EQSecure 3.41 Settings

Discussion in 'other anti-malware software' started by EASTER, Dec 8, 2007.

Thread Status:
Not open for further replies.
  1. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,527
    Location:
    U.S.A. (South)
    Glad to be of help.

    This is just the tip of the iceberg for us EQS loyals. There's still MORE rules to be discovered and areas to throw an electric fence around in this Super HIPS!

    EASTER
     
  2. Alcyon

    Alcyon Registered Member

    Joined:
    Jan 16, 2008
    Posts:
    438
    Location:
    Montréal, Canada
    Here's a new update for all EQSecure v3.41 junkies:

    eqsecure.v3.41.winxp.rules.v1.40.0125-exp.zip

    What's new: Application rules (low & high priority rules) added

    http://drop.io/eqsecure
     
  3. Alcyon

    Alcyon Registered Member

    Joined:
    Jan 16, 2008
    Posts:
    438
    Location:
    Montréal, Canada
    hmm... a little typo error.

    In the global rules of application protection settings:
    RunDll32 (Lauch Application) = RunDll32 (Launch Application)
    Sorry for that.
     
  4. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,527
    Location:
    U.S.A. (South)
    ALCYON

    In the File Protection Section where you list the 2 new rules of both "create" & "modify" an ADS, I'm not so sure they are even needed.

    You remember I mentioned I had already created before your rules an ADS and the BlackList rules with the "read" added prevented my ADS from activating AT all and issued an ACCESS DENIED.

    In THE "ALTERNATE DATA STREAMS" (create) in the global rules no matter how I adjusted the ruleset it still created an "alternate data stream" any way I tried it, "HOWEVER" in the BlackList (again) that rule absolutely refuses an "alternate data stream" from even being created from the same exact rule change I added.

    This ACCESS DENIED! also includes refusing adding a folder or any other extension like ROOTKITS have used.

    VERY GOOD RULE INDEED! GREAT IDEA!

    Might be worth another look for you in that regard. Use ADSSpy.exe or any other "alternate data stream" hunter to verify your results.

    I'm going to next try and see if a Hidden ADS can bypass this rule or not.

    EASTER
     
    Last edited: Jan 26, 2009
  5. Alcyon

    Alcyon Registered Member

    Joined:
    Jan 16, 2008
    Posts:
    438
    Location:
    Montréal, Canada
    The global ADS rules of file protection target every ADS and the high priority ones only specific (more known) streams. This is the main difference. They both fit well together. You can customize them like you want which is the fun part ;) Btw, I tried AdsSpy and EQSecure blocked everything. I found no problems.
     
    Last edited: Jan 26, 2009
  6. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,527
    Location:
    U.S.A. (South)
    Awesome Alcyon

    I tested the block "alternate data streams" in the blacklist last night against Rustock B and it couldn't even set its hidden ADS on System32. Useful rule indeed against rootkits and hiders that use ADS.

    I used plenty of tools to make sure Rustock B didn't set its alternate data stream and sure enough it wasn't there. It did however hide a TEMP folder that I fished out but I killed its driver and everything else surfaced nicely.

    EASTER
     
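    The verification step EASTER does with ADSSpy can be done with built-in cmdlets. This is an added example, not code from the thread or from EQSecure; it assumes PowerShell 3.0 or later (for the -Stream parameter) and an NTFS volume, and the temp file and stream it creates are constructed test data.

    ```powershell
    # Enumerate alternate data streams under a directory, reporting every
    # stream other than the default ::$DATA stream (the check a practitioner
    # would run after testing a "block ADS creation" rule).
    function Get-NonDefaultStreams {
        param([Parameter(Mandatory)][string]$Path)

        Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
            ForEach-Object {
                $file = $_.FullName
                # Get-Item -Stream * lists every named stream on the file.
                Get-Item -LiteralPath $file -Stream * -ErrorAction SilentlyContinue |
                    Where-Object { $_.Stream -ne ':$DATA' } |
                    ForEach-Object {
                        [pscustomobject]@{
                            File   = $file
                            Stream = $_.Stream   # e.g. Zone.Identifier on downloaded files is benign
                            Bytes  = $_.Length
                        }
                    }
            }
    }

    # Constructed self-check: a temp file with one extra named stream must be reported.
    $dir = Join-Path $env:TEMP ('adscheck-' + [guid]::NewGuid())
    New-Item -ItemType Directory -Path $dir | Out-Null
    $sample = Join-Path $dir 'sample.txt'
    Set-Content -LiteralPath $sample -Value 'main stream'
    Set-Content -LiteralPath $sample -Stream 'extra.txt' -Value 'constructed test data'

    $found = Get-NonDefaultStreams -Path $dir
    $found | Format-Table -AutoSize
    if (-not ($found | Where-Object Stream -eq 'extra.txt')) {
        Write-Warning 'Named stream was not detected; check PowerShell version and file system.'
    }

    Remove-Item -LiteralPath $dir -Recurse -Force
    ```

    Run it against a directory such as System32 after an ADS-blocking rule has been exercised; if the rule works, only expected streams such as Zone.Identifier should show up.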
  7. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,527
    Location:
    U.S.A. (South)
    @ALCYON

    On reading another topic referring to Anti-Executable and recalling script defender/script sentry/script trap etc............. from this post

    https://www.wilderssecurity.com/showpost.php?p=1394274&postcount=12

    What are the chances of making some sort of ruleset to cover all these extensions and/or even more. For example, the conficker w0rm uses a dll disguised with an odd extension .vmx to perpetrate normal PC disruption.

    I guess what I'm driving at is forging if possible a blacklist ruleset but not blocking outright, but being alerted to any of these extensions attempting to make a move on the system.

    Or is there already a rule to alert on them I'm missing?

    On another note regarding the addition of EQS sandbox feature, I personally would have preferred a (Good) program exclusion list instead of the sandbox. (Wishful Thinking) ;)

    Thanks

    EASTER
     
  8. chris2busy

    chris2busy Registered Member

    Joined:
    Jun 14, 2007
    Posts:
    477
    if you are addressed to thumb drive protection, the most infamous and 100% working solution is to make urself an autorun.inf file, put it on the thumb drive (invisible preferably so other ppl u lend your thumb drive to will not see/delete it) and make it read only :) so it's an empty autorun.inf that cannot be replaced by a malicious one hopping off infested drives :D cheers
     
  9. ParadigmShift

    ParadigmShift Registered Member

    Joined:
    Aug 7, 2008
    Posts:
    244
    Don't forget to strip the permissions too. :)
     
  10. Alcyon

    Alcyon Registered Member

    Joined:
    Jan 16, 2008
    Posts:
    438
    Location:
    Montréal, Canada
    My latest released ruleset already protects against all file extensions from strategic locations trying to be executed. If you take a closer look at the global rules of application protection settings, you'll see "?:\*.*" (prompt for every executable & don't rely on a limited blacklist) in many places. Will it stop the dropped .vmx file? I haven't tested yet so I can't really tell.
     
  11. chris2busy

    chris2busy Registered Member

    Joined:
    Jun 14, 2007
    Posts:
    477
    that's not actually very important if a malware takes over ownership of the item :S
    it would still work anyway :p
     
  12. Alcyon

    Alcyon Registered Member

    Joined:
    Jan 16, 2008
    Posts:
    438
    Location:
    Montréal, Canada
    @EASTER, you can even activate "RunDll32 (Launch Application)" and see if it helps. I'll have a look at it soon. I'm still on Win7.
     
  13. ParadigmShift

    ParadigmShift Registered Member

    Joined:
    Aug 7, 2008
    Posts:
    244
    The reason for the "deny" on permissions is to protect the autorun.inf file from being changed and written to. If you think just changing the attribute to read-only will protect you, you'd better think again. ;)
     
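    The placeholder autorun.inf chris2busy describes, with the explicit Deny that ParadigmShift adds, as an added example (not code from the thread). It assumes a hypothetical drive letter E: and an NTFS-formatted drive; FAT32 has no ACLs, so on FAT32 only the attribute step applies and, as chris2busy notes, an administrator can still take ownership and undo the Deny.

    ```powershell
    # Hypothetical removable drive letter; change before running.
    $Drive = 'E:'
    $path  = Join-Path $Drive 'autorun.inf'

    # 1. Empty placeholder, so a malicious autorun.inf cannot be created in its place.
    if (-not (Test-Path -LiteralPath $path)) {
        New-Item -ItemType File -Path $path | Out-Null
    }

    # 2. Hidden + ReadOnly attributes (chris2busy's step). The ReadOnly attribute is
    #    only a hint; any process with write access can clear it, hence step 3.
    $item = Get-Item -LiteralPath $path -Force
    $item.Attributes = [IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::ReadOnly

    # 3. Explicit Deny ACE for Everyone (ParadigmShift's step): blocks writes, deletion,
    #    permission changes and ownership changes for non-administrators.
    $acl  = Get-Acl -LiteralPath $path
    $deny = New-Object System.Security.AccessControl.FileSystemAccessRule(
        'Everyone',
        'Write, Delete, ChangePermissions, TakeOwnership',
        'Deny')
    $acl.AddAccessRule($deny)
    Set-Acl -LiteralPath $path -AclObject $acl

    # 4. Verify: the file exists, is hidden/read-only, and carries the Deny entry.
    $check = Get-Item -LiteralPath $path -Force
    $denyEntries = (Get-Acl -LiteralPath $path).Access |
        Where-Object { $_.AccessControlType -eq 'Deny' -and $_.IdentityReference -eq 'Everyone' }
    [pscustomobject]@{
        Path       = $check.FullName
        Attributes = $check.Attributes
        DenyACEs   = $denyEntries.Count
    }
    ```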
  14. chris2busy

    chris2busy Registered Member

    Joined:
    Jun 14, 2007
    Posts:
    477
    doh..soz for that..been in LUA too long and all files i create are that way by default :D dun mind me had a rough day with some papers :p
     
  15. Alcyon

    Alcyon Registered Member

    Joined:
    Jan 16, 2008
    Posts:
    438
    Location:
    Montréal, Canada
    Here's another update to stay Zen ;)

    eqsecure.v3.41.winxp.rules.v1.42.0130-exp.zip

    What's new: low-priority rules (application protection settings)

    http://drop.io/eqsecure
     
  16. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,527
    Location:
    U.S.A. (South)
    LoL (Zen) o_O

    We'll need to clear away the old rules to test this one (MAYBE TONIGHT), but I pieced together a vb script to do a simple shutdown -r which simply means reboot and in your Application Rules just checked it (RunDll) and as you pointed out earlier on its syntax "?:\*.*", and it alerts to it as it initializes "first" wscript.exe thanks to the VBS association as the source and then underneath "run a dll as an app" as the target to launch the command and that's fair enough warning I think. Thanks for the effort.

    I'm working on other tests to pit against the rulesets as they become made available by you Alcyon and it just keeps getting better all the time.

    Many Thanks a million times over again:

    Also For Experimental or research purposes another Great Resource - Listings from A to Z, A RunDll Library if you will..............
    http://dx21.com/coding/libraries/rundll32/default.aspx

    EASTER
     
  17. Alcyon

    Alcyon Registered Member

    Joined:
    Jan 16, 2008
    Posts:
    438
    Location:
    Montréal, Canada
    I already scanned this site from A to Z ;) Some interesting stuff was found.

    The more I play with EQS, the more I find interesting stuff. That's crazy! Like you said earlier, this is only the tip of the iceberg. Btw, I'll probably release a beta in some days.
     
  18. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,527
    Location:
    U.S.A. (South)
    Great.

    Also Alcyon, if you discover something else that you feel would be of importance (Remember Folder Guard?), would like to see some more of your individual single rules processed.

    And yes, this is only the tip of the iceberg in EQS, as much as many potential intrusion paths have been addressed, there still exist other exotics just waiting to be discovered and new rules implemented for them.

    EASTER
     
  19. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,527
    Location:
    U.S.A. (South)
    Just a note of interest, can you find the file that is responsible for taking SCREEN SHOTS from the keyboard (PRINT SCREEN) in order so we can add it to the rules?

    I spent a little time researching this due to the launching of the screenshot by IrfanView when testing with the last test in AKLT keylogger test app. I feel disabling the PRINT SCREEN (API?) or file that launches it to CLIPSERV.EVE would effectively nullify that screenshot being taken at all, including manually.

    EASTER
     
  20. Alcyon

    Alcyon Registered Member

    Joined:
    Jan 16, 2008
    Posts:
    438
    Location:
    Montréal, Canada
    Hmm... I've spent a little time too searching for the file and haven't found something yet. I'm afraid it's something not possible with v3.41.
     
  21. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,527
    Location:
    U.S.A. (South)
    Me either Alcyon, but I'll keep scanning for it on the net and thru some private resources.

    What's your opinion on a rule for RunDll.exe by the way, or is it already covered in your mega rules?

    Thanks friend and keep up the generous effort, it's really appreciated by EQS junkies everywhere I'm sure.

    EASTER
     
  22. Alcyon

    Alcyon Registered Member

    Joined:
    Jan 16, 2008
    Posts:
    438
    Location:
    Montréal, Canada
    RunDll.exe will be wiped out, simply. Unless you're talking about something else?
     
  23. Alcyon

    Alcyon Registered Member

    Joined:
    Jan 16, 2008
    Posts:
    438
    Location:
    Montréal, Canada
    Here's a new ruleset:

    eqsecure.v3.41.winxp.rules.v1.49.0213-exp.zip

    http://drop.io/eqsecure

    If you find it too aggressive, freaky, etc. please let me know :)
     
  24. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,527
    Location:
    U.S.A. (South)
    Whatta Champion in this field of EQS for Windows. :cool:

    What can I say that hasn't been repeated many times over but again thanks Alcyon

    It's so clear that you continue to share in the same confidence that many devoted EQS users do and every new rule that adds even more security to this program HIPS and excitement from the satisfaction of watching it work as expected is thanks to your time & efforts.

    EASTER
     
  25. Nizarawi

    Nizarawi Registered Member

    Joined:
    May 26, 2008
    Posts:
    137
    can eqsecure with alcyon ruleset block the screen and clipboard keyloggers o_O
     