Advice Request: Some questions on AppGuard

notabot

Level 15
Thread author
Verified
Oct 31, 2018
703
AppGuard (referring to the Solo version, AppGuard Solo - AppGuard), among other features, offers:

a. MemoryGuard: prevents protected programs from writing to, or reading from, other processes’ memory

b. Application Containment/Guarded Execution ensures protected applications are prevented from performing high-risk activities that might be exploited by malware

c. Zero-day and unknown malware defense – assumes all high target applications contain zero-day malware and guards them to prevent any zero-day exploit

Regarding a. MemoryGuard: this sounds a lot like blocking injections. Does it do it by wrapping processes in an AppContainer? Does this work in practice, or does a lot of software break?
Also, what more does MemoryGuard offer specifically for Chrome compared to running Chrome with the AppContainer flag enabled?

Regarding b. & c., how does it differ from what Windows 10 already offers?

Also, does AppGuard install a kernel driver, or does it use purely Windows 10 native mechanisms?
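The two questions in the post above (is the "sandbox" an AppContainer, and does MemoryGuard really stop cross-process memory access) can both be checked empirically rather than from the marketing text. The following PowerShell script is an added example, not AppGuard's code and not posted by anyone in this thread. It opens a target process, asks the kernel whether the target's primary token is an AppContainer token, then reads the first two bytes of the target's image and writes the same two bytes back. Run it once from a plain PowerShell to get the Windows baseline, then from a PowerShell that AppGuard guards; whatever differs in the OpenProcess/ReadProcessMemory/WriteProcessMemory results is what MemoryGuard actually changes. Assumptions: 64-bit PowerShell probing a 64-bit target (Process.MainModule needs matching bitness), notepad.exe present when no PID is given, and `-TargetPid` pointing at an existing process (for example a Chrome renderer) when you want to inspect one instead of spawning notepad. `Probe`, `$TargetExe` and `$TargetPid` are names chosen for this example.

```powershell
# Added example: probes one process for (1) an AppContainer token and (2) read/write
# access to its memory. Not AppGuard code; assumes 64-bit PowerShell and a 64-bit target.
param(
    [string]$TargetExe = 'notepad.exe',   # spawned and killed if -TargetPid is not given
    [int]$TargetPid = 0                   # probe an existing process instead (e.g. a Chrome renderer)
)

Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class Probe {
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool ReadProcessMemory(IntPtr h, IntPtr addr, byte[] buf, int n, out IntPtr read);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool WriteProcessMemory(IntPtr h, IntPtr addr, byte[] buf, int n, out IntPtr written);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool OpenProcessToken(IntPtr h, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool GetTokenInformation(IntPtr token, int cls, out uint info, uint len, out uint ret);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr h);
}
'@

# Access rights from winnt.h; 29 is TokenIsAppContainer in TOKEN_INFORMATION_CLASS
$PROCESS_QUERY_INFORMATION = 0x0400; $PROCESS_VM_READ  = 0x0010
$PROCESS_VM_OPERATION      = 0x0008; $PROCESS_VM_WRITE = 0x0020
$TOKEN_QUERY = 0x0008;               $TokenIsAppContainer = 29

$spawned = $false
if ($TargetPid -ne 0) {
    $target = Get-Process -Id $TargetPid
} else {
    $target = Start-Process -FilePath $TargetExe -PassThru
    $spawned = $true
    Start-Sleep -Milliseconds 500          # give the loader time to map the main module
}

$r = [ordered]@{ Pid = $target.Id; Name = $target.ProcessName }
$h = [IntPtr]::Zero
try {
    $want = $PROCESS_QUERY_INFORMATION -bor $PROCESS_VM_READ -bor $PROCESS_VM_OPERATION -bor $PROCESS_VM_WRITE
    $h = [Probe]::OpenProcess($want, $false, $target.Id)
    $r.OpenProcess = ($h -ne [IntPtr]::Zero)
    if (-not $r.OpenProcess) {
        $r.OpenProcessWin32Error = [Runtime.InteropServices.Marshal]::GetLastWin32Error()   # 5 = ACCESS_DENIED
    } else {
        # (1) Is the target's primary token an AppContainer token?
        $tok = [IntPtr]::Zero
        if ([Probe]::OpenProcessToken($h, $TOKEN_QUERY, [ref]$tok)) {
            $flag = [uint32]0; $ret = [uint32]0
            if ([Probe]::GetTokenInformation($tok, $TokenIsAppContainer, [ref]$flag, 4, [ref]$ret)) {
                $r.TokenIsAppContainer = ($flag -ne 0)
            }
            [void][Probe]::CloseHandle($tok)
        }

        # (2) Read the first two bytes of the image ('MZ' for any PE) ...
        $base = $target.MainModule.BaseAddress
        $buf  = New-Object byte[] 2
        $n    = [IntPtr]::Zero
        $r.ReadProcessMemory = [Probe]::ReadProcessMemory($h, $base, $buf, 2, [ref]$n)
        if ($r.ReadProcessMemory) {
            $r.ReadBytes = [Text.Encoding]::ASCII.GetString($buf)
            # ... and write the identical bytes back: exercises write access without altering the target
            $w = [IntPtr]::Zero
            $r.WriteProcessMemory = [Probe]::WriteProcessMemory($h, $base, $buf, 2, [ref]$w)
            if (-not $r.WriteProcessMemory) { $r.WriteWin32Error = [Runtime.InteropServices.Marshal]::GetLastWin32Error() }
        } else {
            $r.ReadWin32Error = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        }
    }
} finally {
    if ($h -ne [IntPtr]::Zero) { [void][Probe]::CloseHandle($h) }
    if ($spawned) { Stop-Process -Id $target.Id -Force -ErrorAction SilentlyContinue }
}
[pscustomobject]$r
```

Reading the interpretation: `TokenIsAppContainer = $true` on a process means Windows itself is applying AppContainer isolation to it, which is how you distinguish a native AppContainer from a vendor-specific restriction; a blocked `OpenProcess` versus a blocked `ReadProcessMemory`/`WriteProcessMemory` tells you at which call the product intervenes. Windows error codes are reported as numbers so they can be looked up without relying on the last-error value surviving PowerShell's own activity between calls.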

notabot

Level 15
Thread author
Verified
Oct 31, 2018
703


AppGuard, like any security solution, will have uncovered attack vectors and bugs, so it will be bypassed by something. Many AVs had kernel modules that were exploitable, UAC bypasses exist, etc.

What I'm after with these questions is to see how the protections it provides compare with what Windows 10 offers, to judge it on its merits and weaknesses based on the functional requirements it promises to deliver.

ForgottenSeer 58943

I don't really think anyone around here uses AppGuard anymore, to be honest, so you may not find your answer here. The product has really gone off into the sunset from the looks of it, at least in terms of consumers. But I don't know any corporations using it either, to be honest.

notabot

Level 15
Thread author
Verified
Oct 31, 2018
703
I don't really think anyone around here uses AppGuard anymore, to be honest, so you may not find your answer here. The product has really gone off into the sunset from the looks of it, at least in terms of consumers. But I don't know any corporations using it either, to be honest.

Thanks for this. What AG offers seems to overlap quite a bit with what Windows offers.

This indeed. No longer marketed to consumers. No (or very few) users either here or @ Wilders.

I see. Without a user community, for me it doesn't make sense to use it anyhow.

ForgottenSeer 58943

I'd love to play with it. Free trial. Maybe a low-cost consumer version with a free trial.

However, with VoodooShield implementing WhitelistCloud into it soon, I may just totally revert to that as my security posture, along with lockdowns.

ForgottenSeer 69673

I still use it, but I have added a few things to User Space = yes:

That bypass would not succeed with these settings.

c:\Windows\*\bitsadmin.exe
c:\Windows\*\powershell.exe
c:\Windows\*\powershell_ise.exe
c:\Windows\*\wscript.exe
c:\Windows\*\cscript.exe
c:\Windows\*\mshta.exe
c:\Windows\*\hh.exe
c:\Windows\*\wmic.exe
c:\Windows\*\scrcons.exe
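The nine patterns above are of the form c:\Windows\*\name.exe, so whether they cover a given binary depends on where Windows actually puts it and on how the product expands the single `*` segment. The following PowerShell script is an added example, not AppGuard's code and not from the post above: it locates every on-disk copy of those nine binaries under %SystemRoot%, reports how many directory levels sit between %SystemRoot% and each copy, and prints the Authenticode signer. It does not assume anything about AppGuard's wildcard semantics; it only shows what a one-segment pattern has to match. `$names` and `$copies` are names chosen for this example; the full recursion through WinSxS is slow but deliberate, since component-store copies of the same binaries exist there too.

```powershell
# Added example: where do the binaries in the User Space list above actually live?
# Not AppGuard code; needs only read access to %SystemRoot% (denied folders are skipped).
$names = 'bitsadmin.exe', 'powershell.exe', 'powershell_ise.exe', 'wscript.exe',
         'cscript.exe', 'mshta.exe', 'hh.exe', 'wmic.exe', 'scrcons.exe'
$root = $env:SystemRoot

$copies = Get-ChildItem -Path $root -Recurse -File -Include $names -ErrorAction SilentlyContinue |
    ForEach-Object {
        $rel = $_.FullName.Substring($root.Length).TrimStart('\')
        [pscustomobject]@{
            Name   = $_.Name
            Depth  = ($rel -split '\\').Count - 1    # 1 means exactly c:\Windows\<dir>\name.exe
            Path   = $_.FullName
            Signer = (Get-AuthenticodeSignature -FilePath $_.FullName).SignerCertificate.Subject
        }
    }

$copies | Sort-Object Name, Depth | Format-Table -AutoSize

# Names with no copy at all, and copies that a single "*" segment would not describe
# if the product expands "*" as exactly one directory level
$missing = $names | Where-Object { $_ -notin $copies.Name }
if ($missing) { "Not found under ${root}: $($missing -join ', ')" }
$copies | Where-Object { $_.Depth -ne 1 } |
    ForEach-Object { "Depth $($_.Depth), check wildcard semantics: $($_.Path)" }
```

Any row reported with a depth other than 1 is one to verify against the product's own documentation of how `*` is expanded before relying on the pattern; the signer column is there because a policy keyed on path alone says nothing about what binary is at that path.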
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040

This is not what I would call a bypass, but rather an educational video about how AppGuard works. The Guarded applications (like Word and PowerShell in the video) were restricted in a kind of sandbox. So, as in any sandbox, the malware introduced by them can spy on and run other applications (like cmd.exe and calc.exe in the video) in the sandbox. As we could see, any malicious action outside User Space was blocked by AppGuard.
A true bypass should be able to do something in the AppGuard System Space. It is possible (I did it myself), but not like it was done in the video.

Edit.
Due to SRP-like restrictions, only applications from System Space can be run. That is why we can see Word, PowerShell, CMD, and Calc running in the video.

notabot

Level 15
Thread author
Verified
Oct 31, 2018
703
This is not what I would call a bypass, but rather an educational video about how AppGuard works. The Guarded applications (like Word and PowerShell in the video) were restricted in a kind of sandbox. So, as in any sandbox, the malware introduced by them can spy on and run other applications (like cmd.exe and calc.exe in the video) in the sandbox. As we could see, any malicious action outside User Space was blocked by AppGuard.
A true bypass should be able to do something in the AppGuard System Space. It is possible (I did it myself), but not like it was done in the video.

Is the sandbox an AppContainer, or is AppGuard using a different technology?
I would actually prefer it if it's AppContainer and all AppGuard uses is native mechanisms; a neat UI for these things may be worth paying for. If, on the other hand, it's in-house solutions that have probably gone through less scrutiny than Windows native mechanisms, I'm not so sure.

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
It is a kind of sandbox based on AppGuard technology; it has many similarities with sandboxes based on restrictions. I do not know all the details, so I cannot say that it is a full sandbox. You cannot find the term sandbox in the AppGuard documentation.
Guarded applications are run with many restrictions to protect some important Registry keys, prevent changes in System Space, prevent read/write access to the memory of other processes, etc. Furthermore, the child processes of Guarded applications are also automatically guarded.
