EQSecure 3.41 Settings

Discussion in 'other anti-malware software' started by EASTER, Dec 8, 2007.

Thread Status:
Not open for further replies.
  1. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    I stayed up late looking feverishly for a way to kill the #2 AKLT keylogger test, and what I did come up with is making a rule under the File Protection tab in the blacklist and simply blocking mspaint altogether. In the Run box I found that if you enter pbrush.exe, that command also brings up mspaint, which the AKLT keylogger seems to depend on.

    I'm still trying my best to find a setting to disengage that keyboard Print Screen it uses to screenshot your desktop, without having to re-map my keyboard to squelch it.

    Any and all other alternatives are welcome of course.

    EASTER
     
  2. yudigadget

    yudigadget Registered Member

    Joined:
    Dec 30, 2008
    Posts:
    42
    Dear all,
    do you know how to use the "Verify program file with MD5" feature under Other Settings?

    I am trying to keep users from playing games with EQSecure, but there is a hole.

    So, for example, I allow: C:\dictionary\dict.exe
    If a user wants to play a game, they just need to copy game.exe to C:\dictionary\ and then rename game.exe to dict.exe :( and it is accessible.

    Please, I need advice.
    Thanks
     
    Last edited: Feb 20, 2009
  3. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    I'm using 4.0 beta 3 but this should work for you in 3.41

    Go to the Applications Protection Settings tab, expand or open the branch under Default Group, select any of your programs already listed and click to highlight your chosen app. Now look at the right-side panel and open "Other Settings"; there should be a small box next to Verify MD5 Checksum. Check it for MD5 checksum monitoring.

    Let us know if this helps or not.

    EASTER
     
  4. yudigadget

    yudigadget Registered Member

    Joined:
    Dec 30, 2008
    Posts:
    42
    Dear EASTER,
    By the way, where did you get that 4.0 beta 3? Is that already the English user interface version?

    Also, AFAIK the latest version is 4.1; do you know where to download the English user interface version?

    I will test the MD5 setting as you suggested tonight.

    Thanks,
    yudi
     
  5. Smiggy

    Smiggy Registered Member

    Joined:
    May 2, 2007
    Posts:
    237
    Location:
    The Angel Isle
    v4.0 beta3 was a 3rd party translation.

    The current version, 4.1, is Chinese only, at the moment.
    There has been some lobbying of the developers to release an English copy, and although something was posted here last month to give us hope, nothing materialised.

    If you search this forum you'll find links to the Beta3 and the en.zip required to enable it in English.

    I carried out the very same last year and had it on a USB stick, but I'm not sure where it is, I'm afraid, so I can't help, sorry!
     
  6. yudigadget

    yudigadget Registered Member

    Joined:
    Dec 30, 2008
    Posts:
    42
    Easter, I already tested it as you suggested.
    Well, it works, but there is another problem.

    I mean, when I try to run another file (for example game.exe) that I have renamed to dict.exe, there is a confirmation box.
    It says, "The program file has been changed since its last operation.", but it is not blocked :( so there is just a prompt and an allow box with a timer.

    How do I automatically block an unverified application?
     
  7. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    So does that mean that after renaming, the file masquerades?
     
  8. yudigadget

    yudigadget Registered Member

    Joined:
    Dec 30, 2008
    Posts:
    42
    Sorry for my English, I'll try to re-explain.

    So, I add the subprocess C:\dict\dict.exe and allow it, then under Other Settings I enable "Verify program file with MD5" and then I open dict.exe, so EQSecure can recognize the MD5 of dict.exe.

    Then I test it by copying game.exe into C:\dict\, deleting/renaming the original dict.exe and renaming game.exe to dict.exe.

    Well, I test it by opening the fake dict.exe (which is the game) again. Why does EQSecure not automatically block it, since it is an untrusted application (different MD5)?

    Do you get what I mean?

    Thanks.
     
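The rename trick described in the posts above, worked through as an added example that is not code from the thread or from EQSecure: a path-only allow rule is compared with a rule that also pins the file's digest, and the pinned rule returns Block on mismatch instead of prompting. The rule fields, the Allow/Block/Prompt decision values and the default-deny for unlisted programs are assumptions made for the illustration, since EQSecure's own rule format is not documented on this page.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass
from typing import List, Optional

# Decision values are assumed for the illustration (EQSecure's own are not documented here).
ALLOW, BLOCK, PROMPT = "Allow", "Block", "Prompt"


def file_digest(path: str, algo: str = "md5") -> str:
    """Hash a file in chunks. MD5 mirrors the product's feature; pass "sha256" for new policy."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


@dataclass
class AppRule:
    path: str                            # full path of the allowed program
    pinned_digest: Optional[str] = None  # None = path-only rule (the hole described in the thread)
    algo: str = "md5"
    on_mismatch: str = BLOCK             # the poster wanted Block; the product reportedly prompts


def evaluate(rules: List[AppRule], exe_path: str) -> str:
    """Decide whether exe_path may run. Paths compare case-insensitively, as on Windows."""
    for rule in rules:
        if os.path.normcase(rule.path) != os.path.normcase(exe_path):
            continue
        if rule.pinned_digest is None:
            return ALLOW
        # The hash is taken at decision time; the binary could still be swapped afterwards
        # (time-of-check/time-of-use), which a kernel-side HIPS narrows but cannot remove.
        if file_digest(exe_path, rule.algo) == rule.pinned_digest:
            return ALLOW
        return rule.on_mismatch
    return BLOCK  # assumed default-deny for programs not on the list


def demo():
    """Reproduce the rename trick against a path-only rule and a hash-pinned rule."""
    with tempfile.TemporaryDirectory() as d:
        dict_exe = os.path.join(d, "dict.exe")
        game_exe = os.path.join(d, "game.exe")
        # Constructed stand-ins for the two binaries; the contents only need to differ.
        with open(dict_exe, "wb") as f:
            f.write(b"MZ dictionary program\n")
        with open(game_exe, "wb") as f:
            f.write(b"MZ game program\n")

        path_only = [AppRule(dict_exe)]
        pinned = [AppRule(dict_exe, pinned_digest=file_digest(dict_exe))]

        before = (evaluate(path_only, dict_exe), evaluate(pinned, dict_exe),
                  evaluate(path_only, game_exe))

        # The bypass from the thread: drop the real dict.exe, rename game.exe into its place.
        os.remove(dict_exe)
        os.rename(game_exe, dict_exe)

        after = (evaluate(path_only, dict_exe), evaluate(pinned, dict_exe))
        return before, after


if __name__ == "__main__":
    print(demo())
```

Before the swap both rule types allow dict.exe; after it, the path-only rule still allows the renamed game while the pinned rule blocks it. MD5 is used only to mirror the product's checkbox: chosen-prefix collisions against MD5 are practical, so a policy that has to resist a deliberate attacker rather than a user renaming a game should pin SHA-256 instead.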
  9. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    I know what you mean, and sorry for my English too, it is kind of broken also o_O
     
  10. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    Hopefully somebody who has more experience with EQSecure will help with your concern.
     
  11. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    I completely understand you. :)

    Trouble is, I too experienced the same sort of issue as you. Let's wait for Alcyon to chime in on this for you, because he's very familiar with exactly what could be done to remedy that, since he writes a lot of EQS rules.

    At least we're closing in on something here, just needs finishing touches. LoL

    EASTER
     
  12. yudigadget

    yudigadget Registered Member

    Joined:
    Dec 30, 2008
    Posts:
    42
    I read at bbs.eqsecure.com:
    ---cut---
    Check the program file: the program can record the MD5 checksum of the file. If the MD5 values are consistent, it guarantees that the two files are the same, so if you select it, you can prevent the program from being impersonated by a bogus file with the same name. But because the situations in which this impersonation happens are limited, and performing the check at run time may have an impact on performance, I did not try it. Anyone who is interested can try it to raise the safety level of trust; whatever your experience, please say something.
    ---cut---

    It says that if I want to use the MD5 feature, it will reduce performance.

    Well, I think the best way is to use the File Protection section.
    I mean, you just need to block *.exe creation in the Program Files sub-folders or the dict folder (in the last example), with Modify: Ignore and Delete (of file): Block. It works, I already tested it.
    What do you think?
     
    Last edited: Feb 21, 2009
  13. yudigadget

    yudigadget Registered Member

    Joined:
    Dec 30, 2008
    Posts:
    42
    What is the best way to block autorun.inf?

    I tried in Application Protection and it doesn't work.

    Then I tried in File Protection: ?:\autorun.inf
    Create File - Block
    Read File - Block
    Modify File - Block
    Delete File - Allow

    So the autorun doesn't work, that's great! :) But why can I not delete it?

    tq,
    Yudi
     
  14. mb_paket

    mb_paket Registered Member

    Joined:
    Mar 2, 2009
    Posts:
    1
    How do I block a user from opening a website from Windows Explorer? If you open Windows Explorer, you can browse by typing a URL in the address bar. How do I block that?
     
  15. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    I'll tell you how I keep .inf exploits from using it. I keep AUTORUN "active" on all my PCs and have yet to encounter any infiltrations, thanks in part to the rule sets for EQSecure.

    I simply add a rule in the File Protection section under Black List: create a new group named anything (mine is Guard Rundll32), and in the right column settings check "include all files in this folder", select Alert/Pass for the first 3 items, including and especially the READ item, and BROWSE to System32\Rundll32.exe for that selection to cover.

    In the event the .inf would become changed and try to launch an exploit, the EQS alert report will clearly show the details, and anyway actions are suspended immediately until you're convinced it's safe and is your default .inf file.

    I've tested this with real malware as well as placebo samples, and all actions (since they are now monitored by the rule) come to a halt and first show what is trying to launch, if anything. Normally the .inf in its default manner is merely a dormant file, so with this rule in place it only ensures that if by chance Downadup/Conficker were to somehow change your .inf, EQS would easily interrupt it before it ever gets a chance to proceed on your system, giving you the safeguard needed to remove it and return your normal .inf file as it should be.
    This is on XP. I dunno the details regarding Vista on this type of exploit.

    EASTER
     
  16. yudigadget

    yudigadget Registered Member

    Joined:
    Dec 30, 2008
    Posts:
    42
    EASTER,
    I think your advice does not fit my need, because I will set up EQSecure on all PCs at the office; I just need to automatically block autorun.inf and give users the possibility to delete autorun.inf and virus executables/scripts.
    Delete means the user can do that via antivirus software or delete it manually.

    I don't want to make users confused about EQSecure alerts or prompts to allow or deny.
    I know not all autorun.inf files are bad, but I have already made the decision that I will not accept any autorun.inf.

    How do I simply block reading autorun.inf, while the user can still delete it?

     
  17. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    My rule maintains the structural integrity of its default .INF; however, are you asking to have the .INF protected from deletion altogether?

    You can make a rule in EQS to prevent that too. You can set a rule in the BlackList to "BLOCK" reading of that file as well as give it delete protection.

    It's really simpler than you might think.

    EASTER
     
  18. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,156
    Has anyone tried EQS on Windows 7 yet?
     
  19. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,156
    Hi, can someone please help me with the file protection settings.

    "Include all files in this Folder" is not working.

    For example, I have a folder on my desktop with 100 files in it. How do I prevent
    read, modify and delete of all these files?

    The folder is protected from modifying and deletion, I've tested that, but not all the individual files inside the folder.

    So far the only way I can protect all the files is to individually add them to EQS rules, which would take forever.

    I just can't work out how to get EQS to protect all the files inside the folder as well from read, modify, delete etc.?
     
  20. chrome_sturmen

    chrome_sturmen Registered Member

    Joined:
    Apr 29, 2006
    Posts:
    875
    Location:
    Sverige
    I was thinking about giving EQSecure a test, but I found very little documentation in English. Can anyone point me towards English-language resources for this application? Also, I am curious to know why some here are continuing their use of the product if it will not support English in future.

    thanks in advance
     
  21. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    To question #2, chrome, it's because this HIPS is very STRONG and reliable as well as "Lite". I've all but given up that they will ever post here again on users' behalf, but be that as it may, as-is, it's workable and highly configurable for areas you might wish to monitor. Aside from that, it's a poor showing for them to introduce this EQS and post for a time only to leave users abandoned. So be it; we'll do what we can to improve what can be configured, because at least it does perform a useful purpose in spite of their ignoring us now.

    I don't myself have any way to find documentation for it, but some of us are digging into it and learning enough to be able to make reasonable use of it.

    You raise a very valid concern btw.

    EASTER
     
  22. yudigadget

    yudigadget Registered Member

    Joined:
    Dec 30, 2008
    Posts:
    42
    Yes, I already tried that in File Protection, but it doesn't work. What I want is: block reading autorun.inf, but give access to delete it.
    I set:
    Create File: Block
    Read File: Block
    Modify File: Block
    Delete File: Allow
    Have you tested it? Because I still cannot delete the autorun.inf, and I need to set the Read File attribute to Allow.

    Well, I think the solution is to make a rule in Application Protection to block execution of autorun.inf, but I don't think it's possible. I tested it many times, but still cannot make it work.
     
  23. yudigadget

    yudigadget Registered Member

    Joined:
    Dec 30, 2008
    Posts:
    42
    Well, so far there is no software bug (or no software bug to worry about). I use EQSecure every day and it really protects me from viruses and malware.
    Right now I am preparing to use EQSecure on all employees' PCs at the office.

    v3.41 is enough for me, no need to upgrade it to the latest version.

    And EQSecure is free!
     
  24. yudigadget

    yudigadget Registered Member

    Joined:
    Dec 30, 2008
    Posts:
    42
    Please tell us more details (your EQSecure settings, EQSecure version, Windows OS, etc.). There is no problem on my PC.
    I use 3.41 on Windows XP.

    %SystemDrive%\Documents and Settings\*\Desktop\*.*
    checked: Include all files in this folder

    It works, I already tested it.
     
    Last edited: Mar 9, 2009
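The File Protection patterns from this thread (the `?:\autorun.inf` rule with Delete: Allow from post 13, and the Desktop rule above with "Include all files in this folder" checked), evaluated by a small matcher. This is an added example, not part of the original posts and not EQSecure's code. How EQSecure really scopes that checkbox is not documented on this page, so the matcher's semantics are stated assumptions: `%Name%` variables expand from a constructed environment table, a wildcard only matches inside its own path component, the checkbox drops the final `*.*` component and extends the rule to everything below that folder at any depth, matching is case-insensitive, the first matching rule wins, and operations with no rule fall through to Allow (as post 25 assumes).

```python
import fnmatch
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed environment table; EQSecure would expand variables from the live system.
ENV = {"SystemDrive": "C:"}


def expand_vars(pattern: str, env: Dict[str, str] = ENV) -> str:
    """Expand %Name% the way Windows paths do; unknown names are left untouched."""
    return re.sub(r"%(\w+)%", lambda m: env.get(m.group(1), m.group(0)), pattern)


def components(path: str) -> List[str]:
    """Split a Windows path into lower-cased components (NTFS is case-insensitive)."""
    return [c for c in path.lower().replace("/", "\\").split("\\") if c]


@dataclass
class FileRule:
    pattern: str                           # e.g. r"%SystemDrive%\Documents and Settings\*\Desktop\*.*"
    include_all_in_folder: bool = False    # the "Include all files in this folder" checkbox
    actions: Dict[str, str] = field(default_factory=dict)  # op -> "Allow" | "Block" | "Ignore"


def rule_matches(rule: FileRule, path: str) -> bool:
    pat = components(expand_vars(rule.pattern))
    parts = components(path)
    if rule.include_all_in_folder:
        # Assumed semantics: the final component ("*.*") names the folder's contents,
        # and the checkbox extends the rule to every file below that folder, any depth.
        folder = pat[:-1]
        if len(parts) <= len(folder):
            return False
        return all(fnmatch.fnmatchcase(c, p) for c, p in zip(parts, folder))
    # Without the checkbox a wildcard only matches inside its own path component,
    # so the rule covers direct children of the folder and nothing deeper.
    if len(parts) != len(pat):
        return False
    return all(fnmatch.fnmatchcase(c, p) for c, p in zip(parts, pat))


def decide(rules: List[FileRule], path: str, op: str) -> str:
    """First matching rule wins; an operation the rule does not list falls through to Allow."""
    for r in rules:
        if rule_matches(r, path):
            return r.actions.get(op, "Allow")
    return "Allow"


# The two rules quoted in the thread, as this matcher represents them.
RULES = [
    FileRule(r"?:\autorun.inf",
             actions={"create": "Block", "read": "Block", "modify": "Block", "delete": "Allow"}),
    FileRule(r"%SystemDrive%\Documents and Settings\*\Desktop\*.*",
             include_all_in_folder=True,
             actions={"read": "Block", "modify": "Block", "delete": "Block"}),
]


if __name__ == "__main__":
    for path, op in [(r"E:\autorun.inf", "read"),
                     (r"E:\autorun.inf", "delete"),
                     (r"C:\Documents and Settings\yudi\Desktop\report.doc", "read"),
                     (r"C:\Documents and Settings\yudi\Desktop\notes\todo.txt", "modify"),
                     (r"C:\Documents and Settings\yudi\My Documents\x.txt", "read")]:
        print(op, path, "->", decide(RULES, path, op))
```

Under these assumptions the Desktop rule without the checkbox protects only files directly in Desktop, which is the behaviour arran reports in post 19, and with the checkbox it also covers files in sub-folders. The `?:` wildcard makes the autorun.inf rule apply to every drive letter but only to the drive root, so `E:\tools\autorun.inf` is not matched. The evaluator applies each listed action literally; it does not model why the product still refused deletion when Read was set to Block, which the posts leave unexplained.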
  25. yudigadget

    yudigadget Registered Member

    Joined:
    Dec 30, 2008
    Posts:
    42
    What does
    "Ignore operation toward folders" mean in File Protection?
    and
    "Search Global Rules" in Application Protection?
    Please give me some examples.


    One more thing,
    I just don't get it. Why did Alcyon create settings (especially in Registry Protection and File Protection) like System ByPass (do not disable), etc.?
    I think by default EQSecure will return Allow on undefined rules, so why must he define so many registry entries for the Allow action (is that a waste of time)?
    OK, sometimes "allow" is useful for:
    C:\folder1\ -> Allow
    C:\ -> Deny
    It means you need to make an exception for C:\folder1\

    It's a different case for Application Protection. It helps me so much, because in Protection Mode (I use Normal Mode) I block all protection types and just allow Load library file & Load driver.
    So, System Bypass (Alcyon's rules) is useful to make Windows run smoothly. Well, there are some additional rules of my own, for example userinit.exe hasn't been set by Alcyon, so if I don't set this rule I can't get into Windows and just get stuck on the Windows welcome screen. There are some more.

    Thanks
     
    Last edited: Mar 9, 2009