EMET - A new Windows security mitigation toolkit

Discussion in 'other software & services' started by Mrkvonic, Dec 17, 2010.

Thread Status:
Not open for further replies.
  1. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,872
    Location:
    Outer space
    Before EMET was released you could enable SEHOP via this Fix-it or do it yourself with the registry key mentioned. If you then installed EMET later, Always On would also show as an option. I'm not sure how to do it when EMET is already installed, or if that even makes a difference.
    http://support.microsoft.com/kb/956607
    For ASLR, open registry editor, go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EMET, change EnableUnsafeSettings from 0 to 1. This is disabled by default as some video drivers are incompatible with ASLR and will cause a blue screen. However, if your video driver happens to be incompatible and causes a blue screen, just boot into safe mode and set ASLR back to opt-in.
     
  2. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Thanks BoerenkoolMetWorst.
     
  3. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Regarding SEHOP, I had applied the Microsoft fix back then (Windows 7), and some time after that, EMET. I was checking some hardware stuff with an application, which also allows checking other stuff like apps, etc., and according to it SEHOP was disabled.

    I checked the registry and there were two entries for SEHOP - one by the fix and the other by EMET.

    Most likely, the EMET entry was conflicting with the Fix-it entry, causing SEHOP to become disabled. I wonder why EMET didn't verify whether such an entry already existed.

    I don't know if anyone else stepped into this?
     
  4. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,872
    Location:
    Outer space
    Can you tell me what application that was so I can check if SEHOP is enabled or not?
     
  5. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    I know you are right!

    But one of my many flaws is I sometimes lack patience. The other issue for me is when I think I see conflicting advice I get ticked with the situation and this is rapidly followed by confusion.

    I somehow got the thought that users can protect windows services as well as 3rd party exe's.

    The ones to pick are those listening on ports since the trojans would want to "borrow" them to export private stuff to the mother ship. G,,,,d I hate that mother ship analogy.

    Happy 2011 to all!
     
  6. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    PCWizard.
     
  7. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I'd advise going easy on EMET. First protect the applications that are most likely to be a liability, like web browsers, e-mail clients, media players, PDF readers and office applications. In the case of Firefox, you'd also need to add the executable that starts the plugins.

    If you'd like to test whatever you wish, perhaps you could do it in a testing environment, if you can, and see what problems may arise.
    One thing is to "mess" with browsers, etc. Another is to mess with the operating system processes themselves; one never knows what to expect. Even if everything goes OK in a testing environment, that is not to say it will be OK in a production system.
     
  8. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Unfortunately Windows wouldn't boot normally with ASLR always on, so I had to go in Safe Mode and restore my previous settings.
     
  9. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    The only system setting I set to Always On in my relatives' systems (Windows Vista and 7) was DEP. SEHOP is opt-out and ASLR is opt-in.
     
  10. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    5,616
    Location:
    Milan and Seoul
    This is reported in the 'user guide' (see attachment). I've activated EMET on my Vista Ultimate32 and so far so good; I've followed what's suggested by the website linked in Dogbiscuit's post #19.

    Many thanks to Mrkvonic for raising the issue (I thought Emet was only available to Win7).
     

    Attached Files:

    • ASRL.JPG
    Last edited: Jan 2, 2011
  11. newbino

    newbino Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    464
    Thanks for initiating this thread. A question: I have set EMET up on a per-app basis, is there a way to export the settings?
     
  12. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,797
    There's no way to 'export' settings but you can always make use of a batch file in order to 'import' settings into EMET without you having to go into the GUI and add them manually...

    For example:

    1. Copy/paste the script below into Notepad, save it as a .bat file and run it.
    (you can always edit it to fit your needs)
    2. Do not worry if the list contains files that are not on your system.
    Cmd.exe will just skip those, reporting "error, not found on system".
    3. Restart the applications or, better still, reboot.

    Code:
    :: change to the EMET install directory (adjust if EMET is installed elsewhere)
    c:
    cd "C:\Program Files\EMET"
    
    :: register each application with EMET; paths that do not exist are simply reported as errors
    emet_conf.exe --add "C:\WINDOWS\system32\spoolsv.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\lsass.exe"
    emet_conf.exe --add "C:\Program Files\Windows Media Player\wmplayer.exe"
    emet_conf.exe --add "C:\Windows\ehome\ehshell.exe"
    emet_conf.exe --add "C:\Program Files\Internet Explorer\iexplore.exe"
    emet_conf.exe --add "C:\Program Files\Mozilla Firefox\firefox.exe"
    emet_conf.exe --add "C:\Program Files\Mozilla Firefox\plugin-container.exe"
    emet_conf.exe --add "C:\Program Files\Google\Chrome\Application\chrome.exe"
    emet_conf.exe --add "C:\Program Files\SRWare Iron\iron.exe"
    emet_conf.exe --add "C:\Program Files\Opera\opera.exe"
    emet_conf.exe --add "C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe"
    emet_conf.exe --add "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat.exe"
    emet_conf.exe --add "C:\Program Files\SumatraPDF\SumatraPDF.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\Macromed\Flash\FlashUtil10k_ActiveX.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\Macromed\Flash\FlashUtil10k_Plugin.exe"
    emet_conf.exe --add "C:\Program Files\Java\Java Update\jusched.exe"
    emet_conf.exe --add "C:\Program Files\Java\jre6\bin\java.exe"
    emet_conf.exe --add "C:\Program Files\Java\jre6\bin\jqs.exe"
    emet_conf.exe --add "C:\Program Files\VideoLAN\VLC\vlc.exe"
    emet_conf.exe --add "C:\Program Files\Winamp\winamp.exe"
    emet_conf.exe --add "C:\Program Files\QuickTime\QuickTimePlayer.exe"
    emet_conf.exe --add "C:\Program Files\iTunes\iTunes.exe"
    emet_conf.exe --add "C:\Program Files\Messenger\msmsgs.exe"
    emet_conf.exe --add "C:\Program Files\Outlook Express\msimn.exe"
    emet_conf.exe --add "C:\Program Files\Microsoft Office\OFFICE11\MSACCESS.EXE"
    emet_conf.exe --add "C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE"
    emet_conf.exe --add "C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE"
    emet_conf.exe --add "C:\Program Files\Microsoft Office\OFFICE11\POWERPNT.EXE"
    emet_conf.exe --add "C:\Program Files\Microsoft Office\OFFICE11\PPTVIEW.EXE"
    emet_conf.exe --add "C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE"
    emet_conf.exe --add "C:\Program Files\Microsoft Office\OFFICE12\MSACCESS.EXE"
    emet_conf.exe --add "C:\Program Files\Microsoft Office\OFFICE12\EXCEL.EXE"
    emet_conf.exe --add "C:\Program Files\Microsoft Office\OFFICE12\OUTLOOK.EXE"
    emet_conf.exe --add "C:\Program Files\Microsoft Office\OFFICE12\POWERPNT.EXE"
    emet_conf.exe --add "C:\Program Files\Microsoft Office\OFFICE12\PPTVIEW.EXE"
    emet_conf.exe --add "C:\Program Files\Microsoft Office\OFFICE12\WINWORD.EXE"
    emet_conf.exe --add "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    emet_conf.exe --add "C:\Program Files\OpenOffice.org 3\program\soffice.exe"
    emet_conf.exe --add "C:\Program Files\OpenOffice.org 3\program\sbase.exe"
    emet_conf.exe --add "C:\Program Files\OpenOffice.org 3\program\scalc.exe"
    emet_conf.exe --add "C:\Program Files\OpenOffice.org 3\program\sdraw.exe"
    emet_conf.exe --add "C:\Program Files\OpenOffice.org 3\program\simpress.exe"
    emet_conf.exe --add "C:\Program Files\OpenOffice.org 3\program\smath.exe"
    emet_conf.exe --add "C:\Program Files\OpenOffice.org 3\program\swriter.exe"
    
    The list above is my own custom one, which I derived from the recommended applications to add here plus a few more apps like other browsers (Google Chrome, Iron, Opera) and non-Adobe PDF readers (Sumatra PDF, PDF-XChange Viewer, Foxit Reader). I've not tested whether the latter 2 work with EMET though...

    Take note that I omitted Skype so if you want it, you can add it in but don't forget that you may need to go to the GUI and "disable EAF protection for skype.exe in EMET".

    If anyone has any other suggestion on what other popular apps/threat-gates to add (browsers, media players, IM clients) and have tested and verified that things work right, please inform/share it with me here so that I can add them to my list;).
     
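    An added example (not safeguy's script, and not part of EMET): a PowerShell version of the same idea that only emits emet_conf.exe --add lines for executables actually present on the machine, and looks under both Program Files trees so one list serves 32-bit and 64-bit Windows. It assumes the EMET 2.x emet_conf.exe --add <path> syntax used in the batch file above and the default install directory; the candidate list is a constructed subset of the one posted, and $WhatIf keeps it in preview mode until you flip it.

```powershell
# Added example (not from the thread): register only the threat-gate applications
# that actually exist on this machine instead of letting emet_conf.exe error out
# on missing paths. Assumes EMET 2.x's "emet_conf.exe --add <path>" syntax and the
# default install directory; the candidate list below is a constructed sample.
$EmetConf = Join-Path $env:ProgramFiles 'EMET\emet_conf.exe'
$WhatIf   = $true   # set to $false to actually run emet_conf.exe

# Paths are relative to a Program Files root and are resolved under both trees,
# so the same list works on 32-bit and 64-bit Windows (the installer is the
# same, but 32-bit applications land in "Program Files (x86)" on x64).
$Candidates = @(
    'Internet Explorer\iexplore.exe',
    'Mozilla Firefox\firefox.exe',
    'Mozilla Firefox\plugin-container.exe',   # hosts Firefox plugins, see m00nbl00d's note
    'Google\Chrome\Application\chrome.exe',
    'Opera\opera.exe',
    'Adobe\Reader 9.0\Reader\AcroRd32.exe',
    'SumatraPDF\SumatraPDF.exe',
    'Java\jre6\bin\java.exe',
    'VideoLAN\VLC\vlc.exe',
    'Microsoft Office\OFFICE12\WINWORD.EXE'
)
$Roots = @($env:ProgramFiles)
if (${env:ProgramFiles(x86)}) { $Roots += ${env:ProgramFiles(x86)} }

# Return the full path of every candidate that exists under any search root.
function Resolve-Candidates {
    param([string[]]$Relative, [string[]]$SearchRoots)
    foreach ($rel in $Relative) {
        foreach ($root in $SearchRoots) {
            $full = Join-Path $root $rel
            if (Test-Path -LiteralPath $full -PathType Leaf) { $full }
        }
    }
}

$Found = @(Resolve-Candidates -Relative $Candidates -SearchRoots $Roots)
if (-not (Test-Path -LiteralPath $EmetConf)) {
    Write-Warning "emet_conf.exe not found at $EmetConf; running in preview only"
    $WhatIf = $true
}
foreach ($exe in $Found) {
    Write-Host "emet_conf.exe --add `"$exe`""
    if (-not $WhatIf) { & $EmetConf --add $exe }
}
Write-Host ("{0} of {1} candidates present on this system" -f $Found.Count, $Candidates.Count)
```

    As with the batch file, restart the listed applications (or reboot) after the real run so EMET's settings take effect.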
  13. newbino

    newbino Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    464
    thanks safeguy!
     
  14. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,872
    Location:
    Outer space
    There have been a few posts about how to get a browser EMETized under Sandboxie, but has anyone tried to EMET Sandboxie itself? There has been a vulnerability once in the past and it has been fixed, but there could always be unknown ones, and it seems to me that vulnerabilities are the only real weak point of sandboxing (except for the problem between computer and keyboard of course :p), so making that a lot harder would certainly be interesting for users who often/always use Sandboxie.

    Thanks, but it seems its detection is working correctly. It says SEHOP is disabled, so just to be sure it wasn't a conflict with the MS Fix-it, I installed EMET in a VM, and both with SEHOP on opt-in and on opt-out it still indicated it was disabled (and I did reboot after changing the setting in EMET).
     
  15. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,797
    See here. Tzuk himself can't advise for/against the idea. The way I see it is EMET is much more suitable to be applied on threat-gates rather than on anything else...it's not a 'magic cure' for all vulnerabilities and might even cause problems for some applications...

    E.g. RSS 2011 REL2 conflict with EMET 2.0

    That has been fixed with a new build of EMET.

    I also found that Returnil 2008 doesn't work with EMET at all. You can't install either one while the other exists on your PC. Correct me if I'm wrong.

    Furthermore, what are the chances/possibility of EMET 'protecting' your security software vs. a 'hidden' EMET conflict with it, causing it to function improperly (invisible to the naked eye)? Taking all that into consideration and going by my own logic, I'd probably leave it alone without EMET's intervention, unless someone can prove to me otherwise.
     
  16. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Ahhh what is the current stable version of EMET for Windows 7 64 bit?

    Is there a link where users can get the SW at MS?

    Thanks
     
  17. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    The installer is the same for both 32-bit and 64-bit, I believe.
     
  18. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    You might try this, seems to work for me anyway ;) Be sure to place this in the EMET directory..

    emet_export.bat
    Code:
    :: turn off the verbose text
    @Echo off
    
    :: make sure to clear the command prompt before beginning
    cls
    
    :: verify executable exists and create the export file
    IF EXIST emet_conf.exe (
    emet_conf.exe --list > EMET_exported.txt
    ) ELSE (
    Echo emet_conf.exe not found. Exiting.
    Pause
    Exit
    )
    
    :: start from a clean import file, otherwise re-running appends duplicate lines
    IF EXIST EMET_to_import.txt DEL EMET_to_import.txt
    
    :: step through the export file, formatting for importing
    :: (skip the 3 header lines; token 1 is the exe name, the rest of the line is its directory)
    :: append each line to the import file
    FOR /f "skip=3 tokens=1,*" %%i IN (EMET_exported.txt) DO (
    Echo emet_conf.exe --add "%%j\%%i" >> EMET_to_import.txt
    )
    
    :: give user time to examine and then exit
    Echo.
    Echo Finished creating EMET import file.
    Echo Rename the file
    Echo EMET_to_import.txt
    Echo to
    Echo EMET_to_import.bat
    Echo.
    Echo Then you may execute that .bat file.
    Echo.
    Pause
    Exit
    
    Sul.
     
  19. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,872
    Location:
    Outer space
    I have had VMware Player EMETed for a few days now without any visible problems (just vmplayer.exe).

    Ok, thanks.
     
  20. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
    Wise decision. Unless there's compelling evidence of a vulnerability that can only be mitigated using EMET, security software is best left alone IMO.
     
  21. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    When you uninstall EMET, do you get to keep your old settings? Unfortunately version 2.0.0.3 doesn't allow me to update my previous installation.
     
  22. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,113
    Location:
    Sofa (left side)
    I have no problems at all with EMET and Returnil 2008 installed. I've been running them together for several months.
     
  23. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,941
    Location:
    USA
    I'm wondering about EMET and Sandboxie...
    anyone with experiences using them together?

    I see that 3.52 has a Software Compatibility entry for the EMET toolkit.
    That makes me feel better about running them together.

    Any thoughts on redundancy, or conflicts?
    I think it might be worthwhile adding EMET.

    PS- I'm still reading back on this thread, and another, so forgive me if these questions have been extensively discussed. I don't think I would try protecting SBIE with EMET, though.
     
  24. brainrb1

    brainrb1 Registered Member

    Joined:
    Mar 15, 2010
    Posts:
    491
    I just updated my PDF-XChange Viewer after removing it from EMET protection (max), but the PDF-XChange Firefox plugins (under EMET) still show the old version plugin. Do I have to remove other related programs (Firefox/IE) from EMET for the software plugin upgrades to work?
    It seems that I now have to remove Firefox, Firefox plugin-container and IE from EMET as well as reinstall PDF-XChange. Every time NoScript etc. updates I have to follow the same routine :(
     
  25. prius04

    prius04 Registered Member

    Joined:
    Apr 14, 2007
    Posts:
    1,248
    Location:
    USA
    Same here. Fortunately, I discovered a workaround which is very simple. With Firefox **not** running:

    1) Locate the file npPDFXCviewNPPlugin.dll (typically in Program Files>>Tracker Software>>PDF Viewer) and move the file out of its directory - you can move it to another drive or folder, doesn't seem to matter as long as it doesn't appear in its proper directory.
    2) Start Firefox and then close it.
    3) Move npPDFXCviewNPPlugin.dll back to its original directory.
    4) Start Firefox and check your Plugins again (PDF-XChange should now show the correct version).
     