EQSecure 3.41 Settings

Discussion in 'other anti-malware software' started by EASTER, Dec 8, 2007.

Thread Status:
Not open for further replies.
  1. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Greets again Alcyon

    I always knew there were other workarounds within EQS rulesets syntax but then came along RDT and diverted my attention from investigating thru trial-n-error to see what if anything could be changed for better improvement.

    Looks like you done some precision biopsy on them and surfaced some of those, so another huge thanks in order for your effort.

Let it be known, i don't intend to sway, turn, or otherwise change in my use and interest of EQS in spite of Magic Shield which refuses to Englishnize it for us to use like EQS. I've been thoroughly pleased with EQS, 4 beta in my units with the 112Kb driver which does have additional improvements, but this Rules find is yet another plus which is welcome and hats off for sharing it with us Alcyon.

It burns my backside they couldn't just finish 4 as a final english release for us, but it's their property to do as they see fit, and i consider it fortunate that it's gotten as far as it has for us EQS loyals, and especially Alcyon for taking it a step above what was plain default settings, hence i call it a great HIPS template from which to work with to strengthen its ability and make it even of more beneficial protection than before.

    Thanks again Alcyon, and i do expect many other encouraged EQS users will continue to find it just as worthy a HIPS as anything else available as many of us do.

    EASTER
     
  2. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
thanks easter for the info. i finally downloaded after all the Japanese language problem. but there is one thing, i downloaded an older version of the app which is 3.41. where can i get the newest version? thanks in advance.
     
  3. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,156
    I am using EQS with Alcyons rule set now.

    anyway I notice that EQS hips does not have the feature to block and allow
    windows messages, a method commonly used by malware.

    can anyone else confirm that EQS does not have windows messages feature like other hips do??
     
  4. Alcyon

    Alcyon Registered Member

    Joined:
    Jan 16, 2008
    Posts:
    438
    Location:
Montréal, Canada
    Hi EASTER

    if you don't already have EQS v4 Beta3 and want it, just PM me. I kept it somewhere. The nice thing with b3 is that it can be perfectly translated and should be a little bit better than Beta2.

    Btw, I've released a new ruleset some minutes ago. It's a major update so I encourage every EQS junkies to download it...
     
    Last edited: Oct 1, 2008
  5. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    PM sent.

    On the way over to the rules now. LoL

    EQS = POWERHOUSE HIPS! AIRTIGHT!

    Thanks for the rules, makes all the difference.

    EASTER
     
  6. faterider

    faterider Registered Member

    Joined:
    Nov 6, 2004
    Posts:
    64
    Thanks, your efforts much appreciated!
     
  7. Alcyon

    Alcyon Registered Member

    Joined:
    Jan 16, 2008
    Posts:
    438
    Location:
Montréal, Canada
    The template is always evolving ;)

    That's a pleasure. There's more to come ;)
     
    Last edited: Oct 1, 2008
  8. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    How in the world do you transform these "? ? ? ? ? ? ? ? ? ?. E ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?.", into true english?

    I don't mind the effort but geez, what a list.
     
  9. Alcyon

    Alcyon Registered Member

    Joined:
    Jan 16, 2008
    Posts:
    438
    Location:
Montréal, Canada
    Maybe you haven't installed Chinese PRC/IME3.0 and converted the file to UTF-8?

    Edit: you should use Notepad++ to extract the xmls.
     
    Last edited: Oct 2, 2008
  10. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    No, not yet.

    Looks like a project to work on now.

    Thanks for the tip.

    EASTER
     
  11. mumdigau

    mumdigau Registered Member

    Joined:
    Mar 5, 2005
    Posts:
    29
    I can't get rid of file creation warnings from Sandboxie:

    ~\Sandboxie\SbieSvc.exe (Current application)
    ~\Windows\Sandboxie.tmp-xxxxxxx (target application)

    I've tried the guidelines here, esp. Alcyon's findings in #225, but what ever rules I added to File Protection Settings | Application Rules| DefaultGroup those popups didn't stop. Perhaps some help from the EQS gurus here?

    Best regards

    mumdigau
     
  12. Alcyon

    Alcyon Registered Member

    Joined:
    Jan 16, 2008
    Posts:
    438
    Location:
Montréal, Canada
    Hi mumdigau.

    It's because you must use "Remember this action" before clicking on "Allow". This way, the files will be whitelisted and will appear inside "Default Group" of application rules in file protection settings.
     
  13. Alcyon

    Alcyon Registered Member

    Joined:
    Jan 16, 2008
    Posts:
    438
    Location:
Montréal, Canada
    Hmm... wait... If Sandboxie.tmp- is followed by seven random numbers or characters, once it appears in "Default Group" you can replace "Sandboxie.tmp-xxxxxxx" by

    Code:
    Sandboxie.tmp-???????
    or
    Code:
    Sandboxie.tmp-*
    The ? wildcard means "followed by one character".
     
    Last edited: Oct 2, 2008
  14. mumdigau

    mumdigau Registered Member

    Joined:
    Mar 5, 2005
    Posts:
    29
Sandboxie.tmp-* was what I expected should do it, so this was my first try. But it didn't stop the popups. I now repeated it, but this time I restarted EQS after 'Apply'. It seems to function now. Strange.

    mumdigau
     
  15. honore

    honore Registered Member

    Joined:
    Oct 3, 2008
    Posts:
    2
    Hi Guys ,

    Can anyone pm me a link to the latest eqs 4 beta ?

    I have been using 3.41 and loving it and would like to try v 4 .

    Thanks
     
  16. hammerman

    hammerman Registered Member

    Joined:
    Jul 14, 2007
    Posts:
    283
    Location:
    UK
    I've been working on an Install Mode setup for EQS 3.41. However, I've noticed that when I change mode, the applied set of rules don't always change. Sometimes the mode change is successful, sometimes not.

    Does version 4 also behave like this or does the mode change work with no problems?
     
  17. Alcyon

    Alcyon Registered Member

    Joined:
    Jan 16, 2008
    Posts:
    438
    Location:
Montréal, Canada
Beta4 is practically the same as the final and the two haven't been translated yet. It's better to play with the final! ;) While waiting for them to release a newer fixed version.

Maybe i haven't investigated enough! There's a software called Lingobit Localizer Enterprise!! I'll instead concentrate on new concepts with EQS v3.41. We only scratched the surface ;)

I haven't experienced this kind of problem yet. Maybe you discovered something ;) If I remember well, I think there were no problems with v4!!!
     
  18. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Indeed!
    The EQS Beta 4 driver seems to have been ramped up (115Kb now) with additional improvements and so far even seems snappier. I say that because the v3 Ruleset is quite a load in the Global Rules settings :thumb: Many THANKS for those new rules. A concentrated effort no less. LoL

    And i tried something a bit unorthodox recently.

    I overwrote EQS v3 with v4 but retained the LANG folder for v3 for obvious reasons, (EN), plus added The Alcyon's v3 Ruleset (Rebooted) and found NO ISSUES! (W00T!!)

Still experimenting with the EQS Sandbox but i don't really rely on it at all in active use because SandboxIE is PERFECT enough for me for those containment times necessary.

    EASTER
     
  19. ParadigmShift

    ParadigmShift Registered Member

    Joined:
    Aug 7, 2008
    Posts:
    241
    I always wondered if that would work, now I know. Nice going Easter.
     
  20. honore

    honore Registered Member

    Joined:
    Oct 3, 2008
    Posts:
    2
    @EASTER - I would like to try this myself with v4
    Could you please provide a link to current v4 ?
    Thx :D
    Honore
     
  21. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Well, after testing v4 seems i had to revert back to v3 and i suspect that it's in the (115Kb) driver as the v3 driver weighs (112Kb) and it supports ALL those great rules Alcyon put together for us.

    For some reason, v4 seemed like it was choking on the ruleset and i really expect a HIPS like this to be able to accept the weight of Multiple Rules w/o sacrificing performance, which is what i've found with v4.

    However i haven't given up on v4 yet, i just need to test it more with less rules and see if that really is the issue or something else.

    @honore

    Please be patient while i sort thru v4 again.
Needs more testing on this end with & w/o Alcyon's Rules in order for me to trace down accurately enough if there is some issue or possibly a LIMIT to the rulesets that forced me back to v3, because v4 was Lagging noticeably after engaged in active use awhile.

    Regards EASTER
     
  22. Alcyon

    Alcyon Registered Member

    Joined:
    Jan 16, 2008
    Posts:
    438
    Location:
Montréal, Canada
    The most annoying thing i found with v4 is its incompatibility with many softwares. I prefer the stability of v3.41 and trying to exploit this tool to the max is fun like hell ;) Next ruleset will be a real beast on Steroids ;) Bad news for v4, my ruleset is growing in size everyday ;)
     
  23. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    100% AGREE! Alcyon

One thing that is unmistakably noticeable is that v4 crawls compared to 3.41.

    Not only that, but v3.41 supports ALL your rulesets MUCH BETTER!

    I've since reverted back to 3.41 because like you say, you can push it to MAX. It does an absolutely incredible job as serving (Thanks To Your Rules & the Ban List section) as an SRP. In effect, the user is completely free to lock down tight, either any directories, extensions, or files by blocking from simply "READING" which effectively seals away any possibility to access them.

    KEEP IT GROWING :thumb:
     
  24. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    I discovered while experimenting with one of the early versions of EQS that Alcyon's recent rules GREATLY IMPROVE it irregardless that it's the one with the 74Kb driver. And as a bonus, it is XTREMELY FASTER!!! :thumb:

    Then again, it just might be because this test system is running XP Pro with absolutely NO Service Packs whatsoever. And just goes to show that EQS can torque Windows tight as granite even without such an update.
     
  25. Alcyon

    Alcyon Registered Member

    Joined:
    Jan 16, 2008
    Posts:
    438
    Location:
Montréal, Canada
    EQS v3.41 rules

    Hi again, fellow EQS junkies!

    Here's three nice little rules you can place in the application rules section of file protection settings:

    1) Deny Executable and DLL Creation (System32 Folder)

    To use only once all your softwares are installed.

    2) Deny Executable and DLL Creation (Windows Folder)

    Same as #1 but for Windows Folder.

    3) Startup Folders - Deny Malwares Replication (System Drive)

    Malwares placed in Startup Folders (via remote admin tools or others) will not be able to copy themselves into your System Drive.

    Code:
    <EQSysSecureDat Version="2">
        <Rule Type="WatchApp">
            <Rule Data0="*" Type="1" />
            <Rule SubType="65535" IncludeSub="1" Action="65535" Log="65279" Ask="65279" Data0="*" Type="2" />
        </Rule>
        <Rule Type="WatchReg">
            <Rule Data0="*" Type="1" />
            <Rule SubType="7" IncludeSub="1" Action="7" Log="0" Ask="0" Data0="*" Type="2" />
        </Rule>
        <Rule Type="WatchFile">
            <Group Name="Deny Executable and DLL Creation (System32 Folder)" ModeID="1">
                <Rule SearchGlobal="0" SubType="15" IncludeSub="0" Action="0" Log="15" Ask="0" ExcludeDirectory="0" Enabled="0" MD5Check="0" MD5Value="" Desc="Rule #1 : SFC Bypass" Data0="%WinDir%\system32\winlogon.exe?*">
                    <Rule SubType="15" IncludeSub="1" Action="0" Log="15" Ask="0" ExcludeDirectory="0" Enabled="0" MD5Check="0" MD5Value="" Desc="" Data0="*" />
                </Rule>
                <Rule SearchGlobal="0" SubType="0" IncludeSub="0" Action="15" Log="0" Ask="0" ExcludeDirectory="0" Enabled="0" MD5Check="0" MD5Value="" Desc="Rule #2 : SFC Bypass" Data0="%WinDir%\system32\winlogon.exe*">
                    <Rule SubType="13" IncludeSub="1" Action="15" Log="0" Ask="0" ExcludeDirectory="0" Enabled="0" MD5Check="0" MD5Value="" Desc="" Data0="*" />
                </Rule>
                <Rule SearchGlobal="0" SubType="0" IncludeSub="1" Action="15" Log="0" Ask="0" ExcludeDirectory="0" Enabled="0" MD5Check="0" MD5Value="" Desc="Rule #3 (Main) : Use only once all your softwares are installed (Rule #1&amp;2 must be enabled)" Data0="?:\*">
                    <Rule SubType="1" IncludeSub="0" Action="14" Log="1" Ask="0" ExcludeDirectory="1" Enabled="0" MD5Check="0" MD5Value="" Desc="SubRule #1 (Do Not Disable)" Data0="%WinDir%\system32\*.exe" />
                    <Rule SubType="1" IncludeSub="0" Action="14" Log="1" Ask="0" ExcludeDirectory="1" Enabled="0" MD5Check="0" MD5Value="" Desc="SubRule #2 (Do Not Disable)" Data0="%WinDir%\system32\*.dll" />
                </Rule>
            </Group>
            <Group Name="Deny Executable and DLL Creation (Windows Folder)" ModeID="1">
                <Rule SearchGlobal="0" SubType="15" IncludeSub="0" Action="0" Log="15" Ask="0" ExcludeDirectory="0" Enabled="0" MD5Check="0" MD5Value="" Desc="Rule #1 : SFC Bypass" Data0="%WinDir%\system32\winlogon.exe?*">
                    <Rule SubType="15" IncludeSub="1" Action="0" Log="15" Ask="0" ExcludeDirectory="0" Enabled="0" MD5Check="0" MD5Value="" Desc="" Data0="*" />
                </Rule>
                <Rule SearchGlobal="0" SubType="0" IncludeSub="0" Action="15" Log="0" Ask="0" ExcludeDirectory="0" Enabled="0" MD5Check="0" MD5Value="" Desc="Rule #2 : SFC Bypass" Data0="%WinDir%\system32\winlogon.exe*">
                    <Rule SubType="13" IncludeSub="1" Action="15" Log="0" Ask="0" ExcludeDirectory="0" Enabled="0" MD5Check="0" MD5Value="" Desc="" Data0="*" />
                </Rule>
                <Rule SearchGlobal="0" SubType="0" IncludeSub="1" Action="15" Log="0" Ask="0" ExcludeDirectory="0" Enabled="0" MD5Check="0" MD5Value="" Desc="Rule #3 (Main) : Use only once all your softwares are installed (Rule #1&amp;2 must be enabled)" Data0="?:\*">
                    <Rule SubType="1" IncludeSub="0" Action="14" Log="1" Ask="0" ExcludeDirectory="1" Enabled="0" MD5Check="0" MD5Value="" Desc="SubRule #1 (Do Not Disable)" Data0="%WinDir%\*.exe" />
                    <Rule SubType="1" IncludeSub="0" Action="14" Log="1" Ask="0" ExcludeDirectory="1" Enabled="0" MD5Check="0" MD5Value="" Desc="SubRule #2 (Do Not Disable)" Data0="%WinDir%\*.dll" />
                </Rule>
            </Group>
            <Group Name="Startup Folders - Deny Malwares Replication (System Drive)" ModeID="1">
                <Rule SearchGlobal="0" SubType="0" IncludeSub="1" Action="2" Log="0" Ask="13" ExcludeDirectory="0" Enabled="1" MD5Check="0" MD5Value="" Desc="Malwares placed in Startup Folders will not be able to copy themselves into your System Drive" Data0="%SystemDrive%\Documents and Settings\*\Start Menu\Programs\Startup\*.exe">
                    <Rule SubType="1" IncludeSub="1" Action="2" Log="1" Ask="0" ExcludeDirectory="1" Enabled="1" MD5Check="0" MD5Value="" Desc="" Data0="%SystemDrive%\*.exe" />
                </Rule>
            </Group>
            <Rule Data0="*" Type="1" />
            <Rule SubType="15" IncludeSub="1" Action="15" Log="0" Ask="0" Data0="*" Type="2" />
        </Rule>
    </EQSysSecureDat>
    You need to copy/paste the code into a text editor, save as an xml and import in EQS.

    Those 3 simplistic rules will block a good amount of malwares.
     
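Added example (not from the thread and not EQS's own code): a small Python checker that models the Data0 wildcard syntax Alcyon describes in posts #13 and #25, where `?` stands for exactly one character and `*` for any run, and walks a WatchFile group from the posted ruleset to report which sub-rule a given path would fall under. The XML excerpt is a constructed cut-down copy of post #25's ruleset, the `%WinDir%`/`%SystemDrive%` expansions are assumptions, and EQS's real matching engine is not documented in the thread, so only the stated `?`/`*` semantics are modelled.

```python
import re
import xml.etree.ElementTree as ET

# Constructed excerpt in the EQSysSecureDat format from post #25 (one group, three rules).
RULESET_XML = r"""<EQSysSecureDat Version="2">
  <Rule Type="WatchFile">
    <Group Name="Deny Executable and DLL Creation (System32 Folder)" ModeID="1">
      <Rule Desc="Rule #3 (Main)" Data0="?:\*" Enabled="0">
        <Rule Desc="SubRule #1 (Do Not Disable)" Data0="%WinDir%\system32\*.exe" Enabled="0" />
        <Rule Desc="SubRule #2 (Do Not Disable)" Data0="%WinDir%\system32\*.dll" Enabled="0" />
      </Rule>
    </Group>
  </Rule>
</EQSysSecureDat>"""

# Assumed expansions for the environment variables used in the ruleset.
ENV = {"%WinDir%": r"C:\Windows", "%SystemDrive%": "C:"}


def eqs_pattern_to_regex(pattern):
    """Translate an EQS Data0 wildcard into a regex: ? = exactly one character,
    * = any run of characters. Windows paths are case-insensitive, so match that way."""
    for var, value in ENV.items():
        pattern = pattern.replace(var, value)
    parts = []
    for ch in pattern:
        if ch == "?":
            parts.append(".")
        elif ch == "*":
            parts.append(".*")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def matches(pattern, path):
    """True if the whole path matches the EQS wildcard pattern."""
    return eqs_pattern_to_regex(pattern).match(path) is not None


def matching_subrules(xml_text, path):
    """List (parent Desc, sub-rule Desc, enabled) for every WatchFile sub-rule
    whose Data0 matches `path` and whose parent rule's Data0 also matches."""
    root = ET.fromstring(xml_text)
    hits = []
    for parent in root.iterfind("./Rule[@Type='WatchFile']/Group/Rule"):
        if not matches(parent.get("Data0", "*"), path):
            continue
        for sub in parent.findall("Rule"):
            if matches(sub.get("Data0", "*"), path):
                hits.append((parent.get("Desc"), sub.get("Desc"), sub.get("Enabled") == "1"))
    return hits
```

Note that the sub-rules in the constructed excerpt carry `Enabled="0"`, exactly as in post #25, so the checker reports them as matched but disabled until you turn the group on.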