EQSecure V4 Beta, Morc calling Orson, come in Solcroft

Discussion in 'other anti-malware software' started by Kees1958, Mar 2, 2008.

Thread Status:
Not open for further replies.
  1. Kees1958

    baerzake,

    Can you also run files in the sandbox? (If so it would be stronger than expected. :thumb:)
     
  2. aigle

    Even though I can't understand Chinese and the language is not installed on my PC, I tried the Sandbox. Looks cute BTW!

    1- Ran IE isolated and ran MoboMeter via IE; the child process (mobometer.exe) was unable to load its driver - privilege reduction is inherited. Same results with IceSword and siw.exe (System Information) launched via sandboxed IE.

    2- Ran IE isolated and via IE tried to delete two files from the system32 folder. Failed to do so.

    3- No indication in the running processes window whether a process is running sandboxed or not.

    4- No right-click option to run applications in the Sandbox.

    5- I am not sure ATM if the Sandbox is similar to SBIE (full virtualization) or similar to GW, DW (only registry virtualization). Need to test.

    And memory use by EQS is so little. It's still light as before, very light indeed.

    [Attached screenshots: 2008-03-03_113746.jpg, 2008-03-03_114939.jpg, 2008-03-03_115458.jpg, 2008-03-03_115618.jpg]
     
  3. aigle

    Hey, guys n gals! I can now confirm that the Sandbox is similar to SBIE, with file and registry virtualization. There is a virtual disk just like SBIE. Grossly, I did not find any purge/clean option for the Sandbox (but maybe it's there, as I can't read it).

    There is an option to terminate sandboxed applications individually one by one or all together with a single click.

    Also I noticed that the Sandbox has policy restrictions that are stronger than SBIE (stopped some keylogging methods) but less strong than GW, DW and SafeSpace.

    But it's too light. :thumb:

    Tried AKLT sandboxed.

    Method 1, 2, 3 and 7 - Failed
    Method 4, 5, 6 - Passed

    Not so bad for the first beta. :thumb: :thumbd:

    Attached: eqs.jpg
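The "file virtualization with a virtual disk" that aigle describes above (and the failed delete from system32 in the earlier post) is easier to reason about with a small model in hand. The following is an added example, not code from EQSecure or Sandboxie: a user-mode copy-on-write container in which every write or delete from the sandboxed side lands in a box directory and reads fall through to the real tree when the box has no copy. The `.deleted` tombstone suffix, the `purge()` method standing in for the missing "empty sandbox" button, and the sample `system32/kernel.dll` tree are assumptions made for the demonstration; real products do this inside a kernel file-system filter driver, not with Python path juggling.

```python
"""Added example: copy-on-write file virtualization in the style the thread
attributes to Sandboxie. Not EQSecure's or Sandboxie's own code."""
import os
import shutil
import tempfile


class FileSandbox:
    """The sandboxed side sees the real tree, but every write or delete
    lands in box_root; real_root is never modified."""

    TOMBSTONE = ".deleted"   # assumption: suffix marking a virtual delete

    def __init__(self, real_root, box_root):
        self.real_root = os.path.abspath(real_root)
        self.box_root = os.path.abspath(box_root)

    def _rel(self, rel):
        # Reject traversal so a sandboxed write cannot escape the container.
        norm = os.path.normpath(rel).replace("\\", "/")
        if os.path.isabs(norm) or norm == ".." or norm.startswith("../"):
            raise PermissionError("path escapes sandbox: %r" % rel)
        return norm

    def _real(self, rel):
        return os.path.join(self.real_root, self._rel(rel))

    def _box(self, rel):
        return os.path.join(self.box_root, self._rel(rel))

    def read(self, rel):
        box = self._box(rel)
        if os.path.exists(box + self.TOMBSTONE):
            raise FileNotFoundError(rel)           # deleted inside the box
        for path in (box, self._real(rel)):        # box copy shadows the real one
            if os.path.isfile(path):
                with open(path, "rb") as f:
                    return f.read()
        raise FileNotFoundError(rel)

    def write(self, rel, data):
        box = self._box(rel)
        os.makedirs(os.path.dirname(box), exist_ok=True)
        if os.path.exists(box + self.TOMBSTONE):
            os.remove(box + self.TOMBSTONE)        # re-creating a deleted file
        with open(box, "wb") as f:
            f.write(data)

    def delete(self, rel):
        box = self._box(rel)
        if not (os.path.isfile(box) or os.path.isfile(self._real(rel))):
            raise FileNotFoundError(rel)
        if os.path.isfile(box):
            os.remove(box)
        os.makedirs(os.path.dirname(box), exist_ok=True)
        open(box + self.TOMBSTONE, "wb").close()   # real file stays untouched

    def purge(self):
        # The "empty sandbox" button: everything the box did disappears.
        shutil.rmtree(self.box_root)
        os.makedirs(self.box_root)


def demo():
    """Constructed sample tree standing in for a real system32 folder."""
    real = tempfile.mkdtemp(prefix="real_")
    box = tempfile.mkdtemp(prefix="box_")
    os.makedirs(os.path.join(real, "system32"))
    real_dll = os.path.join(real, "system32", "kernel.dll")
    with open(real_dll, "wb") as f:
        f.write(b"original")

    sb = FileSandbox(real, box)
    out = {}
    sb.write("system32/kernel.dll", b"tampered")       # sandboxed "overwrite"
    out["box_sees"] = sb.read("system32/kernel.dll")
    with open(real_dll, "rb") as f:
        out["real_after_write"] = f.read()
    sb.delete("system32/kernel.dll")                   # sandboxed "delete"
    try:
        sb.read("system32/kernel.dll")
        out["visible_after_delete"] = True
    except FileNotFoundError:
        out["visible_after_delete"] = False
    out["real_after_delete"] = os.path.isfile(real_dll)
    try:
        sb.write("../outside.txt", b"x")               # traversal attempt
        out["escape_blocked"] = False
    except PermissionError:
        out["escape_blocked"] = True
    sb.purge()
    out["after_purge"] = sb.read("system32/kernel.dll")
    shutil.rmtree(real)
    shutil.rmtree(box)
    return out


if __name__ == "__main__":
    print(demo())
```

Note what the model does and does not give you: the sandboxed side believes it overwrote and then deleted the DLL, the real file is never touched, and a purge restores the original view. It says nothing about registry keys, keystrokes or network sockets; those are exactly the policy restrictions the thread compares separately.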
  4. aigle

    Have they added network access monitoring (outbound FW)? I think not!
    It's the main lacking feature in EQS ATM.
     
  5. aigle

    OK, I have tried the Sandbox against some malware. Results might not be so accurate, just a crude type of testing.

    Browsezilla adware - once failed, second time passed
    Prueba trojan - Passed
    Brontok worm - Passed
    Elitebar adware - Passed
    XP Killer - Failed - needs to be retested
    Sohand IM worm - Passed
    BlackDay worm (file infector) - Once failed, second time passed
    Termination by TaskManager, Spy.exe and VideoLinkParser - Passed
    EZ rootkit (SSDT unhooker) - Failed

    BTW, I saw that Comodo FW was able to stop outbound of hidden rootkit files in spite of the EQS sandbox being bypassed - looks nice for CFP (see the snapshot). Maybe the reason is that the driver/service did not load due to the EQS sandbox. I am not sure, did not check that. In fact I am not even sure how to check all this stuff reliably. Might try it later while running the rootkit without any HIPS and will see for any CFP alerts. Anyone please?

    Last edited: Mar 3, 2008
  6. aigle

    Hi, you can isolate a folder in the SandBox and all applications launched from that folder will be automatically isolated.

    What do you mean by running files in the Sandbox?

    By the way, I added an image on my desktop to be isolated in its sandbox, I then opened the image and it was opened in my default image viewer 'FS ImageViewer'. When I checked sandboxed processes, FS Image Viewer was not running isolated. I expected it to run isolated though. o_O

    One good thing, the Sandboxed processes window is real time. You can see processes appearing and disappearing from it in real time. :thumb:
     
  7. Trespasser

    Thanks, aigle, for the analysis. I was going to install this beta today but think now I will wait for the next beta version. There appear to be too many "holes" to suit me, but it is to be expected.

    Thanks for the info.

    Later...
     
  8. TerryWood

    Hi All

    Can anyone give me the download link for EQSecure v3.41 so I can try the new beta?

    Thanks

    Terry
     
  9. Muchinga

    Attached Files:

  10. Kees1958

    First of all thx for the pre-testing. With running files in the sandbox, I mean double clicking files which start an application. When the file is created by an untrusted application it should also run untrusted, even when it starts a trusted application.

    E.g. like double clicking an example.mp3 file in GeSWall: when this file is downloaded with the sandboxed application LimeWire, the music file should start WMP and run also with limited rights, even when WMP is marked as a trusted application.
     
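The three propagation rules the thread has been circling (aigle's observation that a child of a sandboxed IE inherits the privilege reduction, the isolated-folder rule and the image-viewer test that did not behave as expected, and Kees1958's GeSWall-style requirement above that a trusted application opening a file produced by an untrusted one must itself run restricted) fit in one small policy engine. The following is an added example, not EQSecure's, GeSWall's or Sandboxie's code: process names, paths, the `PRIVILEGED` action set and the taint-follows-the-file rule are assumptions made for the demonstration. It models only the decision logic; a real product enforces it with a process-creation callback and a file-system filter in the kernel.

```python
"""Added example: a toy policy sandbox showing how isolation propagates to
child processes, to programs launched from an isolated folder, and to a
trusted program that opens a file produced by an isolated one."""

# Assumption: the operations a restricted process is never allowed to do.
PRIVILEGED = {"load_driver", "write_system32", "install_hook"}


def _norm(path):
    """Case-insensitive, slash-normalised path key (Windows-style input)."""
    return path.replace("\\", "/").lower()


class PolicySandbox:
    def __init__(self, isolated_dirs=(), trusted_apps=()):
        self.isolated_dirs = [_norm(d).rstrip("/") + "/" for d in isolated_dirs]
        self.trusted_apps = {_norm(a) for a in trusted_apps}
        self.procs = {}            # pid -> (image, isolated, reason)
        self.tainted_files = set() # files created by, or tagged as, isolated
        self._next_pid = 1000

    def launch(self, image, parent=None, opened_file=None, run_isolated=False):
        image_n = _norm(image)
        if run_isolated:
            isolated, why = True, "user ran it isolated"
        elif parent is not None and self.procs[parent][1]:
            isolated, why = True, "inherited from isolated parent"
        elif any(image_n.startswith(d) for d in self.isolated_dirs):
            isolated, why = True, "launched from an isolated folder"
        elif opened_file is not None and _norm(opened_file) in self.tainted_files:
            # The GeSWall behaviour Kees1958 asks for: trust of the image does
            # not override the taint of the data it was asked to open.
            isolated, why = True, "opened a file created by an isolated process"
        else:
            isolated, why = False, ("trusted" if image_n in self.trusted_apps
                                    else "unrestricted")
        pid = self._next_pid
        self._next_pid += 1
        self.procs[pid] = (image_n, isolated, why)
        return pid

    def is_isolated(self, pid):
        return self.procs[pid][1]

    def reason(self, pid):
        return self.procs[pid][2]

    def create_file(self, pid, path):
        """Files written by an isolated process carry the taint with them."""
        if self.procs[pid][1]:
            self.tainted_files.add(_norm(path))

    def mark_isolated(self, path):
        """Manually tagging a file, as aigle did with the desktop image."""
        self.tainted_files.add(_norm(path))

    def request(self, pid, action):
        if action in PRIVILEGED and self.procs[pid][1]:
            return "denied"
        return "allowed"


def demo():
    """Constructed scenario mirroring the posts; all names are made up."""
    sb = PolicySandbox(isolated_dirs=["C:\\Sandbox"],
                       trusted_apps=["C:\\Program Files\\WMP\\wmplayer.exe"])
    ie = sb.launch("C:\\Program Files\\IE\\iexplore.exe", run_isolated=True)
    mobo = sb.launch("C:\\Tools\\mobometer.exe", parent=ie)
    sb.create_file(ie, "C:\\Downloads\\song.mp3")
    wmp_tainted = sb.launch("C:\\Program Files\\WMP\\wmplayer.exe",
                            opened_file="c:/downloads/song.mp3")
    wmp_clean = sb.launch("C:\\Program Files\\WMP\\wmplayer.exe",
                          opened_file="C:\\Music\\old.mp3")
    dropped = sb.launch("C:\\Sandbox\\setup.exe")
    sb.mark_isolated("C:\\Users\\me\\Desktop\\pic.jpg")
    viewer = sb.launch("C:\\Tools\\fsviewer.exe",
                       opened_file="C:\\Users\\me\\Desktop\\pic.jpg")
    return {
        "child_inherits": sb.is_isolated(mobo),
        "child_driver_load": sb.request(mobo, "load_driver"),
        "trusted_app_tainted_input": sb.is_isolated(wmp_tainted),
        "trusted_app_tainted_reason": sb.reason(wmp_tainted),
        "trusted_app_clean_input": sb.is_isolated(wmp_clean),
        "trusted_clean_driver_load": sb.request(wmp_clean, "load_driver"),
        "isolated_folder": sb.is_isolated(dropped),
        "tagged_file_viewer": sb.is_isolated(viewer),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The last two lookups in `demo()` are the cases the thread reports as uncertain or failing in the beta: a tagged image that should have pulled the viewer into isolation, and a trusted player asked to open sandbox-produced data. Whether a product implements the fourth rule is what separates a policy sandbox in the GeSWall/DefenseWall sense from a pure in-or-out container.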
  11. aigle

    I did not check it in this way. Now I have removed it from my system. Will try to see it if I install it again, possibly after we get an English version or a working English translation.
     
  12. Kees1958

    Hi Aigle,

    I think EQS is going to cause another freeware frenzy (like PowerShadow, ThreatFire, Comodo and Online Armor have caused in the past).

    When the sandbox works like Sandboxie or SafeSpace Personal (I had hoped it would work like GW or DW), EQS will be the champ on XP (Comodo still has the Vista64 advantage). On our single core AMD 3900, EQS will be my choice (we are behind a router so I will forget a software FW).

    Regards K
     
  13. TerryWood

    Hi Muchinga

    Thanks for the link to download V3.41.

    I cannot find any links on that page to download v3.41. I can find version 4. Any ideas?

    Thanks

    Terry
     
  14. Trespasser

    Boy, that was fun.

    Well, don't try to install 3.41 on a Vista machine. I tried and my computer immediately rebooted and would not boot into the Desktop. I had to go into Safe Mode and uninstall 3.41 from there. Guess I'll have to wait until beta 4 is released as a stand-alone installer.

    Yes, I know that 3.41 is not compatible with Vista but I was hoping it would at least install and then I could overwrite EQSecure's Program Files folder with the beta... but no go.

    Didn't take long to reinstall Sandboxie, though.

    Later...
     
  15. aigle

    EQS is lighter than CFP, no doubt. I would like it to have at least these features added:

    - option to enable hash check globally
    - network access filter (I like outbound control)

    And a proper English forum for it. And yes, some skinning for the pop-up GUI. :D
     
  16. aigle

    Check your PM pls.
     
  17. TerryWood

    Hi Aigle

    Already done & downloaded, thanks to you.

    Terry
     
  18. baerzake

    Hi all, EQ 4.0 can also support Vista now. The only thing we need to do is wait for the final. This beta still has some bugs, so my suggestion is don't use this beta on your work machine.
    The sandbox also has some things that need to improve, such as anti-keylogger. This beta can't pass the APT test and AKLT test yet. But I have reported it to the developer and it will be fixed as soon as possible.
     
  19. aigle

    OK, can you tell me what happens if I browse to the Sandboxie virtual hard drive and launch an mpeg file from there, will WMP run isolated or not?

    In GW n DW it will be isolated but not sure about SBIE!
     
  20. subset

    - sorting feature for rule lists

    Maybe this is not relevant with Chinese ideographs, but it drives me nuts if I try to find an app, especially with explorer.exe as parent.

    Cheers
     
  21. Kees1958

    Aigle,

    It is a long time ago since I used Sandboxie. As far as I can recall you are either in or out of the sandbox. Sandboxie and SafeSpace use file virtualisation, meaning in the sandbox you play with the file; when you move it out, it is out. That is why I prefer policy sandboxes (can be used seamlessly) and disk virtualisation programs.
     
  22. Cerxes

    ...or Sandboxie + LUA (+ SRP), which gives you the best of both worlds (virtualization and policies).

    /C.
     
  23. aigle

    I always used the search function and it's very good. You can easily find all rules about any application.
     
  24. aigle

    Any SBIE user?
     
  25. Pedro

    Sure, it is out - it is out, it is in - it is in and so on. If you don't trust the files, don't put them out.
    It's down to preferences really.

    I think I agree with Cerxes in that I would prefer SBIE+LUA over EQS's copy of SBIE. SBIE is SBIE, no substitute, no copies.

    I find it confusing that an application like EQS is being developed like this. It seems like they just add stuff, just like they saw on their fav program, and add up. Just like I would have done a year ago with Comodo, heh, only to regret it today (it would be a grave mistake, bloating it with virtualization).

    They try to catch all possible actions that can lead to compromise, just like SSM/PG/AD and so on. They put in dll control just like HIPS users always wanted. They seem to be detecting pretty much anything that executes except scripts (?), and now they get a sandbox, just like SBIE?

    Right now, I'm thinking: of course it will never be as good as SBIE. Pepsi ain't Coke either. (Hell, Coke ain't Coca-Cola anymore, it's lost.)

    One would think they don't really know what they want. Are they going to detect XSS next?

    Note: I'm not trying to anger anyone, this is my honest opinion. I just tried EQS yesterday for the 2nd time and actually liked it, all for the dll handling. Seems solid.
     