9 July 2016
To get a feel for the impact AppGuard has on daily operations I worked mainly on my test system in the past weeks. My test system is a 6 years old Dell Inspiron 1445 with 4 GB of RAM and a 240 GB SSD. The latest version of Windows 10 is deployed and all out-of-the-box Windows security options like Windows Defender and SmartScreen are activated.
I work with standard user rights; UAC is set to ‘Always notify me’. Macro protection for the office suite is set to ‘Disable all macros with notification’. AppGuard is installed on top of this security stack to protect from all kind of zero days.
The impact on my daily work is hardly noticeable. Standard malware is blocked either by Defender or by SmartScreen. Even the download of e.g. JavaScript based malware from malwr.com for test purposes is a challenging task.
AppGuard does a really good job in blocking the execution all kind of zero-day malware from user space. But how well works AppGuard in the case of somewhat more advanced malware?
I searched for a new PowerShell based malware on malwr.com and found Invoice_201604469.doc.
A check on VirusTotal showed that only 3 of 56 anti-malware products identified malware:
| Antivirus | Result | Update |
| Fortinet | WM/Poseket.A!tr.dldr | 20160706 |
| Qihoo-360 | heur.macro.powershell.a | 20160706 |
| Symantec | W97M.Downloader | 20160706 |
As always, the AutoOpen macro is password protected. But LibreOffice overrides the password protection and reveals a master piece of code:
AutoOpen Macro with PowerShell Code
I opened the document and followed the instructions to execute the AutoOpen macro.
Invoice_201604469.doc. Click to enlarge.
The effect was enormous. AppGuard’s MemoryGuard blocked the execution of the PowerShell script and prevented the download of the payload 18293.exe:
 Blocked Program Message 1 |
 Blocked Program Message 2 |
Thus the command shell wasn’t able to start the payload and Windows displayed the last error message:
Windows Error Message
MemoryGuard is a really charming concept, and out-of-the-box available after installation.
This concludes my tests. The experiments of the past weeks show that User Space and MemoryGuard are useful security features. They complete the Windows built-in security features, and provide additional protection, in particular in the case of zero-day malware.
Have a good weekend.
IT Security Matters 