Introducing EMET v3

[wat0114]

Quote:

Originally Posted by subhrobhandari

Working fine with me... Waterfox 14.01 here.

I had no issues either until I tried playing some videos off a ctvolympics.ca website.

*EDIT*

after some research, the site utilizes MS Silverlight through plugin-container.exe, and when videos do play, a Silverlight-associated DLL, agcore.dll, is using very high CPU cycles as observed under Process Explorer's Threads tab, so this might be the culprit.

[subhrobhandari]

Just in case someone needed, I have uploaded my EMET configuration file here.

hxxp://flashmirrors.com/files/8hb7znda1vvex1u/subhrobhandari_s%20EMET%20Configuration.xml

I haven't done extensive testing but been using this since the day this tech preview was released.

[Baserk]

Bypassing 3.5 ROP mitigations claimed;

'It seems MS was aware of this kind of bypasses, so I bypassed EMET ROP mitigations using another EMET’s implementation mistake. EMET team forget about the KernelBase.dll and left all its functions unprotected. so I used @antic0de‘s method for finding base address of kernelbase.dll at run-time, then I used VirtualProtect inside the kernelbase.dll, not ntdll.dll or krenel32.dll. you can get new exploit at the end of this post.

I have managed to bypass EMET 3.5, which is recently released after Microsoft BlueHat Prize, and wrote full-functioning exploit for CVE-2011-1260 (I choosed this CVE randomly!) with all EMET’s ROP mitigation enabled. ...'

Wordpress link and Twitter link

[m00nbl00d]

It's actually great that Microsoft provides these Release Previews. This way they get a chance for EMET to be tested and solve any issues with it, if it's fixable.

[wat0114]

Thanks Baserk!

oh well *shrugs* the exploits are blocked in my vm testing. IE is set via Group Policy to prompt on signed activex download attempts and block anything unsigned. However, I did allow in all attempts but nothing really happened.

[wat0114]

For those who don't want the EMET notifier running in their system tray and have Task Scheduler available:

Open Task Scheduler as Administrator, select: Action-> Create Task...

General tab:
Run only when user is logged in

Triggers tab:
Specific user: Any user
Begin the task: At log in
Delay task for: 30 seconds (important because EMET_notifier.exe starts some seconds after log in)
Actions tab:
Action: Start a program
Program/script: Location of your batch file eg in my case: C:\Users\user_name\Desktop\kill_EMET_notifier.bat
Conditions:
Defaults are ok
Settings
If the task fails resart every 1 minute
Attempt to restart up to: 3 times

BAT file:

Code:

 @ echo off
Taskkill /IM EMET_notifier.exe

**Note** if using AppLocker or perhaps a HIPS program,, you'll have to create a Script rule, preferably a Path rule, that allows the .BAT file to run.

[m00nbl00d]

Heck!! Why all that? Just use Autoruns and disable it. No more notifier.

[wat0114]

Strange, I could have sworn that didn't work for me using Autoruns the first time I tried it several weeks ago, and that I saw where it was the same for others but it does now

**EDIT**

wait, not so fast. how are you going about disabling it in Autoruns? I ask because now I see what happens. If you open EMET it creates another enabled autorun entry even though the previous one's checkbox is cleared. With the Task Scheduler method, the notifier is prevented from running even though the cleared entry is re-created.

[malexous]

I have disabled the notifier through msconfig Startup tab. Running EMET from Start will create a new autorun entry but running EMET_GUI from the installation folder will not.

[m00nbl00d]

Quote:

Originally Posted by malexous

I have disabled the notifier through msconfig Startup tab. Running EMET from Start will create a new autorun entry but running EMET_GUI from the installation folder will not.

Yes, that's how I call it too. I never bothered with it, but I wonder what command line syntax in the EMET's shortcut in the Start Menu? I'm not running as admin, and only admin can see it in the Start Menu.

[StillAlive]

Emsisoft Online Armor 5.5.0.1616 (oadump.exe, oasrv.exe and oaui.exe) is not compatible with Enhanced Mitigation Experience Toolkit v3.5 Tech Preview (Execution flow simulation mitigation (SimExecFlow)).

[RSpanky]

I have been trying to install EMET 3 on my Vista Home Premium SP2, I keep getting a error message about it could be a bad package. I find it strange that I can't get it to install. I am running AppGuard set to install and Malwarebytes running RT, Can someone point me in the right direction to get EMET installed. Thanks Rick

[kupo]

Quote:

Originally Posted by StillAlive

Emsisoft Online Armor 5.5.0.1616 (oadump.exe, oasrv.exe and oaui.exe) is not compatible with Enhanced Mitigation Experience Toolkit v3.5 Tech Preview (Execution flow simulation mitigation (SimExecFlow)).

Did you add Online Armor's .exe files in the protection of EMET, or it really just affects the operation of EMET?

[StillAlive]

Quote:

Originally Posted by skudo12

Did you add Online Armor's .exe files in the protection of EMET

Yes, I did.

Quote:

Originally Posted by skudo12

, or it really just affects the operation of EMET?

No, it doesn't.



Online Armor 5.5.0.1616 is working:


Online Armor 5.5.0.1616 is not working, because all the three files crash on start up:



[Windows 7 SP1 32-bit (x86)]

[DX2]

Should I leave EMET settings at default, Application OPT In on all 3?

[ComputerSaysNo]

Quote:

Originally Posted by DX2

Should I leave EMET settings at default, Application OPT In on all 3?

Set to MAXIMUM protection I find is the best, you can find the setting in the options bar.