EQSecure V4 Beta, Morc calling Orson, come in Solcroft

Discussion in 'other anti-malware software' started by Kees1958, Mar 2, 2008.

Thread Status:
Not open for further replies.
  1. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Hello Solcroft! nice to see u here at last.
    Hope u will get a good net access soon. Pls keep us informed..
     
    Last edited: Mar 6, 2008
  2. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Thanks for that. Much appreciated.
     
  3. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Ok, two things about Sandbox.

    1- Sandbox is very good in a sense that u can edit rules for individual sandboxed processes and allow a single process as much exceptions/ liberty as u want.

    2- Sandbox is still leaky, many registry areas and file protection areas are leaky and give rise to HIPS pop ups. But its beta.

    3- One very important point. Whole of Sandbox protection relies upon EQS HIPS filters. If EQS fails as a HIPS against a malware, most probably its Sandbox will fail too. Thus it's better to have one standalone HIPS and one standalone Sandbox, so if one fails, the other can cover.

    Is there any way to use EQS just as a Sandbox with no HIPS? In that case it will be a very good replacement for Sandboxie, it's light and tweakable. It can Sandbox programs automatically like the paid version of SBIE.

    They must add a right click menu as well to run a process in Sandbox.

    1.jpg
    2.jpg
     
  4. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    On my system, it still fails System Shutdown Simulator Test.
     
  5. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    EQS is still for me a very FUN app that strives to accomplish some serious shielding and protections, with that much there's no complaint since it offers PLENTY of personal customization on areas which are likely target sections for baddies.

    Thank You xuesisi so very much for all your attention on our behalf here, and thanks for posting the missing extra box for us.

    Very Nice HIPS!!!

    OK, I'm a little lost on the Sandbox yet, (Learning my way around it) but it still yields some very beneficial results at this stage from my testing apps inside it.

    One item of concern, perhaps? I dunno. This is a toss-up because EQS "ALWAYS" alerts to the XP command console as it's activated, but I allowed it to run SDTrestore with DropToDos and it purged "ALL" the EQS hooks in the SSDT table. I dunno if there's something in the works to prevent this or not, but wanted to bring some attention to it because THAT would be an important breach should a malware make it far enough to activate an UnHooker. Quite possibly this is of no real subject for concern, but was curious if EQS is at all looking to prevent any SSDT table unhooker from this type of displacement.

    Like I said, EQS "captures" the command console so the protection is adequately made before any such action could be carried out, BUT, if you run SDTrestore it easily unhooks all of EQS in that table.

    Overall I am very EXCITED!! and very pleased EQS is progressing ahead, the Physical Memory access prevention is nice and STRONG!! and works flawlessly in my tests so far.

    I highly favor the implementation of the SANDBOX as it's been added and look forward to the developer's efforts in getting it finalized!!

    I think it's a fantastic addition to an already EXCELLENT HIPS!!
     
  6. baerzake

    baerzake Registered Member

    Joined:
    Aug 18, 2007
    Posts:
    44
    the sandbox of no HIPS vision will be released by EQS when EQ4.0 final be released.
     
  7. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    All the best to EQS workers in getting this fine tuned, been at it myself most of today and I must say the improvements in raw coverage with the HIPS side anyway are excellent additions long awaited.

    The sandbox is quite useful although I find myself stumbling a bit with it right now occasionally but then it's BETA stage so some escapes are expected, one program I run sandboxed completed its registry work, or so it seems, I'll keep at this since it's a whole other area of functions but the overall app itself is still light as a feather and simply amazing.

    As some others are hinting at I just wonder if adding a context menu extension is being considered, no matter but it is still a curiosity you can't resist suggesting.

    Am delighted that attention was given to restructuring the EQS driver file again, I know those can be a balancing act to level compatibility/stability with other security apps.

    Great Job! & Nice Work!

    Keep it up.

    I don't think any one app and even a sharp HIPS like EQS can ever expect to make the magic number of 100% with everything out there, but boy it sure closes the gap immensely IMHO.

    Thanks aigle for your remarks, opinions, suggestions, and also nice screenshots. LoL

    EASTER
     
  8. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    That's very good news indeed.:thumb:
     
    Last edited: Mar 7, 2008
  9. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Easter! when I run SDTrestore, EQS gives physical memory access warning, I deny it and sdtrestore is dead. EQS stands strong. I will post a screenshot when I go to that snapshot.
     
  10. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Here are the sdtrestore screenshots.

    1.jpg
    2.jpg
     
  11. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Here are my comments so far. The bugs/ problems which I noticed with the previous version are still there- almost all of them.:mad: o_O

    Mostly it is copy/ paste from a previous thread of mine here:

    https://www.wilderssecurity.com/showthread.php?t=187839&highlight=brontok

    However I retested all before posting it now.

    1- I noticed that when the MD5 value of an application/ exe is changed EQS gives a popup about this but when I answer it with the "Allow with remember this" option, EQS does not remember the new rule, it still gives me a pop up about MD5 value changed whenever I launch this application. A similar (not exactly the same) bug was also there in the previous version.

    2- I used Scoundrel Simulator against EQS registry protection. It failed to block two things (no popup from EQS):

    - disabling internet options
    - disabling Regedit
    - windows start up folder (not protected by default)

    Was there with the last version.

    3- There is malware that disables Regedit and TaskManager (like coolpics worm/ Sohand IM messenger worm). I tried EQS against this worm and EQS failed to protect RegEdit and TaskManager. Same bug with the previous version.

    4- Trojan KillXP is able to delete three system services if allowed to execute. EQS gives no warning at all. XP killer trojan deletes the System restore, windows firewall and windows update services. Deletion of services must be detected by EQS. It was the same with the last version.

    5- I experienced three problems while trying EQSecure against the Brontok worm. Firstly, I noted that the brontok worm is able to shut down the system, thus bypassing EQSecure's system shut down protection. Here is how u can reproduce it. Disable file protection of EQS. Run brontok worm, allow its execution and all other actions like modifying its copies etc except any attempt to shutdown the system. It makes a copy of itself named "winlogon.exe" and this winlogon.exe tries to shutdown the system. After a minute or so, u will get a prompt from EQS that winlogon.exe (a copy of the worm, not the legit winlogon.exe) wants to shutdown the system, block this action and wait for a few minutes. U will get prompts about shutdown attempts by winlogon.exe. Now whatever u answer to these popups (allow or block), ur system will reboot in a minute or so. EQS can't stop it. It seems a bug.

    Secondly I noticed that Dynamic Security Agent, CFP and GesWall gave me a warning about (probably file creation/ modification by inetinfo.exe- a copy of the worm) C\Windows\system32\drivers\etc\hosts-Denied By-Shahbaz.com. I don't get any such warning from EQS although I have set a file protection rule for .com files in EQS. Seems a failure unless I am not understanding this correctly. I am not sure.

    Thirdly the worm is able to disable Regedit (and probably Folder options as well).

    The same problems were noted with the previous version.

    6- A significant delay between executing an application and the appearance of the pop up alert. Was not so with the previous version.

    7- Seems to fail against SSDT Unhooker RootKit (EZ RootKit). ?

    8- Failure against System Shutdown Simulator. Same bug with the previous version.

    Suggestions/ Features needed (all lacking since the last version)

    1- Every time an executable modifies the memory of another process, I get the memory modification popup multiple times. I think a single popup for this alert might be more appropriate, as some other HIPS give a single popup.

    2- Icon color must change in Locked Mode (so that u can know just by the tray icon that the system is locked down). Also there should be a hot key to start Locked Mode.

    3- An option to Enable MD5 checksum globally for all executables in the Application Protect module (it's a pain to enable this option one by one for all executables)

    4- An outbound firewall module like many other HIPS

    5- Detection of screen reading

    6- An option to Scan and Clean useless rules (rules for applications not present on the system) in EQS?

    7- Some skinning for pop up alerts.

    8- An option to enlarge the right side window of application rules horizontally.

    Can anybody convey this to the developers? Thanks

    It's tooo much I think. :)
     


  12. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    I know for a solid fact that it can. Check your rules. You need to block the proper regkeys in both the machine AND user hives.
     
  13. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    In that case they should include these keys in the default settings I think, like other HIPS.
     
  14. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Just an observation in general instead of a comment directed at any particular person, but I find it kind of sad that many of even the most dedicated HIPS supporters around here really have no idea how to use one.
     
  15. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    To be very honest I am not one of the most dedicated HIPS supporters. I am an ordinary user. I like to use a HIPS but without the need to add a lot of tweaks. Especially I am not familiar with the registry. I might add the keys needed for this but it will for sure take me a handsome amount of time.

    Why not add these keys by default while there is real common malware which attacks these registry areas?

    I am not shy to accept it if I know little about things (the registry is one of them). I did make a lot of custom file protection rules in EQS (last version) but very few or none in the registry module.
     
  16. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Try the registry set I posted in 3.41
     
  17. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Many of the HKLM entries are mirrored in the HKCU hive. To enable these defenses for your specific user account, you need to block the proper regkeys in the HKCU hive as well.

    While there's no real reason to not add those keys as default, there's no real reason to add them as default either, since EQSecure is a classical HIPS. If you want everything done for you by default, why not ThreatFire?
     
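    To make the HKLM/HKCU point above concrete, here is an added Python example; it is not EQSecure's code or rule format and not anything the posters in this thread wrote. It audits a made-up HIPS rule list for policy keys that are protected in only one hive (and shows that a wildcard rule such as `*ControlSet*` still counts as coverage), and separately scans a constructed registry snapshot for the restriction values that regedit/Task Manager/Folder Options/Internet Options-disabling malware sets. The key paths and value names (DisableRegistryTools, DisableTaskMgr, NoBrowserOptions, NoFolderOptions) are real Windows policy locations; SAMPLE_RULES, SAMPLE_SNAPSHOT and the function names are constructed for the example.

```python
"""Defender-side checks for the HKLM/HKCU policy-key point.

Added example: not EQSecure's code or rule format. Key and value names are
real Windows policy locations; SAMPLE_RULES and SAMPLE_SNAPSHOT are made up.
"""
from fnmatch import fnmatch
from typing import Dict, Iterable, List, Tuple

HIVE_ALIASES = {
    "HKEY_LOCAL_MACHINE": "HKLM", "HKLM": "HKLM",
    "HKEY_CURRENT_USER": "HKCU", "HKCU": "HKCU",
}

# Policy keys present under both hives with the same sub-path, and the values
# under them that "disable regedit / Task Manager / Folder Options / Internet
# Options" malware typically sets to 1. Windows honours either hive, so a HIPS
# rule on the HKLM copy alone leaves the HKCU copy open.
MIRRORED_POLICY_KEYS: Dict[str, Tuple[str, ...]] = {
    r"Software\Microsoft\Windows\CurrentVersion\Policies\System":
        ("DisableRegistryTools", "DisableTaskMgr"),
    r"Software\Policies\Microsoft\Internet Explorer\Restrictions":
        ("NoBrowserOptions",),
    r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer":
        ("NoFolderOptions",),
}


def normalize(path: str) -> str:
    """Canonical form: short hive name plus lower-cased, backslash sub-path."""
    path = path.replace("/", "\\").strip("\\")
    hive, _, rest = path.partition("\\")
    short = HIVE_ALIASES.get(hive.upper())
    if short is None:
        raise ValueError(f"unknown hive in {path!r}")
    return f"{short}\\{rest.lower()}"


def rule_covers(rules: Iterable[str], target: str) -> bool:
    """True if any rule (exact key or fnmatch wildcard such as *ControlSet*) matches target."""
    t = normalize(target)
    return any(fnmatch(t, normalize(r)) for r in rules)


def find_gaps(rules: List[str]) -> List[str]:
    """List mirrored policy keys that the rule set leaves unprotected in either hive."""
    gaps = []
    for subpath in MIRRORED_POLICY_KEYS:
        for hive in ("HKLM", "HKCU"):
            full = f"{hive}\\{subpath}"
            if not rule_covers(rules, full):
                gaps.append(full)
    return gaps


def restricted_values(snapshot: Dict[str, int]) -> List[str]:
    """Given {value_path: dword} (e.g. parsed from a reg export), list restriction values set to 1."""
    norm = {normalize(k): v for k, v in snapshot.items()}
    hits = []
    for subpath, names in MIRRORED_POLICY_KEYS.items():
        for hive in ("HKLM", "HKCU"):
            for name in names:
                full = f"{hive}\\{subpath}\\{name}"
                if norm.get(normalize(full), 0) == 1:
                    hits.append(full)
    return hits


# Constructed rule list: covers the HKLM policy keys, one HKCU key and the
# Session Manager key via a wildcard, but forgets the other HKCU mirrors.
SAMPLE_RULES = [
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System",
    r"HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Restrictions",
    r"HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Control\Session Manager",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer",
]

# Constructed snapshot as a worm that disables regedit and Folder Options leaves it.
SAMPLE_SNAPSHOT = {
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools": 1,
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr": 0,
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions": 1,
}

if __name__ == "__main__":
    for gap in find_gaps(SAMPLE_RULES):
        print("rule set does not protect:", gap)
    for hit in restricted_values(SAMPLE_SNAPSHOT):
        print("restriction currently active:", hit)
```

    Run as-is it reports the two HKCU mirrors and the one HKLM key the sample rule list misses, and flags the two restriction values already set to 1 in the sample snapshot; on a real box the snapshot dictionary would be filled from a `reg export` of the two Policies keys.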
  18. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    If other HIPS like CFP n NG can do this, why not EQS?

    TF doesn't do many things that EQS or other HIPS do.
     
  19. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    As I said before, no real particular reason. But there's no real particular reason to do it either. I'm sure the default rulesets of the HIPS you mentioned don't defend against 100% of registry keys affected by either.

    Like I said, if you want something that does it all for you out of the box, go for ThreatFire. You're given a highly configurable program that can be made to do whatever you want it to do. If you're going to complain that you need to tweak it, well... why are you even using it??
     
  20. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    BTW Solcroft! does this version intercept NTFS file permission changes?
     
  21. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    I don't know yet, sadly. I'll need to test this.

    Maybe baerzake or xuesisi can answer this one.
     
  22. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Thanks for the tips solcroft

    It's a sure bet "THAT" is the reason SDTrestore was able to unhook when I allowed the command console, so I got some fine tuning of my own to configure it more securely on this test I think.

    I agree it would be nice if such items were included by default but listen folks, the good people at EQS have already laid a pot o' gold in our laps with this HIPS, why shouldn't we also have to do some work to it ourselves. It's not fair to expect them to do everything for us and still offer it for free now is it? So solcroft is right, if you value such generosity as the EQS team has made available for us, it's only right that they leave us something to do for ourselves. After all, it's not so difficult really and can also help bring you some attention for your own coverages so that you might "LEARN" better where these potential areas for risk reside.

    Now as for me, I am absolutely tickled pink with the improvements and filled with plenty of anxious anticipation for it to become final.

    The greatest HIPS take time to place as much coverage as possible within our reach, we only have to meet them halfway and do something for ourselves too in order to realize its FULL POTENTIAL!!

    There are of course some issues to be worked out, what app doesn't have them that's been improved and added with new features. :thumb:
     
  23. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Easter! SDTrestore is stopped out of the box. See my screen shot above.
     
  24. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Of course, it should be. Did you run it via CMD from the windows RUN box?

    I used another app called DropToDos, brought up the SDTrestore app and typed "Y" to fix and afterwards used BOTH IceSword & RKU to review the SSDT Table and the list was all the same default file, in effect it purged it of other entries.

    I'm gonna try this again because I'm sure something is out of place or missing because it can't be a fluke. Also it might have been after EQS crashed when trying to access Task Manager, I couldn't access it at all without EQS crashing immediately.

    Is anyone else experiencing Task Manager crashing and closing this beta? I'll have to repeat my tests of yesterday but will do it on a different drive this time.

    I'll show up with any results when it's run thru these steps/tests again.

    Thanks EASTER
     
  25. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Hi,

    Thanks Xuesisi, thank you very much for the temporary translation.

    Finally got to test drive EQS. What a nice detail to prioritise application protection to process and system level (plus advanced). Because I am behind a policy sandbox, I have all process protection options set to ignore (I use a HIPS only as a second line of defense against real heavy malware).

    There is a trick to save your old settings when copying the beta over your old 3.41 install. First copy your old EQSysSecure.xml to a safe location. Then overwrite the directories with the 4.0 rar content. Then open application rules, click the "Tools" icon, select restore policy and select the file you just set aside.

    Also a new protected key in the autorun (registry protection) HKEY_LOCAL_MACHINE\SYSTEM\*controlSet*\Control\Session Manager for *FileRenameOperations.
     
    Last edited: Mar 8, 2008