Battle Question: AppGuard compared with AppCheck

Aktiffiso

Level 8
Thread author
Verified
Aug 24, 2013
395
Now I am using WinAntiRansom, but I am looking for a good anti-exe. I see AppGuard and AppCheck; I know AppGuard is a legendary piece of software, but I know AppCheck doesn't do badly either. What do you think?
 

509322

Now I am using WinAntiRansom, but I am looking for a good anti-exe. I see AppGuard and AppCheck; I know AppGuard is a legendary piece of software, but I know AppCheck doesn't do badly either. What do you think?

I don't know anything about AppCheck as I never tried it. Perhaps @Opcode could comment.

AppGuard is a general-purpose anti-malware software restriction policy using the default policies. Only very specific, rare types of attacks are going to get past the default policies. They are the kind of attacks that only the paranoid worry about, even though one of those attacks will never hit their systems within their lifetimes.

The user can customize the AppGuard policies to prevent advanced and sophisticated attacks. The advantage of software restriction policy software is the high degree of flexibility, low ongoing user maintenance, and high protection.
 

XhenEd

Level 28
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 1, 2014
1,708
Why different?
AppGuard is mainly a Software Restriction Policy (SRP) software. :)
AppCheck is an anti-ransomware software. :)

Their designs are completely different. Therefore, they can't be directly compared. :)

If you want, you can combine both. But the question is, why would you? If you insist on choosing only one, then I would go for AppGuard. :)
 

Deleted member 65228

I will provide an answer to the question based on my own preference, thoughts and personal testing. I am not trying to "bash" a product to make them lose sales or customers; I am just sharing my own personal views based on testing. I cannot say much about WinAntiRansom as I have not personally tested it, but I have read things about it (and remember, not everything you read online is true, so take it all with a grain of salt). Sometimes the truth hurts, so if I did bash anyone, take it as criticism to be taken in and improved on, not as an "attack". Honesty is the best policy.

1. WinAntiRansom. I feel that this used to be much more popular and has lost customers recently. I recall seeing another discussion on it around here recently, where a video from Britec was shared about the product. In the video, the software fails entirely and doesn't seem to block anything at all. At the same time, many people have been complaining about false positive detections lately.

You can find the video here:
Take it with a grain of salt though; it could have been a since-fixed bug or a problem with the setup.



I am sure the product can be good but I just cannot say anything more. Sorry.


2. AppCheck. AppCheck is an OK product which is co-owned by two ex-AhnLab staff members (About Us - CheckMAL). I personally do not like AppCheck that much because I think that their marketing is ridiculous and that they make their product appear so much better than it really is - I know, marketing is usual and every vendor makes their product look better than it is sometimes, but I get a different "feeling" with their website and when testing their product.

The website basically talks about how they are this and that... Yeah, you'll see what I mean when you check it out.

[Screenshots of the CheckMAL website and the AppCheck free/Pro feature-comparison chart]

To alter the Master Boot Record you will require administrative rights; you cannot do it with standard rights. This explains why Petya samples require elevation. I went hunting with their self-protection and within minutes found a way to shut them down... Yes, I did require administrator rights, and yes, they did protect the processes from being terminated initially. They failed to protect the services properly though. I did speak to them about it and I was essentially told that they did not feel they were a "big" target, so they intentionally made the self-protection weak, which to me is a big red flag because it implies to me that they know how to improve it and make it more secure but couldn't be bothered to. Who knows? Maybe improving it got in the way of another component within their product, but surely you should design it in a way that the components won't conflict with each other, so that it being more secure isn't a problem.

All in all, my test demonstration sample did the following:
- Shut down AppCheck entirely (no trace of their processes/services - this means that their device driver/s were also unloaded from memory)
- Executed the Petya sample, which was then able to infect the system by overwriting the Master Boot Record and force-crash the system to get the fake CHKDSK screen to appear (which the Pro version would have blocked by default -> the MBR modification attempt).

If we look at the above chart screenshots, the MBR protection is a feature on the Pro version; however, the self-protection is on both the free and paid version. Plot twist... I was using the free version, which means I did not actually have access to the MBR protection. I certainly was not going to pay for their product so I could test one thing, and I doubt they would give me back my money, so I had to make do with what I had.

This was not a problem. I spoke to AppCheck myself and they essentially told me that it was intentionally weak (the self-protection) because they did not feel they were a "target" for malware. Explain this to me... They are not a "target", but they have 350k+ users each month according to their website (makes me wonder if that was true or just a lie)? The point is to be prepared so you cannot be attacked easily, not to do nothing until you actually get attacked. They never said to me that the MBR protection would have still worked after the bypass was deployed (I did send them all the files; it was a very basic technique to shut them down... Too basic). In other words, the MBR protection would have been gone just like all the other protection, had it been the paid version I was testing. Fantastic! :rolleyes:

Using that logic it is like saying:
I should leave my house front door unlocked and open each night because no one will ever try and burgle my house. Stupid isn't it?

