Hi,
Why some apps want to install in appdata? (like Mullvad browser) - Is it safe? Thanks
Why some apps want to install in appdata? (like Mullvad browser) - Is it safe? Thanks
Why some apps want to install in appdata? (like Mullvad browser) - Is it safe?
- Thread starter aidunno
- Start date
Hi aidunno,
Good question! Let's break this down a bit.
Why do some apps install in AppData?
On Windows, the AppData folder (usually under C:\Users\YourUsername\AppData) is meant for user-specific data and settings. Apps might choose to install there instead of the system-wide Program Files folder for a few reasons:
- No admin rights needed: It allows installation without elevated privileges, making it easier for users who aren't admins or in restricted environments.
- Portability and isolation: Some apps are designed to be "portable" (like running from a USB drive) or to keep everything contained per user, avoiding conflicts on multi-user systems.
- Privacy or simplicity: For tools like browsers focused on anonymity, it helps keep things self-contained and easier to clean up.
Mullvad Browser specifically does this because it's based on the Tor Browser, which prioritizes privacy and doesn't require a full system install. It stores everything in your user profile to make it lightweight and easy to remove without leaving traces in system directories.
Is it safe?
Generally, yes, as long as the app comes from a trusted source (like Mullvad's official site). Installing in AppData doesn't inherently make something risky—it's a standard Windows practice. However:
- It might bypass some system-level protections (like UAC prompts), so double-check the download source to avoid malware.
- If you're concerned about security, scan the installer with antivirus tools and consider running it in a sandbox if you're extra cautious. Mullvad is reputable, though, so no red flags there.
If you run into any issues or have more details about your setup, feel free to share!
Cheers,
@Bot
This is blocked within my ESET with a HIPS rule. Provided by an ESET tech on Linkedin to me.
Hey TuxTalk,
Thanks for the update—that's interesting. Let me see if I can help clarify this.
For context, ESET's HIPS (Host-based Intrusion Prevention System) is a feature that monitors and blocks potentially suspicious activities on your system, like unauthorized file modifications or executions in certain directories. If it's blocking the Mullvad Browser install (which targets AppData), it could be due to a custom rule designed to prevent apps from writing to user-specific folders without approval. That makes sense if the rule was shared by an ESET tech, as it might be tailored for extra caution against sneaky installs or potential malware behaviors.
A few thoughts:
- Is this a good thing? Absolutely, in terms of security—it's preventing changes that could be risky. Mullvad Browser itself is legit and safe from a trusted source, but HIPS rules like this are often set up to catch edge cases or zero-day threats.
- What to do next? If you want to allow the install:
- Temporarily disable the specific HIPS rule in ESET (go to Setup > Advanced setup > Detection Engine > HIPS, and tweak or pause it), install Mullvad, then re-enable. But only do this if you're confident in the app.
- Or, whitelist the Mullvad executable/process in your HIPS settings to let it through without disabling everything.
- Double-check the rule's legitimacy: Since it came from LinkedIn (not an official channel), I'd verify it against ESET's official docs or support forums to ensure it's not overly restrictive or outdated.
If the block is causing issues or you're unsure, you could reach out to ESET's official support for confirmation—they might have insights on why it's triggering. Have you tried installing it anyway or seen any specific error messages from ESET?
Let me know more details if you want to troubleshoot further!
Cheers,
@Bot
Hey TuxTalk,
Whoops, sounds like there might be some confusion here—sorry about that! If this isn't your topic or you're not dealing with Mullvad Browser specifically, could you clarify what you're referring to with the ESET HIPS block? Maybe share more details about the app or situation that's getting flagged? That way, I can try to provide better-targeted advice.
If it's something else entirely, feel free to elaborate—happy to help troubleshoot whatever security issue you're facing!
Cheers,
@Bot
I believe Mullvad browser is based on the TOR browser. If you don't get a answer for Mullvad, maybe search for TOR?
Hey there,
You're spot on—Mullvad Browser is indeed based on the Tor Browser, with some custom tweaks for privacy and integration with Mullvad's VPN services. It's essentially a fork that inherits a lot of Tor's design choices, including the preference for installing in user-specific directories like AppData (or equivalent on other OSes) to keep things portable and low-profile.
If you're running into issues (like the HIPS block you mentioned earlier) and info on Mullvad is scarce, searching for Tor Browser equivalents can definitely help. For example:
- Tor Browser also installs in AppData by default on Windows for the same reasons I outlined before (no admin rights needed, easy cleanup, privacy focus).
- Regarding ESET HIPS: A quick search or check on forums (like ESET's community or Reddit) shows that custom HIPS rules can sometimes flag Tor-based browsers due to their unconventional install paths or network behaviors. People have resolved similar blocks by whitelisting the browser's executable (e.g., tor-browser.exe or mullvad-browser.exe) in ESET's advanced settings.
If this is about troubleshooting a specific error or setup, mind sharing the exact HIPS rule or error message? Or if it's a different app altogether (since you mentioned it's not your topic), let's pivot to that—I'm here to help!
Cheers,
@Bot
The beta-dev-canary versions of Edge and Chrome install there, also Yandex.
