Advice Request Other standalone Default-Deny software?

[Andy Ful]

AppGuard is smart default-deny (execution default-deny in User Space) for scripts and unsigned applications. It can be thought as a kind of isolation default-deny for digitally signed programs in User Space (but not on Publisher List), because they are forced to run isolated from other processes and computer resources (also by memory restrictions).

Edit.
For enterprise users, AppGuard has some important advantages, for example, Guarded Applications and Memory Guard. That is why it is awarded in this area.
For home users, the main difference between AppGuard and H_C is managing application installations. In AppGuard, most installers cannot be run or the installation will fail due to restrictions. So, the special Install mode has to be used, which turns off most of the restrictions for all processes. In H_C, the user can safely install most applications without turning OFF the protection, by using "Run As SmartScreen", which bypasses the protection only for the installers accepted by SmartScreen.

 

[Andy Ful]

Comodo Firewall with CS settings, has solved the problem with installation of new applications, by using very large Trusted Vendors List and cloud file lookup feature. Though it is not as safe as forced SmartScreen, but pretty much secure in practice.

I did not use VoodooShield for a long time , so I am not sure how it manages the new application installation.

Generally, all default-deny will have a problem to solve with new applications and updates.

 

[shmu26]

I do not think he is a geek. and I'm using Comodo Firewall with the sister configuration Cruel in W7 and I have no problem

And my wife uses Comodo Firewall at CruelSister settings with no problem. I never ever have complaints from her about things blocked by Comodo, or bugs or anything. My wife is not a geek at all, not even close to it.

 

[shmu26]

What are Voodooshield's pros over AppGuard if free/pro versus paid factor and target environments is ignored for a moment and just talking directly from the functionality and usability perspective, which one offers more solidified inbuilt protection mechanisms against sophisticated threats and would require less user maintenance over time when configured and set properly?

/Time and "knowledge" required to set-up for working, office-like PC doesn't matter, just interested in high tier and robust SRP/Default-Deny. Thanks.

Don't use Appguard unless you have deep pockets and profound knowledge of how your OS works. Either that, or you have an expert to advise you and keep you notified about critical changes that might need to be make to the config, due to Microsoft updates.

 

[oldschool]

Spot on @Andy Ful @shmu26 with all your points. With VS, you may leave enabled and answer the prompts during install and the number of prompts you get depend on the Security Posture you have enabled, e.g. In Aggressive mode = most > Relaxed = least. Or you may use "Disable/Install" mode. I have had zero problems with VS.

 

[ebocious]

I just poked around the website a little bit...and I think it's $9.99 a month. So that is not inexpensive protection. But maybe there is a more inexpensive way to purchase it.

A single license for Tech Fortress is available for $3.99/month here. The AOL Data Secure plan is $9.99 a month. I read somewhere that the plan supposedly allows use of the software on up to five devices. I've sent an email to ask about this, but have not yet received a response. If so, then near-bulletproof protection on five computers could be had for as little as $2/month!

 

[shmu26]

A single license for Tech Fortress is available for $3.99/month here. The AOL Data Secure plan is $9.99 a month. I read somewhere that the plan supposedly allows use of the software on up to five devices. I've sent an email to ask about this, but have not yet received a response. If so, then near-bulletproof protection on five computers could be had for as little as $2/month!

You need a credit card with a US or UK address.

 

[ebocious]

@ebocious - that's interesting. I have not heard of this before. Have you ever contacted VoodooShield with this issue? I know there are users who run older versions knowingly. VS has always worked well for me.

I have not. But I experienced the issue on three different units, one of them a fresh installation. No other security software running; even WD was disabled (not SmartScreen). The previous update worked successfully via the prompt, but it still required user intervention. And really, the fact that the software will refuse to continue working until you have installed the update and rebooted your system, is kind of a tall order for granny. I've since replaced VS with Cruel Comodo on these three units.

 

[shmu26]

AppGuard boasts a perfect track record for 20 years. "In 20 years of providing cybersecurity solutions, there has been not one reported breach of our solutions."

Their definition of a "breach" is very narrow. I will give you an example. The default config does not block wscript or cscript. This is a wide, gaping hole in protection for a home user. If you get hit by a common malware that uses wscript, they will tell you it is not a "breach", because you didn't configure it to block wscript.
In a nutshell, AppGuard does what you configured it to do, so it all depends on your configuration.

 

[ebocious]

Their definition of a "breach" is very narrow. I will give you an example. The default config does not block wscript or cscript. This is a wide, gaping hole in protection for a home user. If you get hit by a common malware that uses wscript, they will tell you it is not a "breach", because you didn't configure it to block wscript.
In a nutshell, AppGuard does what you configured it to do, so it all depends on your configuration.

Good information! Can you tell me where this information is located? Not that I'm questioning you; I'd just like to see it.

