EQSecure 3.41 Settings

Discussion in 'other anti-malware software' started by EASTER, Dec 8, 2007.

Thread Status:
Not open for further replies.
  1. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,479
    Location:
    U.S.A. (South)
    Hi hammerman

    Some of these leaktests in my opinion border on bogus, Coat is one of them.

    In one respect, the very action of this exectuable launching is immediately intercepted, but after allowing it to run.............

    I just repeated this test and reproduced the exact same results as you. "IF" you click ALLOW then it activates the command console to proceed, (EQS Alerts!), the evidence from this leaktest indicates in print that we failed, however using IE, no launching of IE ever took place, at least i find no evidence in this test that my browser ever reached that website it claims to have.

    I ran lt-coat.exe both from DropToDOS and simply clicking on it, FWIW, my firewall didn't pop up either.
     
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,897
    Location:
    The Netherlands
    Hi,

    I really don´t have a clue how to make the custom rules work (made by Alcyon), can anyone help? :blink:
     
  3. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,479
    Location:
    U.S.A. (South)
    Alcyon and i'm sure others can steer you in the right direction, right now i'm having a field day going over ALL those super cool new entries and trying to sort them out myself.

    One thing i'm perfectly confident of is that once i get all this is sorted out like you, EQS is going to be nearly air-tight because for the first time i can finally use the Ban List as it was intended to effectively LOCK OUT potential malicious drop-ins :cool:
     
  4. tepe2

    tepe2 Registered Member

    Joined:
    Jan 18, 2006
    Posts:
    558
    As an EQS-newbie not familiar whit rules and parent/child processes I really would like to know about the Other options in the popup warning box. If you click the Other options during an alert you can choose between:

    1. Remember this action for this parent process
    2. Prompt again when application is modified (I did notice this one was greyed out last time I got an alert, but dont know why) See picture.

    EQS-warn.png
    If someone could provide info on this subject I would appreciate it:)

    To trigger the alert in the picture I went to Control Panel, Security Center, and clicked "Read help about Security Center". I did block but was still able to read help about Security Center. I may have misunderstood. I dont have a problem with this because I only triggered this alert to be able to shoot a screenie of the alert.
     
  5. boonie

    boonie Registered Member

    Joined:
    Aug 5, 2007
    Posts:
    238
    We are in the same boat as I am using EQSecure as a learning tool.
    As far as Parent Process:
    I can give you an example. If I start a program, say, Winamp, and then launch Process Explorer, and use it to kill Winamp, I'll receive a prompt from EQS.

    If I choose Allow and Remember this action, then Process Explorer will always have permission to kill Winamp, but ONLY Winamp.

    If I choose Allow and Remember this action for this parent process, then I tell EQS to allow Process Explorer to kill ANY process without future prompts, unless, of course, the act of killing a process would conflict with one of the Global or Blacklist rules.

    The priority seems to be (correct me if I'm wrong) an action is checked against the rules you see on the mainpage of EQS:

    2008-03-19_150022.jpg

    In this case, Process Explorer terminating Winamp.
    If no other rule exists in the custom rules, then I am given a prompt (Prompt and Allow).
    If, however, I have created a rule, in this case in Application Protection Settings to allow Process Explorer to terminate Winamp, then I receive no prompt, and P.E. kills Winamp. This rule I have created (P.E. kill Winamp) is also checked against the Global and Blacklist settings, which seem to have the final say.
    Meaning, even if I create a rule permanently allowing P.E. to kill Winamp in the Application Protection Settings, if it conflicts with a rule I've created in either Global or Blacklist, I'll receive a prompt. Delete the conflicting rule(s) from Global or Blacklist, and once again, P.E. can terminate Winamp without prompts from EQS.

    Prompt again when application is modified means that if a process is modified at all, whether legitimately through an update or covertly through malware, you'll be prompted before it can take any action, if you've chosen that option.

