EQSecure some tests

Discussion in 'other anti-malware software' started by Kees1958, Apr 16, 2007.

Thread Status:
Not open for further replies.
  1. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Hi,

    Tested EQSecure, in short it does all it says (just to mention a few: dll injection zapass = pass, sdtrestore (physical memory)= pass, killdisk = pass, TrojanDemo=pass), some other tests:

    Registry:
    1. regtest 1 = pass (with my ruleset)
    2. regtest 2 = fail, does not protect against data injection (messages sent to explorer, I have asked for an additional feature since EQS does not claim to protect against it)

    Keyloggers
    1. Anti-Keylogger Test at firewallleaktester.com
    - GetKeyState = pass
    - GetAsyncKeyState = pass
    - DirectX = pass
    - both screenshot grab tests failed

    2. Keyhook (auditmyPC) = pass

    3. Keylogger HelpprotectMyPC = pass

    Could not download Martin's undetectable keylogger any more (does anyone know where I can find a copy?). Could not get APT working due to DEP protection within XP.

    Regards K
     
  2. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I wonder how my frozen snapshot would do in this test.
     
  3. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Erik Albert,

    Cannot be compared: my actual offline external hard disk backup stays unaffected, and my initial XP clean install DVD backup never gets infected.
     
  4. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Image Backup is not the same as a frozen snapshot in FDISR, snapshots aren't images, which are safely stored off-line. A frozen snapshot is constantly ON-LINE.

    A frozen snapshot cleans itself by adding, removing and replacing objects until the frozen snapshot = freeze storage.
    The question is : is this method good enough to remove any kind of infection ?

    I see you had two failures in your test, a frozen snapshot is supposed to remove these failures IF it is strong enough.
     
    Last edited: Apr 16, 2007
  5. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    632
    WOW! thanks for these tests kees (especially the one i bolded, you got guts) :)

    you can get martin's keylogger here :
    http://www.winsite.com/bin/Info?26000000037599

    click where it says "download now".

    eqsecure is looking more and more awesome!
     
  6. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Out of curiosity, I tested EQSec for myself against Regtest. Regtest failed to reboot my PC and I had to do it manually, and upon the restart I noticed nothing out of the ordinary.

    What happens if the test goes unblocked, btw? My PC restarted straight into Windows normally, no messages, no nothing.
     
  7. EASTER.2010

    EASTER.2010 Guest

    Kees1958

    I posted the results of the keylogger test someplace here but please take notice. If you also run snoopfree with EQSecure, all tests from AKLT are stopped from bypassing. The two you mention DO escape EQSecure but snoopfree handles them instead. That's why I always use a layered approach.
    That being said, I follow your points about EQ's misses as well as something I discovered when throwing malware at it: it blocked it sure enough, but some still remained in the running process list of taskmanager. This MUST be addressed also.
     
  8. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Solcroft,

    That is good news. I added Toni Klein's/where malware hides article protection to the default EQS registry protection. I noticed in the EQS log it had three blocking notes due to regtest2. Still I got 1 startup message (I allowed windows restore to change/add runonce and allow log-off/log-on to explorer and rstrui, possibly made a mistake doing so, I will check this).

    Did you change anything on the default registry rules of EQS, if yes could you tell me what?

    Thanks in advance K
     
  9. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Well Easter, I sort of feel mixed about behavior blockers turning into app killers (read the experiences of others regarding NeoavaGuard, which does so when an app has collected enough bad behavior points to get killed). In theory you are right, but from a usability point of view this should be an option (kill instead of block only).
     
  10. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Did that, got an error message, looks like martin is the best webpages are not there anymore.
     
  11. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    I know, but you can obtain the same results with PowerShadow, that is how virtualization works. Just teasing.

    The question should be: is your other defense strong enough to refrain malware from sending private data outbound, during the session in which you got infected? The infection will be over once you have rebooted.

    Still, when your other protection is not strong enough: Yes, you will be fine when you use common sense to re-boot before doing sensitive transactions. No better security than common sense.
     
  12. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    632
    yeah his webpage is down, but the "download now" link worked for me. kees i uploaded martin's keylogger to rapidshare, here is the link :
    http://rapidshare.com/files/26427339/Keylog.zip.html

    if you've never used rapidshare before, it's a free file hosting site. after you click on the above link, select the "free" button, and follow the instructions on the next page.

    hope that helps and thanks for testing eqsecure :)
     
  13. EASTER.2010

    EASTER.2010 Guest

    I must have suffered a mental block. (kick me)
    I just realized the EQ TaskManager is enough to kill any running process/malware blocked. (Duh me)

    I'm still stuck on how another HIPS used to do that, CyberHawk. My bad, and thanks for bringing that up. Option is Perfect!

    This HIPS is really beginning to grow on me and i'm afraid before too long i'm gonna be fiercely supportive of it like i was for SSM & Cyberhawk. It really is a very good program and with some of those changes you mention i can't see it doing anything else but only getting better.

    And besides, some like myself really don't mind tweaking the rules to tighten even more its sensory perception ;)
     
  14. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Thx Zopzop,

    The funny thing is that EQS says it blocks keylog, but the program somehow manages to get through and records the key-strokes under a continuous stream of notification pop-ups of EQS. The keylogger is also able to save the keystrokes to log.txt = Fail

    I will post EQS
     
  15. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Hrm.

    It seems strange, but I can't seem to reproduce this, i.e. EQS fails every Regtest2 since the first one.

    At any rate, I've dropped a note on the official forums about it, and the developers say they'll look into it before the release of v3.4 - the beta of which is looking dandy so far. :D
     
  16. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Hi all,

    Inspired by ZopZop's positive DSA test, I changed my security apps:

    PC1: GeSWall Pro + EQSecure + Antivir
    PC2: DefenseWall + DSA + Antivir

    The helpdesk of EQ replied that EQ did tackle Martin's undetectable key logger. Uhh: I am not mad am I? Surprise: with DefenseWall and SensitiveGuard running alongside, EQ fails Martin's keylogger test, in the current setup EQS passes (o_O)

    Another strange behavior: PC1 boots as fast as it did (35 secs). Both PCs start their first uncached internet google window faster. So although programs do not give problems when running alongside, the performance differs...
     
  17. EASTER.2010

    EASTER.2010 Guest

    Hi Kees1958

    Your configurations with those security programs are different, as others' likely are too, and I am just curious as to what results from this latest new release will pan out to be.
     