Advice Request Replacing AppGuard 5.2.9.1 with AppLocker (possibly)

[MrSecure007]

Hi Forum

I've been using AppGuard 5.2.9.1 for a few years now and have been really happy with it but unfortunately I think the time may have come for me to replace it as certain features I enable in Windows 10 blue screen my machine (like HyperV and Sandbox). I have contacted their support and was told to upgrade but I don't want to purchase subscription based software for the new version (I was lucky to pay a one off fee for AdGuard 5.2.9.1) so am looking at options.

So my questions are:

1. Are there any other 3rd party alternatives to AdGuard that I should consider? I don't mind paying but would like to avoid subscription based software if I can
2. I've used AppLocker before and really liked it (my version of Win10 supports it). Does anyone know an easy way to setup AppLocker rules (Powershell perhaps)? I remember vaguely that there were ways to bypass some AppLocker rules and you had to add MANY exes exceptions (for example) to the block list to really lock things down good. Doing this via the GUI was painful and time consuming (I used Florians blacklist from Execubits for the exe list and folders that needed to be blocked due to them being writable for non admins). I'll be using Publishing rules and hash rules for anything that isn't signed. I also want to add in any additional rules to prevent AppLocker being bypassed.

Hopefully I haven't forgotten to mention anything important but if I have please ask

Thanks for any help!

 

[Nightwalker]

AdGuard is a system wide adblocker (version 7.5.2), are you perhaps referring to AppGuard?

Home - AppGuard

AppGuard protects the operating system at the kernel level preventing breaches using patented dynamic isolation and inheritance technologies.

www.appguard.us

Maybe you could take a look at NVT EXE Radar Pro or SpyShelter, but I dont think there is a direct alternative to AppGuard.

NoVirusThanks: Free Security Software & Cyber Security

Security software to protect your PC from malware. Security services for a safer Internet. Information Technology, Cyber Security and Security Solutions.

www.novirusthanks.org

Best Free Antispyware Software 2024 | Download SpyShelter

Download SpyShelter Antispyware FREE software. Get instant protection against spyware. Easy to use.

www.spyshelter.com

 

[dinosaur07]

VoodooShield might be a good alternative for Appguard so you might give it a try. With the Pro version you can do customization as you wish.

 

[shmu26]

I dont think there is a direct alternative to AppGuard.

+1
You might want to look into Hard_Configurator, as it is Software Restriction Policy, like AppGuard is. Not saying that H_C does everything that AppGuard does, and vice versa, but at least they are in the same category. I don't think you will get those BSODs with H_C, because H_C does not usually mess with processes running with system privileges.

 

[Freud2004]

AdGuard is a system wide adblocker (version 7.5.2), are you perhaps referring to AppGuard?

Home - AppGuard

AppGuard protects the operating system at the kernel level preventing breaches using patented dynamic isolation and inheritance technologies.

www.appguard.us

Maybe you could take a look at NVT EXE Radar Pro or SpyShelter, but I dont think there is a direct alternative to AppGuard.

NoVirusThanks: Free Security Software & Cyber Security

Security software to protect your PC from malware. Security services for a safer Internet. Information Technology, Cyber Security and Security Solutions.

www.novirusthanks.org

Best Free Antispyware Software 2024 | Download SpyShelter

Download SpyShelter Antispyware FREE software. Get instant protection against spyware. Easy to use.

www.spyshelter.com

Maybe a little update... 2015 last version

EXE Radar Pro v3.0​

Version	3.0
Last Updated	April 22, 2015
Operating System	For Windows XP, Vista, 7, 8, 10 (32\64-bit)
Category	Malware Protection Tools
License Type	Commercial
File Size	7 MB

 

[jetman]

Appguard is very expensive.

If you just want to secure your PC for online banking or puchases etc, perhaps consider buying an iPad as a secondary device ? My understanding is that iOS is more secure than any Windows PC- even one running Appguard.

 

[shmu26]

Maybe a little update... 2015 last version

EXE Radar Pro v3.0​

Version	3.0
Last Updated	April 22, 2015
Operating System	For Windows XP, Vista, 7, 8, 10 (32\64-bit)
Category	Malware Protection Tools
License Type	Commercial
File Size	7 MB

ERP version 4 was released, as a free beta. It is very stable.

 

[MrSecure007]

Thanks for all the replies! EXE Radar Pro looks interesting but I think I will stick with AppLocker.

