EQSecure 3.41 Settings

Discussion in 'other anti-malware software' started by EASTER, Dec 8, 2007.

Thread Status:
Not open for further replies.
  1. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    You can say that again, although it looks like MAGIC SHIELD is a bust right now.

    There is obviously a problem with the posted link installer, and I can't read jibber dibber scrambled hieroglyphics to make any sense of the error message, plus no one is here to help in these cases.

    So, you've been right all along, Erik: Chinese apps offer little if anything in the way of support for English, or Dutch LoL

    Why in the world can't an English developer come up with something this good? Because they either can't, won't, or would rather charge an arm and a leg to balloon their profitability bottom line.

    In the end, we all are stuck without Open Source/Freeware.
     
  2. Alcyon

    Alcyon Registered Member

    Joined:
    Jan 16, 2008
    Posts:
    438
    Location:
    Montréal, Canada
    Another ruleset update ;)

    eqsecure.v3.41.winxp.rules.v06152008-adv

    changelog:

    - New global rules added (file protection settings)
    - Some global rules fixed (file protection settings)
    - Env. variables: "%SystemDrive%\Program Files" replaced with "%ProgramFiles%"
    - Block Known Malwares rules added.
    - Some registry rules fixed.

    http://drop.io/eqsecure
     
    Last edited: Jun 15, 2008
  3. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Thanks Alcyon:

    For continually fine tuning EQS rules.

    It appears we've been abandoned and possibly deprived of Final 4 EQS for Magic Shield, which isn't even available in English, so your updating of 3.41's rules becomes of even more importance and appreciation.

    EASTER
     
  4. Alcyon

    Alcyon Registered Member

    Joined:
    Jan 16, 2008
    Posts:
    438
    Location:
    Montréal, Canada
    I'm confident that they are (or he is) busy working on something even more solid than what we've seen so we need to stay Zen.

    Anyway, I've once again updated the ruleset with new rules:

    - Program Files (Executable Modification) in global rules
    - Explorer (Allow All Operations) in application rules [file & registry protection section only]

    and some other minor fixes...

    I'm seriously thinking about enabling by default the rule "Explorer (Allow All Operations)" in my next update, so if you think it's a really bad idea, just give me strong arguments why I shouldn't. Right now, my logic says you'll not be more vulnerable, but I may be wrong.
     
  5. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Hi Alcyon

    That might not be a bad idea. I once added some alert/block/pass rules to try to better enforce some additional pressure on explorer actions and it got to be a bit much with the alerts. I really think when dealing with explorer you have to be somewhat liberal due to its very nature of activity; for example, every time I would plug in a USB pen it took several allows just to get it settled. If there were any of those autorun.inf tricks trying to push off anything, it would have been picked up for sure.

    Thanks by the way for the updated RuleSets. All of them have been of huge benefit and useful.

    EASTER
     
  6. ex3

    ex3 Registered Member

    Joined:
    Jul 9, 2008
    Posts:
    34
    Looking for an English manual.
     
  7. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Also I'm looking for 4.0 FINAL instead of Magic Shield, which has no English translation I've been able to find yet.

    I think they cut us off with their latest version, but no matter, Alcyon elevated EQS to extremely useful additional security with his rules, and in fact I'm satisfied with it as such since no other versions are likely to be shared again here.
     
  8. Alcyon

    Alcyon Registered Member

    Joined:
    Jan 16, 2008
    Posts:
    438
    Location:
    Montréal, Canada
    Once again, the ruleset has been updated.

    eqsecure.v3.41.winxp.rules.v07142008-adv

    changelog:

    - New shortcut fix (Rundll32)
    - New file protection rules added
    - Some file protection rules modified
    - Registry rules cleanup
     
    Last edited: Jul 14, 2008
  9. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    What happened with your summer break?:D :D
     
  10. Alcyon

    Alcyon Registered Member

    Joined:
    Jan 16, 2008
    Posts:
    438
    Location:
    Montréal, Canada
    Yeah, I cheated ;) A new good one to grab:

    Eqsecure.v3.41.winxp.rules.v07152008-adv

    If you guys have some new ideas to implement, just let me know...

    Critics are welcome too ;)
     
  11. hammerman

    hammerman Registered Member

    Joined:
    Jul 14, 2007
    Posts:
    283
    Location:
    UK
    Hi Alcyon,

    Thanks for sharing the results of your hard work with us again.
    I did start with one of your first rulesets as a template and tweaked it here and there to suit my system. For this reason I tend not to simply replace an entire ruleset with another one. However, I still look to your latest rulesets for inspiration.

    I have added an 'anti-executable' type rule that blocks creation, modification and deletion of ALL .exe files. I figured that the ruleset covers most executables on my system anyway so I might as well add a global anti-executable rule. If I disable this, I am still covered by other rules protecting against executable changes in the important locations.

    Thanks again.
     
  12. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Hi Alcyon

    Another nice effort as always. I too have to say I've been alternating, since I have so many systems at my disposal, your RuleSets since the 3/20 one I think it was, the 26 and so on.

    I must admit however I harbor some reservations that we will ever see 4.0 final, but I hope I'm wrong about that. But since MagicShield I think I'm on the button.

    By the way, have you or anyone ever got a chance to try Magic Shield in "ENGLISH ONLY"? Because try as I may, the only installer I ever found was in their own native alphabet, and Solcroft I think fell away from translating and/or discussing EQS anymore.

    Still, as-is as they say in the car business, this is one STRONG! Host Intrusion Protector and your generous contribution with these new rules greatly elevated it to an even higher level and set something of a nice safety standard for users everywhere of it.

    Regards EASTER
     
  13. ex3

    ex3 Registered Member

    Joined:
    Jul 9, 2008
    Posts:
    34
    hammerman, I am interested to look at your rule set, especially the anti-executable one.
     
  14. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Version EQS 3.41 is satisfactory enough for most users, but if you really want some progressive improvements dig up the 4.0 Beta EQS. It's just as stable and has more protections, and although Alcyon doesn't recommend or encourage his 3.41 rulesets for that one, I can attest to the fact they work absolutely brilliantly!

    EQS all the way!!
    :thumb:

    EASTER
     
  15. Timba

    Timba Registered Member

    Joined:
    Aug 11, 2008
    Posts:
    6
    New to EQSecure; after a lot of reading in the forum I have decided to try it, but I'm having one issue.

    I grabbed EQSecure 3.41 from http://drop.io/eqsecure. When I log in under a limited user account, the EQSecure 3.41 tabs are all in non-English, but under Admin they are in English. Can someone tell me how to fix it so that English shows up under the limited user account?

    hammerman, would you mind sharing your 'anti-executable' type rule that blocks creation, modification and deletion of ALL .exe files?

    EASTER or anyone else, where can I find the EQSecure 4.0 English version?

    Thanks Timba
     
  16. hammerman

    hammerman Registered Member

    Joined:
    Jul 14, 2007
    Posts:
    283
    Location:
    UK
    Timba, Ex3

    I added the following rule in File Protection, Global Rules. This blocks creation, deletion and modification of any .exe file.

    You may want to set the action to Prompt and Block for a while in case there are legitimate programs that need to change .exe files. They will then be added to the Application Rules.

    I also added a rule in the Application Settings, Global Rules to block execution of any .exe file that is not covered by the Application Rules. I suggest again you set this to Prompt and Block until you are satisfied that the application rules cover all the legitimate executables.
     

  17. Timba

    Timba Registered Member

    Joined:
    Aug 11, 2008
    Posts:
    6
    Thanks hammerman

    EQSecure 3.41
    English is chosen for the language under the limited user account but it's not displaying English, it's showing up as Chinese. How do I get it to display English?

    thanks
     
  18. hammerman

    hammerman Registered Member

    Joined:
    Jul 14, 2007
    Posts:
    283
    Location:
    UK
    Language is selected in the Configuration screen. Select language and Apply. You will then need to restart EQS for language to be changed.
     

  19. Timba

    Timba Registered Member

    Joined:
    Aug 11, 2008
    Posts:
    6
    Thank you hammerman for all your help.

    EASTER, Alcyon, hammerman: do you have the EQSecure 4.0 Beta with the English translation that was made by EASTER and posted on the Rapid? Can you just post the file name so that I can search for it on Rapid, or can Alcyon host the EQSecure 4.0 Beta with English translation so I can grab it? This is one of the best.
     
  20. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    4.0 "is" a much improved version of EQS without a doubt.

    What really locks things down though is Alcyon's Rules. I've set in the Blacklist FULL LOCKS for many system folders, even My Documents, Desktop, etc. only to confirm the stops work as claimed, and they do wonderfully. If a file can't even "read" a directory it doesn't know that it even exists. Big Plus! But only for dark travels or testing in my experiences. It's not something you want to do all the time, however if you are super paranoid you very well can, and use the disable protection mode for 1 minute or so to execute, access anything in them before the time limit reLOCKS them again. Another superior benefit because this is user-friendly and doesn't leave one groping for multiple settings like some require.

    As to the other request, you might be best to follow Alcyon's advice on accessing the author's site because, unbeknownst to me at the time, it's against forum TOS to post personal links to it.

    EASTER
     
  21. Timba

    Timba Registered Member

    Joined:
    Aug 11, 2008
    Posts:
    6
    Thanks Easter, Alcyon, hammerman for all your help. EQSecure 4.0b3 is running great but I need help with configuration. I would like to be as secure as it can make me, blocking all the nasty stuff and protecting the system to be as secure as possible. Also, how do you configure the sandbox?


    thanks
     
  22. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Greetings:

    Personally, since I've always used SandboxIE for those chores, the sandbox of EQS doesn't get any use for me. I don't bother with it, although I have tested it on occasion.

    What I do bother with is fine tuning the HIPS rules (as needed), and I found EQS can even double as SRP; in other words you can effectively LOCK access to entire directories just like SRP does, and it's solid and, from what I experienced, more flexible.

    This is one exceptional HIPS, I'll keep repeating indefinitely, because it covers not only file protections but a whole host of critical points of vulnerability and has not failed me once. It's so "LITE" on the system but extremely "STRONG" in the protection department, and it can't be beat for free, that's for sure.

    It's passed all tests I threw at it, and despite reports to the contrary, likely because users are still using an older version, 4.0 stops dead AKLT keylog tests (all), with the exception of the screenies, for which I'm still searching for that blame file or files to stop that too.

    EASTER
     
  23. ParadigmShift

    ParadigmShift Registered Member

    Joined:
    Aug 7, 2008
    Posts:
    241
    I'm curious how well v4.0 Beta4 would do on various, fresh, undetected malware thrown at it. Running it inside an admin account would still concern me.
     
  24. Timba

    Timba Registered Member

    Joined:
    Aug 11, 2008
    Posts:
    6
    Easter, if you don't mind and have time, could you share your settings with me or just post some screenshots of your settings? What I need to do is fine-tune the HIPS rules and also use EQS as an SRP, and your fine-tuned rules would be of great help. Trying to protect before heading off to school; too many nasty things at school, had to redo the computer too many times.

    thanks
     
  25. Alcyon

    Alcyon Registered Member

    Joined:
    Jan 16, 2008
    Posts:
    438
    Location:
    Montréal, Canada
    Medium-priority rules trick

    Hi fellow EQS junkies ;)

    I found something somewhat interesting while playing with a new beta ruleset for v3.41.

    Habitually, making rules with v3.41 is limited to the low-priority and high-priority rules sections. The medium-priority section is where all the user-generated rules (via EQS prompts) belong, as well as some important default static system rules.

    The problem is that if you want to make new groups of medium-priority rules, there's a high probability that these rules will be overwritten. Instead of being placed in "Default Group", EQS will deface your newly created medium-priority rules unless you place the "*" wildcard (and nothing else) for the filename of the subprocess, subfile or for the registry subkey... but what IF you want to make rules for only specific files, subfiles, subprocesses or subkeys while using the special "ignore" action? What follows is in fact simple EQS logic but, the most important: it opens new horizons to EQS v3.41.

    To make real static medium-priority rules instead of dynamic ones with the risk for the rules to be overwritten, you make rules with the "?*" and "*" wildcards at the end of the file you want to control:

    If you want to allow all explorer actions for file protection settings, you do something like this:

    Code:
    GroupName1
    └-->Filename: %WinDir%\explorer.exe (action: ignore all)
    └---->Subfile: %SystemDrive%\* (action: allow all)
    but... Let's say you want to allow only specific actions for "explorer.exe". Instead of looking like this:

    Code:
    GroupName1
    └-->Filename: %WinDir%\explorer.exe
    └---->Subfile: %SystemDrive%\*\filename1.exe
    └---->Subfile: %SystemDrive%\*\filename2.exe
    and see your rules defaced after a while due to the intentionally placed "ignore" action somewhere for the file and/or subfile, you instead make rules like these:

    Code:
    GroupName1
    └-->Filename: %WinDir%\explorer.exe?* (actions: block all) (first rule)
    └---->Subfile: %SystemDrive%\* (actions: block all)
    └-->Filename: %WinDir%\explorer.exe* (actions: ignore all) (second rule)
    └---->Subfile: %SystemDrive%\*\filename1.exe (actions: user choice)
    └---->Subfile: %SystemDrive%\*\filename2.exe (actions: user choice)

    And Voilà! No more problems. The rules are now static and can't be overwritten.

    The first rule with the "?*" wildcards means: all files with a similar filename (in this case, explorer.exe followed by at least one character or more) will not be allowed to perform an action (for security reasons).

    The second rule with the "*" wildcard means: use this rule even if there's a similar one for explorer.exe already existing in Default Group (the first rule with "?*" protecting this second one).

    This may not be the best example but anyway...

    This trick is valid for all medium-priority rules sections (app, registry and file protection settings).
     

    Last edited: Sep 20, 2008
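To make the ordering of Alcyon's two filename rules concrete, here is an added Python model of how they sort paths (example code, not EQSecure's own). It assumes EQS-style wildcards where "?" matches exactly one character and "*" zero or more, case-insensitive path comparison, first matching rule in the group wins, and a constructed value for %WinDir%.

```python
# Added example: models the "?*" / "*" medium-priority trick, not EQSecure code.
# Assumptions: '?' = exactly one character, '*' = zero or more characters,
# paths compared case-insensitively, first matching rule wins.
ENV = {"%WinDir%": r"C:\WINDOWS"}  # constructed expansion for this example

def expand(pattern):
    """Substitute the environment variables used in rule paths, then lowercase."""
    for var, value in ENV.items():
        pattern = pattern.replace(var, value)
    return pattern.lower()

def glob_match(pattern, text):
    """EQS-style wildcard match: '?' = one char, '*' = zero or more chars."""
    if not pattern:
        return not text
    head, rest = pattern[0], pattern[1:]
    if head == "*":
        # '*' may consume zero characters, which is why "explorer.exe*"
        # still matches the plain "explorer.exe" path.
        return any(glob_match(rest, text[i:]) for i in range(len(text) + 1))
    if head == "?":
        # '?' must consume one character, so "explorer.exe?*" never matches
        # the plain "explorer.exe" path, only look-alike names.
        return bool(text) and glob_match(rest, text[1:])
    return bool(text) and text[0] == head and glob_match(rest, text[1:])

# Filename rules in the order Alcyon lists them: the "?*" block rule shields
# the broad "*" ignore rule from look-alike filenames.
RULES = [
    (r"%WinDir%\explorer.exe?*", "block all"),
    (r"%WinDir%\explorer.exe*", "ignore all"),
]

def decide(path, rules=RULES):
    """Return the action of the first rule whose filename pattern matches path."""
    for pattern, action in rules:
        if glob_match(expand(pattern), path.lower()):
            return action
    return "no match (falls through to Default Group / prompt)"

if __name__ == "__main__":
    for sample in (r"C:\WINDOWS\explorer.exe", r"C:\WINDOWS\explorer.exe.bak",
                   r"C:\WINDOWS\explorer.exe ", r"C:\WINDOWS\system32\notepad.exe"):
        print(f"{sample!r:45} -> {decide(sample)}")
        print(f"{sample!r:45} -> {decide(sample, list(reversed(RULES)))} (rules reversed)")
```

Running the block with the rules reversed shows why the order matters: without the "?*" block rule in front, a look-alike path such as explorer.exe.bak would fall under the "ignore all" rule.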