Alcyon's EQS RuleSets

Hi Alcyon.

Small question for you please.

Again and again all our thank you's for your exceptional effort in making EQS better secure for everyone who uses it now. Your scrutiny of every conceivable area of concern has given EQS and it's users a big boost of confidence and security.

My question is this:
Is there anyway from your perspective and knowledge of EQS rules where we can DENY closing of an app from an application crash? And just how would we apply it?

I use a quick launch app named RunMe and been experiencing numerous sudden crashes when just accessing it since it drops down a menu of apps to run.

I was curious if there was within EQS rules a setting whereby i could abort this type of sudden closure and keep it active.

Thanks and Keep Up The Great Work

EASTER

 

Little *BUMP and final only one to see if this is doable with EQS or not.

Thanks EASTER

 

Hi EASTER.

I believe it's not possible to do that and this tool works perfectly well on my side. No crashes, etc. even if i put tons of apps.

 

Hi Alcyon

No, no, no though. EQS Doesn't crash at all anymore thank goodness, it 's that same old plague that haunted Microsoft O/S third-party tools back when "this program has performed an illegal operation and must close" crap, then down went explorer.exe.

It's only a single app named RunMe, and not a big deal, but a handy restart app would fire it up again when it pukes down, and something similar like ole SSM's "keep process in memory" would restart it again.

EQS with your absolutely amazing RuleSets is performing stellar!

 

I was talking about RunMe

I'm unable to make RunMe crash so i really can't tell if it's possible to do something about it with EQS.

By the way, i updated my eqs ruleset on drop.io some minutes ago

 

Hi Alcyon

Where can I get a copy of your latest ruleset?

Thankyou

Terry

 

http://drop.io/eqsecure

 

Please don't waste your good time with my issue on that third-party app. It very well could be i need to reinstall it again or it's clashing with something else, but surely EQS has nothing at all to do with it.

Can you give us a hint though what new additions you added to the newest rulesets though?

EASTER

 

EASTER,

There was some minor fixes and additions in the global rules of the registry, some changes in the global rules of file protection settings (recycle bin rules,etc.) and some additions in the "block known malwares" rule (blacklist section).

I'll include a changelog with my next updates

 

K, Thanka a 'plenty for you all the attention you've given it and shared with us.

Makes EQS an even better HIPS when users can cover possible areas of vulnerabilities.

I did just recently get inside word that 4.0 final is in development full force and like others wait in anxious expectation & hope to see a nice surprise for us all when it comes time to be posted.

EASTER

 

Short of having to DISABLE PROTECTION MODULES in autostart, what can be done to stop me from having to click dozens of times for ALLOW just to plug in a Pen Drive.

Thanks EASTER

 

EASTER, you could use "remember this action" for each prompts except:

Code:

Modify memory of other processes,
current application: svchost.exe
target: explorer.exe

 

Thanks Alcyon

Will give this a try.

EASTER

 

@Alcyon

Is there a simple way to transfer the Folder Guard ruleset over to the BlackList instead of File Protections?

In EQS you can virtually seal off the entire main directory branches (temporary) and i've tested this against many malwares and thwarted the old Finjan VBS test by locking down both the desktop from creating it's folders AND blocked it from accessing folders to try to copy files from to that "you been hacked" test.

I like to transition the more harsher LOCK OUT rules to the BlackList.

By the way, you put a whole new spin on EQS security and is turned it into a Steel Wall as well as a Super Alerter to everything from the most common to the uncommon potentials for forced intrusions into so many areas.

EASTER

 

Folder Guard ruleset?! You mean the folder rules from the global part to the blacklist, i presume. The xml structure is the same so you make a new blacklist group and paste them... If you like it that way... Unless you're talking about something else.

There's a lot of rules to add before turning steel into gold. The problem is that people will freak out a little.

 

Easter, from reading this thread alone, you have got to be behind a virtual Fort Knox of impenetrability.

Do you have time for anything else?

 

Pretty much so, and thats the purpose. Preventing the common nusance from ever getting so much as a toe hold without being alerted to it as well as anything new that might would try to circumvent or work around using some clever alternative method, and get this, the best part IMO, all without even an AV! I been free of an AV for nearly a year now and never been more better for it, system performance-wise and no issues of incompatibility which used to be a common expectation with them.

HIPS completely changed that, as has virtual systems & sandboxes.

 

Bring them on.

I've tried and tried to get comfortable with the LUA approach but in all honesty that method just doesn't appeal to me anymore, IMO far too many restrictions that prohibit freedom of maneuvering plus i found i can rely on this HIPS to accomplish much more in the way of TOTAL CONTROL w/o sacrificing mobility and at the same time monitor and KNOW FOR SURE if something is trying to compromise that shouldn't be. I know LUA relies on an event Log but it only goes so far, this HIPS dictates "Live" reports and the rules allow for floating different security/blocking strengths that LUA doesn't offer.

So bring on those new rules and great job Alcyon!

 

Tend to agree with you. With zero-days and other types of threats today, one's security approach needs to adapt, too.

I'm curious about all the apps you have listed in your sig, however. Seems to be considerable redundancy. Are you actually using FD-ISR, Deep-freeze, and Returnil all at the same time??

 

No.

Pls see topic "Whats your security setup" for my latest running configurations.

I use several Hard Drives but on any one of them any combination of the apps in my sig below are employed in different set ups for determining which group seems best suited for ultimate security.

EASTER

 

I see. OK, thanks. ...and, secure computing!!!

Sam Spade


|||

 

@Alcyon

Any idea yet when your latest EQS Rules will be accessible from your host site?

Also would you care to share anything new about EQS that you might have run across while researching and fashioning EQS's rulesets?

I'm still as Hyped up as ever over EQS as the first day it came out, along the same lines as when i discovered FD-ISR was a Mega-ISR Recovery Product. LoL

EASTER

 

It depends on the weather and the mood I can't predict. I have some new stuffs written down. It should not be too long.

I think there's nothing new you don't know about EQS. Rather too easy hips! In fact, i learned more about Windows... Nice tool to learn, really.

 

I learned some stuff about Windows just looking at your rules when I translated them to spanish. I imagine how many know-how you have invested in that ruleset. Great job!

 

I'll take a little summer break anyway