EQS question

Discussion in 'other anti-malware software' started by HURST, Apr 29, 2008.

Thread Status:
Not open for further replies.
  1. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    Hi

    I downloaded the latest set of Alcyon's rules today from drop.io/eqsecure

    Now EQS is blocking Sandboxie from deleting the sandbox after I close my browser. I checked the log and selected to Allow it, but it doesn't change. I went through the rules and tried to find what was blocking it, but no luck.

    Here are some screenshots.

    eqs1.JPG

    Here is the log entry:

    eqs2.JPG

    The error message I get is here, it says "access denied".
    eqs error.JPG
     
  2. Alcyon

    Alcyon Registered Member

    Joined:
    Jan 16, 2008
    Posts:
    438
    Location:
    Montréal, Canada
    Hi HURST

    You get this error message because you're using the rule "Block CMD.EXE" in the blacklist section of application protection settings. Blacklist rules = high priority and application rules = medium priority. If I find the time, I'll post a fix to make this rule compatible with Sandboxie in some hours. I also see that you're using a non-English OS... The rules I made are for the English version of Windows XP so many rules will not work unless you modify them ("Archivos de programa" instead of "Program Files", etc.).
     
  3. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    Thanks Alcyon, I'll fix the language ASAP.

    Thanks for your brilliant ruleset and your FAST response :thumb:
     
  4. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    Is there a way to get XML files to accept special characters? It's my first time editing XML, and I found that when I change "Local Settings" to "Configuración Local", the file won't open anymore, because of the "ó".
     
  5. Alcyon

    Alcyon Registered Member

    Joined:
    Jan 16, 2008
    Posts:
    438
    Location:
    Montréal, Canada
    I think the only way to make eqs work with special characters is to replace them with "?" so "Configuración Local" becomes "Configuraci?n Local".
     
  6. Alcyon

    Alcyon Registered Member

    Joined:
    Jan 16, 2008
    Posts:
    438
    Location:
    Montréal, Canada
    Here's a quick fix to be able to use "block cmd.exe" while using Sandboxie:
    Code:
    <EQSysSecureDat Version="2">
        <Rule Type="WatchApp">
            <Rule Data0="*" Type="1">
                <Group Name="Bypass - SandboxIE (Delete Sandbox)" ModeID="1">
                    <Rule SubType="63621" IncludeSub="0" Action="65535" Log="63620" Ask="63620" CheckCommandLine="1" Enabled="1" MD5Check="0" MD5Value="" Desc="" Data0="%WinDir%\system32\cmd.exe" Data1='/c rmdir /s /q &quot;?:\*\*\__Delete_*_?*&quot;' />
                </Group>
            </Rule>
            <Rule SubType="65535" IncludeSub="1" Action="65535" Log="65279" Ask="65279" Data0="*" Type="2" />
        </Rule>
        <Rule Type="WatchReg">
            <Rule Data0="*" Type="1" />
            <Rule SubType="7" IncludeSub="1" Action="7" Log="0" Ask="0" Data0="*" Type="2" />
        </Rule>
        <Rule Type="WatchFile">
            <Rule Data0="*" Type="1" />
            <Rule SubType="15" IncludeSub="1" Action="15" Log="0" Ask="0" Data0="*" Type="2" />
        </Rule>
    </EQSysSecureDat>
    Copy this code into notepad, save it as an xml, import it in the blacklist section of application protection settings and move this rule above all the others.
    http://img29.picoodle.com/img/img29/4/4/29/f_smtm_2996955.png
     
    Last edited: Apr 29, 2008
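The XML question in posts 4 and 5 comes down to how the rule file is saved on disk. As an added example (not code from the thread or from EQSecure), this builds a small rule file in the EQSysSecureDat layout shown above with the Spanish folder name "Configuración Local" in a path, then checks which on-disk encodings a conforming XML parser accepts: the attribute values and group name are constructed, and the folder path under %UserProfile% is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the EQSysSecureDat layout posted in the thread.
# Assumption: the SubType/Action values are illustrative only.
RULE_TEMPLATE = (
    '<EQSysSecureDat Version="2">\n'
    '  <Rule Type="WatchApp">\n'
    '    <Rule Data0="*" Type="1">\n'
    '      <Group Name="Test - non-ASCII path" ModeID="1">\n'
    '        <Rule SubType="63621" Action="65535" Enabled="1"\n'
    '              Data0="%UserProfile%\\{folder}\\Temp\\*" Data1="" />\n'
    '      </Group>\n'
    '    </Rule>\n'
    '  </Rule>\n'
    '</EQSysSecureDat>\n'
)

def rule_paths(data: bytes) -> list:
    """Parse a rule file given as the raw bytes saved on disk and return every
    Data0 value; raises ET.ParseError if the bytes are not well-formed XML."""
    root = ET.fromstring(data)
    return [r.get("Data0") for r in root.iter("Rule") if r.get("Data0")]

def parses(data: bytes) -> bool:
    """True if the parser accepts the file, False on a well-formedness error."""
    try:
        rule_paths(data)
        return True
    except ET.ParseError:
        return False

# Case 1: Notepad "ANSI" save with no encoding declaration. The cp1252 byte
# 0xF3 for "ó" is not valid UTF-8 (the XML default), so the file is rejected.
ansi_no_decl = RULE_TEMPLATE.format(folder="Configuración Local").encode("cp1252")

# Case 2: same bytes, but the prolog declares the code page actually used.
ansi_with_decl = b'<?xml version="1.0" encoding="windows-1252"?>\n' + ansi_no_decl

# Case 3: saved as UTF-8, which needs no declaration.
utf8 = RULE_TEMPLATE.format(folder="Configuración Local").encode("utf-8")

# Case 4: pure-ASCII file spelling the "ó" as a numeric character reference.
char_ref = RULE_TEMPLATE.format(folder="Configuraci&#243;n Local").encode("ascii")

if __name__ == "__main__":
    for name, blob in [("ANSI, no declaration", ansi_no_decl),
                       ("ANSI + windows-1252 declaration", ansi_with_decl),
                       ("UTF-8", utf8), ("ASCII + &#243;", char_ref)]:
        print(f"{name:34s} parses={parses(blob)}")
```

Cases 2 to 4 all yield the same decoded path, so whether EQSecure then matches the accented name is a separate question from whether the file opens at all.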
  7. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    Thanks Alcyon!:thumb: :thumb:

    Man you fixed it fast! I hope support for some paid software could be so efficient!
     
  8. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    @Alcyon:

    I'm still getting the same error... maybe I'm missing something
     
  9. Alcyon

    Alcyon Registered Member

    Joined:
    Jan 16, 2008
    Posts:
    438
    Location:
    Montréal, Canada
    Leave the bypass rule checked, open the group "Block Unrequested URLs (Out)" and for each rule, replace "Terminate/Suspend Process - Action:Block Log:Yes" by "Terminate/Suspend Process - Action:Ignore Log:No". Is it working with these modifs?
     
  10. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    Yes, now it's working!
    Should I reset explorer.exe and iexplore.exe to block again and leave cmd allowed?

    EDIT:
    Actually, it's still not working...same error
     
    Last edited: Apr 29, 2008
  11. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    I'm wondering if anyone else is experiencing the same issue...
     
  12. Alcyon

    Alcyon Registered Member

    Joined:
    Jan 16, 2008
    Posts:
    438
    Location:
    Montréal, Canada
    Strange, everything is working fine on my side after the modifs... Verify if the command variable of the bypass rule is:

    /c rmdir /s /q "?:\*\*\__Delete_*_?*" (in Other Settings)

    As well, uncheck the "block unrequested urls" rule... Maybe it's the problematic one.

    You could also remove all sandboxie related application rules and revalidate them.
     
    Last edited: Apr 29, 2008
  13. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    Yes, now it works. Unchecking the Block Unrequested URLs, SBIE can delete the sandbox.

    I'll try your other suggestion... Thanks for all your help:thumb:
     
  14. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    I tried deleting all Sandboxie entries and revalidating them, no luck.

    I left only the CMD box unchecked on Block Unrequested URL's. It works fine.

    Maybe a reinstall of both Sandboxie and EQSecure could help.

    Now I only have to figure out why IExplorer isn't working anymore, after I translated folder names on the ruleset... but I think I'll leave it 'til tomorrow
     
  15. Alcyon

    Alcyon Registered Member

    Joined:
    Jan 16, 2008
    Posts:
    438
    Location:
    Montréal, Canada
    Something else you could try with "block unrequested urls" is to leave cmd.exe checked and change all the actions to "ignore" except "execute application". Try this and tell me if it works.
     
  16. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    Yes, it works perfectly
     
  17. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    Alcyon, I narrowed it down

    It works perfectly now.

    This is what I did:

    explorer.exe box CHECKED, but Terminate/suspend process set to ignore, all others Block

    iexplore.exe: CHECKED, all Block

    cmd.exe: CHECKED: all Block, EXCEPT: Create remote thread, Modify memory of other process, Terminate/suspend process - these 3 are set to ignore.
     
  18. Alcyon

    Alcyon Registered Member

    Joined:
    Jan 16, 2008
    Posts:
    438
    Location:
    Montréal, Canada
    HURST, thanks for all the info :thumb:
     
  19. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    You are welcome...thank YOU for a superb ruleset and GREAT support!
     
  20. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    @Alcyon

    Regarding my IExplorer problem:
    I wasn't able to execute IE. It was blocked by EQS.

    I modified the following rules and now it works OK:

    Application Protection, Blacklist;

    Under "Block Unrequested URL's --> iexplore.exe"

    All blocked, EXCEPT:

    Create remote thread
    Modify memory of other process

    Both set to Ignore
     