Has anyone created AppLocker rules to lock their PC down *and* set them up to prevent bypasses from happening?

 

[danb]

Has anyone created AppLocker rules to lock their PC down *and* set them up to prevent bypasses from happening?

No. The closest example that I am aware of with AppLocker is AaronLocker, but it would take years to properly patch the gaps.

GitHub - microsoft/AaronLocker: Robust and practical application control for Windows

Robust and practical application control for Windows - microsoft/AaronLocker

github.com

 

[mazskolnieces]

Hi Forum

I've been using AppGuard 5.2.9.1 for a few years now and have been really happy with it but unfortunately I think the time may have come for me to replace it as certain features I enable in Windows 10 blue screen my machine (like HyperV and Sandbox). I have contacted their support and was told to upgrade but I don't want to purchase subscription based software for the new version (I was lucky to pay a one off fee for AdGuard 5.2.9.1) so am looking at options.

So my questions are:

1. Are there any other 3rd party alternatives to AdGuard that I should consider? I don't mind paying but would like to avoid subscription based software if I can
2. I've used AppLocker before and really liked it (my version of Win10 supports it). Does anyone know an easy way to setup AppLocker rules (Powershell perhaps)? I remember vaguely that there were ways to bypass some AppLocker rules and you had to add MANY exes exceptions (for example) to the block list to really lock things down good. Doing this via the GUI was painful and time consuming (I used Florians blacklist from Execubits for the exe list and folders that needed to be blocked due to them being writable for non admins). I'll be using Publishing rules and hash rules for anything that isn't signed. I also want to add in any additional rules to prevent AppLocker being bypassed.

Hopefully I haven't forgotten to mention anything important but if I have please ask

Thanks for any help!

Use the LOLBin policies in @Andy Ful 's Hard_Configurator. The policies he uses are all Microsoft best practices and they cover AppLocker "bypasses." AppLocker "bypasses" aren't actually bypasses. They're incomplete policies that allow for abuse of LOLBins such as rundll32 and regsvr32, which should be disabled by default.

Microsoft never endingly preaches that LOLBins should be permanently disabled. ASR is the foundation of any OS best security practices. Microsoft is a huge advocate of ASR, and rightly so. Microsoft is of the mindset that just because they ship it with Windows doesn't mean it should be enabled. Of course they don't even broach this for home consumers because they don't want to deal with home consumer problems. Microsoft focuses upon consumers to buy games and movies, and not security.

 

[Nevi]

If you just want to secure your PC for online banking or puchases etc, perhaps consider buying an iPad as a secondary device ? My understanding is that iOS is more secure than any Windows PC- even one running Appguard.

It has been that way for a long time, but IOS users should start to use good protection, as the black hats has started to write a lot of malware to Mac computers.

Apple’s malware problem is getting worse

Macs aren’t as safe as they used to be. Here’s how to protect yourself.

www.vox.com

 

[MrSecure007]

Use the LOLBin policies in @Andy Ful 's Hard_Configurator. The policies he uses are all Microsoft best practices and they cover AppLocker "bypasses." AppLocker "bypasses" aren't actually bypasses. They're incomplete policies that allow for abuse of LOLBins such as rundll32 and regsvr32, which should be disabled by default.

Microsoft never endingly preaches that LOLBins should be permanently disabled. ASR is the foundation of any OS best security practices. Microsoft is a huge advocate of ASR, and rightly so. Microsoft is of the mindset that just because they ship it with Windows doesn't mean it should be enabled. Of course they don't even broach this for home consumers because they don't want to deal with home consumer problems. Microsoft focuses upon consumers to buy games and movies, and not security.

I've never come across "Hard_Configurator" before so will be looking into this, thanks for sharing! Can this replace AppGuard or should they be used together? I've decided to not use AppLocker.

I'd also never come across the term "LOLBins" before but this is what I am worried about, securing the signed MS executables. I have a blacklist of exes Execubits used to have on their website before they shut down but its quite long to add them all to AppGuards config and I haven't tried yet.

 

[mazskolnieces]

I've never come across "Hard_Configurator" before so will be looking into this, thanks for sharing! Can this replace AppGuard or should they be used together? I've decided to not use AppLocker.

I'd also never come across the term "LOLBins" before but this is what I am worried about, securing the signed MS executables. I have a blacklist of exes Execubits used to have on their website before they shut down but its quite long to add them all to AppGuards config and I haven't tried yet.

