AppGuared users , Do you use in its default setting?

Status
Not open for further replies.

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
AppGuard is the universe's most effective security software - period. No qualification is needed.

I can also state AppGuard is the universe's most capable, most efficient, etc, etc without qualification.
Legally, you can make such claims.
And there is good reason to believe that such claims are true, although I am not one to say, because I know almost nothing about corporate-oriented software, neither am I a professional tester.
But the soft-sell approach is usually more effective.
 

SHvFl

Level 35
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Nov 19, 2014
2,342
for me "memory protection" is that the software has a dedicated module to explicitly monitor the memory which ReHIPS hasn't.
Sure i get what you mean but then appguard should not be called memory protection either because it doesn't really monitor but it blocks or not depending on a flag in settings. Anw i don't know what is called but both in certain scenarios protect memory "sharing/manipulation".

But I only said it has memory protection for exploitable apps, which is thanks to the isolation. Fixer (or was it @SHvFl?) once explained to me that isolated apps, since they are running in a different and limited user account, do not have memory access to processes running in real user account.
Yeah that is the case. @Umbra just has a different idea in mind of what should be called memory protection which is cool. We can't all define things in the same way but don't worry about it. Both programs protect you if you set them up properly. They are quality products and they thought things through for you.
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
I googled for Windows 10 process detail to learn my self, but I found only Win7 20 Windows processes you can kill to make your PC run quicker
Most of that stuff about making your PC run quicker will probably not make a difference that you can feel in real life. You could disable windows indexing, which can slow your PC down sometimes, but doing that will cripple windows search.

If you want to generally control windows processes, you might want something like this:
O&O ShutUp10: download free antispy tool for Windows 10

If you want to restrict vulnerable processes, which appguard is good at, check out this thread:
Vulnerable Processes
There is a link there to spreadsheet created by @Lockdown in a previous incarnation, but he seems to have taken down the link. Maybe he has a new and updated list somewhere.
 
5

509322

If you want to restrict vulnerable processes, which appguard is good at, check out this thread:
Vulnerable Processes
There is a link there to spreadsheet created by @Lockdown in a previous incarnation, but he seems to have taken down the link. Maybe he has a new and updated list somewhere.

I didn't take the GitHub lists down. They were taken down by the original authors - Casey Smith aka SubTee.

The spreadsheet was taken down by me. People need to research vulnerable processes and learn for themselves. They were using the spreadsheet as a shortcut and not putting forth the effort the learn anything - especially what they needed to know.
 
  • Like
Reactions: SHvFl
5

509322

But the soft-sell approach is usually more effective.

I am not selling anything here at MT.

@shmu26 - you're not going to understand this part but it is a reply to an earlier post by another - the vast majority of people here at MT either want or expect free or some economically unfeasible price like $10 for a lifetime license. AppGuard LLC is not interested in that market demographic as it doesn't retain employees nor the lights on. Until the world's money-based economic system no longer applies and becomes some idealistic Utopia where everybody and all companies can live and exist for free, AppGuard LLC is going to expect payment for its product at a level that makes economic sense.
 
Last edited by a moderator:
  • Like
Reactions: shmu26 and SHvFl

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
+ 1
Thanks shmu26, this is what I looking for to learn.
Interesting & helpful link for me JPCERT/CC Blog : Windows Commands Abused by Attackers
Yeah, that link is pretty interesting. It is mainly about how malware finds out what you have on your system, like if it wants to encrypt your photos, it looks for image files. Or maybe it wants to know what AV you are using, so it can turn it off. Some of those processes help it make a network connection, like for a RAT.

But the processes that are most crucial to restrict, in order to prevent the actual attack, are the script interpreters. If you have a 64x system, most of the time you will have two of each. One in Windows/System32, and the other in Windows/SysWOW64.
These are some of the most commonly abused script interpreters:
powershell
powershell_ISE
wscript
cscript
cmd

The first 4 are rarely needed by your system or software, you can safely block them without crippling your computer.

If you have these 5 processes (if 64 bit system, then it is 10 processes) under control, one way or another, you have significantly limited the ability of malware to run.

There are people following this thread who know a lot more about the subject than I do, so I hope they will correct any inaccuracies...
 
  • Like
Reactions: hamo and AtlBo
D

Deleted member 178

Sure i get what you mean but then appguard should not be called memory protection either because it doesn't really monitor but it blocks or not depending on a flag in settings.
AG has a memory protection (in my point of view), especially against dynamic forking (process hollowing), one process in memory cannot read or modify another process' memory space; this feature is the real power of AG.
@Lockdown can correct me if i'm wrong.
 

paulderdash

Level 6
Verified
Well-known
Apr 28, 2015
271
Disable powershell - permanently.

powershell is not needed by home users.

A. Untick powershell in the Guarded Apps list.
B. Add powershell to the User Space list and set it to "Yes."

powershell is used by malc0ders to attack a system by various methods.
And Lenovo crapware. :sneaky:

I have a very customised AppGuard 4.4.6.1 on one machine, but I think on my unopened Dell XPS 13 (8th Gen Intel) I'll probably run a more vanilla version of (Granite) AppGuard and control vulnerable processes in NVT ERP.
 
Last edited:
  • Like
Reactions: AtlBo and shmu26

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
I get lost when I look at a list of all the possibly vulnerable processes. That's why I like ReHIPS, they did the thinking for me, the rules are ready-made. It's a very nice companion to AppGuard.
 
