EQSecure 3.41 Settings

Discussion in 'other anti-malware software' started by EASTER, Dec 8, 2007.

Thread Status:
Not open for further replies.
  1. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,156

    Yeah, I worked it out now, thx.

    I put in "C:\Documents and Settings\ZT\Desktop\test" instead of
    "%SystemDrive%\Documents and Settings\ZT\Desktop\test\*"
     
  2. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,156
    Also, our PCs have around 30,000 files and folders; Alcyon's rules only cover a very small area, i.e. the most common places malware infects.

    Instead of just creating rules in certain areas, why not block every single file and folder and everything in the entire system drive in the global rules, then put EQS in learning mode, and EQS will automatically create the needed allow rules in the application rules? I am doing this now and have just taken it off learning mode; so far so good, still running nice and stable.
     
  3. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,535
    Location:
    U.S.A. (South)
    I agree.

    For a scot-free classical HIPS which is EXTREMELY configurable to your own expectations & liking, it's a no-brainer. Never mind that it's not officially supported anymore as far as I know; as-is, it's quite security-worthy in not a few but MANY respects, and you can EXPORT & IMPORT rules and they stick!

    Alcyon generously took a lot of time to better educate us on what's available in areas of coverage as templates; it's up to the user to refine and add additional rules to it, which are there for the using.

    One other asset, besides being free plus very STRONG!, is that it's also easy on the system, with no negative impacts even when grouped with other security programs.

    Here's an off-the-cuff example: on one partition of mine I also "can" run Real-Time Defender, and you would think the two would clash at some point. Well, although I only run EQS and deaden RTD as a spare or backup, when both are running they complement, or as some put it, even overlap on the same alerts, but without so much as a single crash, hangup, or otherwise.

    It's just a very good HIPS that doesn't threaten to bog down your system while at the same time protecting critical areas of the O/S in various ways by the rules set for it. For that matter, I have even used it as a SRP, better than Microsoft's built-in one but without the hassle of jockeying this and that, etc.

    A very clever HIPS without all the annoying pop-ups once you set it up right at the start.

    EASTER
     
  4. mike21

    mike21 Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    416
    I have to agree with you, but I would like it to implement network protection, in order to be complete.
     
  5. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    Like Malware Defender ;)
     
  6. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,535
    Location:
    U.S.A. (South)
    Completely valid expectation, no doubt. But with EQS we're more or less locked into what it is without the Network Protection, although there are some earlier rules Alcyon was experimenting with at one time to at least nullify certain network storages, but that's about as far as the present model will allow.

    Personally, I find Kerio 2.15 handles in- and outbound reasonably well with tight custom rules, so the lack of that feature really doesn't hamper my traffic security, since I've closed down many ports and log ones that could be suspicious for review.

    Regards: EASTER
     
  7. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,156
    Hi EASTER, can I ask what HIPS you use for blocking programs communicating with others, like "Send message" etc.?

    Because so far the only HIPS I know of is Comodo. I wish EQS could as well.

    Like this test, for example:
    http://www.firewallleaktester.com/leaktest26.htm

    What this "zabypass" does is send a message to csrss.exe, and then csrss.exe sends a message to your browser to make the outgoing connection to bypass your firewall. EQS does not pick this up; I had to install Comodo to find this out.
     
  8. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,535
    Location:
    U.S.A. (South)
    That's a good one. I run rules up and down, including coverage of csrss.exe, with no effect. The browser IE is effectively passed as if there's nothing there to stop it.

    I'll look into this further to see if anything in EQS can throw up an alert or block.

    Thanks: EASTER
     
  9. yudigadget

    yudigadget Registered Member

    Joined:
    Dec 30, 2008
    Posts:
    42
    I read this on page 3 ( https://www.wilderssecurity.com/showthread.php?t=193905&page=3 )
    Alcyon wrote this:

    %SystemDrive%\*.dll
    %SystemDrive%\*.dat
    %SystemDrive%\*.bat
    %SystemDrive%\*.reg
    %SystemDrive%\*.js
    %SystemDrive%\*.bin
    %SystemDrive%\*.vbs
    ...

    instead of a lot of rules, you could simply do one like:

    %SystemDrive%\*.(dll|dat|bat|reg|js|bin|vbs)


    I tested this, but it doesn't work:
    %SystemDrive%\*.(dll|dat|bat|reg|js|bin|vbs)
    Would you test this on your computer?

    Actually I want to block all exe, com, cmd, vbs, etc. that come from a USB flash disk.
    (a|b|d|e|f|g|h|i|j|k|l|m|n|o|p|q|r|s|t|u|v|w|x|y|z)\*.(exe|com|cmd|bat|reg|js|bin|vbs)
    So I just trust from C:, but it doesn't work.
     
  10. yudigadget

    yudigadget Registered Member

    Joined:
    Dec 30, 2008
    Posts:
    42
    On Application Protection settings - Global Rules, there is:
    Subprocess (Explorer)
    %WinDir%\explorer.exe with command variable: ?*

    What does ?* mean? Can you give me some examples? What kind of malicious file can do this?

    Thanks..
     
  11. Alcyon

    Alcyon Registered Member

    Joined:
    Jan 16, 2008
    Posts:
    438
    Location:
    Montréal, Canada
    yudigadget,

    Regular expressions aren't implemented yet in EQS or other HIPS. HIPS in general are pretty young and will have to evolve a lot more. A bright future is ahead... Especially with xiaolin around ;)

    The meaning of "?*" is "prompt only for executables with command lines". You can live without it.

    Btw, I've started another project so the ruleset will probably not be updated anymore.
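To make the difference between Alcyon's plain wildcard rules and yudigadget's (dll|dat|...) shorthand concrete, here is an added Python example; it is not part of this thread or of EQSecure. It models a HIPS rule as %VAR% expansion plus * and ? wildcards (an assumption about how EQS matches paths, consistent with Alcyon's note that regular expressions aren't implemented) and shows how to rewrite an alternation group into the separate rules such a matcher accepts; applying the same matcher to a command line shows why ?* only matches a launch with a non-empty command line. ENV and the sample paths are constructed.

```python
import fnmatch
import itertools
import re

# Constructed environment standing in for Windows' %SystemDrive% / %WinDir%.
ENV = {"SystemDrive": "C:", "WinDir": r"C:\WINDOWS"}


def expand_env(rule: str, env: dict = ENV) -> str:
    """Replace %Name% tokens with their value; unknown names are left literal."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1), m.group(0)), rule)


def rule_matches(rule: str, value: str) -> bool:
    """Model of a HIPS rule: %VAR% expansion plus * and ? wildcards, compared
    case-insensitively, with * allowed to span backslashes (so
    %SystemDrive%\\*.dll covers the whole drive). Parentheses and | are
    ordinary characters here, which is why the (a|b) shorthand never matches.
    This is an assumption about EQSecure's matcher, not its code."""
    return fnmatch.fnmatchcase(value.lower(), expand_env(rule).lower())


def expand_alternations(rule: str) -> list:
    """Rewrite each (a|b|c) group into one plain wildcard rule per
    combination, e.g. '*.(dll|dat)' -> ['*.dll', '*.dat'], so the shorthand
    can be fed to a matcher that understands only * and ?."""
    # re.split with one capture group yields literal, group, literal, group, ...
    parts = re.split(r"\(([^()]*\|[^()]*)\)", rule)
    literals, groups = parts[0::2], parts[1::2]
    rules = []
    for combo in itertools.product(*[g.split("|") for g in groups]):
        out = literals[0]
        for choice, literal in zip(combo, literals[1:]):
            out += choice + literal
        rules.append(out)
    return rules


def any_rule_matches(rules: list, value: str) -> bool:
    """True if at least one expanded rule covers the value."""
    return any(rule_matches(r, value) for r in rules)


if __name__ == "__main__":
    shorthand = r"%SystemDrive%\*.(dll|dat|bat)"
    target = r"C:\WINDOWS\system32\sample.dll"  # constructed path
    print(rule_matches(shorthand, target))                           # False
    print(any_rule_matches(expand_alternations(shorthand), target))  # True
    print(rule_matches("?*", ""), rule_matches("?*", "/e,C:\\"))     # False True
```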
     
  12. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,535
    Location:
    U.S.A. (South)
    Best of luck with your new project, Alcyon, but when you get the nostalgia EQS bug again, how about throwing us a few scripts of NEW EQS RULES.

    I know it seems it's been taken about as far as it can go without the developer prepping it with more advanced features, but one thing is for sure: this HIPS has really laid it down when it comes to security preventions and personal configurations.

    Many Regards

    EASTER
     
  13. Smiggy

    Smiggy Registered Member

    Joined:
    May 2, 2007
    Posts:
    237
    Location:
    The Angel Isle
    Alcyon/EASTER

    Many, many thanks for your time and efforts with regards to EQS.
    You only have to look at this thread to see it.

    I only ventured down the EQS route because of this thread, and I for one will stay with it; it's light (VERY LIGHT), durable, and used in conjunction with SandBoxIE I feel my system is more than secure for my needs.

    I 'was' a habitual installer/remover; lost count of the number of times I installed Comodo's software, ProSecurity, RTD, only to remove it because of the GUI or initially the endless pop-ups. Same with AV software too, Avira, Avast, etc., etc.
    I knew what I was looking for: something plain, simple, no 'girly' front end, skins, etc., and EQS is it.
    The simple backup of the XML is fantastic in order to restore the system; I had a couple of BSODs, but this was due to me placing it into learning mode mid install/uninstall, something I don't do anymore!!

    I know one day I will probably have to migrate away from EQS, hopefully to an English version of their latest release (fingers crossed), but until then EQS is here to stay for me.

    Thanks for your assistance months ago EASTER with finding a copy of Beta3 and good luck on your new Project Alcyon!

    :thumb:
     
  14. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,535
    Location:
    U.S.A. (South)
    Thanks Smiggy

    I'm sure I also share Alcyon's own sentiments on your behalf in saying You're Most Welcome, and it's been a very exciting experience.

    It still is for me.

    I deliberately Googled cracked sites last night, and once you get a redirect and a noticeable IE page load delay, you know something is about to drop, and it did as usual, and as usual they were interrupted by EQS long enough for me to read the path they headed for, then Block & Terminate the funny e.exe and some other weird file name installed in the (what else?) good ole TEMP directory. It's but a simple matter to manually flatten the variants, but if I had one wish it would be for EQS to not simply Block/Terminate, which it does fine, but add a way to incorporate either ERASER like SandboxIE does, or have its own wipe utility too. I believe all HIPS that show such user data ought to add that feature built-in. (My Wish List)

    That would be the icing on the cake for those sneak attacks. Of course you're not likely to encounter such attempts all that much practicing safe surfing, but in my research I drop right down in the hornet's nest and watch for the bugs to pierce through IE so as to ensure EQS is doing exactly what's expected of it and that the rules are rock solid too.

    EASTER
     
  15. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    Or add a rollback function like DefenseWall; it would be a nice idea :)
     
  16. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,535
    Location:
    U.S.A. (South)
    One thing is odd with me.

    So whatever happened to Google's WARNING PAGE that "This site might be harmful to your computer"?

    Saw not a single one in nearly 3 pages of cracks and keygens sites, but boy howdy, they were laced to the hilt with a variety of who knows what.

    I've seen the rock solid prevention that HIPS really offers in warding off (especially IE) intrusions; I dare not try that with simply an AV. It would be PC suicide.

    I know you can virtualize with RETURNIL, Sandboxie and those artificial environment container apps, but I'm after a single POWERHOUSE of FULL FORCE BRUTE STRENGTH to stop them in their tracks where they change code to evade AVs routinely, and HIPS definitely serves as that IRON Wall.

    These are all tests I like to do without LUA/SRP escapes or permissions protections, and mostly with HIPS.

    Does anyone know if Malware Defender also wipes an intruder as well as blocks/terminates these rabid files?

    EASTER
     
  17. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Malware Defender :) ?
     
  18. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,535
    Location:
    U.S.A. (South)
    I wouldn't be a bit surprised. ;)
     
  19. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    Yes, you can disable, terminate or delete any files that you consider suspicious/rootkits, just with a mouse click :)
     
  20. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,535
    Location:
    U.S.A. (South)
    That would be the icing on the cake for EQS with me.

    EARTH TO ALCYON! ;)

    Have you looked into this potential as a RULE possibly? I know it would be a long shot and I'm going to try to examine it myself, but I would wonder your thoughts on this, or whether in your opinion it's something required to be hard coded into EQS itself.

    Because frankly I don't see any possibility at this point, in spite of there always being possibilities when it comes to EQS, of rule making for launching a wipe app like ERASER to fully remove a rogue entry EQS has terminated and blocked but which requires manually tracking to the file itself to remove it. With that in mind, the EQS Sandbox "DOES" eliminate/delete items inside its sandbox and is worth a look to see if this can be re-routed to include TEMP folders. That way if a rogue malware entered the folder it could be deleted through its sandbox deletion. The problem with this is: can a FOLDER be inserted instead of an executable program in the Sandbox of EQS?

    Alcyon

    Do you follow my interest in the importance and/or possibility of this?

    Regards EASTER
     
  21. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,535
    Location:
    U.S.A. (South)
    I tested this by adding C:\Windows\TEMP\* and added an executable, which was alerted to but allowed.

    This was a long shot like I mentioned earlier, but essentially the same actions ONLY can be applied to the executable.

    I engaged the app and sure enough it shows up in the EQS Sandbox, but again the only recourse is simply to Terminate; when I try to use the DELETE item, which is only the path to the TEMP folder itself, it deletes the TEMP entry but the executable file remains.

    Bahhh! :doubt:

    More study needed to see if it's simply an impossible task, or whether an alternative can be discovered without having to resort to some third-party extra tool.

    EASTER
     
  22. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,156

    Better late than never for me to reply.

    Best of luck, and thank you Alcyon for the rules. Can I ask if your new project is
    another software product?
     
  23. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,156
    It kinda seems like the testing of security products has now been exhausted for some people until the arrival of Windows 7.
     
  24. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,535
    Location:
    U.S.A. (South)
    That seems to be the anticipation awaiting everyone. It's a wait-and-see prospect, when it does finally come out, whether it will be accepted far more and welcomed than Vista was.
     
  25. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,156
    It will be a good challenge to keep our PCs secure when Windows 7 comes out,
    because there may not be very many Windows 7 version security products available.

    I can't see there being any EQS English version for Windows 7, so I guess we might be saying goodbye to EQS soon?

    I am looking forward to the "New Challenge and Adventure" of securing Windows 7 with only a limited amount of security products to choose from.
     