 

[ForgottenSeer 69673]

I created a cheap JS file and clicked on it. Appguard blocked it. I then ran the file through virus total , turned off Appguard and clicked on it again.

 

[Deckard]

Good information! Can you tell me where this information is located? Not that I'm questioning you; I'd just like to see it.

Same thing, I'm interested, as I'm with AppGuard Solo since yesterday.

 

[ebocious]

View attachment 211136

Is this with default config? And what edition of AG are you using?

 

[ForgottenSeer 69673]

Is this with default config? And what edition of AG are you using?

It is version 4-4-6-1 and it is my tweaked settings.

 

[shmu26]

Good information! Can you tell me where this information is located? Not that I'm questioning you; I'd just like to see it.

There have been a lot of discussions of so-called "bypasses" and as far as I remember, Jeff the Appguard rep (AKA Lockdown, in the early years he used to go by a handle something like "hjblx") would always make the same point, that it depends on the config. A bypass is defined as malware getting past the defense mechanisms of the software. If the software is not set up to block a certain behavior, that is not called a bypass.

All I can tell you is don't believe the half-truths that come out of the marketing department of any software, and that includes Appguard. The dudes who write the marketing hype don't even understand the software. They are paid to make it sound good, that's all.

Properly configured, Appguard is as strong as money can buy. It is tops. But you gotta configure it right.

 

[Deckard]

Good information! Can you tell me where this information is located? Not that I'm questioning you; I'd just like to see it.

I found the info, about wscript and cscript, wrote by Lockdown, in Wilders

... For increased malicious shortcut mitigation, add both wscript.exe and cscript.exe to the Guarded Apps list or disable both by adding them to User Space (YES).
....
Both it and cscript.exe should be added manually to Guarded Apps at this time or disable them by adding each to User Space (YES). If you find you need either one on occasion, you then temporarily UnGuard or enable it [User Space (NO)], do what you need to do, then afterwards immediately re-enable the protections. If you need either one on a permanent basis, then you can permanently UnGuard (untick in Guarded Apps list) or delete the rule from Guarded Apps list. For the User Space list delete the entry in the User Space list or alternatively, you can set the User Space policy for the process permanently to User Space (NO). I retain the policy rules once I've created them and just disable them - instead of deleting them. It saves me from having to re-add a rule later on if I want it again.
...

So, as wscript.exe and cscript.exe are in many places (System32, SysWOW64, ..) but each time in the Windows directory,

c:\windows\*\wscript.exe        yes

and

c:\windows\*\cscript.exe        yes

in the User Space.

 

[shmu26]

I found the info, about wscript and cscript, wrote by Lockdown, in Wilders


So, as wscript.exe and cscript.exe are in many places (System32, SysWOW64, ..) but each time in the Windows directory,

c:\windows\*\wscript.exe        yes

and

c:\windows\*\cscript.exe        yes

in the User Space.

Right.
And just in case the malware comes with its own wscript file, and drops it somewhere, you can protect by broadening out the above rules:

c:*\wscript.exe        yes

and

c:*\cscript.exe        yes

Actually, it is recommended to make an even broader rule, to protect against a longer list of scriptors:

c:*script.exe        yes

Similarly, most Appguard users make a rule like this, or something like it:

c:*powershell*        yes

 

[shmu26]

Regarding Appguard configuration and support: I have been advised by PM (not here at MalwareTips) as follows:
"Appguard has no interest on being discussed on forums ", and furthermore, the community of Appguard experts "isn't here to help or advise people. "

Accordingly, Appguard is not for home users, because the official support channel is notoriously unhelpful, and support on forums is no longer available. You need a business or corporate licence to get real support, and even then, I am not sure how good the support is.

Appguard has been saying for a long time that they don't want home users, and guess what, they mean it.

 

[Deckard]

Regarding Appguard configuration and support: I have been advised by PM (not here at MalwareTips) as follows:
"Appguard has no interest on being discussed on forums ", and furthermore, the community of Appguard experts "isn't here to help or advise people. "

Accordingly, Appguard is not for home users, because the official support channel is notoriously unhelpful, and support on forums is no longer available. You need a business or corporate licence to get real support, and even then, I am not sure how good the support is.

Appguard has been saying for a long time that they don't want home users, and guess what, they mean it.

Thank you for this info !
I imagine that softwares like Appguard or softwares from Excubits generate a lot of incomprehension, configuration errors from home users and the work for the support could be enormous, so a financial loss for the company.
The "enthusiast home user" are not easy to manage. Maybe even worse.

 

[shmu26]

Thank you for this info !
I imagine that softwares like Appguard or softwares from Excubits generate a lot of incomprehension, configuration errors from home users and the work for the support could be enormous, so a financial loss for the company.
The "enthusiast home user" are not easy to manage. Maybe even worse.

Quite true.