[Contest] AppGuard

We are familiar with the terms Anti-Virus, Anti-Malware etc. Most traditional Anti-Virus products rely on virus definition updates. Even though this model has its merits, it has a serious drawback: zero-day malware detection. What happens if a virus is not in the virus database? So here we are seeking an answer to effectively stop an outbreak of zero-day malware and prevent it from hampering our valuable data. What exactly is AppGuard and where does it fit in our security setup? How effective is it at stopping zero-day malware? Let’s see…

First, let me explain what exactly a zero-day malware is. There are mainly two kinds:

  • Malicious software that exploits a vulnerability that is not yet known in an application
  • Malicious software that has not been detected by anti-virus products

AppGuard, developed by Blue Ridge Networks, applies a set of policy restrictions together with a set of complementary protections, providing advanced security without scanning or signature updates. It isolates and contains malicious code, allowing users to go online without concern about exposure to viruses. In short, AppGuard blocks any malicious code from executing. The main purpose of AppGuard is not virus removal but prevention.

AppGuard contains several types of protection:

  • Drive-by Download Protection stops suspicious programs from launching.
  • Application Containment/Guarded Execution ensures protected applications are prevented from performing high-risk activities that might be exploited by malware.
  • MemoryGuard prevents protected programs from writing to or reading from other processes memory.
  • InstallGuard prevents installation of programs from untrusted vendors.
  • Privacy Mode prevents browsers from reading private data.
  • Prevents software on malicious web sites from accessing private data.
  • Prevents malware-infected USB devices from taking over PCs.

Let’s see how it works.

AppGuard applies policy restrictions to untrusted processes, silently blocking any behaviour that contravenes the policy without prompting the user for a decision. It prevents untrusted software from compromising the system space. In AppGuard’s terms the system consists of two parts, System-Space and User-Space. The primary goal of AppGuard is to protect objects within System-Space (the Windows and Program Files folders). Objects that lie outside System-Space may be compromised by malware, but they are prevented from compromising objects within System-Space. Let me give you an example to make this concept clear. Suppose the Earth is System-Space and outer space is User-Space; then the atmosphere that protects the Earth from harmful things in outer space is our AppGuard. However contaminated outer space is, the atmosphere protects the very core, i.e. the Earth. Similarly, AppGuard protects System-Space even if User-Space is compromised.

There’s actually a lot more to understand about AppGuard. To understand what Appguard is, I have to explain some of the terms of Appguard and different modules. They can be found in the respective sections.

Let’s take a walk through the features of Appguard

Installation & License terms

AppGuard provides a 10-day trial, which is more than enough to understand how it works and how well it protects. The license is perpetual for the current major version (version 4), but if you want to upgrade to the next major version when it comes out, an upgrade fee will have to be paid. Don’t worry: looking at AppGuard’s release cycle, a major release comes about every 18 months, so it’s pretty much bang for the buck.

Price: $24.95

Download Link: http://www.appguardus.com/support/products/AG4/files/AppGuardSetup.exe (20.83 MB)

The installation is pretty straightforward. After installation, click “Evaluate AppGuard” to use the trial, or activate AppGuard if you have already purchased it.

Note: The golden rule is to activate or deactivate (uninstall) AppGuard only when there is an active internet connection, for example if you have bought a 1-user license and want to remove AppGuard from the old PC to use it on the new PC.

AppGuard User Interface


The user interface of AppGuard is pretty neat. It allows the user to change the AppGuard Protection Level using the slider. The three levels are explained below:

Locked Down: This is the most secure level; it only allows User-Space applications specified in the Guard List to run. All Guarded applications are MemoryGuarded regardless of how they are configured on the Guarded Applications tab. This mode does not allow installations or updates from the Internet. Only installation files (*.msi and *.msp) digitally signed by Microsoft are permitted to install in this mode.

Medium: This is the recommended protection level. Until you get used to AppGuard, use this level, as it gives a great balance between usability and security. This mode allows automatic updates for Guarded apps. It allows all digitally signed applications in User-Space to run; they will be Guarded, MemoryGuarded and run in Privacy Mode. Scripts and unsigned applications are not allowed to execute. Only installation files (*.msi and *.msp) digitally signed by vendors on the Trusted Publisher list are allowed to execute.

Install: Use this level when installing, uninstalling or updating software. If your installation requires a reboot, uncheck the “Automatically resume” checkbox, which is displayed when the protection level slider is lowered to Install mode from the GUI. AppGuard will then not re-enable the protections until the user reinstates the Protection Level. If the “Re-enable” checkbox is checked, AppGuard automatically re-enables protection after the timeout has expired.

Two other buttons in the GUI are AppGuard Activity Report and Customize.

A) AppGuard Customization

The AppGuard customization tabs are accessed by clicking the Customize button in the GUI. There are five tabs: Alerts, User-Space, Guarded-Apps, Publishers, and Advanced.

1)    Alerts


The Alerts tab provides controls for setting alert options as well as controls for managing the Ignored Messages list. To “UnIgnore” a message, select it in the list and click the “Remove” button. AppGuard reports events in three ways:

  • Blinking the AppGuard Tray Icon
  • Report status to AppGuard Activity Report
  • Report event to the Windows Event Log

2)    User-Space


Before going into this setting, a short definition of User-Space and System-Space will give a better understanding.

System-Space

System-Space refers to the computer storage space that is typically not accessible by non-admin Windows users. This usually includes all folders on the system volume (usually the C: drive) with the exception of the user’s profile directory. System-Space includes the Windows and Program Files folders. System-Space executables are not guarded by default.

User-Space

User space refers to the computer storage space that is typically accessible by all types of Windows users. It includes the user’s profile directory (which includes the My Documents folder and Desktop), removable storage devices, network shares and all non-system hard drives such as additional external and internal disk drives. AppGuard will either block (Locked Down protection level) or Guard (medium and install protection levels) the execution of any programs contained in user space directories. If a directory is excluded from the user space definition, then AppGuard will always allow the UnGuarded execution of programs located in that directory.

Now back to the settings…..

You can modify the User-Space definition from the User-Space tab on the AppGuard Configuration Interface. You can define your own set of protected directories by including them in the User-Space definition. When you specify a folder to include in User-Space, all sub-folders will be protected as well. Select “No” in the “Include” column for a drive or sub-folder within a protected folder if you want to allow launches from it and have AppGuard ignore that location entirely.

3)    Guarded-Apps


This tab provides a list of the currently guarded applications known as the Guard List. On this tab, you can alter the Privacy and MemoryGuard settings for a Guarded application. Some of the terms are explained below:

  • MemoryGuard™

Memory Write protection prevents a Guarded Application from writing to any process’s memory. Attackers seek to re-allocate memory, place executable code into the newly allocated memory, and execute it within the context of the target process.

Memory Read protection prevents a Guarded Application from reading and copying the content of any process’s memory.

In the Medium and Locked Down Protection Levels, AppGuard automatically MemoryGuards and read-protects all applications launched from User-Space or USB memory devices. It also MemoryGuards and read-protects all applications on the Guard List unless configured otherwise. Most MemoryGuard blocked events don’t impact the normal functioning of applications and can usually be ignored.

  • Privacy Mode

AppGuard prevents applications that are executed in Privacy Mode from accessing (reading or writing) Private Folders. When AppGuard is first installed, all browsers (Internet Explorer, FireFox, Google Chrome and Opera), user space and USB applications are executed in Privacy Mode which prohibits them from accessing the “My Documents\MyPrivateFolder” directory. The end user can configure additional applications to run in privacy mode and can define additional folders as Private Folders.

  • Guarded Applications

Any application that processes data or files originating from outside its host should be guarded. Applications that should be guarded include Internet-facing applications and applications that load data files that may contain malicious code. If an application is located in User-Space, it is automatically untrusted and guarded on execution; if it is located in System-Space, it can be added to the Guard List so that it is guarded on execution.

The Guard List is the set of applications that are explicitly configured to be Guarded by AppGuard. The Guard List can be viewed on the Guarded Applications Tab. When AppGuard is first installed it is configured to guard most widely deployed applications by default. This is referred to as the Default Guard List. Additional Applications can be added to the Guard List from the Guarded Applications Tab. All guarded applications are MemoryGuarded and all browser applications are set to run in Privacy Mode.

  • Default Guarded Applications

Most widely deployed applications are automatically guarded by AppGuard. Additionally, several programs that are commonly used as attack vectors are guarded. The default list is given below:

Application                  Privacy Mode   MemoryGuard
Acrobat Reader               No             Yes
FireFox                      Yes            Yes
Google Chrome                Yes            Yes
Internet Explorer            Yes            Yes
Opera                        Yes            Yes
Microsoft Office Access      No             Yes
Microsoft Office Excel       No             Yes
Microsoft Office Outlook     No             Yes
Microsoft Office PowerPoint  No             Yes
Microsoft Office Word        No             Yes
Microsoft Register Server    No             Yes
Run a DLL as an App          No             Yes
Outlook Express              No             Yes
Windows Command Processor    No             Yes
Windows Media Player         No             Yes


  • Unguarded Applications

Unguarded applications are trusted applications which are located in System-Space. They are automatically trusted unless they are explicitly defined as guarded applications. Unguarded applications have read/write access to both User-Space and System-Space.

4)    Trusted Publishers


At the Medium Protection Level, AppGuard will allow User-Space applications and installations to execute if they are digitally signed by a publisher contained in the Trusted Publisher list, without changing the protection to Install mode. When AppGuard is first installed, the following publishers are on the Trusted Publisher list:

  • Microsoft
  • Google
  • Adobe
  • Mozilla
  • Sun Microsystems
  • Blue Ridge Networks
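The launch rules spelled out under the three Protection Levels, the User-Space/System-Space definitions and the Trusted Publisher list above can be written down as one decision procedure. The following Python model is an added example, not AppGuard’s own code; the script extensions, the Windows paths used to tell User-Space from System-Space, and the `Launch`/`Decision` types are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed values: the default Trusted Publisher list quoted in the review, plus
# typical Windows paths and script extensions (not taken from AppGuard itself).
TRUSTED_PUBLISHERS = {"Microsoft", "Google", "Adobe", "Mozilla",
                      "Sun Microsystems", "Blue Ridge Networks"}
INSTALLER_EXT = (".msi", ".msp")
SCRIPT_EXT = (".vbs", ".js", ".bat", ".cmd", ".ps1")


@dataclass
class Launch:
    path: str
    publisher: Optional[str] = None   # signer of the file; None means unsigned
    on_guard_list: bool = False       # explicitly listed on the Guard List
    privacy_mode: bool = False        # Guard List setting (browsers default to Yes)


@dataclass
class Decision:
    action: str                       # "allow" (unguarded), "guard", or "block"
    memory_guard: bool = False
    privacy_mode: bool = False
    reason: str = ""


def in_user_space(path: str) -> bool:
    """User-Space: profile directory plus removable, network and non-system drives."""
    p = path.lower()
    if not p.startswith("c:\\"):      # other drives, USB sticks, UNC shares
        return True
    return p.startswith("c:\\users\\")  # the rest of the system volume is System-Space


def evaluate(launch: Launch, level: str, excluded_dirs=()) -> Decision:
    """Decide how AppGuard treats one launch at a given Protection Level
    ("locked_down", "medium" or "install")."""
    path = launch.path.lower()
    trusted = launch.publisher in TRUSTED_PUBLISHERS
    # Directories excluded from the User-Space definition always run unguarded.
    if any(path.startswith(d.lower()) for d in excluded_dirs):
        return Decision("allow", reason="directory excluded from User-Space")
    if not in_user_space(path):
        if launch.on_guard_list:      # System-Space apps are trusted unless listed
            return Decision("guard", True, launch.privacy_mode, "Guard List entry")
        return Decision("allow", reason="System-Space, unguarded")
    if path.endswith(INSTALLER_EXT):  # InstallGuard rules for Windows Installer files
        ok = (level == "install" or (level == "medium" and trusted)
              or (level == "locked_down" and launch.publisher == "Microsoft"))
        return Decision("allow" if ok else "block", reason="InstallGuard publisher check")
    # User-Space programs that may run are Guarded, MemoryGuarded and in Privacy Mode.
    guarded = Decision("guard", True, True, f"{level}: User-Space program guarded")
    if level == "locked_down" and not launch.on_guard_list:
        return Decision("block", reason="Locked Down: not on Guard List")
    if level == "medium" and (path.endswith(SCRIPT_EXT) or not trusted):
        return Decision("block", reason="Medium: script or not signed by Trusted Publisher")
    return guarded
```

Running the same launch through `evaluate` at each level shows why a signed download runs guarded at Medium but is refused at Locked Down unless it is on the Guard List, and why an unsigned installer is only ever accepted in Install mode.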

5)    Advanced Settings


From this tab you can:

  • Configure Privileged Operations:
    • Activate Parental Controls (this button also enables Super User accounts).
    • Disable TamperGuard: this allows you to stop the AppGuard service or to uninstall AppGuard.
    • Enable Privileged Mode: running in Privileged Mode enables any user (regardless of Parental Control settings) to disable any AppGuard protection. Also, all settings can be restored to the original default settings with a click of a button when running in Privileged Mode.
  • Change the Suspension Timeout: When AppGuard’s Protection Level is lowered to Install or turned Off, AppGuard will automatically resume to the previous Protection Level after this time has elapsed.
  • Configure Power Applications.

The two main options in the Advanced Settings tab are described below.

TamperGuard™

AppGuard prevents end users and malware from stopping AppGuard or tampering with AppGuard’s critical components. This prevents AppGuard from being crippled so that you can be assured that AppGuard is always protecting your computer. TamperGuard can be disabled from the Advanced Settings Tab on the Configuration Interface.

Power Applications

Power Applications are exempt from AppGuard protections. They are able to launch unGuarded applications from User-Space. They are also able to read and write the memory of Guarded Applications. Only security applications should be added to the Power Applications list. In the new version there is actually no need to add any security application there; only add one if AppGuard is blocking the normal functioning of the security software.

B)  AppGuard Activity Report

The tray icon will flash if Appguard blocks something and by opening the AppGuard Activity Report we can see the blocked events. Most blocked events do not impact the ability of a program to function normally and can be ignored. If you are unable to do something, such as install a new application or some other application fails to update, check the AppGuard Activity Report to see if AppGuard blocked it. If you find that AppGuard blocked an action, you can change the Protection Level or temporarily suspend protection. If you are getting blocking messages that do not interfere with normal operation and you prefer not to be notified, you can ignore these messages by right-clicking on the event and choosing Ignore Message from the drop down menu.

Blocking actions are highlighted in red. The following types of blocking events are reported when the Alert Level is set to the default settings:

  • A potential malware attack from a USB device was blocked.
  • A suspicious installation was stopped to protect your system.
  • A suspicious attempt to modify your application was prevented.
  • A suspicious attempt to steal information from your application was stopped.
  • An unauthorized configuration change in the system registry was prevented.

Two modules that need mentioning are InstallGuard and USB protection.

InstallGuard

InstallGuard prevents end users and malware from installing (or uninstalling) software using Windows Installer (msi) files. Because AppGuard’s primary purpose is to prevent malware from infecting your PC, many of its protections may interfere with the installation of a legitimate application. To install a legitimate program the user has to reduce AppGuard’s protection level to Install mode. MSI files that are digitally signed by Microsoft are not blocked.

Protection from USB Malware Attacks

AppGuard blocks USB malware attacks by preventing autorun and script launches from USB devices. At the Medium Protection Level, AppGuard will only permit digitally signed programs to run from USB devices and will automatically Guard these programs.

CPU and RAM usage

AppGuard gives top-notch protection with minimal CPU and RAM usage: it uses around 10 MB of RAM and less than 1% CPU on an average system.

My Personal experience

I have always recommended this software to my friends and only a few were able to understand its merits. The funny thing is most of them said that they weren’t able to install anything, that to install anything they have to lower the protection, that it’s a bit annoying and they always forget to lower the protection. I see this from a different angle. It shows how powerful AppGuard really is and nothing can get past it. You are in full control of your system when AppGuard is in operation. Even though AppGuard is so good at protection, it’s always recommended to combine it with an Anti-Virus or an anti-executable like NoVirusThanks Exe Radar Pro, as AppGuard is vulnerable when in Install mode. AppGuard is compatible with every security software; if there is any problem, simply add it to Power Applications and you are good to go. All in all I am pretty much impressed with the protection AppGuard provides and it has been my frontline defence for some time. Give it a try and I must say you won’t be disappointed. I know it’s a bit of a learning curve, but once you understand its capabilities I am sure it will make it into your security defence strategy.

Reviewer: reyes
