Review EQSecure 3.3

Discussion in 'other anti-malware software' started by Kees1958, Apr 4, 2007.

Thread Status:
Not open for further replies.
  1. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Aigle

    AD 2, see pic (yes)
     


  2. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Thanks, cpcw.
    BTW u did not comment about my request about the failure of EQS. Can u convey it to them. Thanks
     
  3. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Thanks. I missed it.
     
  4. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    It's strange that it tries to connect out even when auto-update is disabled.
    Not a good feeling from a HIPS with such behaviour.
     


  5. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    I noticed that if I enable File Protection in EQSecure, I can no longer Hibernate my Notebook. I hibernated while keeping EQSecure in learning mode to make rules automatically for this but still no way.

    Currently I have disabled File protection in EQSecure. Can anybody check this with latest version?

    Thanks
     
  6. cpcw

    cpcw Registered Member

    Joined:
    May 19, 2007
    Posts:
    22
    I agree with you.
     
  7. cpcw

    cpcw Registered Member

    Joined:
    May 19, 2007
    Posts:
    22
    you could try to do this.

    1. please delete all rules in File Protection.
    2. please enable File Protection.

    If your Notebook can Hibernate, we can know that the problem is your rules of File Protection.

    learning mode can not make rules automatically for File Protection(FP). you need to modify the rules of FP.
     
  8. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    I might try it sometime later.
    Thanks for the info.
     
  9. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Ok., I deleted all file protection rules and was able to hibernate.

    Then I imported these rules again and modified SystemDrive rules to "Allow" and now I am able to hibernate again. That's OK but I could not find how to put a specific rule to allow just hibernation while still getting alert for any file creation in system partition/drive C. (I wonder by which rule it allows access to pagefile that is also located in C.) Tried to add Allow rule for hiberfil.sys and C\*.sys but it did not work.

    I am not sure what is the purpose of rules under "Application's Rule" tab.

    Another thing I noticed that though I have settings to keep log for 7 days (by default) but log is cleared automatically each time EQS is closed and restarted.
     


  10. cpcw

    cpcw Registered Member

    Joined:
    May 19, 2007
    Posts:
    22
    please look at #88 and #92.
    you will find the answer in the flowchart (#84).

    I think that EQ prevented OS from creating/modifying files when you hibernate your Notebook.

    you'd better look at your log to find the problems.

    you'd better put this rule above the "%SystemDrive%\*".
     

    Attached Files: OK.png
    Last edited: Jun 3, 2007
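
The rule-ordering advice in the post above, as an added sketch that is not part of the original thread and not EQSecure's code. It assumes File Protection rules are evaluated top-down with the first match winning (the flowchart the post points to is not reproduced on this page); the action names, the `C:` value for `%SystemDrive%` and the rule lists are constructed for illustration.

```python
from fnmatch import fnmatchcase

SYSTEM_DRIVE = "C:"  # assumed expansion of %SystemDrive%

# Constructed rule lists (pattern, action); "ask" stands for "alert the user".
BEFORE = [(r"%SystemDrive%\*", "ask"),
          (r"%SystemDrive%\hiberfil.sys", "allow")]
AFTER = [(r"%SystemDrive%\hiberfil.sys", "allow"),
         (r"%SystemDrive%\*", "ask")]

def expand(pattern):
    """Substitute the variable and lower-case (Windows paths ignore case)."""
    return pattern.replace("%SystemDrive%", SYSTEM_DRIVE).lower()

def decide(rules, path, default="allow"):
    """Return (action, pattern) of the first rule matching path (assumed model)."""
    for pattern, action in rules:
        if fnmatchcase(path.lower(), expand(pattern)):
            return action, pattern
    return default, None

def shadowed(rules):
    """Find rules that can never fire because an earlier '*' pattern covers them."""
    dead = []
    for i, (pattern, _) in enumerate(rules):
        for earlier, _ in rules[:i]:
            if fnmatchcase(expand(pattern), expand(earlier)):
                dead.append((pattern, earlier))
                break
    return dead

if __name__ == "__main__":
    for name, rules in (("before", BEFORE), ("after", AFTER)):
        print(name, decide(rules, r"C:\hiberfil.sys"),
              decide(rules, r"C:\Windows\new.dll"))
        print("  shadowed:", shadowed(rules))
```

With the specific Allow rule below the catch-all it is reported as shadowed and never applies; moved above, hiberfil.sys is allowed while every other write to the drive still raises an alert.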
  11. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Ok, I will see those posts.
    You are right.

    Will try.

    Thanks for your help.

    EQSecure seems a very nice HIPS with a lot of options.
     
  12. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Hi guys,

    Any news on 3.4 yet?


    Experiencing something funny with EQS, after a declined WMP11 update and some other MS updates. EQS with MD5 hash check causes explorer to use +/30% of processor capacity. Exiting EQS or unchecking MD5 check will lower explorer exe to zero o_O


    Reg K
     
    Last edited: Jun 6, 2007
  13. glentrino2duo

    glentrino2duo Registered Member

    Joined:
    May 8, 2006
    Posts:
    310
    I had several BSOD's with EQS, particularly when resuming from some screensavers, still doing some testing as to what EQS rule is causing this...
     
  14. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Hi all,

    I get questions to receive copy of my ruleset. I have uploaded it as txt file.

    Just save (download this txt file) and open with a zip-manager (e.g. 7-zip). Extract the files to your EQS program file directory and import the xml files.

    Reg K
     


  15. glentrino2duo

    glentrino2duo Registered Member

    Joined:
    May 8, 2006
    Posts:
    310
    Thanks, Kees. Will take a look and try it. :)
     
  16. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Is there a one click option to implement hash check for all the rules (current and future)?
    I wonder why they did not implement hash check by default like other HIPS. A HIPS without this is pretty useless for protection.

    Rules seem much more complicated than SSM and I am not able to understand them so far. If I am correct, I think "All application rules" are general rules without child parent specification!

    Another Q! Under application rules some parent applications are written twice (with even some child twice under same parent). Why not once only with all children under it?
     


  17. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Because, unlike SSM, EQSecure is capable of monitoring changes to files in real-time. :D

    Hash check is actually quite the redundant feature for EQSecure IMO.
     
  18. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    That's not a valid reason at all. What if I am not using file protection option?
     
  19. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Why is it not a valid reason?

    Saying that is like saying you want your anti-virus scanner to still somehow detect malware in real-time even after you turn off the on-access scanner. You can implement a secondary, inferior function that serves the same purpose... but what's the point?
     
  20. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Solcroft,

    Let's be honest: the automatic (learn) generation of rules is a mess. Running EQS with allow and prompt, implies that after every allow I have to check the created rules. Get rid of some (for instance in all), cut and paste children and so on.

    I hope version 3.4 improves.
     
  21. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    The way I do it is to lockdown ALL executables on my HD (create a rule to block *.exe), then manually whitelist a few apps which I know have a legitimate reason to write to exe files (such as explorer.exe, or whatever antivirus scanner I happen to be using). The problem with using hash verification is that it can only catch changes to files AFTER the damage is already done. It does nothing to stop critical system files from being modified or even deleted entirely.

    The automatic rule generation and "improving" it is rather subjective. There's actually quite a few people who like the current behavior as it is.
     
  22. cpcw

    cpcw Registered Member

    Joined:
    May 19, 2007
    Posts:
    22
    yes. I agree with you.

    the developer has realized that it is a mess. version 3.4 will improve on that.
     
  23. cpcw

    cpcw Registered Member

    Joined:
    May 19, 2007
    Posts:
    22
    it's a mess. you'd better put them together.
     
  24. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Ur point is valid but somebody might not want to use file protection, say whatever the reason behind.
    BTW why would it hurt to enable/disable MD5 check by a single click (if somebody wishes to do so)?
     
  25. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Thanks. That's OK. I thought it serves some special purpose!!
     