EQS question

Hi

I downloaded the latest set of Alcyon's rules today from drop.io/eqsecure

Now EQS is blocking Sandboxie from deleting the sandbox after I close my browser. I checked the log and selected to Allow it, but it doesn't change. I went through the rules and tried to find what was blocking it, but no luck.

Here are some screenshots.



Here is the log entry:



The error message I get is here, it says "access denied".

 

Hi HURST

You get this error message because you're using the rule "Block CMD.EXE" in the blacklist section of application protection settings. Blacklist rules = high priority and application rules = medium priority. If i find the time, i'll post a fix to make this rule compatible with Sandboxie in some hours. I also see that you're using a non-English OS... The rules I made are for the English version of Windows XP so many rules will not work unless you modify them ("Archivos de programa" instead of "Program Files", etc.).

 

Thanks Alcyon, I'll fix the language ASAP.

Thanks for your brilliant ruleset and you FAST response

 

Is there a way to get XML files to accept special characters? It's my first time editing XML, and I found that when I change "Local Settings" to "Configuración Local", the file won't open anymore, because of the "ó".

 

I think the only way to make eqs work with special characters is to replace them with "?" so "Configuración Local" becomes "Configuraci?n Local".

 

Here's a quick fix to be able to use "block cmd.exe" while using Sandboxie:

Code:

<EQSysSecureDat Version="2">
    <Rule Type="WatchApp">
        <Rule Data0="*" Type="1">
            <Group Name="Bypass - SandboxIE (Delete Sandbox)" ModeID="1">
                <Rule SubType="63621" IncludeSub="0" Action="65535" Log="63620" Ask="63620" CheckCommandLine="1" Enabled="1" MD5Check="0" MD5Value="" Desc="" Data0="%WinDir%\system32\cmd.exe" Data1='/c rmdir /s /q &quot;?:\*\*\__Delete_*_?*&quot;' />
            </Group>
        </Rule>
        <Rule SubType="65535" IncludeSub="1" Action="65535" Log="65279" Ask="65279" Data0="*" Type="2" />
    </Rule>
    <Rule Type="WatchReg">
        <Rule Data0="*" Type="1" />
        <Rule SubType="7" IncludeSub="1" Action="7" Log="0" Ask="0" Data0="*" Type="2" />
    </Rule>
    <Rule Type="WatchFile">
        <Rule Data0="*" Type="1" />
        <Rule SubType="15" IncludeSub="1" Action="15" Log="0" Ask="0" Data0="*" Type="2" />
    </Rule>
</EQSysSecureDat>

Copy this code into notepad, save it as an xml, import it in the blacklist section of application protection settings and move this rule above all the others.
http://img29.picoodle.com/img/img29/4/4/29/f_smtm_2996955.png

 

Thanks Alcyon!

Man you fixed it fast! I hope support for some paid software could be so efficient!

 

@Alcyon:

I'm still getting the same error... maybe i'm missing something

 

Leave the bypass rule checked, open the group "Block Unrequested URLs (Out)" and for each rules, replace "Terminate/Suspend Process - Action:Block Log:Yes" by "Terminate/Suspend Process - Action:Ignore Log:No". Is it working with these modifs?

 

Yes, now it's working!
Should I reset explorer.exe and iexplore.exe to block again and leave cmd allowed?

EDIT:
Actually, it's still not working...same error

 

I'm wondering if anyone else is experiencing the same issue...

 

Strange, everything is working fine on my side after the modifs... Verify if the command variable of the bypass rule is:

/c rmdir /s /q "?:\*\*\__Delete_*_?*" (in Other Settings)

Aswell, uncheck the "block unrequested urls" rule... Maybe it's the problematic one.

You could also remove all sandboxie related application rules and revalidate them.

 

Yes, now it works. Unchecking the Block Unrequested URLs, SBIE can delete the sandbox.

I'll try your other suggestion... Thanks for all your help

 

I tried deleting all Sandboxie entries and revalidating them, no luck.

I left only the CMD box unchecked on Block Urequested URL's. It works fine.

Maybe a reinstall of both sandoxie and eqsecure could help.

Now I only have to figure out why IExplorer isn't working anymore, after I translated folder names on the ruleset... but I think i'll leave it 'til tomorrow

 

Something else you could try with "block unreqested urls" is to leave cmd.exe checked and change all the actions to "ignore" except "execute application". Try this and tell me if it works.

 

Yes, it works perfect

 

Alcyon, I narrowed it down

It works perfectly now.

This is what I did:

explorer.exe box CHECKED, but Terminate/suspend process set to ignore, all others Block

iexplore.exe: CHECKED, all Block

cmd.exe: CHECKED: all Block, EXCEPT: Create remote thread, Modify memory of other process, Terminate/suspend process - these 3 are set to ignore.

 

HURST, thanks for the all the infos

 

Your are welcome...thank YOU for a superb ruleset and GREAT support!

 

@Alcyon

Regarding my IExplorer problem:
I wasn't able to execute IE. It was blocked by EQS.

I modified the following rules and now it works OK:

Application Protection, Blacklist;

Under "Block Unrequested URL's --> iexplore.exe"

All blocked, EXCEPT:

Create remote thread
Modify memory of other process

Both set to Ignore