EQS users- impressions/ suggestions/ bugs

Discussion in 'other anti-malware software' started by aigle, Oct 9, 2007.

Thread Status:
Not open for further replies.
  1. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    I have been using EQS for many months and I have found it a really strong defence against malware. It's a very nice free HIPS with a lot of features, having execution protection, registry defence and file defence.

    I am posting this thread to share my experiences with EQS. I tried many times to post on their forums but failed. I hope some user from Wilders can mention this thread to them, so it seems to be a good way to convey my message to the developers. Also I wanted to share my observations with other EQS users on this forum. Some of these things I have already discussed in other threads, but they need to be repeated here.

    First, the bugs/failures I noticed.

    1- I noticed that when the MD5 value of an application/exe changes, EQS gives a popup about this, but when I answer it with the "Allow with remember this" option, EQS does not remember the new rule; it still gives me a popup about the MD5 value changing whenever I launch this application. It will continue like this until I reboot or shut down and restart EQS. It seems to be a bug.

    2- I have set Execution of any executable to "Prompt and block", but I noticed that if the MD5 value of an executable is changed, this executable is shown as "Prompt and allow" in the popup. It's a serious bug.
    Any changed executable must be "Prompt and block" like any new executable.

    3- When I get a popup alert from EQS, if at that time, instead of replying to the popup, I right-click its tray icon and choose Exit, EQS crashes and I get the message about it.

    4- EQS is supposed to protect against direct memory access, but I am confused that this feature in EQS is not working the same as in some other HIPS. I tried it with some executables that were blocked from direct memory access by other HIPS (Neoava Guard and AppDefend), but no alerts about direct memory access from EQS. See the picture showing alerts about ntvm.exe blocked from direct memory access by NeoavaGuard and AppDefend but no warning from EQS. However, with sdtrestore.exe (POC for direct memory access) I do get a warning from EQS like other HIPS. I am not sure; maybe these HIPS implement this protection differently. I guess that NG and AD are intercepting both physical memory read and write, while EQS is intercepting only physical memory write (just my guess). It has been discussed here as well.

    https://www.wilderssecurity.com/showthread.php?t=181576&page=4

    5- I used Scoundrel Simulator against EQS registry protection. It failed to block two things (no popup from EQS):

    - disabling internet options
    - disabling Regedit

    6- There is malware that disables Regedit and Task Manager (coolpics worm/Sohand IM messenger worm). I tried EQS against this worm and EQS failed to protect Regedit and Task Manager.
    Similarly, its Registry protection module failed to stop malware from disabling Folder Options (like the Brontok worm).

    7- Trojan KillXP is able to delete three system services if allowed to execute. EQS gives no warning at all. The XP killer trojan deletes the System Restore, Windows Firewall and Windows Update services. Deletion of services must be detected by EQS.

    8- Two software discussed in this thread

    http://forums.comodo.com/cfp_beta_c...by_cfp_defense_add_two_new_ones-t12141.0.html

    (f**k.exe and restartsystem.exe) are able to shut down the system, and no warnings from EQS at all. A clear-cut failure of EQS. :(

    9- I experienced two problems while trying EQSecure against the Brontok worm. Firstly, I noted that the Brontok worm is able to shut down the system, thus bypassing EQSecure's system shutdown protection. Here is how you can reproduce it. Disable file protection of EQS. Run the Brontok worm, allow its execution and all other actions like modifying its copies etc. except any attempt to shut down the system. It makes a copy of itself named "winlogon.exe" and this winlogon.exe tries to shut down the system. After a minute or so, you will get a prompt from EQS that winlogon.exe (a copy of the worm, not the legit winlogon.exe) wants to shut down the system; block this action and wait for a few minutes. You will get prompts about csrss.exe terminating some running processes. Now whatever you answer to these popups (allow or block), your system will reboot in a minute or so. EQS can't stop it (even if you don't use the default rule set of EQS for csrss.exe). It seems to be a bug.

    Secondly, I noticed that Dynamic Security Agent (and GesWall) gave me a warning about (probably file creation/modification by inetinfo.exe, a copy of the worm) C\Windows\system32\drivers\etc\hosts-Denied By-Shahbaz.com. I don't get any such warning from EQS although I have set a file protection rule for .com files in EQS. Seems a failure unless I am not understanding this correctly. I am not sure.

    10- A slight slowdown impact on the system while launching applications. A slight slowdown is a must with any such application, but I think it was a little more with EQS as compared to other HIPS. Just my subjective feeling and it may be wrong. But if other users feel the same, then it might need to be addressed.


    Feature requests/ suggestions:

    1- Every time an executable modifies the memory of another process, I get the memory modification popup almost four times. I think a single popup for this alert might be more appropriate, as some other HIPS give a single popup.

    2- The icon colour must change in Locked Mode (so that you can know just by the tray icon that the system is locked down). Also there should be a hot key to start Locked Mode.

    3- A hot key to bring up the main GUI, instead of launching it from tray icon.

    4- An option to get watch messages only in case of blocked events (not for allowed events).

    5- It will be nice for registry protection warnings to be more descriptive, like saying "IE home page change", "New start up entry", "New IE add-on" etc. rather than just showing "Modify Registry content".

    6- Detection of the behaviour of an executable making an exact copy of itself (Application Protect).

    7- Detection of the behaviour of deleting many files in a short time, overwriting executables etc. (Application Protect).

    8- An option to enable MD5 checksum globally for all executables in the Application Protect module (it's a pain to enable this option one by one for all executables).

    9- An option to enable and disable logging with a single click for each Protect type for all executables (execution, load dll, global hook, memory modification etc.), rather than doing it for each executable separately (although this option is not so important, as by default logging is still enabled for most events).

    10- An option to see older logs via the Log View window (currently the Log View window only shows the log from the last system/EQS restart; older logs have to be retrieved manually from the EQS log folder, which is not user friendly).

    11- An outbound firewall module like many other HIPS

    12- The current GUI (main EQS window and popups) is neat and clean and looks good, but it will be nicer to have a more elegant and colourful GUI.

    13- Differentiation between "Global hook" and "Hook into a specific process" - Most hooks (legit as well as malicious) are global hooks, but there are some hooks that target a certain process (like Internet Explorer or Explorer.exe) only. I noticed that EQS shows both types of hooks as global hooks, but some other HIPS clearly differentiate between the two types of hooks. Please see the pictures to make it clear - global hook by FireHole (leak test) and specific hook into IE by pokapoka.exe (malware).

    14- Detection of posting messages into other window, sending input to other window

    15- Detection of screen reading

    16- An option for pre-defined policies (that can be custom made). You can make a policy, for example, TRUSTED, where you will make rules for a trusted group of applications. Any trusted application will be added to this group and it will automatically run according to the rules of the TRUSTED group without any further popups. Comodo Firewall version 3 HIPS has this type of feature.

    For example, I will make a strict policy where an application will only be allowed to execute itself but not allowed to execute any child process, not allowed to set any hooks or change the memory of other processes etc. I will then add my untrusted applications like web browsers etc. to this policy group, and browsers will run without any popups without lowering the security of the system. To run certain applications from the web browser, like media player, flash player etc., I can add exceptions to the policy so that only these applications will be allowed to run as child processes of the web browsers.

    17- Ability to arrange application rules alphabetically in the rules window

    18- A real-time process monitor to detect new processes without rules set, or processes with changed MD5, started before the launch of EQS. Currently if you disable EQS, then run a process that is not allowed to run by EQS rules or has no rules in EQS, then re-enable EQS while the process is still running in memory, there is no way for EQS to detect this process (it is supposed to be on the to-do list).

    19- An option to scan and clean useless rules (rules for applications not present on the system) in EQS?

    Thanks for any comments.

    Attached Files:
    mem1.jpg
    mem2.jpg
    EQS .com file protection.jpg
    hook into explorer-NG.jpg
    hook into ie-NG.jpg
    Last edited: Oct 9, 2007
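Two of the misses listed above (items 5-6: Regedit, Task Manager and Folder Options being disabled through the registry, and items 1-2/18: an executable whose MD5 has changed being treated as trusted) can be checked independently of any HIPS with a small audit. The script below is an added example, not EQS code and not from this thread. It assumes the documented Windows policy locations under the Policies\System and Policies\Explorer keys (DisableRegistryTools, DisableTaskMgr, NoFolderOptions), takes a registry snapshot as a plain mapping so it runs offline, and builds an MD5 baseline of executables so that a changed file is reported as "changed" (the case the post argues should be prompt-and-block). The sample snapshot and the throwaway files are constructed for the demo.

```python
"""Defender-side audit for tampering discussed in the thread: registry policy
values that lock out admin tools, and executables whose hash changed after a
baseline was taken. Added example, not part of EQSecure."""
import hashlib
import os
import tempfile

# Documented Windows policy locations (relative to HKCU or HKLM) that malware
# such as the worms named in the post sets to disable Regedit, Task Manager
# and the Folder Options dialog.
POLICY_KEY_SYSTEM = r"Software\Microsoft\Windows\CurrentVersion\Policies\System"
POLICY_KEY_EXPLORER = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
TAMPER_POLICIES = {
    (POLICY_KEY_SYSTEM, "DisableRegistryTools"): "Regedit disabled",
    (POLICY_KEY_SYSTEM, "DisableTaskMgr"): "Task Manager disabled",
    (POLICY_KEY_EXPLORER, "NoFolderOptions"): "Folder Options hidden",
}


def audit_policies(snapshot):
    """snapshot: {(key_path, value_name): data} as read from one hive.
    Returns one finding string per tamper value that is set to a non-zero DWORD."""
    findings = []
    for (key, name), label in TAMPER_POLICIES.items():
        data = snapshot.get((key, name), 0)
        if isinstance(data, int) and data != 0:
            findings.append(f"{label}: {key}\\{name} = {data}")
    return findings


def read_hkcu_policies():
    """Read the same values from the live HKCU hive (Windows only; the demo
    below uses a constructed snapshot instead so it runs anywhere)."""
    import winreg
    snap = {}
    for key, name in TAMPER_POLICIES:
        try:
            with winreg.OpenKey(winreg.HKEY_CURRENT_USER, key) as handle:
                snap[(key, name)] = winreg.QueryValueEx(handle, name)[0]
        except OSError:
            pass  # key or value absent: nothing set
    return snap


def file_md5(path):
    """MD5 of a file, streamed so large executables do not load into memory."""
    digest = hashlib.md5()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(paths):
    """Record the current MD5 of every executable you want watched."""
    return {path: file_md5(path) for path in paths}


def check_baseline(baseline):
    """Return {path: 'ok' | 'changed' | 'missing'}; 'changed' is the state the
    post argues a HIPS must treat like a brand-new executable."""
    status = {}
    for path, digest in baseline.items():
        if not os.path.exists(path):
            status[path] = "missing"
        elif file_md5(path) != digest:
            status[path] = "changed"
        else:
            status[path] = "ok"
    return status


# Constructed snapshot: what HKCU looks like after a worm disables Regedit and
# Task Manager but leaves Folder Options alone.
SAMPLE_SNAPSHOT = {
    (POLICY_KEY_SYSTEM, "DisableRegistryTools"): 1,
    (POLICY_KEY_SYSTEM, "DisableTaskMgr"): 1,
    (POLICY_KEY_EXPLORER, "NoFolderOptions"): 0,
}


def demo_baseline():
    """Baseline two constructed files, overwrite one, and re-check."""
    workdir = tempfile.mkdtemp()
    good = os.path.join(workdir, "good.exe")
    modified = os.path.join(workdir, "modified.exe")
    for path in (good, modified):
        with open(path, "wb") as handle:
            handle.write(b"MZ original program bytes")
    baseline = build_baseline([good, modified])
    with open(modified, "wb") as handle:
        handle.write(b"MZ overwritten by something else")  # simulated replacement
    return check_baseline(baseline), good, modified


if __name__ == "__main__":
    for line in audit_policies(SAMPLE_SNAPSHOT):
        print("TAMPER:", line)
    status, _, _ = demo_baseline()
    for path, state in status.items():
        print(state, os.path.basename(path))
```

On a Windows host you would feed `audit_policies(read_hkcu_policies())` instead of the constructed snapshot, and repeat the check for HKLM; the baseline functions are the same idea as EQS's per-executable MD5 option, applied to every watched file at once rather than one rule at a time.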
  2. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    One more pic I forgot.

  3. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Thanks for the great screenshots and all the testing. I'm also finding disturbing misses with EQSecure 3.4 and it repeatedly fails to keep settings no matter what I try.

    While on the surface it has a lot of potential there still remains MANY unresolved issues that absolutely must be confronted and addressed before some real confidence can return.

    I was in the process of migrating many snapshots/drives over to this EQSecure but am finding System Safety Monitor is much stronger and more aggressive, plus it allows for restarting any closed app if explorer crashes, whereas EQSecure to my knowledge has no such protection feature, unfortunately.

    I also get repeated PROMPTS even when I set them to IGNORE/NO LOG, an obvious bug as it doesn't keep the settings you make.

    I can go on and still mention even more issues, but you have really already covered the bulk of most if not all of them IMO.
  4. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    You must be missing the rules somewhere, otherwise it must not do so. EQS rules are complex and confusing. It's easy to miss something and get into trouble. Not a straightforward HIPS at all. It's more complex than SSM IMO.