Status of AppGuard Personal

[509322]

Abu

Here's a couple things you could try:
1 Add Opera to list of trusted publishers
2 look in log and find out the subfolder that Opera updates from, and exclude it from User space (using * to replace version number if necessary)

@cimmay

I am making the assumption that Opera does not update from User Space since you are not reporting a block event for "opera_updater.exe" in User Space. If it does use also use some updater in User Space, then @shmu26 is correct. You have to identify the Opera updater process if it is using one.

If it isn't updating from User Space, then

1 - You don't need to add Opera to TPL since it is installed to Programs folder and see 2
2 - Looks to me Opera is updating from c:\windows\temp\opera autoupdate - which is System Space

The block event is probably rundll32 or some inherited Guarded process attempting to write to a log or some other innocuous file in the update directory and that blocked write does not break anything associated with the Opera update process.

I've said it a million times that block events of known trusted programs should be ignored unless something is obviously is broken.

The objective is not to make the AppGuard configuration such that there are zero block events of trusted programs. If a user does that they should not use AppGuard.

 

[509322]

Thanks, I would like Opera's autoupdate to function without using AppGuard's "allow installs" enabled. The messages were posted here but removed by someone. I will try again with just one to illustrate:
10/25/17 12:24:14 Prevented process <pid: 6012> from writing to <c:\windows\temp\opera autoupdate\installer.exe>.

Nothing is being blocked from executing. Only a write is being blocked. You should not have to lower protection to "Allow Installs" for Opera browser to auto update.

 

[cimmay]

Nothing is being blocked from executing. Only a write is being blocked. You should not have to lower protection to "Allow Installs" for Opera browser to auto update.

I opened Opera About page. It said "checking for updates..." then it said "An error occurred while checking for updates". I immediately enabled AppGuard "Allow Installs" and reloaded the About page. An update was then downloaded and installed.

 

[FleischmannTV]

Discussing block events is off topic regarding the continuation of AppGuard Personal.

 

[cimmay]

You should not have to lower protection to "Allow Installs" for Opera browser to auto update.

Yes! Finally got autoupdate to work without intervention. In AppGuard's "Guarded Apps" I added Folder "Exception" (Read/Write) to c:windows\temp\opera autoupdate. AppGuard does block Opera update dll's and registry, but at least the About page will do a check and give status. Need to wait several weeks to see if it will truly do an install. Now I save 6 clicks when checking for update.

 

[scootnod]

what is up with all the whiners? Small Business option works fine for home users on their main computer. Not bulk home user license compatible maybe cost wise. I have 5 personal licenses I wont renew in a year for the cost but will keep one small business though. But add VoodooShield and Emsisoft on the others as well and more than protected. Who needs support with google anyways?

 

[shmu26]

Yes! Finally got autoupdate to work without intervention. In AppGuard's "Guarded Apps" I added Folder "Exception" (Read/Write) to c:windows\temp\opera autoupdate.

Good thinking. Glad you figured it out.

 

[Deleted member 65228]

I think I will get a business license in the future once I need it, and only apply it to the systems which need it.

 

[cimmay]

Pardon me but anyone know if AppGuard needs settings configured to work successfully with ZoneAlarm's Anti-Ransomware?

 

[Deleted member 178]

Pardon me but anyone know if AppGuard needs settings configured to work successfully with ZoneAlarm's Anti-Ransomware?

if something is blocked, yes. If not, no.

 

[cimmay]

if something is blocked, yes. If not, no.

Seems like coordinated protection, but I don't know if AppGuard will stop ZA from doing any work when it's needed most.

 

[509322]

Seems like coordinated protection, but I don't know if AppGuard will stop ZA from doing any work when it's needed most.

There are no conflicts between any security softs and AppGuard as long as the security soft is installed to System Space (Program Files).

On rare occasions a user might have to make a configuration exception for a browser extension or for a portable scanner in AppGuard.

 

[cimmay]

On rare occasions a user might have to make a configuration exception...

