EQSecure 3.41 Settings

Discussion in 'other anti-malware software' started by EASTER, Dec 8, 2007.

Thread Status:
Not open for further replies.
  1. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Just in case.........

    Like hammerman says, unzip the zip file completely after renaming the Alcyon's RuleSet .txt to .zip

    It will show 3 new folders, each will have 3 new files, one for Global Rules, one for Application Rules, and lastly Blacklist Rules for all three protection settings such as Application, Registry, and File protections.

    Let us know how it went.
     
  2. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,156
    I have it working now, thx guys, and I'm impressed with all these new rules added in. Many, many thanks to Alcyon for creating these rules, probably something most of us here wouldn't have been able to achieve.
     
  3. Alcyon

    Alcyon Registered Member

    Joined:
    Jan 16, 2008
    Posts:
    438
    Location:
    Montréal, Canada
    arran, i'm still working on something better. Instead of filling the forum with text files, i'll post a link to a web page next time where you'll be able to download my updated rules.
     
    Last edited: Mar 31, 2008
  4. hammerman

    hammerman Registered Member

    Joined:
    Jul 14, 2007
    Posts:
    283
    Location:
    UK
    Hi Alcyon,

    I have a question on your Registry Global Rules.

    The group 'Lock Internet Explorer Main Settings' includes the following rules at the end of the group.

    *\Software\Microsoft\Internet Explorer\Main
    *\Software\Microsoft\Internet Explorer\Main\*

    Don't these rules prevent the rules in the following group 'Lock Internet Explorer AutoComplete Settings' from being processed?
     
  5. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,156
    Alcyon, if you're still reading this thread you should add the key to your rules to block this delete volume test, https://www.wilderssecurity.com/showthread.php?t=203478

    Also, can someone help me here? I have Antivir on my PC; how would I set it up in EQSecure settings so that EQSecure protects Antivir from being modified or shut down by malware?
     
  6. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Never mind, I already figured it out, I was being stupid. I haven't really played with it yet, but it looks like some nice rules, great job. The problem is that I don't really like EQSecure. And why the heck are they not offering an installer?
     
  7. Alcyon

    Alcyon Registered Member

    Joined:
    Jan 16, 2008
    Posts:
    438
    Location:
    Montréal, Canada
    hammerman, the idea behind that is that if the ie main settings rules are unchecked, the autocomplete settings one will work alone. The registry global rules need a complete revision anyway... i probably forgot something somewhere.

    arran, it's probably a good idea but this leak test is somewhat suspicious as it doesn't include the source code.

    btw, i found an interesting way to monitor folder creations with eqs:
    Code:
    <EQSysSecureDat Version="2">
        <Rule Type="WatchApp">
            <Rule Data0="*" Type="1" />
            <Rule SubType="65535" IncludeSub="1" Action="65535" Log="65279" Ask="65279" Data0="*" Type="2" />
        </Rule>
        <Rule Type="WatchReg">
            <Rule Data0="*" Type="1" />
            <Rule SubType="7" IncludeSub="1" Action="7" Log="0" Ask="0" Data0="*" Type="2" />
        </Rule>
        <Rule Type="WatchFile">
            <Rule Data0="*" Type="1" />
            <Rule SubType="15" IncludeSub="1" Action="15" Log="0" Ask="0" Data0="*" Type="2">
                <Group Name="Windows Root Folder (New Folder)" ModeID="1">
                    <Rule SubType="1" IncludeSub="0" Action="1" Log="0" Ask="12" ExcludeDirectory="1" Enabled="1" MD5Check="0" MD5Value="" Desc="" Data0="%WinDir%\*" />
                    <Rule SubType="1" IncludeSub="0" Action="0" Log="1" Ask="13" ExcludeDirectory="0" Enabled="1" MD5Check="0" MD5Value="" Desc="" Data0="%WinDir%\*" />
                </Group>
            </Rule>
        </Rule>
    </EQSysSecureDat>
    This example is for monitoring folder creation in the Windows root folder. A good idea is to do the same for %SystemDrive% and %WinDir%\system32 as well. This rule must be placed after all Windows folder rules so it'll not cancel them. To test it, you need to copy & paste it in Notepad, save it as an XML and import it in the global rules of file protection settings.

    Edit: making a webpage with only 2-3 lines of text for hosting my new rulesets wasn't a good idea, after all. I'll post a fresh new and more powerful one here soon. The more i play with eqs, the more i find interesting things.
     
    Last edited: Apr 3, 2008
  8. hammerman

    hammerman Registered Member

    Joined:
    Jul 14, 2007
    Posts:
    283
    Location:
    UK
    Thanks for the tip on detecting folder creation. Works a treat. I was wondering how to achieve that.
     
  9. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Thanks for the tips.

    I had already some time ago in 3.41 set folder monitoring with EQS; in fact this directory/file monitoring as well as Registry BlackList is stupidly simple, easily locks down potential trouble areas from penetration permanently enough to not have to be concerned about them ever again.

    Same goes for executables, scripts, and damn near anything else.

    On a little off-note here, i finally found the EQS Sandbox approach beneficial and am looking forward to them dusting away its remaining bugs.

    Now that EQS Task Manager is back up and working thanks to Kuririn, EQS seems fluid as ever. It's still Lite, although i'm beginning to notice just a hair more demand going on with it that obviously has to do with that new feature.

    Looking forward to when they can finally package it up for release with an installer like i read someone else was expecting of them.

    All in all, a very welcome improvement for those who fancy themselves on Classical HIPS of this type without all the other crap that bogs HIPS down like networking junk which i detest; a firewall is a firewall and a HIPS should be a HIPS, of course it doesn't hurt to add a Sandbox in with a HIPS though, from what i've seen of it so far.

    Nice Work Indeed!
     
  10. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    @Alcyon

    Have you considered approaching EQS development, even if thru their representatives here or even translators, to see if they might be encouraged to also add some if not all your Excellent RuleSets either as default or even as an alternative built-in setting for it?

    They have to see how well it's been fashioned and the benefits far outweigh its simple default rules that come with it.

    Regards EASTER
     
  11. Alcyon

    Alcyon Registered Member

    Joined:
    Jan 16, 2008
    Posts:
    438
    Location:
    Montréal, Canada
    EASTER, if they think it's a good idea to include some ideas in their own default rules or else, why not, but i'm not the kind of guy which will approach them. I do that only for the fun of it. I'm not an expert and the latest ruleset i posted is far from being perfect. I'm pretty sure that someone someday will have something better to offer. I'm working on something more decent and will post it soon but it's getting more and more complex everyday. As some people already said, it's better to use this kind of ruleset only as a template for your own personal rules.

    btw, there's probably a way to reduce the amount of popups by approximately 50% without compromising security... I'm not exactly sure yet. I need to do a battery of tests.
     
    Last edited: Apr 6, 2008
  12. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Hello Alcyon

    Well you are the very first to have come forward with what is really most important, and that's working and effectively placed RuleSets for EQS.

    Reason being, a configurable HIPS like EQS with just a 25% to maybe 50% coverage is not going to win many security enthusiasts when they can turn to other products like Prevx or even OA and some others.

    So i think EQS owes some credit to your efforts in that regard.

    How many posts have we read where users say EQS is just too much trouble and costs too much time to build it up to where it needs to be in order for it to really become useful for them?

    Your efforts IMO have drastically replaced disappointment and instead have encouraged users to take another second hard look at EQS, and once they see what's in store in the way of coverages thanks to the rulesets you worked on, suddenly they're not so put off anymore and are willing to try it, and from what i've read so far, thanks to your ruleset, more users have turned to EQS as their HIPS because of that.

    EASTER
     
  13. Alcyon

    Alcyon Registered Member

    Joined:
    Jan 16, 2008
    Posts:
    438
    Location:
    Montréal, Canada
    Here's a quick modification for my ruleset. It's for the new bits hijack leaktest from Comodo:

    https://www.wilderssecurity.com/showthread.php?t=206668

    Code:
    <EQSysSecureDat Version="2">
        <Rule Type="WatchApp">
            <Rule Data0="*" Type="1" />
            <Rule SubType="65535" IncludeSub="1" Action="65535" Log="65279" Ask="65279" Data0="*" Type="2" />
        </Rule>
        <Rule Type="WatchReg">
            <Rule Data0="*" Type="1" />
            <Rule SubType="7" IncludeSub="1" Action="7" Log="0" Ask="0" Data0="*" Type="2" />
        </Rule>
        <Rule Type="WatchFile">
            <Group Name="System" ModeID="1">
                <Rule SearchGlobal="0" SubType="0" IncludeSub="0" Action="15" Log="0" Ask="0" ExcludeDirectory="0" Enabled="1" MD5Check="0" MD5Value="" Desc="Create Date:2008-04-18 16:44:25,Create rules with asking window." Data0="%WinDir%\system32\svchost.exe">
                    <Rule SubType="1" IncludeSub="1" Action="14" Log="1" Ask="13" ExcludeDirectory="0" Enabled="1" MD5Check="0" MD5Value="" Desc="" Data0="%SystemDrive%\Documents and Settings\*\Local Settings\Temp\*" />
                </Rule>
                <Rule SearchGlobal="1" SubType="0" IncludeSub="0" Action="15" Log="0" Ask="0" ExcludeDirectory="0" Enabled="1" MD5Check="0" MD5Value="" Desc="Create Date:2008-03-14 12:08:53,Create rules with asking window." Data0="%WinDir%\system32\winlogon.exe">
                    <Rule SubType="13" IncludeSub="1" Action="15" Log="0" Ask="0" ExcludeDirectory="0" Enabled="1" MD5Check="0" MD5Value="" Desc="Create Date:2008-03-14 12:08:53,Create rules with asking window." Data0="*" />
                </Rule>
            </Group>
            <Rule Data0="*" Type="1" />
            <Rule SubType="15" IncludeSub="1" Action="15" Log="0" Ask="0" Data0="*" Type="2" />
        </Rule>
    </EQSysSecureDat>
    You'll need to delete the group named SYSTEM in the application rules of file protection settings, copy the above code into Notepad, save it as an XML and import it at the same place (file protection settings/application rules)... Just in case, move this group above all the others.

    If everything is done right, you'll have the protected status.
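    Both the folder-creation snippet above in post 7 (which must sit below all the Windows folder groups) and the SYSTEM group swap in this post (delete the same-named group, import the new one, move it to the top) come down to placing a group at the right position inside the WatchFile section of an EQSysSecureDat file. The script below is an added example, not code from this thread or from EQSecure: it uses Python's standard ElementTree to do that merge on a constructed, trimmed ruleset. The sample group names, the `position` parameter and the case-insensitive name match (the post says "SYSTEM" while the XML reads "System") are assumptions; rule semantics (Action/Ask/SubType values) are not interpreted, only placement.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed file-protection ruleset in the EQSysSecureDat
# layout used in the thread. Group names are illustrative only.
EXISTING = """<EQSysSecureDat Version="2">
    <Rule Type="WatchFile">
        <Group Name="Windows Folder" ModeID="1" />
        <Group Name="System" ModeID="1">
            <Rule SubType="0" Action="15" Data0="%WinDir%\\system32\\svchost.exe" />
        </Group>
        <Rule Data0="*" Type="1" />
        <Rule SubType="15" IncludeSub="1" Action="15" Log="0" Ask="0" Data0="*" Type="2" />
    </Rule>
</EQSysSecureDat>"""

# Constructed replacement group, shaped like the svchost/Temp rule in the post.
SNIPPET = """<EQSysSecureDat Version="2">
    <Rule Type="WatchFile">
        <Group Name="SYSTEM" ModeID="1">
            <Rule SubType="0" Action="15" Data0="%WinDir%\\system32\\svchost.exe">
                <Rule SubType="1" Action="14" Log="1" Ask="13"
                      Data0="%SystemDrive%\\Documents and Settings\\*\\Local Settings\\Temp\\*" />
            </Rule>
        </Group>
    </Rule>
</EQSysSecureDat>"""


def watch_section(root, kind):
    """Return the <Rule Type="WatchFile"/"WatchReg"/"WatchApp"> container."""
    sec = root.find(f"./Rule[@Type='{kind}']")
    if sec is None:
        raise ValueError(f"no {kind} section in ruleset")
    return sec


def group_names(xml_text, kind="WatchFile"):
    """Group names in document order; EQS evaluates groups top to bottom."""
    root = ET.fromstring(xml_text)
    return [g.get("Name") for g in watch_section(root, kind).findall("Group")]


def replace_group(existing_xml, snippet_xml, kind="WatchFile", position="top"):
    """Drop any same-named group, then insert the snippet's group first ("top")
    or after the last remaining group ("bottom"), keeping the trailing
    Type="1"/Type="2" default entries at the end of the section."""
    root = ET.fromstring(existing_xml)
    sec = watch_section(root, kind)
    new = watch_section(ET.fromstring(snippet_xml), kind).find("Group")
    name = new.get("Name")
    for old in list(sec.findall("Group")):
        if (old.get("Name") or "").lower() == name.lower():  # assumed: case-insensitive
            sec.remove(old)
    groups = sec.findall("Group")
    if position == "top":
        idx = list(sec).index(groups[0]) if groups else 0
    else:
        idx = list(sec).index(groups[-1]) + 1 if groups else 0
    sec.insert(idx, new)
    return ET.tostring(root, encoding="unicode")
```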
     
  14. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Yep indeed!

    That killed the BITS alright cold.

    Thanks, and even with Beta 4.0 2!
     
  15. Alcyon

    Alcyon Registered Member

    Joined:
    Jan 16, 2008
    Posts:
    438
    Location:
    Montréal, Canada
  16. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    I will. EQS is nothing to be afraid of even with beta rules, i always backup the rules/policy anyway to side on caution.

    Thanks for the time you put into these. They are absolutely Brilliant!!! and a huge help.

    EASTER

    PS: I'm getting either depressed or anxious waiting for xeusis or kurinin to turn out for us either beta 3 or Final, i'm going plum crazy waiting for it. You've taken some of the sting out of this long wait Alcyon, thanks.
     
  17. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    It's 3:30 AM here in the MidWest and i can bet you i'll be testing many of these til daybreak.

    My energy for these things overrides my sleeping pills so no sense trying any more of those, i'll just refresh my Iced Tea glass and put this thru some paces.

    By the way, on the dial-up i use Connect To.... but i don't see the Red Block Prompt coming up anymore like with earlier rules, or the prompt "can't store password" anymore; i like that rule, any idea where i can re-enable that again, perhaps in the RAS settings?

    Thanks EASTER

    PS: Alcyon
    You put a pretty good bite on a lot of sections friend, nice work yet again.
     
    Last edited: Apr 23, 2008
  18. Alcyon

    Alcyon Registered Member

    Joined:
    Jan 16, 2008
    Posts:
    438
    Location:
    Montréal, Canada
    Hard to figure at 4:45 am... About the missing "can't store password" message, that's probably the "lock local policy settings" rules which have changed a bit or something else... I temporarily removed HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets\*... If it continues, i'll fall asleep on the keyboard so we'll continue tonight.
     
  19. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Explain please what these lines are for? I assume they're divided up into separate categories of coverage but.....

    #s02................................................................

    #s03................................................................

    Do these boxes need to be checked to enable the categorised coverages or something else?

    Thanks EASTER
     
  20. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    OK! Alcyon, all is good again with this:

    I also keep forgetting to "REBOOT FIRST!" after making changes such as adding rulesets. (Duh)

    You're doing fine. Hopefully some other EQS users can express their ups or downs with these rules, by the way i once again am using them in 4.02 beta without problem so far.

    EASTER
     
  21. RootAccess

    RootAccess Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    64
    Is there a guide to using HIPS? I am using EQSecure 3.41 with Alcyon's ruleset. The number one problem is that I'm getting popups after popups and I don't know if I should allow or block.
     
  22. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Well RootAccess, we can only hope that if they ever get 4 final complete someone will draw one up for us, because this has been a marathon chore for a seasoned vet like myself and it's consumed a great deal of my time to go over those rulesets one by one and then retest them as to their accuracy or not. This EQS is a Chinese development and their lingo is eons apart from, say, plain English let alone other languages, so the answer to the question is no, there is no Guide as such yet.
     
  23. Alcyon

    Alcyon Registered Member

    Joined:
    Jan 16, 2008
    Posts:
    438
    Location:
    Montréal, Canada
    These are only separators and they don't need to be checked.
     
  24. Alcyon

    Alcyon Registered Member

    Joined:
    Jan 16, 2008
    Posts:
    438
    Location:
    Montréal, Canada
    I'd say that the probability of being infected with such a lame malware is something around 0.0000000001% :)
     
    Last edited: Apr 24, 2008
  25. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    I appreciate Alcyon's hard work.

    However, isn't the importance of Alcyon's ruleset actually a WEAKNESS of EQSecure?

    To be specific... I am reasonably able to configure (for example) SystemSafetyMonitor & Prosecurity on my own. Those classical HIPS work quite well without my having to depend on some third party to configure them for effective protection.

    If EQS is so good with Alcyon's rules, then I assume it is not very good without them. I further assume that all the folks in this thread, who have manifested such gratitude to Alcyon, would be unable to adequately configure EQS without someone else's help.

    If my assumptions are even *partially* correct, then I must regard EQS as an unfinished symphony -- a do-it-yourself kit useful only to geeks, or to those who enjoy having their teacher do their homework for them while they watch TV.

    I await my education as to how terribly wrong I am. (We who are about to die salute you.) :cool:
     