EQSecure 3.41 Settings

Discussion in 'other anti-malware software' started by EASTER, Dec 8, 2007.

Thread Status:
Not open for further replies.
  1. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    Re: EQS v3.41 rules

    What I did is block all in the protection mode (Normal mode), and only allow Internet Explorer, MSN Messenger and Windows Media Player; the rest is blocked by default :D Is this OK? Am I doing OK with it? I am a new EQSecure junk user :D
    It is very quiet with no pop-ups; only when something is blocked does a red pop-up let me know about the action.
    Note: I can always go back to the View Log and revert any changes.
     
  2. Alcyon

    Alcyon Registered Member

    Joined:
    Jan 16, 2008
    Posts:
    438
    Location:
    Montréal, Canada
    Concerning the first two rules I posted, I forgot to mention that they must not be used while doing Windows Updates.

    @jmonge, It depends... I need to see all your rules/configurations and the logic behind to say if it's correct.
     
    Last edited: Oct 30, 2008
  3. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    I see, thanks :thumb: So far it is working fine here. No problem, it is fast too :thumb:
     
  4. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    This is what I did with EQSecure:

    Normal Mode:
    execute application: block
    load library file: block
    load driver: block
    access to physical memory: block
    low-level disk operation: block
    create remote thread: block
    modify other processes: block
    terminate/suspend process: block
    shut down/restart system: block
    install global hook: block
    install service or driver: block
    log keystrokes: block
    modify system time: block
    debug at system level: block
    imitate a keyboard or mouse: block

    Apply all this and run EQSecure in Normal mode with Learning mode also enabled
    until I satisfy my taste: I mean, run what I need or usually run, like Internet Explorer, Windows Live Messenger and Windows Media Player, until I don't see any alerts about what is allowed, a kind of whitelist for the 3 apps mentioned above.
    Then untick Learning mode and just leave it in Normal mode with EQSecure
    lockdown L and password protected. So far so good, no problems. Anything new is blocked here :thumb:
    Note: I blocked Windows Updates, which is good; every Tuesday or second Tuesday I check for any updates, allow the update, and then go back to always blocked.
     
    Last edited: Oct 30, 2008
  5. Alcyon

    Alcyon Registered Member

    Joined:
    Jan 16, 2008
    Posts:
    438
    Location:
    Montréal, Canada
    I rarely use Learning mode but it looks like a good strategy (among others), jmonge :thumb:
     
    Last edited: Oct 30, 2008
  6. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    I tested with a lot of stuff and it blocks all with ease and no slowdown; my system feels hardened :D It reminds me of Samurai HIPS :thumb: I love EQSecure already :thumb:
     
  7. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    The Learning mode I only use to allow the apps I use, and then I just go back to Normal mode plus all blocked by default :thumb:
     
  8. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,535
    Location:
    U.S.A. (South)
    Again ;) Yet another undeniable testimony of the versatility and ever-increasing effectiveness of EQS by virtue of Alcyon's Rules.

    And we're not done yet folks. LoL

    EASTER
     
  9. Alcyon

    Alcyon Registered Member

    Joined:
    Jan 16, 2008
    Posts:
    438
    Location:
    Montréal, Canada
    You're reading my mind, EASTER :thumb: I'm still working on an even better ruleset ;)
     
  10. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,535
    Location:
    U.S.A. (South)
    There is not another HIPS that is a GRANITE GEMSTONE like EQS, for sure, Alcyon.

    We're gonna keep it up until we add secret security rules that even the developer wouldn't have conceived. Come to think of it, your rules have been on that enhanced track for quite some time now :D

    You already no doubt reviewed some of my cosmetic language changes before, but if I tap into the alert box GUI in this great app, I intend to enlarge the alert box as well as add extra "controls" for on-the-fly configuring.

    The possibilities are endless.

    EASTER
     
  11. Alcyon

    Alcyon Registered Member

    Joined:
    Jan 16, 2008
    Posts:
    438
    Location:
    Montréal, Canada
    I agree 100% :thumb:

    There's nothing phenomenal about the following rules, but I think it's a good idea to share them too. It's almost all the protection types transferred into the Application Rules section of Application Protection Settings. They are set to "Prompt and Block" and have a higher priority than your Normal or custom modes. Some of you may find that useful, others not. Personally, I keep them always activated and no problems so far:
    Code:
    <EQSysSecureDat Version="2">
        <Rule Type="WatchApp">
            <Group Name="Create remote thread (Prompt and Block)" ModeID="1">
                <Rule SearchGlobal="1" SubType="8" IncludeSub="1" Action="65527" Log="8" Ask="65279" CheckCommandLine="0" Enabled="0" MD5Check="0" MD5Value="" Desc="" Data0="?:\*" />
            </Group>
            <Group Name="Modify memory of other processes (Prompt and Block)" ModeID="1">
                <Rule SearchGlobal="1" SubType="16" IncludeSub="1" Action="65519" Log="16" Ask="65279" CheckCommandLine="0" Enabled="0" MD5Check="0" MD5Value="" Desc="" Data0="?:\*" />
            </Group>
            <Group Name="Terminate-Suspend process (Prompt and Block)" ModeID="1">
                <Rule SearchGlobal="1" SubType="512" IncludeSub="1" Action="65023" Log="512" Ask="65279" CheckCommandLine="0" Enabled="0" MD5Check="0" MD5Value="" Desc="" Data0="?:\*" />
            </Group>
            <Group Name="Terminate-Suspend thread (Prompt and Block)" ModeID="1">
                <Rule SearchGlobal="1" SubType="1024" IncludeSub="1" Action="64511" Log="1024" Ask="65279" CheckCommandLine="0" Enabled="0" MD5Check="0" MD5Value="" Desc="" Data0="?:\*" />
            </Group>
            <Group Name="Install service or driver (Prompt and Block)" ModeID="1">
                <Rule SearchGlobal="1" SubType="64" IncludeSub="1" Action="65471" Log="64" Ask="65279" CheckCommandLine="0" Enabled="0" MD5Check="0" MD5Value="" Desc="" Data0="?:\*" />
            </Group>
            <Group Name="Install global hook (Prompt and Block)" ModeID="1">
                <Rule SearchGlobal="1" SubType="32" IncludeSub="1" Action="65499" Log="32" Ask="65279" CheckCommandLine="0" Enabled="0" MD5Check="0" MD5Value="" Desc="" Data0="?:\*" />
            </Group>
            <Group Name="Access to physical memory (Prompt and Block)" ModeID="1">
                <Rule SearchGlobal="1" SubType="4" IncludeSub="1" Action="65531" Log="4" Ask="65279" CheckCommandLine="0" Enabled="0" MD5Check="0" MD5Value="" Desc="" Data0="?:\*" />
            </Group>
            <Group Name="Low-Level disk operation (Prompt and Block)" ModeID="1">
                <Rule SearchGlobal="1" SubType="128" IncludeSub="1" Action="65403" Log="128" Ask="65279" CheckCommandLine="0" Enabled="0" MD5Check="0" MD5Value="" Desc="" Data0="?:\*" />
            </Group>
            <Group Name="Debug at system level (Prompt and Block)" ModeID="1">
                <Rule SearchGlobal="1" SubType="16384" IncludeSub="1" Action="34683" Log="16384" Ask="65279" CheckCommandLine="0" Enabled="0" MD5Check="0" MD5Value="" Desc="" Data0="?:\*" />
            </Group>
            <Group Name="Shutdown-Restart System (Prompt and Block)" ModeID="1">
                <Rule SearchGlobal="1" SubType="2048" IncludeSub="1" Action="63355" Log="2048" Ask="65279" CheckCommandLine="0" Enabled="0" MD5Check="0" MD5Value="" Desc="" Data0="?:\*" />
            </Group>
            <Group Name="Imitate a keyboard or mouse (Prompt and Block)" ModeID="1">
                <Rule SearchGlobal="1" SubType="32768" IncludeSub="1" Action="1915" Log="32768" Ask="65279" CheckCommandLine="0" Enabled="0" MD5Check="0" MD5Value="" Desc="" Data0="?:\*" />
            </Group>
            <Group Name="Modify system time (Prompt and Block)" ModeID="1">
                <Rule SearchGlobal="1" SubType="8192" IncludeSub="1" Action="51067" Log="8192" Ask="65279" CheckCommandLine="0" Enabled="0" MD5Check="0" MD5Value="" Desc="" Data0="?:\*" />
            </Group>
            <Group Name="Log Keystrokes (Prompt and Block)" ModeID="1">
                <Rule SearchGlobal="1" SubType="4096" IncludeSub="1" Action="59259" Log="4096" Ask="65279" CheckCommandLine="0" Enabled="0" MD5Check="0" MD5Value="" Desc="" Data0="?:\*" />
            </Group>
            <Rule Data0="*" Type="1" />
            <Rule SubType="65535" IncludeSub="1" Action="65535" Log="65279" Ask="65279" Data0="*" Type="2" />
        </Rule>
        <Rule Type="WatchReg">
            <Rule Data0="*" Type="1" />
            <Rule SubType="7" IncludeSub="1" Action="7" Log="0" Ask="0" Data0="*" Type="2" />
        </Rule>
        <Rule Type="WatchFile">
            <Rule Data0="*" Type="1" />
            <Rule SubType="15" IncludeSub="1" Action="15" Log="0" Ask="0" Data0="*" Type="2" />
        </Rule>
    </EQSysSecureDat>
    
    This little one is if you want to keep TaskManager enabled but don't want your weird friends to terminate displayed processes (I don't remember if it was included in my latest released ruleset, sorry):
    Code:
    <EQSysSecureDat Version="2">
        <Rule Type="WatchApp">
            <Group Name="Deny Processes termination via Taskmanager" ModeID="1">
                <Rule SearchGlobal="0" SubType="0" IncludeSub="0" Action="65023" Log="0" Ask="64767" CheckCommandLine="0" Enabled="0" MD5Check="0" MD5Value="" Desc="" Data0="%WinDir%\system32\taskmgr.exe*">
                    <Rule SubType="64132" IncludeSub="1" Action="65023" Log="64132" Ask="64767" CheckCommandLine="0" Enabled="0" MD5Check="0" MD5Value="" Desc="" Data0="?:\*" />
                </Rule>
            </Group>
            <Rule Data0="*" Type="1" />
            <Rule SubType="65535" IncludeSub="1" Action="65535" Log="65279" Ask="65279" Data0="*" Type="2" />
        </Rule>
        <Rule Type="WatchReg">
            <Rule Data0="*" Type="1" />
            <Rule SubType="7" IncludeSub="1" Action="7" Log="0" Ask="0" Data0="*" Type="2" />
        </Rule>
        <Rule Type="WatchFile">
            <Rule Data0="*" Type="1" />
            <Rule SubType="15" IncludeSub="1" Action="15" Log="0" Ask="0" Data0="*" Type="2" />
        </Rule>
    </EQSysSecureDat>
    It must be placed in the Application Rules section of Application Protection Settings too.
     
  12. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,535
    Location:
    U.S.A. (South)
    YEAH!

    Excellent more rules of Total Control.

    Keep on keeping on, very useful, and it is making this HIPS more of an immovable object against tampering, either external or internal.

    ROCKIN!!! :argh: :thumb:
     
  13. Alcyon

    Alcyon Registered Member

    Joined:
    Jan 16, 2008
    Posts:
    438
    Location:
    Montréal, Canada
    Here's another one I forgot to include in my latest ruleset:
    Code:
    <EQSysSecureDat Version="2">
        <Rule Type="WatchApp">
            <Rule Data0="*" Type="1" />
            <Rule SubType="65535" IncludeSub="1" Action="65535" Log="65279" Ask="65279" Data0="*" Type="2">
                <Group Name="Executable (Documents and Settings)" ModeID="1">
                    <Rule SubType="63621" IncludeSub="1" Action="65534" Log="63621" Ask="65279" CheckCommandLine="0" Enabled="1" MD5Check="0" MD5Value="" Desc="" Data0="%SystemDrive%\Documents and Settings\*.exe" />
                </Group>
            </Rule>
        </Rule>
        <Rule Type="WatchReg">
            <Rule Data0="*" Type="1" />
            <Rule SubType="7" IncludeSub="1" Action="7" Log="0" Ask="0" Data0="*" Type="2" />
        </Rule>
        <Rule Type="WatchFile">
            <Rule Data0="*" Type="1" />
            <Rule SubType="15" IncludeSub="1" Action="15" Log="0" Ask="0" Data0="*" Type="2" />
        </Rule>
    </EQSysSecureDat>
    This one goes in the Global Rules section of Application Protection Settings. Much better than the default "Prompt and Allow", and you can leave it always activated.
     
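    The rules in the two posts above (the "Prompt and Block" application rules and the Global Rules entry for executables under Documents and Settings) encode their decisions as 16-bit masks in the SubType, Action, Ask and Log attributes. The following decoder is an added example, not EQSecure's own code and not part of Alcyon's rulesets. The mask semantics it applies are inferred from the posted values and are assumptions: SubType selects the watched protection types; in Action a set bit allows and a cleared bit blocks (every posted "Prompt and Block" rule carries Action = 65535 with its own SubType bit cleared, and the Task Manager rule clears exactly the terminate bit 512); in Ask and Log a set bit means prompt or log. The bit-to-name table is taken from the SubType values paired with the group names posted above; bit 1 is assumed to be "execute application" because the *.exe rule clears exactly that bit, and bits 2 and 256 are never named in the thread. The embedded sample is a constructed excerpt that merges four of the posted rules into one file with unread attributes trimmed.

```python
"""Decode SubType/Action/Ask/Log bit masks in EQSecure (EQSysSecureDat v2) rules.

Added example, not part of EQSecure or of the rulesets posted in this thread.
Mask semantics are inferred from the posted values (assumption, not documented):
  * SubType: 16-bit mask of the protection types the rule watches.
  * Action: set bit = allow, cleared bit = block (each posted "Prompt and Block"
    rule has Action == 0xFFFF with its own SubType bit cleared).  Action bits
    outside SubType are ignored here.
  * Ask / Log: set bit = prompt / write a log entry for that type.
"""
import xml.etree.ElementTree as ET

# Bit values and names from the SubType attributes and Group names posted above.
# Bit 1 is assumed to be "execute application" (the *.exe rule clears exactly it);
# bits 2 and 256 are never named in the thread and are reported as unnamed.
TYPE_NAMES = {
    1: "execute application (assumed)", 4: "access to physical memory",
    8: "create remote thread", 16: "modify memory of other processes",
    32: "install global hook", 64: "install service or driver",
    128: "low-level disk operation", 512: "terminate/suspend process",
    1024: "terminate/suspend thread", 2048: "shutdown/restart system",
    4096: "log keystrokes", 8192: "modify system time",
    16384: "debug at system level", 32768: "imitate a keyboard or mouse",
}
BITS = [1 << i for i in range(16)]

def type_name(bit):
    return TYPE_NAMES.get(bit, f"unnamed bit {bit}")

def decisions(subtype, action, ask):
    """Map each watched type to Allow/Block, prefixed with 'Prompt and' if Ask is set."""
    out = {}
    for bit in BITS:
        if subtype & bit:                      # only watched types get a verdict
            verdict = "Allow" if action & bit else "Block"
            out[type_name(bit)] = ("Prompt and " + verdict) if ask & bit else verdict
    return out

def decode_rule(rule, group, process=None):
    attr = lambda k: int(rule.get(k, "0"))
    return {
        "group": group,
        "process": process,                    # set only for per-process (nested) rules
        "target": rule.get("Data0"),
        "decisions": decisions(attr("SubType"), attr("Action"), attr("Ask")),
        "logged": [type_name(b) for b in BITS if attr("SubType") & attr("Log") & b],
    }

def decode_ruleset(xml_text):
    """Decode every Group in the WatchApp section, in document order."""
    app = ET.fromstring(xml_text).find("Rule[@Type='WatchApp']")
    entries = []
    for group in app.iter("Group"):            # iter() also reaches Groups nested under the default rule
        for rule in group.findall("Rule"):
            children = rule.findall("Rule")    # outer Rule = process, inner Rules = its targets
            if children:
                entries += [decode_rule(c, group.get("Name"), rule.get("Data0")) for c in children]
            else:
                entries.append(decode_rule(rule, group.get("Name")))
    return entries

def blocked_types(entry):
    return sorted(n for n, v in entry["decisions"].items() if v.endswith("Block"))

# Constructed excerpt: four rules from the two posts above merged into one file,
# with the attributes this decoder does not read (MD5*, Desc, ...) trimmed.
SAMPLE = r"""<EQSysSecureDat Version="2">
  <Rule Type="WatchApp">
    <Group Name="Create remote thread (Prompt and Block)" ModeID="1">
      <Rule SubType="8" IncludeSub="1" Action="65527" Log="8" Ask="65279" Data0="?:\*" />
    </Group>
    <Group Name="Install global hook (Prompt and Block)" ModeID="1">
      <Rule SubType="32" IncludeSub="1" Action="65499" Log="32" Ask="65279" Data0="?:\*" />
    </Group>
    <Group Name="Deny Processes termination via Taskmanager" ModeID="1">
      <Rule SubType="0" Action="65023" Log="0" Ask="64767" Data0="%WinDir%\system32\taskmgr.exe*">
        <Rule SubType="64132" IncludeSub="1" Action="65023" Log="64132" Ask="64767" Data0="?:\*" />
      </Rule>
    </Group>
    <Rule Data0="*" Type="1" />
    <Rule SubType="65535" IncludeSub="1" Action="65535" Log="65279" Ask="65279" Data0="*" Type="2">
      <Group Name="Executable (Documents and Settings)" ModeID="1">
        <Rule SubType="63621" IncludeSub="1" Action="65534" Log="63621" Ask="65279" Data0="%SystemDrive%\Documents and Settings\*.exe" />
      </Group>
    </Rule>
  </Rule>
</EQSysSecureDat>"""

if __name__ == "__main__":
    for e in decode_ruleset(SAMPLE):
        where = f"{e['process']} -> {e['target']}" if e["process"] else e["target"]
        print(f"[{e['group']}] {where}")
        for name, verdict in e["decisions"].items():
            print(f"    {verdict:17} {name}")
```

    Run against a full exported ruleset, the table it prints shows two things the raw XML hides: the extra cleared Action bits in rules such as "Install global hook" (Action 65499 also clears bit 4) fall outside those rules' SubType and so change nothing, and the Task Manager rule watches eight types but blocks only process termination, silently, while the rest stay "Prompt and Allow" like the default rule. Treat the decoded verdicts as a reading aid, not as a substitute for testing the rules on the machine.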
  14. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,535
    Location:
    U.S.A. (South)
    We're on a roll. LoL ;)

    Please check your PM box.

    EASTER
     
  15. Alcyon

    Alcyon Registered Member

    Joined:
    Jan 16, 2008
    Posts:
    438
    Location:
    Montréal, Canada
    Just to clarify some things: the rules I posted for the Application Rules sections of Application or File Protection Settings should always be placed below the Default Group:
     

    Attached file: eqex.png
  16. Alcyon

    Alcyon Registered Member

    Joined:
    Jan 16, 2008
    Posts:
    438
    Location:
    Montréal, Canada
    While doing some research, I found that the following registry entries created/modified by some malware aren't included in my latest ruleset:

    MaxOutstandingConnect
    EnableConcurrentSessions

    Reg key:
    HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Control\Terminal Server
    Reg values:
    MaxOutstandingConnect
    EnableConcurrentSessions
    Action:
    Prompt and Block for Create, Modify & Delete.

    It's a good idea to add them, if not already done.
     
    Last edited: Nov 1, 2008
  17. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,535
    Location:
    U.S.A. (South)
    The most recent blacklist rules posted are really good ones overall, but I did discover a slight little glitch in at least one of them. I found that when you instead UNCHECK the checked "Verify Command-line parameters", any batch files are blocked pronto, whereas when it is checked as set in the rules, any batch files simply ignore the blacklisted rule and run anyway.

    I'm going over them one by one and am absolutely thrilled! If I run across any others that might require attention or tweaking, I'll pass it along.

    This EQS is the living end of a true HIPS. The potential is unending and, best of all, rock-solid protection.

    Also watch your PM box for my latest personal assembly. I hope you don't mind that it's English; sorry for my limitation in dialects.

    EASTER
     

    Attached files: 1.jpg, 2.jpg, 3.jpg
  18. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,535
    Location:
    U.S.A. (South)
    EQS 3.41 w/ Alcyon's Super Rules is great no less, but I am having a devil of a time on the very last SCREENSHOT test, which shows me a perfect copy every time.

    All others are stopped cold in their tracks except this one. Is there a rule or something that's preventing a 100% PASS in this latest AKLT keylog test?

    I also notice EQS 3.41 stops some of Zeman's tests just fine too, but right now I want to get to the bottom of the last AKLT screenshot test to knock it out first.

    I know for a fact there's a workaround in EQS, such as I have rules for a total LockOut of the desktop, but I'd rather pinch that last pesky test normally if possible.

    EASTER
     
  19. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Alcyon, Easter,

    Being the one who posted the first how-to of 3.40 (painfully, without English help), I am surprised how this security toolbox acquired a bunch of enthusiastic power users.

    What I noticed is that Alcyon and Easter (of which Alcyon is carrying the EQS flag and Easter is whistling the HIPS song) are walking way ahead of the average user.

    So I would ask you guys to create a new how-to and post it in Castle Cops/Wilders

    >> explaining the hierarchy of rules
    >> what is a good strategy for process control
    a) with execution control
    b) with anomaly control (by allowing execution and load libraries, closing of processes, threads; all others throw up a pop-up and ask permission)
    >> what is a good strategy for registry control
    a) defend all vulnerable keys
    b) defend only startup entry keys (preferably Toni Klein's set)
    >> what is a good strategy for file control
    a) defend all mutation of executables
    b) defend only system-critical files

    In this way people with a high control ambition (a) or lower control ambition (b) can get started using EQS.

    Next, provide a roadmap (from high ambition) to use the ultimate control setup (Alcyon rules) with some explanation.

    In this way more members will become enthusiastic about this fast and furious HIPS box.
     
  20. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,535
    Location:
    U.S.A. (South)
    Morning Kees

    That's very needed indeed, and thanks for that notice of interest on everyone's behalf, because far too many potential users really are missing out on just how useful and formidable EQS really is as a very solid security shield.

    I have been feverishly studying and constantly going over Alcyon's many different rules for many sleepless nights until dawn, because I seem to get the most of my productive efforts accomplished in the dead of night, as compared to the 9-5 daylight shifts most make use of, which are often rushed or in a hurry, either pushed to meet some required deadline or by other distractions; whereas at night I can go piece by piece through every code and silently test the effectiveness without interruptions at all.

    And you're so right, Kees: more members can benefit from this information and eventually experience and realize that EQS is not as difficult as it seems to be at first glance.

    EASTER
     
  21. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,535
    Location:
    U.S.A. (South)
    Never mind.

    Adding Online Armor (RUN SAFER) killed screenshot #2 easily.

    EASTER
     
  22. Rickster100

    Rickster100 Registered Member

    Joined:
    Sep 29, 2005
    Posts:
    152
    Location:
    United Kingdom
    Greetings Alcyon,

    I see you have updated your drop.io website with a new set of beta rules [13.11.08], can you explain (briefly) the changes between this ruleset and the October ruleset?

    Your continual efforts (along with Easter's unending enthusiasm) are very much appreciated by all in getting this program tuned to perfection. :) :thumb:
     
  23. Alcyon

    Alcyon Registered Member

    Joined:
    Jan 16, 2008
    Posts:
    438
    Location:
    Montréal, Canada
    Rickster, the goal of this early beta is to offer more protection, fewer popups, fewer false positives, etc. There are new rules and changes almost everywhere. There are also, I presume, many remaining minor bugs to fix. The structure has changed and the rules are somewhat more complex... The November ruleset will be replaced pretty soon, so I'm always open to suggestions ;)
     
  24. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,535
    Location:
    U.S.A. (South)
    Alcyon is right!

    There are plenty of even better changes still left in EQS, and I'm hard at it myself to find them and compare how useful they really are.

    There's a monster group of very strong protections still to be discovered in EQS.

    PS: @Alcyon Got some of what I call the Stop List (blacklist) rules that were evading functioning correctly finally able to put on the brakes where they are necessary.

    EASTER
     
  25. wat0114

    wat0114 Guest

    Would you HIPS proponents consider EQS significantly better than other established Classical HIPS products such as SSM , Pro Security (now called something else I realize) or even the recent kid on the block, Malware Defender? Would you say single digit percentage points better or even double digit points? Is it going to offer that much better protection if properly set up than the latter mentioned or only slightly better?

    I do appreciate the idea of Alcyon offering a ruleset to "plug in" to the product and away you go, but I would like to figure things out on my own, if possible, and as a result gain a better understanding of how things work. Is the product so difficult to use that someone else's ruleset is required?

    I'm curious and may try it out simply for interest sake, though I do like Malware Defender a great deal atm.
     
    Last edited by a moderator: Nov 14, 2008