AppGuard Redux


Post by blues on 19/4/2012, 00:07

Not wanting to reopen the last thread, I figured a new one might be in order...

...Has anyone had any experience with the most recent versions of AppGuard?

It seems to be quite well received at Wilders and at least a few very respected folks swear by it. (Even using it in concert with Sandboxie.)

What I'm trying to figure out is what it would bring to the table when one is already using Sandboxie in tandem with FW/HIPS/Anti-Logger (and possibly AV).

It's certainly an interesting app, I'm just not sure if I want to figure out how to get it to either play nicely with my current medley of security apps or which one(s) it might replace.

Any thoughts on the topic appreciated from those who have spent some time with it.


Re: AppGuard Redux

Post by ssj100 on 19/4/2012, 00:33

Any anti-executable mechanism is always going to do well "in-the-wild" when coupled with a good security approach.

Since you're interested in using it with Sandboxie, you might want to take a look at this:
http://www.sandboxie.com/phpbb/viewtopic.php?t=11781
Looks like AppGuard have fixed the conflict with the latest version.

_________________
Sandboxie + LUA + SRP + DEP + SuRun
Windows Firewall + NAT Router + IPSec (on-demand)
VirtualBox (on-demand)
Drive SnapShot (on-demand)

Re: AppGuard Redux

Post by blues on 19/4/2012, 01:11

I had read that they were making it more compliant after reading of the issues on the Sandboxie forum as well as Wilders...

...but have a look at this thread:

http://www.wilderssecurity.com/showthread.php?t=321098

...where Bellgamin speaks to the anti-executable actions of PrivateFirewall alerting him to the very same issues which his AE flagged.

This is what makes me wonder whether an AE (in this case AppGuard) is really adding a needed layer of security or if it's mostly redundant given the tenor of Bellgamin's post and experience.

Having never used a standalone AE (Faronics, ExeRadar Pro, AppGuard) I was hoping to garner opinions in this regard.

Thanks.


Re: AppGuard Redux

Post by ssj100 on 19/4/2012, 09:19

I didn't realise (or had forgotten) that you had PrivateFirewall installed - I tested it very briefly a couple of years ago in a VM, and I do recall that it essentially has a classical HIPS function. If that's the case, I can't see the point of also using "pure" anti-executable solutions.

The way I see it, with regard to anti-executable mechanisms:
LUA+SRP = Faronics AE = ExeRadar Pro = AppGuard = Classical HIPS

Of course, each of the mechanisms above may have various levels of configuration. For example, Classical HIPS allow for very granular control, while LUA+SRP, ProcessGuard, Faronics AE (particularly v2) allowed for very limited configuration.

Another point that may need to be considered is with regard to buffer overflow protection. My understanding is that the "MemoryGuard" mechanism in AppGuard provides this protection to some extent. I'm not certain how effective it is, as I haven't personally tested it myself and I haven't seen demonstrations of its ability. What I'm pretty sure of is that PrivateFirewall, LUA+SRP, and Faronics AE do not provide any specific buffer overflow protection.

From my personal testing (can be found somewhere in this forum), Windows built-in Hardware DEP can only block some forms of buffer overflow exploits - some is better than none, so I have this enabled fully on my system. The buffer overflow protection built into Comodo Internet Security is able to block much more (in fact, I haven't seen it bypassed yet).

So in summary, I think the only mechanism that AppGuard may add to your current setup is this buffer overflow protection. In saying that, I personally wouldn't install AppGuard just because of that. For me, I've demonstrated to myself from various tests (whether it's comprehensive or not, I don't know) that with a good security approach and the clever (dare I say it) use of Sandboxie, my system is immune to buffer overflow exploits - as long as the potentially malicious buffer overflow exploit is run within the sandbox, it should not be able to break out of it, barring kernel-level exploitation. I have also demonstrated that even memory-only malware (malware not written to disk) is safely contained with Sandboxie. You can therefore appreciate that because no irreversible changes are made to the REAL system, a good security approach is all that is required to e.g. perform safe online banking - you would simply need to terminate/empty any sandbox which is running and then open a fresh browser to perform sensitive browsing. Furthermore, regular emptying of sandboxes (which effectively contain threat-gates) is a very convenient and quick method of removing malware or malware traces.

Anyway, it may be useful to remember that all real-world exploits that have been demonstrated in history (reference to implications from many posts by "Rmus") required some sort of PE executable that any anti-executable mechanism would block anyway.

_________________
Sandboxie + LUA + SRP + DEP + SuRun
Windows Firewall + NAT Router + IPSec (on-demand)
VirtualBox (on-demand)
Drive SnapShot (on-demand)

Re: AppGuard Redux

Post by blues on 19/4/2012, 19:02

Thanks for that excellent reply. We are clearly thinking along the same lines (though yours are articulated much more elegantly) and have arrived at the same conclusion regarding the use of a standalone AE (or AppGuard in the present case).

One member who is active at the Sandboxie, Wilders and Emsisoft forums uses AppGuard in concert with Sandboxie and Online Armor++.

I just couldn't wrap my head around the need for AG with Sandboxie & HIPS but because a couple of respected folks had promoted the idea I was intrigued.
(Interestingly, he ranked the "security" value of the three apps in the following order: Sandboxie, AppGuard, OA++)

All that said, after weighing what I consider the pros and cons yesterday, I decided against it and am pleased to have your take support my own.
(Especially in light of the fact that Emsisoft Anti-Malware also incorporates a behavior blocker. (A separate subject, no doubt.))

My main concern these days is primarily in the area of "loggers" when doing any online financial transactions. To that end I have each of my sandboxes set up restrictively and am further bolstered via NoScript, AdBlock Plus as well as CertPatrol (to alert to certificate irregularities) within the browser.

Thanks again for your comprehensive reply.


