EQSecure 3.41 Settings

Re: EQS v3.41 rules

what i did is that i block all in the protection mode(normal mode)block all and only allow internet explorer,msn mesenger and windows media player,the rest is block by default is this ok?i am doing ok with it?i am a new eqsecure junk user
it is very quiet with no pop ups,only when something is block a red pop up lets me know about the action.
note:i can always to back to the view log and rebert any changes.

 

Concerning the first two rules I posted, I forgot to mention that they must not be used while doing Windows Updates.

@jmonge, It depends... I need to see all your rules/configurations and the logic behind to say if it's correct.

 

i see thanks, so far is working find here.no problem is fast too

 

this is what i did with eqsecure:

Normal Mode:
execute application: block
load library file:block
load driver:block
acces to physical memory:block
low level disk operation:block
create remote thread:block
modify of other processes:block
terminate/suspend process:block
shut down/restart system:block
install global hook:block
install service or driver:block
log keystrokes:block
modify system time:block
debug at system level:block
imitate a keyboard mouse:block

apply all this and run eqsecure in normal mode with also enable learning mode
untill i satisfy my taste:i mean run what i need or use to run like:internet explorer,windows live mesenger and windows media player untill i dont see any alerts about what is allow kind of white list for the 3 apps mention above,
then untick the learning mode and just leave it in normal mode with eqsecure
lockdown L and pasword protected.so far so good no problems.any thing new is block here
note:i blocked windows updates which is good,every tuesday or second tuesday i check to see any updates and allow to update and then go back as always blocked

 

I rarely use Learning mode but it looks like a good strategy (among others), jmonge

 

i tested with alot of stuff and blocks all with easy and no slowdown,my system feels harden it remenbers me of Samurai Hips i love eqsecure already

 

the learning mode i only use it just to allow my apps i use and then just go back to normal mode plus all blocks by default

 

Again Yet another indeniable testimony of the versaitility and always increased effectiveness of EQS by virtue of Alcyon's Rules.

And we're not done yet folks. LoL

EASTER

 

You're reading my mind, EASTER I'm still working on an even better ruleset

 

There is not another HIPS that is a GRANITE GEMSTONE as EQS for sure Alcyon.

We're gonna keep it up untill we add secret security rules that even the developer wouldn't have conceived. Come to think of it, your rules have been on that enhanced track for quite some time now

You already no doubt reviewed some of my cosmetic language changes before, but if i tap into the alert box GUI in this great app, i intend to enlarge the alert box as well as add extra "controls" for on-the-fly configuring.

The possibilites are endless.

EASTER

 

I agree 100%

There's nothing phenomenal with the following rules but I think it's a good idea to share them too. It's almost all the protection types transfered in the Application Rules section of Application Protection Settings. They are set to "Prompt and Block" and have an higher priority than your normal or custom modes. Some of you may find that useful, others not. Personally, I keep them always activated and no problems so far:

Code:

