EQSecure 3.41 Settings

Discussion in 'other anti-malware software' started by EASTER, Dec 8, 2007.

Thread Status:
Not open for further replies.
  1. Alcyon

    Alcyon Registered Member

    Joined:
    Jan 16, 2008
    Posts:
    438
    Location:
    Montréal, Canada
    Here's another one:

    eqsecure.v3.41.winxp.rules.v1.38.0114-exp.zip

    What's new:

    - Alternate Data Streams Rules (File Protection)
    - Minor global rules modifications

    http://drop.io/eqsecure

    Code:
    ADS rules for file protection have been changed 
    from "?:\*:*.???" to simply "?:\*:*"
    If it's causing problems, please let me know.
    I'm still working on the ADS rules for application protection...
     
    Last edited: Jan 14, 2009
  2. _kronos_

    _kronos_ Registered Member

    Joined:
    Dec 8, 2008
    Posts:
    126
    Hey guys...
    My configuration now is made from LUA, SRP, EAV 4 beta, System Safety Monitor Pro...
    I simply love EQSecure, more granular than SSM, but it still doesn't work with LUA :'( ...any suggestions on how to use it?
    Maybe there is a way to install it and make it work well with this config... You are the greatest appreciators of this software, maybe there is a solution :D

    Thanks for the attention and sorry for my bad english;)
     
  3. ParadigmShift

    ParadigmShift Registered Member

    Joined:
    Aug 7, 2008
    Posts:
    241
    You could try adding SuRun and give the EQSecure program elevated rights.
     
  4. Alcyon

    Alcyon Registered Member

    Joined:
    Jan 16, 2008
    Posts:
    438
    Location:
    Montréal, Canada
    Only a few understand the extreme importance of hips granularity.
    You're the lucky one ;) Btw, my English is bad too.
     
    Last edited: Jan 15, 2009
  5. _kronos_

    _kronos_ Registered Member

    Joined:
    Dec 8, 2008
    Posts:
    126
    ..so I have to change all my configuration:doubt:
    Otherwise I will think neither to stay with SSM Pro, or better try Netchina (even if too young:cautious:)

    I will not change my LUA + SRP surely...so we'll see:D
    Thanks guys.

    p.s.:Thanks Alcyon, I've used EQS with your rulesets when I used an admin user..thanks for the work that you did/do nowadays...;)

    Regards
     
  6. Murderlove

    Murderlove Registered Member

    Joined:
    Jul 18, 2008
    Posts:
    99
    I am assuming that you know how SuRun works, if you do not, please read about it. Here is what you need to do to get EQS working in a LUA account.

    Install SuRun in your admin account. Then go to your LUA account. Install EQS via SuRun in your LUA account. Problem solved:)
     
  7. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Hi Alcyon

    May I ask why that particular change? Reason being AS-IS seems to be blocking ADS perfectly from the ADS I've experimented with for those rules.

    Is there a gap you've discovered?

    :Thanks:
     
  8. Alcyon

    Alcyon Registered Member

    Joined:
    Jan 16, 2008
    Posts:
    438
    Location:
    Montréal, Canada
    Files can have no extensions. That's why you'll see "?\:*:*" for ADS in the global rules.
    On the other side, adding "?:\*:*" in high-priority rules is too permissive so i had to put "?:\*:*.o_O" (in v1.38.0115).
     
    Last edited: Jan 16, 2009
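
    Added illustration of the pattern change discussed in the post above (not part of the thread and not EQSecure's own matcher): it compares which stream paths the old rule `?:\*:*.???` and the new rule `?:\*:*` cover. It assumes `?` matches exactly one character and `*` matches any run of characters, case-insensitively; the sample paths are constructed.

```python
import re

def rule_to_regex(rule: str) -> re.Pattern:
    """Translate a wildcard rule into a regex.

    ASSUMPTION: '?' is exactly one character and '*' is any run of
    characters (including '\\' and ':'), matched case-insensitively.
    EQSecure's real matching semantics may differ.
    """
    parts = []
    for ch in rule:
        if ch == "?":
            parts.append(".")
        elif ch == "*":
            parts.append(".*")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.IGNORECASE | re.DOTALL)

def matches(rule: str, path: str) -> bool:
    """True when the whole path is covered by the rule."""
    return rule_to_regex(rule).fullmatch(path) is not None

OLD_RULE = r"?:\*:*.???"   # stream name must end in a 3-character extension
NEW_RULE = r"?:\*:*"       # any stream name, with or without an extension

# Constructed sample paths (file:stream notation), not taken from the thread.
SAMPLE_PATHS = [
    r"C:\Docs\notes.txt",                   # ordinary file, no stream
    r"C:\Docs\notes.txt:hidden.exe",        # stream with 3-character extension
    r"C:\Docs\notes.txt:payload",           # stream with no extension
    r"C:\Docs\report.doc:Zone.Identifier",  # stream with a long suffix
    r"D:\data:meta.js",                     # stream with 2-character extension
]

def coverage(rule: str, paths=SAMPLE_PATHS) -> list:
    """Paths the rule would apply to."""
    return [p for p in paths if matches(rule, p)]

def gap(old: str, new: str, paths=SAMPLE_PATHS) -> list:
    """Streams the new rule covers that the old rule missed."""
    return [p for p in paths if matches(new, p) and not matches(old, p)]

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(f"{p:40} old={matches(OLD_RULE, p)!s:5} new={matches(NEW_RULE, p)}")
    print("missed by old rule:", gap(OLD_RULE, NEW_RULE))
```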
  9. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,156
    Hi guys.

    what about a rule which blocks the creation and deletion of folders and all types of files any where on your hard drive?

    Is this possible?

    especially a rule which blocks the deletion of all your EQSecure files inside your
    EQSecure folder in your Program Files. I did this once and after rebooting my pc
    EQSecure was useless. This would be a vulnerability.
     
  10. Alcyon

    Alcyon Registered Member

    Joined:
    Jan 16, 2008
    Posts:
    438
    Location:
    Montréal, Canada
    Arran, EQSecure already protects itself against modification and deletion of its own files. Delete every file one by one, press F5 and see what happens.

    As for rules which block the creation and deletion of folders or files Anywhere on your hard drive, it's something that can be easily done with EQS.
     
  11. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    I see now your Interceptable Technical Logic in that particular regard Alcyon

    So what do you suppose that we can come up with next for another set of IRON rules to keep adding the granite to EQS' stainless steel/iron shielding against even other potential entry exploits.

    BTW, that was a most WONDERFUL! & BRILLIANT! idea to devise a set of ADS rules to include. Excellent idea indeed!

    EASTER
     
  12. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,156

    thx Alcyon I shall have a play with EQS and see if I can get these rules to work.
     
  13. josey

    josey Registered Member

    Joined:
    Jan 18, 2009
    Posts:
    4
    I am new to this, but can I ask a question?
    I started with EQsecure v.3. Worked fine, except that my Kaspersky started freezing my system. In Task Manager, I have 2 instances of avp.EXE running. One under 'admin' (my accnt), other under system. The system one would use 100% of CPU and freeze my poor system. So I uninstalled, and everything came back to normal. Believe me, I didn't mess with any EQsecure settings to cause this. Everything was default.

    This time, I installed Alcyon's rules + v.3.41. I continue to have the problem with avp.EXE under system. It is not using 100% of CPU, but 8-12% always. The performance is seriously affected. Is there anything I can do to continue with EQsecure? I really would love to keep both these softs. Any help is greatly appreciated.
     
    Last edited: Jan 18, 2009
  14. neksus

    neksus Registered Member

    Joined:
    Nov 27, 2008
    Posts:
    54
    You can set kav.exe as trusted in EQS (Application Protection>Settings>Application rules>once there find kav.exe and in the right pane set all of Protection Types under Action to Allow),

    or if that doesn't solve your problem, disable Proactive Defense in KAV, since this feature (with its HIPSy features) is most likely conflicting with EQS.

    But if you're using the newest version of KAV (2009), then maybe nothing will be helpful since there's a deeper conflict present between those two (judging by my own brief test experience).
     
  15. josey

    josey Registered Member

    Joined:
    Jan 18, 2009
    Posts:
    4
    Thanks Nexus! Yes, I am using the new 2009 version of KIS. Anybody else has a similar experience?
     
  16. ParadigmShift

    ParadigmShift Registered Member

    Joined:
    Aug 7, 2008
    Posts:
    241
    Will EQSecure 3.41 run a Limited User Account?
     
  17. josey

    josey Registered Member

    Joined:
    Jan 18, 2009
    Posts:
    4
    I managed to fix it with little help. I mentioned kav.exe in my post instead of avp.exe. My bad.

    I posted a thread in the Kaspersky forums. The advice which I got was to get rid of EQSecure. LOL. Wasn't that helpful I say. If that was what I wanted, I would've already done that.
    I did just that. Alcyon, I am not sure whether you can add that to the rules or not. If yes, it will help people like me.
    Second, under 'Application Filtering' in KIS2009, I moved EQSecure and its service from low restricted to trusted. This seems to have worked. No probs so far.

    I know, most of you might have already known this and didn't need me to tell ya all. But I thought I will come back and post what I did, so it will be helpful to anybody else.
    [edit] Sorry. This seems to have worked only as long as EQSecure is in learning mode. Once learning mode is disabled, AVP is back eating up my CPU. Guess I spoke too soon!
     
    Last edited: Jan 18, 2009
  18. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    ALCYON

    Do you have on hand a rule to stop an ad from starting that's already been created?

    Or which rule in the Blacklist can i add to abort that ad from starting at all, such as RED STRIPING BLOCKED! when i either start it from wherever such as i initiate the ad (.exe) i put on notepad from either a batch file, vbscript, or typing in the command prompt.

    Thanks

    EASTER
     
  19. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Never mind. Got it!

    I used your BlackList Ads creation rule and simply added BLOCK to "reading" in the settings and it stops the ad from activating.

    Cool! It can't run what it can't read, right? Awesome!

    It doesn't stop the command processor from opening/alerting but it definitely refuses to run the .exe ADS i made. RED LINE ALERT! was also enabled to verify the data blocked shows in the details raise up screen.

    Effectively blocks VBS, Batch, and the cmd command start, etc.

    EASTER
     
    Last edited: Jan 19, 2009
  20. ParadigmShift

    ParadigmShift Registered Member

    Joined:
    Aug 7, 2008
    Posts:
    241
    EASTER, will EQSecure 3.41 run ok on a Windows Limited Account?
     
  21. Murderlove

    Murderlove Registered Member

    Joined:
    Jul 18, 2008
    Posts:
    99
    Yes, but you need to install SuRun. Then install EQS via SuRun in your LUA account.
     
  22. ParadigmShift

    ParadigmShift Registered Member

    Joined:
    Aug 7, 2008
    Posts:
    241
    Ok, I can do that. But the real answer is....no it won't.
     
  23. josey

    josey Registered Member

    Joined:
    Jan 18, 2009
    Posts:
    4
    Mike at Kaspersky forums at last gave me a working solution
     
  24. neksus

    neksus Registered Member

    Joined:
    Nov 27, 2008
    Posts:
    54
    Thought you already tried that:

    cause Application Filtering is the main component of Proactive Defense...
     
  25. Alcyon

    Alcyon Registered Member

    Joined:
    Jan 16, 2008
    Posts:
    438
    Location:
    Montréal, Canada
    Thanks for the trick, EASTER :thumb:
    It's MUCH easier than making ADS rules for the application module!
    I'll include "Block Specific Alternate Data Streams (Read)" in my next update :)
     