EMET (Enhanced Mitigation Experience Toolkit)

Discussion in 'other anti-malware software' started by luciddream, Apr 1, 2013.

  1. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,797
    Not on my PC now but can't wait to give it a go. I'm predicting that the new .NET requirements will upset a few people.
     
  2. DR_LaRRY_PEpPeR

    DR_LaRRY_PEpPeR Registered Member

    Joined:
    Oct 11, 2012
    Posts:
    141
    Location:
    St. Louis area
    Yeah, and I just realized when it was telling me to install .NET 4 on the Win 7 system (I already have it), that it needs the FULL .NET 4 install, not just the "Client Profile" (slightly smaller) that was on that system...
     
  3. DR_LaRRY_PEpPeR

    DR_LaRRY_PEpPeR Registered Member

    Joined:
    Oct 11, 2012
    Posts:
    141
    Location:
    St. Louis area
    I got this working shortly after I posted... Doesn't really have much to do with this topic for people using the full, real EMET right now, but in case anyone wanted to see how the notifications are sent differently than EMET 3.x and that previous proof-of-concept Notifier post. This also means that I should be able to proceed as I hoped on an EMET alternative.

    Amazingly (for me), I almost got it on the first try. Just had to redo/compile as Unicode now, after realizing the notification is Unicode now (not in 3.x). You can see that the XML message is much different than the previous basic text in the attached image... Of course not sure about the meaning of the different stuff! But it basically works, which is what I wanted to check for any future tool. ;)

    Full code, for reference:
    Code:
    #include <Windows.h>
    
    #pragma comment(lib, "User32.lib")
    
    #define BUF_SIZE 1024
    
    int main(int argc, char *argv[])
    {
    	DWORD bytes;
    	WCHAR message[BUF_SIZE + 1]; // one extra WCHAR so the received text can always be NUL-terminated
    	// Create the EMET_Agent_0 mailslot that the EMET 4 notifications arrive on
    	HANDLE mailslot = CreateMailslotW(L"\\\\.\\Mailslot\\EMET_Agent_0", BUF_SIZE * sizeof(WCHAR), MAILSLOT_WAIT_FOREVER, NULL);
    
    	if (mailslot == INVALID_HANDLE_VALUE)
    	{
    		return 1; // Could not create the mailslot (already exists, or insufficient rights)
    	}
    
    	while (1) // Kill with Ctrl+C
    	{
    		if (ReadFile(mailslot, message, BUF_SIZE * sizeof(WCHAR), &bytes, NULL) && bytes)
    		{
    			// The XML message is not guaranteed to be NUL-terminated, so terminate it before displaying
    			message[bytes / sizeof(WCHAR)] = L'\0';
    			MessageBoxW(NULL, message, L"EMET", MB_OK);
    		}
    		else
    		{
    			CloseHandle(mailslot);
    			return 1; // ReadFile failed
    		}
    	}
    
    	CloseHandle(mailslot);
    	return 0;
    }
     

  4. kupo

    kupo Registered Member

    Joined:
    Jan 25, 2011
    Posts:
    1,121
    I used process explorer and emet.dll is not loading. I am using shortcuts to run a program sandboxed.
     
  5. DR_LaRRY_PEpPeR

    DR_LaRRY_PEpPeR Registered Member

    Joined:
    Oct 11, 2012
    Posts:
    141
    Location:
    St. Louis area
    OK, then that's Sandboxie's starting of the program that's somehow not letting EMET load right, and not simply a settings problem where the GUI doesn't show it. :) Glad we noticed this now, and hopefully tzuk (Sandboxie) will fix the issue soon!
     
  6. Trespasser

    Trespasser Registered Member

    Joined:
    Mar 1, 2005
    Posts:
    1,204
    Location:
    Virginia - Appalachian Mtns
    Try running your browser unsandboxed and see if emet.dll or emet64.dll loads.

    Later...
     
  7. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,797
    A few things I noticed....

    1. "EMET Agent not running" message if you're running under SUA (like kupo mentioned earlier) which is annoying. :p

    2. A bug with 'unsafe option' (ASLR "Always On")

    By default, the 'unsafe option' (ASLR "Always On") is meant to be unavailable in the GUI as it might prevent some systems from booting correctly (usually due to driver conflict). In order to override this, you have to make the following registry change to make it available:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EMET
    EnableUnsafeSettings = 1

    However, in V4 Beta, the 'unsafe option' (set ASLR to "Always On") is available even if you had not made the registry change. This is not the intended behavior and is a bug.

    If you had not used this unsafe option earlier, just be aware and don't choose it by mistake. OTOH, if you had made the registry change earlier on, you'll have to revert it to 0 to get the 'unsafe option'.

    Again, this is not how it's supposed to be and is a temporary workaround till the issue is resolved.

    More info here:
    EMET 4.0 Beta Possible Bug: Unsafe System Wide ASLR Always On Available By Default

    Luckily this is a "Beta". Hope this and the above mentioned "EMET Agent not running" message gets fixed when V4 stable gets released.

    @DR_LaRRY_PEpPeR

    Seems like the "DEP broken" issue is fixed in V4 Beta according to a poster by the name of JamesC_836.

    DEP broken in EMET 3.5?
     
  8. Landpaddle

    Landpaddle Registered Member

    Joined:
    Mar 8, 2013
    Posts:
    5
    I have been having no real issues so far with the software. Well, aside from the predictable BSOD when rebooting after enabling ASLR on Win7.

    Also, EMET 4.0 seems to run more smoothly with internet-facing applications, such as browsers or auto-updating services. I'm not sure whether the development team has implemented some undocumented optimizations since 3.5, but all checkboxes can be enabled on their application list without visible lag or crashes. A resource-gentle protection module is a welcome one.
     
  9. ambient_88

    ambient_88 Registered Member

    Joined:
    Jun 23, 2008
    Posts:
    854
    I have been having issues with EMET 4.0, mainly with my browsers. It seems that the new advanced ROP settings are to blame here (for me at least). If I have them enabled, my browsers consistently crash. Does anyone experience the same thing?

    Oh, and I have the Identity Shield module of WSA disabled.
     
  10. Trespasser

    Trespasser Registered Member

    Joined:
    Mar 1, 2005
    Posts:
    1,204
    Location:
    Virginia - Appalachian Mtns
    Try going to your browser entry and uncheck SimExecFlow, reboot, and see if that helps.

    I had Comodo 6.1 installed, configured and was receiving the ROP error in Firefox. Unchecking that specific entry allowed Firefox to open. Uninstalling Comodo solved that problem. I was able to recheck SimExecFlow. BTW, I had to uncheck SimExecFlow for KeyScrambler before it would work properly. On Win 8 Pro 64 bit.

    Later...
     
  11. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,345
    Location:
    Italy
    [XP]

    Bug EMET Agent status:not running:

    1.JPG
    2.jpg
     
  12. JimboW

    JimboW Registered Member

    Joined:
    Oct 22, 2010
    Posts:
    280
    Running smooth here. Nice update.
     
  13. sly53

    sly53 Registered Member

    Joined:
    Jun 28, 2011
    Posts:
    15
    About the .net 4, will that install with Emet 4 or do you have to install it before Emet or after? Do you just go to Microsoft and download it before? I have Microsoft .NET Framework 4 Client Profile and it was said here that is not the full one. Thanks sly
     
  14. sly53

    sly53 Registered Member

    Joined:
    Jun 28, 2011
    Posts:
    15
    Been doing some looking and I see there is a 4.5 .net, do I need that or 4? Also do I need to uninstall Client Profile or use a cleaner? I see 4.5 will upgrade Client Profile but see nothing about .net 4.0 upgrading Client Profile. Please give me instructions on what to do about .net before I install Emet 4.
     
  15. Krysis

    Krysis Registered Member

    Joined:
    Dec 28, 2012
    Posts:
    371
    Location:
    DownUnder
    Running EMET 4\Sandboxie 4.01.05 in Windows 8 Pro x64

    Process Explorer displays following:
    If I launch unsandboxed browsers – I.E – Firefox and Palemoon – all load Emet*.dll OK
    If I launch sandboxed browsers from Metro - all load Emet*.dll OK
    If I launch sandboxed browsers using desktop shortcuts - Emet*.dll does not load!

    Curiously, launching the sandboxed browsers using the browser icons on the Task Bar loads Emet*.dll OK
     
    Last edited: Apr 21, 2013
  16. DR_LaRRY_PEpPeR

    DR_LaRRY_PEpPeR Registered Member

    Joined:
    Oct 11, 2012
    Posts:
    141
    Location:
    St. Louis area
    Forced or using a Sandboxie "Web Browser" shortcut (like Desktop...?)?

    Forced, EMET probably loads before Sandboxie takes over, but if Sandboxie is starting the program, something since 4.01.04 is preventing it from loading... (although not in all cases). When testing, I noticed cases when previous, mostly working Sandboxie versions also didn't let EMET load, as I posted on the forum.


    BTW, this has nothing to do with EMET 4, it's a Sandboxie issue. EMET 3.5 has the same problem on my main system (didn't upgrade to 4 yet). As would probably any AppCompat "Shim DLL" that tries to load.
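
    A scripted version of the Process Explorer check several posters describe above (does each browser process have EMET.dll or EMET64.dll loaded, and is it running under Sandboxie?), combined with a read of the EnableUnsafeSettings value from post 7. This is an added example, not code from the thread, from Microsoft or from Sandboxie; it assumes Sandboxie's user-mode DLL is named SbieDll.dll, that the EMET registry key is HKLM\SOFTWARE\Microsoft\EMET as quoted in post 7, and PowerShell 3 or later. Run it from an elevated prompt of the same bitness as the browsers so their module lists can be read.

```powershell
<#
  Added diagnostic (not from the thread): for each named process, report whether
  Sandboxie's user-mode DLL (SbieDll.dll, assumed name) and EMET's injected DLL
  (EMET.dll / EMET64.dll) are present, plus the EnableUnsafeSettings value.
#>
param(
    # Assumed default list of browsers to inspect; adjust to your own
    [string[]]$ProcessName = @('firefox', 'iexplore', 'palemoon', 'opera')
)

function Get-EmetUnsafeSetting {
    # Registry location taken from the thread (post 7)
    $key = 'HKLM:\SOFTWARE\Microsoft\EMET'
    $item = Get-ItemProperty -Path $key -Name 'EnableUnsafeSettings' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'not set (default)' }
    return $item.EnableUnsafeSettings
}

function Test-ModuleLoaded {
    param([System.Diagnostics.Process]$Process, [string[]]$Names)
    try {
        $loaded = $Process.Modules | ForEach-Object { $_.ModuleName }
    } catch {
        # Access denied: e.g. 32-bit PowerShell inspecting a 64-bit process, or not elevated
        return $null
    }
    foreach ($n in $Names) {
        if ($loaded -contains $n) { return $true }   # -contains is case-insensitive
    }
    return $false
}

"EnableUnsafeSettings = $(Get-EmetUnsafeSetting)"
""

$rows = foreach ($name in $ProcessName) {
    foreach ($p in Get-Process -Name $name -ErrorAction SilentlyContinue) {
        $sbie = Test-ModuleLoaded -Process $p -Names @('SbieDll.dll')
        $emet = Test-ModuleLoaded -Process $p -Names @('EMET.dll', 'EMET64.dll')
        [pscustomobject]@{
            Process   = $p.ProcessName
            PID       = $p.Id
            Sandboxed = if ($null -eq $sbie) { 'unknown' } elseif ($sbie) { 'yes' } else { 'no' }
            EmetDll   = if ($null -eq $emet) { 'unknown' } elseif ($emet) { 'loaded' } else { 'MISSING' }
        }
    }
}

if (-not $rows) { "No matching processes are running." } else { $rows | Format-Table -AutoSize }
```

    A row showing Sandboxed = yes and EmetDll = MISSING is the situation described in posts 4, 15 and 16: the browser is running, but without EMET's mitigations, so the GUI's configured rules are not actually applied to that process. Launch the same browser the different ways the thread lists (forced, Sandboxie shortcut, taskbar icon) and rerun the script to see which start path loses the DLL.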
     
  17. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,625
    Location:
    USA
    I am finding the included templates are wrong. Office 2013 has a path set as:
    *\Microsoft Office 15\root\OFFICE15\
    when it should be:
    *\Microsoft Office\OFFICE15\
    so EMET rules do not apply to Office 2013 until you correct the path. :ouch:
     
  18. SLE

    SLE Registered Member

    Joined:
    Jun 30, 2011
    Posts:
    361
    That's the valid path for Office 2013 but only for 365.
     
  19. Krysis

    Krysis Registered Member

    Joined:
    Dec 28, 2012
    Posts:
    371
    Location:
    DownUnder
    Yeah – I should have mentioned that all browsers were 'forced' sandboxed.
    When using Sandboxie "Web Browser" shortcuts (like Desktop) Emet*.dll does not load.

    I didn't actually check the above when using EMET 3.5!
     
  20. wolfrun

    wolfrun Registered Member

    Joined:
    Jul 26, 2009
    Posts:
    700
    Location:
    North America
    Verifying that I have the exact same issues with EMET 4.
     
  21. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,345
    Location:
    Italy
    [XP]
    SBIE ver 3.76 free
    EMET ver 4 beta

    Run (desktop) Opera/Thunderbird.
    EMET.dll OK:


    Immagine.JPG
     
  22. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,625
    Location:
    USA
    Not using 365 but good to know. You would think they would cover both since they go all the way back to 2002 with the other entries.
     
  23. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,545
    I'm going to wait until the stable build to try 4. And even then run it in a VM first to see how .NET FW 4 takes to XP. If I like v4 of EMET, and feel it's worthwhile to run it at all. Otherwise I'll stick with EMET 3.0 and .NET FW 2.

    I am not a fan of the .NET FW requirements, no. I'm not a fan because .NET FW has proven to be a vulnerable framework in the past, and I don't like the idea of adding vulnerable attack surface to my box in the name of stopping exploits I'll probably never come across anyway. It has nothing to do with it being bloat anymore, as the box I have now can take that added footprint in stride just fine.
     
  24. dja2k

    dja2k Registered Member

    Joined:
    Feb 15, 2005
    Posts:
    2,120
    Location:
    South Texas, USA
    What Settings are you all using in EMET v4 Beta? In EMET 3.5 Tech Preview, I had all 3 settings to "Always On" and had the all.XML list enabled and it was quiet (good thing I suppose). Now the v4 Beta is giving me pop-ups dealing with the ROP module for Microsoft Office. I eliminated that by disabling ROP for them, but I have also noticed more errors in system logs dealing with other software than before and I think it's EMET causing them.

    dja2k
     
  25. new2security

    new2security Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    517
    Totally agree. Also the up(grade)date style for framework is weird in a sense that you have to install them incrementally or something like that. But it's about weighing the benefits vs cost in form of larger attack surface and adding bloat. I'm having a hard time making the right decision for EMET 4.0.
     