EQSecure 3.41 Settings

Hi Kees 1958, I've decided to try EQS again and will certainly look over your filters

edit : okay great, and thanks for saving me some time.

 

What a Champ!

Thank You sincerely Kees for sharing these. EQS is one superb HIPS in the making and i'm anxiously awaiting the next version which i hope will jump by leap and bounds beyond it's already great file/registry protections/rules.

It's a chore for me to fine tune it to exacting standards i want, but very well worth all the effort and testings.

 

Kees1958 can you share your other settings too?

 

Mike,

I have put together a user friendy combo of two classical HIPS on XP.

I use EQS as a second catch safety net.
- file protection (more focussed than standard), see post https://www.wilderssecurity.com/showpost.php?p=1162455&postcount=25
- registry protection (more tight than standard), see post https://www.wilderssecurity.com/showpost.php?p=1162446&postcount=24
- application protection see post https://www.wilderssecurity.com/showpost.php?p=1163738&postcount=9

Now why the on earth would I set the application protection so wide open?
BECAUSE I USE A MORE USER FRIENDLY APPLICATiION: Online Armor FREE

Down load OA Free, I have even set the warn when unknowd programs start to OFF (this makes OA an IDS-like behavior blocker in stead of Anti Executable). OA will take care of the thing you set wide open with EQS application protection.

What next? = WHEN YOU UNSELECT THE WARN WHEN UNKOWN PROGRAM RUNS
Set all your internet facing aps (Outlook Express, Lime Wire, Messenger, Opera = much faster than IE) to run as limited user = RUN SAFER OPTION.

The good thing is that downloaded files inherite this limited user rights, so in fact it acts like a policy sandbox (comparable with GeSWall and DefenseWall).

Conclusion
With only two HIPS you have got a user friendly HIPS like protection combined with a 'soft' policy sandbox.

So for all you people having trouble with application filters of EQS, COMBINE IT WITH Online Armor.

NOTE: Only set this application filter so wide open when you use it in combination with OA!

Regards Kees

 

Thank you Kees for these settings . I have just set it up beside OA AV+. It is working like a charm. I dont run antivirus program at all at the moment.

 

Well thats an interesting enough setup, and so that does it. I've switched boxes tonight and am i'm going to do it.

One little thing i like to ask though, and it might been me because i didn't have some OA (free) settings right, but i noticed the last time i combo OA with EQS, i had to click on the EQS prompts at least 3 times before it finally got the message.

Has anyone experienced this with other HIP type apps when using with EQS? It's was so much a bother for me that i uninstalled OA and then the prompts of EQS responded as expected with just one single click when applying Accept or Deny.

Regards EASTER

 

Probably ur observation is not correct. I noticed that EQS give memory modification popups three times but not others( they appear only once). May be same with Create remote Thread also... but i do not remember well.

 

Ok Thanks. At least there is some confirmation on that occurance besides my own results.

 

Re: EQSecure 3.41 Settings REGISTRY PROTECTION

Maybe missing S? OFTWARE?

"HKEY_LOCAL_MACHINE\OFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced"

EDIT1: Some more...

Missing \? HKEY_LOCAL_MACHINESYSTEM?

"HKEY_LOCAL_MACHINESYSTEM\ControlSet*\Control\Session Manager\Environment"
"HKEY_LOCAL_MACHINESYSTEM\ControlSet*\Control\Session Manager\Environment"
"HKEY_LOCAL_MACHINESYSTEM\ControlSet*\Control\Session Manager"
"HKEY_LOCAL_MACHINESYSTEM\ControlSet*\Control\WOW"
"HKEY_LOCAL_MACHINESYSTEM\ControlSet*\Control\WOW"

EDIT2: I'm trying to add those file and registry filters to Tiny Watcher. Sadly I have to check all registrys because TW needs full paths. My own investigations (file filter):

C:\ntldr
C:\autoexec.bat
[C:\autorun.inf] <- replace C: with your CD/DVD drive letter. mine is disabled.
C:\boot.ini
C:\config.sys
C:\ntdetect.com
%WinDir%\explorer.exe
%WinDir%\system.ini
%WinDir%\win.ini
[%WinDir%\winint.ini] <- I don't have this file in my WIN (XP PRO SP3 RC) folder.
%WinDir%\System32\AUTOEXEC.nt
%WinDir%\System32\bootvrfy.exe
%WinDir%\System32\CONFIG.nt
[%WinDir%\System32\control.ini] <- I found this on %WinDir%.
%WinDir%\System32\svchost.exe
[%WinDir%\System32\wuaudit.exe] <- I don't have this file in my WIN (XP PRO SP3 RC) folder.
%WinDir%\System32\wupdmgr.exe
%WinDir%\System32\smss.exe
%WinDir%\System32\csrss.exe
%WinDir%\System32\winlogon.exe
%WinDir%\System32\services.exe
%WinDir%\System32\lsass.exe
%WinDir%\System32\spoolsv.exe

Most of those are OK!