The Excubits list is LOLBins. Hard_Configurator contains the entire Excubits list. You don't have to add anything additional unless you want to.

Use Hard_Configurator by itself.

Homepage - Hard_Configurator (hard-configurator.com)

The best thing you can do is check it out and when you do you'll see for yourself. I'd bet you like it immediately.

 

[danb]

Use the LOLBin policies in @Andy Ful 's Hard_Configurator. The policies he uses are all Microsoft best practices and they cover AppLocker "bypasses." AppLocker "bypasses" aren't actually bypasses. They're incomplete policies that allow for abuse of LOLBins such as rundll32 and regsvr32, which should be disabled by default.

Microsoft never endingly preaches that LOLBins should be permanently disabled. ASR is the foundation of any OS best security practices. Microsoft is a huge advocate of ASR, and rightly so. Microsoft is of the mindset that just because they ship it with Windows doesn't mean it should be enabled. Of course they don't even broach this for home consumers because they don't want to deal with home consumer problems. Microsoft focuses upon consumers to buy games and movies, and not security.

Any chance you could provide a link to Microsoft’s best practices where they suggest disabling rundll32 and regsvr32 (along with others) is a good idea? H_C will be a great soft once Andy finishes his WDAC implementation, but I am curious why Microsoft would deprecate SRP and still include it in their best practices .

 

[mazskolnieces]

Any chance you could provide a link to Microsoft’s best practices where they suggest disabling rundll32 and regsvr32 (along with others) is a good idea? H_C will be a great soft once Andy finishes his WDAC implementation, but I am curious why Microsoft would deprecate SRP and still include it in their best practices .

There is no question that Microsoft very much continues to support features and software that it has "deprecated" in it security guidance and best practices. Microsoft officially no longer supports Windows 8.1 thru XP or Server 2012R2 thru 2003, and yet there's literally millions of companies that still use those OSes and Microsoft still maintains the same security guidance for those companies. And the foundation of that security is ASR, which Microsoft publishes best practices in docs, blogs, Git pages, divisional guidance, and a lot of other ways.

Deprecation does not mean much in Microsoft parlance. There are items that were deprecated back in the XP era that still ship with Windows. Just because Microsoft says it is deprecating something clearly doesn't mean in practice that it is obsolete or is not to be used any longer.

You did know that WDAC is a superset of AppLocker, and that AppLocker is a superset of SRP, and that all three (WDAC, AppLocker, and SRP) are all software restriction policy based security despite Microsoft calling them by different names, right ?

 

[danb]

Again, where is the evidence? All you have to do is provide a link the Microsoft's best practices and you will have proven your point. Otherwise, pretty much everything you have said is opinion with zero fact to back it up.

Including the notion that WDAC is based on SRP. You are suggesting that a kernel mode mechanism is based on a user mode mechanism? Where do you get these crazy ideas? When did truth become optional?

Application Control for Windows

Application Control restricts which applications users are allowed to run and the code that runs in the system core.

docs.microsoft.com

 

[mazskolnieces]

Again, where is the evidence? All you have to do is provide a link the Microsoft's best practices and you will have proven your point. Otherwise, pretty much everything you have said is opinion with zero fact to back it up.

Application Control for Windows

Application Control restricts which applications users are allowed to run and the code that runs in the system core.

docs.microsoft.com

Microsoft still supports SRP with a huge online doc database. The evidence that Microsoft still includes SRP as part of its security best practices are pages such as this: Use AppLocker and Software Restriction Policies in the same domain (Windows 10) - Windows security | Microsoft Docs

Since WDAC only applies to W10 (and Microsoft has never stated that it has plans to make it backward compatible), and AppLocker only applies to post-Windows 7 systems, the only native Microsoft option remains SRP for earlier systems. Microsoft clearly notes that SRP is the only one that works across mixed version enterprise environments.

Within the context of AppLocker, there are ways to bypass it including rundll32 and regsvr32. Microsoft Security even quotes the researchers who find this stuff such as Casey Smith and Matt Graeber.

There's literally hundreds of thousands of organizations and others that run Windows with rundll32 and regsvr32 disabled without there being any undue inconvenience or a system crash. There's no way to provide evidence except for a person to try it and see for themselves. Furthermore, Microsoft has never stated not to disable LOLBins because they are shipped with the OS and therefore not meant to be disabled. Any notion that permanently disabling Windows processes is wrong is ludicrous. If that were the case, then why does Microsoft still rely upon SRP (SRP, AppLocker and WDAC) as the foundation of its highest security where processes are permanently disabled ?

