Alcyon's EQS RuleSets

Discussion in 'other anti-malware software' started by EASTER, May 14, 2008.

Thread Status:
Not open for further replies.
  1. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,632
    Location:
    U.S.A. (South)
    Hi Alcyon.

    Small question for you please.

    Again and again, all our thank-yous for your exceptional effort in making EQS more secure for everyone who uses it now. Your scrutiny of every conceivable area of concern has given EQS and its users a big boost of confidence and security.

    My question is this:
    Is there any way, from your perspective and knowledge of EQS rules, that we can DENY the closing of an app from an application crash? And just how would we apply it?

    I use a quick launch app named RunMe and have been experiencing numerous sudden crashes when just accessing it, since it drops down a menu of apps to run.

    I was curious if there was a setting within EQS rules whereby I could abort this type of sudden closure and keep it active.

    Thanks and Keep Up The Great Work

    EASTER
     
  2. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,632
    Location:
    U.S.A. (South)
    Little *BUMP*, and the final one, to see if this is doable with EQS or not.

    Thanks EASTER
     
  3. Alcyon

    Alcyon Registered Member

    Joined:
    Jan 16, 2008
    Posts:
    438
    Location:
    Montréal, Canada
    Hi EASTER.

    I believe it's not possible to do that, and this tool works perfectly well on my side. No crashes, etc., even if I put in tons of apps.
     
    Last edited: May 15, 2008
  4. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,632
    Location:
    U.S.A. (South)
    Hi Alcyon

    No, no, no though. EQS doesn't crash at all anymore, thank goodness; it's that same old plague that haunted Microsoft O/S third-party tools back in the days of the "this program has performed an illegal operation and must close" crap, and then down went explorer.exe.

    It's only a single app named RunMe, and not a big deal, but a handy restart app would fire it up again when it pukes down, and something similar to ole SSM's "keep process in memory" would restart it again.

    EQS with your absolutely amazing RuleSets is performing stellar!
     
  5. Alcyon

    Alcyon Registered Member

    Joined:
    Jan 16, 2008
    Posts:
    438
    Location:
    Montréal, Canada
    I was talking about RunMe :)

    I'm unable to make RunMe crash, so I really can't tell if it's possible to do something about it with EQS.

    By the way, I updated my EQS ruleset on drop.io some minutes ago ;)
     
    Last edited: May 16, 2008
  6. TerryWood

    TerryWood Registered Member

    Joined:
    Jan 14, 2006
    Posts:
    703
    Hi Alcyon

    Where can I get a copy of your latest ruleset?

    Thank you

    Terry
     
  7. TVH

    TVH Registered Member

    Joined:
    Aug 9, 2007
    Posts:
    227
  8. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,632
    Location:
    U.S.A. (South)
    Please don't waste your good time with my issue on that third-party app. It very well could be that I need to reinstall it again or it's clashing with something else, but surely EQS has nothing at all to do with it.

    Can you give us a hint, though, about what new additions you added to the newest rulesets?

    EASTER
     
  9. Alcyon

    Alcyon Registered Member

    Joined:
    Jan 16, 2008
    Posts:
    438
    Location:
    Montréal, Canada
    EASTER,

    There were some minor fixes and additions in the global rules of the registry, some changes in the global rules of the file protection settings (recycle bin rules, etc.) and some additions in the "block known malwares" rule (blacklist section).

    I'll include a changelog with my next updates ;)
     
  10. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,632
    Location:
    U.S.A. (South)
    K, thanks aplenty for all the attention you've given it and shared with us.

    Makes EQS an even better HIPS when users can cover possible areas of vulnerabilities.

    I did just recently get inside word that 4.0 final is in development in full force, and like others I wait in anxious expectation & hope to see a nice surprise for us all when it comes time to be posted.

    EASTER
     
  11. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,632
    Location:
    U.S.A. (South)
    Short of having to DISABLE PROTECTION MODULES in autostart, what can be done to stop me from having to click dozens of times on ALLOW just to plug in a Pen Drive?

    Thanks EASTER
     
  12. Alcyon

    Alcyon Registered Member

    Joined:
    Jan 16, 2008
    Posts:
    438
    Location:
    Montréal, Canada
    EASTER, you could use "remember this action" for each prompt except:

    Code:
    Modify memory of other processes,
    current application: svchost.exe
    target: explorer.exe
     
  13. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,632
    Location:
    U.S.A. (South)
    Thanks Alcyon

    Will give this a try.

    EASTER
     
  14. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,632
    Location:
    U.S.A. (South)
    @Alcyon

    Is there a simple way to transfer the Folder Guard ruleset over to the BlackList instead of File Protections?

