AppGuard review

AppGuard teams up with your existing antivirus to block never-before-seen zero-day malware. Unknown programs in folders commonly used by malware just can't launch, and programs that do run can't make changes to sensitive system areas. It definitely works, but you'll have to do some finagling to install or update valid programs.

I can write a perfect antivirus, one that will block every malicious program. Of course, you’ll have to deal with the fact that my amazing utility also blocks every non-malicious program. Don’t worry; AppGuard ($29.95, direct) doesn’t block every program; it’s more subtle than that. In order to head off attack by zero-day malware, it blocks unknown programs launching from sites preferred by malware, and keeps both good and bad programs from modifying sensitive system areas. Even so, it shares a few of the difficulties you’d encounter with my imaginary universal blocker.

Installing AppGuard is a snap, and after the required reboot it goes to work immediately. Its main window is dominated by a single slider that controls the current protection level. At the default Medium level it lets selected applications keep themselves up to date. Crank it up to “Locked Down” and no installations or updates from the Internet are permitted. If you actively want to install a new application or allow an update, you can lower protection to the “Install” level temporarily.

Refreshingly, the $29.95 price tag is a one-time expense, not a yearly subscription. That makes sense, really, since the product doesn’t require the regular signature updates that are a staple of traditional antivirus products.

Similar, Not the Same
Some antivirus products base their protection on whitelisting; any program not on the whitelist won’t get to launch. Anti-Executable 5.0 is an example. Every program present at installation gets whitelisted; anything new gets blocked, unless you actively add it to the whitelist. OK, it’s a little more complicated, but that’s the basic idea.

VoodooShield works in a similar fashion, but tries to stay out of the way by going active only when the user is at risk. Specifically, it blocks unknown programs when the user runs a browser or email client, and when a removable drive is inserted.

AppGuard is quite a bit more complex than simple whitelist solutions, but it does bear a certain resemblance to them. That complexity cuts both ways, as you’ll see.

Vocabulary Lesson
There’s actually a lot more to understand about AppGuard than the simple protection-level slider. In order to use the program effectively, you’ll need to study up and learn some new terms.

First up is “Guarded Applications.” On installation, AppGuard adds most widely deployed applications to the guard list. These apps won’t be allowed to modify protected resources like the Windows folder and certain Registry areas.

These apps are also “MemoryGuarded,” meaning they can’t access another process’s memory. The help does note that this may prevent some programs from working, and explains how to suspend or disable the feature.

The next new term is “User Space.” This refers to storage locations normally accessible to non-Administrator users, locations often abused by malware. User Space includes the current user’s directory and all removable or network drives, among other locations.

AppGuard’s treatment of a program launched from user space depends on the situation. At the default Medium protection level, unsigned apps are blocked from launching while digitally-signed apps launch as Guarded. In Locked Down mode, both types are blocked.

Exceptions, Exceptions
I mentioned that you may need to suspend or disable the MemoryGuard feature in order to allow certain applications to work. You’ll also need to crank security down a notch in order to install or update legitimate programs. In fact, the product’s tray menu includes a number of options specifically for those times when you need an exception to the rules.

Why all these exceptions? Because there are plenty of valid activities that just can’t happen when AppGuard is fully active. Note that AppGuard will revoke the suspension automatically after a few minutes. Anti-Executable’s Temporary Execution mode is similar, and it, too, automatically ends after a set time.

You’ll also have to suspend protection with Anti-Executable or VoodooShield for most installations. In order to run Windows Update or other big changes, you’ll need to put Anti-Executable in what’s called Maintenance Mode. With AppGuard set to Medium, I found that Windows Update failed; lowering protection to the Install level solved that problem.

Any of these solutions can cause big trouble if the user does something dumb. You’re the one in charge of deciding if a given program is safe to run, and you’re the one to blame if you let the wrong program run. AppGuard does have an advantage here over simple whitelist tools, because even if you do accidentally allow a bad program to run, it still operates under the limitations of the various guard modes.

Advanced Settings
As noted, the main window just lets you choose one of three protection levels. Clicking the Customize button brings up a dialog that lets you dig in for detailed configuration. Here you can redefine what folders are part of User Space, add new Guarded Applications (or edit permissions for existing ones), and add publishers whose digitally signed applications will be allowed to run unguarded, among other things. Anti-Executable can also automatically whitelist applications digitally signed by trusted publishers.

You could seriously mess things up by making a wrong tweak here. For example, removing Microsoft from the list of trusted publishers would be a bad idea. I tried removing Microsoft and rebooting the test system. On reboot, the desktop and taskbar appeared, but neither would respond to mouse clicks or keystrokes. Good thing it was a virtual machine!

If you use AppGuard alongside a traditional antivirus (and you really, really should), you’ll want to define the antivirus as a “Power Application.” That means that AppGuard will leave it strictly alone, allowing it full power to fight malware, update its definitions, and so on.

Parental Controls
The parental controls feature is not what you might expect. Immediately after installation, AppGuard treats all users of the system equally, allowing them to make any necessary changes to the configuration. Invoking parental controls lets you define one or more user accounts as “SuperUsers” and severely limit what other users can do. With Anti-Executable, the user account that installed the program automatically becomes the equivalent of SuperUser.

Naturally an ordinary user can’t change the parental control settings once a SuperUser has been defined. You’ll have to log in to the SuperUser account to make any changes. Be very, very sure that you know the username and password for that account; otherwise you could lock yourself out.

Hands On with AppGuard
Just for kicks, I tried my usual malicious URL blocking test. Naturally AppGuard didn’t block any URLs; that’s not its job. Nor did it prevent downloading the malicious executables. But when I tried to launch any of the files I had downloaded to the desktop, I got a Windows error message saying it was not a valid executable. That’s right; not a message from AppGuard, a Windows error message. VoodooShield and Anti-Executable at least let you know why the program didn’t launch. I’d like to see clearer messaging from AppGuard.

The exact same thing happened when I tried to launch valid programs from the desktop; they all failed. Note that if any of these had been digitally signed, AppGuard would have allowed them to launch, in Guarded mode. Digitally signed malware is rare, but not unheard-of.

As noted, with AppGuard set to Medium protection, Windows Update failed. It also interfered with Firefox’s automatic update. You’ll want to update your programs and OS manually after putting AppGuard in Install mode, and with nothing else running.

Don’t Go Solo
There’s no question that AppGuard can help against zero-day threats—those unknown programs just won’t get to run. Even if you do accidentally permit a malicious program to launch, its ability to harm your system is tempered by the various guard modules. In that, it’s better than a simple whitelisting solution.

However, you’ll also find it gets in the way of many everyday actions, forcing you to suspend protection. And when it does prevent a program from running, it throws a Windows error message.

Before you consider installing this tool, make sure the system is clear of malware using a free cleanup tool like Editors’ Choice Malwarebytes Anti-Malware 1.70. I’d also recommend ongoing real-time protection, perhaps Bitdefender Antivirus Plus (2014), or the free AVG AntiVirus FREE 2014. And consider taking the 10-day trial before purchasing AppGuard, just to be sure it’s a good fit for your particular style.

Specifications
Tech Support: Online documentation, email
OS Compatibility: Windows Vista, Windows XP, Windows 7, Windows 8
Type: Business, Personal, Enterprise, Professional

Published under license from Ziff Davis, Inc., New York, All rights reserved.
Copyright © 2012 Ziff Davis, Inc