ssj100 Security Forums

AppGuard

Post by ssj100 7/5/2010, 11:16

http://www.blueridgenetworks.com/products/appguard.php

The last time I tested AppGuard (about 8 weeks ago), their program was unable to block command prompt executables. Now in the latest release, they can!

However, they are still unable to block scripting executables (like vbscript). Maybe someone should just tell them to mimick their "anti-executable" technology to be like SRP?

SRP was created more than 8 years ago (came out with Windows XP Pro), and it's been blocking command prompt executables and scripting executables from it's birth, as well as the usual type of binary executables. Rather unfortunate that this paid software (in the year 2010) hasn't caught on yet?
ssj100
Administrator
Posts : 1390
Join date : 2010-04-14
https://ssj100.forumotion.com

Post by Ruhe 25/6/2010, 22:23

If I understand it right, it uses some Sandboxie-like features?
Ruhe
Valued Member
Posts : 261
Join date : 2010-04-16
Location : Germany

Post by ssj100 26/6/2010, 03:23

I'm not really sure. It seems more like an anti-executable.

Post by ssj100 12/2/2011, 02:15

AppGuard version 3.0.13 is out. Seems someone is following my advice haha:
However, they are still unable to block scripting executables (like vbscript). Maybe someone should just tell them to mimick their "anti-executable" technology to be like SRP?
Now, the program appears to be blocking vbscript at least.

I've also been testing AppGuard in the past against various "exploits". I decided to briefly re-test version 3.0.13 against the following exploits:
https://ssj100.forumotion.com/t187-vulnerability-in-windows-shell-could-allow-remote-code-execution#1302 : BYPASSED
No way to block (malicious) DLL loading still?

https://ssj100.forumotion.com/t319-excel-macro-testing#2640 : BYPASSED
Since no other Anti-executable or HIPS passed, this result is probably forgivable.

https://ssj100.forumotion.com/t47-buffer-overflow-bo-tests#216 :
Stack execution: Vulnerable
Heap execution: Vulnerable
Ret2Libc: Vulnerable
Adding both "botester.exe" and "botester32.exe" to the "Guarded Apps" list makes no difference.

Post by Rico 13/2/2011, 05:20

hi ssj, I've seen the guest poster at the Sandboxie forums asking about the read-only setting. Now the tests you have here would be interesting if you could run them in a read-only sandboxed Windows Explorer and see what happens. You would see if they have been successful or not by looking at the sandbox contents through the explore option.

I'm curious how the excel macro performs since it seems to have speared through every HIPS out there.

Rico
Advanced Member
Posts : 118
Join date : 2010-06-18

Post by ssj100 13/2/2011, 05:37

Without even testing, the Excel Macro will of course not work if it didn't have a chance to write itself (the Excel file containing the Macro) on the system.

However, if the Excel file is written on the system and the user opens it, then this particular Macro would still be able to be executed (and run the equivalent of "cmd.exe" and "regedit.exe" in this example). The reason is that it is being executed in memory - nothing needs to be written to disk (not after the Excel file has been written already). This is why Sandboxie is unique in the sense that you can easily control which sandbox needs to be terminated/deleted (therefore stopping any eg. keylogger running in memory) before doing something more sensitive (eg. online banking).

EDIT: by the way, I tried testing the Excel Macro in a sandbox with C:\ as Read Only. I couldn't even open the Excel file. In fact, I can't even open a blank Excel file! Clearly Excel needs to write something somewhere in order to open in the first place.

Post by Rico 13/2/2011, 06:38

Nice finding!

I know even if they write to memory they still have to install something to hook into the system, right? Or else the virus would be pointless unless it was a standalone exe keylogger.

Could you please see if there is anything left or installed to disk with the running of Steven Didier's & the other BO tests? Even if residing on disk? That's the last thing I'll ask, I promise. These tests show Sandboxie's capabilities and allow us to discover their full extent.

Thank you very much

Post by ssj100 13/2/2011, 06:55

Please test AppGuard in the right context

Post by Guest 13/4/2011, 11:13

AppGuard, what is it?

a) It prevents Guarded Apps from writing to the Windows and Program Files directories; this is called the Admin space
b) It prevents execution of executables in other directories (like My Documents, Pictures) and on other partitions (like USB sticks); this is called the user space
c) It prevents memory intrusions into guarded apps (memory protection of internet-facing apps and Office apps)

So when you are surfing, it prevents malicious JavaScript, Flash exploits and PDF exploits from compromising your browser memory, for instance (c). It also protects you from drive-by downloads because guarded apps can only write to user space, but those executables can't be executed (b), and even when you run as admin (so when an intrusion or socially engineered malware managed to trick you into elevating something) it protects your Windows and Program Files directories (a).

Duhh, so what
IT INTERCEPTS CERTAIN STARTING POINTS OF INTRUSIONS IN A VERY SMART AND INTELLIGENT WAY. BY FOCUSSING ON THE STARTING POINTS IT PROVIDES SOLID PROTECTION. TESTING IT WITH A PROOF OF CONCEPT OR MALWARE IN THE MIDDLE OF THE SEQUENCE OF EVENTS IS AS USEFUL AS lol!

Regards Kees

Guest

Post by ssj100 13/4/2011, 13:31

Kees, not really sure what you're on about haha.

From reading my previous posts, AppGuard has certainly improved on which executables it blocks - about 1-2 years ago, it failed to block several script executions.

I think AppGuard currently still fails to block (malicious) DLL loading? Doesn't this give rise to fairly serious theoretical implications? That's not a rhetorical question by the way. I'm seriously not sure haha.

And AppGuard fails to block execution in memory (via the Excel Macro). If a user has Microsoft Excel installed, AppGuard would white-list (EXCEL.EXE) this right? Therefore, if Macros were enabled, or if the user got tricked into enabling a malicious Macro, data harvesting could occur and AppGuard would fail to prevent this. This isn't because we're testing it between the sequence of events right? And sure, as p2u will always point out, Macros should always be permanently disabled. But again, the theoretical implications are there I think. If I was a professional malware writer, this thread may come in useful haha. Or who knows, it may be absolutely useless, I really don't know for sure.

With regards to buffer overflow protection, are there any tests out there that show this feature of AppGuard in action? If so, please link us.

Anyway, don't get me wrong, AppGuard in the REAL world would probably block everything in-the-wild, just like LUA + SRP would (except it does it for free!).

Post by Guest 13/4/2011, 15:10

ssj100 wrote:Kees, not really sure what you're on about haha.

From reading my previous posts, AppGuard has certainly improved on which executables it blocks - about 1-2 years ago, it failed to block several script executions.

I think AppGuard currently still fails to block (malicious) DLL loading? Doesn't this give rise to fairly serious theoretical implications? That's not a rhetorical question by the way. I'm seriously not sure haha.

Anyway, don't get me wrong, AppGuard in the REAL world would probably block everything in-the-wild, just like LUA + SRP would (except it does it for free!).

What I am on about is this:
On Windows, for instance, Chrome and IE run in protected mode, e.g. low rights, so lower-rights processes and objects are not allowed to change objects with higher rights (so medium = LUA and HIGH = Admin and System). This reduces the attack surface substantially. On Windows 7/Vista Chrome manages to totally isolate code running in the browser, something your beloved Sandboxie on x64 can't manage.

Because SBIE lacks a protection mechanism, the real-world exploitability of this x64 hole (or I would rather say theoretical microscopic tiny dot in the second-phase defense of application virtualisation) is near zero (say 0,0000000000000? %). Tzuk was only correct to mention this difference from the x32 to the x64 version. I can understand his irritation. He is now adding 'features' (few do understand) to contain this 'weakness' (fewer are capable of testing).

Something similar applies to AppGuard. You are pointing out a weakness in the middle of an intrusion event: "does not block malicious DLL loading". I told you AppGuard intercepts starting points. DLLs have to be started by an exe (f.i.) or are injected from one running process (A) into another running process (B). By the way, DLLs are dynamic load libraries and DLL injection is a 'normal' Windows technique. AppGuard does stop downloaded exes from running from user space and it protects against memory intrusions (e.g. DLL injection) into guarded apps, so here you go. AppGuard will prevent in 99,99999999999% of the cases the loading of DLLs without having a mechanism to prevent it cold. Now you can take the viewpoint that it does not stop DLL loading or the viewpoint that it prevents loading of DLLs with intrusion intent.

The only difference is that some have a PoC to test DLL loading, but very few are capable of writing a PoC intruding messaging to system services (the SBIE 'weakness').

Post by ssj100 13/4/2011, 15:20

Thanks for the information. Not sure why you had to bring Sandboxie into it though haha. tzuk has already clearly documented that Sandboxie 64-bit has "weaknesses", but at least he's tried hard to support a 64-bit version, and is already trying to patch up those "weaknesses". As far as I understand it, programs like DefenseWall aren't even close to having a 64-bit version. Also keep in mind that Sandboxie isn't just useful for web-browser virtualisation - it does much much more than that. For example, I use a sandboxed explorer.exe numerous times a day. So comparing Chrome (a web-browser) with Sandboxie doesn't really make sense, but I do understand your point.

A couple more things:
1. I still use Windows XP, and I know many on this forum do too. Therefore, many of us are still on 32-bit. Therefore, in this context, "Protected Mode" is irrelevant (since it's not available), and so is any weakness with Sandboxie 64-bit.
2. In my view, AppGuard fails to block (direct) DLL loading. Simple as that. Faronics Anti-Executable version 3 also failed to block (direct) DLL loading, but they put it back in version 4 - "Exploit Analyst" Rmus actually requested them to do this!
3. I actually do agree with your viewpoints in general. That's why I said this:
Anyway, don't get me wrong, AppGuard in the REAL world would probably block everything in-the-wild, just like LUA + SRP would (except it does it for free!).

Post by Guest 13/4/2011, 15:58

I brought SBIE in because the remark about the weakness of SBIE is as irrelevant as the remark about AppGuard's weakness of not stopping DLLs from loading.

Do you understand that a DLL needs to be loaded by another executable (e.g. Com or Exe)? AppGuard user space protection stops this.

Another way of executing a DLL is to inject it into another process. AppGuard's memory protection stops this.

So it does not stop DLLs from loading, but it prevents foreign code in DLLs from executing without the consent of the user.

About Faronics: would you think an innovator of deny-execute of the first hour would suddenly introduce a hole in their protection? Come on, get real. They put it back in because of marketing reasons (no discussion with people in social media who do not understand what they are talking about) or for people running older OSes (Rmus runs Win95 or 2000 as I recall).

When you are on XP x32, surely BufferZone Pro deserves some attention. The Pro version is free and, unlike Sandboxie, it protects out of the box also against unsigned executables installing outside the sandbox. It also has keylogger protection. So it does the same as SBIE (even better, some Safe-Admin-like protection) and it is free?

Post by ssj100 13/4/2011, 16:09

Kees1958 wrote:I brought SBIE in, because the remark about the weakness of SBIE is as irrelevant as the remark about AppGuard's weakness not stopping DLL's to load.

Do you understand that a DLL needs to be loaded by another executable (e.g. Com or Exe): AppGuard user space protection stops this.

Another way of executing a DLL is to inject it into another process. AppGuard's memory protection stops this.

So it does not stop DLLs from loading, but it prevents foreign code in DLLs from executing without the consent of the user.
Yes, that makes sense. Thanks for the clarification.

Kees1958 wrote:About Faronics: would you think an innovator of deny execute of the first hour would suddenly introduce a hole in their protection? Come on, get real. They put it back on because of marketing reason (no discussion with people in Social Media who do not understand what they are talking about) or for people running older OS-ses (Rmus runs Win95 or 2000 as I recall).
That also makes sense. However, I didn't realise Faronics Anti-Executable version 3 prevented DLL injection into another process?

Kees1958 wrote:When you are on XP x32, surely BufferZone Pro deserves some attention. The Pro version is free and unlike Sandboxie it protects out of box also against unsigned executables and all sorts of keyloggers. So does the same as SBIE (even better, some Safe-Admin like protection) and it is free?
Yes, I've tested BufferZone Pro many times. But I'm not sure why you're bringing this into a thread about AppGuard haha. But since you've started it, I personally find Sandboxie much much more configurable and flexible than BufferZone Pro. Again, I will give the following example:
ssj100 wrote:Also keep in mind that Sandboxie isn't just useful for web-browser virtualisation - it does much much more than that. For example, I use a sandboxed explorer.exe numerous times a day.
By the way, it really feels like you've got something against Sandboxie (or me?) haha. If you want to promote positive experiences of any software, feel free to post in the relevant thread or create a new topic.

Post by Guest 13/4/2011, 16:16

Sorry to bring it up; this was what brought it to mind:

SRP and LUA are a free replacement of AppGuard (for V2 that is true)

Bufferzone Pro is a free replacement for SBIE paid (true for x32)

Post by ssj100 13/4/2011, 16:21

Kees1958 wrote:Sorry to bring it up, was this what brought it into my mind

SRP and LUA are a free replacement of AppGuard (for V2 that is true)
Agreed.
Kees1958 wrote:
Bufferzone Pro is a free replacement for SBIE paid (true for x32)
Disagree. There are quite a few things that Sandboxie can do that BufferZone Pro can't. For example, BufferZone Pro can't run a sandboxed explorer.exe the last time I checked. Also, it can't run applications in a sandbox for testing purposes etc. Also, BufferZone Pro doesn't offer the ability to configure Start/Run/Internet Access/Port restrictions in individual sandboxes. And the last time I checked, BufferZone Pro didn't have a "Drop Rights" mechanism either. I'm sure there are numerous other things too. I'm sorry, but saying BufferZone Pro is the same as Sandboxie is not correct. If you think I'm wrong, go have a chat to Sully haha.


Last edited by ssj100 on 13/4/2011, 16:29; edited 1 time in total

Post by Guest 13/4/2011, 16:29

Quotes from AE (mid 2010), also AE calculates hashes so changed whitelisted programs will fail to run

Savant Protection is implemented with a Kernel-level filter driver. It starts at boot time and it intercepts the start of an application and the loading of dll’s from within the kernel. In this way we prevent any executable not on the whitelist from running.

Bouncer is a kernel level service. This allows us to perform a check immediately prior to execution load and determine whether the binary is on the whitelist or not. If the binary is not on the whitelist (and not originating from a pre-authorized trusted source), Bouncer prevents the execution of the binary. This is an important aspect of Bouncer. It checks the validity of the binary before it loads; not as it loads or immediately after. By then, the damage could have already been done. Bouncer protects against several types of memory attacks, including dll injections and attempts to write to kernel memory.
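
The two mechanisms argued over in this thread, Kees's split between an "admin space" that guarded apps may not write to and a "user space" from which nothing executes by default, and the hash allowlist the Anti-Executable quotes above describe ("changed whitelisted programs will fail to run"), can be sketched as one default-deny policy check. The block below is an added illustration written for this thread, not code from AppGuard, SRP, Faronics or any vendor; the protected roots, the designated code file types, the requester names, the file contents and their hashes are all constructed for the example. It routes .exe starts, .dll maps and script files through the same gate, which is exactly the DLL-loading question debated above.

```python
"""Default-deny execution policy sketch (added illustration, not vendor code).

Combines two ideas from the thread:
  * an "admin space" (Windows, Program Files) that guarded apps may not write
    to, and a "user space" from which nothing may execute by default;
  * a hash allowlist, so a modified copy of an allowlisted program fails the check.
Every image load (.exe, .dll, script) goes through the same gate. All roots,
paths, file types and byte contents below are constructed for the example.
"""
import hashlib
from pathlib import PureWindowsPath

# Protected roots (assumed; the post calls these the "admin space").
ADMIN_ROOTS = (PureWindowsPath(r"C:\Windows"), PureWindowsPath(r"C:\Program Files"))

# Designated code file types, in the manner of SRP's designated file types.
# Leaving .dll or .vbs out of this set is the kind of gap the thread complains about.
CODE_SUFFIXES = {".exe", ".com", ".dll", ".scr", ".vbs", ".js", ".bat", ".cmd"}


def in_admin_space(path: str) -> bool:
    """True if path lies under a protected root; PureWindowsPath compares case-insensitively."""
    p = PureWindowsPath(path)
    return any(p == root or root in p.parents for root in ADMIN_ROOTS)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class ExecutionPolicy:
    def __init__(self, allowed_hashes):
        self.allowed_hashes = set(allowed_hashes)
        self.events = []  # audit trail: what was asked, what was decided, and why

    def _decide(self, verdict, kind, requester, path, reason):
        self.events.append({"verdict": verdict, "kind": kind, "requester": requester,
                            "path": path, "reason": reason})
        return verdict == "ALLOW"

    def check_image_load(self, requester, image_path, image_bytes):
        """Gate for starting an .exe, mapping a .dll or running a script file."""
        if PureWindowsPath(image_path).suffix.lower() not in CODE_SUFFIXES:
            return self._decide("ALLOW", "load", requester, image_path, "not a designated code type")
        if in_admin_space(image_path):
            return self._decide("ALLOW", "load", requester, image_path, "image in admin space")
        if sha256_hex(image_bytes) in self.allowed_hashes:
            return self._decide("ALLOW", "load", requester, image_path, "hash on allowlist")
        return self._decide("DENY", "load", requester, image_path, "user-space image not allowlisted")

    def check_write(self, requester, target_path, guarded):
        """Guarded apps (browser, Office) may write to user space only."""
        if guarded and in_admin_space(target_path):
            return self._decide("DENY", "write", requester, target_path, "guarded app writing to admin space")
        return self._decide("ALLOW", "write", requester, target_path, "write permitted")


def demo():
    """Constructed scenario; returns the verdicts so they can be checked."""
    browser = r"C:\Program Files\Browser\browser.exe"  # constructed guarded app
    trusted_tool = b"MZ constructed bytes of a tool the user chose to allowlist"
    policy = ExecutionPolicy(allowed_hashes={sha256_hex(trusted_tool)})
    return {
        # a system DLL mapped into the browser: admin space, allowed
        "system_dll": policy.check_image_load(browser, r"C:\WINDOWS\system32\kernel32.dll", b"MZ constructed"),
        # a DLL the browser dropped into Temp and tries to load: user space, unknown hash, denied
        "dropped_dll": policy.check_image_load(browser, r"C:\Users\me\AppData\Local\Temp\drop.dll", b"MZ constructed unknown"),
        # a downloaded script goes through the same gate: denied
        "dropped_script": policy.check_image_load(browser, r"C:\Users\me\Downloads\attach.vbs", b"WScript constructed"),
        # an allowlisted tool on a USB stick: hash matches, allowed
        "allowlisted_tool": policy.check_image_load("explorer.exe", r"E:\portable\tool.exe", trusted_tool),
        # same path, content changed: hash no longer matches, denied
        "modified_tool": policy.check_image_load("explorer.exe", r"E:\portable\tool.exe", trusted_tool + b"!"),
        # guarded browser writing into Windows: denied; into Downloads: allowed
        "guarded_write_admin": policy.check_write(browser, r"C:\Windows\System32\drivers\etc\hosts", guarded=True),
        "guarded_write_user": policy.check_write(browser, r"C:\Users\me\Downloads\report.pdf", guarded=True),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:20s} {'ALLOW' if allowed else 'DENY'}")
```

The `events` list is the part a defender actually wants from such a control: each denied load or write carries the requesting process, the path and the reason, so the log answers the thread's question ("was the DLL load blocked, and why?") instead of leaving it to inference from what ended up on disk.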

Post by ssj100 13/4/2011, 16:35

Kees1958 wrote:Quotes from AE (mid 2010), also AE calculates hashes so changed whitelisted programs will fail to run

Savant Protection is implemented with a Kernel-level filter driver. It starts at boot time and it intercepts the start of an application and the loading of dll’s from within the kernel. In this way we prevent any executable not on the whitelist from running.

Bouncer is a kernel level service. This allows us to perform a check immediately prior to execution load and determine whether the binary is on the whitelist or not. If the binary is not on the whitelist (and not originating from a pre-authorized trusted source), Bouncer prevents the execution of the binary. This is an important aspect of Bouncer. It checks the validity of the binary before it loads; not as it loads or immediately after. By then, the damage could have already been done. Bouncer protects against several types of memory attacks, including dll injections and attempts to write to kernel memory.
Wow, thanks for this. I always wondered why Faronics removed the direct DLL blocking mechanism. This explains it. Presumably these new protection features don't work on Windows 2000? And that's why Rmus requested the re-implementation of direct DLL blocking in version 4?

Post by Guest 13/4/2011, 16:59

When did you check BZ for the last time? Because all you mention has been available since release 3, see http://www.trustware.com/BufferZone-Pro-Features/

BZ can not sandbox Explorer
It does auto-sandbox new executables and scripts, even ones created by trusted programs. It looks more like CIS and Avast Sandbox. Compared to SBIE it protects outside the sandbox. You qualify the disadvantage of SBIE compared to GeSWall, DefenseWall, SafeSpace and BufferZone as an advantage. No need to apply an upside-down tweak such as a sandboxed explorer or to run several sandboxes simultaneously, because all other applications also provide protection outside the sandbox (or have a mode to accomplish that).

BZ does not have drop rights
You seem to forget that drop rights was introduced in SBIE to compensate for running with high rights. SBIE is not able to run IE or Chrome with low rights; BufferZone can run applications at every elevation level and protect them. On Vista/Windows 7 processes run by default with Medium rights (which is the same as the drop rights option of SBIE). Again you mention a disadvantage of SBIE as an advantage.

BufferZone does not offer to test programs.
Are we talking about the same program? BZ has the ability to switch between virtualised snapshots, way more advanced than SBIE does; please check the BZ features link (Take a "snapshot" of the Virtual Zone for one-step restore).

BufferZone does not offer access protection to the internet
It was the first of the virtualisation programs to offer a firewall mechanism with it. This can be managed at application level.

BufferZone has only one sandbox
It offers one sandbox at a time AND system-wide protection outside the sandbox. The snapshot feature allows you to switch between sandboxes. But when you do not understand the system-wide protection or the snapshot feature, I will agree that SafeSpace, GreenBorder, BufferZone, GeSWall, DefenseWall all have the 'disadvantage' of 1 sandbox. Compared to SBIE it also offers keylogger protection inside a sandbox.

Post by Guest 13/4/2011, 17:09

have to go now, nice playing again, let's call it a draw

Post by ssj100 13/4/2011, 17:13

You make some good points, and I did fail to recognise some of the features BufferZone has, particularly the "snapshot" feature.

I suppose the point I was trying to make is that BufferZone is quite different to Sandboxie. You've basically proved that point in your post haha.
Kees1958 wrote:When did you check BZ for the last time, because all you mention is available since release 3 see http://www.trustware.com/BufferZone-Pro-Features/
All? How about the ability to configure Start/Run/Port restrictions? Also, you seem to keep forgetting that I am still running on Windows XP, but your points for users running Vista/7 are applicable.

The reason for running a sandboxed explorer.exe is because of this:
https://ssj100.forumotion.com/t290-defensewall-pitfalls#2314
Therefore, you missed the point for why I want to run a sandboxed explorer.exe. For me, this is actually a huge advantage of Sandboxie over GeSWall, DefenseWall etc.

And I do understand the "system-wide" protection. However, the ability to have several individual sandboxes makes Sandboxie much more configurable than the rest. And with a good Sandboxie configuration together with a good security approach, in my opinion, Sandboxie is overall more secure than the rest. Also, despite you emphasising the excellent "out of the box" protection of other software, once Sandboxie is configured, it's all set and forget.

Anyway, I think for less technical-minded users, BufferZone etc is a decent alternative to Sandboxie. But saying that it's the same as (or even a replacement for) Sandboxie is not correct and quite mis-leading actually. You've already outlined the differences in the implementation yourself haha.

Post by ssj100 13/4/2011, 17:42

Kees1958 wrote:have to go now, nice playing again, let's call it a draw
Okay mate, see you next year haha.

Post by Guest 13/4/2011, 18:12

ssj100 wrote:
Kees1958 wrote:have to go now, nice playing again, let's call it a draw
Okay mate, see you next year haha.

Sorry to drop by again.

Text files are never contained by DW because they can't contain code. WMF exploits are tackled by DW, BZ, GW. Try your text file test with other formats (e.g. a video or a picture) and you will see they are all protected. So your conclusion is based on a file type which is never contained.
lol!

Yehaa, beware of text-based exploits; nice workaround, I will implement it for sure when text-based intrusions occur in the wild

lol!

Post by Rico 13/4/2011, 21:16

My friend Kees, you got some info a little muddled up. AppGuard as an advertised AE product should be able to stop any and all potentially malicious files from running initially. If it fails to do that, then it has surely failed in the area of its expertise. Sandboxie, on the other hand, is containment-oriented (even though you could still configure it to prevent execution of almost anything if you want). In default settings, Sandboxie lets anything execute, but makes sure that it's forced into a jail cell whereby the contagion can be eliminated along with its payload. Two horses for different courses.

Sandboxie on x64 basically provides the same protection as its x32 sibling now, so the acclaimed Achilles heel of x64 shouldn't be a problem anymore.

DLL execution ITW (from drive-bys) is fairly common, as I had mentioned before, and a DLL has a lot of the power that an exe has, with the caveat that it can't self-replicate.

Kees1958 wrote:DLL's have to be started by an Exe (f.i.) or are injected from one running process (A) to another running process (B). By the way DLL are dynamic load libraries and DLL injection is a 'normal' Windows technique. AppGuard does stop downloaded exe's to run from user space and it protects memory intrusions (e.g. DLL injection) of guarded apps, so here you go. Appguard will prevent in 99,99999999999% of the cases the loading of DLL's without having a mechanism to prevent it cold.

This isn't really a roadblock, as all it takes for a malicious dll to be loaded is a vulnerable browser: a legitimate exe that has been exploited and used to load and use a malicious dll. In that case there wouldn't be anything AppGuard can do, since browsers are whitelisted and the blocking of a dll payload is not supported.

Post by Guest 13/4/2011, 22:12

My dear Rico,

Browsers are guarded, not whitelisted. Any idea how a staged intrusion develops through an exploit? You exactly clarify the benefits of the memory protection of AppGuard. lol!

Hey, we are on topic again

RTFM or study
