EQS versus NG

Discussion in 'other anti-malware software' started by aigle, Oct 9, 2007.

Thread Status:
Not open for further replies.
  1. aigle

    aigle Registered Member

    Joined: Dec 14, 2005
    Posts: 11,164
    Location: UK / Pakistan

    How do u compare these two free HIPS? I need comments by their users.

    Actually for a few weeks I have been running EQS v 3.4 and NG beta build 302 together, though it's mainly for fun and not for security. For security either one will be enough, although EQS has a lot more features than NG. NG on the other hand has some very nice features like detection of worm behavior (making a copy of itself), detection of posting messages into windows, posting data into windows, differentiation between global hooks and hooks into a single process, a quarantine feature, deleting files rapidly, overwriting executables, reading text files rapidly, reading the windows address book, outbound FW, inheriting permissions for executables created by Restricted applications like ur browsers, etc. It's also easier to use. So for anybody who wants fewer popups and less "headache", I will recommend NG.
    On the other hand, if somebody is paranoid and wants to control everything on the system and is ready to make exhaustive rules, he should go with EQS. A big advantage of EQS is complex child parent rules, different profiles that can be changed via hotkeys and a full File protection feature.

    I am really impressed with NG. It has a very nice GUI (popups and tray icon flashing). It has many things that make it a user friendly HIPS. U can put ur trusted applications in the trusted group so no more popups about them, no conflicts. U can secure ur security appliances by a single click in the rules, at the same time avoiding unnecessary termination popups for other processes that need not be secured. U can put ur browsers in the Restricted group with a rather strict rule set and it will work as a policy based sandbox giving very few popups. This is actually a very neat feature (Comodo FW version 3 has a similar function that is more comprehensive but more complex at the same time). This way NG actually has three policies with different rule sets (optionally).

    1- Trusted policy- no interception/restrictions. It is for applications marked trusted by the user like security applications and windows system executables- no popups, no conflicts.
    2- Restricted- policy for applications marked restricted by the user like web browsers and other internet applications etc. U can tighten the default rule sets for this policy and avoid unnecessary popups.
    3- Default policy for all other applications- Here also u can change default rules as u wish.

    Main drawback for NG is that there are no complex parent child rules (like ProcessGuard) but NG's protection is far better than PG. Absence of complex rules is an advantage for new users though. It makes NG user friendly to them. NG lacks some filters like system shut down protection, protection against changing system time etc.

    People complain that it has no separate Registry defence module but I have really found its registry protection better than EQS. It protects against common malware registry attacks that EQS can't, in spite of the fact that it has a full registry defence (like protection against disabling RegEdit, TaskManager, deleting Folder Options, deleting important windows services: EQS failed in all these while NG passed here on my system; I used XPKiller and Brontok worm plus some other malware).

    Some main advantages of EQS at the moment are a full File defence module and defence against SSDT unhookers. I have given some suggestions to Arman and if he likes them and implements them, I hope NG will have a file protection feature that will give good security while at the same time giving no annoying popups like EQSecure's file defence system. SSDT unhookers might be dealt with in the meantime (ATM I tried two SSDT unhookers and NG dealt with them nicely).

    ATM in my opinion NG is far better than PG, PS free and SSM free. Arman also has the intention to make it Vista compatible in future (it might take time though).

    Actually I was running 5 security applications before: Antivir, SSM free, ThreatFire (CyberHawk), Comodo FW and GesWall. I removed four of them, namely Antivir guard (service changed to manual), Comodo FW, SSM free and ThreatFire. Now I am running EQS, GW and NG (why not consider NG as a FW in my setup rather than a HIPS, as I have no outbound FW). At times I turn off EQS. So basically I am using two/three applications in real time: GW and EQS &/or NG. Antivir is on-demand. Of course I use ShadowSurfer when I test malware against these HIPS.

    An interesting note. I removed ThreatFire as I found it very much like NG with more user friendly (though less descriptive and sometimes ambiguous) popups and a default blacklist. To me TF is nothing more than a HIPS like NG but it's better for ordinary users.

    A word of caution: NG still has some install problems, also I noted a conflict with Comodo firewall version 2 and I got a couple of BSODs; some are fixed by Arman and some are to be fixed in the next build.
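
An added example, not part of aigle's post or of either product: a small Python check that scans a registry export (.reg text) for the lockout settings the post describes malware applying (RegEdit and Task Manager disabled, Folder Options hidden). The value names are the standard Windows policy values, which the thread itself does not list, and the sample export is constructed.

```python
import re

# Watched policy values, keyed by lower-cased subkey (hive prefix removed).
# The names are standard Windows policy values; the thread does not list them.
WATCHED = {
    r"software\microsoft\windows\currentversion\policies\system": {
        "disabletaskmgr": "Task Manager disabled",
        "disableregistrytools": "RegEdit disabled",
    },
    r"software\microsoft\windows\currentversion\policies\explorer": {
        "nofolderoptions": "Folder Options hidden",
    },
}

KEY_RE = re.compile(r"^\[(-?)([^\]]+)\]$")          # [HIVE\sub\key] or [-HIVE\...]
VAL_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')

def find_lockouts(reg_text):
    """Return (hive, value name, meaning) for each watched value set non-zero."""
    findings, hive, watched = [], None, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            deleted, path = m.groups()
            hive, _, subkey = path.partition("\\")
            # A "[-key]" section deletes the key, so it cannot set a lockout.
            watched = None if deleted else WATCHED.get(subkey.lower())
            continue
        m = VAL_RE.match(line)
        if m and watched:
            name, data = m.groups()
            meaning = watched.get(name.lower())
            if meaning and int(data, 16) != 0:
                findings.append((hive, name, meaning))
    return findings

# Constructed sample export, not taken from a real system.
SAMPLE = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoFolderOptions"=dword:00000001
"""

if __name__ == "__main__":
    for hive, name, meaning in find_lockouts(SAMPLE):
        print(f"{hive}: {name} -> {meaning}")
```

Comparing the output of such a check before and after a test run in a rollback environment shows whether a HIPS actually blocked these writes.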
     
  2. Kees1958

    Kees1958 Registered Member

    Joined: Jul 8, 2006
    Posts: 5,857

    Aigle,

    Welcome to the small group who only use a policy sandbox and a hips or as CogitoEgoSum calls it, living dangerously without an AV or software FW.

    I even degraded from using an anti-executable classic HIPS (SSM Pro and later EQSecure 3.3) to behavior blockers as a second layer behind the policy sandbox (I have to confess that I entered custom rules in ThreatFire for additional file and registry protection and that A2's IDS is helped by WinPooch for this).

    One question about EQS: did you add registry protection rules or are you just using the default list?

    Regards Kees
     
  3. Trespasser

    Trespasser Registered Member

    Joined: Mar 1, 2005
    Posts: 1,204
    Location: Virginia - Appalachian Mtns

    Yes, I'm running without an antivirus now as well. I'm on Vista with UAC on and Sandboxie 3.1.21 (present beta version). I feel a little nervous running without an antivirus but I thought I'd give it a shot. I keep a link to Dr Web CureIt bookmarked in Firefox in case I get a little paranoid. :) . All I can say is so far so good.
     
  4. Perman

    Perman Registered Member

    Joined: Nov 23, 2005
    Posts: 2,161

    Hi, folks: I have a friend currently running his pc almost naked; no software fw, no av, at, as, with only DeepFreeze behind a router. The inconvenience is that he has to reboot the pc every 30 minutes if surfing the Internet. I told him to add some HIPS, EQS is one of them. By doing that perhaps he does not have to reboot the pc that often.
     
  5. aigle

    aigle Registered Member

    Joined: Dec 14, 2005
    Posts: 11,164
    Location: UK / Pakistan

    I am just using the default one. I rely mainly on execution and file protection. Registry is not easy. I just like to cover autorun entries mainly plus a few more (like NG).

    I have not dropped the AV and software FW (NG is covering it with windows FW).
     
    Last edited: Oct 9, 2007
  6. Trespasser

    Trespasser Registered Member

    Joined: Mar 1, 2005
    Posts: 1,204
    Location: Virginia - Appalachian Mtns

    I'm personally behind a nat router for inbound protection plus Windows Firewall with Advanced Security tweaked for outbound. I ran Dr Web's CureIt every day for the first few days until I saw/realized that nothing was getting thru. Sandboxie is a very nice application...:thumb: .
     
  7. EASTER

    EASTER Registered Member

    Joined: Jul 28, 2007
    Posts: 11,126
    Location: U.S.A. (South)

    If there is a more concise registry list thread plz point me in that direction too. Otherwise, I assume we are to manually add particular entries into EQ's registry rules?

    Thanks
     
  8. Kees1958

    Kees1958 Registered Member

    Joined: Jul 8, 2006
    Posts: 5,857

    Easter,

    Yep you have to manually add them. Look in the regdefend section of this post. Toni Klein has a great set explained for regdefend.

    Regards
     
  9. EASTER

    EASTER Registered Member

    Joined: Jul 28, 2007
    Posts: 11,126
    Location: U.S.A. (South)

    Kools

    Thanks.

    Now if they can iron out some bugs/misses in it and get it to save settings and the like. (back to holding my breath again for next version :blink: )
     
  10. dmenace

    dmenace Registered Member

    Joined: Nov 29, 2006
    Posts: 275

    I wish someone would download Regtick: (http://www.snapfiles.com/get/regtick.html)
    and add all the registry settings it can change to EQSecure.

    Or maybe someone could tell the developer to do this...?

    Please... :)
     
  11. korb

    korb Registered Member

    Joined: Mar 13, 2006
    Posts: 150
    Location: singapore-thailand

    thanks aigle. i saw your post for the NG thread. in order to have a smooth install do you allow everything/trust during the installation?
     
  12. aigle

    aigle Registered Member

    Joined: Dec 14, 2005
    Posts: 11,164
    Location: UK / Pakistan

    NG still has install problems. If u have Comodo v2, it will be better to uninstall it as it has a conflict with NG (though once I was able to run both together but it's a pain). Just mark ur security applications trusted and it should be OK. I did not run learning mode. NG by default marks windows system files as trusted, let it do so.
     
  13. korb

    korb Registered Member

    Joined: Mar 13, 2006
    Posts: 150
    Location: singapore-thailand

    playing with NG now. the secure file function does not work. i put a file inside the protection but i still can delete it away. am i missing something?
     
  14. aigle

    aigle Registered Member

    Joined: Dec 14, 2005
    Posts: 11,164
    Location: UK / Pakistan

    Because by default NG makes ur explorer.exe trusted.
    Try deleting the file via IE.

    Can't see ur image (404 error).

  15. korb

    korb Registered Member

    Joined: Mar 13, 2006
    Posts: 150
    Location: singapore-thailand

    how to delete through browser, sorry.

    so the files in the secure folder work only when you restrict explorer.exe. then i think it will freeze up the com if one is to restrict explorer.exe.

    p/s: ok i get what you mean by delete through browser. but that is not what i expected.
     
  16. aigle

    aigle Registered Member

    Joined: Dec 14, 2005
    Posts: 11,164
    Location: UK / Pakistan

    Tell me what u want exactly. Why do u want to make files secret even to the explorer?
    U can remove explorer.exe from the windows system files group and it will make it untrusted (but I will not recommend it because it will cause cpu spikes and some slowdowns and hangs ATM. It seems a bug and I have notified Arman of it).

    See how I try to open the secured folder via opera!
    File> Open> My documents> NG (secured folder).

  17. Gargoyle

    Gargoyle Registered Member

    Joined: Jun 2, 2007
    Posts: 67

    I was wondering about the same thing. Eqsecure is the one I'm using right now but my computer can be bogged down from all the pop up windows that I'm getting.
     
  18. korb

    korb Registered Member

    Joined: Mar 13, 2006
    Posts: 150
    Location: singapore-thailand

    yes i know it is not advisable to do it this way. so i'll leave it at its default setting.

    another thing is now when i open any browser geswall will not prompt me any more. any way to enable the setting in NG? i put geswall as trusted
     
  19. aigle

    aigle Registered Member

    Joined: Dec 14, 2005
    Posts: 11,164
    Location: UK / Pakistan

    What do u mean by this? I did not understand.
     
  20. korb

    korb Registered Member

    Joined: Mar 13, 2006
    Posts: 150
    Location: singapore-thailand

    when you open browser, geswall will prompt you to isolate or not. but after installing NG geswall did not prompt anymore.

    anyway i uninstalled NG after it froze up when a program like procx.exe tried to start up. the waiting time to answer 'allow' in NG seems too long. and the tray icon disappearing is a known bug. NG gui uses up about 11mb compared to EQ or threatfire which are lower than NG.
     
  21. aigle

    aigle Registered Member

    Joined: Dec 14, 2005
    Posts: 11,164
    Location: UK / Pakistan

    I still get the prompt but I have set GW as trusted.
    No such issues with Procx.exe on my system ATM, I just checked.
    Memory will not be an issue for me unless I have a system with very limited resources. Also the numbers are still small.

    I experienced two tray icons and a greyed out icon, did not see it disappearing though on my system.

    Anyway let's wait and see how its development goes on.
     