Does EMET Dial-Out A Lot?

Every since I installed EMET, I am seeing a lot of MS dial-outs. Every time I cold boot, there is one to Hotmail IP followed by one to MSEC, etc. Usually occurs right after the dial-out form EMET notifier occurs.

Normal stuff?

 

Does EMET Dial out.... ? the FW rule created for it allows that.

What I do is block that activity.

 

Ok. I will block it. Thought perhaps MS was updating it in some way.

 

Good you will see the dial outs stop.

When EMET updates to a new official version we will know and you will need to download the upgrade.

Somebody here will know.

 

I disabled the notifier to stop the connection attempts.

 

Appears it is also dialing-out from IE9 using svchost.exe. Same 64.4.11.42 hotmail Ip plus 204.183.124.xxx which maps to ctldl.windowsupdate.com.

Guess I will try to block that domain name from svchost.exe. Or is that part on EMET protection?

 

No, svchost is a sneaky way they EMET is using to link out.

I had the same issue and then blocked every single leak feature in my FW for EMET. That shut it up for sure.

Here is a fw log entry that demonstated this:

4:57:44 PM EMET_NOTIFIER.EXE Block system objects modification System Objects C:\Windows\System32\GDIPFONTCACHEV1.DAT


I also have windows update disabled til next patch Tuesday.

 

me too

 

The MS IP EMET is using to dial-out via svchost.exe when IE9 is active is 65.55.57.27. Appears that this dial-out occurs after something is downloaded from the browser. So the question is if blocking the dial-out is advisable?

Would be nice if MS would clarify if EMET has a cloud component? I have assumed that EMET has no clould functionality and therefore should not be connecting to MS.

The real question is what these EMET Internet connections are all about. It does not have an update notifier per what is stated on it's Technet forum. So EMET should never be connecting to the Internet in my opinion.

 

100% agreed that these questions need answering.

IMHO I have zero faith that they ever will be.

So, I just follow my security policy and block by default and allow by exception. There is no known exception so I block away.

Nothing complains or breaks so there you go!

 

This MS Emet is still leaking !!!! Note I'm on the beta/test version called tech preview. I stopped emet and syshost but now it's the gui!!!

Have a look

10:16:21 PM Allow EMET_NOTIFIER.EXE Network-enabled application launch c:\program files (x86)\emet (tech preview)\emet_gui.exe

This is really starting to p..... me off. Why are they doing this? It is supposed to help with security not report back to the mother ship!!!

I have now blocked emet_gui all the antileak setting and systems objects. Here are the log reports:

10:14:35 PM EMET_NOTIFIER.EXE Block system objects modification Internet Settings HKEY_USERS\S-1-5-21-3999982920-2473791503-924582560-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect
4:20:09 PM EMET_NOTIFIER.EXE Block system objects modification System Objects C:\Windows\System32\GDIPFONTCACHEV1.DAT

 

I haven't seen any of this activity myself, and I have the notifier running (v3.5). No connection attempts, and no suspicious activity in my D+. I have svchost.exe blocked silently though (no logging), so if it were trying to use that as a facade I'd be oblivious to it.

 

Hi L!

Well good! Try logging svchost for a day !

I really hate that MS "service"

Found out today that (Emet tech version) tried used a runonce to access www! That was strike 3 so EMET is out on the basis for me anyway and I have removed the product. This is NOT a recommendation for others and I don't want to start a debate about it but in my world spys are shot.

If somebody someday can show me that emet no longer does this i will try again since the technique is good as a last resort for viruii (sp?) that slip by.

They spoil it by having it "phone home". I guess M$ doesn't expect anybody to notice.

 

My EMET ver. is 3.0.

I am not that worried anymore about the dial-out from EMET notifier at boot time to ctldl.windowsupdate.com. This is the domain MS uses to validate certs.

Ditto for svchost.exe dial-outs while IE9 is running, dialouts are to the same domain. It appears MS is using EMET to validate certficates versus the default processing in IE9? Best explaination I can come up.

This might be a response to the reality that third party digital certs. can't be trusted anymore.

 

Just noticed another glitch with EMET 3.0. I added lsass and spoolsv the other day to the applications list. That day I verified via EMET gui that both were protected. Today I noticed neither are slowing as EMET protected. However, both have the EMET.dll injected so appears this is a bug with the GUI? I did do a repair on EMET. Didn't fix the issue.