I would not mind if it took a lot to bypass, because obviously no self-protection is foolproof and there can always be a new workaround or intriguing attempt. However, in this case there was nothing complex or interesting to it. It was very simple and, without exaggeration, it took hardly any time of my day to do it. Not only this, but it would have removed the MBR protection, which is a paid feature... (y)

Typically speaking, companies do not focus as much on self-protection bypasses that require elevation, because you get a lot more privileges and it can be trickier to patch. Vendors like Avast, AVG, Avira, Kaspersky, ESET and what-not will not ignore them if they require elevation, because of the amount of resources they have and skilled employees with years and years of experience dipping into Windows internals and writing stable and efficient code, so I can understand why a smaller company like CheckMAL would be lacking in that department or ignoring it for now because of that (at the same time, I feel it should have been much better at the time of testing, since they do use it as a selling point on their website). However, in this scenario, Petya would have required elevation anyway; therefore I gained elevation so I could have the same rights Petya would have had to try and bypass it, and then deployed Petya elevated... I think it was 100% fair due to the circumstances.

To end my personal verdict on AppCheck, the product is OK and does work. My ransomware test was not extensive because I was more or less finished with bothering after my Petya-allowance test which succeeded, but they will improve over time and maybe they have improved their self-protection already. It would not be such a bad idea to use it, but I would not blend it with any of the products mentioned in the original post and I doubt I would ever pick it for my own configuration.

If someone thinks I am a "liar" or my test was flawed for using the free version even though the paid version would not have kept the MBR protection after the SP bypass, find a way for me to gain access to the Pro version (e.g. temp pro key from them) and I can re-test with it to prove that is the case.


3. AppGuard. I feel awkward about what I am about to say next because I do not want anyone to feel it is biased (since I was tagged by Lockdown to see if I could comment and he is also a member here), but hands down AppGuard is by far my favourite out of all the discussed software here and it works incredibly well at what it is designed to do - it is well-made and stable.

AppGuard is unique in the sense that it is an SRP (Software Restriction Policy), which means that, depending on the configuration, programs won't be able to perform specific actions regardless of whether they are clean or malicious. Unless you manually add a program to the list, it is not going to be allowed to run, and you can set up a configuration for it to prevent it from performing specific actions. On that note, it also has proper self-protection, unlike some other products... A bypass like the one described earlier would have NEVER worked with a product like AppGuard, not in a million years. :sneaky:

Let's say I want a program called test.exe to run and I set up a configuration for it, and then I try to inject code into notepad.exe (the official one, which is trusted and allowed to run). That code injection attack can be automatically blocked, because test.exe won't be able to modify the memory of notepad.exe, depending on the configuration.

AppGuard also comes with a Trusted Publishers list to prevent everything from being blocked entirely (e.g. Windows applications are safe, and there is software provided by very popular and large corporations which is safe), and this reduces problems with the user having to keep fixing stuff.

Depending on who you are and what you do on your system, it could potentially be a bit high maintenance in comparison to the standard approach of installing an Anti-Virus product, where you would toggle a few settings and leave it there forever more, but it certainly is beneficial, and if it is used properly it undoubtedly protects you very well.

Companies should look more into AppGuard as well, and SRP all together if they do not already. It could help them out a lot...

The only product I would recommend to someone discussed within this thread would be AppGuard and the other two mentioned products don't come close to me actually recommending to someone who did not ask about them prior. That speaks for itself. I found nothing of concern to me with AppGuard... I really like it and I think it is good.

I only tested AppGuard less than 2 weeks ago; I was really impressed with how useful it can really be. They are on the right track and have hit the nail on the head. I do not personally use it, but I can recommend it without breaking a sweat or looking back and regretting doing so.
------------------------------------------

TL;DR: WAR seems to have problems these days according to others, AppCheck is not reliable for MBR protection even with the Pro version and has dodgy marketing IMO, and AppGuard is a solid rock which can protect you really well (my personal thoughts).

I think that you should try out software you are considering using (and if there is no trial for AppGuard anymore then maybe Lockdown could help you out with that) and decide which one you are most comfortable with. I do not want to tell you "You should use XXXXX" because I would rather you decide for yourself, but my personal thoughts are above on the three different software mentioned. :)

-Opcode.