Basic Appguard Configuration question

Status
Not open for further replies.
shmu26

shmu26

Level 85
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Forum Veteran
Jul 3, 2015
8,148
1
31,237
8,388
Middle Earth
If I use the default policy, plus I add c:\*powershell* and c:\*script.exe to user space, and set them to "yes". are there any other potentially malicious file types that a user could click on and run?
I am not asking about Office macros and browser exploits etc, I am just asking about clickable files that could pose a security risk.
Powershell is unticked in power apps, so that the user space list will be enforced.
 
  • Like
Reactions: meltcheesedec
shmu26 said:
If I use the default policy, plus I add c:\*powershell* and c:\*script.exe to user space, and set them to "yes". are there any other potentially malicious file types that a user could click on and run?
I am not asking about Office macros and browser exploits etc, I am just asking about clickable files that could pose a security risk.
Powershell is unticked in power apps, so that the user space list will be enforced.
Click to expand...

The default policy covers the most commonly encountered stuff.

How paranoid are you ? Or, how paranoid of a configuration do you want ? How much do you want to block ?

Block *bitsadmin* if you are worried about malicious shortcut (*.lnk) files. It's deprecated, but it is still on your system. Malicious shortcuts can also call interpreters. Block hh.exe because of .chm files, but a malicious .chm will usually just call wscript or cscript to download other malicious files from the internet so you're already covered with the C:\*script.exe policy. We can sit here and make a long list of potentially abused file types. The vast majority of stuff is blocked by disabling interpreters and the user space policies. For a second opinion on this general concept you can ask @Andy Ful.

My best advice, the best course of action is to install AppGuard and soon after just bite the bullet and configure it hard-core one time. What you're doing, really, is protecting against cmd.exe and many exploits. Beyond this initial configuration it is just maintenance and disable stuff temporarily when you need it. Then backup the xml. Ask @Umbra.

After you get that worked out - instead of fiddling around with security softs, their bugs and the problems they cause on your system, you can focus on learning about malware. You focus on security knowledge instead of the damn tools to protect your system.

Whatever you do, you should use what you like and stick with it.
 
  • Like
Reactions: XhenEd, johnyjohn, aragornnnn and 7 others
Lockdown said:
The default policy covers the most commonly encountered stuff.

How paranoid are you ? Or, how paranoid of a configuration do you want ? How much do you want to block ?

Block *bitsadmin* if you are worried about malicious shortcut (*.lnk) files. It's deprecated, but it is still on your system. Malicious shortcuts can also call interpreters. Block hh.exe because of .chm files, but a malicious .chm will usually just call wscript or cscript to download other malicious files from the internet so you're already covered with the C:\*script.exe policy. We can sit here and make a long list of potentially abused file types. The vast majority of stuff is blocked by disabling interpreters and the user space policies. For a second opinion on this general concept you can ask @Andy Ful.

My best advice, the best course of action is to install AppGuard and soon after just bite the bullet and configure it hard-core one time. What you're doing, really, is protecting against cmd.exe and many exploits. Beyond this initial configuration it is just maintenance and disable stuff temporarily when you need it. Then backup the xml. Ask @Umbra.

After you get that worked out - instead of fiddling around with security softs, their bugs and the problems they cause on your system, you can focus on learning about malware. You focus on security knowledge instead of the damn tools to protect your system.

Whatever you do, you should use what you like and stick with it.
Click to expand...
Thanks. I didn't know that bitsadmin worked that way.
I am looking in windows default apps "by file type," and I don't even see .ink in the list. Doesn't that mean it is not clickable as a file?
 
  • Like
Reactions: meltcheesedec
shmu26 said:
Thanks. I didn't know that bitsadmin worked that way.
I am looking in windows default apps "by file type," and I don't even see .ink in the list. Doesn't that mean it is not clickable as a file?
Click to expand...

.lnk = shortcut file that you see on your Desktop for all your programs. It's not in the default apps.
 
  • Like
Reactions: meltcheesedec and shmu26
After you get that worked out - instead of fiddling around with security softs, their bugs and the problems they cause on your system, you can focus on learning about malware. You focus on security knowledge instead of the damn tools to protect your system
Click to expand...
That is the thing what i keep saying everywhere lol. Choose one or two real strong softs , learn them to the core, then all the others apps became irrelevant.
 
  • Like
Reactions: DDE_Server, frogboy, meltcheesedec and 2 others
Yeah, the more knowledge the better, but I don't see why every user has to reinvent the wheel.
OSArmor has a ready-made policy, ReHIPS has a ready-made policy, Florian from Excubits Bouncer maintains a list of vulnerables. They are there to be used, and it makes sense to me to use them.
 
  • Like
Reactions: erreale, meltcheesedec and Sunshine-boy
shmu26 said:
Yeah, the more knowledge the better, but I don't see why every user has to reinvent the wheel.
OSArmor has a ready-made policy, ReHIPS has a ready-made policy, Florian from Excubits Bouncer maintains a list of vulnerables. They are there to be used, and it makes sense to me to use them.
Click to expand...

