EQSecure 3.4 released + non-official language file

Discussion in 'other anti-malware software' started by solcroft, Aug 1, 2007.

Thread Status:
Not open for further replies.
  1. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Why don't you apply the advanced rules of ThreatFire for registry and file protection? ThreatFire knows the system-related processes and the trusted ones. Also, the limitation of ThreatFire having no wildcards for the registry will cut it down to a practicable scope (e.g. of Toni Klein).


    Regards Kees
     
  2. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Very Impressive Indeed!!!

    As much as I always depended heavily on SSM and have experienced no ill reservations about its effectiveness, I find myself gradually migrating ALL my snapshots and/or hard drives over to this EQSecure 3.4 HIPS. With a little time spent tightening its configuration rules, I find it formidable enough to warrant this switch-over.
     
  3. Gen

    Gen Registered Member

    Joined:
    Jan 9, 2007
    Posts:
    73
    Easter, do you use the Locked Mode? I can't find a good use for it yet.
     
  4. mike21

    mike21 Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    416
    I tried it too today and I must say that I am impressed too ATM.

    One question: if the default browser is loaded, then any application can launch a new browser window/tab. If the browser is not loaded then it's OK, I am always asked first. How can I overcome this?
     
  5. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Rule making is not easy I think, but really I never tried; I will play some day.
     
  6. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    In System Safety Monitor there's a setting to "keep this process in memory" whereas IF something was to terminate, say your firewall, SSM would auto-restart it again infinitely many times as long as it's running.

    Is there a similar setting in EQSecure?
     
  7. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    In the how to setup custom rules post there is also a text file with all the reg entries.

    Regards K
     
  8. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    I'm really sucked in to this HIPS without reservation. I've tested it and slammed it in an attempt to neutralize its built-in capabilities and it returns some very promising results, enough that I've begun to migrate to it from SSM.
    Some are going to think me silly or naive, but I also prefer a GUI that has attractiveness as well as efficiency. EQ offers both so far. What bothers me is that just when we get settled into a HIPS we really find satisfactory, which we can depend on, they usually make changes that raise eyebrows or complaints. I really do hope that they don't follow suit in that manner.
     
  9. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Protection against physical memory access / direct memory access doesn't seem to work, no pop-ups.
    Can anyone confirm?
     
    Last edited: Sep 23, 2007
  10. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Aigle,

    It worked on 3.3, so it would be strange if 3.4 had this fault.

    Regards Kees
     
  11. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    I still have BOTH. Is there any real truth/proof to this about 3.4?
     
  12. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Easter,

    Ask Aigle how he tested it; with DEP enabled for all programs I should not worry much.

    Regards K
     
  13. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    I have some files (non-malware) which, when I run them, NG and AD give me a balloon alert about direct memory access, but no such warning from EQS!

    Just try this: open Notepad, write anything in it (a few haphazard letters), save it as .exe and run it. It will launch ntvdm.exe and you will see a direct memory access alert about ntvdm.exe from your HIPS.
    Or try the file I am uploading, rename it to .exe. It's a harmless file.

    I saw it working in nicM's tests about SSDT unhookers that it was working with 3.4. Maybe I am missing something. Unfortunately I have no such malware that accesses physical memory, so I can't test with a malware file.
     

    Attached Files:

    Last edited: Sep 23, 2007
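Why a renamed text file ends up running inside ntvdm.exe, as an added example that is not from the thread or from EQSecure: on 32-bit XP the loader only starts a file natively when it carries a valid PE signature; a file with an MZ header but no PE signature is treated as a DOS program, an NE signature means a Win16 program (both hosted by ntvdm.exe, Win16 via wowexec), and a file with no MZ header at all is still handed to NTVDM as a raw DOS image. The classifier below triages a file's header the same way; the sample headers are constructed here, not real binaries.

```python
import struct

def classify_image(data: bytes) -> str:
    """Return 'pe', 'win16', 'dos' or 'not-executable' for raw file bytes."""
    if len(data) < 2 or data[:2] != b"MZ":
        return "not-executable"          # no DOS header at all (e.g. plain text)
    if len(data) < 0x40:
        return "dos"                     # MZ stub too short to hold e_lfanew
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]   # offset of new header
    sig = data[e_lfanew:e_lfanew + 4]
    if sig == b"PE\0\0":
        return "pe"                      # valid Win32 image, runs natively
    if sig[:2] == b"NE":
        return "win16"                   # 16-bit Windows app, hosted by WOW/NTVDM
    return "dos"                         # MZ header but no new-style signature

def expected_host(kind: str) -> str:
    """Which process a HIPS should expect to see launched for this image kind."""
    return "native" if kind == "pe" else "ntvdm.exe"

# Constructed sample headers (assumption: only the bytes the classifier inspects)
DOS_STUB = b"MZ" + bytes(0x3A)                          # 0x3C bytes of DOS header
SAMPLE_TEXT = b"asdfgh qwerty\r\n"                       # Notepad text saved as .exe
SAMPLE_DOS = DOS_STUB + struct.pack("<I", 0)             # e_lfanew points back at MZ
SAMPLE_PE = DOS_STUB + struct.pack("<I", 0x40) + b"PE\0\0" + bytes(20)
SAMPLE_WIN16 = DOS_STUB + struct.pack("<I", 0x40) + b"NE" + bytes(10)

def classify_file(path: str) -> str:
    """Classify an on-disk .exe by reading only its header bytes."""
    with open(path, "rb") as f:
        return classify_image(f.read(4096))

if __name__ == "__main__":
    for name, blob in [("text.exe", SAMPLE_TEXT), ("dos.exe", SAMPLE_DOS),
                       ("win32.exe", SAMPLE_PE), ("win16.exe", SAMPLE_WIN16)]:
        kind = classify_image(blob)
        print(f"{name}: {kind} -> expect {expected_host(kind)}")
```

A HIPS rule for ntvdm.exe therefore covers every non-PE .exe a user double-clicks, which is why an automatically created allow rule for it (as discussed below) is broader than it looks.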
  14. Nubiatech

    Nubiatech Registered Member

    Joined:
    Aug 19, 2007
    Posts:
    50
    Location:
    IL, USA
    Interesting, just tried this.
    EqSecure 3.4 popped up an informational alert stating that action has been allowed and a rule is automatically created for ntvdm.exe to be executed by explorer.exe.
    How safe is this? Should the rule be removed? Given that ntvdm provides virtual memory for 16-bit apps, are there any known threats or exploits against ntvdm, wowexec, and 16-bit user mode environments?
    Is buffer overflow protection planned for EqSecure 3.5?
     
  15. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    The reason for this ntvdm.exe fiasco is because EQSecure automatically creates rules for applications digitally signed by Microsoft. Turn off that option, delete the corresponding automatically created rules, and see if you still get no pop-ups.
     
  16. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    I have no rules for ntvdm.exe and this is the only alert I get.
     

    Attached Files:

  17. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    If I run the XP Killer trojan, after allowing its execution, EQS remains blind and XP Killer deletes three services: Windows Update, System Restore and the firewall. Too bad. No pop-up from EQS at all. NG stops it dead.
    Can anyone let the developer know about it?

    Thanks

    No more posts from me for many weeks now, back to no internet!:oops:
     
  18. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    All I can say about this is that perhaps it's part of EQSecure's internal built-in ruleset. For instance, it doesn't raise alarms when programs install global hooks using shell32.dll or browseui.dll. But I can affirm that EQSecure does block direct physical memory access, as I've seen it do so many times before.

    Regarding the inability to prevent service deletion, I've raised the issue before, when I noticed that DSA blocks this behavior and EQSecure couldn't. Since the developers have yet to respond, I can only guess that perhaps they don't consider it to be an issue. :rolleyes:
     
  19. Kaupp

    Kaupp Registered Member

    Joined:
    May 17, 2005
    Posts:
    59
  20. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    3,351
    Location:
    Europe, UE citizen
    Hi, I'm trying EqSecure 3.41, in normal mode: no problem, only one thing that I'm not sure I understand. EqSecure detects all the applications on my system except KIS 7.0: after installing EqSecure, every application that I run for the first time is correctly detected by it, but NOT KIS. Also if I run the KIS scan, EqSecure sleeps. It sees KIS only when KIS is scanning an incoming email attachment or is warning me about a malware in web pages. But when I run A-Squared for the first time, for example, only to open it, EqSecure immediately detects it.

    What about this? I have some ideas, but I would like to know your opinions.
     
  21. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
  22. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    I think the difference between different HIPS may be that different HIPS intercept physical memory access differently. Some HIPS might block write access to direct memory but allow reads; others may block both read and write.

    Just a wild guess!
     