I did notice that generally most any application running already is never blocked. But on the last page of AppGuard is option for "Power Applications". I went and looked up ZA in Task Manager and added the exe to the option. Can rest a little easier now. Thanks.

 

[509322]

I did notice that generally most any application running already is never blocked. But on the last page of AppGuard is option for "Power Applications". I went and looked up ZA in Task Manager and added the exe to the option. Can rest a little easier now. Thanks.

That is completely unnecessary and actually decreases security, but you have the right as the user to misconfigure the product policy.

Power Apps should only be used when all other exceptions methods have failed to resolve any program breakages. It is extremely rare that making a process a Power Apps is ever required.

 

[shmu26]

That is completely unnecessary and actually decreases security, but you have the right as the user to misconfigure the product policy.

Power Apps should only be used when all other exceptions methods have failed to resolve any program breakages. It is extremely rare that making a process a Power Apps is ever required.

If I understand right, the argument against adding an AV to power apps unnecessarily is because if the AV gets compromised, and it is a power app, then there is zero protection to stop it. But if it is not a power app, then the processes it spawns will not automatically have full permissions.
Is this correct?

 

[509322]

If I understand right, the argument against adding an AV to power apps unnecessarily is because if the AV gets compromised, and it is a power app, then there is zero protection to stop it. But if it is not a power app, then the processes it spawns will not automatically have full permissions.
Is this correct?

The AV already is running with elevated privileges. That's how they work. Any exploit child process will run elevated.

If any malicious child process runs from User Space it will be blocked as long as the AV process is not a Power App.

There is no need to create unnecessary exceptions in any software restriction policy. Such exceptions creates needless holes. Such exceptions are the equivalent to taking a bulletproof vest and physically poking holes in it.

 

[_CyberGhosT_]

If I understand right, the argument against adding an AV to power apps unnecessarily is because if the AV gets compromised, and it is a power app, then there is zero protection to stop it. But if it is not a power app, then the processes it spawns will not automatically have full permissions.
Is this correct?

In a sense yes, but then you run into how many are running a "Admin" level acct, or handing out Admin run level permissions like it is free candy, both of which no matter what your running can pose additional problems or issues.
Limit the privledges and scripts run, and you find infection a rarity. I do this and run exclusively no sig software and the numbers say I am more apt to experience an infection than Joe Blow 2 to 3 time over. Not happening, why ?
Because I know this OS and my Linux Mint, I know what to do and how to run things that "limit" my ability to contract a nasty
of any nature. What 2.yrs now and no issues in WIndows or Linux ? Either the numbers lie, or are not applied correctly, or, just maybe we are figuring this out and moving in the appropriate direction as conscious and educated users.

 

[shmu26]

In a sense yes, but then you run into how many are running a "Admin" level acct, or handing out Admin run level permissions like it is free candy, both of which no matter what your running can pose additional problems or issues.
Limit the privledges and scripts run, and you find infection a rarity. I do this and run exclusively no sig software and the numbers say I am more apt to experience an infection than Joe Blow 2 to 3 time over. Not happening, why ?
Because I know this OS and my Linux Mint, I know what to do and how to run things that "limit" my ability to contract a nasty
of any nature. What 2.yrs now and no issues in WIndows or Linux ? Either the numbers lie, or are not applied correctly, or, just maybe we are figuring this out and moving in the appropriate direction as conscious and educated users.

 

[shmu26]

The AV already is running with elevated privileges. That's how they work. Any exploit child process will run elevated.

If any malicious child process runs from User Space it will be blocked as long as the AV process is not a Power App.

There is no need to create unnecessary exceptions in any software restriction policy. Such exceptions creates needless holes. Such exceptions are the equivalent to taking a bulletproof vest and physically poking holes in it.

Do all security softs regularly run with elevated privileges, or only the ones that Windows recognizes as AV?

 

[cimmay]

That is completely unnecessary and actually decreases security, but you have the right as the user to misconfigure the product policy.

With AppGuard Power Applications active the ZA benefit outweighs the risk.