I just tested this same FakeAV in Virtual XP.
Protection mode: Locked down
Allowed guarded user-space launches and ran it from the Documents folder.
It successfully terminated AppGuard; in fact, it's very good at terminating most things.
Unfortunately for Mr Malware, the BrnFileLock driver blocks it from writing its start entry, so upon reboot poor FakeAV is dead.
Even if it didn't block writing the RunOnce start entry, it would not have been able to launch from its user-space directory.
RIP malware
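The two things this post relies on, a persistence entry under Run/RunOnce and an executable sitting in a user-writable folder, are easy to audit by hand. The script below is an added example and is not code from the thread or from AppGuard: it enumerates the HKCU and HKLM Run and RunOnce keys, extracts the executable from each command line, and flags any that resolve to a user-writable root. The list of roots treated as "user-space" (the profile, %TEMP% and the Documents folder) and the key list are assumptions made for the example.

```powershell
# Added example (not from the original thread or from AppGuard):
# audit Run/RunOnce autostart entries and flag executables living in
# user-writable directories such as the Documents folder.

$autorunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Assumption for this example: these roots are treated as "user-space".
$userSpaceRoots = @(
    $env:USERPROFILE,
    $env:TEMP,
    [Environment]::GetFolderPath('MyDocuments')
) | Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') }

# Registry provider metadata properties that are not autorun entries.
$metaProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-AutorunExecutable {
    param([string]$CommandLine)
    # Pull the executable out of a command line such as
    #   "C:\Users\bob\Documents\fakeav.exe" /silent   or   C:\tool\x.exe -a
    $expanded = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($expanded.StartsWith('"')) {
        $end = $expanded.IndexOf('"', 1)
        if ($end -gt 0) { return $expanded.Substring(1, $end - 1) }
        return $expanded.Trim('"')
    }
    # Unquoted path with possible spaces: grow the prefix token by token
    # until it names an existing file; otherwise fall back to the first token.
    $tokens = $expanded -split '\s+'
    for ($i = 1; $i -le $tokens.Count; $i++) {
        $candidate = ($tokens[0..($i - 1)] -join ' ')
        if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $candidate }
    }
    return $tokens[0]
}

function Test-UserSpacePath {
    param([string]$Path)
    if ([string]::IsNullOrWhiteSpace($Path)) { return $false }
    try { $full = [IO.Path]::GetFullPath($Path) } catch { return $false }
    foreach ($root in $userSpaceRoots) {
        if ($full.StartsWith($root + '\', [StringComparison]::OrdinalIgnoreCase)) {
            return $true
        }
    }
    return $false
}

$findings = foreach ($key in $autorunKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($metaProps -contains $p.Name) { continue }
        $exe = Get-AutorunExecutable -CommandLine ([string]$p.Value)
        [pscustomobject]@{
            Key        = $key
            Name       = $p.Name
            Executable = $exe
            Exists     = (-not [string]::IsNullOrWhiteSpace($exe)) -and
                         (Test-Path -LiteralPath $exe -PathType Leaf)
            UserSpace  = Test-UserSpacePath -Path $exe
        }
    }
}

# User-space launchers first; a missing file next to a live entry is also worth a look.
$findings | Sort-Object UserSpace, Exists -Descending | Format-Table -AutoSize
```

Run it in an elevated PowerShell to see the HKLM keys as well as your own hive. A row with UserSpace set to True is exactly the situation the post describes: a start entry pointing into the profile, which a launch policy that blocks user-space executables would stop at boot even if the registry write itself had gone through.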
Just an update to my previous post.
The AppGuard service is not terminated by this malware. This was just a fault in my testing, in that I didn't disable the VM integration features. It's just the GUI front end that is terminated and prevented from restarting, meaning all you lose is the notifications.
AppGuard completely restricts the malware's actions.
As for the testing shown in the YouTube video, I'm unable to reproduce any sort of bypass from any exploit kit. I don't doubt the legitimacy of the video, but I do question whether AppGuard's protection was weakened by the presence of the many other commercial rootkits (aka security apps) installed.