 

Mike,

You deserve a statue. I will correct the filters. All your registry assumptions are right. Now on a different PC.

[%WinDir%\winint.ini] <- I don't have this file in my WIN (XP PRO SP3 RC) folder. SHOULD BE \wininit.ini

I will change this to: [%WinDir%\System32\control.ini] <- I found this on %WinDir%.

[%WinDir%\System32\wuaudit.exe] <- I don't have this file in my WIN (XP PRO SP3 RC) folder Be thankfull, it is a safety measure of one of my tests, forget it, will remove it, should be wuauclt.exe
Thx

 

Hi Kees,
Could you post the corrected registry filters?
Many Thanks

 

Sorry guys,

thx to mike nas update filters

Kees

 

Thanks Mike & Kees. Very much appreciated!

 

Hi all,

Consider this combo EQS + PCTOOLS FW

Set EQS application protection to View attachment 197497 ,

Enable protection against code injection: of PCToolsFW+. Having this enabled will automatically prevent any code injection/hook setting (this PCTOOLS FW setting correspondenses with EQS "Modify memory of other process" and "Install global hook").

Now you have the serious intrusions covered by EQS and the ones happeing often in XP covered by PCT_FW+. Another nice extra is the OLE protection PCT_FW+ offers (in fact teh only thing EQS scored less than D+ of Comodo). When you regret a choice within PCT_FW+ just click pn applications (of the status tab) and delete the rule for the ap with the X. PCT_FW+ does not offer granularity between memory mods and hooks (is the first radio choice within applications).

I am using it for a week now and really starting to like it (also differences pop-ups difference = error severity difference between PCTFW+ and EQS)

 

I noticed that MANY default EQSecure settings of v3.41 are incorrect.

In the Global Rules of application protection settings, the group "IE Cache Directory" contains:

It should be:

as the TIF folder can be moved.

Also, in the Global Rules of registry protection settings, the group "Load automatically on windows startup" contains:

Even if the Include subkeys option is activated, it'll not work. To make it work, you should instead use:

+ Include Subkeys for all (to be even more specific and have less "false-positives", you can use "Script" - without quotes - as the registry value)

Or simply:

Depending on your strategy. What is important is the "\*" at the end of the path. "...\System\Scripts\Startup" alone will not monitor the subkeys even if the Include subkeys option is enabled and you'll be as vulnerable as before.

------

In the registry protection settings section, all paths are set with the "include subkeys" option activated (something useless with many registry keys/values).

------

Just to name a few. The list goes on and on...

 

Very good. And thanks as always. Adding just the right balance to EQS configurations can prove vital so was nice to see mention of this.

Would you also repost RULES again with added corrections when possible?

Thanks Everyone!!

 

I'm still working on something a little bit better than the default settings but it's far from being ready:

File Protection Settings: http://img87.imageshack.us/img87/5341/eqsecurefpstb0.jpg
Registry Protection Settings: http://img503.imageshack.us/img503/8236/eqsecurerpshc8.jpg

Once done, I'll post the xmls just for the fun of it.

 

THANKS Alcyon

This will be helpful for many users of EQS. We appreciate your taking particular note of individual settings/results and bringing them to our attention.

Regards EASTER

 

PFFFFFFFFF registry protection looks impressive

 

Easter,

Here it is View attachment Load automatically on windows startup.txt fixed errors found by Alcyon

 

Thanks a ton Kees1958 for the assistance. What makes EQS so crazy exciting is that it's incredibly CUSTOMIZABLE! Meaning we can just about cover as many important areas that it's been designed to alert on up to this latest release, and given the wide range and pure numbers of vital points of concern microsoft is laid open in XP, this HIPS is been a huge help in filling in those gaps.

 

Some other registry settings you can add to prevent malwares damages:

- Block User Accounts Alteration
- Block All policy Settings Alteration

Just replace the .txt extension with .xml and import.

Rules order is important so those global rules must be placed before all the ones with a similar registry path.

Tested with Windows XP Pro SP2 Only.

 

Another nice one again, Kool!

This is IMHO what makes this HIPS so very formidable, it's XTREMELY configurable from user's end.

I want to test these and the other rules but too excited right now

 

NOD32 v.3, Commodo v.3 and EQSecure.
EQS fails on this test:
https://www.wilderssecurity.com/showthread.php?t=194715&highlight=system shutdown simulator

 

That shutdown simulator is up for grabs IMO so doesn't really present much serious concern for me anyway. I suppose one could invent all sorts of underpinnings to show a potential vulnerability but the chances of actually experiencing it are remote at best, especially when most users are Layered anyway.

But thanks for pointing it out.

EASTER