EQSecure 3.41 Settings

Discussion in 'other anti-malware software' started by EASTER, Dec 8, 2007.

Thread Status:
Not open for further replies.
  1. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    I'm afraid you hit the proverbial nail squarely on the head with that summation. Also Alcyon is not the first to offer more concise rulesets to add to EQS and forgive me as his membership name escapes me ATM but it was also a help indeed.

    Alcyon's just raised the bar significantly and actually produced a really nice template of sorts for others to benefit from when used with EQS.

    EQS, like I said many times before, is what I consider a very worthy HIPS but is devoid of MANY important rules, and I assume that's by design since it's FREE! But then so are OA & Comodo with their duo combo firewall and HIPS which isn't bad at all in the HIPS department.

    I lurked the EQSecure Forums (translated by Google (Ugh)) last night and read posts from members who are pressing it hard about other HIPS, two of them I just mentioned, the rest of the exchanges went into La La land and I closed out the site.

    A user needs comprehensive intelligent discussion, not one-liners, and you'll find plenty of those there, and a shame too, because EQS in my opinion has shown some real promise.

    Getting back to bellgamin's statements, EQS unfortunately comes with a very limited ruleset ATM, and it's anybody's guess if they or when they even release another Beta or Final for that matter if that will ever change.

    I'm only speculating on that but you're very right, without Alcyon's RuleSets there are plenty of areas that can be had, any HIPS in my experiences with them have to cover a lot of territory to be of any use or users will simply have to dismiss it entirely for something more reliable, not as useless for security.

    EASTER
     
    Last edited: Apr 25, 2008
  2. RootAccess

    RootAccess Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    64
    What is the md5/sha-1 checksum for EQSecure 3.41?

    Thanks!
     
  3. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    They're supposed to be accurately read and databased as confirming file identities which EQS also allows an on-line direct connect to MS to qualify/confirm Microsoft Digital Authentication of system files to assure integrity or in layman's terms reality they are what they are supposed to be when first installed or updated etc. by patches etc.

    On a different note, EQS better get some adequate self-protection, I was testing BOTH Comodo D+ & EQS just now and for fun Terminated EQS from Comodo D+'s Active Process List and it blasted EQS to bits. Funny weird thing, the EQS tray icon stayed active but when I brought up the configuration dialogs, every single checkmark had been wiped clean, not only that but the HIPS stopped alerting to anything. Oh oh.
     
  4. Gargoyle

    Gargoyle Registered Member

    Joined:
    Jun 2, 2007
    Posts:
    67
    Yeah, if someone is using EQSecure 3.41, please let me know what the md5 checksum is too. Much thanks in advance.
     
  5. Alcyon

    Alcyon Registered Member

    Joined:
    Jan 16, 2008
    Posts:
    438
    Location:
    Montréal, Canada
    @ Gargoyle, Wikipedia has a lot of information on md5 checksum.
     
  6. Alcyon

    Alcyon Registered Member

    Joined:
    Jan 16, 2008
    Posts:
    438
    Location:
    Montréal, Canada
    For all EQS junkies who are using my ruleset, there have been major modifications and improvements so I suggest everyone do an update:

    http://drop.io/eqsecure
     
    Last edited: May 2, 2008
  7. Rickster100

    Rickster100 Registered Member

    Joined:
    Sep 29, 2005
    Posts:
    152
    Location:
    United Kingdom
    Thanks Alcyon, for the update. Your hard work on these rulesets is very much appreciated. ;) :thumb:
     
  8. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    Thanks Alcyon.
    I'm translating the ruleset right now, and will try it later tonight.
     
  9. Alcyon

    Alcyon Registered Member

    Joined:
    Jan 16, 2008
    Posts:
    438
    Location:
    Montréal, Canada
    HURST, it'll be less trouble if you simply install an English OS because I'm still updating it regularly :)
     
  10. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    Yeah I know, but my OEM XP is in Spanish... so I'm stuck with it... don't want to use a pirated copy nor do I want to give away my money buying another license. If anyone knows a way of getting a free legit English copy of XP it would be great.

    Anyways, I think I'll update my computer this year, and then I'm definitely getting an English Windows version.

    :thumb:
     
  11. Alcyon

    Alcyon Registered Member

    Joined:
    Jan 16, 2008
    Posts:
    438
    Location:
    Montréal, Canada
    Yep, judging by the amount of dropio web page views I can see it's quite popular. I'm surprised.
     
  12. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    Don't be surprised. It's just the reward for all your hard work and generosity, making this excellent ruleset available for all. :thumb: :thumb:
     
  13. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Thanks for the update effort on the EQS RuleSets Alcyon

    I'm beginning to think it might be a very long time before we see an EQS final released so these should come in very handy for the version we have now.

    EASTER
     
  14. Bio-Hazard

    Bio-Hazard Registered Member

    Joined:
    Jan 10, 2007
    Posts:
    529
    Location:
    Cornwall, UK
    Hello!

    I am going to give EQSecure another try. Can someone tell me how to install Alcyon's rulesets, please?
     
  15. Alcyon

    Alcyon Registered Member

    Joined:
    Jan 16, 2008
    Posts:
    438
    Location:
    Montréal, Canada
    New ruleset update ( v05222008 )

    changelog:

    - Rules added to application protection settings (global rules)
    - Minor registry rules modifications
    - Help folder (%WinDir%\Help) rules fixed
    - New "Block Known Malwares" rules added

    v05242008:

    - New registry rules added (Explorer UserAssist Logs)

    v05262008:

    - New "Block known Malwares" rules added

    http://drop.io/eqsecure
     
    Last edited: May 26, 2008
  16. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Thanks again. New Improved Rules.
     
  17. TVH

    TVH Registered Member

    Joined:
    Aug 9, 2007
    Posts:
    227
    I've been using EQSecure along with Alcyon's ruleset and think it's fantastic. I really appreciate the effort.

    However, I was wondering if it's possible to create some sort of application whitelist like in Anti-Executable so EQSecure does not constantly alert about the activities of known trusted programs.
     
  18. Alcyon

    Alcyon Registered Member

    Joined:
    Jan 16, 2008
    Posts:
    438
    Location:
    Montréal, Canada
    Hi TVH

    I've never used Anti-Executable but there are three kinds of whitelisting you can do with EQSecure: low, medium or high priority whitelisting. We'll skip the low priority rules.

    Medium priority whitelisting = Remember this action + Allow

    Medium priority blacklisting = Remember this action + Block

    High priority whitelisting:

    There are three levels of high priority rules: application, registry and file protection. High priority rules are named blacklist rules but they can be used to create whitelists.

    In the blacklist section of file protection settings, you can whitelist all files for a specific folder, all files for a folder and all its subfolders, specific files, etc.

    Here are some examples:

    %ProgramFiles%\abcd\* + Allow action for all operations + Ignore operations towards folders - Include all files in this folder = whitelisting of all files within abcd folder only.

    %ProgramFiles%\abcd\* + Allow action for all operations - Ignore operations towards folders + Include all files in this folder = whitelisting of all files within abcd folder and all its subfolders.

    %ProgramFiles%\abcd\*.exe + Allow action for all operations + Ignore operations towards folders - Include all files in this folder = whitelisting of all exe files within abcd folder only.

    %ProgramFiles%\abcd\*.exe + Allow action for all operations - Ignore operations towards folders + Include all files in this folder = whitelisting of all exe files within abcd folder and all its subfolders.

    In the blacklist section of registry protection settings, you can whitelist specific keys, values, etc.

    Same story for the blacklist section of application protection settings. To make a whitelist, you make a group of rules with "allow" instead of "block".

    High priority rules are triggered first so you should always put your whitelists in the blacklist section.

    I hope I answered your question.

    edit: clarifications (sorry for my poor English)
     
    Last edited: May 28, 2008
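Added example, not part of Alcyon's post and not EQSecure's own code: a small Python model of the four file-whitelist combinations listed above, useful for checking how far a rule reaches before adding it. The matching logic, function names and sample file names are assumptions constructed for illustration; EQSecure's real matcher may differ.

```python
import fnmatch
import ntpath

# The four example rules from the post:
# (pattern, is "Include all files in this folder" ticked?)
RULES = [
    (r"%ProgramFiles%\abcd\*", False),
    (r"%ProgramFiles%\abcd\*", True),
    (r"%ProgramFiles%\abcd\*.exe", False),
    (r"%ProgramFiles%\abcd\*.exe", True),
]

def covers(pattern, include_subfolders, path):
    """True if a whitelist rule with this pattern and scope covers the file path."""
    folder, file_glob = ntpath.split(pattern.lower())
    parent, name = ntpath.split(path.lower())   # Windows paths are case-insensitive
    if not fnmatch.fnmatchcase(name, file_glob):
        return False
    in_folder = parent == folder
    in_subfolder = parent.startswith(folder + "\\")
    return in_folder or (include_subfolders and in_subfolder)

def covering_rules(path, rules=RULES):
    """Indexes (0-3, in the post's order) of the rules that would whitelist `path`."""
    return [i for i, (pat, sub) in enumerate(rules) if covers(pat, sub, path)]

# Constructed sample paths (hypothetical file names).
SAMPLES = [
    r"%ProgramFiles%\abcd\app.exe",
    r"%ProgramFiles%\abcd\helper.dll",
    r"%ProgramFiles%\abcd\plugins\addon.exe",
    r"%ProgramFiles%\abcd\plugins\cache\data.tmp",
    r"%ProgramFiles%\abcdx\other.exe",
]

if __name__ == "__main__":
    for p in SAMPLES:
        print(p, "->", covering_rules(p))
```

The narrowest rule that still covers the trusted program is the one to keep: under this model the second combination also whitelists anything later written into a subfolder of abcd.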
  19. TVH

    TVH Registered Member

    Joined:
    Aug 9, 2007
    Posts:
    227
    Thanks for your reply. That's clarified everything for me.
     
  20. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Interesting note Alcyon.

    Your personalized new EQS RuleSets have been a huge boost for morale and security both.

    Now if EQS will just raise the bar again and add some more new additional features without adding the weight that often times comes with them.

    Personally I think it would be useful since they already restart their own modules if & when closed to also add at least a few running processes to restart too but more on the order of instantly rather than after a minute.

    Still, that's a great feature that comes in handy when installing good clean apps.

    EASTER
     
  21. Alcyon

    Alcyon Registered Member

    Joined:
    Jan 16, 2008
    Posts:
    438
    Location:
    Montréal, Canada
    We'll have to wait and see...

    Anyway, after reading some posts here at Wilders, I had an idea. Why not make some EQS rules to lock Flash Player settings and block Flash cookies:
    Code:
    <EQSysSecureDat Version="2">
        <Rule Type="WatchApp">
            <Rule Data0="*" Type="1" />
            <Rule SubType="65535" IncludeSub="1" Action="65535" Log="65279" Ask="65279" Data0="*" Type="2" />
        </Rule>
        <Rule Type="WatchReg">
            <Rule Data0="*" Type="1" />
            <Rule SubType="7" IncludeSub="1" Action="7" Log="0" Ask="0" Data0="*" Type="2" />
        </Rule>
        <Rule Type="WatchFile">
            <Rule Data0="*" Type="1">
                <Group Name="Lock Flash Player Settings" ModeID="1">
                    <Rule SubType="4" IncludeSub="1" Action="2" Log="0" Ask="0" ExcludeDirectory="0" Enabled="1" MD5Check="0" MD5Value="" Desc="" Data0="%SystemDrive%\*\Application Data\Macromedia\Flash Player\*\flashplayer\sys\settings.sol" />
                </Group>
                <Group Name="Block Flash Player Cookies" ModeID="1">
                    <Rule SubType="1" IncludeSub="1" Action="2" Log="0" Ask="0" ExcludeDirectory="0" Enabled="1" MD5Check="0" MD5Value="" Desc="" Data0="%SystemDrive%\Documents and Settings\*\Application Data\Macromedia\Flash Player\?SharedObjects\*\*" />
                    <Rule SubType="1" IncludeSub="1" Action="2" Log="0" Ask="0" ExcludeDirectory="0" Enabled="1" MD5Check="0" MD5Value="" Desc="" Data0="%SystemDrive%\*\Application Data\Macromedia\Flash Player\*\flashplayer\sys\#*" />
                </Group>
            </Rule>
            <Rule SubType="15" IncludeSub="1" Action="15" Log="0" Ask="0" Data0="*" Type="2" />
        </Rule>
    </EQSysSecureDat>
    I'm not quite sure if everything is right but I'll probably include those rules or something similar in my next ruleset update. These rules need to be placed in the blacklist section of file protection settings.

    Edit: something is wrong with them so just forget it for now.... sh#t happens.
     
    Last edited: May 30, 2008
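Added example, not part of the original post and not EQSecure's own code: a Python check that parses the file rules posted above and reports which rule group covers each test path, so gaps show up before the rules are relied on. The wildcard semantics ("*" matching any run of characters, backslashes included, and "?" matching one character), the `C:` drive, the user name and the sample paths are assumptions; the last sample uses the Spanish XP name of the Application Data folder.

```python
import re
import xml.etree.ElementTree as ET

# File rules from the post, trimmed to group names and Data0 patterns.
RULESET = r"""<EQSysSecureDat Version="2"><Rule Type="WatchFile"><Rule Data0="*" Type="1">
 <Group Name="Lock Flash Player Settings">
  <Rule Data0="%SystemDrive%\*\Application Data\Macromedia\Flash Player\*\flashplayer\sys\settings.sol" />
 </Group>
 <Group Name="Block Flash Player Cookies">
  <Rule Data0="%SystemDrive%\Documents and Settings\*\Application Data\Macromedia\Flash Player\?SharedObjects\*\*" />
  <Rule Data0="%SystemDrive%\*\Application Data\Macromedia\Flash Player\*\flashplayer\sys\#*" />
 </Group>
</Rule></Rule></EQSysSecureDat>"""

def to_regex(pattern):
    # Assumed semantics: "*" = any run of characters, "?" = exactly one character.
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.compile(body + r"\Z", re.IGNORECASE)

def coverage(xml_text, paths, system_drive="C:"):
    """Map each path to the names of the rule groups whose Data0 pattern matches it."""
    hits = {p: [] for p in paths}
    for group in ET.fromstring(xml_text).iter("Group"):
        for rule in group.iter("Rule"):
            rx = to_regex(rule.get("Data0").replace("%SystemDrive%", system_drive))
            for p in paths:
                if rx.match(p) and group.get("Name") not in hits[p]:
                    hits[p].append(group.get("Name"))
    return hits

# Constructed sample paths; the user name and site names are hypothetical.
XP_EN = r"C:\Documents and Settings\user1\Application Data\Macromedia\Flash Player"
XP_ES = r"C:\Documents and Settings\user1\Datos de programa\Macromedia\Flash Player"
SAMPLES = [
    XP_EN + r"\macromedia.com\support\flashplayer\sys\settings.sol",
    XP_EN + r"\#SharedObjects\ABCD1234\example.com\prefs.sol",
    XP_EN + r"\macromedia.com\support\flashplayer\sys\#example.com\settings.sol",
    XP_ES + r"\#SharedObjects\ABCD1234\example.com\prefs.sol",
]

if __name__ == "__main__":
    for path, groups in coverage(RULESET, SAMPLES).items():
        print(groups or "NOT COVERED", "<-", path)
```

The last path matches no rule because every pattern hard-codes the English folder name, which is why the ruleset has to be translated for a localized Windows install.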
  22. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    I've done and still do a lot of snatching flash files from my TIF but only those I can use to create attractive and useful automations locally, there's a lot a flash editor can make use of with silly flash advertisements believe me, the remaining are mostly junk and hit the rubbish bin since they only take up space in the TIF's anyway.

    I like your idea of stoppage of flash cookies though and will give that a go.

    While we're on the subject and pretty much confined to version 3.41 SP2, Alcyon, keep those ideas flowing and pass any along you feel worthwhile.

    At least with EQS we really have some useful elbow room in order to work with on the rules sections areas and I'm sure there are many more available yet to be discovered.

    It almost can double as a behavioral blocker since it's actually acting on internal/external signalling to files anyway.

    EASTER
     
  23. Alcyon

    Alcyon Registered Member

    Joined:
    Jan 16, 2008
    Posts:
    438
    Location:
    Montréal, Canada
    The "block flash player cookies" rules should be ok but the problem is correctly locking the flash player settings.... I'll work on that tomorrow.
     
  24. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
  25. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455