EQSecure 3.41 Settings

Discussion in 'other anti-malware software' started by EASTER, Dec 8, 2007.

Thread Status:
Not open for further replies.
  1. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Hi Kees 1958, I've decided to try EQS again and will certainly look over your filters:thumb:

    edit : okay great, and thanks for saving me some time.
     
    Last edited: Jan 16, 2008
  2. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,479
    Location:
    U.S.A. (South)
    What a Champ!

Thank you sincerely Kees for sharing these. EQS is one superb HIPS in the making and I'm anxiously awaiting the next version, which I hope will jump by leaps and bounds beyond its already great file/registry protections/rules.

It's a chore for me to fine-tune it to the exacting standards I want, but very well worth all the effort and testing.
     
  3. MikeNAS

    MikeNAS Registered Member

    Joined:
    Sep 28, 2006
    Posts:
    697
    Location:
    FiNLAND
    Kees1958 can you share your other settings too?
     
  4. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Mike,

I have put together a user-friendly combo of two classical HIPS on XP.

I use EQS as a second-catch safety net.
- file protection (more focused than standard), see post https://www.wilderssecurity.com/showpost.php?p=1162455&postcount=25
- registry protection (tighter than standard), see post https://www.wilderssecurity.com/showpost.php?p=1162446&postcount=24
- application protection, see post https://www.wilderssecurity.com/showpost.php?p=1163738&postcount=9

Now why on earth would I set the application protection so wide open?
BECAUSE I USE A MORE USER-FRIENDLY APPLICATION: Online Armor FREE

Download OA Free. I have even set the "warn when unknown programs start" option to OFF (this makes OA an IDS-like behavior blocker instead of an Anti-Executable). OA will take care of the things you set wide open with EQS application protection.

What next? = WHEN YOU UNSELECT THE WARN WHEN UNKNOWN PROGRAM RUNS
Set all your internet-facing apps (Outlook Express, LimeWire, Messenger, Opera = much faster than IE) to run as limited user = RUN SAFER OPTION.

The good thing is that downloaded files inherit these limited user rights, so in fact it acts like a policy sandbox (comparable with GeSWall and DefenseWall).

Conclusion
With only two HIPS you have got user-friendly HIPS-like protection combined with a 'soft' policy sandbox.

    So for all you people having trouble with application filters of EQS, COMBINE IT WITH Online Armor.

    NOTE: Only set this application filter so wide open when you use it in combination with OA!

    Regards Kees
     
  5. Bio-Hazard

    Bio-Hazard Registered Member

    Joined:
    Jan 10, 2007
    Posts:
    529
    Location:
    Cornwall, UK
Thank you Kees for these settings :thumb: . I have just set it up beside OA AV+. It is working like a charm. I don't run an antivirus program at all at the moment.
     
  6. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,479
    Location:
    U.S.A. (South)
Well, that's an interesting enough setup, and so that does it. I've switched boxes tonight and I'm going to do it.

One little thing I'd like to ask though, and it might have been me because I didn't have some OA (free) settings right, but I noticed the last time I combined OA with EQS, I had to click on the EQS prompts at least 3 times before it finally got the message.

Has anyone experienced this with other HIPS-type apps when using them with EQS? It was so much of a bother for me that I uninstalled OA, and then the prompts of EQS responded as expected with just one single click when applying Accept or Deny.

    Regards EASTER
     
  7. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,167
    Location:
    UK / Pakistan
Probably your observation is not correct. I noticed that EQS gives memory modification popups three times but not others (they appear only once). Maybe the same with Create Remote Thread also... but I do not remember well.
     
  8. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,479
    Location:
    U.S.A. (South)
OK, thanks. At least there is some confirmation on that occurrence besides my own results.
     
  9. MikeNAS

    MikeNAS Registered Member

    Joined:
    Sep 28, 2006
    Posts:
    697
    Location:
    FiNLAND
    Re: EQSecure 3.41 Settings REGISTRY PROTECTION

    Maybe missing S? OFTWARE?

    "HKEY_LOCAL_MACHINE\OFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced"

    EDIT1: Some more...

    Missing \? HKEY_LOCAL_MACHINESYSTEM?

    "HKEY_LOCAL_MACHINESYSTEM\ControlSet*\Control\Session Manager\Environment"
    "HKEY_LOCAL_MACHINESYSTEM\ControlSet*\Control\Session Manager\Environment"
    "HKEY_LOCAL_MACHINESYSTEM\ControlSet*\Control\Session Manager"
    "HKEY_LOCAL_MACHINESYSTEM\ControlSet*\Control\WOW"
    "HKEY_LOCAL_MACHINESYSTEM\ControlSet*\Control\WOW"

EDIT2: I'm trying to add those file and registry filters to Tiny Watcher. Sadly I have to check all registry keys because TW needs full paths. My own investigations (file filter):

    C:\ntldr
    C:\autoexec.bat
    [C:\autorun.inf] <- replace C: with your CD/DVD drive letter. mine is disabled.
    C:\boot.ini
    C:\config.sys
    C:\ntdetect.com
    %WinDir%\explorer.exe
    %WinDir%\system.ini
    %WinDir%\win.ini
    [%WinDir%\winint.ini] <- I don't have this file in my WIN (XP PRO SP3 RC) folder.
    %WinDir%\System32\AUTOEXEC.nt
    %WinDir%\System32\bootvrfy.exe
    %WinDir%\System32\CONFIG.nt
    [%WinDir%\System32\control.ini] <- I found this on %WinDir%.
    %WinDir%\System32\svchost.exe
    [%WinDir%\System32\wuaudit.exe] <- I don't have this file in my WIN (XP PRO SP3 RC) folder.
    %WinDir%\System32\wupdmgr.exe
    %WinDir%\System32\smss.exe
    %WinDir%\System32\csrss.exe
    %WinDir%\System32\winlogon.exe
    %WinDir%\System32\services.exe
    %WinDir%\System32\lsass.exe
    %WinDir%\System32\spoolsv.exe

    Most of those are OK!
     
