shmu26

Level 74
Content Creator
Trusted
Verified
Thanks @Andy Ful and @shmu26 for clearing my doubts about Appguard settings. I'm still using version 4 since I have a lifetime licence. I had some queries regarding AppGuard but can't seem to find the AppGuard section here at MT.
Yes, it seems like that section disappeared. The Appguard rep who provided support on that thread is no longer a member of the forum. But there are still some experienced Appguard users around who can answer questions.
 

ticklemefeet

Level 21
Verified
Add bitsadmin.exe and the interpreters from the C:\Windows folder (and subfolders) to the User Space:
c:\Windows\*\bitsadmin.exe
c:\Windows\*\powershell.exe
c:\Windows\*\powershell_ise.exe
c:\Windows\*\wscript.exe
c:\Windows\*\cscript.exe
c:\Windows\*\mshta.exe
c:\Windows\*\hh.exe
c:\Windows\*\wmic.exe
c:\Windows\*\scrcons.exe
Check the AppGuard log to see whether those rules block something safe.
You should also block opening the shortcuts from the Download folder in all user profiles. (y)
Andy, does your wildcard cover both sys32 and syswow64 for version 4 too? I think it does, but I'm not completely sure. Also I have c:\windows\\reg.exe added to user space as well as c:\windows\\at.exe.

Andy Ful

Level 37
Content Creator
Trusted
Verified
Andy, does your wildcard cover both sys32 and syswow64 for version 4 too? I think it does, but I'm not completely sure. Also I have c:\windows\\reg.exe added to user space as well as c:\windows\\at.exe.
Yes.(y)
You can check if your rules work by trying to run any of those executables and next looking at the AppGuard log.
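An added example (not from the thread or from AppGuard) that models the User Space rules quoted above as path patterns and resolves them against a constructed sample of 64-bit Windows executable locations. It assumes two possible readings of `*` (spanning nested subfolders, or matching exactly one folder name); AppGuard's real wildcard semantics are not documented on this page, which is why the log check Andy recommends is still the final word.

```python
import re
from typing import Dict, List

# AppGuard User Space rules quoted in the thread above.
USER_SPACE_RULES = [
    r"c:\Windows\*\bitsadmin.exe",
    r"c:\Windows\*\powershell.exe",
    r"c:\Windows\*\powershell_ise.exe",
    r"c:\Windows\*\wscript.exe",
    r"c:\Windows\*\cscript.exe",
    r"c:\Windows\*\mshta.exe",
    r"c:\Windows\*\hh.exe",
    r"c:\Windows\*\wmic.exe",
    r"c:\Windows\*\scrcons.exe",
]

# Constructed sample of where some of these binaries live on a 64-bit
# install (assumption for the demo; confirm on your own machine).
SAMPLE_PATHS = [
    r"C:\Windows\System32\bitsadmin.exe",
    r"C:\Windows\SysWOW64\bitsadmin.exe",
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
    r"C:\Windows\System32\wscript.exe",
    r"C:\Windows\SysWOW64\wscript.exe",
    r"C:\Windows\System32\wbem\wmic.exe",
    r"C:\Windows\System32\wbem\scrcons.exe",
    r"C:\Windows\System32\reg.exe",  # not in the rule list above
]


def rule_to_regex(rule: str, star_spans_folders: bool) -> "re.Pattern[str]":
    """Turn one path rule into a case-insensitive regex. With
    star_spans_folders=True, '*' may cover nested folders (System32\wbem);
    with False it matches exactly one folder name (assumed semantics)."""
    star = r".+" if star_spans_folders else r"[^\\]+"
    parts = [re.escape(p) for p in rule.split("*")]
    return re.compile("^" + star.join(parts) + "$", re.IGNORECASE)


def coverage(rules, paths, star_spans_folders=True) -> Dict[str, List[str]]:
    """Map each rule to the sample paths it would match."""
    return {r: [p for p in paths if rule_to_regex(r, star_spans_folders).match(p)]
            for r in rules}


def uncovered(rules, paths, star_spans_folders=True) -> List[str]:
    """Sample paths no rule matches; anything here needs its own rule."""
    hit = {p for ps in coverage(rules, paths, star_spans_folders).values() for p in ps}
    return [p for p in paths if p not in hit]
```

Under the one-folder reading, the nested PowerShell and wbem paths fall out of coverage, so that is exactly what to look for in the log after trying to launch them.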

shmu26

Level 74
Content Creator
Trusted
Verified
Also I have c:\windows\\reg.exe added to user space as well as c:\windows\\at.exe.
That is standard for Appguard. It's good, leave it that way.

By the way, whenever you add something to the user space list, make sure it is set to be included. Because every item on the user space list can be toggled to included or excluded. If you want it blocked, it should be included. Forgetting to check this is among the most common errors in Appguard configuration.

ticklemefeet

Level 21
Verified
That is standard for Appguard. It's good, leave it that way.

By the way, whenever you add something to the user space list, make sure it is set to be included. Because every item on the user space list can be toggled to included or excluded. If you want it blocked, it should be included. Forgetting to check this is among the most common errors in Appguard configuration.
Not sure what you are saying, but my user space list is set to included, yes. Is that what you mean? Version 4 doesn't allow you to toggle between the two.
 

devjit2018

Level 6
Add bitsadmin.exe and the interpreters from the C:\Windows folder (and subfolders) to the User Space:
c:\Windows\*\bitsadmin.exe
c:\Windows\*\powershell.exe
c:\Windows\*\powershell_ise.exe
c:\Windows\*\wscript.exe
c:\Windows\*\cscript.exe
c:\Windows\*\mshta.exe
c:\Windows\*\hh.exe
c:\Windows\*\wmic.exe
c:\Windows\*\scrcons.exe
Check the AppGuard log to see whether those rules block something safe.
You should also block opening the shortcuts from the Download folder in all user profiles. (y)
Can regsvr32 be added in this list? Recently I've read somewhere that regsvr32 can also be used by malware.

shmu26

Level 74
Content Creator
Trusted
Verified
Can regsvr32 be added in this list? Recently I've read somewhere that regsvr32 can also be used by malware.
There is a very long list of LOLBins, i.e., processes that can be abused. It is sufficient to block the main ones, which are commonly used to run scripts and/or download payloads. If you block everything that can be abused, you will end up with a headache and an unusable computer.
 

Andy Ful

Level 37
Content Creator
Trusted
Verified
Can regsvr32 be added in this list? Recently I've read somewhere that regsvr32 can also be used by malware.
If I remember correctly, AppGuard blocks executables in the User Space even when they are going to run with Administrator rights, so administrative tasks cannot use them. Such executables as rundll32.exe or regsvr32.exe are commonly used by the system and some user applications, so it is not recommended to block them.