> It puts memory restrictions on selected apps and processes, and it also prevents them from writing in system space. It also has an option for privacy protection, which is enabled by default for browsers. You manually define which files and folders are to be considered "private," and your browsers cannot read or write there.

What is it?

> Yes, sandboxing is stronger protection than guarded apps, but also more frustrating. Guarded apps does not really limit your productivity, and does not really break functionality.

I see, so it's a great feature! But I guess you can do the same with Sandboxie Free.
what about the registry?
> Hardcore Appguard users have enough tweaks to block half of Windows. I am not one of them.

What is it?

What about that PowerShell DLL? What about WMI? There are more things that need to be blocked :/

> The basic idea of guarded apps is that malware cannot make system changes that will survive a reboot, and it restricts interaction with the memory of other running processes. This prevents both injecting into them and stealing data from them.

I guess I can block it with ESET HIPS as well, but I'm not sure about it. I removed this DLL, btw.

powershell dlls either in Appguard

Lockdown can tell us. But I think that guarded apps blocks writing to critical registry areas but allows writing to certain other registry areas.
I have noticed that Windows Defender at high settings is heavy on the system. And other people have told me the same. Not sure exactly which protections are responsible for the lag on the system, but I set PUA Protection and Cloud Check Time back to default, and it seems to help.
Yes, locked down mode with extra tweaks is much more secure.
Tweak number one, in my opinion, is to add c:\*script.exe to user space. It is almost a must.
This is because Appguard at OOTB (out of the box) settings does not protect Windows Script Host, so this is tweak number 1.
Powershell is on the guarded apps list, so it won't be able to do much damage even at OOTB settings.
Granted that Appguard will block the payload that wscript spawns, even at OOTB settings, but it is not wise to let the malware get so far. Nip it in the bud.
My current config is Appguard + ReHIPS + Excubits MemProtect demo + Kaspersky Internet Security 19 RC.
It probably sounds like I am nuts to use so many advanced security applications together, but there is a method to my madness:
1. I don't have a lot of tweaks in Appguard, and I run it at "protected" level, not locked down.
2. I don't isolate everything in ReHIPS.
3. I don't have a lot of tweaks in KIS.
Basically, I pick and choose the features I like best in each of the various security softs I use.
I use Chrome most of the time; it is in guarded apps by default in all the recent versions of Appguard.
You did the right thing with powershell. But I have it protected in ReHIPS, so I left it at default settings in Appguard.
I also did the registry hack to set powershell to constrained language.
Ahhh I am still using lifetime version 4.0 and it doesn't have any other browsers added. That was a good move on their part.
Does the reg hack cover just powershell.exe in sys 32 & 64 folders or does it also cover PowerShell in the syswow 32 & 64 folders too? And does it cover powershell_ise.exe in the sys 32 and syswow folders?
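As an added example (not posted by anyone in this thread), the following script audits the constrained-language setting and asks each Windows PowerShell host named in the question which language mode it actually starts in. It assumes the "registry hack" being discussed is the machine-wide `__PSLockdownPolicy` environment value (read by the PowerShell engine; a value of 4 selects ConstrainedLanguage); the host paths are the standard System32 and SysWOW64 locations. Run it from an elevated prompt so the registry read does not fail silently.

```powershell
# Added example, not from the thread: audit the PowerShell lockdown setting and report
# the language mode each powershell.exe host starts in.
# Assumption: the registry tweak in question is the machine environment value
# __PSLockdownPolicy (4 = ConstrainedLanguage). It is read by the PowerShell engine
# itself, so it applies to every process that loads System.Management.Automation,
# whichever folder the host executable lives in.

$envKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment'
$policy = (Get-ItemProperty -Path $envKey -Name '__PSLockdownPolicy' -ErrorAction SilentlyContinue).__PSLockdownPolicy

if ($null -eq $policy) {
    Write-Output "__PSLockdownPolicy is not set: PowerShell starts in FullLanguage mode."
} else {
    Write-Output "__PSLockdownPolicy = $policy (4 = ConstrainedLanguage)"
}

# The hosts asked about above. Which of them exist depends on OS bitness.
$hosts = @(
    "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe",
    "$env:SystemRoot\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
    "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell_ise.exe",
    "$env:SystemRoot\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe"
)

foreach ($exe in $hosts) {
    if (-not (Test-Path $exe)) {
        Write-Output "absent              : $exe"
        continue
    }
    if ($exe -like '*powershell_ise.exe') {
        # The ISE cannot be driven with -Command; it loads the same engine, so the
        # machine-wide setting applies. Verify interactively inside the ISE with
        # $ExecutionContext.SessionState.LanguageMode.
        Write-Output "present (interactive): $exe"
        continue
    }
    # Start the host in a fresh process and ask it which language mode it is in.
    $mode = & $exe -NoProfile -NonInteractive -Command '$ExecutionContext.SessionState.LanguageMode'
    Write-Output "$mode : $exe"
}
```

The check is deliberately done by launching each host rather than by reading the registry alone: the registry value tells you what was configured, the child process tells you what the engine enforces right now, and the two differ when the value was mistyped or placed under the wrong key.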
I have a standard user account on my desktop that is used by a novice who has little patience for security. So I try to build my config in such a way that it will work both for noobs and for geeks. Right now, I am using KIS, but I might go back to Windows Defender.

> I have a standard user account on my desktop that is used by a novice who has little patience for security. So I try to build my config in such a way that it will work both for noobs and for geeks. Right now, I am using KIS, but I might go back to Windows Defender.

If you aren't downloading and installing unknown files, then why even enable these settings in the first place? You already know a PUA/PUP from a legit one and don't need some AV to tell you. Plus, these AVs are all over the place on what they classify as a PUA/PUP, and it doesn't help a lot of folks. And then there are those folks who are hell-bent on installing the program no matter what the AV tells them.

What I noticed is that Kaspersky, unlike some other AVs, does not care very much whether the program is legal or not.
But it consistently flags Process Hacker, which is a legal program, as potentially unwanted. It flags all Process Hacker processes, one after another.

> What I noticed is that Kaspersky, unlike some other AVs, does not care very much whether the program is legal or not.

Kaspersky has a strange way of dealing with PUAs/PUPs. Meaning, Kaspersky rates legit programs as PUAs/PUPs and lets a lot of PUAs/PUPs be installed.

Basically, this is because Eugene Kaspersky does not want to be sued by the publisher, but if that publisher is running an open source project and isn't likely to sue, then you can bet the program will be blacklisted. Check it for yourself.

The log in Excubits MemProtect recorded a blocked powershell event this morning. I am sure it was a Windows scheduled task, but I don't have a clue why:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe > C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7f06bbe7908fb8d914459155ec6219e7\System.Management.Automation.ni.dll

> The log in Excubits MemProtect recorded a blocked powershell event this morning. I am sure it was a Windows scheduled task, but I don't have a clue why:

I keep telling you that PowerShell isn't needed - that it should be disabled. I wouldn't tell you that if it wasn't true. The PowerShell commands that Office, Dropbox, etc. run during updates, repairs, etc. are "empty" and do not break anything. You are needlessly exposing your system to risk by keeping PowerShell enabled - all for nothing.
Lockdown is 100% right.
Process Hacker comes shipped with a vulnerable driver which can be operated by other third-party software; the source code is also open source, making it easy for a malware author to understand which IPC buffers it should pass to do XXXXXX (e.g. get the driver to terminate your AV's service from kernel mode).
I don't use Process Hacker at all anymore because of this, not even with the driver disabled.
For the record, CPU-Z also has a vulnerable driver and their driver can be exploited to bypass your AV's self protection as well via NtDeviceIoControlFile.
VirtualBox also has a vulnerable driver which can be used to exploit PatchGuard's Driver Signature Enforcement (DSE) feature and load an unsigned device driver in a "driver-less" way (meaning the driver will not even show up on the ntoskrnl.exe imports list).
CPU-Z may have patched their driver years later but I doubt it.
> kprocesshacker.sys

I am using the Process Hacker nightly builds. Which driver is it so I can check?
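As an added example (not posted by anyone in this thread), the following script inventories the kernel drivers registered on the machine and flags any whose file name is on a watch list, reporting whether each is running, how it is started and who signed it. The watch list contains only kprocesshacker.sys, because that is the only driver file named in this thread; the list is meant to be extended with whatever you track yourself. A driver that is installed but stopped still shows up, which matters for the "not even with the driver disabled" point above: a service set to Manual start can be started again by anything with the right privilege.

```powershell
# Added example, not from the thread: inventory registered kernel drivers and flag
# watch-listed file names. Only kprocesshacker.sys is listed here because it is the
# only driver file named in the thread; extend $watchList yourself.
$watchList = @('kprocesshacker.sys')

function Get-DriverReport {
    Get-CimInstance -ClassName Win32_SystemDriver | ForEach-Object {
        # Normalise the path forms the service database uses so Test-Path and
        # Get-AuthenticodeSignature can open the file.
        $path = $_.PathName
        if ($path) {
            $path = $path -replace '^\\\?\?\\', ''                 # \??\C:\... -> C:\...
            $path = $path -replace '^\\SystemRoot', $env:SystemRoot # \SystemRoot\... -> C:\Windows\...
            if (-not [System.IO.Path]::IsPathRooted($path)) {       # system32\drivers\x.sys
                $path = Join-Path $env:SystemRoot $path
            }
        }
        $file = if ($path) { [System.IO.Path]::GetFileName($path) } else { '' }

        $signer = ''
        if ($path -and (Test-Path $path)) {
            $sig = Get-AuthenticodeSignature -FilePath $path
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { [string]$sig.Status }
        }

        [pscustomobject]@{
            Name      = $_.Name
            File      = $file
            State     = $_.State       # Running / Stopped
            StartMode = $_.StartMode   # Boot / System / Auto / Manual / Disabled
            Path      = $path
            Signer    = $signer
            Watched   = ($watchList -contains $file)   # -contains is case-insensitive
        }
    }
}

$report  = Get-DriverReport
$flagged = $report | Where-Object Watched

if ($flagged) {
    Write-Output "Watch-listed driver(s) registered on this machine:"
    $flagged | Format-Table Name, State, StartMode, Path, Signer -AutoSize
} else {
    Write-Output "No watch-listed driver is registered."
}

# Full inventory for review, running drivers first.
$report | Sort-Object State, Name | Format-Table Name, File, State, StartMode, Signer -AutoSize
```

Run it elevated so every driver's image file is readable; unreadable or missing files show an empty Signer column rather than a false "not signed" verdict.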