Alcyon EQS Command And Control Rules

Discussion in 'other anti-malware software' started by EASTER, Apr 11, 2008.

Thread Status:
Not open for further replies.
  1. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,632
    Location:
    U.S.A. (South)
    @Alcyon

    First off all of us are indebted to you for such a brilliant and what had to be exhaustive effort to add an enormous set of useful rules for EQS 3.41 SP2 only. Thanks are well in order again and again.

    My question is will you have the energy, effort, and time at your disposal to also fashion such exotic Rulesets for EQS 4.0 once it becomes final?

    Being the impatient type i tried to implement them to 4.0 Beta2 and they actually do work in 4.0 Beta 2 to a degree, but i've run into a simple issue (one) like the block menu either not showing up at all when configuring although the Block rules do seem to take effect anyway even though the "text" = block remains an empty blank in the settings themselves.

    You've done an outstanding job at command & control coverages with 3.42 SP2, so this is my question i like to pose to you at this time.

    EASTER

    PS: I wish EQS all the best and am anxiously awaiting the final release. Also the Sandbox works like a charm and is a very unique approach to a HIPS unlike any other seen before.
     
  2. Alcyon

    Alcyon Registered Member

    Joined:
    Jan 16, 2008
    Posts:
    438
    Location:
    Montréal, Canada
    Hi EASTER.

    Of course, i'll make the ruleset 100% compatible with EQS v4 but i'll need to wait for the final version to be released. By the way, the ruleset version you are using is maybe good but not as much as the new one i'm working on :) ... Right now, if we addition all the xmls, it's a nice total of approximately 430k unzipped... Give me 2 or 3 more weeks and i'll post it.
     
  3. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,632
    Location:
    U.S.A. (South)
    Sincerest compliments to you Alcyon for such an exciting and mindboggling wonderful project you've taken it for yourself to fashion my friend.

    I might add that the Folder Monitor addition you posted awhile back is nothing short of absolutely perfect! For once an EQS user can finally be alerted to any folder that would attempt to form in any directory and believe you me i've exercised full use of that single xml to include additional sections that even better keep a sharper watch for just any such an occurrence.

    And it works 100%!!!

    EASTER
     
  4. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Alcyon, Easter

    I noticed the registry defense is extensive. Does it throw a lot of pop-ups at you or is it focussed on static entries (meaning should not be changed under normal operation).

    Regards Kees
     
  5. hammerman

    hammerman Registered Member

    Joined:
    Jul 14, 2007
    Posts:
    283
    Location:
    UK
    I've been using Alcyon's rules for about 3 weeks and I don't get many pop-up's at all for file or registry protection. I think they are well focussed and I've only tweaked the rules here and there to extend coverage.
     
  6. Alcyon

    Alcyon Registered Member

    Joined:
    Jan 16, 2008
    Posts:
    438
    Location:
    Montréal, Canada
    For a classical hips, i personally think that there's not too much popups. Btw, i noticed that it's preferable to remove the following registry keys in "local computer policy settings":

    HKLM\SECURITY\Policy\Secrets\SAC
    HKLM\SECURITY\Policy\Secrets\SAI
    HKLM\SECURITY\Policy\*

    If you guys have some ideas on what should be added or removed in the global or blacklist rules (especially in the global rules of app protection settings), don't hesitate to tell me.

    Here's some good sources to make rules:

    Symantec: http://www.symantec.com/business/security_response/threatexplorer/threats.jsp
    Megasecurity: http://www.megasecurity.org/files_all.html
    TrendMicro: http://www.trendmicro.com/Vinfo/
    Avira: http://www.avira.com/en/threats/
    Computer Associates: http://ca.com/securityadvisor/virusinfo/
     
    Last edited by a moderator: Apr 12, 2008
  7. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,632
    Location:
    U.S.A. (South)
    Same here. Alcyon's RuleSets have gone a long way to minimizing pop up alerts tremendously, and that's obviously indicative to how well thought out which ones were taken into account to maximize security while keeping the notify levels at the ready but minimal.

    hammerman sums it up very well, they are well-focused and target a welcomed large contingent of areas otherwise gone omitted or overlooked entirely, but yet critical sections of potential misuse nonetheless at some point if even way down the line in the future.

    Working in unison with the newest release of SuRun is a plus in itself, Alcyon's Rulesets seem to blanket nearly every single conceivable area of concern and for pity sakes the Folder Guard XML is a major boost!!!

    I just hope EQS can LOCK down itself with some super self-protection as well as finally getting around to releasing a FINAL with installer.

    And looking forward to Alcyon's 4.0 Rulesets whenever EQS eventually is satisfied, and us, that this newest release is all it was intended to be.
     
  8. Alcyon

    Alcyon Registered Member

    Joined:
    Jan 16, 2008
    Posts:
    438
    Location:
    Montréal, Canada
    I had another idea... Malwares sometimes like to borrow a similar name of an already existing file in system32 so I made the new rule "system32 - Similar Filename already exists (Highly Suspicious)" for all default system32 files (except at.exe and sc.exe): http://img441.imageshack.us/img441/2802/eqsadvs2yy3.png ... and a plethora of other rules....

    This new ruleset i'm working on is so different from the last one i posted! It's getting better and better everyday. I'll probably need testers.

    Edit: screenshot
     
    Last edited: Apr 13, 2008
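    The "similar filename already exists" idea from the post above, as an added illustration that is not part of Alcyon's ruleset or EQS: a small Python check that flags a file name one edit (typo, digit swap, transposition) away from a known system32 name, and skips very short names such as at.exe and sc.exe, which would otherwise collide with harmless names. The list of known names is a constructed sample, not the full system32 inventory.

    ```python
    # Added example: detect file names that imitate a legitimate system32 file.
    # KNOWN_SYSTEM32 is a constructed sample; a real check would load the
    # actual directory listing of the machine being protected.
    KNOWN_SYSTEM32 = {
        "svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
        "services.exe", "smss.exe", "at.exe", "sc.exe",
    }

    # Names with a stem shorter than this are skipped: "at" or "sc" sit one edit
    # away from far too many harmless names to be useful (the rule above excludes
    # at.exe and sc.exe for the same reason).
    MIN_STEM_LEN = 4


    def edit_distance(a: str, b: str) -> int:
        """Optimal-string-alignment distance: insert, delete, substitute, or
        swap two adjacent characters each cost 1 (so 'scvhost' ~ 'svchost' = 1)."""
        d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
        for i in range(len(a) + 1):
            d[i][0] = i
        for j in range(len(b) + 1):
            d[0][j] = j
        for i in range(1, len(a) + 1):
            for j in range(1, len(b) + 1):
                cost = 0 if a[i - 1] == b[j - 1] else 1
                d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
                if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                    d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
        return d[len(a)][len(b)]


    def lookalike_of(path: str, known=KNOWN_SYSTEM32, max_dist: int = 1):
        """Return the known system32 name that `path` imitates, or None.

        An exact (case-insensitive) match is the real file and returns None; a
        near-miss returns the name it resembles so the event can be alerted on.
        Both '\\' and '/' are accepted as separators so Windows paths work anywhere.
        """
        name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if name in known:
            return None
        for k in sorted(known):
            if len(k.rsplit(".", 1)[0]) < MIN_STEM_LEN:
                continue  # too short to compare meaningfully
            if edit_distance(name, k) <= max_dist:
                return k
        return None
    ```
    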
  9. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,632
    Location:
    U.S.A. (South)
    Greetings in Evening Alcyon:

    Count me in when you're ready for some testing of the new rulesets. Just when i didn't think it could get any better you're dissecting the entire file system for usage in EQS coverage rules.

    More POWER to you Alcyon, you are making this HIPS Xtremely potent with your research and application of various new rules my friend.

    Regards EASTER

    PS: We really need 4.0 to go final soon because it would be a pity to have to reconstitute such a brilliant task like this all over again for it, but something tells me the basic rules structure will for the most part stay in place so as to enable these present rules into their respective categories.

    I can already tell you the BlackList Rules are solid as a rock and LOCK down tight priority areas of concern as well as everything else so far.
     
  10. Baldrick

    Baldrick Registered Member

    Joined:
    May 11, 2002
    Posts:
    2,301
    Location:
    South Wales, UK
    For those who do not know but would like to review/use where can one get hold of Alcyon's ruleset for EQS...if that is possible?:D
     
  11. Antarctica

    Antarctica Registered Member

    Joined:
    Feb 25, 2003
    Posts:
    1,617
    Location:
    Canada
  12. Baldrick

    Baldrick Registered Member

    Joined:
    May 11, 2002
    Posts:
    2,301
    Location:
    South Wales, UK
  13. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,632
    Location:
    U.S.A. (South)
    Alcyon, with all the effort and time you put into forming essential protection rules i was curious if you have dabbled at all with RegTicPro and any or all its settings that for the most part can disable quite a plethora of normal windows settings. So far i found SuRun pretty much negates many of them. Just something to toss your way for possible considerations if deemed needed.

    EASTER
     
  14. Alcyon

    Alcyon Registered Member

    Joined:
    Jan 16, 2008
    Posts:
    438
    Location:
    Montréal, Canada
    Thanks EASTER, there's some interesting registry keys i'll import in my new ruleset.
     
  15. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,632
    Location:
    U.S.A. (South)
    I just hope we don't run out of time waiting for EQS 4.0 final to be released, surely they're working on it but i couldn't reach their page tonight.

    I think 4.0 final will be as close to the end all of superior classical HIPs and i get an uneasy feeling lately it might be a very long time if ever if we see the next version. I hope i'm wrong because your RuleSets have raised the security bar several notches above from where it once stood and they have included some really fantastic features as well as improvements into the last release.
     
  16. Alcyon

    Alcyon Registered Member

    Joined:
    Jan 16, 2008
    Posts:
    438
    Location:
    Montréal, Canada
    Well, it's worth the wait :) I haven't played much with the betas of eqs but what i can tell is that if someday we see the implementation of variables and a form of regex à la Proxomitron in this fantastic hips, it'll be even more powerful.
     
  17. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,632
    Location:
    U.S.A. (South)
    Alcyon it demands of me that i offer my own sincerest of all gratitudes for all your interest and effort that you have helped put into this EQS. You obviously have done EQS (i hope) and all of us supporters and users alike a very generous service with the time you've taken to help better provide security on all of our behalf.

    I know nothing of your history or background Alcyon but your enthusiasm and attention to details has been nothing short of Stellar my friend; any HIPS regardless, is no simple chore to accurately build up useful configurations on, due to their complexity as well as compatibility with other apps and the O/S itself to name a few.

    If you have an open PM box i WOULD like to return at least some favor in return for your consideration.

    EASTER
     
  18. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,632
    Location:
    U.S.A. (South)
    Whatever you do i would avoid reading the translated pages of EQSecure forums because it's full of nonsense 90% of the time and does nothing to focus on this HIPS except only occasionally.

    I read the worst Russian Language forums before and still do but nothing comes remotely close or as so goofy as what exchanges surface from their discussions if you want to call them that, EQSecure forums (translated by Google) has me wondering if we'll ever see another update let alone a final.

    Are they off their rocker or what? Do they actually communicate with LSD comments like the ones i read?

    I'm not trying to be critical but just check it out yourself.
     
  19. hammerman

    hammerman Registered Member

    Joined:
    Jul 14, 2007
    Posts:
    283
    Location:
    UK
    Alcyon

    I'd also like to thank you for your efforts in producing these rulesets. It would have taken me an age to produce something this good. I find there is a dearth of information on the registry and would welcome any advice on where I can obtain more information. Can you recommend a book or web site which contains detailed registry information?
     
  20. Alcyon

    Alcyon Registered Member

    Joined:
    Jan 16, 2008
    Posts:
    438
    Location:
    Montréal, Canada
    Thanks for all the compliments. I believe i only touched the tip of the iceberg of what can be done with this hips.
    I improve my ruleset on a regular basis (http://drop.io/eqsecure) so those who are interested can use the email alert tool to be notified when it's updated.

    EASTER - My PM box is now open.

    hammerman - There's nothing exhaustive about the registry i found. I think the best tool for now is google.

    edit:typo
     
    Last edited: Apr 26, 2008
  21. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,632
    Location:
    U.S.A. (South)
    Alcyon

    See your PM

    Regards EASTER
     