hardened xml is high security too. Locked Down mode disables TPL.
Already disabled the popup, only the blink icon remains... Protected mode & hardened.xml + only Blueridge in TPL?!
What's the use of "Guarded" in TPL? Even Blueridge is set to "no".
 
5

509322

Already disabled the popup, only the blink icon remains... Protected mode & hardened.xml + only Blueridge in TPL?!
What's the use of "Guarded" in TPL? Even Blueridge is set to "no".
Guarded (=Untrusted) = run the untrusted process with limited privileges; cannot write to protected file system and registry. You rate the processes as untrusted even though they are well-established as safe because they are commonly targeted for exploits.

In the TPL, if you set to Guarded, then their installers will not be able to install to the protected file system (C:\Program Files) and their updaters might not function. To avoid that you run files for publishers on the TPL as un-Guarded. Just an FYI, the installer has to have a run sequence that is all digitally signed. If one of the files in the run sequence is not signed, then it will be blocked. In that case you just set AppGuard to Allow Installs.
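
A way to check in advance whether an installer's files are all digitally signed, as the last reply describes (an added example, not part of the original thread and not AppGuard's own code). It assumes the installer has been unpacked into a folder, that `$InstallerDir` (a hypothetical path) points at it, and that Windows Authenticode status approximates the signature check AppGuard applies.

```powershell
# Added example. AppGuard's own signature logic is not documented in this
# thread; Authenticode status is used here as an approximation (assumption).
param(
    # Hypothetical folder containing the installer and the files it unpacks.
    [string]$InstallerDir = "$env:USERPROFILE\Downloads\ExampleInstaller"
)

# File types that can take part in an installer's run sequence.
$extensions = '.exe', '.dll', '.msi', '.msp', '.sys', '.ps1', '.vbs', '.js'

$results = Get-ChildItem -LiteralPath $InstallerDir -Recurse -File |
    Where-Object { $extensions -contains $_.Extension.ToLowerInvariant() } |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
        [pscustomobject]@{
            File      = $_.FullName
            Status    = $sig.Status   # Valid, NotSigned, HashMismatch, ...
            Publisher = if ($sig.SignerCertificate) {
                            $sig.SignerCertificate.Subject
                        } else { '' }
        }
    }

# Anything that is not 'Valid' is a candidate for being blocked mid-install.
$notValid = @($results | Where-Object { $_.Status -ne 'Valid' })

if ($notValid.Count -eq 0) {
    Write-Output "All $(@($results).Count) executable files carry a valid signature."
} else {
    Write-Output "$($notValid.Count) file(s) without a valid signature:"
    $notValid | Format-Table -AutoSize File, Status
}

# Publishers seen on the validly signed files, to compare against the TPL.
$results | Where-Object { $_.Status -eq 'Valid' } |
    Group-Object Publisher |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

A file listed as `NotSigned` or `HashMismatch` here is the kind the reply says will be blocked unless AppGuard is set to Allow Installs for that installation.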
 