    I tried the same steps you took: Security Center (Rundll32.exe)>Get help about Security Center(HelpCtr.exe), and was also able to launch it. However by the prompts I received, and by the picture you've posted, EQS wasn't prompting on HelpCtr.exe executing, it was prompting on a registry change. I believe I was not prompted on the execution of HelpCtr.exe because I have the option Automatically trust processes digitally signed by MSoft enabled. Again correct me if I'm wrong.

    I hope this helps you tepe2. I'm sure other, more experienced users can provide further info and correct any errors I've made.
     
    Last edited: Mar 23, 2008
  6. tepe2

    tepe2 Registered Member

    Joined:
    Jan 18, 2006
    Posts:
    558
    It sure helps a lot Boonie. The way you explain it a newbie like me can understand. Thank you so much :)
     
  7. boonie

    boonie Registered Member

    Joined:
    Aug 5, 2007
    Posts:
    238
    My pleasure:)
    There's a lot to experiment with here. For my part, it's good to have FD-ISR to fall back on should I make a serious error.
     
  8. Alcyon

    Alcyon Registered Member

    Joined:
    Jan 16, 2008
    Posts:
    438
    Location:
    Montr?al, Canada
    @ Hammerman, thanks for the report. I'll fix it in the next update.

    @ Rasheed187, what exactly would you like to know?

    @ Bonnie, thanks :thumb: It's because the "Automatically trust processes digitally signed by Microsoft" option wasn't unchecked.
     
    Last edited: Mar 24, 2008
  9. Alcyon

    Alcyon Registered Member

    Joined:
    Jan 16, 2008
    Posts:
    438
    Location:
    Montr?al, Canada
    A new version of my ruleset is available at post #112. Updated to v03242008-2, thanks Hammerman.
     
    Last edited: Mar 24, 2008
  10. Alcyon

    Alcyon Registered Member

    Joined:
    Jan 16, 2008
    Posts:
    438
    Location:
    Montr?al, Canada
    Here's a new and probably last version of my ruleset. I did everything i could, spent enough time on it and i'm out of ideas. It's now up to you to improve it. I hope you'll enjoy. You need to replace .txt with .zip

    Edit: some rules renamed & typos corrected
     

    Attached Files:

    Last edited: Mar 26, 2008
  11. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,479
    Location:
    U.S.A. (South)
    Did you think to include also a Changelog with it? :D

    Only kidding.

    Alcyon you've really gone beyond our wildest expectations and we thank you so very much for all the effort and time that you've obviously taken to perfect those rules as best as humanly possible.

    It's raised the bar of confidence many levels for many of us and it's definitely provided a useful template from which to work from.

    EASTER
     
  12. Alcyon

    Alcyon Registered Member

    Joined:
    Jan 16, 2008
    Posts:
    438
    Location:
    Montr?al, Canada
    EASTER, some interesting global rules in file protection settings have been added :)
     
    Last edited: Mar 26, 2008
  13. Antarctica

    Antarctica Registered Member

    Joined:
    Feb 25, 2003
    Posts:
    2,207
    Location:
    Canada
    Many thanks Alcyon for your nice and hard work. Your Ruleset is definitly a must for those of us who are using EQSecure:)
     
  14. boonie

    boonie Registered Member

    Joined:
    Aug 5, 2007
    Posts:
    238
    Great stuff! Thanks for all the hard work Alcyon.
     
  15. hammerman

    hammerman Registered Member

    Joined:
    Jul 14, 2007
    Posts:
    283
    Location:
    UK
    Thanks for the new ruleset and I appreciate the hard work that must have gone into this.

    I like the additional file protection rules. The invalid location rules are an interesting addition. I was wondering if there was a case for moving the list of known malware files (eg. variations of svchost, lsass etc) into the Blacklist rather than in Global Rules. Also, there are rules for IE, OE, MSN in both Global Rules and Blacklist. I assume this is simply to offer choice of using one or the other.

    Thanks again.
     
