Advice Request Looking for suggestions for Appguard

[ForgottenSeer 69673]

Hello

I am looking for suggestions for my old version of Appguard. I have included most of my setup as screen shots. Things like more LOLBINS that should be added ect.

 

[ForgottenSeer 95367]

Hello

I am looking for suggestions for my old version of Appguard. I have included most of my setup as screen shots. Things like more LOLBINS that should be added ect.

Analyze the incidence of LOLBin abuse. For example, one study gives

 

[Bretski]

I have been using the LOLBAS Project files on Github for things to block in AppGuard, which I've been using continuously since 2014. You can find the files on Github's home page by searching for LOLBAS and you will see it. I don't have regsvr32exe added to user space but it is a guarded app with memory protection. I run in locked down mode so my guarded apps and trusted publishers lists are much larger than yours.

Thanks for the nice graph of useful info Furyo. Can you share where that came from?

 

[ForgottenSeer 95367]

LOLBins Are No Laughing Matter: How Attackers Operate Quietly

Recent threat research on living off the land binaries and how it affects cloud security.

www.uptycs.com

The list of LOLBins is essentially static. Every 3 to 5 years, another few will be added. Then there are those that get removed as LOLBins. So management of the LOLBin policies is not a burden for the user. It's just a simple matter of occasional, judicious maintenance as @ticklemefeet is doing here. Wouldn't it be great if other things in life were so trivially easy to manage?

 

[ForgottenSeer 69673]

Thank You both for the great posts and info. MY question is why are you not posting more on the forum? Sadly, the current use of different LOLBINS seems to be progressing more rapidly these days. It would be nice to be able to stay ahead of them. And then there is the undocumented LOLBINS.

 

[ForgottenSeer 69673]

Sine I created this thread, I have added a couple more. certutil and desktopimgdownldr

Have been thinking about adding bitsadmin, aitstatic, deviceEnroller, directxdatabaseupdater, MDMAppinstaller and SpeechModelDownload just for kicks.

What do you think?

 

[ForgottenSeer 95367]

Sadly, the current use of different LOLBINS seems to be progressing more rapidly these days. It would be nice to be able to stay ahead of them

Not sure how you arrived at this position. Please explain. All evidence (anecdotal) suggests that LOLBin abuse is about the same. The techniques are the same. New TTPs are added slowly, but there is a small, net increase over time. The scale of campaigns are both increasing and decreasing. Which direction depends upon a lot of variables.

What is ever-increasing is attack surface generally. With all the additions of new platforms, and the software needed for those platforms, it is not difficult to see that one of the fundamental security challenges has been, and always shall be attack surface.

For some discussions, it would be helpful @ticklemefeet if you ping me in a DM.

And then there is the undocumented LOLBINS.

You mean processes that have not yet been added to one of the lists? Those do make it to lists quick enough so as not to negatively impact security in any meaningful way. At least internally, new LOLBins hit the print quickly. I get that it might take a project such as LOLBin to add a process to its maintained list.

What do you think?

Blocking just the Uptycs list will thwart most threats regardless of the vector. It is difficult to give numbers but the likelihood that an attack will succeed on a hardened Windows image is low - a small number that only matters to statisticians and mathematicians.

 

[ForgottenSeer 69673]

Not sure how you arrived at this position. Please explain. All evidence (anecdotal) suggests that LOLBin abuse is about the same. The techniques are the same. New TTPs are added slowly, but there is a small, net increase over time. The scale of campaigns are both increasing and decreasing. Which direction depends upon a lot of variables.

What is ever-increasing is attack surface generally. With all the additions of new platforms, and the software needed for those platforms, it is not difficult to see that one of the fundamental security challenges has been, and always shall be attack surface.

For some discussions, it would be helpful @ticklemefeet if you ping me in a DM.


You mean processes that have not yet been added to one of the lists? Those do make it to lists quick enough so as not to negatively impact security in any meaningful way. At least internally, new LOLBins hit the print quickly. I get that it might take a project such as LOLBin to add a process to its maintained list.


Blocking just the Uptycs list will thwart most threats regardless of the vector. It is difficult to give numbers but the likelihood that an attack will succeed on a hardened Windows image is low - a small number that only matters to statisticians and mathematicians.

I sent you a PM

 

[simmerskool]

I used AG in somewhat distant past, probably v4, probably with lifetime license, perhaps v5, I only generally recall, and recall licensing changes etc, and folks seemed to back away from it. I looked at AG Solo website today.