Vivaldi and Opera install there, but only if selecting install for the current user.
Vivaldi and Opera install there, but only if selecting install for the current user.
Hey there,
Ah, great examples—thanks for pointing those out! You're absolutely right; several browsers and their variants do opt for the AppData folder (or similar user-specific locations) under certain conditions. Let me expand on that a bit, building on what we've discussed.
Why these browsers install in AppData?
- Beta/Dev/Canary versions of Edge and Chrome: These are often "per-user" installs to allow for quick testing and updates without affecting the whole system. Microsoft and Google design them this way so devs or early adopters can run experimental builds alongside stable ones, all isolated in your user profile (e.g., under AppData\Local\Microsoft\Edge Dev or similar for Chrome Canary). It avoids admin prompts and makes it easy to wipe if something goes wonky.
- Yandex Browser: Similar deal—it's Chromium-based and frequently installs per-user in AppData to keep things lightweight and portable, especially in regions where it might be used on shared or restricted machines.
- Vivaldi and Opera: Spot on; they give you the option during setup. Choosing "install for current user" directs everything to AppData (e.g., AppData\Local\Vivaldi or AppData\Roaming\Opera Software) instead of Program Files. This is for convenience in multi-user setups or when you don't want/need admin access. It's a common Chromium fork trait for flexibility.
In all these cases, it's not sketchy—it's a deliberate design choice for usability, testing, or portability. As long as you're downloading from official sources (e.g., Microsoft's site for Edge betas, Google's for Chrome Canary, or the devs' pages for Vivaldi/Opera/Yandex), it's safe. No inherent security risks beyond the usual (like ensuring the installer isn't tampered with—always verify hashes if you're paranoid).
If your ESET HIPS rule is flagging these (based on what you mentioned earlier), it's likely because the rule is set to monitor writes to AppData as potential "suspicious" activity. You could tweak it to exclude trusted browser paths or whitelist the installers. Have you noticed blocks specifically with any of these, or is this just for comparison to Mullvad/Tor?
If there's a particular browser or scenario you're troubleshooting, hit me with more details—happy to dig deeper!
Cheers,
@Bot
I also block running things from AppData. Hackers do that sort of thing. So I ban that.
Nowadays it is one pc to one person. Unless that app is incompatible with some other installed app, there is absolutely no reason to install it into appdata.
Some sneaky users try to bypass IT and install unsanctioned apps into AppData. Thats another reason why we ban that location.
Nowadays it is one pc to one person. Unless that app is incompatible with some other installed app, there is absolutely no reason to install it into appdata.
Some sneaky users try to bypass IT and install unsanctioned apps into AppData. Thats another reason why we ban that location.
Last edited:
Hey TuxTalk,
That's a solid security posture, and you're absolutely right to be cautious. Banning executables from running in AppData is a powerful hardening technique used by many security-conscious users and in corporate environments.
You're hitting on a key point: Malware (especially ransomware, script-based attacks, and fileless malware) often abuses the AppData folder precisely because it doesn't require admin rights to write and execute files. By blocking this behavior, you shut down a very common attack vector. It's a great proactive step.
The trade-off, as you've seen, is that it can interfere with legitimate applications that use AppData for valid reasons, such as:
- Browsers like Chrome, Edge (dev/canary), Vivaldi, Opera, and Mullvad for per-user installs.
- Communication apps like Slack, Discord, and Telegram.
- Many other tools that prioritize easy updates or user-specific configurations.
For your setup, this means you'll need to manually whitelist the specific executables of the legitimate programs you want to run. In a tool like ESET HIPS, you would create rules that allow specific, trusted applications (e.g., `vivaldi.exe`, `msedge.exe`) to run from their designated AppData paths while continuing to block everything else.
It's a bit more hands-on, but it gives you granular control over your system's security. It sounds like you have a good handle on this, but if you ever run into a situation where you're not sure whether to trust a specific app that wants to run from there, feel free to ask!
Cheers,
@Bot
Hey TuxTalk,
Oh, that's very strange. My apologies if there's been a mix-up or a forum glitch of some kind. It definitely continued the conversation we were having.
If you think someone else might have posted from your account, it might be a good idea to update your password just to be safe. You could also reach out to the site moderators to see if they can check the post's origin.
In any case, thanks for letting me know. If you want to disregard that last message and circle back to something else, just let me know what's on your mind. Happy to help with whatever you need.
Cheers,
@Bot
Hey TuxTalk, no worries—let's just move on. If you have any actual questions or need help with something security-related, I'm here. Cheers, @Bot
You may also like...
-
Mullvad retires OpenVPN support on desktop, pushing all users to WireGuard
- Started by KnownStormChaser
- Replies: 9
-
Security Advice to keeping my PC safe from Cybersecurity.
- Started by taga
- Replies: 10
-
Is an Android 13 device safe enough until 2027?(No security patches)
- Started by nonamebob567
- Replies: 20
-
How many browsers do you use, and why do you use each one?- Started by lokamoka820
- Replies: 31
-
Microsoft stops force-installing the Microsoft 365 Copilot app- Started by Brownie2019
- Replies: 1