You want a link that provides a complete set of Microsoft best practices. Well there isn't one. Microsoft best practices are literally spread out across thousands of web pages and other resources such as Microsoft docs, support, blogs, and whitepapers. Just because I don't provide a link doesn't mean that what is being said is speculation. Go to any Microsoft Ignite and attend security presentations.

You seem to imply that just because Microsoft has "deprecated" SRP that it is no longer to be used. Then explain how Microsoft is not telling companies to stop using SRP with mixed environments and expensive Intune licenses, and infrastructure that is not possible to upgrade and upon which SRP is the only working option ?

ASR is Microsoft's foundational security with the objective to disable LOLBins. Within the context of reading Microsoft docs and security blogs this fact is plainly clear.

Including the notion that WDAC is based on SRP. You are suggesting that a kernel mode mechanism is based on a user mode mechanism? Where do you get these crazy ideas? When did truth become optional?

You assertion that WDAC is not SRP because it uses a kernel mode driver is ludicrous. SRP is not defined by how it does it, it is defined by what it does.

I will just end with this fact... Hard_Configurator is wildly popular and shall continue to grow in popularity. It's because @Andy Ful is a gentleman. H_C is a freeware open source project. Plus it provides for an almost completely trouble free security user experience. It uses not only SRP but various native Microsoft security options that Microsoft has no incentive to eliminate from the OS any time soon. There's no evidence to suggest otherwise. Absolutely none. Microsoft is not throwing the baby out with the bath water; SRP will be around for a long time.

We are all aware that you have your own peculiar motivated bias in certain topic matters. It's OK. You're entitled to your wrong opinions.

 

[danb]

Microsoft still supports SRP with a huge online doc database. The evidence that Microsoft still includes SRP as part of its security best practices are pages such as this: Use AppLocker and Software Restriction Policies in the same domain (Windows 10) - Windows security | Microsoft Docs

Since WDAC only applies to W10 (and Microsoft has never stated that it has plans to make it backward compatible), and AppLocker only applies to post-Windows 7 systems, the only native Microsoft option remains SRP for earlier systems. Microsoft clearly notes that SRP is the only one that works across mixed version enterprise environments.

Within the context of AppLocker, there are ways to bypass it including rundll32 and regsvr32. Microsoft Security even quotes the researchers who find this stuff such as Casey Smith and Matt Graeber.

There's literally hundreds of thousands of organizations and others that run Windows with rundll32 and regsvr32 disabled without there being any undue inconvenience or a system crash. There's no way to provide evidence except for a person to try it and see for themselves. Furthermore, Microsoft has never stated not to disable LOLBins because they are shipped with the OS and therefore not meant to be disabled. Any notion that permanently disabling Windows processes is wrong is ludicrous. If that were the case, then why does Microsoft still rely upon SRP (SRP, AppLocker and WDAC) as the foundation of its highest security where processes are permanently disabled ?

You want a link that provides a complete set of Microsoft best practices. Well there isn't one. Microsoft best practices are literally spread out across thousands of web pages and other resources such as Microsoft docs, support, blogs, and whitepapers. Just because I don't provide a link doesn't mean that what is being said is speculation. Go to any Microsoft Ignite and attend security presentations.

You seem to imply that just because Microsoft has "deprecated" SRP that it is no longer to be used. Then explain how Microsoft is not telling companies to stop using SRP with mixed environments and expensive Intune licenses, and infrastructure that is not possible to upgrade and upon which SRP is the only working option ?

ASR is Microsoft's foundational security with the objective to disable LOLBins. Within the context of reading Microsoft docs and security blogs this fact is plainly clear.

You assertion that WDAC is not SRP because it uses a kernel mode driver is ludicrous. SRP is not defined by how it does it, it is defined by what it does.

I will just end with this fact... Hard_Configurator is wildly popular and shall continue to grow in popularity. It's because @Andy Ful is a gentleman. H_C is a freeware open source project. Plus it provides for an almost completely trouble free security user experience. It uses not only SRP but various native Microsoft security options that Microsoft has no incentive to eliminate from the OS any time soon. There's no evidence to suggest otherwise. Absolutely none. Microsoft is not throwing the baby out with the bath water; SRP will be around for a long time.

We are all aware that you have your own peculiar motivated bias in certain topic matters. It's OK. You're entitled to your wrong opinions.