    Last edited: Feb 4, 2008
  10. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    :thumb: Mike,

    You deserve a statue. I will correct the filters. All your registry assumptions are right. Now on a different PC.

    [%WinDir%\winint.ini] <- I don't have this file in my WIN (XP PRO SP3 RC) folder. SHOULD BE \wininit.ini

    I will change this to: [%WinDir%\System32\control.ini] <- I found this on %WinDir%.

[%WinDir%\System32\wuaudit.exe] <- I don't have this file in my WIN (XP PRO SP3 RC) folder. Be thankful, it is a safety measure from one of my tests; forget it, I will remove it, it should be wuauclt.exe
    Thx
     
    Last edited: Feb 4, 2008
  11. Diprivan

    Diprivan Registered Member

    Joined:
    Mar 25, 2006
    Posts:
    66
    Hi Kees,
    Could you post the corrected registry filters?
    Many Thanks
     
  12. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Sorry guys,

thanks to MikeNAS, updated filters

    Kees
     

    Attached Files:

    Last edited: Feb 6, 2008
  13. Diprivan

    Diprivan Registered Member

    Joined:
    Mar 25, 2006
    Posts:
    66
    Thanks Mike & Kees. Very much appreciated!
     
  14. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Hi all,

    Consider this combo EQS + PCTOOLS FW

Set EQS application protection to the settings in attachment 197497,

Enable "protection against code injection" in PCTools FW+. Having this enabled will automatically prevent any code injection/hook setting (this PCTOOLS FW setting corresponds with EQS "Modify memory of other process" and "Install global hook").

Now you have the serious intrusions covered by EQS and the ones happening often in XP covered by PCT_FW+. Another nice extra is the OLE protection PCT_FW+ offers (in fact the only thing on which EQS scored less than D+ of Comodo). When you regret a choice within PCT_FW+, just click on Applications (on the Status tab) and delete the rule for the app with the X. PCT_FW+ does not offer granularity between memory mods and hooks (it is the first radio choice within Applications).

I have been using it for a week now and am really starting to like it (the pop-ups also differ: the error severity differs between PCTFW+ and EQS).
     
  15. Alcyon

    Alcyon Registered Member

    Joined:
    Jan 16, 2008
    Posts:
    438
    Location:
Montréal, Canada
    I noticed that MANY default EQSecure settings of v3.41 are incorrect.

    In the Global Rules of application protection settings, the group "IE Cache Directory" contains:

    It should be:

    as the TIF folder can be moved.

    Also, in the Global Rules of registry protection settings, the group "Load automatically on windows startup" contains:

    Even if the Include subkeys option is activated, it'll not work. To make it work, you should instead use:
    + Include Subkeys for all (to be even more specific and have less "false-positives", you can use "Script" - without quotes - as the registry value)

    Or simply:
    Depending on your strategy. What is important is the "\*" at the end of the path. "...\System\Scripts\Startup" alone will not monitor the subkeys even if the Include subkeys option is enabled and you'll be as vulnerable as before.

    ------

    In the registry protection settings section, all paths are set with the "include subkeys" option activated (something useless with many registry keys/values).

    ------

    Just to name a few. The list goes on and on... :ouch:
     
    Last edited: Feb 4, 2008
  16. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,479
    Location:
    U.S.A. (South)
    Very good. And thanks as always. Adding just the right balance to EQS configurations can prove vital so was nice to see mention of this.

    Would you also repost RULES again with added corrections when possible?

    Thanks Everyone!! :thumb:
     
  17. Alcyon

    Alcyon Registered Member

    Joined:
    Jan 16, 2008
    Posts:
    438
    Location:
Montréal, Canada
  18. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,479
    Location:
    U.S.A. (South)
    THANKS Alcyon

    This will be helpful for many users of EQS. We appreciate your taking particular note of individual settings/results and bringing them to our attention.

    Regards EASTER
     
  19. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
  20. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
  21. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,479
    Location:
    U.S.A. (South)
Thanks a ton Kees1958 for the assistance. What makes EQS so crazy exciting is that it's incredibly CUSTOMIZABLE! Meaning we can cover just about as many important areas as it's been designed to alert on up to this latest release, and given the wide range and sheer number of vital points of concern Microsoft has laid open in XP, this HIPS has been a huge help in filling in those gaps.
     
  22. Alcyon

    Alcyon Registered Member

    Joined:
    Jan 16, 2008
    Posts:
    438
    Location:
Montréal, Canada
Some other registry settings you can add to prevent malware damage:

    - Block User Accounts Alteration
    - Block All policy Settings Alteration

    Just replace the .txt extension with .xml and import.

    Rules order is important so those global rules must be placed before all the ones with a similar registry path.

    Tested with Windows XP Pro SP2 Only.
     

    Attached Files:

  23. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,479
    Location:
    U.S.A. (South)
    Another nice one again, Kool!

    This is IMHO what makes this HIPS so very formidable, it's XTREMELY configurable from user's end.

    I want to test these and the other rules but too excited right now :D
     
  24. Muchinga

    Muchinga Registered Member

    Joined:
    Jun 2, 2005
    Posts:
    16
    Last edited: Feb 10, 2008
  25. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,479
    Location:
    U.S.A. (South)
    That shutdown simulator is up for grabs IMO so doesn't really present much serious concern for me anyway. I suppose one could invent all sorts of underpinnings to show a potential vulnerability but the chances of actually experiencing it are remote at best, especially when most users are Layered anyway.

    But thanks for pointing it out.

    EASTER
     