EQSecure 3.41 Settings

Discussion in 'other anti-malware software' started by EASTER, Dec 8, 2007.

Thread Status:
Not open for further replies.
  1. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,156
    Thx Alcyon, I will give Malware Defender a try. It seems that eventually, when we all go onto Windows 7, we will have to say goodbye to EQS.


    PS Easter, what's your view on Malware Defender?
     
  2. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,156
    Actually, this Malware Defender seems a bit better than EQS: not only is it very light, but it also has network rules and more HIPS features like "Send Message to other Processes". This makes it a stronger HIPS, and it passes 1 or 2 more of my tests which EQS failed on.
     
  3. Alcyon

    Alcyon Registered Member

    Joined:
    Jan 16, 2008
    Posts:
    438
    Location:
    Montréal, Canada
    arran, the most important thing is that you fully understand the HIPS you're using.
    Will a Network module "à la MD" replace a good firewall like OFP or LnS? I really don't think so.
    Is a classical hips better than another? It depends on the person who's using it.
     
    Last edited: May 1, 2009
  4. Alcyon

    Alcyon Registered Member

    Joined:
    Jan 16, 2008
    Posts:
    438
    Location:
    Montréal, Canada
    Here's another major update:

    eqsecure.v3.41.winxp.rules.v1.56.0430-exp.zip

    http://drop.io/eqsecure

    Enjoy,

    Alcyon.
     
  5. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Can some one post a screenshot of ADS creation interception rule?

    Thanks
     
  6. Alcyon

    Alcyon Registered Member

    Joined:
    Jan 16, 2008
    Posts:
    438
    Location:
    Montréal, Canada
    Aigle, you can do it yourself. At the cmd prompt, type "type path1\filename1.exe > path2\filename2.exe:filename1.exe".

    e.g:

    c:\>type c:\windows\system32\calc.exe > c:\windows\notepad.exe:calc.exe
     
    Last edited: May 5, 2009
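    The command above writes a second file into an NTFS alternate data stream (ADS) of notepad.exe, which is exactly what an ADS-creation interception rule is meant to catch. For the defender's side of the same check, here is an added example (not from this thread or from EQSecure) that audits a directory for files carrying non-default streams, so you can confirm after a test like the one above that nothing was left behind. It assumes Windows PowerShell 3.0 or later on an NTFS volume; the audit path is an assumption you replace with your own.

```powershell
# Added example, not part of the original thread: list every file under a
# directory that carries an NTFS alternate data stream other than the normal
# ':$DATA' content stream. Assumes PowerShell 3.0+ (for -File and -Stream).

function Get-HiddenStreams {
    param(
        [Parameter(Mandatory)] [string] $Root,   # directory to audit
        [switch] $Recurse                        # descend into subdirectories
    )

    Get-ChildItem -LiteralPath $Root -File -Recurse:$Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # Get-Item -Stream * returns one object per stream on the file;
            # the file's ordinary content is the stream named ':$DATA'.
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    [pscustomobject]@{
                        File   = $file.FullName
                        Stream = $_.Stream
                        Length = $_.Length
                    }
                }
        }
}

# Assumed audit target: the folder the test command above wrote into.
Get-HiddenStreams -Root 'C:\Windows' | Format-Table -AutoSize
```

    Expect some benign hits: files downloaded by a browser usually carry a small Zone.Identifier stream, which is how Windows remembers that they came from the Internet. A stream whose Length is in the tens or hundreds of kilobytes on an executable, as in the calc.exe example above, is the case worth investigating; it can be removed with Remove-Item -LiteralPath <file> -Stream <name> once you have confirmed it is unwanted.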
  7. Alcyon

    Alcyon Registered Member

    Joined:
    Jan 16, 2008
    Posts:
    438
    Location:
    Montréal, Canada
    Here's a new ruleset:

    eqsecure.v3.41.winxp.rules.v1.58.0505-exp.zip

    http://drop.io/eqsecure

    I hope you guys will like it :)

    I guess the only remaining thing to do is to correctly translate v3.41.
    English isn't my native language so I prefer to leave this task to someone else.
     
  8. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Thanks Alcyon.
     
  9. subset

    subset Registered Member

    Joined:
    Nov 17, 2007
    Posts:
    825
    Location:
    Austria
    Hi,

    eqsecure.com is now redirected to 3dsafe.cn.
    From there you can access the EQS forums again.

    Cheers
     
  10. Nizarawi

    Nizarawi Registered Member

    Joined:
    May 26, 2008
    Posts:
    137
    Alcyon and Easter :rolleyes:
    I have a mini problem.

    In EQSecure 4 beta 3 and 4.1, in protection mode there are many types of protection not activated, like loading DLL, call remote COM, reviewing other process and deep level disk.

    If you have any solution to activate these functions
    I will be very happy, and thanks.
     
  11. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    3,344
    Location:
    Europe, UE citizen
    Someone said to me that EqSecure doesn't work fully at the kernel level, but partially at the user level... Can you clarify it?
     
  12. Alcyon

    Alcyon Registered Member

    Joined:
    Jan 16, 2008
    Posts:
    438
    Location:
    Montréal, Canada
    If there's a symbiosis with the user, it can work beautifully! In the same way, it's a... (or was, in my case ;) ) a wonderful learning tool.

    If I remember correctly, it's under Custom Configuration/General.
    Just a little warning: v4.1 is very unstable.
     
  13. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    3,344
    Location:
    Europe, UE citizen
    The problem is not the user's abilities: if part of EqSecure works higher than the kernel level, it's easier for a specific malware to bypass it.
     
  14. Alcyon

    Alcyon Registered Member

    Joined:
    Jan 16, 2008
    Posts:
    438
    Location:
    Montréal, Canada
    EQS provides all the tools to block a good amount of malware. You can stop malware execution and creation, make rules based on specific or general "patterns", and efficiently use all the provided layers of protection to prevent infection. Maybe you could change your mind by taking a deeper look at it! In the end, everything depends on you.
     
    Last edited: May 12, 2009
  15. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    3,344
    Location:
    Europe, UE citizen
    Ya, Alcyon, I know it, I used EqSecure last year. But nobody has answered my question.
     
  16. Alcyon

    Alcyon Registered Member

    Joined:
    Jan 16, 2008
    Posts:
    438
    Location:
    Montréal, Canada
    I thought I answered your question! Aren't create, read, modify, execute, etc., etc. already at a low enough level?
     
    Last edited: May 13, 2009
  17. ParadigmShift

    ParadigmShift Registered Member

    Joined:
    Aug 7, 2008
    Posts:
    241
    Why does your ruleset interfere with Windows activation? I am prompted to activate Windows.
     
  18. Alcyon

    Alcyon Registered Member

    Joined:
    Jan 16, 2008
    Posts:
    438
    Location:
    Montréal, Canada
    This probably has something to do with wgatray.exe. Maybe the latest ruleset will resolve the issue. I suggest you give it a test drive. I've also rewritten the registry rules almost from scratch. Theoretically, it should now be faster... but will v3.41 be able to handle it? It remains to be seen. You know, trying to make something perfect isn't an easy task, especially when you're alone working on a project and nobody is willing to help.

    I need to know what XP edition you're using (home, student, pro, ...), what's the service pack, your EQS version, your OS language and I need to have a look at your eqsecure logs because the answer is there. For the logs, you can make a temporary drop (drop.io) and send me the link via PM. I only need the blocked operations.
     
    Last edited: May 24, 2009
  19. trismegistos

    trismegistos Registered Member

    Joined:
    Jan 29, 2009
    Posts:
    363
    EQSecure 4.1 can block "Send Message to other process", in EQSecure case it is called "Process Message".

    Just tested it a while ago with ZABypass.

    Tested it with Comodo Leaktests and it scored 310/340, with the infamous active desktop reported as vulnerable when it should be stated as protected. Tested it again but with secure-it as untrusted user, scored 340/340. With EQSecure 3.41, it failed on invasion rawdisk while V4.1 was protected, but the former also gave a perfect score when the leaktests were performed under an untrusted user.
     
  20. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    @Alcyon

    Alcyon, I combed all my many units and came up with quite an array of your rulesets going all the way back to when you first started them. Just wanted to let you know that, and if you still need them please let me know, because I've been weeks packing and moving and everything is boxed up right now, but at least I preserved those rulesets if you still want them.

    I hope to get settled in within a month; I just have to finish appraisals, inspections, insurance, taxes and finally closing the whole deal so I can finally re-set up my collections in a great deal more space than ever before.

    In the meantime keep 'em going strong, and thanks for making EQS again the very best HIPS I ever had the privilege to be part of, chiefly thanks to your excellent rulesets, which turned everything on its head in the way of protections for that particular app.

    EASTER :cool:
     
  21. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,156
    It is good that this feature has been added to version 4.1; I might give 4.1 a try. Personally I think it is important that such a feature, which prevents programs from communicating with other programs, be added to all HIPS programs. It plays an important role in controlling the behavior of running programs.

    And EASTER, good to see you again.
     
  22. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Thanks. Good to see you again too. LoL

    So if 4.1 is showing instability problems have you tried the 4.2 english version another member brought to my attention lately?

    EASTER
     
  23. trismegistos

    trismegistos Registered Member

    Joined:
    Jan 29, 2009
    Posts:
    363
    I'm a long time user of EQSecure 3.41 with Alcyon's ruleset. Just tried using 4.1 for a few days now and will be testing this version for a while.

    Under learning mode and normal mode with "remember this action" ticked, V4.1 felt a little sluggish. Other than that, it is like 3.41 in terms of speed even with Alcyon's top-heavy ruleset.

    Thanks Alcyon for your wonderful effort, which gives many of us adequate protection using your wonderful ruleset.
    Thanks also to Easter, this thread is a big help.

    The method I used was to run Universal Extractor on the 4.1 setup executable to extract the exe, dll, driver files, etc. (EQService.exe, EQSysSecure.exe, dll files like EQShellUI.dll and EQCommUI.dll, and the 115 KB driver EQSysSecure.sys) into the original 3.41 "EQSysSecure" folder, replacing the 3.41 files, rather than doing a full re-install. And I used the en.zip from here... https://www.wilderssecurity.com/showpost.php?p=1464287&postcount=56

    I have an ISR/virtualizer, so system and application instabilities, file corruptions, or malware getting a foothold if it did successfully bypass the firewall/EQSecure defenses will not give me any more headaches or worries. I made imaging backups just in case I want to restore back to the ever reliable V3.41.

    EDIT: One instability noted: when, under EQSecure's own task manager, I select a process, right-click to select "properties", then click "verify" to try to check its hash, the application will hang. So I have to do a hard reset (importance of virtualizers or ISRs). Anyway, I don't really need this feature in EQSecure V4, for I have another reliable hash verifier.

    EDIT: I tried V4 beta 3 and likewise did the above procedure. Same result: application hang. Hope Easter can verify this instability problem of version 4. Barring that, I think I will stay with 4.1.

    EDIT: The instability happens due to incompatibilities with concurrently running security processes in my set-up. When I terminated the other running processes, the instability from the example above didn't occur.

    EDIT: My suggestion to those few or future V4.1 users is to leave the default "ignore" unchanged for the following protection settings:
    1) read process virtual memory
    2) system device control (?)
    I have experienced some EQSecure application crashes (DEP memory violations) when these settings are changed to "ask to block".

    Good features of this V4.1 which are deficient in V3.41, include:
    -Low-level Disk Read
    -Remote COM Calls or OLE automation or inter process communication mechanism through COM interfaces or DDE(Direct Data Exchange)
    -Message Process or Send Message or DDE
     
    Last edited: Jun 19, 2009
  24. Alcyon

    Alcyon Registered Member

    Joined:
    Jan 16, 2008
    Posts:
    438
    Location:
    Montréal, Canada
    EQSecure v4.2

    Hi everyone.

    I've installed EQS v4.2 some minutes ago and again, these Chinese weirdos are laughing at us. You can't configure the application, registry and file protection modules to your liking anymore. Same story for the sandbox, and the English translation is extremely miserable. I thought that a HIPS you had to program in reverse (à la Malware Defender) was the paroxysm of stupidity, but this EQS version is definitely very hard to beat:
     

    Attached Files: eqs.png (42.1 KB)
    Last edited: Jun 24, 2009
  25. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    @Alcyon I tried this version also :) Didn't like it either, because I love to configure HIPS a lot :), but there is one thing: some people would rather not be bothered by a bunch of pop-ups, and this version can be set as a default-deny application. Just run it in learning mode, reboot, and then put it in ignore mode, and there you go: it denies all newly introduced dangerous files.
     