  • Like
Reactions: AtlBo

boredog

Level 9
Verified
Jul 5, 2016
416
Yeah, that link is pretty interesting. It is mainly about how malware finds out what you have on your system, like if it wants to encrypt your photos, it looks for image files. Or maybe it wants to know what AV you are using, so it can turn it off. Some of those processes help it make a network connection, like for a RAT.

But the processes that are most crucial to restrict, in order to prevent the actual attack, are the script interpreters. If you have a 64x system, most of the time you will have two of each. One in Windows/System32, and the other in Windows/SysWOW64.
These are some of the most commonly abused script interpreters:
powershell
powershell_ISE
wscript
cscript
cmd

The first 4 are rarely needed by your system or software, you can safely block them without crippling your computer.

If you have these 5 processes (if 64 bit system, then it is 10 processes) under control, one way or another, you have significantly limited the ability of malware to run.

There are people following this thread who know a lot more about the subject than I do, so I hope they will correct any inaccuracies...
Besides those I also have mshta both 32 and 64 added to user space.
 
  • Like
Reactions: AtlBo and shmu26

Glashouse

Level 4
Verified
Well-known
Jun 4, 2017
174
Using AppGuard I just noticed a behavior I can't understand.
I want KeePass to be a GuardedApp. Everything works fine except the fact that for KeePass privacy gets enabled and there is nothing I can do against it.
I turn it off and it gets enabled again by AppGuard... No matter if I use the installer or the portable version...

any ideas on this?
 
  • Like
Reactions: AtlBo

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
Using AppGuard I just noticed a behavior I can't understand.
I want KeePass to be a GuardedApp. Everything works fine except the fact that for KeePass privacy gets enabled and there is nothing I can do against it.
I turn it off and it gets enabled again by AppGuard... No matter if I use the installer or the portable version...

any ideas on this?
I am guessing that keepass inherits the rules of your browser, which probably has privacy enabled by default. I don't know how keepass actually works, so this is just a conjecture.
You could try disabling privacy for the browser, and see if that helps.
 
5

509322

Using AppGuard I just noticed a behavior I can't understand.
I want KeePass to be a GuardedApp. Everything works fine except the fact that for KeePass privacy gets enabled and there is nothing I can do against it.
I turn it off and it gets enabled again by AppGuard... No matter if I use the installer or the portable version...

any ideas on this?

There is no need to make KeePass a Guarded App.

Does Privacy Mode break anything or is it just annoying you that you cannot disable it permanently ?

Make a video or screenshots and submit them as a downloadable link as part of a step-by-step bug report to AppGuard@BlueRidge.com.
 
5

509322

I get lost when I look at a list of all the possibly vulnerable processes. That's why I like ReHIPS, they did the thinking for me, the rules are ready-made. It's a very nice companion to AppGuard.

That's it. Encourage others not to learn and not to think. If people cannot wrap their heads around a list of about 50 processes then the entire solar system is lost. Humanity is sunk.


People are not stupid. It is not that difficult to learn about a small list of processes.

However, people are extremely lazy.

Pretty pathetic. What a shame.
 
  • Like
Reactions: shmu26

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
That's it. Encourage others not to learn and not to think. If people cannot wrap their heads around a list of about 50 processes then the entire solar system is lost. Humanity is sunk.


People are not stupid. It is not that difficult to learn about a small list of processes.

However, people are extremely lazy.

Pretty pathetic. What a shame.
Well, I can't deny that people are by nature lazy, but there are ways that even naturally lazy people (like me) can learn. One of that ways is by examining the ready-made rules in ReHIPS. It was designed by intelligent people, and a person can learn a lot from it.
 
5

509322

@shmu26 - the list of vulnerable processes. I made a project of educating users about them, but instead of users doing the right thing and learning they just used all that stuff as a short cut and only got themselves into trouble. Hence I pulled all my stuff. The point was to build one's knowledge and not a shortcut to a paranoid AppGuard configuration.

Casey Smith (SubTee) is redoing his stuff on GitHub.

Just locating processes in the Windows file system answers a lot of questions.

If you have a question about any processes you know what to do.
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
@shmu26 - the list of vulnerable processes. I made a project of educating users about them, but instead of users doing the right thing and learning they just used all that stuff as a short cut and only got themselves into trouble. Hence I pulled all my stuff. The point was to build one's knowledge and not a shortcut to a paranoid AppGuard configuration.

Casey Smith (SubTee) is redoing his stuff on GitHub.

Just locating processes in the Windows file system answers a lot of questions.

If you have a question about any processes you know what to do.
Thanks.
Now that you mentioned Windows file system, there are certain processes that when I search for them, they don't appear in the regular locations like System32, but are buried somewhere in C:\WINDOWS\WinSxS\amd64_RANDOM CHARACTERS........
Any insights on that?
 
  • Like
Reactions: AtlBo and SHvFl

SHvFl

Level 35
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Nov 19, 2014
2,342
AG has a memory protection (in my point of view), especially against dynamic forking (process hollowing), one process in memory cannot read or modify another process' memory space; this feature is the real power of AG.
@Lockdown can correct me if i'm wrong.
You are right. Maybe i was not clear but one way or the other both products protect certain applications memory.
 
  • Like
Reactions: shmu26
Status
Not open for further replies.

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top