<EQSysSecureDat Version="2">
    <Rule Type="WatchApp">
        <Group Name="Create remote thread (Prompt and Block)" ModeID="1">
            <Rule SearchGlobal="1" SubType="8" IncludeSub="1" Action="65527" Log="8" Ask="65279" CheckCommandLine="0" Enabled="0" MD5Check="0" MD5Value="" Desc="" Data0="?:\*" />
        </Group>
        <Group Name="Modify memory of other processes (Prompt and Block)" ModeID="1">
            <Rule SearchGlobal="1" SubType="16" IncludeSub="1" Action="65519" Log="16" Ask="65279" CheckCommandLine="0" Enabled="0" MD5Check="0" MD5Value="" Desc="" Data0="?:\*" />
        </Group>
        <Group Name="Terminate-Suspend process (Prompt and Block)" ModeID="1">
            <Rule SearchGlobal="1" SubType="512" IncludeSub="1" Action="65023" Log="512" Ask="65279" CheckCommandLine="0" Enabled="0" MD5Check="0" MD5Value="" Desc="" Data0="?:\*" />
        </Group>
        <Group Name="Terminate-Suspend thread (Prompt and Block)" ModeID="1">
            <Rule SearchGlobal="1" SubType="1024" IncludeSub="1" Action="64511" Log="1024" Ask="65279" CheckCommandLine="0" Enabled="0" MD5Check="0" MD5Value="" Desc="" Data0="?:\*" />
        </Group>
        <Group Name="Install service or driver (Prompt and Block)" ModeID="1">
            <Rule SearchGlobal="1" SubType="64" IncludeSub="1" Action="65471" Log="64" Ask="65279" CheckCommandLine="0" Enabled="0" MD5Check="0" MD5Value="" Desc="" Data0="?:\*" />
        </Group>
        <Group Name="Install global hook (Prompt and Block)" ModeID="1">
            <Rule SearchGlobal="1" SubType="32" IncludeSub="1" Action="65499" Log="32" Ask="65279" CheckCommandLine="0" Enabled="0" MD5Check="0" MD5Value="" Desc="" Data0="?:\*" />
        </Group>
        <Group Name="Access to physical memory (Prompt and Block)" ModeID="1">
            <Rule SearchGlobal="1" SubType="4" IncludeSub="1" Action="65531" Log="4" Ask="65279" CheckCommandLine="0" Enabled="0" MD5Check="0" MD5Value="" Desc="" Data0="?:\*" />
        </Group>
        <Group Name="Low-Level disk operation (Prompt and Block)" ModeID="1">
            <Rule SearchGlobal="1" SubType="128" IncludeSub="1" Action="65403" Log="128" Ask="65279" CheckCommandLine="0" Enabled="0" MD5Check="0" MD5Value="" Desc="" Data0="?:\*" />
        </Group>
        <Group Name="Debug at system level (Prompt and Block)" ModeID="1">
            <Rule SearchGlobal="1" SubType="16384" IncludeSub="1" Action="34683" Log="16384" Ask="65279" CheckCommandLine="0" Enabled="0" MD5Check="0" MD5Value="" Desc="" Data0="?:\*" />
        </Group>
        <Group Name="Shutdown-Restart System (Prompt and Block)" ModeID="1">
            <Rule SearchGlobal="1" SubType="2048" IncludeSub="1" Action="63355" Log="2048" Ask="65279" CheckCommandLine="0" Enabled="0" MD5Check="0" MD5Value="" Desc="" Data0="?:\*" />
        </Group>
        <Group Name="Imitate a keyboard or mouse (Prompt and Block)" ModeID="1">
            <Rule SearchGlobal="1" SubType="32768" IncludeSub="1" Action="1915" Log="32768" Ask="65279" CheckCommandLine="0" Enabled="0" MD5Check="0" MD5Value="" Desc="" Data0="?:\*" />
        </Group>
        <Group Name="Modify system time (Prompt and Block)" ModeID="1">
            <Rule SearchGlobal="1" SubType="8192" IncludeSub="1" Action="51067" Log="8192" Ask="65279" CheckCommandLine="0" Enabled="0" MD5Check="0" MD5Value="" Desc="" Data0="?:\*" />
        </Group>
        <Group Name="Log Keystrokes (Prompt and Block)" ModeID="1">
            <Rule SearchGlobal="1" SubType="4096" IncludeSub="1" Action="59259" Log="4096" Ask="65279" CheckCommandLine="0" Enabled="0" MD5Check="0" MD5Value="" Desc="" Data0="?:\*" />
        </Group>
        <Rule Data0="*" Type="1" />
        <Rule SubType="65535" IncludeSub="1" Action="65535" Log="65279" Ask="65279" Data0="*" Type="2" />
    </Rule>
    <Rule Type="WatchReg">
        <Rule Data0="*" Type="1" />
        <Rule SubType="7" IncludeSub="1" Action="7" Log="0" Ask="0" Data0="*" Type="2" />
    </Rule>
    <Rule Type="WatchFile">
        <Rule Data0="*" Type="1" />
        <Rule SubType="15" IncludeSub="1" Action="15" Log="0" Ask="0" Data0="*" Type="2" />
    </Rule>
</EQSysSecureDat>

This little one is if you want to keep TaskManager enabled but don't want your weird friends to terminate displayed processes (I don't remember if it was included in my latest released ruleset, sorry):

