Appguard's News Thread (2017)

Status
Not open for further replies.

Trooper

Level 17
Verified
Top Poster
Well-known
Aug 28, 2015
801
Do I need to do anything about these @Lockdown

Code:
08/17/17 20:44:04 Prevented process <dismhost.exe | c:\windows\system32\cleanmgr.exe> from launching from <c:\users\username\appdata\local\temp\daaef381-3444-4aea-b8a0-699fb12ff77d>.
 
5

509322

Thread author
Do I need to do anything about these @Lockdown

Code:
08/17/17 20:44:04 Prevented process <dismhost.exe | c:\windows\system32\cleanmgr.exe> from launching from <c:\users\username\appdata\local\temp\daaef381-3444-4aea-b8a0-699fb12ff77d>.

Make this rule in User Space and set to NO:

c:\users\<user>\appdata\local\temp\*\dismhost.exe, where <user> = your user profile name

You will also see block events for OneDrive and Google Chrome (if you use it) processes in Locked Down mode
 

Trooper
Make this rule in User Space and set to NO:

c:\users\<user>\appdata\local\temp\*\dismhost.exe, where <user> = your user profile name

You will also see block events for OneDrive and Google Chrome (if you use it) processes in Locked Down mode

Thanks I do not use OneDrive but do use Google Chrome. So far, seeing these.

Code:
08/17/17 21:15:28 Prevented <pid: 768> from writing to <\registry\machine\software\wow6432node\google\update\clientstatemedium\{8a69d345-d564-463c-aff1-a69d9e530f96}>.
08/17/17 20:45:45 Prevented process <pid: 6188> from writing to <c:\windows\performance\winsat\winsat.log>.
 
509322
Thanks I do not use OneDrive but do use Google Chrome. So far, seeing these.

Code:
08/17/17 21:15:28 Prevented <pid: 768> from writing to <\registry\machine\software\wow6432node\google\update\clientstatemedium\{8a69d345-d564-463c-aff1-a69d9e530f96}>.
08/17/17 20:45:45 Prevented process <pid: 6188> from writing to <c:\windows\performance\winsat\winsat.log>.

Only pay attention to blocked executions. Everything else is just recorded protection events. The only time you go looking at stuff other than blocked executions is when something is obviously broken and there is no blocked execution that accounts for it. I have only seen this 1 time in many years.

In other words, the events you posted are not anything to be concerned about.

You should not be focusing on the Activity Report except when a process is blocked from launching and you need to allow it.

Another thing you should not do is try to craft a policy such that the Activity Report is free of block events for trusted programs. It doesn't work that way.
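The two points made in this thread, that only "from launching" entries are actionable and that a launch block is cleared with a User Space rule such as c:\users\<user>\appdata\local\temp\*\dismhost.exe, can be turned into a small triage script. The script below is an added example written for this page; it is not code from the thread, from AppGuard or from its vendor. It assumes that the Activity Report lines have exactly the two shapes quoted above, that in "<dismhost.exe | c:\windows\system32\cleanmgr.exe>" the first item is the blocked image and the second its parent, and that a shell-style glob (Python's fnmatch) is a fair stand-in for however AppGuard itself matches its path rules. The sample report is constructed from the four lines posted in the thread.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample Activity Report, modelled on the four entries quoted in this thread.
SAMPLE_REPORT = r"""
08/17/17 20:44:04 Prevented process <dismhost.exe | c:\windows\system32\cleanmgr.exe> from launching from <c:\users\username\appdata\local\temp\daaef381-3444-4aea-b8a0-699fb12ff77d>.
08/17/17 21:15:28 Prevented <pid: 768> from writing to <\registry\machine\software\wow6432node\google\update\clientstatemedium\{8a69d345-d564-463c-aff1-a69d9e530f96}>.
08/17/17 20:45:45 Prevented process <pid: 6188> from writing to <c:\windows\performance\winsat\winsat.log>.
08/19/17 16:02:46 Prevented process <Google Chrome> from writing to <c:\users\username\appdata\local\google\chrome\user data\default\storage\ext\fahmaaghhglfmonjliepjlchgpgfmobi\def\file system\primary\p\10\00001074>.
"""

TS = r"(?P<ts>\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})"
# Blocked execution: the only event type the thread says you act on.
LAUNCH_RE = re.compile(TS + r" Prevented process <(?P<target>[^>]+)> from launching from <(?P<directory>[^>]+)>\.$")
# Recorded protection event (a blocked write); nothing to do unless something is visibly broken.
WRITE_RE = re.compile(TS + r" Prevented (?:process )?<(?P<actor>[^>]+)> from writing to <(?P<path>[^>]+)>\.$")


def parse_event(line):
    """Classify one Activity Report line as 'launch', 'write', or None if it matches neither format."""
    m = LAUNCH_RE.match(line)
    if m:
        # Assumption: in "<image | parent>" the first item is the image that was blocked.
        image = m.group("target").split("|")[0].strip()
        return {
            "kind": "launch",
            "ts": m.group("ts"),
            "image": image,
            # Full path of the blocked image = launch directory + image name.
            "path": m.group("directory").rstrip("\\") + "\\" + image,
        }
    m = WRITE_RE.match(line)
    if m:
        return {"kind": "write", "ts": m.group("ts"), "actor": m.group("actor"), "path": m.group("path")}
    return None


def rule_matches(rule, path, user):
    """Does a User Space rule (with the thread's <user> placeholder) cover this path?

    Matching is case-insensitive because Windows paths are; '*' may span a
    directory component, which is what the temp\*\dismhost.exe rule relies on.
    """
    pattern = rule.replace("<user>", user).lower()
    return fnmatchcase(path.lower(), pattern)


def triage(report, allow_rules, user):
    """Split a report into launch blocks that still need a rule, launch blocks already
    covered by one, and write events that are merely recorded."""
    result = {"needs_rule": [], "covered_by_rule": [], "recorded_only": []}
    for line in report.splitlines():
        ev = parse_event(line.strip())
        if ev is None:
            continue
        if ev["kind"] == "write":
            result["recorded_only"].append(ev)
        elif any(rule_matches(r, ev["path"], user) for r in allow_rules):
            result["covered_by_rule"].append(ev)
        else:
            result["needs_rule"].append(ev)
    return result


if __name__ == "__main__":
    rules = [r"c:\users\<user>\appdata\local\temp\*\dismhost.exe"]
    out = triage(SAMPLE_REPORT, rules, "username")
    for ev in out["needs_rule"]:
        print("ACTION: blocked execution of", ev["path"], "at", ev["ts"])
    print(len(out["covered_by_rule"]), "launch block(s) already covered by a rule")
    print(len(out["recorded_only"]), "write event(s) recorded only, nothing to do")
```

Run against the sample with an empty rule list, the script reports one actionable event (the dismhost.exe launch) and three recorded-only write events; once the dismhost rule from the thread is added, nothing is left to act on. That is the whole triage loop the thread describes: read only the launch blocks, write a rule for the ones you recognise, and leave the write events alone.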
 

Trooper
Only pay attention to blocked executions. Everything else is just recorded protection events. The only time you go looking at stuff other than blocked executions is when something is obviously broken and there is no blocked execution that accounts for it. I have only seen this 1 time in many years.

In other words, the events you posted are not anything to be concerned about.

You should not be focusing on the Activity Report except when a process is blocked from launching and you need to allow it.

Another thing you should not do is try to craft a policy such that the Activity Report is free of block events for trusted programs. It doesn't work that way.

Thanks for your insight and guidance. Will do. Much appreciated!
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
You can run programs in System Space as Guarded. You can search online if there is a history of exploits. If yes, add it to the Guarded Apps list if you wish.
I basically use ReHIPS as my guide. If ReHIPS isolates it, then there must be something exploitable about it.

Is the rule for dismhost and for onedrive necessary only in lockdown mode?
 
509322
I basically use ReHIPS as my guide. If ReHIPS isolates it, then there must be something exploitable about it.

Is the rule for dismhost and for onedrive necessary only in lockdown mode?

I guess following ReHIPS is one way to learn.

In Locked Down mode the rules for dismhost.exe and OneDrive are the most common. Google Chrome runs some ancillary processes from User Space so you will have to create exclusions if you use it.
 
Deleted member 178

Thread author
This kind of post about block events is often made by anti-exe/HIPS users, where an alert has a real meaning.
With SRP, one must understand that since SRP blocks everything not explicitly allowed, block reports are obviously expected.

As Lockdown said, unless you feel something is broken with your apps, there is no need to pay too much attention to the reports.
 

Trooper
Do I need to do anything for this one?

Code:
08/19/17 16:02:46 Prevented process <Google Chrome> from writing to <c:\users\username\appdata\local\google\chrome\user data\default\storage\ext\fahmaaghhglfmonjliepjlchgpgfmobi\def\file system\primary\p\10\00001074>.
 
509322
With all the repeated questions, I think it's time that someone should write an FAQ about AppGuard. :)

A FAQ isn't going to help because it is going to say the same exact thing that I have said here and elsewhere over-and-over.

"If nothing is obviously broken, then disregard the events in the Activity Report."

It's an incredibly simple concept.

Actually, I did create and put up a FAQ. It was a crystal-clear step-by-step set of instructions. Many different people read it and commented that it was a good FAQ. However, there were those that got their hands on it, didn't bother to follow the straightforward step-by-step instructions, and proceeded to blow themselves up. So it was recently removed.
 
509322
I have turned off the blinking icon and balloon pop-ups so my AppGuard installs are very peaceful. I do look at the logs occasionally, but even that is boring.

You of all people can explain when it is necessary to inspect the Activity Report closely.

We only had to dig into the Activity Report when Rhopsody\Napster was broken. Then there were those backup scripts, but you ended up getting new scripts from the author and we didn't have to go any further.

How often do situations like this arise? And what is the one defining characteristic of something that requires digging into the Activity Report? => "something is obviously broken..."
 