EQSecure 3.41 Settings

Discussion in 'other anti-malware software' started by EASTER, Dec 8, 2007.

Thread Status:
Not open for further replies.
  1. Alcyon

    Alcyon Registered Member

    Joined:
    Jan 16, 2008
    Posts:
    438
    Location:
    Montr?al, Canada
    Here's another one:

    eqsecure.v3.41.winxp.rules.v1.38.0114-exp.zip

    What's new:

    - Alternate Data Streams Rules (File Protection)
    - Minor global rules modifications

    http://drop.io/eqsecure

    Code:
    ADS rules for file protection have been changed 
    from "?:\*:*.???" to simply "?:\*:*"
    [COLOR="Red"]If it's causing problems, please let me know.[/COLOR]
    I'm still working on the ADS rules for application protection...
     
    Last edited: Jan 14, 2009
  2. _kronos_

    _kronos_ Registered Member

    Joined:
    Dec 8, 2008
    Posts:
    126
    Hey guys...
    My configuration now is made from LUA, SRP, EAV 4 beta, System Safety Monitor Pro...
    I simply love EQSecure, more granular than SSM, but it still doesn't work with LUA:'( ...any suggest on how to use it?
    Maybe there is a way to install and make it working well with this config...You are the greatest appreciators of this sftw, maybe there is a solution:D

    Thanks for the attention and sorry for my bad english;)
     
  3. ParadigmShift

    ParadigmShift Registered Member

    Joined:
    Aug 7, 2008
    Posts:
    222
    You could try adding SuRun and give the EQSecure program elevated rights.
     
  4. Alcyon

    Alcyon Registered Member

    Joined:
    Jan 16, 2008
    Posts:
    438
    Location:
    Montr?al, Canada
    Only a few understand the extreme importance of hips granularity.
    You're the lucky one ;) Btw, my English is bad too.
     
    Last edited: Jan 15, 2009
  5. _kronos_

    _kronos_ Registered Member

    Joined:
    Dec 8, 2008
    Posts:
    126
    ..so I have to change all my configuration:doubt:
    Otherwise I will think neither to stay with SSM Pro, or better try Netchina (even if too young:cautious:)

    I will not change my LUA + SRP surely...so we'll see:D
    Thanks guys.

    p.s.:Thanks Alcyon, I've used EQS with your rulesets when I used an admin user..thanks for the work that you did/do nowadays...;)

    Regards
     
  6. Murderlove

    Murderlove Registered Member

    Joined:
    Jul 18, 2008
    Posts:
    99
    I am assuming that you know how SuRun works, if you do not, please read about it. Here is what you need to do to get EQS working in a LUA account.

    Install SuRun in your admin account. Then go to your LUA account. Install EQS via SuRun in your LUA account. Problem solved:)
     
  7. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    9,868
    Location:
    U.S.A. (South)
    Hi Alcyon

    May i ask why that particular change. Reason being AS-IS seems to be blocking ADS perfectly from the ads i've experimented with for those rules.

    Is there a gap you've discovered?

    :Thanks:
     
  8. Alcyon

    Alcyon Registered Member

    Joined:
    Jan 16, 2008
    Posts:
    438
    Location:
    Montr?al, Canada
    Files can have no extensions. That's why you'll see "?\:*:*" for ADS in the global rules.
    On the other side, adding "?:\*:*" in high-priority rules is too permissive so i had to put "?:\*:*.o_O" (in v1.38.0115).
     
    Last edited: Jan 16, 2009
  9. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,155
    Hi guys.

    what about a rule which blocks the creation and deletion of folders and all types of files any where on your hard drive?

    Is this possible?

    especially a rule which blocks the deletion of all your EQSecure files inside your
    EQSecure folder in your Program Files. I did this once and after rebooting my pc
    EQSecure was useless. This would be a vulnerability.
     
  10. Alcyon

    Alcyon Registered Member

    Joined:
    Jan 16, 2008
    Posts:
    438
    Location:
    Montr?al, Canada
    Arran, EQSecure already protects himself against his own files modification and deletion. Delete every files one by one, press F5 and see what happen.

    As for rules which block the creation and deletion of folders or files Anywhere on your hard drive, it's something that can be easily done with EQS.
     
  11. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    9,868
    Location:
    U.S.A. (South)
    I see now your Interceptable Technical Logic in that particular regard Alcyon

    So what do you suppose that we can come up with next for another set of IRON rules to keep adding the granite to EQS' stainless steel/iron shielding against even other potential entry exploits.

    BTW, that was a most WONDERFUL! & BRILLIANT! idea to devise a set of ADS rules to include. Excellent idea indeed!

    EASTER
     
  12. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,155

    thx Alcyon I shell have a play with EQS and see if I can get these rules to work.
     
