EQSecure 3.41 Settings

Discussion in 'other anti-malware software' started by EASTER, Dec 8, 2007.

Thread Status:
Not open for further replies.
  1. Alcyon

    Alcyon Registered Member

    Joined:
    Jan 16, 2008
    Posts:
    438
    Location:
    Montréal, Canada
    Here's another beta:

    eqsecure.v3.41.winxp.rules.beta.v1.35.081230-exp.zip

    This is a non-beta release candidate ;)

    http://drop.io/eqsecure
     
  2. yudigadget

    yudigadget Registered Member

    Joined:
    Dec 30, 2008
    Posts:
    42
    Currently I work at 2 different companies; each company has about 20-30 computers, so I must set up the best protection. It really wastes my time if some computers get infected by a virus.
    Right now I'm trying to set up EQSecure to work with BLOCK all, but allow some.
    So each employee cannot run anything that is not listed in EQSecure, which reduces the possibility of a computer getting infected with a virus/trojan/worm/etc. They cannot play games either! :) Sometimes they run games from a flash disk.

    Do you have basic settings to allow the general trusted Windows processes, including access to the Windows registry?
    So I can just use that basic setting and add some applications to allow... well, I hope that's the best protection.

    I don't think I need all of Alcyon's rulesets for this case, because Alcyon's ruleset is suitable for the case Allow All, but deny Some.

    Actually, right now, with my ruleset, I can start Windows normally, restart/shutdown, run Firefox, Windows Explorer, IZArc, Imagine, Media Player Classic, OpenOffice 3, Unlocker, dictionary, Paint.NET without any problem.
    And I cannot run any untrusted application (exe, vbs, etc.) from anywhere.
     
  3. Alcyon

    Alcyon Registered Member

    Joined:
    Jan 16, 2008
    Posts:
    438
    Location:
    Montréal, Canada
    Not exactly true. It's more Allow some, deny many.

    You could try the lock mode feature of EQSecure ;)
    Yes, I have some trusted processes (System Bypass in medium priority rules).
     
  4. Alcyon

    Alcyon Registered Member

    Joined:
    Jan 16, 2008
    Posts:
    438
    Location:
    Montréal, Canada
    Here's the final (non-beta). It works like a charm:

    eqsecure.v3.41.winxp.rules.v20081230-exp.zip

    http://drop.io/eqsecure

    This is a major update.

    Enjoy,

    ~Alcyon~.
     
  5. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Interesting.

    The main gist of the rules strengthens DENY MORE areas of potential malicious penetration as I found them.

    Heck, you can configure Alcyon's Rules to work better than Windows' own SRP! A very big bonus!

    EASTER
     
  6. yudigadget

    yudigadget Registered Member

    Joined:
    Dec 30, 2008
    Posts:
    42
    Alcyon,
    Protection Mode: (Normal Mode) - Execute application, I set BLOCK.
    I am wondering about Application Protection Settings - Application Rules, subprocess of winlogon.exe: %WinDir%\system32\logonui.exe
    Why did you just set Allow for Modify memory of other processes?
    Because if I don't change Execute Application from Ignore to Allow, logonui.exe cannot work, so it cannot display the default Windows XP logon interface, but displays a box with Username and Password (like the Windows 2000 style).

    Well, I think in your case logonui.exe still works, because in Protection Mode you set Execute application to Allow.

    Thanks for sharing.
     
  7. yudigadget

    yudigadget Registered Member

    Joined:
    Dec 30, 2008
    Posts:
    42
    Would you help me to understand EQSecure more deeply:
    1. What does Ignore mean in EQSecure? (at parent process and child/sub-process)
    2. What is the difference between Global Rules and Application Rules? AFAIK, Blacklist is the highest check control, am I right?
    3. When/in what case must I put a rule in Global Rules or Application Rules?
    4. What are ? and *, and are there others?
    %WinDir%\system32\wgatray.exe?*
    %WinDir%\system32\wgatray.exe*
    and in other settings (command variable)

    Other case:
    %SystemDrive%\*\update\*.exe?*
    then you have sub-process: *

    What does the lone * mean? Does that mean "anything"?
    5. On %WinDir%\system32\wgatray.exe*, how do you know you need to allow access to physical memory and ignore the others?

    Thanks
     
  8. hammerman

    hammerman Registered Member

    Joined:
    Jul 14, 2007
    Posts:
    283
    Location:
    UK
    I also have my eyes on MD but I have an issue with performance. I use EQS to prevent read access to e-mails and address books and other confidential information. With EQS this works well. When I last used MD, there was a noticeable drop in performance when any read blocking rules were added. There have been a few updates since I last tried it so things may have improved.

    I find EQS to be ideal for supporting OA and providing the missing file/registry protection. Application protection by EQS is fairly loose as this is well covered by OA.
     
  9. Alcyon

    Alcyon Registered Member

    Joined:
    Jan 16, 2008
    Posts:
    438
    Location:
    Montréal, Canada
    Anyone else having the same issue?

    1- Ignore means that the specific operation will be ignored and the next rule that follows will be scanned. "Allow" has a higher priority than "Ignore".

    2- Global rules are low-priority rules, application rules are medium-priority rules and blacklist rules are the high-priority ones. It's the highest priority first.
    Custom Modes, including the normal mode, can be considered as very-low priority rules.

    3- By answering "Allow", "Block" & "remember this action", the application rules will grow by themselves. The rules will be in "Default Group". It's the location of your whitelisted and blacklisted operations.

    4- ? and * are wildcards. ? means "at least one character" and * "zero or more characters".

    5- All the rules affect each other. Every rule has its reasons ;)

    Alcyon.

    Edit: clarifications.
     
    Last edited: Dec 31, 2008
  10. Alcyon

    Alcyon Registered Member

    Joined:
    Jan 16, 2008
    Posts:
    438
    Location:
    Montréal, Canada
    @ yudigadget, I just want to add that in EQS, the asterisk can be used as a regular expression and as a way to tell EQS that a rule is valid.
     
    Last edited: Dec 31, 2008
  11. yudigadget

    yudigadget Registered Member

    Joined:
    Dec 30, 2008
    Posts:
    42
    2009-01-06 12:25:24 Create Files Action:Block
    Application Path:C:\WINDOWS\system32\spoolsv.exe
    File Path:C:\WINDOWS\System32\spool\drivers\W32X86\3\Old\1
    Rules:All Application Rules->System32 (New Folder)->%WinDir%\System32\*\*\*\*\*\*


    2009-01-06 12:25:28 Create Files Action:Block
    Application Path:C:\WINDOWS\system32\spoolsv.exe
    File Path:C:\WINDOWS\System32\spool\drivers\W32X86\3\Old\2
    Rules:All Application Rules->System32 (New Folder)->%WinDir%\System32\*\*\*\*\*\*


    2009-01-06 12:25:58 Create Files Action:Block
    Application Path:C:\WINDOWS\system32\spoolsv.exe
    File Path:C:\WINDOWS\System32\spool\drivers\W32X86\3\Old\3
    Rules:All Application Rules->System32 (New Folder)->%WinDir%\System32\*\*\*\*\*\*


    2009-01-06 12:26:28 Create Files Action:Block
    Application Path:C:\WINDOWS\system32\spoolsv.exe
    File Path:C:\WINDOWS\System32\spool\drivers\W32X86\3\Old\4
    Rules:All Application Rules->System32 (New Folder)->%WinDir%\System32\*\*\*\*\*\*

    ... until about 100
    File Path:C:\WINDOWS\System32\spool\drivers\W32X86\3\Old\99

    Do I need to allow these actions (create file)?
    This happens after printing.
     
  12. yudigadget

    yudigadget Registered Member

    Joined:
    Dec 30, 2008
    Posts:
    42
    Last edited: Jan 9, 2009
  13. Alcyon

    Alcyon Registered Member

    Joined:
    Jan 16, 2008
    Posts:
    438
    Location:
    Montréal, Canada
    @ Yudigadget, spoolsv.exe is creating inoffensive folders, so it's safe to allow these operations.

    There's no problem making whitelist groups in global rules (low-priority rules), it's your personal choice, but it's preferable to put them in the blacklist section (which in reality is high-priority rules and can be used for whitelists as well). If you want to deal with child processes, the easiest way is to put your rules in the auto-generated "default group" of the medium-priority section.
     
    Last edited: Jan 11, 2009
  14. Alcyon

    Alcyon Registered Member

    Joined:
    Jan 16, 2008
    Posts:
    438
    Location:
    Montréal, Canada
    Here's another ruleset fresh from the oven ;)

    eqsecure.v3.41.winxp.rules.v1.36.0111-exp.zip

    What's new:

    - Added low, medium & high priority rules
    - File protection rules almost rewritten from scratch.
    - Minor fixes, etc.

    ~Alcyon~.
     
  15. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    Will it remove the Spanish and Windows Starter Edition from my unallocated HD space?
    Thanks for the updates Alcyon.
     
  16. Alcyon

    Alcyon Registered Member

    Joined:
    Jan 16, 2008
    Posts:
    438
    Location:
    Montréal, Canada
    @ Searching, I don't quite understand the question. Can you be more specific? HIPS have nothing to do with removal of file residues.
     
  17. Alcyon

    Alcyon Registered Member

    Joined:
    Jan 16, 2008
    Posts:
    438
    Location:
    Montréal, Canada
    Alternate Data Streams

    Here are 3 simple file protection rules for Alternate Data Streams I made for EQS:

    1- Alternate Data Stream (Create)
    2- Alternate Data Stream (Modify)


    Code:
    <EQSysSecureDat Version="2">
        <Rule Type="WatchApp">
            <Rule Data0="*" Type="1" />
            <Rule SubType="65535" IncludeSub="1" Action="65535" Log="65279" Ask="65279" Data0="*" Type="2" />
        </Rule>
        <Rule Type="WatchReg">
            <Rule Data0="*" Type="1" />
            <Rule SubType="7" IncludeSub="1" Action="7" Log="0" Ask="0" Data0="*" Type="2" />
        </Rule>
        <Rule Type="WatchFile">
            <Rule Data0="*" Type="1" />
            <Rule SubType="15" IncludeSub="1" Action="15" Log="0" Ask="0" Data0="*" Type="2">
                <Group Name="Alternate Data Stream (Create)" ModeID="1">
                    <Rule SubType="1" IncludeSub="1" Action="10" Log="1" Ask="13" ExcludeDirectory="0" Enabled="0" MD5Check="0" MD5Value="" Desc="" Data0="?:\*:*.???" />
                </Group>
                <Group Name="Alternate Data Stream (Modify)" ModeID="1">
                    <Rule SubType="4" IncludeSub="1" Action="11" Log="4" Ask="13" ExcludeDirectory="0" Enabled="0" MD5Check="0" MD5Value="" Desc="" Data0="?:\*:*.???" />
                </Group>
            </Rule>
        </Rule>
    </EQSysSecureDat>
    Those two rules have to be placed in the global rules section of file protection settings as the first rules.
    They will work for all drives.

    3- Block Alternate Data Stream Creation (All Drives)

    Code:
    <EQSysSecureDat Version="2">
        <Rule Type="WatchApp">
            <Rule Data0="*" Type="1" />
            <Rule SubType="65535" IncludeSub="1" Action="65535" Log="65279" Ask="65279" Data0="*" Type="2" />
        </Rule>
        <Rule Type="WatchReg">
            <Rule Data0="*" Type="1" />
            <Rule SubType="7" IncludeSub="1" Action="7" Log="0" Ask="0" Data0="*" Type="2" />
        </Rule>
        <Rule Type="WatchFile">
            <Rule Data0="*" Type="1">
                <Group Name="Block Alternate Data Stream Creation (All Drives)" ModeID="1">
                    <Rule SubType="1" IncludeSub="1" Action="14" Log="1" Ask="12" ExcludeDirectory="0" Enabled="0" MD5Check="0" MD5Value="" Desc="Files and folders" Data0="?:\*:*.???" />
                </Group>
            </Rule>
            <Rule SubType="15" IncludeSub="1" Action="15" Log="0" Ask="0" Data0="*" Type="2" />
        </Rule>
    </EQSysSecureDat>
    This rule has to be placed in the blacklist section of file protection settings.

    You must copy/paste the code (separately) into a text editor, save it as an XML and import it in EQS.

    If everything goes well with those three rules, they will appear in my next ruleset. If there's something wrong with them, please report it.

    Those three rules will work for ADS created on files and folders. They are disabled by default.
     
    Last edited: Jan 12, 2009
  18. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Hammerman I have good news for you.

    a) When you use DefenseWall, Ilya has implemented resource protection of your e-mail directory and WAB book, meaning untrusted processes have no access to this (it was a former extra rule I had created with resource protection; it is now a default rule).

    b) With newest MD (beta 2), you get additional outbound protection

    c) With the newest OA beta 3.1 you also have autostart protection with the free version.

    d) When you have OA paid, just select this feature of OA-paid
    - choose NOT to be warned when an unknown program runs (that is the whole point of having DW)
    - select the sub choice to RUN unknown programs as SAFER. This will provide the limited user file and registry protection with no pop-ups.

    So when you have OA paid, you really do not need EQS or Malware Defender for file and registry protection, because OA + DW cover a lot of ground (with the experts having made the choices for you).

    When you run OA free, you might consider MD V2: I have it running to allow executions, process creation, message sending and data access of other programs (all others are set to ask). This will greatly reduce pop-ups, providing excellent protection still.

    I have MD and limited the access of registry and files for Iron (to a few selected keys and one download directory plus the Chromium data directory and temporary IE directory), while it runs in a policy sandbox.

    I use IE7 for normal browsing and Iron for tricky browsing. Fast and SAFE.
     
  19. Alcyon

    Alcyon Registered Member

    Joined:
    Jan 16, 2008
    Posts:
    438
    Location:
    Montréal, Canada
    @ Kees1958,

    Hmm... I'm afraid you're posting in the wrong thread. This thread is for EQS rules, not for promoting other HIPS for unknown reasons.
    If you have something to promote, it's preferable to do it via PMs, start a new thread or use an already existing one related to the product in question.

    Have a nice day,

    Alcyon.
     
  20. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Instant Karma again Alcyon!

    I have been experimenting with ADS by forming some on Notepad etc. in the Windows folder and making them launch an .exe like rootkit-type malware hiders implement.

    Your NEW rules are Brilliant against this technique. Many thanks and keep up the superb work.

    Remember! There's plenty more protections to be discovered. The possibilities are many.

    EASTER
     
  21. Alcyon

    Alcyon Registered Member

    Joined:
    Jan 16, 2008
    Posts:
    438
    Location:
    Montréal, Canada
    Joining executables with folders is weird too. While in the cmd prompt, write:
    Code:
    type c:\windows\notepad.exe > c:\:notepad.exe
    start c:\:notepad.exe
    To make an application rule for ADS, e.g. "Executable (Alternate Data Stream)", you could use:
    Code:
    ?:\*:*.???
    include all files in this folder=enabled
    run cmd var check=disabled
     
    Last edited: Jan 13, 2009
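    Alcyon's wildcard semantics from post 9 (? is at least one character, * is zero or more), the priority tiers with Ignore falling through to the next rule from the same post, and the ADS path pattern ?:\*:*.??? from posts 17 and 21, pulled together as an added example that is not part of the thread or of EQS itself: a small Python matcher that evaluates constructed rules against paths quoted in this thread. The %WinDir% value, the low-priority Allow rule and the assumption that wildcards may span backslashes are mine, not EQS behaviour confirmed by the thread.

```python
import re

# Placeholder expansion for the %WinDir%/%SystemDrive% variables seen in the
# thread's rules; values are constructed for a default XP install (assumption).
ENV = {"%WinDir%": r"C:\WINDOWS", "%SystemDrive%": "C:"}

def eqs_pattern_to_regex(pattern):
    """EQS-style wildcards as Alcyon describes them: '?' is at least one
    character, '*' is zero or more. Assumed: both may span '\\' separators."""
    for var, value in ENV.items():
        pattern = pattern.replace(var, value)
    parts = [".+" if c == "?" else ".*" if c == "*" else re.escape(c)
             for c in pattern]
    return re.compile("".join(parts) + r"\Z", re.IGNORECASE)

# Priority tiers, highest first: blacklist (high), application rules (medium),
# global rules (low). The protection-mode default acts as the very-low tier.
TIERS = ("high", "medium", "low")

def evaluate(path, rules, mode_default="Block"):
    """Return (action, tier, pattern) for the first non-Ignore match.
    An 'Ignore' match falls through to the next rule, as in post 9."""
    for tier in TIERS:
        for pattern, action in rules.get(tier, []):
            if eqs_pattern_to_regex(pattern).match(path):
                if action == "Ignore":
                    continue
                return action, tier, pattern
    return mode_default, "mode", None

# Constructed rule set built from patterns quoted in this thread.
RULES = {
    "high":   [(r"?:\*:*.???", "Block")],                       # ADS blacklist rule
    "medium": [(r"%WinDir%\System32\*\*\*\*\*\*", "Block"),      # rule from yudigadget's log
               (r"%WinDir%\system32\wgatray.exe*", "Ignore")],   # Ignore: falls through
    "low":    [(r"%WinDir%\*", "Allow")],                        # constructed global rule
}

if __name__ == "__main__":
    for p in (r"c:\:notepad.exe",
              r"C:\WINDOWS\System32\spool\drivers\W32X86\3\Old\1",
              r"C:\WINDOWS\system32\wgatray.exe",
              r"D:\games\foo.exe"):
        print(p, "->", evaluate(p, RULES))
```

    With the "Block all, allow some" mode yudigadget describes, the last path hits no rule and inherits the mode default, which is why a missing Allow rule shows up as a block in the EQS log rather than a prompt.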
  22. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Thanks Alcyon

    I believe Haxdoor or Gromozon copied that technique off LYZ32 or whoever that writer was. At the time it was a fantastic new implementation to launch malware, set & hide keyloggers, etc.

    Although the excitement and worry over time wore off, it is still on XP a very present exploit, thanks to MS.

    Nice Ruleset for it indeed for EQS.

    EASTER
     
  23. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    ACCESS IS DENIED :D

    EXCELLENT RULE!!!!
     
  24. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    i love the word;)
    ACCESS IS DENIED
     
  25. Alcyon

    Alcyon Registered Member

    Joined:
    Jan 16, 2008
    Posts:
    438
    Location:
    Montréal, Canada
    Never heard about those guys, I'll have to do some research.

    I love those words too ;)
     