Advice Request Some questions on AppGuard

[notabot]

AppGuard ( referring to the Solo version , AppGuard Solo - AppGuard ) among other features offers,

a. MemoryGuard: prevents protected programs from writing to, or reading from, other processes’ memory

b. Application Containment/Guarded Execution ensures protected applications are prevented from performing high-risk activities that might be exploited by malware

c. Zero-day and unknown malware defense – assumes all high target applications contain zero-day malware and guards them to prevent any zero-day exploit

Regarding a. MemoryGuard, this sounds a lot like blocking injections, does it do it by wrapping processes in an AppContainer ?, does this work in practice or a lot of software breaks?
Also what more does MemoryGuard offer in specific for Chrome when compared to running Chrome with the AppContainer flag enabled ?

Regarding b. & c. how does it differ from what Windows 10 already offers?

Also does AppGuard install a kernel driver or it uses purely Windows 10 native mechanisms ?

 

[davisd]

AppGuard Solo is no good for you. AG is for experts, average users can't handle it unlike Voodooshield, better use it instead.

Read Solo's user guide before. https://www.appguard.us/wp-content/uploads/2019/05/AppGuard_Solo_User_Guide6_0.pdf

 

[notabot]

AppGuard Solo is no good for you. AG is for experts, average users can't handle it unlike Voodooshield, better use it instead.

Read Solo's user guide before. https://www.appguard.us/wp-content/uploads/2019/05/AppGuard_Solo_User_Guide6_0.pdf

Thanks for your response but it doesn’t address any of the questions

 

[[correlate]]

 

[notabot]

AppGuard like any security solution will have uncovered attack vectors and bugs, so it will be bypassed by something. Many AVs had kernel modules that were exploitable, there exist UAC bypasses etc.

What I’m after with these questions is to see how the protections it provides compare with what Windows 10 offers to judge it on its merits / weaknesses based on the functional requirements it promises to deliver

 

[ForgottenSeer 58943]

I don't really think anyone around here uses appguard anymore to be honest do you may not find your answer here. The product has really gone off into the sunset from the looks of it, at least in terms of consumers. But I don't know any corporations using it either to be honest.

 

[oldschool]

The product has really gone off into the sunset from the looks of it, at least in terms of consumers.

This indeed. No longer marketed to consumers. No (or very few) users either here or @ Wilders.

 

[notabot]

I don't really think anyone around here uses appguard anymore to be honest do you may not find your answer here. The product has really gone off into the sunset from the looks of it, at least in terms of consumers. But I don't know any corporations using it either to be honest.

Thanks for this, what AG offers seems to overlap quite a bit with what Windows offers..

This indeed. No longer marketed to consumers. No (or very few) users either here or @ Wilders.

I see, without a user community, for me it doesn't make sense to use it anyhow

 

[ForgottenSeer 58943]

I'd love to play with it.. Free trial. Maybe low cost consumer version w/free trial.

However with VoodooShield implementing WhitelistCloud into it soon, I may just totally revert to that as my security posture along with lockdowns.

 

[ForgottenSeer 69673]

I still use it but I have added a few things to userspace = yes

That bypass would not succeed with these settings.

c:\Windows\*\bitsadmin.exe
c:\Windows\*\powershell.exe
c:\Windows\*\powershell_ise.exe
c:\Windows\*\wscript.exe
c:\Windows\*\cscript.exe
c:\Windows\*\mshta.exe
c:\Windows\*\hh.exe
c:\Windows\*\wmic.exe
c:\Windows\*\scrcons.exe

 

[Andy Ful]

This is not what I could call bypass, but rather educational video about how AppGuard works. The Guarded applications (like Word and PowerShell in the video) were restricted in the kind of Sandbox. So, like in any sandbox, the malware introduced by them can spy and run other applications (like cmd.exe and calc.exe in the video) in the sandbox. As we could see, any malicious action outside User Space was blocked by AppGuard.
The true bypass should be able to do something in the AppGuard System Space. It is possible (I did it myself), but not like it was done in the video.

Edit.
Due to SRP like restrictions, only the applications from SystemSpace can be run. That is why we can see Word, PowerShell, CMD, and Calc running in the video.

 

[notabot]

This is not what I could call bypass, but rather educational video about how AppGuard works. The Guarded applications (like Word and PowerShell in the video) were restricted in the kind of Sandbox. So, like in any sandbox, the malware introduced by them can spy and run other applications (like cmd.exe and calc.exe in the video) in the sandbox. As we could see, any malicious action outside User Space was blocked by AppGuard.
The true bypass should be able to do something in the AppGuard System Space. It is possible (I did it myself), but not like it was done in the video.

Is the sandbox AppContainer ? or AppGuard is using a different technology ?
I actually prefer it if it's AppContainer and all AppGuard uses is native mechanisms, a neat UI for these things may be worth paying. If on the other hand it's in-house solutions that have probably gone through less scrutiny than Windows native mechanisms I'm not so sure.

 

[Andy Ful]

It is a kind of sandbox based on AppGuard technology - it has many similarities with sandboxes based on restrictions. I do not know all details, so I cannot say that it is a full sandbox. You cannot find a sandbox term in AppGuard documentation.
The Guarded applications are run with many restrictions to protect some important Registry keys, prevent changes in System Space, prevent read/write access to memory of other processes, etc. Furthermore, the child processes of Guarded applications are also automatically guarded.