Review EQSecure 3.3

Discussion in 'other anti-malware software' started by Kees1958, Apr 4, 2007.

Thread Status:
Not open for further replies.
  1. idle.newbie

    idle.newbie Registered Member

    Joined:
    Apr 2, 2006
    Posts:
    10
  2. EASTER.2010

    EASTER.2010 Guest

    I'm all over this, thanks for posting it. I wonder what they added in keylog protection? It already handled Martin's and 2 of AKLT's 4, Snoopfree grabbed the other 2. LoL
     
  3. cpcw

    cpcw Registered Member

    Joined:
    May 19, 2007
    Posts:
    22
    EQ3.4RC1 can't block the number key detection in the anti-keylogger test.
    EQ3.4RC2 can block it.
     

    Attached Files:

    • temp.jpg (16.6 KB)
    Last edited: May 26, 2007
  4. cpcw

    cpcw Registered Member

    Joined:
    May 19, 2007
    Posts:
    22
    The RC2 English edition has some problems. If you want to use it, change the language to chinese_simplified.
     
  5. cpcw

    cpcw Registered Member

    Joined:
    May 19, 2007
    Posts:
    22
    I think EQ can do this.

    I uploaded a rules file. Please delete the ".txt".

    Please clean up all the rules in "Application protect setting", then import "Auto Group.xml".
    Enable "Application Protect", disable "Registry Protect", disable "File Protect".

    OK, you could test it.

    I am very happy to help you.
     

    Attached Files:

    Last edited: May 27, 2007
  6. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Solcroft,

    Could you please translate the flowchart?

    Thx K
     
  7. EASTER.2010

    EASTER.2010 Guest

    Sorry, but I won't be implementing simplified Chinese at all. Just like in Russia or any other developers' native lingo across the land, most true developers find at least a single source to help with the translations over to other languages, English being the most pronounced.

    Until they do, if they do, looks like I won't be getting anywhere near this 3.4 version. It's common practice to accommodate global interests where it concerns public distributions, be it freeware or commercial, unless they are content to keep the program low key and localized to only their country.
     
  8. cpcw

    cpcw Registered Member

    Joined:
    May 19, 2007
    Posts:
    22
    I got good news from the official forum (Chinese). They (the developers) will solve all language problems in "EQ v3.4 RC3".

    You can use RC3 without the language problems.
     
    Last edited: May 27, 2007
  9. cpcw

    cpcw Registered Member

    Joined:
    May 19, 2007
    Posts:
    22
    I tried to translate the flowchart.
     

    Attached Files:

  10. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    THX

    Could some Chinese-speaking member post a question to the EQSecure forum for the same flowchart for registry and file protection?

    Because you define registry entries/wildcards or files/wildcards in registry and file protection (instead of processes) at "All applications rules", but you do specify processes (as the parent) and children (registry entries/files) at the "Application's rules". In the "Blacklist" you have to specify registry entries or files at registry and data protection.

    This implies a drop through error when they apply the same logic (of applications) to registry and file protection.

    Suppose the process accessing a file is the parent, the file accessed the child. Apply the logic of the translated flowchart to this situation. The flowchart for registry and file protection should be (see attached pic).
     

    Attached Files:

  11. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    CPCW,

    Thanks for translating. Could one of the Chinese members ask the EQ forum how the flowcharts (rules logic) of file and registry protection are?

    In my review I mentioned some unexpected results. I thought it was my problem (trying to understand a program without a help function or user guide).

    Now suppose that EQS developers use a process as the parent and a file as the child and they apply the same logic as shown in the translation of CPCW.

    Apply this flowchart on the following situation for FILE PROTECTION

    "All applications rules"
    - C:\Windows\system32\*.dll
    read = allow
    create = prompt and allow
    modify = prompt and block
    delete = prompt and block

    "Application's rule"
    - process is EXAMPLE.exe, with the following rules
    read = allow, create = allow, modify = allow, delete = allow
    because this involves all files (practically the default rights).
    - files added
    GOOD.dll (read = allow, create = allow, modify=prompt and block, delete = allow)


    For the deletion of file GOOD.dll by EXAMPLE the translated flowchart responds with:
    - file GOOD.dll not found in "Blacklist"
    - process EXAMPLE.exe found in "Application's rules" as a parent
    - file GOOD.dll found as child under process EXAMPLE.dll
    result: rules of GOOD.DLL are applied

    Same flowchart when EXAMPLE.exe does try to modify file C:\Windows\System32\ERROR.dll:
    - file ERROR.dll not in blacklist
    - process EXAMPLE.exe in Application's rules
    - file ERROR.dll not found as a child in "Application's rules" for EXAMPLE.exe
    - process EXAMPLE.exe is not found in the "All applications rules" BECAUSE
    YOU CAN NOT SPECIFY PROCESSES, ONLY FILES!
    result: rules of EXAMPLE.DLL are executed, while it involves a DLL in the Windows System32 directory (for which we had specified a general rule in "ALL applications rules").

    Please, could some of the Chinese-speaking members ask for the flowchart of registry and file protection and address this "drop through error".

    Regards K
     
  12. cpcw

    cpcw Registered Member

    Joined:
    May 19, 2007
    Posts:
    22
    According to your rules, when EXAMPLE.exe tries to modify file "C:\Windows\System32\ERROR.dll", EQ will prompt you if you select the "search all program rule" option.

    Same flowchart when EXAMPLE.exe does try to modify file C:\Windows\System32\ERROR.dll:
    - file ERROR.dll not in blacklist
    - process EXAMPLE.exe in Application's rules
    - file ERROR.dll not found as a child in "Application's rules" for EXAMPLE.exe
    (if you deselect the "search all program rule" option for EXAMPLE.exe, EQ works according to ERROR.dll's parent rule; then EQ allows EXAMPLE.exe to modify ERROR.dll)
    (if you select the "search all program rule" option for EXAMPLE.exe, EQ works according to the following rule in All applications)
    - process EXAMPLE.exe *.dll is not found in the "All applications rules"
    According to this rule, EQ will prompt you when EXAMPLE.exe modifies file "C:\Windows\System32\ERROR.dll".
     
    Last edited: May 27, 2007
  13. cpcw

    cpcw Registered Member

    Joined:
    May 19, 2007
    Posts:
    22
    "All applications rules"
    - C:\temp\*.txt
    read = allow
    create = prompt and allow
    modify = prompt and block
    delete = prompt and block

    "Application's rule"
    - process is NOTEPAD.exe, with the following rules
    read = allow, create = allow, modify = allow, delete = allow
    You should select the "search all program rule" option for NOTEPAD.exe.
    - files added
    *\GOOD.txt (select "Include all files in this fold" option) (read = allow, create = allow, modify = prompt and block, delete = allow)


    For the creation of file GOOD.txt by NOTEPAD.exe the translated flowchart responds with:
    - file GOOD.txt not found in "Blacklist" as a child
    - process NOTEPAD.exe found in "Application's rules" as a parent
    - file GOOD.txt found as child under process NOTEPAD.exe
    result: the GOOD.txt was created.

    When NOTEPAD.exe does try to modify (or delete/create) file C:\temp\ERROR.txt:
    - file ERROR.txt not in blacklist as a child
    - process NOTEPAD.exe in Application's rules
    - file ERROR.txt not found as a child in "Application's rules" for NOTEPAD.exe
    - process EXAMPLE.exe is not found in the "All applications rules"
    - file ERROR.txt was found as a child in the "ALL application's rules" according to "C:\temp\*.txt".
    result: EQ will prompt you when NOTEPAD.exe wants to modify (or delete/create) ERROR.txt.

    You could try this rule. EQ works according to this rule.
     
    Last edited: May 27, 2007
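
Added example, not part of the thread and not EQSecure's code: a Python model of the file-protection lookup order as cpcw describes it in the two posts above, run against the C:\temp\*.txt / NOTEPAD.exe rules from the post. The `decide` function, the policy layout, the "block" action on a blacklist hit and the fallback when nothing matches are assumptions made for illustration.

```python
from fnmatch import fnmatchcase

ALLOW_ALL = dict(read="allow", create="allow", modify="allow", delete="allow")

def match(pattern, path):
    # Windows paths are case-insensitive, so compare lower-cased strings.
    return fnmatchcase(path.lower(), pattern.lower())

def decide(policy, process, path, op):
    """Return (action, source) for `process` performing `op` on file `path`."""
    # 1. The blacklist holds children (files) only; "block" on a hit is assumed.
    for pattern in policy["blacklist"]:
        if match(pattern, path):
            return "block", "blacklist"
    app = policy["applications"].get(process.lower())
    if app is not None:
        # 2. File listed as a child under this parent: the child's rule wins.
        for pattern, rule in app["children"]:
            if match(pattern, path):
                return rule[op], "application child rule"
        # 3. Option deselected: the parent's own rule decides, global rules skipped.
        if not app["search_all"]:
            return app["default"][op], "application default rule"
    # 4. "All applications rules" are keyed by child pattern, never by process.
    for pattern, rule in policy["all_applications"]:
        if match(pattern, path):
            return rule[op], "all applications rule"
    # 5. Nothing matched (assumed): parent's own rule if any, otherwise prompt.
    if app is not None:
        return app["default"][op], "application default rule"
    return "prompt", "no rule"

def sample_policy(search_all):
    # Constructed from the C:\temp\*.txt / NOTEPAD.exe rules in the post above.
    global_rule = dict(read="allow", create="prompt and allow",
                       modify="prompt and block", delete="prompt and block")
    good_txt = dict(ALLOW_ALL, modify="prompt and block")
    notepad = {"default": ALLOW_ALL, "search_all": search_all,
               "children": [(r"*\GOOD.txt", good_txt)]}
    return {"blacklist": [],
            "all_applications": [(r"C:\temp\*.txt", global_rule)],
            "applications": {"notepad.exe": notepad}}

if __name__ == "__main__":
    for option in (True, False):  # "search all program rule" selected / deselected
        print(option, decide(sample_policy(option), "NOTEPAD.exe",
                             r"C:\temp\ERROR.txt", "modify"))
```

With the option deselected, a permissive per-application rule shadows the global C:\temp\*.txt rule for every file not listed as a child, which is the "drop through" Kees1958 asked about.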
  14. cpcw

    cpcw Registered Member

    Joined:
    May 19, 2007
    Posts:
    22
    There is no parent process in "All application's rule"/"Blacklist". There are only child processes (files).
     
  15. cpcw

    cpcw Registered Member

    Joined:
    May 19, 2007
    Posts:
    22
    Something is missing from the chart that you posted.

    "Do you check/select the 'Search all program rule' option?" is missing?
     
    Last edited: May 27, 2007
  16. cpcw

    cpcw Registered Member

    Joined:
    May 19, 2007
    Posts:
    22
    We should change "parent process"/"child process" into "parent"/"child" in the flowchart. Then we can understand the flowchart better.
     
    Last edited: May 27, 2007
  17. cpcw

    cpcw Registered Member

    Joined:
    May 19, 2007
    Posts:
    22
    I uploaded a rules file. Please delete the ".txt".

    Please clean up all the rules in "File protect setting", then import "AllApp.xml" and "App.xml".
    Disable "Application Protect", disable "Registry Protect", enable "File Protect".

    You could test it.
     

    Attached Files:

    Last edited: May 27, 2007
  18. flinchlock

    flinchlock Registered Member

    Joined:
    Jan 30, 2005
    Posts:
    554
    Location:
    Michigan
    @cpcw, you are obviously a person with VERY close ties to EQSecure, and speaking for all of Wilder's, we very much appreciate your detailed help. :D :D :D :D :D :D :D :D

    Thank you very much,
    Mike
     
  19. cpcw

    cpcw Registered Member

    Joined:
    May 19, 2007
    Posts:
    22
    You're welcome!

    I'm very happy to help you.
     
  20. mitchelson

    mitchelson Registered Member

    Joined:
    Mar 9, 2007
    Posts:
    69
    Nice work, CPCW.

    ;) Hope the V3.4 will include a detailed user's guide (both in Chinese and English).
     
  21. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857

    Okay, thx. I thought the file and registry entries were considered as parents (like in the application protection).

    I checked your txt and notepad example. When I tested EQ I might not have had check all programs rules on.

    Reg K
     
    Last edited: May 27, 2007
  22. cpcw

    cpcw Registered Member

    Joined:
    May 19, 2007
    Posts:
    22
    In "All application's rule"/"Blacklist", the file and registry entries are considered as child.
     
  23. cpcw

    cpcw Registered Member

    Joined:
    May 19, 2007
    Posts:
    22
    According to the flowchart you can't find the parent in the "all application's rule"/"blacklist".

    In the flowchart you could find this word "search for the rules of child (not parent) in the AllApplication'sRule".

    When NOTEPAD.exe accesses good.txt, the parent is NOTEPAD.exe and the child is good.txt.

    Best regards
     
    Last edited: May 29, 2007
  24. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    I have a few Qs.

    1- What hash does it check for changed applications, SHA1 or MD5?
    2- Any option to not check this hash for selected files, like SSM?
    3- Does it give termination protection?
    4- Vista support? Any possible plans?
    5- I have installed version 3.3. How can I upgrade it to the latest 3.4 RC (I have downloaded the rar file)? I hope I will not lose my rules!

    Can someone from China inform the developer about these issues:

    1- Like SSM it doesn't differentiate between global hooks and specific hooks into a process (see my thread about it here https://www.wilderssecurity.com/showthread.php?t=171582&highlight=SSM)

    2- It failed against rootkit installation here:

    https://www.wilderssecurity.com/showpost.php?p=1008759&postcount=59

    3- Not sure how it will behave here, very interesting termination protection test!

    https://www.wilderssecurity.com/showpost.php?p=1008759&postcount=59

    Thanks for any help.
     
  25. cpcw

    cpcw Registered Member

    Joined:
    May 19, 2007
    Posts:
    22
    1- MD5
    2-
    3- Yes
    4- No. They have this plan.
    5- Please wait for EQ RC3. RC3 will solve the language bug.

    Regards
     