    In EQS you can virtually seal off the entire main directory branches (temporarily), and I've tested this against many malwares and thwarted the old Finjan VBS test by locking down the desktop from creating its folders AND blocking it from accessing folders to try to copy files from, for that "you been hacked" test.

    I'd like to transition the harsher LOCK OUT rules to the BlackList.

    By the way, you put a whole new spin on EQS security and have turned it into a Steel Wall as well as a Super Alerter to everything from the most common to the uncommon potentials for forced intrusions into so many areas.

    EASTER
     
  15. Alcyon

    Alcyon Registered Member

    Joined:
    Jan 16, 2008
    Posts:
    438
    Location:
    Montréal, Canada
    Folder Guard ruleset?! You mean the folder rules from the global part to the blacklist, I presume. The XML structure is the same, so you make a new blacklist group and paste them... If you like it that way... Unless you're talking about something else.

    There's a lot of rules to add before turning steel into gold. The problem is that people will freak out a little.
     
  16. SamSpade

    SamSpade Registered Member

    Joined:
    Oct 22, 2006
    Posts:
    415
    Easter, from reading this thread alone, you have got to be behind a virtual Fort Knox of impenetrability.

    Do you have time for anything else?


    :argh:
     
  17. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,632
    Location:
    U.S.A. (South)
    Pretty much so, and that's the purpose. Preventing the common nuisance from ever getting so much as a toehold without being alerted to it, as well as anything new that might try to circumvent or work around using some clever alternative method, and get this, the best part IMO, all without even an AV! I've been free of an AV for nearly a year now and have never been better for it, system performance-wise, and with no issues of incompatibility, which used to be a common expectation with them.

    HIPS completely changed that, as has virtual systems & sandboxes.
     
  18. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,632
    Location:
    U.S.A. (South)
    Bring them on.

    I've tried and tried to get comfortable with the LUA approach, but in all honesty that method just doesn't appeal to me anymore; IMO there are far too many restrictions that prohibit freedom of maneuvering, plus I found I can rely on this HIPS to accomplish much more in the way of TOTAL CONTROL w/o sacrificing mobility, and at the same time monitor and KNOW FOR SURE if something that shouldn't be is trying to compromise. I know LUA relies on an event log, but it only goes so far; this HIPS dictates "Live" reports, and the rules allow for floating different security/blocking strengths that LUA doesn't offer.

    So bring on those new rules and great job Alcyon!
     
  19. SamSpade

    SamSpade Registered Member

    Joined:
    Oct 22, 2006
    Posts:
    415

    Tend to agree with you. With zero-days and other types of threats today, one's security approach needs to adapt, too.

    I'm curious about all the apps you have listed in your sig, however. Seems to be considerable redundancy. Are you actually using FD-ISR, Deep-freeze, and Returnil all at the same time??
     
  20. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,632
    Location:
    U.S.A. (South)
    No.

    Pls see topic "Whats your security setup" for my latest running configurations.

    I use several Hard Drives, but on any one of them any combination of the apps in my sig below is employed in different setups for determining which group seems best suited for ultimate security.

    EASTER
     
  21. SamSpade

    SamSpade Registered Member

    Joined:
    Oct 22, 2006
    Posts:
    415
    I see. OK, thanks. ...and, secure computing!!!

    Sam Spade

     
  22. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,632
    Location:
    U.S.A. (South)
    @Alcyon

    Any idea yet when your latest EQS Rules will be accessible from your host site?

    Also would you care to share anything new about EQS that you might have run across while researching and fashioning EQS's rulesets?

    I'm still as hyped up as ever over EQS as on the first day it came out, along the same lines as when I discovered FD-ISR was a Mega-ISR Recovery Product. LoL

    EASTER
     
  23. Alcyon

    Alcyon Registered Member

    Joined:
    Jan 16, 2008
    Posts:
    438
    Location:
    Montréal, Canada
    It depends on the weather and the mood ;) I can't predict. I have some new stuff written down. It should not be too long.

    I think there's nothing new you don't know about EQS. Rather too easy a HIPS! In fact, I learned more about Windows... Nice tool to learn with, really.
     
  24. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    I learned some stuff about Windows just looking at your rules when I translated them to Spanish. I can imagine how much know-how you have invested in that ruleset. Great job!
     
  25. Alcyon

    Alcyon Registered Member

    Joined:
    Jan 16, 2008
    Posts:
    438
    Location:
    Montréal, Canada
    I'll take a little summer break anyway ;)
     