  13. josey

    josey Registered Member

    Joined:
    Jan 18, 2009
    Posts:
    4
    I am new to this,but can i ask a question?
    I started with EQsecure v.3.Worked fine,except that My kaspersky started freezing my system.In Task manager,I have 2 instances of avp.EXE running.One under 'admin'(my accnt),other under system.The system one would use 100% of CPU and freeze my poor system.So I uninstalled,and everything came back to normal.Believe me,I didn't mess with any EQsecure settings to cause this.Everything was default.

    This time,I installed Alycon's rules+v.3.41.I continue to have the problem with avp.EXE under system.It is not using 100% of CPU,but 8-12% always.The performance seriously affected.Is there anything I can do to continue with EQsecure.I really would love to keep both these softs.Any help is greatly appreciated.
     
    Last edited: Jan 18, 2009
  14. neksus

    neksus Registered Member

    Joined:
    Nov 27, 2008
    Posts:
    54
    You can set kav.exe as trusted in EQS (Application Protection>Settings>Application rules>once there find kav.exe and in the right pane set all of Protection Types under Action to Allow),

    or if that doesn't solve your problem, disable Proactive Defense in KAV, since this feature (with it's HIPSy features) is most likely conflicting with EQS.

    But if you 're using newest version of KAV (2009), then maybe nothing will be helpful since there's a deeper conflict present between those two (judging by my own brief test experience).
     
  15. josey

    josey Registered Member

    Joined:
    Jan 18, 2009
    Posts:
    4
    Thanks Nexus!Yes,I am using the new 2009 version of KIS.Anybody else has a similar experience?
     
  16. ParadigmShift

    ParadigmShift Registered Member

    Joined:
    Aug 7, 2008
    Posts:
    222
    Will EQSecure 3.41 run a Limited User Account?
     
  17. josey

    josey Registered Member

    Joined:
    Jan 18, 2009
    Posts:
    4
    I managed to fix it with little help.I mentioned kav.exe in my post instead of avp.exe.My bad.

    I posted a thread in the kaspersky forums.The advice which I got was to get rid of Esecqure.LOL.Wasn't that helpful I say.If that was what I wanted,I would've already done that.
    I did just that.Alycon,I am not sure whether you can add that to the rules or not.If yes,it will help people like me.
    Second,under 'Application Filtering' in KIS2009,I moved esequre and its service from low restricted to trusted.This seem to have worked.No probs so far.

    I know,most of you might have already known this and didn't need me to tell ya all.But I thought I will comeback and post what I did,so it will be helpful to anybody else.
    [edit]Sorry.This seems to have worked only as long as Eqsecure is in learning mode.Once learning mode is disabled,AVP is back eating up mu CPU.Guess I spoke too soon!
     
    Last edited: Jan 18, 2009
  18. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    9,868
    Location:
    U.S.A. (South)
    ALCYON

    Do you have on hand a rule to stop an ad from starting that's already been created?

    Or which rule in the Blacklist can i add to abort that ad from starting at all, such as RED STRIPING BLOCKED! when i either start it from wherever such as i initiate the ad (.exe) i put on notepad from either a batch file, vbscript, or typing in the command prompt.

    Thanks

    EASTER
     
  19. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    9,868
    Location:
    U.S.A. (South)
    Never mind. Got it!

    I used your BlackList Ads creation rule and simply added BLOCK to "reading" in the settings and it stops the ad from activating.

    Cool! It can't run what it can't read, right? Awesome!

    It doesn't stop the command processor from opening/alerting but it definitely refuses to run the .exe ADS i made. RED LINE ALERT! was also enabled to verify the data blocked shows in the details raise up screen.

    Effectively blocks VBS, Batch, and the cmd command start, etc.

    EASTER
     
    Last edited: Jan 19, 2009
  20. ParadigmShift

    ParadigmShift Registered Member

    Joined:
    Aug 7, 2008
    Posts:
    222
    EASTER, will EQSecure 3.41 run ok on a Windows Limited Account?
     
  21. Murderlove

    Murderlove Registered Member

    Joined:
    Jul 18, 2008
    Posts:
    99
    Yes, but you need to install SuRun. Then install EQS via SuRun in your LUA account.
     
  22. ParadigmShift

    ParadigmShift Registered Member

    Joined:
    Aug 7, 2008
    Posts:
    222
    Ok, I can do that. But the real answer is....no it won't.
     
  23. josey

    josey Registered Member

    Joined:
    Jan 18, 2009
    Posts:
    4
    Mike at Kaspersky forums at last gave me a working solution
     
  24. neksus

    neksus Registered Member

    Joined:
    Nov 27, 2008
    Posts:
    54
    Thought you already tried that:

    cause Application Filtering is the main component of Proactive Defense...
     
  25. Alcyon

    Alcyon Registered Member

    Joined:
    Jan 16, 2008
    Posts:
    438
    Location:
    Montr?al, Canada
    Thanks for the trick, EASTER :thumb:
    It's MUCH more easier than making ADS rules for the application module!
    I'll include "Block Specific Alternate Data Streams (Read)" in my next update :)
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.