Advice Request Looking for suggestions for Appguard

  • Thread starter ForgottenSeer 69673

ForgottenSeer 69673

Thread author
Hello

I am looking for suggestions for my old version of AppGuard. I have included most of my setup as screenshots. Things like more LOLBINS that should be added, etc.
 

ForgottenSeer 95367

Thread author
Hello

I am looking for suggestions for my old version of AppGuard. I have included most of my setup as screenshots. Things like more LOLBINS that should be added, etc.
Analyze the incidence of LOLBin abuse. For example, one study gives

[graph image not reproduced]
 
Bretski

I have been using the LOLBAS Project files on GitHub for things to block in AppGuard, which I've been using continuously since 2014. You can find the files on GitHub's home page by searching for LOLBAS and you will see it. I don't have regsvr32.exe added to user space, but it is a guarded app with memory protection. I run in locked-down mode, so my guarded apps and trusted publishers lists are much larger than yours.

Thanks for the nice graph of useful info Furyo. Can you share where that came from?
 
ForgottenSeer 95367

Thread author

The list of LOLBins is essentially static. Every 3 to 5 years, another few will be added. Then there are those that get removed as LOLBins. So management of the LOLBin policies is not a burden for the user. It's just a simple matter of occasional, judicious maintenance as @ticklemefeet is doing here. Wouldn't it be great if other things in life were so trivially easy to manage?
 
ForgottenSeer 69673

Thread author
Thank you both for the great posts and info. My question is why are you not posting more on the forum? Sadly, the current use of different LOLBINS seems to be progressing more rapidly these days. It would be nice to be able to stay ahead of them. And then there are the undocumented LOLBINS.
 
ForgottenSeer 69673

Thread author
Since I created this thread, I have added a couple more: certutil and desktopimgdownldr.

Have been thinking about adding bitsadmin, aitstatic, deviceEnroller, directxdatabaseupdater, MDMAppinstaller and SpeechModelDownload just for kicks.

What do you think?
 
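As an added example (not from the thread and not AppGuard's own tooling), a PowerShell inventory that checks which of the binaries named in this thread exist on the local machine, who signed them, and which are not yet covered by a block list. The candidate names come from the posts above; `$CurrentlyBlocked` is a placeholder standing in for whatever is actually in your AppGuard user-space and guarded-app lists.

```powershell
# Added example: review which LOLBins named in the thread are present on this host
# and which are not yet in the policy. Edit $CurrentlyBlocked to match your setup;
# the values below are placeholders, not a real AppGuard configuration.
$Candidates = @(
    'certutil.exe', 'desktopimgdownldr.exe', 'bitsadmin.exe', 'aitstatic.exe',
    'deviceenroller.exe', 'directxdatabaseupdater.exe', 'mdmappinstaller.exe',
    'speechmodeldownload.exe', 'regsvr32.exe'
)
$CurrentlyBlocked = @('certutil.exe', 'desktopimgdownldr.exe')   # placeholder policy

# Search both System32 and SysWOW64; some of these binaries live in subfolders,
# so search recursively instead of assuming a top-level path.
$SearchRoots = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")

$report = foreach ($name in $Candidates) {
    $hits = Get-ChildItem -Path $SearchRoots -Filter $name -Recurse -File -ErrorAction SilentlyContinue
    if (-not $hits) {
        # Absent binaries still get a row so the reviewer sees the whole candidate list.
        [pscustomobject]@{
            Binary = $name; Present = $false; Path = $null; Signer = $null
            Blocked = ($CurrentlyBlocked -contains $name)
        }
        continue
    }
    foreach ($f in $hits) {
        # Signer information helps confirm the file is the expected Microsoft binary.
        $sig = Get-AuthenticodeSignature -FilePath $f.FullName
        [pscustomobject]@{
            Binary  = $name
            Present = $true
            Path    = $f.FullName
            Signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'unsigned' }
            Blocked = ($CurrentlyBlocked -contains $name)
        }
    }
}

# Binaries that exist on this host but are not in the block list are the items to review.
$report | Where-Object { $_.Present -and -not $_.Blocked } |
    Format-Table Binary, Path, Signer -AutoSize
```

Rows with `Present = $false` can be dropped from the policy on that host; rows that are present and unblocked are the ones worth deciding on, as the thread is doing.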
ForgottenSeer 95367

Thread author
Sadly, the current use of different LOLBINS seems to be progressing more rapidly these days. It would be nice to be able to stay ahead of them
Not sure how you arrived at this position. Please explain. All evidence (anecdotal) suggests that LOLBin abuse is about the same. The techniques are the same. New TTPs are added slowly, but there is a small, net increase over time. The scale of campaigns is both increasing and decreasing. Which direction depends upon a lot of variables.

What is ever-increasing is attack surface generally. With all the additions of new platforms, and the software needed for those platforms, it is not difficult to see that one of the fundamental security challenges has been, and always shall be, attack surface.

For some discussions, it would be helpful @ticklemefeet if you ping me in a DM.

And then there are the undocumented LOLBINS.
You mean processes that have not yet been added to one of the lists? Those do make it to lists quick enough so as not to negatively impact security in any meaningful way. At least internally, new LOLBins hit the print quickly. I get that it might take a project such as LOLBin to add a process to its maintained list.

What do you think?
Blocking just the Uptycs list will thwart most threats regardless of the vector. It is difficult to give numbers, but the likelihood that an attack will succeed on a hardened Windows image is low - a small number that only matters to statisticians and mathematicians.
 
ForgottenSeer 69673

Thread author
Not sure how you arrived at this position. Please explain. All evidence (anecdotal) suggests that LOLBin abuse is about the same. The techniques are the same. New TTPs are added slowly, but there is a small, net increase over time. The scale of campaigns is both increasing and decreasing. Which direction depends upon a lot of variables.

What is ever-increasing is attack surface generally. With all the additions of new platforms, and the software needed for those platforms, it is not difficult to see that one of the fundamental security challenges has been, and always shall be, attack surface.

For some discussions, it would be helpful @ticklemefeet if you ping me in a DM.

You mean processes that have not yet been added to one of the lists? Those do make it to lists quick enough so as not to negatively impact security in any meaningful way. At least internally, new LOLBins hit the print quickly. I get that it might take a project such as LOLBin to add a process to its maintained list.

Blocking just the Uptycs list will thwart most threats regardless of the vector. It is difficult to give numbers, but the likelihood that an attack will succeed on a hardened Windows image is low - a small number that only matters to statisticians and mathematicians.
I sent you a PM
 

simmerskool

I used AG in the somewhat distant past, probably v4, probably with a lifetime license, perhaps v5; I only generally recall, and recall licensing changes etc., and folks seemed to back away from it. I looked at the AG Solo website today.

I could afford the yearly license for AG Solo, and assume there are advantages to running the current version. I did find some of my older versions, but doubt I have a working license. Is it worth the "effort" to try the 30-day trial? I think I'd have to make some security app changes for it to run smoothly. Is AG Solo easy enough to switch over to, as it seems to be an app that some folks strongly dislike, while others (a smaller population nowadays) like a lot?
 

simmerskool

be aware trial is accessible only after providing credit card
Thanks, I realize the only way to see if I'd like it is to try it out again. I don't exactly remember why I stopped using it other than when they switched the licensing to per annual (after having a lifetime license), although I vaguely recall that at times the optimal tweaking could be (or was) a tad complicated IIRC. Plus being a tad spooked by running an older version as the OS updated when AG was also being updated.
 

simmerskool

Same here. Plus did you try this website? $39.00 a year is not that bad Endpoint Security Solutions and Cybersecurity Company
Yes, thanks for the $39 link, but gee, the various webpages for AG are confusing. It also looks like some AG webpages have changed in the last 2 days! Meanwhile I searched my old info and I find AG v4.3.13.1 and my license number too. I vaguely recall there was a version 5, and perhaps the current is v6 Solo?? But it is hard to get concrete info about the status. I see I have
AppGuard43_Setup.exe sha256= 0715adbb872f60f5465252f1809a06b4687026a81f0f18921abadd2079b4669c circa Feb 2016. Was this the last version 4? I also vaguely recall folks saying v5 & v6 did not offer anything new or better, just different, more expensive licensing. Can you fill in any missing blanks in my notes and memory? I need to either install some version of AG or FORGET it :confused: Not sure why I'm obsessing...? Sorta recall there was a built-in cap or problem with uninstalling & reinstalling.
 

Zero Knowledge

and perhaps the current is v6 solo??

AppGuardSolo 6.7.41.1 coming in @ 53.9MB is the latest version last time I checked.

Can you fill in any missing blanks in my notes and memory?

With V6 it's got extra trusted vendors, more guarded apps and user space apps, and protects the LSASS process out of the box so no security software can write to it. It's also had a few bugs fixed and improved the app somewhat. Not sure if V6 will run on Windows 11; I haven't tried, but I assume it does. V4 will run, but now that AppGuardSolo has been reduced to $39.99 I see no reason not to upgrade since the price is right.
 

simmerskool

AppGuardSolo 6.7.41.1 coming in @ 53.9MB is the latest version last time I checked.

With V6 it's got extra trusted vendors, more guarded apps and user space apps, and protects the LSASS process out of the box so no security software can write to it. It's also had a few bugs fixed and improved the app somewhat. Not sure if V6 will run on Windows 11; I haven't tried, but I assume it does. V4 will run, but now that AppGuardSolo has been reduced to $39.99 I see no reason not to upgrade since the price is right.
Good info. Big thanks!! My "concern" is conflicting with VoodooShield, and I'm willing to uninstall VS to run AGSolo, although I did see some folks at Wilders report running VS & AG together without problems, but that was a few years ago. Not really my intent to run them together. Re my URL "confusion":
AppGuard Solo - AppGuard shows it at $89.95
Page Under Maintenance comes up "website under maintenance"
do you have a URL to buy for $39? I can't find it today, although I recall seeing it the other day.
 