Which registry items are protected by AppGuard?


Online_Sword (Thread author, joined Mar 23, 2015):
Recently I have been studying how to simulate the features of AppGuard with some other HIPS software.

Why AppGuard? Because some features of other anti-exe programs, such as the command-line whitelist, are too hard for me to simulate :D.

The fact is that I like AG very much, but I am unable to purchase it owing to some boring cross-border payment issues.

Some features of AG, such as blocking executable files in user space, preventing guarded applications from writing to protected folders, and preventing "private" guarded applications from reading the private folders, are not hard to simulate.

The problem is the registry.

We know AG prevents guarded applications from writing to protected registry items/keys/values.

But I do not know the exact registry items/keys/values that are protected by AG.

Only after knowing the items exactly can I write some hips rules to protect them.

So I hope experienced users could explain this to me.

Thank you.:)
 

hjlbx


Blue Ridge Networks doesn't provide a list of protected registry keys, but if you submit a request to Barb at BRN she will most likely be of some assistance.

NOTE: Don't submit a request via technical support, as you will get no help there; if you do make a request, contact Barb directly or go to Wilders Security and see if someone has a direct contact method.
 

Online_Sword (Thread author):
After reading the official documents of AG, I find that the help document says:

Any user-application can be guarded as long as it follows Microsoft's recommended best practices and does not write to the HKLM registry hive or to certain system directories.

I think this means the registry items that are protected by AG should include HKEY_Local_Machine\*.

I have also checked the prevention log of AG. All the events related to the registry have a form similar to the following:

09/08/15 01:23:42 Prevented <Google Chrome> from writing to <\registry\machine\software\wow6432node\google\update\clientstatemedium\{XXXXXX}\_numaccounts>.

I think this is consistent with my guess.:D
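One practical way to answer the question from the log itself: collect the AppGuard prevention entries, translate the NT-native registry paths it records (`\registry\machine\...`) into the Win32 hive names a HIPS rule editor expects (`HKEY_LOCAL_MACHINE\...`), and tally which keys each guarded application was blocked from writing. The script below is an added example and is not code from the thread or from AppGuard; it assumes every registry event has the same shape as the single line quoted above, the GUID and the extra log lines are constructed for the example, and the file-path event is an assumed shape used only to show that non-registry entries are skipped rather than misclassified.

```python
import re
from collections import defaultdict

# Constructed sample lines in the shape of the AppGuard prevention log line
# quoted in the thread. The GUID, the second and third entries and the
# file-path entry are made up for this example (assumed shapes, not real log).
SAMPLE_LOG = """\
09/08/15 01:23:42 Prevented <Google Chrome> from writing to <\\registry\\machine\\software\\wow6432node\\google\\update\\clientstatemedium\\{00000000-0000-0000-0000-000000000000}\\_numaccounts>.
09/08/15 01:25:10 Prevented <Google Chrome> from writing to <\\registry\\machine\\software\\google\\update\\clientstate>.
09/08/15 01:26:03 Prevented <Acrobat Reader> from writing to <\\registry\\user\\S-1-5-21-1111-2222-3333-1001\\software\\adobe>.
09/08/15 01:27:44 Prevented <Acrobat Reader> from writing to <C:\\Windows\\System32\\drivers\\etc\\hosts>.
"""

# One "Prevented <app> from writing to <target>." event per line.
LINE_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"Prevented <(?P<app>[^>]+)> from writing to <(?P<target>[^>]+)>\.$"
)

# NT-native registry root -> Win32 hive name. \REGISTRY\USER\<SID> is the
# per-user hive that Win32 exposes as HKEY_CURRENT_USER for that user.
HIVE_MAP = {
    "machine": "HKEY_LOCAL_MACHINE",
    "user": "HKEY_USERS",
}


def parse_line(line):
    """Return the fields of one prevention event, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def native_to_win32(path):
    """Convert an NT-native registry path to Win32 hive form.

    Returns None for anything that is not a registry path (e.g. a file path),
    so file-system prevention events are not mistaken for registry ones.
    """
    parts = path.lstrip("\\").split("\\")
    if len(parts) < 2 or parts[0].lower() != "registry":
        return None
    hive = HIVE_MAP.get(parts[1].lower())
    if hive is None:
        return None
    return "\\".join([hive] + parts[2:])


def is_wow64_redirected(win32_path):
    """True when the key sits under a Wow6432Node: a 32-bit process wrote to
    HKLM\\Software and WOW64 registry redirection moved the write there."""
    return any(p.lower() == "wow6432node" for p in win32_path.split("\\"))


def summarize(log_text):
    """Group blocked registry writes by application and count them per hive."""
    by_app = defaultdict(set)
    by_hive = defaultdict(int)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        key = native_to_win32(ev["target"])
        if key is None:
            continue  # file-system event, not a registry one
        by_app[ev["app"]].add(key)
        by_hive[key.split("\\")[0]] += 1
    return {app: sorted(keys) for app, keys in by_app.items()}, dict(by_hive)


if __name__ == "__main__":
    apps, hives = summarize(SAMPLE_LOG)
    for app, keys in apps.items():
        print(app)
        for k in keys:
            flag = "  (WOW64 redirected view)" if is_wow64_redirected(k) else ""
            print("   ", k + flag)
    print(hives)
```

Two things worth noticing when turning the output into HIPS rules. First, the `Wow6432Node` key in the quoted event is still a subkey of `HKEY_LOCAL_MACHINE\Software`, so a rule on `HKLM\*` covers it, but a narrower rule written as `HKLM\Software\Google\*` would not match the redirected write a 32-bit Chrome actually performs. Second, writes to the current user's hive show up in native form as `\registry\user\<SID>\...`, not as `HKEY_CURRENT_USER`, so a rule editor that only understands `HKCU` needs that translation done by hand.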
 
hjlbx


From what I remember that is only part of the registry protection. To be perfectly honest, I don't precisely know since with AppGuard I never bothered to get that deep into the registry protections. I just took it at face value...
