EQSecure 3.41 Settings

Discussion in 'other anti-malware software' started by EASTER, Dec 8, 2007.

Thread Status:
Not open for further replies.
  1. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,154
    Yes, I am finding this to be a good HIPS. It seems to be very thorough in monitoring your system, and I have tested it on the anti-keylogger test AKLT v3.0,
    the SSS System Shutdown Simulator and the dfk-threat-simulator-v2 test, and it passed, so I will probably be using EQSecure forever.

    I now have it running smoothly with hardly any popups, as I have clicked "allow" and "remember" for all of the current programs on my PC.

    I know that there are probably more advanced configurations that you can set up manually for extra security,

    but even the default install configuration provides a lot of protection.
     
  2. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    9,573
    Location:
    U.S.A. (South)
    Just in case it escapes attention. Might want to have a read on this.

    https://www.wilderssecurity.com/showthread.php?t=202063
     
  3. Alcyon

    Alcyon Registered Member

    Joined:
    Jan 16, 2008
    Posts:
    438
    Location:
    Montréal, Canada
    Removed - Read post #93 instead
     
    Last edited: Mar 15, 2008
  4. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    9,573
    Location:
    U.S.A. (South)
    Interested, Thanks.

    Running SP2 myself for what it's worth. I'll import these in the 4.0 beta because they'll import anyway, then review things and see what develops.

    4.0 beta is running super here and I've been hammering away at the new Physical Disk\Memory protection. The Sandbox is another matter I haven't really put to the test yet, but will.

    Again thanks for the rules, will check 'em out.
     
  5. Alcyon

    Alcyon Registered Member

    Joined:
    Jan 16, 2008
    Posts:
    438
    Location:
    Montréal, Canada
    If I remember well, the v4 beta doesn't remember the "include subkeys" option if you import rules from v3.41 to v4, so it may lead to some problems.
     
  6. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    9,573
    Location:
    U.S.A. (South)
    OK thanks, will check that.
     
  7. hammerman

    hammerman Registered Member

    Joined:
    Jul 14, 2007
    Posts:
    283
    Location:
    UK
    Hi Kees,

    I am having problems with the following registry rule in your rule set for 3.41.

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\*

    I can add sub-keys and values to this key but EQSecure doesn't pop up any message.

    Does it work OK on your system?

    Thanks.
     
  8. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Check

    A) Whether this rule is also valid for subkeys (just check the tabs which appear on the right when clicking on this key).

    B) When A does not work check whether your registry editor is allowed to edit all registry keys

    C) last chance add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\*\*

    I can not check whether it works on my system. I played with beta EQS 4 and crashed my image. I had cleaned up my backup images, so the only actual one after which my wife had bought music was an image with CFP/D+ (you will lose your digital music rights when going back earlier). I will make a new EQS image after version 4 is out.
     
  9. Alcyon

    Alcyon Registered Member

    Joined:
    Jan 16, 2008
    Posts:
    438
    Location:
    Montréal, Canada
    @ Hammerman, another option is to try:

    HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Services\*
     
  10. hammerman

    hammerman Registered Member

    Joined:
    Jul 14, 2007
    Posts:
    283
    Location:
    UK
    Thanks for suggestion.
    I used this rule and when I added a sub-key to \CurrentControlSet\Services I got a prompt from EQS that a sub-key was added to \ControlSet002\Services, which indeed it was. However, I didn't get a prompt that a sub-key was also added to CurrentControlSet.
     
  11. Alcyon

    Alcyon Registered Member

    Joined:
    Jan 16, 2008
    Posts:
    438
    Location:
    Montréal, Canada
    You didn't get a prompt for CurrentControlSet but I presume that the sub-key was successfully allowed or blocked.
     
  12. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    Is EQSecure planning on a Vista version? I just tried it with XP and see why a lot of people are impressed.
     
  13. hammerman

    hammerman Registered Member

    Joined:
    Jul 14, 2007
    Posts:
    283
    Location:
    UK
    That's right. Blocking or allowing sub-key for ControlSet002 also blocked or allowed sub-key for CurrentControlSet. I'll use the rule you suggested. Many thanks.
     
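    The behaviour hammerman saw (a write under CurrentControlSet prompting as ControlSet002) follows from CurrentControlSet being a registry symbolic link to ControlSet00N, where N is stored in HKLM\SYSTEM\Select\Current. The following added illustration (not EQSecure's code, not from any poster) resolves that link the way the registry does and then applies EQS-style wildcard rules to the resolved path, so you can see why the CurrentControlSet rule never fires while the *ControlSet* rule does; the Select\Current value, the TestSvc key name and the "include subkeys" emulation are constructed assumptions.

```python
import fnmatch
import re

SELECT_CURRENT = 2  # constructed: HKLM\SYSTEM\Select\Current on the sample machine


def canonical_path(path: str, current: int = SELECT_CURRENT) -> str:
    r"""Resolve the CurrentControlSet link to its ControlSet00N target.

    The registry stores CurrentControlSet as a symbolic link; a HIPS that
    hooks registry operations sees the link target, which is why the
    prompt in the thread named ControlSet002 rather than CurrentControlSet.
    """
    target = f"ControlSet{current:03d}"
    return re.sub(r"(?i)(?<=\\)CurrentControlSet(?=\\|$)", target, path)


def rule_matches(rule: str, path: str, include_sub: bool = True) -> bool:
    """Case-insensitive '*' wildcard match of a rule against a resolved key.

    include_sub emulates the 'include subkeys' option (assumed semantics):
    the rule also covers any key below the one it names.
    """
    rule, path = rule.lower(), path.lower()
    if fnmatch.fnmatchcase(path, rule):
        return True
    return bool(include_sub and fnmatch.fnmatchcase(path, rule.rstrip("\\") + "\\*"))


def rules_that_fire(rules, written_key: str, include_sub: bool = True) -> list:
    """Return the rules that would prompt for a write to written_key."""
    real = canonical_path(written_key)
    return [r for r in rules if rule_matches(r, real, include_sub)]


RULE_CURRENT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\*"   # from the ruleset
RULE_ANY_SET = r"HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Services\*"        # Alcyon's suggestion
RULE_KEY_ONLY = r"HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Services"          # no trailing *, relies on include subkeys

if __name__ == "__main__":
    key = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TestSvc"  # constructed new service key
    print("resolved path :", canonical_path(key))
    print("rules firing  :", rules_that_fire([RULE_CURRENT, RULE_ANY_SET], key))
    print("key-only rule, include subkeys on :", rules_that_fire([RULE_KEY_ONLY], key))
    print("key-only rule, include subkeys off:", rules_that_fire([RULE_KEY_ONLY], key, False))
```

The last two lines show Kees's point A: a rule that names the Services key itself only covers new sub-keys when "include subkeys" is set.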
  14. Alcyon

    Alcyon Registered Member

    Joined:
    Jan 16, 2008
    Posts:
    438
    Location:
    Montréal, Canada
    EQSecure v4 Beta is Vista compatible, but I strongly suggest you wait for the final version. There are still some bugs in the beta.
     
  15. Alcyon

    Alcyon Registered Member

    Joined:
    Jan 16, 2008
    Posts:
    438
    Location:
    Montréal, Canada
    While playing with the Windows File Protection of Win XP, I found that a default rule is missing in the Application Rules of File Protection Settings for EQS v3.41:
    Code:
    <EQSysSecureDat Version="2">
        <Rule Type="WatchApp">
            <Rule Data0="*" Type="1" />
            <Rule SubType="65535" IncludeSub="1" Action="65535" Log="65279" Ask="65279" Data0="*" Type="2" />
        </Rule>
        <Rule Type="WatchReg">
            <Rule Data0="*" Type="1" />
            <Rule SubType="7" IncludeSub="1" Action="7" Log="0" Ask="0" Data0="*" Type="2" />
        </Rule>
        <Rule Type="WatchFile">
            <Group Name="System" ModeID="1">
                <Rule SearchGlobal="1" SubType="0" IncludeSub="0" Action="15" Log="0" Ask="0" ExcludeDirectory="0" Enabled="1" MD5Check="0" MD5Value="" Desc="Create Date:2008-03-14 12:08:53,Create rules with asking window." Data0="%WinDir%\system32\winlogon.exe">
                    <Rule SubType="1" IncludeSub="1" Action="15" Log="0" Ask="0" ExcludeDirectory="0" Enabled="1" MD5Check="0" MD5Value="" Desc="Create Date:2008-03-14 12:08:53,Create rules with asking window." Data0="*" />
                </Rule>
            </Group>
            <Rule Data0="*" Type="1" />
            <Rule SubType="15" IncludeSub="1" Action="15" Log="0" Ask="0" Data0="*" Type="2" />
        </Rule>
    </EQSysSecureDat>
    Without this special rule, if you remove a critical Windows system file, EQS will prompt you that the file you deleted is being recreated. In fact, it's a useless prompt, so you should copy the code into Notepad, save it as an .xml file and import this rule into EQS.

    BTW, my ruleset, which was updated yesterday, doesn't contain this additional rule.
     
  16. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    9,573
    Location:
    U.S.A. (South)
    Thanks Alcyon

    I'm sure xuesisi could bring that particular find to the developer's attention. I know I sure missed it, probably some others too, but nothing that's caused any serious problem on this end yet.

    Only EQS 4.0 (Beta), where Task Manager crashes immediately each and every time. I expect they are in full progress by now with fine tuning and bug fixing 4.0, so hopefully xuesisi will soon drop us an update note on it.

    I am still actually running 3.41 on the other bootable partition of mine, so this is rather timely.
     
  17. tepe2

    tepe2 Registered Member

    Joined:
    Jan 18, 2006
    Posts:
    543
    I tested the OA free/EQS combo thanks to Kees. I liked it a lot.

    I now have OA paid, but still want to use EQS so I am going to download it again. (3.41 not the beta).

    1. Install EQS
    2. Disable application protection (let OA do this)
    3. Do this: https://www.wilderssecurity.com/showpost.php?p=1163738&postcount=9
    4. What now? So many filters posted and updated here from post #37-47 and #78. +more. What to use?

    I guess I could disable registry protection as well (in EQS), but is not this protection stronger with the filters posted in this thread than OA? Can this be disabled in OA?

    I am getting close to my final setup but as you can see I need some advice :)

    Thanks :)
     
  18. Alcyon

    Alcyon Registered Member

    Joined:
    Jan 16, 2008
    Posts:
    438
    Location:
    Montréal, Canada
    Again, here's my new EQSecure ruleset. It's for v3.41 and Windows XP SP2 only. Make sure to do a backup before testing it. You'll need to replace the .txt extension with .zip .

    Note:

    - All EQS global & Blacklist rules must be removed before importing those new rules.
    - Do not remove your application rules in application, registry & file protection settings (unless needed).
    - Rules Must not be reordered.

    03/15/2008 updates:

    - New registry keys added
    - Missing default system rule added
    - Blacklist rules added

    03/16/2008 updates:

    - Critical app & registry rules errors fixed
    - 03162008-C: Registry Key Added (Worm/Hakaglan.B,etc.)

    03/17/2008 updates:

    - New registry keys added
     

    Attached Files:

    Last edited: Mar 17, 2008
  19. tepe2

    tepe2 Registered Member

    Joined:
    Jan 18, 2006
    Posts:
    543
    Thank you so much Alcyon :) I will try this when I have downloaded EQS.
     
  20. tepe2

    tepe2 Registered Member

    Joined:
    Jan 18, 2006
    Posts:
    543
    I tried the ruleset. (Great job, thanks).

    Some problems I had. 30 second delay in opening video files. Could not show hidden files. If I left the computer long enough for the screen-saver to jump in, I met a blue screen when I came back. Had to push restart button.

    Then I saw you had updated the ruleset. I downloaded the updated ruleset. Opening video files is ok now, no delay. I unchecked a rule to be able to show hidden files, that was easy to figure out. But I still have blue screen after screen-saver has been in action. I probably have to uncheck a rule?

    I'm not used to working with rules and the registry; I understand only a few of them. This ruleset contains a lot of rules. I don't know if all of them are necessary for security reasons. I guess more rules and more security = more popups. That's the way it has to be.

    As a less experienced user I guess I probably should not use a HIPS like EQS, but instead of not using EQS I maybe just jump into it and try to learn. I will use this ruleset for a while and see how it works for me.

    If I decide not to use this strong ruleset what are the alternatives? Remember I also have OA paid. Does EQS offer protection without these rules? Those of you who are familiar with both EQS and OA how would you put the two together?
     
  21. Alcyon

    Alcyon Registered Member

    Joined:
    Jan 16, 2008
    Posts:
    438
    Location:
    Montréal, Canada
    @ tepe2, I'm unable to reproduce the problem. Something you can do is to verify your EQS log entries and post back what was blocked before this BSOD. Edit: Maybe there's a conflict with another piece of software!
     
    Last edited: Mar 16, 2008
  22. tepe2

    tepe2 Registered Member

    Joined:
    Jan 18, 2006
    Posts:
    543
    I tried to reproduce but was not able to. Maybe the problem is gone. The log does not tell me much. And some log listings are deleted, but they should not be because I have only used EQS for two days. In the configuration I have set log to auto delete after 30 days.

    I will try to reproduce this tomorrow, and if I succeed I will post what the log says.
     
  23. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Tepe2,

    Although Alcyon has made an impressive filter :thumb: , it seems that Toni Klein himself assisted OA to enlarge the scope of auto startup protection (only paid version has auto runs management). Together with the run safer option (allows only changes in the user hives of the registry) and web filter protection of the paid version, you should be okay.

    So when you are happy playing with it, keep on playing, but I doubt whether it is really necessary.

    Regards Kees
     
    Last edited: Mar 18, 2008
  24. tepe2

    tepe2 Registered Member

    Joined:
    Jan 18, 2006
    Posts:
    543
    I was wrong when saying logs were deleted, sorry. I thought I could see all logs in the log viewer, but I found out I had to click "open log folder" to see all logs. EQS saves one log each day as a text file; I did not know :) There are lots of entries. I have not seen the blue screen again, but if I do I will go straight to the log to find out.
     
  25. tepe2

    tepe2 Registered Member

    Joined:
    Jan 18, 2006
    Posts:
    543
    OK, I trust you Kees ;) But I still want to use EQS together with OA, at least to block low-level disk operations. What else OA does not cover I don't know.

    Based on previous threads/posting I guess this would be the way to configure EQS when used in pair with OA:

    Application Protection and Registry Protection - Disabled
    File Protection - Alcyon's filter or Kees' filter
    Protection Mode - as Kees posted here: https://www.wilderssecurity.com/showpost.php?p=1163738&postcount=9

    This is how I configured the alerts:

    eqs-alerts.png
    I set the duration for prompts to -1. This is because if an alert pops up when I'm not there, the alert will still be there when I come back. Nothing is blocked or allowed until I say so.

    One guy asked somewhere in this or another thread how to stop the notifications from popping up all the time. This is how: go to Configuration - Alerts - and see the picture above.
     