Wow... a lot of words and still not one shred of evidence to support anything you have bloviated. You do realize, for example, if you disable rundll32, it will break most of the control panel applets? This is just one example of why it is not smart to disable vital system components.

H_C is designed for security geeks. VS is designed for complete novices and average users. These are 2 totally different products in 2 totally different markets. VS was the cool new kid on the block for many years on both MT and Wilders and you cannot hold that title forever. It's cool because we have moved on to focus on business. Some days we are getting 750 new installs / new user accounts, and it is only growing from there since we started marketing recently. And besides, you would be surprised how many security geeks on the forums are closet VS users, or have switched back to VS after trying other products . I never thought that VS would be known as the boring, stable, tried and true option .

I am not going to ask again for evidence to support your wild claims, but if you happen to find any please let me know.

 

[mazskolnieces]

You do realize, for example, if you disable rundll32, it will break most of the control panel applets? This is just one example of why it is not smart to disable vital system components.

And so ? It is easy enough to turn off a boolean like a light switch to gain access to the control panel. So your claim is trivial and at best a minor inconvenience. Windows control panel is not a vital system component as there is nothing that happens during the regular course of using the OS that it needs access to it. Nobody needs constant unfettered access to the Control Panel. And besides, enterprises sure don't care.

I wonder why people who disable the entire LOLBin list in Hard_Configurator never complain about it ? Seems like they all can make it work without issue.

You know it's pretty disturbing, and quite sad actually, that a developer of a security product doesn't even know what Microsoft's own recommended security best practices are. That he doesn't even know what Microsoft MSPs and Microsoft security personnel do to secure a 100,000+ endpoint deployment. You don't even know how any of Microsoft's enterprise security works, like the things needed to create, install and manage the policies. A Windows security expert with real world experience wouldn't ask for web pages as evidence because they wouldn't need it. You're doing it just because your objective is to say "If you don't provide what I'm asking for, then it's just not true." How petty and unprofessional is that ?

Ask the WDAC team what it is... it's SRP. It always was. The fact that it uses a kernel mode driver as opposed to working in user mode doesn't make WDAC something other than SRP.

Enterprises and those people who so choose will continue to use SRP on Windows until such time in the distant future most everybody switches to Windows 10 and Server 2016 and above.

VS is designed for complete novices and average users. These are 2 totally different products in 2 totally different markets. VS was the cool new kid on the block for many years on both MT and Wilders and you cannot hold that title forever. It's cool because we have moved on to focus on business. Some days we are getting 750 new installs / new user accounts, and it is only growing from there since we started marketing recently. And besides, you would be surprised how many security geeks on the forums are closet VS users, or have switched back to VS after trying other products . I never thought that VS would be known as the boring, stable, tried and true option .

Not sure why you feel the need to talk about your product in this thread since it is not relevant to the discussion of SRP. It's just an antiexecutable.

You say Andy's "product" is only for security geeks but that is a wild claim and there is no evidence you provide to support it. You act like people cannot handle a product that is basically an ON-OFF product like a light switch. Please show us a single instance where a H_C user couldn't figure out how to use the product or a bug that persisted to the extent that the user abandoned the product.

I think you have a penchant for overexaggerating the VS user base and how wonderful it is doing. If your product was doing so great, then you wouldn't spend all your time on tiny forums for security software enthusiasts. Don't get me wrong, it's nice that you do. There's certainly a lot of people on these forums that appreciate their free VS licenses. But my guess is that as soon as you stopped giving away free licenses lots of your user base would lose interest. Who knows. Maybe I'm wrong. But one thing for certain is that these small forums are most definitely places where people come to because they're attracted to the free software.

I am not going to ask again for evidence to support your wild claims, but if you happen to find any please let me know.

You have the option of proving every last word that I've posted is wrong. There's nothing stopping you.

 

[Andy Ful]

@danb, @mazskolnieces, and @MrSecure007​

Thank you for the interesting discussion. Although I mostly agree with @mazskolnieces, I think that it is hard to replace AppGuard due to its special features. Anyway, the Windows version used by @MrSecure007 allows using AppLocker, he used it before and he really liked it. So, the simplest solution for him will be using AppLocker again and learn how to apply additional rules to avoid bypasses.
One Thousand and One Application Blocks — Improsec | improving security
GitHub - microsoft/AaronLocker: Robust and practical application control for Windows
Using AaronLocker to Easily Deploy Microsoft AppLocker (ipswitch.com)