Poll: AppGuard users, do you use it in its default setting?

Discussion in 'AppGuard (Blue Ridge Networks)' started by hamo, Nov 19, 2017.

AppGuard users, do you use it in its default setting?

  1. Yes
     27.6%
  2. No
     72.4%
  1. Lockdown (From AppGuard, Developer)

    #81 Lockdown, Nov 23, 2017
    Last edited: Nov 23, 2017
    AppGuard's Memory Guard provides side-by-side memory protection and not in-line (parent > child) memory protection. It was never designed nor implemented for in-line blocking. That implementation was deliberate. Therefore, Memory Guard does not stop hollow process. Other protection mechanisms in the AppGuard product protect the system and valuable user files if the product is properly configured and used.

    Dynamic forking, technically, is inherently different because of the parent > child relationship.
     
  2. Lockdown (From AppGuard, Developer)

    Windows side-by-side.

    Research it.

    And yes, attacks can be made using Win SxS. (My AppGuard policy disables WinSxS stuff.)

    Search for WinSxS here Fileless attacks - Symantec research report:

    https://www.symantec.com/content/da...he-land-and-fileless-attack-techniques-en.pdf
     
    hamo, harlan4096 and shmu26 like this.
  3. Umbra (From Emsisoft, Developer, Community manager)

    So I found out I was only right on the module, not on what it does :p
     
    shmu26 and Opcode like this.
  4. Opcode (Level 18, Content Creator)

    #84 Opcode, Nov 23, 2017
    Last edited: Nov 23, 2017
    MemProtect is good although I think it will only protect processes from kernel-mode via callbacks to block handle open/duplication requests for the process and its threads, as well as external thread creation into "protected" processes in which a handle has already been acquired (as a bonus potentially). I doubt it will be capable of preventing code injection performed through techniques which don't require a handle/thread creation (e.g. NtUserSetWindowsHookEx (WIN32U), or ROP/JOP chain exploitation possibly abusing shared memory or the like).

    A new code injection technique being labelled as PROPagate for example, which works via exploitation of the SetWindowSubclass Win32 API function (-> WIN32U -> NtUserSetWindowLong), I doubt would be blocked by MemProtect. A PoC hasn't been published on it for checks to be properly made although I doubt a process/thread handle would be required.

    Take my post with a grain of salt because I do not know for sure.
     
    shmu26 and Umbra like this.
  5. Lockdown (From AppGuard, Developer)

    #85 Lockdown, Nov 23, 2017
    Last edited: Nov 23, 2017
    MemProtect does not prevent hollow process. You're misquoting what was stated. And besides, it doesn't matter because if the hollow process has occurred, that means the user has disabled either AppGuard's or Bouncer's protections in the first place and allowed something to execute that either AppGuard or Bouncer would have blocked by default to begin with. So please don't make or automatically assume AppGuard to be less than. Hollow process is not a threat to a system with AppGuard installed. If AppGuard is blocking attacks from launching to begin with, then how can hollow process be a threat? Hollow process cannot be the initiation stage of an attack. It is a post-execution stage. AppGuard blocks execution. Do you understand that? Do you understand the simple concept - no execution, no hollow process? Even if it is in-memory only using only trusted Windows processes (a difficult attack) to hollow process after a post exploit of a browser (like Poweliks - which AppGuard blocks from persistence) or Microsoft Office program, the damage is going to be limited due to restricted privileges. @Opcode - you got anything on this?

    Once you get into the Excubits Bouncer and MemProtect configuration you will quickly find that AppGuard is a comparative breeze.
     
  6. Peter2150 (Level 6)

    I use some of the Excubits drivers and like them, but Lockdown is correct: by comparison AppGuard is a piece of cake.
     
    shmu26 likes this.
  7. Lockdown (From AppGuard, Developer)

    #87 Lockdown, Nov 23, 2017
    Last edited: Nov 23, 2017
    Posts by others in this thread are all tied into the concept of the user who installs the AV that gets glowing IT security news reviews for protecting Microsoft Office programs, but that user does not even have Microsoft Office installed on their system - because they don't want to pay $149 for Microsoft Office. But the IT security review was flawed to begin with, so everything was flawed in the entire chain - or something similar but with completely different details than the example given here. You know the mentality, hypocrisy, and nonsense - you've seen it a million times on the forums.
     
  8. Lockdown (From AppGuard, Developer)

    Anyone who has a valid license for version 4.4.6.1 and wishes to gain access to the installer must contact AppGuard@BlueRidge.com.

    External download links to the 4.4.6.1 installer have been taken down due to unauthorized access, abuse and illegal activity.
     
    XhenEd likes this.
  9. Glashouse (Level 4)

    I do believe that memory protection works both ways, so that a guarded application's memory is also protected against access from other apps; that's why I would like to have it run guarded.
    As my KeePass database is located in a place tagged with privacy, this behavior is more than annoying... it breaks the function.

    I already opened a ticket. Let's see what I get back.
     
    shmu26 likes this.
  10. shmu26 (Level 53)

    Hollow process could also happen if a signed process attempts to carry it out, and AppGuard is in protected mode, correct? Sort of an academic question, because it is pretty unlikely to actually happen.
     
  11. Lockdown (From AppGuard, Developer)

    Sure. If the user downloads and launches a file with a valid certificate. Hollow process gained notoriety with ransomware - in which case AppGuard's Private Folders will protect user files if the user even bothers to use them. The whole hollow process thingy gets blown out of proportion. Just use AppGuard as it is intended to be used and you won't ever have to worry about hollow process. However, try explaining that simple concept to the typical person here and it just goes right over their head. They immediately think you're actually trying to bamboozle them or something.
     
    shmu26 likes this.
  12. Lockdown (From AppGuard, Developer)

    #92 Lockdown, Nov 24, 2017
    Last edited: Nov 24, 2017
    I know how our product's memory protections work. Your understanding is incorrect; Memory Guard is not two-way; it is only one-way.

    You've made an assumption about how the product's protections work, made a configuration based upon your incorrect understanding, and in the process it has inadvertently uncovered a settings bug.
     
    shmu26 likes this.
  13. Glashouse (Level 4)

    It seems like I was on the wrong road regarding the two-way memory protection, as I use it this way with MemProtect on my other machine...

    However, using portable applications in locked-down mode I need to make this a guarded app...

    Thanks for the clarification!
     
    shmu26 likes this.
  14. shmu26 (Level 53)

    Ah, I think I get it now. Signed processes running in user space have privacy protection, so you just need to add your sensitive data to private folders, and you're all set.
     
  15. Glashouse (Level 4)

    [screenshot attachment: upload_2017-11-24_8-47-56.png]
    @shmu26 it depends on the settings of AppGuard, see the screenshot...
     
  16. Umbra (From Emsisoft, Developer, Community manager)

    And that is for Protected Mode with trusted publishers on default settings, set on Lockdown Mode this list is invalid.
     
  17. shmu26 (Level 53)

    Thanks. There is another setting that is worth looking at, it is the list of guarded apps. You will see there that the standard browsers have privacy protection turned on by default, whereas most other guarded apps do not have it. (For instance, if MS Word had privacy protection, then you would not be able to open your private Word files.)

    You could try, just for the experiment, to disable privacy protection for your browser. Probably not a good idea as a permanent solution, though.
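A constructed toy model of the two settings discussed above (Lockdown's one-way, side-by-side Memory Guard and the guarded-app privacy protection shmu26 describes), added here as an illustration and not AppGuard's own code; the process names, folder paths and the outbound direction of the one-way rule are assumptions.

```python
"""Constructed toy model of the AppGuard rules discussed in this thread
(one-way, side-by-side Memory Guard; per-app privacy protection).
Illustration only; the rule details are assumptions, not AppGuard's code."""
from dataclasses import dataclass, field
from pathlib import PureWindowsPath

@dataclass
class Policy:
    # guarded app image name -> its "privacy protection" tick (True/False)
    guarded: dict = field(default_factory=dict)
    # folders tagged as Private Folders
    private_folders: list = field(default_factory=list)

def memory_access(policy, source, target, parent_of):
    """Memory Guard as Lockdown describes it: one-way and side-by-side.
    Only a guarded source reaching into an unrelated process is judged; the
    in-line parent > child case is outside it (direction is an assumption)."""
    if parent_of.get(target) == source:
        return "not evaluated: in-line parent > child"
    if source in policy.guarded:
        return "blocked: side-by-side access from a guarded app"
    return "not evaluated: source is not guarded"

def file_access(policy, process, path):
    """Privacy protection: a guarded app whose privacy flag is on cannot
    open files under a Private Folder (the KeePass and MS Word cases)."""
    target = PureWindowsPath(path)
    in_private = any(target.is_relative_to(PureWindowsPath(p))
                     for p in policy.private_folders)
    return not (in_private and policy.guarded.get(process, False))

def demo():
    """Constructed policy and events mirroring the thread's examples."""
    private = [r"C:\Users\alice\Private"]
    policy = Policy(private_folders=private, guarded={
        "firefox.exe": True, "winword.exe": False, "keepass.exe": True})
    unguarded = Policy(private_folders=private)  # KeePass not a guarded app
    db, doc = r"C:\Users\alice\Private\vault.kdbx", r"C:\Users\alice\Private\a.docx"
    parents = {"child.exe": "firefox.exe"}  # firefox spawned child.exe
    return {
        "guarded_keepass_reads_db": file_access(policy, "keepass.exe", db),
        "unguarded_keepass_reads_db": file_access(unguarded, "keepass.exe", db),
        "browser_reads_db": file_access(policy, "firefox.exe", db),
        "word_reads_private_doc": file_access(policy, "winword.exe", doc),
        "browser_to_explorer": memory_access(policy, "firefox.exe", "explorer.exe", parents),
        "browser_to_own_child": memory_access(policy, "firefox.exe", "child.exe", parents),
        "explorer_to_browser": memory_access(policy, "explorer.exe", "firefox.exe", parents),
    }
```

Running demo() shows the thread's point: the guarded KeePass (privacy on) is cut off from its own database in a Private Folder while the unguarded one is not, and only the side-by-side memory case is blocked.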
     
  18. Glashouse (Level 4)

    @shmu26: Thanks for the suggestion. I don't use KeePass in combination with a browser plugin, just standalone, so there should be no side effect on this.
    To keep my passwords away from the browser stuff (if there are breaches, most of the time it is via browser plugins of PW managers) I don't have a connection but use autotype...
     
    hamo and shmu26 like this.
  19. hamo (Level 8)

    And the link will be unavailable after 1 week passes from the day you received it in your mail.

    This happened to me when I needed the latest 4.xx version.
     
    shmu26 likes this.
  20. Lockdown (From AppGuard, Developer)

    They are being overly generous as the link should be available for only 24 or 48 hours.
     