Code:

<EQSysSecureDat Version="2">
    <Rule Type="WatchApp">
        <Group Name="Deny Processes termination via Taskmanager" ModeID="1">
            <Rule SearchGlobal="0" SubType="0" IncludeSub="0" Action="65023" Log="0" Ask="64767" CheckCommandLine="0" Enabled="0" MD5Check="0" MD5Value="" Desc="" Data0="%WinDir%\system32\taskmgr.exe*">
                <Rule SubType="64132" IncludeSub="1" Action="65023" Log="64132" Ask="64767" CheckCommandLine="0" Enabled="0" MD5Check="0" MD5Value="" Desc="" Data0="?:\*" />
            </Rule>
        </Group>
        <Rule Data0="*" Type="1" />
        <Rule SubType="65535" IncludeSub="1" Action="65535" Log="65279" Ask="65279" Data0="*" Type="2" />
    </Rule>
    <Rule Type="WatchReg">
        <Rule Data0="*" Type="1" />
        <Rule SubType="7" IncludeSub="1" Action="7" Log="0" Ask="0" Data0="*" Type="2" />
    </Rule>
    <Rule Type="WatchFile">
        <Rule Data0="*" Type="1" />
        <Rule SubType="15" IncludeSub="1" Action="15" Log="0" Ask="0" Data0="*" Type="2" />
    </Rule>
</EQSysSecureDat>

It must be placed in the Application Rules section of Application Protection Settings too.

 

YEAH!

Excellent more rules of Total Control.

Keep on keeping on, very useful and is adding to this HIPS as more an immovable object against tampering, either externally or internally.

ROCKIN!!!

 

Here's another one I forgot to include in my latest ruleset:

Code:

<EQSysSecureDat Version="2">
    <Rule Type="WatchApp">
        <Rule Data0="*" Type="1" />
        <Rule SubType="65535" IncludeSub="1" Action="65535" Log="65279" Ask="65279" Data0="*" Type="2">
            <Group Name="Executable (Documents and Settings)" ModeID="1">
                <Rule SubType="63621" IncludeSub="1" Action="65534" Log="63621" Ask="65279" CheckCommandLine="0" Enabled="1" MD5Check="0" MD5Value="" Desc="" Data0="%SystemDrive%\Documents and Settings\*.exe" />
            </Group>
        </Rule>
    </Rule>
    <Rule Type="WatchReg">
        <Rule Data0="*" Type="1" />
        <Rule SubType="7" IncludeSub="1" Action="7" Log="0" Ask="0" Data0="*" Type="2" />
    </Rule>
    <Rule Type="WatchFile">
        <Rule Data0="*" Type="1" />
        <Rule SubType="15" IncludeSub="1" Action="15" Log="0" Ask="0" Data0="*" Type="2" />
    </Rule>
</EQSysSecureDat>

This one goes in the Global Rules section of Application Protection Settings. Much more better than the default "Prompt and Allow" and you can leave it always activated.

 

We're on a roll. LoL

Please check your PM box.

EASTER

 

Just to clarify some stuffs, the rules I posted for the application rules sections of application or file protection settings should always be placed below the Default Group:

 

While doing some researches, I found that the following registry entries created/modified by some malwares aren't included in my latest ruleset:

MaxOutstandingConnect
EnableConcurrentSessions

Reg key:
HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Control\Terminal Server
Reg values:
MaxOutstandingConnect
EnableConcurrentSessions
Action:
Prompt and Block for Create, Modify & Delete.

It's a good idea to add them, if not already done.

 

The most recent blacklist rules posted are really good ones overall but i did discover a slight little glitch in at least one of them. I found when you instead UNCHECK the checked "Verify Command-line parameters", any batch files are blocked pronto whereas when checked as set in the rules any batch files just simply ignore the blacklisted rule and runs anyway.

I'm going over them one by one and am absolutely thrilled! If i run across any others that might require attention or tweaking i'll pass it along.

This EQS is the living end of a true HIPS. The potentials are unending and best of all rock solid protection.

Also watch your PM box for my latest personally assembly. I hope you don't mind it's english, sorry for my limitation in dialects.

