notabot

Level 12
AppGuard (referring to the Solo version, AppGuard Solo - AppGuard), among other features, offers:

a. MemoryGuard: prevents protected programs from writing to, or reading from, other processes’ memory

b. Application Containment/Guarded Execution: ensures protected applications are prevented from performing high-risk activities that might be exploited by malware

c. Zero-day and unknown malware defense: assumes all high-target applications contain zero-day malware and guards them to prevent any zero-day exploit

Regarding a. MemoryGuard: this sounds a lot like blocking injections. Does it do this by wrapping processes in an AppContainer? Does this work in practice, or does a lot of software break?
Also, what more does MemoryGuard offer specifically for Chrome compared to running Chrome with the AppContainer flag enabled?

Regarding b. & c.: how do they differ from what Windows 10 already offers?

Also, does AppGuard install a kernel driver, or does it use purely Windows 10 native mechanisms?
 

notabot

Level 12
AppGuard, like any security solution, will have uncovered attack vectors and bugs, so it will be bypassed by something. Many AVs had kernel modules that were exploitable, there exist UAC bypasses, etc.

What I'm after with these questions is to see how the protections it provides compare with what Windows 10 offers, to judge it on its merits / weaknesses based on the functional requirements it promises to deliver.
 

Slyguy

Level 42
Verified
I don't really think anyone around here uses AppGuard anymore, to be honest, so you may not find your answer here. The product has really gone off into the sunset from the looks of it, at least in terms of consumers. But I don't know of any corporations using it either, to be honest.
 

notabot

Level 12
I don't really think anyone around here uses AppGuard anymore, to be honest, so you may not find your answer here. The product has really gone off into the sunset from the looks of it, at least in terms of consumers. But I don't know of any corporations using it either, to be honest.
Thanks for this; what AG offers seems to overlap quite a bit with what Windows offers.

This indeed. No longer marketed to consumers. No (or very few) users either here or @ Wilders.
I see; without a user community, for me it doesn't make sense to use it anyhow.
 

Slyguy

Level 42
Verified
I'd love to play with it... free trial. Maybe a low-cost consumer version w/ free trial.

However, with VoodooShield implementing WhitelistCloud into it soon, I may just totally revert to that as my security posture, along with lockdowns.
 

ticklemefeet

Level 22
Verified
I still use it, but I have added a few things with userspace = yes:

That bypass would not succeed with these settings.

c:\Windows\*\bitsadmin.exe
c:\Windows\*\powershell.exe
c:\Windows\*\powershell_ise.exe
c:\Windows\*\wscript.exe
c:\Windows\*\cscript.exe
c:\Windows\*\mshta.exe
c:\Windows\*\hh.exe
c:\Windows\*\wmic.exe
c:\Windows\*\scrcons.exe
 

Andy Ful

Level 48
Verified
Trusted
Content Creator
This is not what I would call a bypass, but rather an educational video about how AppGuard works. The Guarded applications (like Word and PowerShell in the video) were restricted in a kind of sandbox. So, like in any sandbox, the malware introduced by them can spy and run other applications (like cmd.exe and calc.exe in the video) in the sandbox. As we could see, any malicious action outside User Space was blocked by AppGuard.
A true bypass should be able to do something in the AppGuard System Space. It is possible (I did it myself), but not like it was done in the video.

Edit.
Due to SRP-like restrictions, only applications from System Space can be run. That is why we can see Word, PowerShell, CMD, and Calc running in the video.
 

notabot

Level 12
This is not what I would call a bypass, but rather an educational video about how AppGuard works. The Guarded applications (like Word and PowerShell in the video) were restricted in a kind of sandbox. So, like in any sandbox, the malware introduced by them can spy and run other applications (like cmd.exe and calc.exe in the video) in the sandbox. As we could see, any malicious action outside User Space was blocked by AppGuard.
A true bypass should be able to do something in the AppGuard System Space. It is possible (I did it myself), but not like it was done in the video.
Is the sandbox an AppContainer, or is AppGuard using a different technology?
I would actually prefer it if it were AppContainer and all AppGuard uses are native mechanisms; a neat UI for these things may be worth paying for. If, on the other hand, it's in-house solutions that have probably gone through less scrutiny than Windows native mechanisms, I'm not so sure.
 

Andy Ful

Level 48
Verified
Trusted
Content Creator
It is a kind of sandbox based on AppGuard technology; it has many similarities with sandboxes based on restrictions. I do not know all the details, so I cannot say that it is a full sandbox. You cannot find the term sandbox in the AppGuard documentation.
The Guarded applications are run with many restrictions: to protect some important Registry keys, prevent changes in System Space, prevent read/write access to the memory of other processes, etc. Furthermore, the child processes of Guarded applications are also automatically guarded.
 
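The question raised twice in this thread (is the Guarded "sandbox" an AppContainer, and what does Chrome's AppContainer flag add?) can be checked empirically rather than argued from documentation: an AppContainer process carries a token for which TokenIsAppContainer is set, and sandboxed processes also run at a lowered integrity level. The PowerShell script below is an added example written for this page, not code from AppGuard or from any poster; it queries both token properties for every process with a given name via a small P/Invoke wrapper. It assumes Windows (Vista or later), Windows PowerShell 5.1 or PowerShell 7, and the right to open the target processes (PROCESS_QUERY_LIMITED_INFORMATION, which is normally granted for processes running as the same user; protected or other-user processes are reported as errors instead). The function name Get-SandboxToken and the class name TokenProbe are this example's own. Note that on a host where powershell.exe has been moved into AppGuard's User Space, as in the list a few posts up, the script itself runs guarded.

```powershell
# Added example: probe a process token for AppContainer status and integrity level.
# Not part of AppGuard or of this thread; TokenProbe and Get-SandboxToken are names chosen here.
$src = @"
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
public static class TokenProbe {
    [DllImport("kernel32.dll", SetLastError=true)] static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
    [DllImport("kernel32.dll", SetLastError=true)] static extern bool CloseHandle(IntPtr h);
    [DllImport("advapi32.dll", SetLastError=true)] static extern bool OpenProcessToken(IntPtr proc, uint access, out IntPtr tok);
    [DllImport("advapi32.dll", SetLastError=true)] static extern bool GetTokenInformation(IntPtr tok, int cls, IntPtr info, uint len, out uint ret);
    [DllImport("advapi32.dll")] static extern IntPtr GetSidSubAuthority(IntPtr sid, uint index);
    [DllImport("advapi32.dll")] static extern IntPtr GetSidSubAuthorityCount(IntPtr sid);

    const uint PROCESS_QUERY_LIMITED_INFORMATION = 0x1000; // enough for OpenProcessToken on Vista+
    const uint TOKEN_QUERY = 0x0008;
    const int TokenIntegrityLevel = 25;   // TOKEN_INFORMATION_CLASS values from winnt.h
    const int TokenIsAppContainer = 29;

    public struct Result { public bool AppContainer; public uint IntegrityRid; }

    public static Result Probe(int pid) {
        IntPtr proc = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, false, pid);
        if (proc == IntPtr.Zero) throw new Win32Exception();
        IntPtr tok = IntPtr.Zero;
        try {
            if (!OpenProcessToken(proc, TOKEN_QUERY, out tok)) throw new Win32Exception();
            Result r = new Result();

            // TokenIsAppContainer: a single DWORD, non-zero for a lowbox (AppContainer) token.
            IntPtr flag = Marshal.AllocHGlobal(4);
            try {
                uint ret;
                if (!GetTokenInformation(tok, TokenIsAppContainer, flag, 4, out ret)) throw new Win32Exception();
                r.AppContainer = Marshal.ReadInt32(flag) != 0;
            } finally { Marshal.FreeHGlobal(flag); }

            // TokenIntegrityLevel: a TOKEN_MANDATORY_LABEL whose first field is a PSID;
            // the SID's last sub-authority is the integrity RID (0x1000 = Low, 0x2000 = Medium, ...).
            uint needed;
            GetTokenInformation(tok, TokenIntegrityLevel, IntPtr.Zero, 0, out needed); // size query
            IntPtr label = Marshal.AllocHGlobal((int)needed);
            try {
                if (!GetTokenInformation(tok, TokenIntegrityLevel, label, needed, out needed)) throw new Win32Exception();
                IntPtr sid = Marshal.ReadIntPtr(label);
                uint count = Marshal.ReadByte(GetSidSubAuthorityCount(sid));
                r.IntegrityRid = (uint)Marshal.ReadInt32(GetSidSubAuthority(sid, count - 1));
            } finally { Marshal.FreeHGlobal(label); }
            return r;
        } finally {
            if (tok != IntPtr.Zero) { CloseHandle(tok); }
            CloseHandle(proc);
        }
    }
}
"@
Add-Type -TypeDefinition $src

# Integrity RIDs as defined in winnt.h (SECURITY_MANDATORY_*_RID).
$levels = @{ 0x0000 = 'Untrusted'; 0x1000 = 'Low'; 0x2000 = 'Medium'; 0x3000 = 'High'; 0x4000 = 'System' }

function Get-SandboxToken {
    param([string]$Name = 'chrome')
    Get-Process -Name $Name -ErrorAction SilentlyContinue | ForEach-Object {
        $p = $_   # keep the process; inside catch, $_ is the ErrorRecord
        try {
            $r = [TokenProbe]::Probe($p.Id)
            [pscustomobject]@{ Pid = $p.Id; Name = $p.ProcessName; AppContainer = $r.AppContainer; Integrity = $levels[[int]$r.IntegrityRid] }
        } catch {
            [pscustomobject]@{ Pid = $p.Id; Name = $p.ProcessName; AppContainer = $null; Integrity = "error: $($_.Exception.Message)" }
        }
    }
}

# Compare Chrome with and without its AppContainer sandbox flag, then any application AppGuard reports as Guarded.
Get-SandboxToken -Name chrome | Format-Table -AutoSize
```

Run it once against Chrome with the AppContainer flag on and once with it off: the renderer processes flip between AppContainer = True and False while the browser process stays Medium integrity. Then run it against an application the AppGuard console shows as Guarded. If the Guarded process reports AppContainer = False and an unchanged integrity level, the restrictions described above are being applied by something other than the Windows AppContainer mechanism, which answers the "native mechanism or in-house?" question for that process without relying on vendor documentation.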