Q&A AppGuard users, do you use it in its default setting?


Lockdown (From AppGuard, Developer) #81
AG has a memory protection (in my point of view), especially against dynamic forking (process hollowing): one process in memory cannot read or modify another process' memory space; this feature is the real power of AG.
@Lockdown can correct me if I'm wrong.
AppGuard's Memory Guard provides side-by-side memory protection and not in-line (parent > child) memory protection. It was never designed nor implemented for in-line blocking. That implementation was deliberate. Therefore, Memory Guard does not stop hollow process. Other protection mechanisms in the AppGuard product protect the system and valuable user files if the product is properly configured and used.

Dynamic forking, technically, is inherently different because of the parent > child relationship.

Lockdown (From AppGuard, Developer) #82
Thanks.
Now that you mentioned the Windows file system: there are certain processes that, when I search for them, don't appear in the regular locations like System32, but are buried somewhere in C:\WINDOWS\WinSxS\amd64_RANDOM CHARACTERS........
Any insights on that?
Windows side-by-side.

Research it.

And yes, attacks can be made using Win SxS. (My AppGuard policy disables WinSxS stuff.)

Search for WinSxS here, in the Symantec research report on fileless attacks:

https://www.symantec.com/content/da...he-land-and-fileless-attack-techniques-en.pdf
Deleted member 65228 (Guest) #84
Also, according to this topic - Poll - MemProtect , their other software MemProtect protects against process hollowing, something that Lockdown said Appguard doesn't, as well as other memory attack techniques (I guess, haven't studied much, all I know is that I like shiny things, like when you were a kid and you find a 50 cent coin on the floor, that's MemProtect and Bouncer for me right now)
MemProtect is good, although I think it will only protect processes from kernel-mode via callbacks to block handle open/duplication requests for the process and its threads, as well as external thread creation into "protected" processes in which a handle has already been acquired (as a bonus, potentially). I doubt it will be capable of preventing code injection performed through techniques which don't require a handle/thread creation (e.g. NtUserSetWindowsHookEx (WIN32U), or ROP/JOP chain exploitation possibly abusing shared memory or the like).

A new code injection technique being labelled PROPagate, for example, which works via exploitation of the SetWindowSubclass Win32 API function (-> WIN32U -> NtUserSetWindowLong), I doubt would be blocked by MemProtect. A PoC hasn't been published on it for checks to be properly made, although I doubt a process/thread handle would be required.

Take my post with a grain of salt because I do not know for sure.
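As an added illustration (not code from this thread, AppGuard, MemProtect or Excubits) of two points made above, Lockdown's side-by-side versus in-line (parent > child) distinction in #81 and the handle-based access that #84 says MemProtect's kernel callbacks filter, the following constructed Python audit classifies cross-process handle access by the rights granted and by whether the opener is the target's parent. The event fields, pids and image names are made up; the access-right constants are the documented Win32 values.

```python
"""Classify cross-process handle access as side-by-side or in-line.
Constructed illustration, not AppGuard or MemProtect code; pids and images are made up."""
from dataclasses import dataclass

# Documented Win32 process access rights that give an injection primitive
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
PROCESS_SUSPEND_RESUME = 0x0800
INJECTION_RIGHTS = (PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION
                    | PROCESS_VM_WRITE | PROCESS_SUSPEND_RESUME)

@dataclass
class AccessEvent:
    source_pid: int
    source_image: str
    target_pid: int
    target_image: str
    target_parent_pid: int  # pid of the process that spawned the target
    granted_access: int     # access mask granted on the process handle

def classify(ev):
    """Return 'in-line', 'side-by-side', or None for benign access."""
    if ev.source_pid == ev.target_pid:
        return None          # a process opening itself
    if not ev.granted_access & INJECTION_RIGHTS:
        return None          # query/read only: no write, thread or suspend right
    if ev.source_pid == ev.target_parent_pid:
        return "in-line"     # parent -> child: the hollow-process shape
    return "side-by-side"    # unrelated processes

def audit(events, side_by_side_only):
    """Flag events a guard acts on; side_by_side_only=True skips parent -> child,
    the in-line case Memory Guard is described above as not covering."""
    flagged = []
    for ev in events:
        kind = classify(ev)
        if kind is None or (side_by_side_only and kind == "in-line"):
            continue
        flagged.append((ev.source_image, ev.target_image, kind))
    return flagged

# Constructed events: parent hollows child; unrelated tool injects; benign query (0x0410)
SAMPLE_EVENTS = [
    AccessEvent(4100, "dropper.exe", 4120, "svchost.exe", 4100, 0x1FFFFF),
    AccessEvent(3000, "tool.exe", 2200, "browser.exe", 900,
                PROCESS_CREATE_THREAD | PROCESS_VM_WRITE),
    AccessEvent(5000, "Taskmgr.exe", 2200, "browser.exe", 900, 0x0410),
]
```

Running `audit(SAMPLE_EVENTS, True)` flags only the unrelated tool, while the parent-to-child hollowing event is visible only with `side_by_side_only=False`, which is why a detection rule should cover both relationships rather than mirror a side-by-side-only guard.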

Lockdown (From AppGuard, Developer) #85
Also, according to this topic - Poll - MemProtect , their other software MemProtect protects against process hollowing, something that Lockdown said Appguard doesn't, as well as other memory attack techniques (I guess, haven't studied much, all I know is that I like shiny things, like when you were a kid and you find a 50 cent coin on the floor, that's MemProtect and Bouncer for me right now)
MemProtect does not prevent hollow process. You're misquoting what was stated. And besides, it doesn't matter, because if the hollow process has occurred, that means the user has disabled either AppGuard's or Bouncer's protections in the first place and allowed something to execute that either AppGuard or Bouncer would have blocked by default to begin with. So please don't make or automatically assume AppGuard to be less than. Hollow process is not a threat to a system with AppGuard installed. If AppGuard is blocking attacks from launching to begin with, then how can hollow process be a threat? Hollow process cannot be the initiation stage of an attack. It is a post-execution stage. AppGuard blocks execution. Do you understand that? Do you understand the simple concept: no execution, no hollow process? Even if it is in-memory only, using only trusted Windows processes (a difficult attack) to hollow process after a post-exploit of a browser (like Poweliks, which AppGuard blocks from persistence) or Microsoft Office program, the damage is going to be limited due to restricted privileges. @Opcode, you got anything on this?

Once you get into the Excubits Bouncer and MemProtect configuration you will quickly find that AppGuard is a comparative breeze.

Peter2150 (Level 7) #86
Once you get into the Excubits Bouncer and MemProtect configuration you will quickly find that AppGuard is a comparative breeze.
I use some of the Excubits drivers and like them, but Lockdown is correct: by comparison AppGuard is a piece of cake.

Lockdown (From AppGuard, Developer) #87
I use some of the Excubits drivers and like them, but Lockdown is correct: by comparison AppGuard is a piece of cake.
Posts by others in this thread are all tied into the concept of the user who installs the AV that gets glowing IT security news reviews for protecting Microsoft Office programs, but that user does not even have Microsoft Office installed on their system, because they don't want to pay $149 for Microsoft Office. But the IT security review was flawed to begin with, so everything was flawed in the entire chain; or something similar but with completely different details than the example given here. You know the mentality, hypocrisy, and nonsense; you've seen it a million times on the forums.

Lockdown (From AppGuard, Developer) #88
Anyone who has a valid license for version 4.4.6.1 and wishes to gain access to the installer must contact AppGuard@BlueRidge.com.

External download links to the 4.4.6.1 installer have been taken down due to unauthorized access, abuse and illegal activity.

Unnamed member (joined Jun 4, 2017) #89
There is no need to make KeePass a Guarded App.

Does Privacy Mode break anything or is it just annoying you that you cannot disable it permanently?

Make a video or screenshots and submit them as a downloadable link as part of a step-by-step bug report to AppGuard@BlueRidge.com.
I do believe that memory protection works both ways, so that a guarded application's memory is also protected against access from other apps; that's why I would like to have it run guarded.
As my KeePass database is located in a place tagged with privacy, this behavior is more than annoying... it breaks the function.

I already opened a ticket. Let's see what I get back.

shmu26 (Level 67, Content Creator) #90
Even if it is in-memory only, using only trusted Windows processes (a difficult attack) to hollow process after a post-exploit of a browser (like Poweliks, which AppGuard blocks from persistence) or Microsoft Office program, the damage is going to be limited due to restricted privileges.
Hollow process could also happen if a signed process attempts to carry it out, and AppGuard is in protected mode, correct? Sort of an academic question, because it is pretty unlikely to actually happen.

Lockdown (From AppGuard, Developer) #91
Hollow process could also happen if a signed process attempts to carry it out, and AppGuard is in protected mode, correct? Sort of an academic question, because it is pretty unlikely to actually happen.
Sure. If the user downloads and launches a file with a valid certificate. Hollow process gained notoriety with ransomware, in which case AppGuard's Private Folders will protect user files if the user even bothers to use them. The whole hollow process thingy gets blown out of proportion. Just use AppGuard as it is intended to be used and you won't ever have to worry about hollow process. However, try explaining that simple concept to the typical person here and it just goes right over their head. They immediately think you're actually trying to bamboozle them or something.

Lockdown (From AppGuard, Developer) #92
I do believe that memory protection works both ways, so that a guarded application's memory is also protected against access from other apps; that's why I would like to have it run guarded.
As my KeePass database is located in a place tagged with privacy, this behavior is more than annoying... it breaks the function.

I already opened a ticket. Let's see what I get back.
I know how our product's memory protections work. Your understanding is incorrect; Memory Guard is not two-way; it is only one-way.

You've made an assumption about how the product's protections work, made a configuration based upon your incorrect understanding, and in the process it has inadvertently uncovered a settings bug.

Unnamed member (joined Jun 4, 2017) #93
It seems like I was on the wrong road regarding the two-way memory protection, as I use it this way with MemProtect on my other machine...

However, using portable applications in locked-down mode I need to make this a guarded app...

Thanks for the clarification!

shmu26 (Level 67, Content Creator) #94
Sure. If the user downloads and launches a file with a valid certificate. Hollow process gained notoriety with ransomware, in which case AppGuard's Private Folders will protect user files if the user even bothers to use them. The whole hollow process thingy gets blown out of proportion. Just use AppGuard as it is intended to be used and you won't ever have to worry about hollow process. However, try explaining that simple concept to the typical person here and it just goes right over their head. They immediately think you're actually trying to bamboozle them or something.
Ah, I think I get it now. Signed processes running in user space have privacy protection, so you just need to add your sensitive data to private folders, and you're all set.

shmu26 (Level 67, Content Creator) #97
(Attachment 174203: screenshot, not captured)
@shmu26 it depends on the settings of AppGuard, see the screenshot....
Thanks. There is another setting that is worth looking at, it is the list of guarded apps. You will see there that the standard browsers have privacy protection turned on by default, whereas most other guarded apps do not have it. (For instance, if MS Word had privacy protection, then you would not be able to open your private Word files.)

You could try, just for the experiment, to disable privacy protection for your browser. Probably not a good idea as a permanent solution, though.

Unnamed member (joined Jun 4, 2017) #98
@shmu26: Thanks for the suggestion. I don't use KeePass in combination with a browser plugin, just standalone, so there should be no side effect on this.
To keep my passwords away from the browser stuff (if there are breaches, most of the time they are via browser plugins of PW managers), I don't have a connection but use auto-type...

hamo (Level 9) #99
Anyone who has a valid license for version 4.4.6.1 and wishes to gain access to the installer must contact AppGuard@BlueRidge.com.

External download links to the 4.4.6.1 installer have been taken down due to unauthorized access, abuse and illegal activity.
And the link will be unavailable after 1 week passes from the day you received it in your mail.

This happened to me when I needed the latest 4.xx version.

Lockdown (From AppGuard, Developer)
And the link will be unavailable after 1 week passes from the day you received it in your mail.

This happened to me when I needed the latest 4.xx version.
They are being overly generous as the link should be available for only 24 or 48 hours.