  16. Alcyon

    Alcyon Registered Member

    Joined:
    Jan 16, 2008
    Posts:
    438
    Location:
    Montr?al, Canada
    hammerman,

    Blacklist rules have higher priority over global rules so if you move the "invalid location rules" in the blacklist, those rules will cancel the ones for the same files in the global section so that's why it's preferable to leave them where they are.
     
  17. hammerman

    hammerman Registered Member

    Joined:
    Jul 14, 2007
    Posts:
    283
    Location:
    UK
    Hi Alcyon,

    I wasn't actually thinking of moving the "invalid location rules" but the malware groups such as System32 (Malware) and Windows Folder (Malware). These groups seem to be candidates for a blacklist since they contain known malware files only that are just blocked. Would welcome your expert advice.
     
  18. Alcyon

    Alcyon Registered Member

    Joined:
    Jan 16, 2008
    Posts:
    438
    Location:
    Montr?al, Canada
    Yes, you can move them to the blacklist without any problems. For "Windows Folder (Malware)", you can also add %WinDir%\service.exe, %WinDir%\spoolsv.exe, etc. Aswell, a good idea could be to make new rules ex: "block tricky names (Malwares)" and put %SystemDrive%\*\scvhost.exe - and any other tricky names -(create:block,read:ignore,modify:ignore,:delete:ignore) so it'll not only be limited to c:\windows and c:\windows\system32. As you can see with http://www.megasecurity.org/trojans/v/virulence/Virulence2.1.html, tricky names can be everywhere.
     
    Last edited: Mar 27, 2008
  19. Alcyon

    Alcyon Registered Member

    Joined:
    Jan 16, 2008
    Posts:
    438
    Location:
    Montr?al, Canada
    BTW, about the invalid location rules, to close even more doors you could add all windows xp default executables.
     
  20. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,479
    Location:
    U.S.A. (South)
    Very Good. And thanks again for a superb effort.

    It's been said EQS is in a class of "dumb" HIPS;

    Well i like to think of EQS as a pure "Template" HIPS, meaning once enough quality rules for the choicest locations are programmed into the configurations, then it becomes a much more "mindful" or "intelligent" HIPS of course, and not so dumb anymore. Hence a Template, a very useful pattern from which to add & work with maximum results.

    In fact, in this form, i think it's the lightest approach that can be taken, making for the least minimal energy useage from CPU/Memory cycles while intercepting potential areas of vulnerability, startup locales, file extensions/registry keys & values, etc.
     
  21. l0_0l

    l0_0l Registered Member

    Joined:
    Mar 29, 2008
    Posts:
    18
    Hi everyone,

    I have been trying to import those rule set (Alcyon's) but I just do not know how. Are we using the import option in the EQS interface? I also do not understand if the txt file is given the xml or zip extension. Any help will be greatly appreciated.
     
  22. hammerman

    hammerman Registered Member

    Joined:
    Jul 14, 2007
    Posts:
    283
    Location:
    UK
    Change the .txt extension to .zip
    Then use WinZip to unzip the file contents to a folder.
    Go to the File Protection - Settings and import the File Rule sets from the folder. There will be one for Global Rules, one for Application Rules and one for Blacklists.
    Go to Registry Protection - Settings and again import the three rule sets for registry protection.
    Finally go to Application Protection - Settings and import the applications rules sets.
     
  23. l0_0l

    l0_0l Registered Member

    Joined:
    Mar 29, 2008
    Posts:
    18
    @hammerman,
    Thank you so much. That was very easy.

    Alcyon's ruleset are very comprehensive. EQS is now one of the best (if not the best) classical HIPS.
     
  24. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,156
    I still can't import Alcyons rule set.

    http://img241.imageshack.us/img241/6028/eqjc3.jpg

    because as shown in the screenie when I select import and navigate to where the rule set is it can't find the file when infact the file is there.

    also does this rule set go into the Application ,registry or File protection??
     
  25. hammerman

    hammerman Registered Member

    Joined:
    Jul 14, 2007
    Posts:
    283
    Location:
    UK
    You need to change the .txt file extension to .zip. Then unzip the file contents into a folder. You will then be able to import the rules.
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.