EQSecure 3.41 Settings

Discussion in 'other anti-malware software' started by EASTER, Dec 8, 2007.

Thread Status:
Not open for further replies.
  1. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Wow, the file and registry protection look really comprehensive, I will check it out. I must say that I'm not really satisfied with the registry protection found in SSM Pro (too complex), so EQSecure might be an interesting option.
     
  2. HIPSter

    HIPSter Registered Member

    Joined:
    Feb 15, 2008
    Posts:
    36
    Either I'm missing something, or EQSecure's file protection is rather weak. After reading this thread and fiddling with it for over an hour, I can't help but be disappointed.

    Here's the short description of what's bothering me:

    - Rules governing parent processes don't apply to child processes
    - "Open with" dialog allows the blocked process to override EQSecure's file protection

    Let's say that you block firefox.exe from accessing an important folder. You point Firefox to said folder and EQSecure does its job and prevents Firefox from opening said folder. Now, if I launch notepad or another application from within Firefox, this child process does whatever it wants.

    That just doesn't seem very secure.

    The other issue I found is that if I set EQSecure to prevent notepad from accessing a certain folder, EQSecure does its job and keeps it out. However, if I open the file with the "Open With" dialog, the blocked program can be used to open and read the blocked folder. While I'm not a hacker or someone who could figure out a way to exploit this, the fact that the protected folder can still be accessed with the blocked program is still bothersome.

    Since I'm new to this software, I'm leaving open the possibility that I made some mistakes somewhere. If someone knows a way to trigger protection for child processes, I'd love to read your thoughts.
     
  3. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Unfortunately, that's also how it's designed to work.
     
  4. HIPSter

    HIPSter Registered Member

    Joined:
    Feb 15, 2008
    Posts:
    36
    No kidding. I wonder what the mindset is behind that idea. Blocking only parent processes is like trying to keep the wolves away from the sheep by building a fence with wolf sized holes in it.

    Other than Defensewall, I just don't know of another program that completely protects files/folders. GeSWall tries, but it doesn't work with online games.

    Defensewall does work with most everything you throw at it, but its GUI is a mess compared to EQSecure and GeSWall.

    If any of you have had a good experience with another program, please let me know.
     
  5. Alcyon

    Alcyon Registered Member

    Joined:
    Jan 16, 2008
    Posts:
    438
    Location:
    Montréal, Canada
  6. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    You made a rule to block only FF and EQSecure is obeying that rule. Nothing wrong. Make a global rule and every process will be blocked, then you can add exceptions for any process you want.
    Not sure about this. I am not an expert. Maybe it's due to the reason that explorer and rundll32.exe are used to launch. But you are right that it should not work like this.
    I think for everyday work this protection is enough. I don't think any hacker/malware will try to exploit such a little-used software. And if someone wants to exploit, any software can be exploited, no matter how secure it claims to be.
     
  7. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
  8. Alcyon

    Alcyon Registered Member

    Joined:
    Jan 16, 2008
    Posts:
    438
    Location:
    Montréal, Canada
    Yep and I'm pretty sure some of your global or application rules were falsely set to "allow".
     
  9. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    You may be pretty sure but WRONG. No problem with my rule set.

    On my system, even the GUI of EQS disappeared. No popups.
     
  10. Alcyon

    Alcyon Registered Member

    Joined:
    Jan 16, 2008
    Posts:
    438
    Location:
    Montréal, Canada
    hmm... Maybe there's a conflict with another software because everything is fine on my side.
     
  11. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    I will try later on a fresh snapshot without any other software. Give me some time.
     
  12. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    The proper mindset. Anything else would be stupid. If you block a process from doing something, then that's that - otherwise it would be mayhem.

    If you want to block Notepad from reading private folders as well, then add a rule for Notepad as well. If you want to block ALL programs from reading private folders, then you add the corresponding rules.
     
  13. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Solcroft mirrors my expectations, which in EQS are realized. I still highly admire SSM for connecting a to b and vice-versa for that exact linking, so to speak, but I found in EQS more leeway and room to allow safe apps more freedom from sudden interception or, as I viewed it, unneeded interruptions.

    No malware today with any regularity goes after the same targets as yesteryear anymore.

    For me and my hyperactive reflexes on typing, EQS is very accommodating/forgiving: if I inadvertently by reflex press BLOCK it's only for that moment, and the next alert isn't sitting on the same rule (BLOCK) as I made earlier but affords me to simply choose again, UNLESS I checkmark it as a genuine RULE. I like that and it's been of much help for my lack of speed typing skills.

    More importantly though, the "OBEY GLOBAL RULES" under the "OTHER" tab in Program Rules (Default Group) helps immensely to keep programs firmly linked to the solid "Global Rules" you set for any of them.

    This is one HIPS that takes into account many possibilities for absolute coverage without having the user repeat themselves, and another reason it was the obvious choice for me to transition over to it, among other things like adding (more) File Protections, Registry Monitorings, etc.

    Like with any HIPS there still remain areas that we can consider limitations, although those numbers are shrinking and hopefully next versions will prove even more coverages maybe overlooked. I believe the whole reason the newest version is yet to be released is that whoever is developing this power house is running it through very thorough and intense testing with the very latest as well as proof of concept possibilities.
     
  14. hammerman

    hammerman Registered Member

    Joined:
    Jul 14, 2007
    Posts:
    283
    Location:
    UK
    I cannot seem to reproduce this problem. In the Applications Rules I blocked my text editor from reading any file in a folder. This rule also prevents me opening any files in this folder by the "Open With" dialog. I can't see the problem.

    In the Applications Rules I set:

    Process: c:\TextEditor.exe
    File: c:\EQTest\* create,read,modify,delete = BLOCK
     
  15. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    What in your opinion is needed in EQS next version to even better sharpen overall coverages of potential or imagined entry vectors for this formidable HIPS?

    Would you agree its whitelist, so to speak, is enough, or is more needed to fully armor in even more detail?

    Are there any additional TABLE HOOKS that you would prefer to see more addressed? Perhaps some form of rotating internal code checking to ensure that their hooks continue to occupy to avert being displaced by unhookers?


    Thanks EASTER
     
  16. Alcyon

    Alcyon Registered Member

    Joined:
    Jan 16, 2008
    Posts:
    438
    Location:
    Montréal, Canada
    Without digging deeply, what could be really interesting and a huge improvement in the next versions is an "add subgroup" option in the global rules. With that, your rules could be more structured, less messy, a lot easier to understand, modify and maintain. As an example, in the global rules of "registry protection settings", instead of having only a group called "IE settings" with a lot of mixed rules, it could be more interesting to see a group called "Internet Explorer Settings" with the following subgroups: IE General Settings, IE Zones Settings, IE Advanced Settings, IE Critical Settings... (followed by another subgroup, etc.). It may not be the best example but anyway....

    Another huge improvement that could be made is the implementation of regex into the global rules. In "file protection settings", let's suppose I have a group called "System Drive root (suspicious files)" containing the following rules:

    %SystemDrive%\*.dll
    %SystemDrive%\*.dat
    %SystemDrive%\*.bat
    %SystemDrive%\*.reg
    %SystemDrive%\*.js
    %SystemDrive%\*.bin
    %SystemDrive%\*.vbs
    ...

    instead of a lot of rules, you could simply do one like:

    %SystemDrive%\*.(dll|dat|bat|reg|js|bin|vbs)

    Another necessity is a "monitor folders creation only" option in "Other settings" of file protection.

    Edit: Something annoying that could be modified in the registry protection settings is using the "include subkeys" option without having to write a wildcard at the end of the rules.

    For the rest, I'm still out of ideas.
     
    Last edited: Feb 18, 2008
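As an added example (not EQSecure's code, nor any poster's), here is a small Python model of the rule behaviour discussed above: hammerman's application rule that keeps one editor out of c:\EQTest, HIPSter's observation that such a rule does not follow a child process, aigle's global BLOCK with a per-program ALLOW exception, and Alcyon's proposed `(dll|dat|...)` alternation in file patterns. The precedence order, the meaning of `*`, and every path and process name are assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Constructed model (not EQSecure's code) of the rule behaviour described in this thread:
# application rules are keyed on one process image, global rules apply to every process, and
# a rule on a parent says nothing about a child it launches. Precedence (application before
# global, first match wins, default ALLOW) and the '(a|b)' path syntax are assumptions.
ENV = {"%SystemDrive%": "C:"}
ALL_OPS = frozenset({"create", "read", "modify", "delete"})

@dataclass(frozen=True)
class Rule:
    path: str            # e.g. r"c:\EQTest\*" or r"%SystemDrive%\*.(dll|bat)"
    ops: frozenset       # subset of ALL_OPS
    action: str          # "BLOCK" or "ALLOW"
    process: str = ""    # image path for an application rule; "" means a global rule

def pattern_to_regex(pattern: str):
    """Expand env vars, then turn '*' (here crossing separators) and '(a|b|c)' into a regex."""
    for var, value in ENV.items():
        pattern = pattern.replace(var, value)
    parts = []
    for tok in re.split(r"(\*|\([^()]*\))", pattern):
        if tok == "*":
            parts.append(".*")
        elif tok.startswith("(") and tok.endswith(")"):
            parts.append("(?:" + "|".join(re.escape(a) for a in tok[1:-1].split("|")) + ")")
        else:
            parts.append(re.escape(tok))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)

def decide(process: str, path: str, op: str, rules, obey_global: bool = True) -> str:
    """BLOCK or ALLOW one file operation. The parent process is deliberately not an input:
    that is why a rule on firefox.exe never reaches a notepad.exe that Firefox launches."""
    app_rules = [r for r in rules if r.process and r.process.lower() == process.lower()]
    global_rules = [r for r in rules if not r.process] if obey_global else []
    for rule in app_rules + global_rules:
        if op in rule.ops and pattern_to_regex(rule.path).match(path):
            return rule.action
    return "ALLOW"

# hammerman's application rule: only the text editor is kept out of c:\EQTest
APP_ONLY = [Rule(r"c:\EQTest\*", ALL_OPS, "BLOCK", process=r"c:\TextEditor.exe")]
# aigle's approach: global BLOCK for every process plus an ALLOW exception for one program,
# and one alternation rule standing in for Alcyon's list of %SystemDrive%\*.ext rules
GLOBAL_WITH_EXCEPTION = [
    Rule(r"c:\EQTest\*", ALL_OPS, "ALLOW", process=r"c:\Windows\explorer.exe"),
    Rule(r"c:\EQTest\*", ALL_OPS, "BLOCK"),
    Rule(r"%SystemDrive%\*.(dll|dat|bat|reg|js|bin|vbs)", frozenset({"create", "modify"}), "BLOCK"),
]
```

Call `decide()` with a process image, a file path, an operation and a rule list: with APP_ONLY, notepad.exe reading c:\EQTest\secret.txt returns ALLOW no matter which parent launched it, while GLOBAL_WITH_EXCEPTION returns BLOCK for notepad.exe and ALLOW only for the excepted explorer.exe.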
  17. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Any word or rumor yet that EQS next version is closing in on a release date?

    Curiosity is running rampant.
     
  18. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    I am waiting too!
     
  19. jdd58

    jdd58 Registered Member

    Joined:
    Jan 30, 2008
    Posts:
    556
    Location:
    Sonoran Desert
    Is EQS working properly for those using it under LUA?

    I am unable to read the GUI as it displays a bunch of gibberish. Also the tray icon does not load.

    Under the admin account it is working fine.

    Thanks
     
  20. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    I start it as Admin and it works fine with SuRun. In fact I think I run it as Admin, it does need those higher permissions due to its driver hooking ability to monitor critical areas.
     
  21. jdd58

    jdd58 Registered Member

    Joined:
    Jan 30, 2008
    Posts:
    556
    Location:
    Sonoran Desert
    Easter, thanks, I'll try SuRun again. I uninstalled SuRun because I thought it might be the problem.
     
  22. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,156
  23. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    If you're a first time user with EQS it can seem frustrating at times due to pop-ups/monitoring, but keep in mind everything is there in EQS to fine tune the settings to a near perfect balance as you would expect or want from any pure HIPS.

    Just keep at it, it gets easier while your confidence and security begins to grow seeing & realizing positive results.
     
  24. emmpe

    emmpe Registered Member

    Joined:
    Feb 19, 2007
    Posts:
    121
  25. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Janus Solcroft !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

    I promise to agree with you on ThreatFire for the rest of 2008. ;) Please give hints on how to install with the English language. Could you also explain how to register on the English forums? I tried with your old link, but I have to enter something in Chinese, which looks Chinese to me.

    Regards Kees
     
    Last edited: Mar 2, 2008