Blue Ridge Networks AppGuard Review
Anti-Virus products have been a staple in computer security for a while. While they still have their place on today's PCs, it has been proven time and time again that their reactive nature, and the fact that they rely heavily on signature database updates, can leave computer users exposed to newer threats until the vendors catch up. With thousands of new variations of malware being released daily, it is virtually impossible for them to keep us protected from the newest ones all the time. HIPS (Host Intrusion Prevention Systems) have become commonplace alongside Anti-Virus software, and are even combined with firewalls, but to get the maximum protection from these the user must be relied upon to answer prompts. Just like with Windows UAC, many users will eventually not even bother reading these prompts and will simply start allowing everything, nullifying any potential benefit. To top it all off, every layer that gets added for protection results in a slightly heavier, more resource-hungry suite. As such it can be difficult to find security software that is both effective and light. This is where a program created by Blue Ridge Networks comes in. This piece of software is called AppGuard, and in an online world where many programs 'claim' to be innovative, this one earns its place as the most innovative I have seen in a long while. How it works can take some time to understand and it's easy to get confused or mixed up when first trying. I'll try to explain anyway, but the beauty of this program is that you don't actually have to understand how it works to make use of it. It's designed to run alongside just about any other security software, including your Anti-Virus.
The download can be found from their homepage and is about 22 MB in size. The installer includes both the 32 and 64 bit versions. The install process is fairly standard, accept the EULA, hit install and you’re almost done. It doesn’t include any third party extras or bundled offers. A reboot will be required when it is complete. The trial version is fully functional for thirty days.
After the reboot is complete you’ll see the first ‘nag’ screen that the trial version of the program contains. You can order the full version, enter your license id information and activate the program if you’ve already paid for it, or ‘Evaluate AppGuard’.
Depending on how you access the main interface you might notice that right-clicking on the tray icon opens up some functions for easy use. We'll cover these menu options a bit later, but for now I want to draw your attention to the interface.
When the program initially starts you'll find yourself on a screen with relatively few options. Most of the screen is taken up by the three 'protection levels' available (not including off) during standard use. The default is 'Medium' and it is the one I'd recommend most people remain on unless they will be running something they don't trust or, as the description says, 'when browsing untrusted sites', in which case switching to locked down mode is a good idea.
‘Locked Down’ mode as the name implies is the highest level of security AppGuard provides and it is rather strict in what it will allow to run.
Generally ‘Medium’ is not intrusive and allows you to run programs normally without bothering you but still guarding your computer.
‘Install’ should only be used when you intend to install a new piece of software or update one that isn’t already defined as trusted. While in this mode the ‘launch protections’ AppGuard gives us are disabled.
So far I've only covered these protections as a basic overview. There is more to each, and I'll try to explain how they come into play as we cross paths with the specific options, but I'd rather not risk overwhelming and confusing you too early!
The ‘AppGuard Activity Report’ is something that doesn’t have to be used unless you notice a problem with a program or want to see what AppGuard has prevented during the current session. The screenshot below is pretty empty but after we take a look at most of the options we’ll come back to this as well and take a look at it in action.
The ‘Customize…’ button on the main interface will take you to a screen broken down into tabs where we will find most of the options. It’ll start out on the ‘Alerts’ tab and this is where we’ll see the first mentions of some of its other protections.
This page is directly related to the ‘Activity Report’ screen we just glanced at before. It allows you to select which events will cause the AppGuard tray icon to blink, which events should show up on the session report and which types of events should be recorded to the Windows Event Log. You can also set up specific messages which should be ignored (not reported) just for the AppGuard interface or the Event Log as well.
Generally AppGuard is very user friendly, but this area brought up one of the ways it has failed thus far. The standard computer user has no idea what the Windows Event Log is. Even some more advanced users might have trouble navigating it, filtering out all the details and deciding what is actually relevant. Don't get me wrong: as a power user I'm glad to have the information available there! I just think that there should be another window inside of AppGuard itself where users can look up and filter/sort through the previous and current data in a much friendlier manner.
The second tab, ‘User Space’ is where things can start to get confusing. What is this mysterious ‘User Space’? This is the area of your Operating System (eg Windows) that AppGuard will ‘watch’. I’ll be using an analogy throughout this review so I may as well start it here.
Think of your computer as an office building. User Space is the area(s) where AppGuard has posted security guards. Those security guards stand watch at those entrance points and can either prevent unauthorized admittance (eg prevent something from launching) or follow a ‘guest’ around and ensure they don’t read or touch anything they aren’t supposed to.
Normally ‘User Space’ will include only a few specific directories but in order to attempt and explain it I’ll need to risk confusing you further. This is where another term used by AppGuard comes into play, ‘System Space’.
So let's start with 'System Space'. These are the areas of the computer that the Operating System and most legitimate programs are installed in and run from. The standard user will likely never explore or mess around with these areas manually, and for the most part AppGuard will leave these areas alone as well, though there are a few exceptions. In an attempt to illustrate it I've highlighted the 'System Space' areas as green and the 'User Space' areas as red. There is also a slightly mixed area which I've highlighted as yellow because certain sub-directories inside it are also considered system space. I left 'Documents and Settings' untouched as it isn't a true folder and is only a link to a folder in the 'Users' area, kept for compatibility with older software. By default all other partitions and drives (i.e. not on C:\), network locations (shared folders), etc. are considered 'User Space' by AppGuard.
For the most part programs do not run from 'User Space', though there are a few programs out there that have ignored Microsoft's guidelines. Most exploits and malware, however, do target these areas, as they are nonrestrictive and will be the most likely place they are able to gain a foothold.
In 'Locked Down' mode any application that does not have a rule added in the 'Guarded Apps' tab will be prevented from running from these 'User Spaces'. In 'Medium' any program with a valid digital signature can run from these areas, but it will only do so guarded and is still unable to change anything in 'System Space'.
Back to the analogy: in 'Locked Down' mode the guards handcuff and shackle anyone who attempts to enter (run) through those guarded areas without authorization and prevent them from entering. If a person attempting to enter the building has authorization (i.e. it is a guarded app on the list), let's call it a verified pass, in 'Locked Down' mode, or has any pass at all while in 'Medium' mode, the guards won't stop them from entering the building, but they will follow them around and ensure they keep their hands to themselves and aren't able to do anything malicious.
In the ‘User Space’ area you’ll find a list that is generated by default and it is a good starting point. Many users will never have to change anything in this section but if you or another program has created a custom folder on the root of the drive (C:\) or from within any of the areas defined as ‘System Space’ and need to run anything from these folders you may want to consider adding them to ‘User Space’ to enable protection.
As an example I created a new folder on the drive and labeled it ‘SillyRabbit’. I also placed a program inside. As there is no rule existing in AppGuard defining this folder as ‘User Space’ and it exists on the root of the drive, AppGuard will not mess with it.
In order to add it to 'User Space' you can simply select 'Add' and browse to the directory. Afterward you will see it reflected in the list and it will be treated just like the others. On the other hand, perhaps you have one of the misbehaving, but legitimate, applications which creates and runs a randomly named file from a specific folder inside the ProgramData folder, which is in 'User Space'. Adding that sub-directory and changing the 'Include' flag to 'No' will make AppGuard ignore that folder, but it could open up a small hole. Another, safer method, assuming the file it creates is signed, would be to make use of the publisher area, which we will cover next.
The 'Publishers' area starts off with a list containing a few of the most common software vendor signatures found. This list contains information taken from the digital signatures used by each. AppGuard processes the digital signature of any program attempting to run while in 'Medium' mode and, unless there are specific rules in the 'Guarded Apps' tab, it uses the settings found here for any matching vendors. By browsing to an executable, AppGuard is able to grab the digital signature information from the file, and you are able to create a 'default' rule for any vendor yourself.
The options available for the Publishers list are similar to those found on the next tab, with a few exceptions. You can decide if all executables from the vendor should be guarded or not. Using the publisher list also allows you to define whether the vendor's applications should be allowed to start installers from 'User Space' and automatically place AppGuard into the 'Install' mode seen on the main interface. I'd recommend caution when considering making use of the 'Level' setting and setting it to 'Install'.
The 'Guarded Apps' tab is where the application-specific protections are found and tweaked. The default list actually contains more programs, and your screen will likely show some of these if you try it. The list will only display those applications found on your computer though (and installed in default locations), and I didn't have much installed on this one. By adding any application to the list you allow it to run, but it will always be guarded. The 'Privacy' settings are related in part to the 'Folders' section below, where you can add specific folders that the application should be unable to access. 'MemWrite' and 'MemRead' are short ways of defining whether the application is allowed to read the memory (information held in RAM) of other running processes or change anything they might hold. As many exploits and malware will try to harvest data (read) or escape and spread by modifying other applications (write), this is a crucial method of protection that is somehow missing in most security products and one of the main reasons I began to love this application.
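To make the interaction between the modes, the 'User Space' list with its 'Include' flag, the 'Publishers' list and the 'Guarded Apps' list concrete, here is a small policy model written for this review. It is an added illustration, not Blue Ridge Networks code, and the folder entries, the 'WellBehaved' exclusion, the publisher names and the guarded app path are all constructed assumptions.

```python
from pathlib import PureWindowsPath

# Constructed policy tables modelled on the review's description (assumed values).
USER_SPACE = {                                  # folder -> 'Include' flag
    r"C:\Users": True,
    r"C:\ProgramData": True,
    r"C:\ProgramData\WellBehaved": False,       # hypothetical vendor folder excluded
    "D:\\": True,                               # other drives are User Space by default
}
GUARDED_APPS = {PureWindowsPath(r"C:\Users\me\Downloads\tool.exe")}  # assumed entry
PUBLISHERS = {"Example Corp": True, "Another Ltd": False}  # vendor -> run guarded?


def _under(path, folder):
    """True when path is folder itself or lies beneath it (case-insensitive)."""
    p, f = PureWindowsPath(path), PureWindowsPath(folder)
    return p == f or f in p.parents


def in_user_space(path):
    """The most specific matching User Space entry wins; its Include flag decides.

    A folder matched by no entry (e.g. a custom folder on the root of C:\\)
    is not watched at all, mirroring the 'SillyRabbit' example in the text.
    """
    matches = [f for f in USER_SPACE if _under(path, f)]
    if not matches:
        return False
    best = max(matches, key=lambda f: len(PureWindowsPath(f).parts))
    return USER_SPACE[best]


def launch_decision(path, mode, publisher=None):
    """Return 'blocked', 'guarded' or 'unguarded' for a launch attempt.

    publisher is the vendor name from a valid digital signature, or None
    when the file is unsigned.
    """
    if mode == "Install" or not in_user_space(path):
        return "unguarded"              # launch protections off / folder not watched
    if PureWindowsPath(path) in GUARDED_APPS:
        return "guarded"                # explicit Guarded Apps rule: allowed, guarded
    if mode == "Locked Down":
        return "blocked"                # no rule -> cannot run from User Space
    if mode == "Medium":
        if publisher in PUBLISHERS:     # vendor rule decides guarded or not
            return "guarded" if PUBLISHERS[publisher] else "unguarded"
        return "guarded" if publisher else "blocked"  # any valid signature runs guarded
    raise ValueError(f"unknown mode: {mode}")
```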
Back to the analogy again, the Privacy flag is akin to locking specific doors. The person (application) may be able to roam the office but if they try to open a locked door, they can’t. The ‘memory read’ blocking can pretty much be described as preventing that person from looking through the pockets or watching over the shoulders of other people in the office. The ‘memory write’ protection blocks changes to anything another person in the office might have on them.
The Folder 'Settings…' button will open a smaller window with a few defaults where you can add folders you don't want the guarded apps to be granted access to. Conversely, you can also grant exceptions for specific folders that guarded applications should be able to write to, or should only be allowed to read from.
The ‘Advanced’ tab holds some more of the generalized options with the more important aspects being the ‘Privileged Operation’ area where you can set rules as to which accounts can change what inside of AppGuard. This computer only had one active user but this is a great option to have when there are multiple users (or even kids) you don’t want to be able to change settings.
When accessing the menu from the tray icon you’ll come across a few options not found in the primary interface. You can temporarily allow USB launches and User Space launches along with selecting if these should be allowed guarded or unguarded. If you’re running a guarded application and find you can’t do something you need to, or access a folder that you normally don’t want it to you can temporarily suspend protections for the ones already running. I have not yet found a need to make use of these options but they are nice to see. The specific application can be selected from either the ‘Guarded Execution’ or ‘Privacy Mode’ menus.
One thing I encountered in my tests that could use some improvement was that only those applications run by the current user are shown. Most users may not do so, but sometimes an application can be run as a separate user. In these cases AppGuard's menu failed to show these applications in the above-mentioned areas.
Now that we’ve covered most aspects of the program it’s time to go back and take a look at the ‘Activity Report’ again to see it in action. For this purpose I loaded up a game called ‘Wizard101’ which my kid loves (and I have to admit I like it a bit as well)! As you might have noticed from some of the pictures I’ve shown previously this is one of those applications that doesn’t quite follow the recommended guidelines and happens to install inside of ProgramData by default. I added it to the trusted publishers list earlier and after running the game for a while I found a few entries in the log. Normally anything you see in the reports is for informational purposes. Unless you notice abnormal behavior or problems these can be ignored. Just because they show up in the log doesn’t mean an application is malicious or bad. It can be useful if you notice any problems and need to alter rules though.
Despite these blocks showing up in the report, the program ran perfectly well. While software such as browsers, media players, office and peer to peer apps are more likely to be targeted and exploited, AppGuard can handle just about any software. Obviously you wouldn’t want to do anything silly like lock down other security products or your Anti-Virus. I wouldn’t quite call it a replacement for other security software but it can do quite a good job by itself if set up properly. It’s a complementary piece of software that has virtually no impact on the system and with some tweaking at the start and an extra rule here and there as you install more programs you can even forget it is there unless it blinks for your attention or requires a bit of adjustment.
AppGuard will work on just about any current Windows OS, even Windows XP.
Conclusion and final thoughts:
It's simply an unfortunate fact that many developers don't follow Microsoft's guidelines, and they will mess with registry entries they shouldn't or otherwise dabble with things they don't actually need to. AppGuard doesn't care if the program is good or bad; it keeps those doors locked and ensures they keep their hands to themselves regardless. So even if a legitimate application is exploited, if it is guarded, AppGuard keeps it in check!
Overall the usability of the interface is pretty good. Depending on what you need to change you might need a firmer grasp on the concepts used. Some of the choices they've made are confusing, as they so clearly want the application to be usable by everyone (and it basically is) but then turn around and require more advanced computer knowledge just to check 'old logs'. If it wasn't for this and the inability to see applications running as other users from the menu for the 'suspension options', AppGuard would have gotten a perfect score from me!
I never saw anything above 1% CPU usage and it normally sits at 0%. The total RAM used by the service and the interface is fairly low at less than 40MB on my system. I didn’t encounter a single crash or issue that might prevent use.
Aside from understanding some of the concepts and terms used, the simplicity of what this program does and how it manages it is truly amazing.
I’ve participated in beta testing and had other reasons to communicate with the folks over at Blue Ridge Networks. There hasn’t been a single time I felt as though there might be a computer looking for keywords and responding with generic answers. It may take a few emails back and forth to get to the root of a problem but the people I’ve encountered have been knowledgeable and helpful. That isn’t something that can be said for every software vendor and it is yet another reason I am comfortable recommending this product. I’ve already suggested this program to my family and friends and think you should give it a try as well!
Mostly easy to use.
Checking older logs requires more technical knowledge than the average user will have.
Understanding the terms and concepts can be confusing at first.