AppGuard - stable versions

Tadek59

Very active
Fąfel
Joined
27 May 2010
Posts
4168
Reactions/Likes
144
OXYGEN THIEF wrote:
You probably had them hidden,

There is a (free) program for removing toolbars, called Toolbar Cleaner


Thanks, it will probably come in handy; these toolbars are a breeding ground for spies and all kinds of hostile activity :thanks
 

pkolasa

Very active
Distinguished
Joined
22 April 2011
Posts
230
Reactions/Likes
8
Or AdwCleaner, which has a broader scope and also deals with browser preferences, where junk is often left behind:

 

ichito

Very active
Joined
23 October 2010
Posts
633
Reactions/Likes
235
City
Kraków
For those interested and those using it... a very favourable opinion of AppGuard (kees1958 on the Wilders forum)
Kees1958, Re: Light Weight HIPS for 64 bit OS
@mattbiernat

A great HIPS for x64 is AppGuard; it is a one-time payment for lifetime usage of the main version you are buying (so 3.00 through 3.99; for version 4.01 you would have to pay again).

How is it intended to be used?
It is not a system-wide HIPS, but a HIPS directed at the threatgate programs and areas (like USB, Internet). The idea behind it is that by looking only at the threatgates, you prevent them entering (not having to fight against all threat vectors possibly started by all the executables living on your hard drive).

How does it compare against traditional HIPS?
For starters it uses way fewer CPU cycles, so it has minimal effect. When performance or lightness is important to you, it is a positive feature of AppGuard.

When tested in a broad HIPS test against well-known HIPS/FW like OA, Comodo, Outpost, SpyShelter it will lose miserably. When you look at the results one would ask, why pay for a program which protects so few areas?

Any malware researcher / security enthusiast could tell you (with sufficient knowledge, that is) that AppGuard in daily use will be as strong as any other HIPS, maybe even stronger because it imposes deny execute on vulnerable areas and a smart paranoid memory protection (not matched by most other HIPS).

So what is the secret of AppGuard?
.......
And you will find the answer to that question in the original post :)

 

OXYGEN THIEF

Very active
Staff member
Administrator
Joined
26 May 2010
Posts
42286
Reactions/Likes
29985
City
Trololololo
Here is what AppGuard is all about:
1. Introduction

Before looking at how to customize AppGuard, a few notes on the approach that AppGuard takes to securing the system might be helpful.

AppGuard looks at the whole computer system as consisting of two parts. There are files, processes, and registry keys forming a sub-system within the whole that must be protected against being compromised by malware. This sub-system is called a trusted enclave. The primary goal of AppGuard is to protect objects within the trusted enclave. Objects that lie outside the trusted enclave may be compromised by malware but they must be prevented from compromising objects within the trusted enclave.

To enforce this model, AppGuard has some basic concepts.

1.1. System Space

System Space consists of objects located within the trusted enclave and contains everything that is not considered to be User Space. System Space includes the Windows and Program Files folders. System Space executables run as Unguarded Applications unless they are explicitly defined as Guarded Applications.

1.2. User Space

User Space consists of objects located outside the trusted enclave and contains the current user profile plus any additional partitions. User Space executables automatically run as Guarded Applications except where some are explicitly unguarded by customization.

1.3. Guarded Applications

Guarded Applications are untrusted applications that have the potential to compromise the trusted enclave if not restricted on execution. If located in User Space, applications are automatically untrusted and guarded on execution. If located in System Space, applications can be explicitly defined as untrusted and guarded on execution. Applications that should be untrusted include Internet-facing applications and applications that load data files that may contain malicious code.

Guarded Applications have read/write access to User Space, but read-only access to System Space. Any child process spawned by a Guarded Application will also inherit the same set of restrictions as its parent and run guarded.

1.4. Unguarded Applications

Unguarded Applications are trusted applications located within System Space. All applications located within System Space are automatically trusted unless they are explicitly defined as Guarded Applications.

Unguarded Applications have read/write access to both User Space and System Space.

1.5. Protection Level

The Protection Level determines the way in which the various AppGuard features are applied and the degree of restriction and protection that AppGuard provides.

High is the default. For most users, it represents the best compromise between security and usability for normal use. Medium would normally only be used if High is causing issues. Locked Down is highly restrictive and would normally be used in situations where increased security is required. For many users, Locked Down may be too restrictive for normal use. Install allows protection to be lowered when installing or updating software. Off is self-explanatory.


2. AppGuard Customization

2.1. Customizing Alerts

The Alerts panel in the GUI allows the way different types of alerts are handled to be customized and is where blocked events are displayed. Most blocked events are harmless and do not impact the ability of a program to function normally. Future occurrences of a blocked event can optionally be suppressed from being reported by right-clicking on it and creating an Ignore Message rule. An Ignore Message rule does not suppress the blocked event itself: just the reporting and/or logging of it. Wildcards can be used to make Ignore Message rules more generic.

If it has been decided to make an exception for a blocked event, right-clicking on the event in the Alerts panel and selecting Ignore Message without actually creating a rule enables the full path name to be displayed, which can be helpful in identifying the executable involved.

2.2. Moving a System Space Folder to User Space

Where allowed, this involves a two-step procedure. The System Space folder to be moved is added in the User-Space tab, setting the Include flag to Yes in order to guard its executables. The folder is also added in the Guarded Apps tab with the Type flag set to Read/Write in order to unprotect it and allow all guarded executables write access. Windows and Program Files folders may not be moved to User Space as they are core components of the trusted enclave.

2.3. Moving a User Space Folder to System Space

This also involves a two-step procedure. The User Space folder to be moved is added in the User-Space tab, setting the Include flag to No in order to unguard its executables. The folder is also added in the Guarded Apps tab with the Type flag set to Read Only in order to protect it and prevent any guarded executables from having write access.

2.4. Unguarding User Space Applications

By default, User Space executables are untrusted and automatically run as Guarded Applications. In order to override this, a User Space executable or folder can be added in the User-Space tab with the Include flag set to No.

2.5. Guarding System Space Applications

By default, System Space executables are trusted and automatically run as Unguarded Applications. In order to override this, applications can be added to the Guarded Apps tab. Separate flags can be set for each Guarded Application that control whether Privacy and MemoryGuard features are enabled. Several untrusted applications are already predefined in the Guarded Applications tab when AppGuard is first installed; others can be manually added later.

2.6. Creating User Space Private Folders

A folder in User Space can be made a Private Folder by adding a folder entry in the Guarded Apps Tab and setting the Type flag to Deny Access. This is useful to prevent Guarded Applications such as web browsers from having any access to folders containing confidential data. When the Protection Level is set to High or Medium, Private Folders is only enabled for Guarded Applications where the Privacy flag is set to Yes.

2.7. Creating User Space Protected Resources

A folder in User Space can be made a Protected Resource by adding a folder entry in the Guarded Apps tab and setting the Type flag to Read Only. An example use for this might be to prevent write access to an additional partition containing system objects. By default, AppGuard treats additional partitions as an extension of User Space and allows read/write access.

2.8. Creating System Space Exception Folders

A folder in System Space can be made an Exception Folder by adding a folder entry in the Guarded Apps tab and setting the Type flag to Read/Write. An example use for this might be to allow write access to Sandboxie’s sandbox folder, which by default is located in System Space. As part of System Space, AppGuard would normally prevent guarded applications from writing to it. As an alternative, the sandbox folder could be moved to an additional partition if there is one, in which case it would automatically be in User Space and no folder exception would be needed.

2.9. Trusted Publishers

The Publishers tab enables digitally signed executables from trusted publishers to be run as Unguarded Applications from User Space. This allows software installs and updates to be applied from trusted publishers in the list who sign their executables without having to reduce the Protection Level to Install.

2.10. Power Applications

Adding an application to the PowerApps tab means that it will never run as a Guarded Application, even if executed as a child process of a Guarded Application. For this reason, this feature should be used very sparingly only where necessary. Other types of AppGuard exceptions should be considered to resolve issues before adding executables as Power Applications.

2.11. Miscellaneous Features

The Advanced tab is where miscellaneous features not covered elsewhere can be managed. The feature that is most likely to be customized is MemoryGuard.

MemoryGuard prevents Guarded Applications from being able to inject code into the memory space of other running applications and vice versa. The Advanced tab is where MemoryGuard exceptions can be made. This should only be done if MemoryGuard blocking events are occurring and only then if MemoryGuard is preventing an application from working correctly. Most MemoryGuard events don’t impact the normal functioning of applications and can usually be ignored.

 

Tadek59

Hello!

I have a problem and I am pasting this:


09/12/12 16:38:33 Prevented process <loader.exe - c:\program files\xussoft\xus desktop\xusdesktop.exe> from launching from <g:\easeus\todo backup\bin>.

I have XUS Desktop with icons in it, among them the EaseUS Todo Backup icon. I click it and AppGuard blocks it and does not allow the program to launch. How do I add this program to the exclusions in AppGuard? I noticed that when I was setting certain things in EaseUS Todo Backup, only turning AppGuard off let me confirm the settings; similarly, when starting the backup, AppGuard did not allow it to run and I had to set it to Off.
I am afraid that in a week, when the backup tries to start automatically (that is how I set it up), AppGuard will stop it, so please help.
 

OXYGEN THIEF

Tadek59, AppGuard blocked it because the thing you tried to run is located on a non-system partition. Did you set it up that way yourself (the location of this file, g:\easeus\todo backup\bin), or did it end up there automatically?
Which things exactly? Do you have logs from that?
 

Tadek59

OXYGEN THIEF wrote:
Tadek59, AppGuard blocked it because the thing you tried to run is located on a non-system partition. Did you set it up that way yourself (the location of this file, g:\easeus\todo backup\bin), or did it end up there automatically?
Which things exactly? Do you have logs from that?

Myself, because I wanted everything to be saved on the external drive, and that is where it was saved (the backup); for me that is drive G.
 

OXYGEN THIEF

Go to the UserSpace tab in AppGuard; there is a removable media entry there, which in plain terms means all portable drives. If you click it over to NO (it is set to Yes), it should work. Although, in my opinion, it would be better (safer) to add there only the path to what AppGuard blocked, i.e. g:\easeus\todo backup\bin, and set that to NO.

And once you add this path, you have to make a test backup and then check in the logs whether AppGuard blocked anything; if it does block something, post the log here.
 

Tadek59

OXYGEN THIEF wrote:
Go to the UserSpace tab in AppGuard; there is a removable media entry there, which in plain terms means all portable drives. If you click it over to NO (it is set to Yes), it should work. Although, in my opinion, it would be better (safer) to add there only the path to what AppGuard blocked, i.e. g:\easeus\todo backup\bin, and set that to NO.

And once you add this path, you have to make a test backup and then check in the logs whether AppGuard blocked anything; if it does block something, post the log here.

Wow!

Thanks, everything is okay and nothing is being blocked :D
 

OXYGEN THIEF

Did you add only the path to this file and click NO, or did you set Removable Media to NO?
 

Tadek59

OXYGEN THIEF wrote:
Did you add only the path to this file and click NO, or did you set Removable Media to NO?

I did it the way you would have done it!
That is, I added there only the path to what AppGuard blocked, i.e. g:\easeus\todo backup\bin, and set it to NO.

That is probably fine :scratch
 

OXYGEN THIEF

And you left Removable Media on YES, right? If so, it's all good.
 

Tadek59

OXYGEN THIEF wrote:
And you left Removable Media on YES, right? If so, it's all good.

Exactly, I left it on YES!

Once again :thanks
 

OXYGEN THIEF

OK, all good then :mistrzunio
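
The guarding rules from the guide quoted earlier in the thread (sections 1.1 to 1.3, 2.4, 2.5 and 2.10) and the exclusion applied above, modelled as an added Python example; it is not AppGuard code and not code from any poster. Assumptions: all function names and the sample configuration are hypothetical, the alert's second field is read as the launching program, the `g:\` entry stands in for the Removable Media entry, and the most specific User-Space entry is taken to win.

```python
import re
from ntpath import normcase, normpath   # Windows path rules on any OS

# Constructed sample configuration; all names in this block are hypothetical.
USER_SPACE_ROOTS = [r"c:\users\tadek", "g:\\"]   # profile + extra partition (1.2)
GUARDED_APPS = {r"c:\program files\browser\browser.exe"}   # Guarded Apps tab (2.5)
POWER_APPS = set()                                          # PowerApps tab (2.10)

# Alert line as posted in the thread; the second field is assumed to be the launcher.
SAMPLE = (r"09/12/12 16:38:33 Prevented process <loader.exe - c:\program files"
          r"\xussoft\xus desktop\xusdesktop.exe> from launching from "
          r"<g:\easeus\todo backup\bin>.")
ALERT = re.compile(r"Prevented process <(?P<exe>[^<>]+?) - (?P<launcher>[^<>]+)> "
                   r"from launching from <(?P<folder>[^<>]+)>")

def norm(path):
    return normcase(normpath(path))

def under(path, root):
    path, root = norm(path), norm(root).rstrip("\\")
    return path == root or path.startswith(root + "\\")

def in_user_space(path, include_rules):
    """include_rules maps folder -> Include flag (True = Yes, False = No).
    Assumption: the longest (most specific) matching entry decides."""
    hits = [f for f in include_rules if under(path, f)]
    if hits:
        return include_rules[max(hits, key=lambda f: len(norm(f)))]
    return any(under(path, root) for root in USER_SPACE_ROOTS)

def runs_guarded(exe, include_rules, parent_guarded=False):
    exe = norm(exe)
    if exe in POWER_APPS:        # 2.10: never guarded, even as a child
        return False
    if parent_guarded:           # 1.3: children inherit the restrictions
        return True
    return exe in GUARDED_APPS or in_user_space(exe, include_rules)

def blocked_launch(line):
    """Full path of the executable named in a 'Prevented process' alert, or None."""
    m = ALERT.search(line)
    return norm(m["folder"] + "\\" + m["exe"]) if m else None

if __name__ == "__main__":
    exe = blocked_launch(SAMPLE)
    narrow = {"g:\\": True, r"g:\easeus\todo backup\bin": False}   # fix from the thread
    broad = {"g:\\": False}                  # stand-in for Removable Media = No
    for name, rules in (("narrow", narrow), ("broad", broad)):
        print(name, runs_guarded(exe, rules), runs_guarded(r"g:\other\x.exe", rules))
```

With the narrow rule only the backup tool's folder stops being guarded; with the broad rule every executable on the drive does, which is the difference behind the "safer" recommendation in the thread.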
 