Wilders Security Forums  

  #1  
Old April 4th, 2007, 02:27 PM
Kees1958's Avatar
Kees1958 Kees1958 is offline
Massive Poster
 
Join Date: Jul 2006
Posts: 5,857
Default Review EQSecure 3.3

Hi,

Just sharing my experiences with this Chinese freeware.

What is it?

A HIPS which digs real deep into your OS (XP Home in my case). Design of EQSecure is more or less similar to NeoavaGuard. EQ has (compared to NG) more advanced registry control, a few options less (e.g. NG has the ability to stop apps which "act as a server"). EQ is less aggressive than NG (when you leave learning mode of NG too early, it can mess with your system). EQ only stops processes from doing harm, it does not kill them.

It offers:
- startup control of executables, termination of processes and or threads,
- startup of a remote thread,
- system shutdown
- control access to libraries, loading of drivers,
- access to physical memory
- low level data access
- install a global hook
- installation of drivers or services
- keylogger protection
- registry protection
- file protection

When startup control of executables is enabled it also offers parent - child control via pop-ups at first start of a process.

In short it offers both event centric control (like behavioral blockers) and application faced control (like classical HIPS as SSM and ProSecurity).

For which type of PC users is this an interesting app?
For security aware PC-users who lean more towards event centered control than application faced control.
For hardcore HIPS users who have paid versions of Antihook, SSM, Prosecurity it offers no extras. For SSM-free and ProSecurity free users it might be a nice free alternative.
More or less the same applies to CyberHawk Pro users who have painfully entered their registry protection and file protection: stick to CB-Pro. For CB-free users who have developed a more comprehensive understanding of security and find the step to SSM-free for example too big, this is also a nice free application.

Where can I download it?
http://ht tp://www.eqspywatch.com/do...ecureSetup.exe Thanks to Mitchelson.

Installation
Initial screen is in Chinese, just look for the drop down menu bar and select English (as a language) and everything works fine. Remember when you first install a program don't let it autostart until you have got the hang of it.
Attached Thumbnails: 1main screen.JPG, 2 configuration options.JPG


Last edited by ronjor : August 14th, 2008 at 09:44 PM. Reason: Disable direct download link
  #2  
Old April 4th, 2007, 02:39 PM
Kees1958's Avatar
Kees1958 Kees1958 is offline
Massive Poster
 
Join Date: Jul 2006
Posts: 5,857
Default Re: Review EQSecure 3.3

Setup

1. Click icon, main screen appears, click "System Protect" icon and
2. Set all options of the Normal protection mode to "Allow" (you do not want to risk getting excluded from your system). When you know how to operate EQ you can tighten the options.
Attached Thumbnails: 3 setup.JPG

  #3  
Old April 4th, 2007, 02:47 PM
zopzop's Avatar
zopzop zopzop is offline
Frequent Poster
 
Join Date: Apr 2006
Posts: 594
Default Re: Review EQSecure 3.3

wow looks promising. and it offers features that you don't find in other freeware of its type (like low-level disk protection). i'd love to see this tested vs killdisk (low level disk access), martin's keylogger/aklt from firewallleaktest (keyloggers), and xpkiller (stops and deletes services).
__________________
Current Security Apps -
Desktop/Laptop : SRP + LUA + KAFU, Antivir (free - on demand)

LUA+SRP+KAFU = WIN!!!111
  #4  
Old April 4th, 2007, 02:48 PM
Kees1958's Avatar
Kees1958 Kees1958 is offline
Massive Poster
 
Join Date: Jul 2006
Posts: 5,857
Default Re: Review EQSecure 3.3

The not so sophisticated reduction (of the Normal mode) to doing nothing is just a precaution, because the on-line help is only in Chinese and variants of Chinese.

3. Choose the add button and
4. Enter Behavior as the name in the pop-up screen which appears
5. Next choose the protection options to set up a strong behavioral protection.
Attached Thumbnails: 4 enter behavior options.JPG

  #5  
Old April 4th, 2007, 02:56 PM
Kees1958's Avatar
Kees1958 Kees1958 is offline
Massive Poster
 
Join Date: Jul 2006
Posts: 5,857
Default Re: Review EQSecure 3.3

Now we are going to activate the Behavior protection mode

6. Click System Protect icon
7. Click Switch mode
8. Select Behavior

Now behavior is selected, next we are going to configure this protection mode
9. Select Setting of the application protection row
Attached Thumbnails: 5 activate behavior protection.JPG

  #6  
Old April 4th, 2007, 03:11 PM
Kees1958's Avatar
Kees1958 Kees1958 is offline
Massive Poster
 
Join Date: Jul 2006
Posts: 5,857
Default Re: Review EQSecure 3.3

Next the "Application protection" screen will pop up.

On top it has three levels of rules listed:
A- All application's rules (priority low)
B- Application's rule (priority medium)
C- Blacklist (priority high)

Note that when no rules exist for a process the default rules of the protection mode (behavior) apply. There is one irritating thing about EQ. When you allow a program to execute via a prompt it inherits the rule set of the system default (the initial values of Normal protection mode). This means you have to tighten the rules for an allowed application after a prompt (only 1 time, but still irritating).

How this priority works I will explain with one example.
When you use your favourites within IE, InternetExplorer sets a global hook with IEFrame.dll. You do not want to allow global hooks, possibly only for this exception. This is how you set it up.
1. Enter a rule for InternetExplorer in the "All application's rule" Auto Group with everything you want to be blocked (including global hook setting).
2. Enter a rule for Internet Explorer in the "Application's rule" tab (also in the Auto Group) with the same setting.
3. Under the process InternetExplorer in the "Application's rule" tab of Auto Group add a rule for C:\Windows\System32\IEframe.dll; for this rule you can allow a global hook to be set. Do not forget to select Check MD5 in the "Other Settings".

Below right are options to enter programs ("Add subprocess") to a group, add a group, delete rules or groups, and move up/down the entered rules.

When you select Add subprocess a sort of windows file open dialog and navigation will appear.

Do not forget to choose Apply before moving over to other controls!

Next I will show samples of B and C
Attached Thumbnails: 6. Application protection.JPG


Last edited by Kees1958 : April 8th, 2007 at 06:21 AM.
  #7  
Old April 4th, 2007, 03:22 PM
Kees1958's Avatar
Kees1958 Kees1958 is offline
Massive Poster
 
Join Date: Jul 2006
Posts: 5,857
Default Re: Review EQSecure 3.3

Example of B, Application rules within the "All application's rules" (A previous screen).

The navigation is pretty straightforward with + and - sign to show and collapse subprocess under a process or a group.

In this example you can clearly see that WGAtray is allowed to access physical memory (whereas Explorer.exe is not allowed).

Note you only have to fine tune "Access to physical memory" and "Shutdown/Restart" options, because in our example those are the only two with "Prompt and Block" options, all other options will be overruled by the "All application rules".

I suggest you set the log options to only exception reporting, otherwise the log will be cluttered with allowed actions (not handy when trying to find a mistake in the options you selected).

Do not forget to choose Apply!
Attached Thumbnails: 7. Application protection.JPG

  #8  
Old April 4th, 2007, 03:32 PM
Kees1958's Avatar
Kees1958 Kees1958 is offline
Massive Poster
 
Join Date: Jul 2006
Posts: 5,857
Default Re: Review EQSecure 3.3

In the Blacklist the nag screen of Antivir, cmd and format are blocked from starting.

A nice option is to import and export rule settings (I like it, because I copied this setting from my wife's PC to my son's). The rules are saved in XML format (to me a hint that the architecture is okay and well thought out).

Next registry protection
Attached Thumbnails: 8. Application protection.JPG

  #9  
Old April 4th, 2007, 03:35 PM
Kees1958's Avatar
Kees1958 Kees1958 is offline
Massive Poster
 
Join Date: Jul 2006
Posts: 5,857
Default Re: Review EQSecure 3.3

After Apply and choosing OK you have to go back to the main window,
choose
Attached Thumbnails: 9 choose registry protection.JPG

  #10  
Old April 4th, 2007, 03:42 PM
Perman Perman is offline
Very Frequent Poster
 
Join Date: Nov 2005
Posts: 2,158
Default Re: Review EQSecure 3.3

Hi, folks: I took the liberty to view its Chinese web site and its forum. Apparently, the latest EQSecure3.3 is a merger of earlier EQSecure and its sibling EQSpywatch (rule-based), and seems to be in its beta form. A few known bugs reported by users: among them, a conflict issue w/ sandboxie and high CPU usage (when some different breeds of FW are being used simultaneously). Some viewers reported it is very similar to SSM in beta. Just FYI, of course. Reported bugs will be ironed out in new release v.3.4 next month. Mind you, its Chinese version 3.3 was released on March 18. There is a time-lag between that and English version (?). For viewers who like to try a new app and endure an adventurous challenge, this is the one. Good luck.
  #11  
Old April 4th, 2007, 03:45 PM
Kees1958's Avatar
Kees1958 Kees1958 is offline
Massive Poster
 
Join Date: Jul 2006
Posts: 5,857
Default Re: Review EQSecure 3.3

Registry protection
A. All application's rules: are general rules
B. Application's rules: are EXTRA rights (allowed to break the rules described in A), so B overrides A
C. Blacklist also overrides A


EQ standard has some rules preloaded, I suggest you look through this link
http://gladiator-antivirus.com/forum...=0&#entry88429
and add the startup entries missing
Attached Thumbnails: 10 registry protection.JPG


Last edited by Kees1958 : April 8th, 2007 at 06:21 AM.
  #12  
Old April 4th, 2007, 04:01 PM
Kees1958's Avatar
Kees1958 Kees1958 is offline
Massive Poster
 
Join Date: Jul 2006
Posts: 5,857
Default Re: Review EQSecure 3.3

Entering additional registries yourself

When you press Add registry the following pop-up appears (example of a registry value protected).

The easiest way to build up your exceptions (B) is to either choose "Prompt and Allow" or "Prompt and block" as options. The other options are block and allow.

Note EQ does know wildcards like Regdefend, but does not have the double **.
key*, *key* and \* are the same as in Regdefend.

Examples:
a) *controlset* applies to currentcontrolset as well as controlset001
b) run* applies to run, runonce etc
c) an * in the registry key name implies that all fields are included
d) \* implies that all subkey levels are included
Attached Thumbnails: 11 registry protection.JPG


Last edited by Kees1958 : April 4th, 2007 at 04:53 PM.
  #13  
Old April 4th, 2007, 04:09 PM
Kees1958's Avatar
Kees1958 Kees1958 is offline
Massive Poster
 
Join Date: Jul 2006
Posts: 5,857
Default Re: Review EQSecure 3.3

Example to implement all values and all subkeys (the ** Regdefend wildcard)

First you enter the exact Registry Path with an asterisk in registry key name (top of pic), second (bottom) you enter the same registry path followed with an /* and also an * in the registry key name.

Not the best way to enter, but a lot easier than CyberHawk and SSM free (next best to Regdefend).
Attached Images
 
  #14  
Old April 4th, 2007, 04:19 PM
Kees1958's Avatar
Kees1958 Kees1958 is offline
Massive Poster
 
Join Date: Jul 2006
Posts: 5,857
Default Re: Review EQSecure 3.3

Next the exceptions, processes which are allowed to overrule the general registry protection. In this example XP restore (rstrui.exe) is allowed to set the runonce registry keys.

The black list works the same way (only it blacklists an allow key to block).

It is not the most straightforward user interface, but it is free and the app works fast and reliable.
Attached Thumbnails: 13 exceptions.JPG
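
Editor's added example (not part of any post above, and not EQSecure's own code or rule format): a small model of the registry rule evaluation described in posts #6 and #11 to #14, with blacklist over application exceptions over general rules, per-segment `*` wildcards, and the two-rule pair that stands in for Regdefend's `**`. The first-match-per-layer order, the treatment of a trailing `\*` as "subkeys only", and every path and process name except rstrui.exe are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

def glob(pattern: str) -> re.Pattern:
    """Only '*' is special; matching is case-insensitive like registry names."""
    return re.compile(".*".join(map(re.escape, pattern.split("*"))), re.I)

def path_matches(pattern: str, key_path: str) -> bool:
    pat, key = pattern.strip("\\").split("\\"), key_path.strip("\\").split("\\")
    if pat[-1] == "*":                     # trailing \* = every subkey level
        pat = pat[:-1]
        if len(key) <= len(pat):           # assumption: \* does not cover the key itself,
            return False                   # which is why post #13 enters two rules
    elif len(key) != len(pat):
        return False
    return all(glob(p).fullmatch(k) for p, k in zip(pat, key))

@dataclass(frozen=True)
class Rule:
    path: str                      # registry path, wildcards per key-name segment
    value: str                     # value name; "*" = all values
    action: str                    # "allow" or "block"
    process: Optional[str] = None  # None = any process

    def hits(self, process: str, key_path: str, value: str) -> bool:
        if self.process and self.process.lower() != process.lower():
            return False
        return path_matches(self.path, key_path) and bool(glob(self.value).fullmatch(value))

def decide(process, key_path, value, general, exceptions, blacklist, default="allow"):
    """Blacklist (C) beats application exceptions (B), which beat general rules (A)."""
    for layer in (blacklist, exceptions, general):
        for rule in layer:         # assumption: first matching rule in a layer wins
            if rule.hits(process, key_path, value):
                return rule.action
    return default                 # no rule: the protection mode's default applies

# Constructed sample rule set; trusted_updater.exe is a hypothetical process name.
CV = r"HKLM\Software\Microsoft\Windows\CurrentVersion"
WL = r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
SVC = r"HKLM\System\*ControlSet*\Services"
GENERAL = [
    Rule(CV + r"\Run*", "*", "block"),   # run* -> Run, RunOnce, ...
    Rule(SVC, "*", "block"),             # the key's own values ...
    Rule(SVC + r"\*", "*", "block"),     # ... plus all subkey levels (the "**" pair)
    Rule(WL, "*", "block"),
]
EXCEPTIONS = [
    Rule(CV + r"\RunOnce", "*", "allow", process="rstrui.exe"),
    Rule(WL, "*", "allow", process="trusted_updater.exe"),
]
BLACKLIST = [Rule(WL, "Shell", "block")]

def check(process, key_path, value):
    return decide(process, key_path, value, GENERAL, EXCEPTIONS, BLACKLIST)

if __name__ == "__main__":
    for args in [("rstrui.exe", CV + r"\RunOnce", "restore"),
                 ("other.exe", CV + r"\RunOnce", "x"),
                 ("other.exe", r"HKLM\System\ControlSet001\Services\foo\Parameters", "Dll"),
                 ("trusted_updater.exe", WL, "Shell")]:
        print(args, "->", check(*args))
```

Dropping the plain `SVC` rule from the general list leaves the Services key's own values unprotected while its subkeys stay covered, which is the gap the two-entry workaround in post #13 closes.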

  #15  
Old April 4th, 2007, 04:27 PM
Kees1958's Avatar
Kees1958 Kees1958 is offline
Massive Poster
 
Join Date: Jul 2006
Posts: 5,857
Default Re: Review EQSecure 3.3

Next file protection

It is a lot of screens but then again you will get a transparent CyberHawk Pro for free, a free Regdefend and a free Safesystem2006 all in one. Maybe in the next release they provide English help files.

Go back to the main screen and select file protection.
Attached Thumbnails: 14 file protection.JPG

  #16  
Old April 4th, 2007, 04:33 PM
Kees1958's Avatar
Kees1958 Kees1958 is offline
Massive Poster
 
Join Date: Jul 2006
Posts: 5,857
Default Re: Review EQSecure 3.3

At last an option which is straightforward, see pic.
Attached Images
 
  #17  
Old April 4th, 2007, 04:38 PM
Kees1958's Avatar
Kees1958 Kees1958 is offline
Massive Poster
 
Join Date: Jul 2006
Posts: 5,857
Default Re: Review EQSecure 3.3

Considerations

This is just an example of behavior blocking. In my opinion this app is as interesting a free app as PowerShadow (EDIT: although it works differently).

When you look at the intervals in which they bring out new releases, manpower is not a problem. So this app is only going to become stronger. I found it as fast as SSM-free. Sometimes it has strange CPU bumps (when closing down limewire for instance) and the boot up process takes on average 20 secs longer.

Still for Niente, Nada, Noppes, Null Euros, dollars, Yens, Pounds you will get more or less the functionality of CyberHawk Pro, Regdefend and SafeSystem2006 combined.

On our PCs it works flawlessly on the configs below.
Regards K
Attached Thumbnails: naamloos.JPG


Last edited by Kees1958 : April 8th, 2007 at 06:23 AM.
  #18  
Old April 4th, 2007, 11:22 PM
EASTER.2010
 
Posts: n/a
Default Re: Review EQSecure 3.3

Quote:
EQ only stops processes from doing harm, it does not kill them.

That is very important to point out. Add that VERY IMPORTANT! capability with an update and it's well on its way to many an audience IMO. How about it?

Quote:
It is not the most straightforward user interface, but it is free and the app works fast and reliable.

I already got the hang of this one and frankly it is more user friendly than you might expect. The List is clear cut but you need to take time as suggested in changing the ALLOW/BLOCK rules to your expectations, the program WILL do the rest as set by the user.

I must admit I am really in awe of this new program and even more so than CyberHawk when it first came on the scene. Power Shadow is not designed with this same purpose in mind so I really wouldn't mention it in comparison as it's more a virtual sandbox of sorts whereas EQSystemSecure appears 100% totally behavioral based and does that with excellent success IMO.

Last edited by EASTER.2010 : April 4th, 2007 at 11:33 PM.
  #19  
Old April 5th, 2007, 01:11 AM
Kees1958's Avatar
Kees1958 Kees1958 is offline
Massive Poster
 
Join Date: Jul 2006
Posts: 5,857
Default Re: Review EQSecure 3.3

Hi Easter,

I more or less compared EQ with PowerShadow because it surprised me as a protection app, not the way they work.

Indeed EQ is a behavior based app with a whitelist feature (when you set the execute application to "Prompt and Allow" or "Prompt and Block").

Point is you can use it as both (behavior and whitelist HIPS).

I really think they should change the application protection way of working, so it will work similar to registry protection and the way most HIPS work. You set tight rules and allow exceptions.

Regards
  #20  
Old April 5th, 2007, 01:39 AM
EASTER.2010
 
Posts: n/a
Default Re: Review EQSecure 3.3

Quote:
Originally Posted by Kees1958
I really think they should change the application protection way of working, so it will work similar to registry protection and the way most HIPS work. You set tight rules and allow exceptions.

Regards

Hi Kees1958

I quite agree and hopefully they will do just that in upcoming versions if they are going to make this an ongoing project. I really don't have many reservations about it or too many complaints aside from the fact that it does need to also TERMINATE what it also blocks. That is completely necessary AFAIK because if nothing else the lame-duck process is still occupying CPU time and cycles even though it's restrained from carrying out malicious instructions.

I expect we all are sometime soon to find those improvements in upcoming versions we can finally be satisfied with. I like this initial release in concept and practice and it can be improved to compete on the same level and even surpass capabilities of already accepted behavior blockers currently being trusted & used.
  #21  
Old April 6th, 2007, 01:44 PM
Kees1958's Avatar
Kees1958 Kees1958 is offline
Massive Poster
 
Join Date: Jul 2006
Posts: 5,857
Default Re: Review EQSecure 3.3

Because some asked me, here are the rules I use on both machines

Open the file with notepad, save as (all files) a file with .zip extension. Delete the rules of EQSecure and import them. Do not forget to create a protection mode called Behavior (see this thread).

When you game a lot, some programs (TeamSpeak, Xfire) used to speak and chat while internet gaming require the global hooks set to "prompt and block", so you can enable them.

Regards K
Attached Files
File Type: txt EQsecure XML rules.txt (9.5 KB, 257 views)

Last edited by Kees1958 : April 9th, 2007 at 06:38 AM.
  #22  
Old April 6th, 2007, 04:57 PM
zopzop's Avatar
zopzop zopzop is offline
Frequent Poster
 
Join Date: Apr 2006
Posts: 594
Default Re: Review EQSecure 3.3

kees1958 how many megs of ram does eqsecure take up? is it light like SSM?
__________________
Current Security Apps -
Desktop/Laptop : SRP + LUA + KAFU, Antivir (free - on demand)

LUA+SRP+KAFU = WIN!!!111
  #23  
Old April 7th, 2007, 03:49 AM
Kees1958's Avatar
Kees1958 Kees1958 is offline
Massive Poster
 
Join Date: Jul 2006
Posts: 5,857
Default Re: Review EQSecure 3.3

Hi Zopzop,

EQSecure slows down your boot up, so it must be loading something. When you do not start the configuration screen it only uses 1 to 2.1 MB. With the config screen activated about 4.8 MB. With the taskmanager and config about 6.4 MB.

Info windows task manager (added all security apps to show differences)
- Antivir's AVGNT = 1.128 KB
- Antivir's AVGUARD = 424 KB
- Defensewall = 7.172 KB
- SensiveGuard Service = 3.208 KB
- SensiveGuard Client = 4.652 KB
- EQSecure = 1.008 KB

With EQSecure's taskmanager (see pic), explain the differences to me (actual memory and virtual memory)?
Attached Thumbnails: naamloos.JPG

  #24  
Old April 12th, 2007, 09:26 PM
pvsurfer's Avatar
pvsurfer pvsurfer is offline
Very Frequent Poster
 
Join Date: Sep 2004
Location: California - USA
Posts: 1,246
Default Re: Review EQSecure 3.3

First, I really appreciate your effort in presenting this EQSecure overview. Just a few questions before I try this puppy...
  • How do I open your ruleset (post #21) so that I can read it?
  • Have you encountered any reason EQS would not co-exist with NOD32 and Comodo FW?
  • Have you noticed much of a start-up or performance 'hit' when using EQS?
Thanks again!
  #25  
Old April 13th, 2007, 01:54 PM
Kees1958's Avatar
Kees1958 Kees1958 is offline
Massive Poster
 
Join Date: Jul 2006
Posts: 5,857
Default Re: Review EQSecure 3.3

Try opening them with notepad
- save the zip named one as txt file ansi with the .zip extension
- ditto for the tar named one (.tar)

EQ slows down boot up about 15 secs on 3400+ AMD64 with 1 gig.

I do not have NOD32 or Comodo, so I would not know. I allowed the antivir updater to update system files, so I suppose you should allow NOD32 also.
Attached Files
File Type: txt EQsecure XML rules zip.txt (10.5 KB, 276 views)
File Type: txt EQsecure XML rules tar.txt (60.5 KB, 116 views)
 

All times are GMT -4. The time now is 07:24 AM.