AppGuard Solo Malware Blocker

Home Blog News Privacy Policy BEST PC Cyber-Safety Solution "NO APPGUARD CUSTOMER HAS EVER REPORTED A BREACH" (Your Welcome Email Contains A Link To

appguardsolo.com

I could afford the yearly license for AG Solo, and assume there are advantages to running current version. I did find some of my older versions, but doubt I have a working license. Is it worth "effort" to try the 30-day trial, I think I'd have to make some security app changes for it to run smoothly. Is AG Solo easy enough to switch over to as It seems to be an app that some folks strongly dislike, while others (a smaller population now-a-days) like a lot.

 

[Andrezj]

Is it worth "effort" to try the 30-day trial?

be aware trial is accessible only after providing credit card

 

[simmerskool]

be aware trial is accessible only after providing credit card

thanks, I realize the only way to see if I'd like it, is to try it out again. I don't exactly remember why I stopped using it other than when they switched the licensing to per annual (after having a lifetime license) although I vaguely recall that at times the optimal tweaking could be (or was) a tad complicated IIRC. Plus being a tad spooked by running an older version as OS updated when AG was also being updated.

 

[dinosaur07]

Still working good to me v.4 lifetime in both Windows 10 and 11.

 

[ForgottenSeer 69673]

Still working good to me v.4 lifetime in both Windows 10 and 11.

Same here. Pus did you try this website? $ 39.00 a year is not that bad Endpoint Security Solutions and Cybersecurity Company

 

[simmerskool]

Still working good to me v.4 lifetime in both Windows 10 and 11.

Good to know thanks. I have various older versions in storage, but think my license got borked a long time ago. Still thinking about current AG Solo, but not a high priority.

 

[simmerskool]

Same here. Pus did you try this website? $ 39.00 a year is not that bad Endpoint Security Solutions and Cybersecurity Company

Thanks! I'll check it out.

 

[Andrezj]

Thanks! I'll check it out.

at that price could be only single license for 1 device

 

[ForgottenSeer 69673]

at that price could be only single license for 1 device

yes, not corporate lic

 

[simmerskool]

Same here. Pus did you try this website? $ 39.00 a year is not that bad Endpoint Security Solutions and Cybersecurity Company

yes, thanks for the $39 link, but gee the various webpages for AG are confusing. It also looks like some AG webpages have changed in the last 2 days! Meanwhile I searched my old info and I find AG v4.3.13.1 and my license number too. I vaguely recall there was a version 5, and perhaps the current is v6 solo?? but it is hard to get concrete info about the status. I see I have
AppGuard43_Setup.exe sha256= 0715adbb872f60f5465252f1809a06b4687026a81f0f18921abadd2079b4669c circa Feb 2016. Was this the last version 4? I also vaguely recall folks saying v5 & v6 did not offer anything new or better, just different more expensive licensing. Can you fill-in any missing blanks in my notes and memory? I need to either install some version of AG or FORGET it Not sure why I'm obsessing...? Sorta recall there was a built-in cap or problem with uninstalling & reinstalling.

 

[Zero Knowledge]

and perhaps the current is v6 solo??

AppGuardSolo 6.7.41.1 coming in @ 53.9MB is the latest version last time I checked.

Can you fill-in any missing blanks in my notes and memory?

With V6 it's got extra trusted vendors, more guarded apps and user space apps, and protects LASS process out of the box so no security software can write to it. It's also had a few bugs fixed and improved the app somewhat. Not sure if V6 will run on Windows 11, I haven't tried but I assume it does. V4 will run but now AppGuardSolo has been reduced to $39.99 I see no reason not to upgrade since the price is right.

 

[simmerskool]

AppGuardSolo 6.7.41.1 coming in @ 53.9MB is the latest version last time I checked.



With V6 it's got extra trusted vendors, more guarded apps and user space apps, and protects LASS process out of the box so no security software can write to it. It's also had a few bugs fixed and improved the app somewhat. Not sure if V6 will run on Windows 11, I haven't tried but I assume it does. V4 will run but now AppGuardSolo has been reduced to $39.99 I see no reason not to upgrade since the price is right.

Good info. Big thanks!! My "concern" is conflicting with Voodooshield, and I'm willing to uninstall VS to run AGSolo, although I did some folks at wilders report running VS & AG together without problems, but that was a few years ago. Not really my intent to run them together. Re my URL "confusion"
AppGuard Solo - AppGuard shows it at $89.95
Page Under Maintenance comes up "website under maintenance"
do you have a URL to buy for $39? I can't find it today, although I recall seeing it the other day.