Q&A: AppGuard users, do you use it in its default setting?

  • Total voters
    30

shmu26

Level 67
Content Creator
Verified
Joined
Jul 3, 2015
Messages
5,623
OS
Windows 10
#61
AppGuard is the universe's most effective security software - period. No qualification is needed.

I can also state AppGuard is the universe's most capable, most efficient, etc, etc without qualification.
Legally, you can make such claims.
And there is good reason to believe that such claims are true, although I am not one to say, because I know almost nothing about corporate-oriented software, nor am I a professional tester.
But the soft-sell approach is usually more effective.
 

SHvFl

Level 34
Content Creator
Verified
Joined
Nov 19, 2014
Messages
2,311
OS
Windows 10
Antivirus
Emsisoft
#62
For me, "memory protection" means that the software has a dedicated module to explicitly monitor memory, which ReHIPS hasn't.
Sure, I get what you mean, but then AppGuard should not be called memory protection either, because it doesn't really monitor; it blocks or not depending on a flag in settings. Anyway, I don't know what it is called, but both, in certain scenarios, protect memory "sharing/manipulation".

But I only said it has memory protection for exploitable apps, which is thanks to the isolation. Fixer (or was it @SHvFl?) once explained to me that isolated apps, since they are running in a different and limited user account, do not have memory access to processes running in real user account.
Yeah, that is the case. @Umbra just has a different idea in mind of what should be called memory protection, which is cool. We can't all define things in the same way, but don't worry about it. Both programs protect you if you set them up properly. They are quality products and they thought things through for you.
 

shmu26

Level 67
Content Creator
Verified
Joined
Jul 3, 2015
Messages
5,623
OS
Windows 10
#63
I googled for Windows 10 process details to learn myself, but I found only a Win7 article, "20 Windows processes you can kill to make your PC run quicker".
Most of that stuff about making your PC run quicker will probably not make a difference that you can feel in real life. You could disable windows indexing, which can slow your PC down sometimes, but doing that will cripple windows search.

If you want to generally control windows processes, you might want something like this:
O&O ShutUp10: download free antispy tool for Windows 10

If you want to restrict vulnerable processes, which appguard is good at, check out this thread:
Vulnerable Processes
There is a link there to spreadsheet created by @Lockdown in a previous incarnation, but he seems to have taken down the link. Maybe he has a new and updated list somewhere.
 

Lockdown

From AppGuard
Developer
Verified
Joined
Oct 24, 2016
Messages
3,894
#64
If you want to restrict vulnerable processes, which appguard is good at, check out this thread:
Vulnerable Processes
There is a link there to spreadsheet created by @Lockdown in a previous incarnation, but he seems to have taken down the link. Maybe he has a new and updated list somewhere.
I didn't take the GitHub lists down. They were taken down by the original authors - Casey Smith aka SubTee.

The spreadsheet was taken down by me. People need to research vulnerable processes and learn for themselves. They were using the spreadsheet as a shortcut and not putting forth the effort to learn anything - especially what they needed to know.
 
Likes: SHvFl

Lockdown

From AppGuard
Developer
Verified
Joined
Oct 24, 2016
Messages
3,894
#65
But the soft-sell approach is usually more effective.
I am not selling anything here at MT.

@shmu26 - you're not going to understand this part, but it is a reply to an earlier post by another - the vast majority of people here at MT either want or expect free, or some economically unfeasible price like $10 for a lifetime license. AppGuard LLC is not interested in that market demographic, as it neither retains employees nor keeps the lights on. Until the world's money-based economic system no longer applies and becomes some idealistic Utopia where everybody and all companies can live and exist for free, AppGuard LLC is going to expect payment for its product at a level that makes economic sense.
 
Last edited:

shmu26

Level 67
Content Creator
Verified
Joined
Jul 3, 2015
Messages
5,623
OS
Windows 10
#67
+1
Thanks shmu26, this is what I'm looking for to learn.
Interesting & helpful link for me JPCERT/CC Blog : Windows Commands Abused by Attackers
Yeah, that link is pretty interesting. It is mainly about how malware finds out what you have on your system, like if it wants to encrypt your photos, it looks for image files. Or maybe it wants to know what AV you are using, so it can turn it off. Some of those processes help it make a network connection, like for a RAT.

But the processes that are most crucial to restrict, in order to prevent the actual attack, are the script interpreters. If you have a 64-bit system, most of the time you will have two of each: one in Windows\System32, and the other in Windows\SysWOW64.
These are some of the most commonly abused script interpreters:
powershell
powershell_ISE
wscript
cscript
cmd

The first 4 are rarely needed by your system or software; you can safely block them without crippling your computer.

If you have these 5 processes (on a 64-bit system, 10 processes) under control, one way or another, you have significantly limited the ability of malware to run.

There are people following this thread who know a lot more about the subject than I do, so I hope they will correct any inaccuracies...
 

Umbra

Level 85
Content Creator
Verified
Joined
May 16, 2011
Messages
18,418
OS
Windows 10
Antivirus
Default-Deny
#68
Sure i get what you mean but then appguard should not be called memory protection either because it doesn't really monitor but it blocks or not depending on a flag in settings.
AG has memory protection (in my point of view), especially against dynamic forking (process hollowing): one process in memory cannot read or modify another process's memory space; this feature is the real power of AG.
@Lockdown can correct me if i'm wrong.
 
Joined
Apr 28, 2015
Messages
140
#69
Disable powershell - permanently.

powershell is not needed by home users.

A. Untick powershell in the Guarded Apps list.
B. Add powershell to the User Space list and set it to "Yes."

powershell is used by malc0ders to attack a system by various methods.
And Lenovo crapware. :sneaky:

I have a very customised AppGuard 4.4.6.1 on one machine, but I think on my unopened Dell XPS 13 (8th Gen Intel) I'll probably run a more vanilla version of (Granite) AppGuard and control vulnerable processes in NVT ERP.
 
Last edited:

shmu26

Level 67
Content Creator
Verified
Joined
Jul 3, 2015
Messages
5,623
OS
Windows 10
#70
I get lost when I look at a list of all the possibly vulnerable processes. That's why I like ReHIPS, they did the thinking for me, the rules are ready-made. It's a very nice companion to AppGuard.
 
Likes: AtlBo
Joined
Jul 5, 2016
Messages
410
OS
Windows 10
Antivirus
Malwarebytes
#71
Yeah, that link is pretty interesting. It is mainly about how malware finds out what you have on your system, like if it wants to encrypt your photos, it looks for image files. Or maybe it wants to know what AV you are using, so it can turn it off. Some of those processes help it make a network connection, like for a RAT.

But the processes that are most crucial to restrict, in order to prevent the actual attack, are the script interpreters. If you have a 64-bit system, most of the time you will have two of each: one in Windows\System32, and the other in Windows\SysWOW64.
These are some of the most commonly abused script interpreters:
powershell
powershell_ISE
wscript
cscript
cmd

The first 4 are rarely needed by your system or software; you can safely block them without crippling your computer.

If you have these 5 processes (on a 64-bit system, 10 processes) under control, one way or another, you have significantly limited the ability of malware to run.

There are people following this thread who know a lot more about the subject than I do, so I hope they will correct any inaccuracies...
Besides those, I also have mshta, both 32- and 64-bit, added to User Space.
 
Joined
Jun 4, 2017
Messages
156
OS
Windows 10
Antivirus
Emsisoft
#73
Using AppGuard I just noticed a behavior I can't understand.
I want KeePass to be a Guarded App. Everything works fine except that Privacy gets enabled for KeePass and there is nothing I can do against it.
I turn it off and it gets enabled again by AppGuard... no matter if I use the installer or the portable version...

any ideas on this?
 
Likes: AtlBo

shmu26

Level 67
Content Creator
Verified
Joined
Jul 3, 2015
Messages
5,623
OS
Windows 10
#74
Using AppGuard I just noticed a behavior I can't understand.
I want KeePass to be a Guarded App. Everything works fine except that Privacy gets enabled for KeePass and there is nothing I can do against it.
I turn it off and it gets enabled again by AppGuard... no matter if I use the installer or the portable version...

any ideas on this?
I am guessing that KeePass inherits the rules of your browser, which probably has Privacy enabled by default. I don't know how KeePass actually works, so this is just a conjecture.
You could try disabling privacy for the browser, and see if that helps.
 

Lockdown

From AppGuard
Developer
Verified
Joined
Oct 24, 2016
Messages
3,894
#75
Using AppGuard I just noticed a behavior I can't understand.
I want KeePass to be a Guarded App. Everything works fine except that Privacy gets enabled for KeePass and there is nothing I can do against it.
I turn it off and it gets enabled again by AppGuard... no matter if I use the installer or the portable version...

any ideas on this?
There is no need to make KeePass a Guarded App.

Does Privacy Mode break anything, or is it just annoying you that you cannot disable it permanently?

Make a video or screenshots and submit them as a downloadable link as part of a step-by-step bug report to AppGuard@BlueRidge.com.
 

Lockdown

From AppGuard
Developer
Verified
Joined
Oct 24, 2016
Messages
3,894
#76
I get lost when I look at a list of all the possibly vulnerable processes. That's why I like ReHIPS, they did the thinking for me, the rules are ready-made. It's a very nice companion to AppGuard.
That's it. Encourage others not to learn and not to think. If people cannot wrap their heads around a list of about 50 processes then the entire solar system is lost. Humanity is sunk.

People are not stupid. It is not that difficult to learn about a small list of processes.

However, people are extremely lazy.

Pretty pathetic. What a shame.
 
Likes: shmu26

shmu26

Level 67
Content Creator
Verified
Joined
Jul 3, 2015
Messages
5,623
OS
Windows 10
#77
That's it. Encourage others not to learn and not to think. If people cannot wrap their heads around a list of about 50 processes then the entire solar system is lost. Humanity is sunk.

People are not stupid. It is not that difficult to learn about a small list of processes.

However, people are extremely lazy.

Pretty pathetic. What a shame.
Well, I can't deny that people are by nature lazy, but there are ways that even naturally lazy people (like me) can learn. One of those ways is by examining the ready-made rules in ReHIPS. It was designed by intelligent people, and a person can learn a lot from it.
 

Lockdown

From AppGuard
Developer
Verified
Joined
Oct 24, 2016
Messages
3,894
#78
@shmu26 - the list of vulnerable processes. I made a project of educating users about them, but instead of users doing the right thing and learning, they just used all that stuff as a shortcut and only got themselves into trouble. Hence I pulled all my stuff. The point was to build one's knowledge, not a shortcut to a paranoid AppGuard configuration.

Casey Smith (SubTee) is redoing his stuff on GitHub.

Just locating processes in the Windows file system answers a lot of questions.

If you have a question about any processes you know what to do.
 

shmu26

Level 67
Content Creator
Verified
Joined
Jul 3, 2015
Messages
5,623
OS
Windows 10
#79
@shmu26 - the list of vulnerable processes. I made a project of educating users about them, but instead of users doing the right thing and learning, they just used all that stuff as a shortcut and only got themselves into trouble. Hence I pulled all my stuff. The point was to build one's knowledge, not a shortcut to a paranoid AppGuard configuration.

Casey Smith (SubTee) is redoing his stuff on GitHub.

Just locating processes in the Windows file system answers a lot of questions.

If you have a question about any processes you know what to do.
Thanks.
Now that you mentioned the Windows file system: there are certain processes that, when I search for them, don't appear in the regular locations like System32, but are buried somewhere in C:\WINDOWS\WinSxS\amd64_RANDOM CHARACTERS........
Any insights on that?
 
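The script below is an added example written for this page; it is not code from the thread, from AppGuard or from ReHIPS. It does the "locating processes in the Windows file system" step from post #78 for the interpreters listed in posts #67 and #71 (powershell, powershell_ise, wscript, cscript, cmd, mshta), in both System32 and SysWOW64, and for each file it prints its version, SHA-256 and every hard link the file has. That last column is the answer to the WinSxS question in post #79: on Windows 10 the copy under System32 and the copy under WinSxS\amd64_... are hard links to the same file data, so searching by name finds both paths. The script assumes 64-bit Windows 10, PowerShell 5.1 or later (for -Depth) and an elevated prompt (fsutil); the $interpreters list is the thread's own and can be extended.

```powershell
# Added example (not from the thread, not AppGuard/ReHIPS code).
# Enumerates the script interpreters the thread discusses in both
# System32 and SysWOW64 and shows where each file really lives (WinSxS).
# Assumes: 64-bit Windows 10, PowerShell 5.1+, elevated prompt for fsutil.

$interpreters = 'powershell.exe', 'powershell_ise.exe', 'wscript.exe',
                'cscript.exe', 'cmd.exe', 'mshta.exe'
$roots = "$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64"

# -Depth 3 is enough to reach System32\WindowsPowerShell\v1.0\powershell.exe
# without walking the whole System32 tree.
$found = foreach ($root in $roots) {
    Get-ChildItem -Path $root -Recurse -Depth 3 -File -Include $interpreters `
                  -ErrorAction SilentlyContinue
}

$report = foreach ($file in $found) {
    # fsutil lists every hard link to the same file data, as volume-relative
    # paths (e.g. \Windows\System32\cmd.exe and \Windows\WinSxS\amd64_...\cmd.exe).
    $links = fsutil hardlink list $file.FullName 2>$null |
             Where-Object { $_ -like '*\WinSxS\*' }

    [pscustomobject]@{
        Name    = $file.Name
        Arch    = if ($file.FullName -like '*\SysWOW64\*') { 'x86' } else { 'x64' }
        Path    = $file.FullName
        Version = $file.VersionInfo.ProductVersion
        SHA256  = (Get-FileHash -Algorithm SHA256 -Path $file.FullName).Hash
        WinSxS  = ($links -join '; ')
    }
}

# Two rows per interpreter on a 64-bit system: x64 under System32, x86 under SysWOW64.
$report | Sort-Object Name, Arch | Format-Table -AutoSize -Wrap
```

Run it once before and once after a Windows update to see which of these files changed (different SHA256, different WinSxS component directory): that is the practical use of the hash column when you maintain a list of these executables in AppGuard's User Space or in another rule-based tool. If fsutil returns nothing for a file, the prompt is probably not elevated.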

SHvFl

Level 34
Content Creator
Verified
Joined
Nov 19, 2014
Messages
2,311
OS
Windows 10
Antivirus
Emsisoft
#80
AG has a memory protection (in my point of view), especially against dynamic forking (process hollowing), one process in memory cannot read or modify another process' memory space; this feature is the real power of AG.
@Lockdown can correct me if i'm wrong.
You are right. Maybe I was not clear, but one way or the other both products protect certain applications' memory.
 
Likes: shmu26