EASTER

 

EQS 3.41 w/ Alcyon's Super Rules is great no less, but i am having a devil of a time on the very last SCREENSHOT test that shows me a perfect copy every time.

All others are stopped cold in their tracks except this one. Is there a rule or someting thats preventing a 100% PASS in this latest AKLT keylog test?

I also notice EQS 3.41 stops some of Zeman's tests just fine also but right now i want to get to the bottom of the last AKLT screenshot test to knock it out first.

I know for a fact theres a workaround in EQS such as i have rules for a total LockOut of the desktop, but i rather pinch that last pesty test normally if possible.

EASTER

 

ALycon, Easter,

Being the one who posted the first how to of 3.40 (painfully without English help), I am surprised how this security toolbox acquired a bunch of enthousiastic power users.

What I noticed is that Alycon and Easter (of which Alycon is carrying the EQS flag and Easter is whistling the HIPS song) are walking way ahead of the average user.

So I would ask you guys the create a new how to and post it in Castle cops/Wilders

>> explaining hierachy of rules
>> what is a good strategy for procescontrol
a) with execution control
b) with anomaly control (by allowing executiona and load libraries, closing of processes, threads, all others throw up a pop-up and ask permission)
>> what is good startegy for registry control
a) defend all vulnarable keys
b) defend only startup entrie keys (preferably Toni Klein's set)
>> what is a good strategy for file control
a) defend all mutation of executables
b) defend only system critical files

In this way people with a high control ambition (a) or lower control ambition (b) can get starting using EQS.

Next provide a readmap (from high ambition) to use the ultimate control setup (Alycon rules) with some explanation.

In this way more members will become enthousiastic about this fast and furious HIPSbox.

 

Morning Kees

That;s very needed indeed and thanks for that notice of interest on everyone's behalf, because far too many potential users really are missing out on just how useful and formidable EQS really is to a very solid security shield.

I been feverisly studying and constantly going over Alycyon's many different rules for many sleepless nights untill dawn because i seem to get the most of my productive efforts accomplished in the dead of night as compared to the 9-5 daylight shifts most make use of but ofter are rushed or in a in a hurry to either pushed to meet some required deadline or any other distractions whereas at night i can piece by piece every code and silently test the effectiveness without interruptions at all.

And you're so right Kees, more members can benefit from this information and eventually experience and realize that EQS is not as difficult as it seems to be at first glance.

EASTER

 

Never mind.

ADding Online Armor (RUN SAFER) killed screenshot #2 easy.

EASTER

 

Greetings Alcyon,

I see you have updated your drop.io website with a new set of beta rules [13.11.08], can you explain (briefly) the changes between this ruleset and the October ruleset?

Your continual efforts (along with Easter's unending enthusiasm) are very much appreciated by all in getting this program tuned to perfection.

 

Rickster, the goal of this early beta is to offer more protection, less popups, less false-positives, etc. There's new rules and changes almost everywhere. There's also, i presume, many remaining minor bugs to fix. The structure have changed and rules are somewhat more complex... The november ruleset will be replaced pretty soon so I'm always open to suggestions

 

Alcyon is right!

Theres many plenty of even better changes still left in EQS and i'm hard at it myself to find then and compare how useful they really are.

Theres a monster group of very strong protections still to be discovered yet in EQS.

PS: @Alcyon Got some of the what i call the Stop List (blacklist) rules that were evading functioning correctly finally able to put on the brakes where they are neccessary.

EASTER

 

Would you HIPS proponents consider EQS significantly better than other established Classical HIPS products such as SSM , Pro Security (now called something else I realize) or even the recent kid on the block, Malware Defender? Would you say single digit percentage points better or even double digit points? Is it going to offer that much better protection if properly set up than the latter mentioned or only slightly better?

I do appreciate the idea of Alcyon offering a ruleset to "plug in" to the product and away you go, but I would like to figure things out on my own, if possible, and as a result gain a better understanding of how things work. Is the product so difficult to use that someone else's ruleset is required?

I'm curious and may try it out simply for interest sake, though I do like Malware Defender a great deal atm.