Appguard's News Thread (2017)

Status
Not open for further replies.

Trooper

Level 16
Verified
Top Poster
Well-known
Aug 28, 2015
772
Do I need to do anything about these @Lockdown

Code:
08/17/17 20:44:04 Prevented process <dismhost.exe | c:\windows\system32\cleanmgr.exe> from launching from <c:\users\username\appdata\local\temp\daaef381-3444-4aea-b8a0-699fb12ff77d>.
 
5

509322

Thread author
Do I need to do anything about these @Lockdown

Code:
08/17/17 20:44:04 Prevented process <dismhost.exe | c:\windows\system32\cleanmgr.exe> from launching from <c:\users\username\appdata\local\temp\daaef381-3444-4aea-b8a0-699fb12ff77d>.

Make this rule in User Space and set to NO:

c:\users\<user>\appdata\local\temp\*\dismhost.exe, where <user>= your user profile name

You will also see block events for OneDrive and Google Chrome (if you use it) processes in Locked Down mode
 

Trooper

Level 16
Verified
Top Poster
Well-known
Aug 28, 2015
772
Make this rule in User Space and set to NO:

c:\users\<user>\appdata\local\temp\*\dismhost.exe, where <user>= your user profile name

You will also see block events for OneDrive and Google Chrome (if you use it) processes in Locked Down mode

Thanks I do not use OneDrive but do use Google Chrome. So far, seeing these.

Code:
08/17/17 21:15:28 Prevented <pid: 768> from writing to <\registry\machine\software\wow6432node\google\update\clientstatemedium\{8a69d345-d564-463c-aff1-a69d9e530f96}>.
08/17/17 20:45:45 Prevented process <pid: 6188> from writing to <c:\windows\performance\winsat\winsat.log>.
 
5

509322

Thread author
Thanks I do not use OneDrive but do use Google Chrome. So far, seeing these.

Code:
08/17/17 21:15:28 Prevented <pid: 768> from writing to <\registry\machine\software\wow6432node\google\update\clientstatemedium\{8a69d345-d564-463c-aff1-a69d9e530f96}>.
08/17/17 20:45:45 Prevented process <pid: 6188> from writing to <c:\windows\performance\winsat\winsat.log>.

Only pay attention to blocked executions. Everything else is just recorded protection events. The only time you go looking at stuff other than blocked executions is when something is obviously broken and there is no blocked execution that accounts for it. I have only seen this 1 time in many years.

In other words, the events you posted are not anything to be concerned about.

You should not be focusing on the Activity Report except when a process is blocked from launching and you need to allow it.

Another thing you should not do is try to craft a policy such that the Activity Report is free of block events for trusted programs. It doesn't work that way.
 

Trooper

Level 16
Verified
Top Poster
Well-known
Aug 28, 2015
772
Only pay attention to blocked executions. Everything else is just recorded protection events. The only time you go looking at stuff other than blocked executions is when something is obviously broken and there is no blocked execution that accounts for it. I have only seen this 1 time in many years.

In other words, the events you posted are not anything to be concerned about.

You should not be focusing on the Activity Report except when a process is blocked from launching and you need to allow it.

Another thing you should not do is try to craft a policy such that the Activity Report is free of block events for trusted programs. It doesn't work that way.

Thanks for your insight and guidance. Will do. Much appreciated!
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
You can run programs in System Space as Guarded. You can search online if there is a history of exploits. If yes, add it to the Guarded Apps list if you wish.
I basically use ReHIPS as my guide. If ReHIPS isolates it, then there must be something exploitable about it.

Is the rule for dismhost and for onedrive necessary only in lockdown mode?
 
  • Like
Reactions: SHvFl
5

509322

Thread author
I basically use ReHIPS as my guide. If ReHIPS isolates it, then there must be something exploitable about it.

Is the rule for dismhost and for onedrive necessary only in lockdown mode?

I guess following ReHIPS is one way to learn.

In Locked Down mode the rules for dismhost.exe and OneDrive are the most common. Google Chrome runs some ancillary processes from User Space so you will have to create exclusions if you use it.
 
D

Deleted member 178

Thread author
This kind of posts about blocking events are often made by anti-exe/hips users, when an alert has a real meaning.
With SRP, one must understand that since SRP block everything not explicitely allowed, block reports are obviously expected.

As Lockdown said, unless you feel something is broken with your apps, there is no need to pay too much attention to the reports.
 

Trooper

Level 16
Verified
Top Poster
Well-known
Aug 28, 2015
772
Do I need to do anything for this one?

Code:
08/19/17 16:02:46 Prevented process <Google Chrome> from writing to <c:\users\username\appdata\local\google\chrome\user data\default\storage\ext\fahmaaghhglfmonjliepjlchgpgfmobi\def\file system\primary\p\10\00001074>.
 
5

509322

Thread author
With all the repeating questions, I think it's time that someone should write an FAQ about AppGuard. :)

A FAQ isn't going to help because it is going to say the same exact thing that I have said here and elsewhere over-and-over.

"If nothing is obviously broken, then disregard the events in the Activity Report."

It's an incredibly simple concept.

Actually, I did create and put up a FAQ. It was a crystal-clear step-by-step set of instructions. Many different people read it and commented that it was a good FAQ. However, there were those that got their hands on it, didn't bother to follow the straight-foward step-by-step instructions, and proceeded to blow themselves up. So it was recently removed.
 
Last edited by a moderator:
5

509322

Thread author
I have turned off the blinking icon and balloon pop ups so my Appguard installs are very peaceful. I do look a the logs occasionally, but even that is boring.

You of all people can explain when it is necessary to inspect the Activity Report closely.

We only had to dig into the Activity Report when Rhopsody\Napster was broken. Then there were those backup scripts, but you ended up getting new scripts from the author and we didn't have to go any further.

How often do situations like this arise ? And what is the one defining character of something that requires digging into the Activity Report ? => "something is obviously broken..."
 
Last edited by a moderator:
Status
Not open for further replies.

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top