Ready-made is no problem if the user understands the what is happening behind the ready-made. But given the fact that the vast majority of users have so very many problems with ready-made, it is proof that the missing ingredient is user knowledge. And the only way to learn is by doing. However, it comes down to personal priorities. Some people just don't want to do it. And the fact of the matter is, unless you are a high-risk user doing the most overtly at-risk behaviors, that probability protects systems more than any security soft does, such that fussing with security configurations past a certain point is a waste of time in the grand scheme of things. Security configurations are insurance policies. Nothing more, nothing less. That is reality.
 
Last edited by a moderator:
  • Like
Reactions: Deleted member 178, meltcheesedec, harlan4096 and 1 other person
Lockdown said:
Ready-made is no problem if the user understands the what is happening behind the ready-made. But given the fact that the vast majority of users have so very many problems with ready-made, it is proof that the missing ingredient is user knowledge. And the only way to learn is by doing. However, it comes down to personal priorities. Some people just don't want to do it. And the fact of the matter is, unless you are a high-risk user doing the most overtly at-risk behaviors, that probability protects systems more than any security soft does, such that fussing with security configurations paste a certain point is a waste of time in the grand scheme of things. Security configurations are insurance policies. Nothing more, nothing less. That is reality.
Click to expand...
I have to agree, OSArmor's premade rulesets are so not fitting for me that I have it disabled most of the times.
Especially when the exclusion list is not getting anything done..
 
  • Like
Reactions: meltcheesedec and askmark
Lockdown said:
After you get that worked out - instead of fiddling around with security softs, their bugs and the problems they cause on your system, you can focus on learning about malware. You focus on security knowledge instead of the damn tools to protect your system.
Click to expand...

Well said, @Lockdown .

Related question:
What do you think of those of us who might occasionally come here to MT to review latest trends, tools, advance, etc, in security software, but after putting together a configuration including including AppGuard in Locked Down mode (e.g., mine is SECURE - Meltcheesedec Security Configuration 2018 ), start to feel safe and spend more progressively less time learning about malware?
 
  • Like
Reactions: shmu26
meltcheesedec said:
Well said, @Lockdown .

Related question:
What do you think of those of us who might occasionally come here to MT to review latest trends, tools, advance, etc, in security software, but after putting together a configuration including including AppGuard in Locked Down mode (e.g., mine is SECURE - Meltcheesedec Security Configuration 2018 ), start to feel safe and spend more progressively less time learning about malware?
Click to expand...
To break it down simply, security starts with safe surfing habits/maintenance habits. You should rely on your security only as a back up. It is good to learn about certain threats, and how they may be introduced to your system as well, as it is part of safe surfing habits, knowing what to look for.

There is no need to dwell on security every second of the day, and not utilize your machine for what it is intended for.
 
Last edited by a moderator:
  • Like
Reactions: DDE_Server, upnorth, harlan4096 and 1 other person
Umbra said:
Testing + Google most of the time, twitter is good source too which often leads to github.
Click to expand...
When you test malware samples, what tool(s) do you use, to see what's happening?
I know that @Lockdown likes SpyShelter for this, but what do you use?
 
shmu26 said:
When you test malware samples, what tool(s) do you use, to see what's happening?
I know that @Lockdown likes SpyShelter for this, but what do you use?
Click to expand...
Im not sure what Umbra uses, but thought i would leave a list here of tools i use when im testing. I may or may not add other tools depending on what im testing and how, but this is the base line of tools i utilize mainly.

These 2 products "Regshot,FolderChangesView" allow you to record changes in realtime as the sample executes and makes changes to the system. This is especially important when testing Dynamic portions of a security product. Behavior blockers for example allow a sample to execute and run while monitoring its behavior, this allows it to make changes to the system, what changes are being allowed, which ones are leaving changes after the product has supposedly secured you, how badly is the system corrupted/damaged by those changes most are not even aware happened. If you really want to get into the meat and potatoes of testing, dig deep, to see how samples effect the system, and how the product does as well. Reset the snapshot of your VM between every sample to get the best accurate results while recording all changes and traffic.

Process Explorer
Autoruns
TCPview
PeStudio
Microsoft Message Analyzer
Regshot
FolderChangesView
Hashmyfiles
 
  • Like
Reactions: ZeroDay, shmu26, askmark and 1 other person
Another basic question.....

Just installed AppGuard for the first time and put myself on a bit of a learning curve. I am getting a message saying "prevented google chrome from writing to the registry"

Is it best simply to set this to select "ignore" this message in future ? - what's best ?

I am sure that after a few prompts/answers from more experienced users, I will get the hang of it but for now please bear with me !
 
AMD1 said:
Is it best simply to set this to select "ignore" this message in future ? - what's best ?
Click to expand...
Expected alert so if it is really annoying you, you can ignore it, but personally i let it, i like to know what happens.

Also, it is better to ignore events from: activity report window > select event and right click > ignore message, than directly from the popup.
 
Status
Not open for further replies.

You may also like...