 

Whatever the reason EMET is phoning home, it's Disgusting behaviour by MS

I would like to discover why they do this.

They should have Explicity warned about it, BEFORE the install proceeded. And explained why they wanted it to. Then give you the option to refuse the install.

Numerous MS www's STATE for eg "We take your privacy seriously" Blah blah blah. Oh yeah !

 

Hmm, interesting. So this is an EMET program, like the Notifier trying to connect, and not in programs that are using EMET (from the DLL)? I guess that's another reason to have an open source Notifier.

No, not a bug with the GUI. Just because the EMET DLL is in a process doesn't mean it's doing anything. The AppCompat layer will load it, but EMET will not necessarily "activate" itself. Assuming you haven't messed with anything (to inject the DLL another way besides AppCompat, which is what the EMET GUI does), that would most likely be because the configured path for the program doesn't match (seems unlikely if you set up lsass and spoolsv).

Anyway, to see if EMET is working, check the GUI, or that the Event \BaseNamedObjects\EMET_PID_nnn has been created (which is what the GUI looks for). Only then is EMET actually active. Assuming the mitigations actually do work, unlike at least DEP in EMET 3.5.

I've always had lsass and spoolsv protected fine (XP).

 

Can I ask a question here? What evil thing(s) do you guys think EMET is doing by dialing out? I mean, really... if you don't trust MS, then why even run Windows, which can easily do all manner of evil things on it's own... lol.

 

I just uninstalled EMET 3.0. I saw a dial-out using hotmail via svchost to an IP I definitely did not like.

I really don't know why EMET is doing these dial-outs but when I see connects when I start browsing that signals tracking activity to me.

Will give Exploitshield a whirl this week.

 

Why in the world would EMET have anything to do with tracking activity? The OS itself and IE could easily do that on their own if they wanted to. I won't even get into whether any of this is worth worrying about in the first place....

 

I had no idea DEP was broken in EMET 3.5... geez. I guess it's a good thing I have Hardware DEP now, and turned Always On through my OS... instead of toggling it as such in EMET instead, as from the sounds of it that wouldn't work.

Also had no idea how instrumental you were in helping out with this tools development. You're doing some fine work, and I take back everything (bad) I ever said about you. If you were ever to grind out this project as you say you might, I'd love to try it out.

And thanks for that link. According to that it sounds like a stable version for 3.5 (with the DEP glitch fixed) should be available very soon. So I'm going to just wait until putting it on my new box. And the moment I'm done setting everything up I'm disabling that notifier... that's for sure. And keeping svchost.exe blocked the entire time... no thanks Escalader, I'll just take everyone's word for it ; )

 

I also believe there's a rational explanation. For one thing, most people are oblivious to EMET. The only people that know of, and use it are mainly IT people & geeks like us... the types that would be likely to notice such activity. You're right that MS has much easier means to acquire such info., from the masses too, not just a few geeks, through IE with a loose rule set or whatnot.

I'd guess that it's main purpose is to acquire info. about any exploits/behavior it's shooting down, and/or conflicts with software/processes to help them improve their product.

But still... it's bad business to not TELL people that from the get-go. I would think anyone in here would acknowledge that. Or maybe such info. even was in a EULA and I just didn't read it... dunno. One should always be upfront about these things. If people find out later on, in the manner it happened here, it looks bad. But if they were out in the open with it and explained it in the way I did above, with an option to opt out... then it's a non-issue. But perhaps they felt everyone would opt-out and they wouldn't be able to acquire any useful info? Still, that's not viable reasoning IMO. But could've been their thinking. And it being a Beta, they may feel justified in doing so, to get feedback. Or does it happen on 3.0 too?

 

So do I, so do I... one of the many benefits of still being on XP is that I don't have to allow shady stuff like that to leak out of my box for it to function properly. This is a perfect example of what I speak of when I say XP has a trimmer, tinier attack surface compared to these newer OS's. And an example of the concessions one must make to have the "newest toy". With each and every OS more & more concessions must be made to a users privacy. But then they throw in a few new tools, or mitigation techniques, and then call it "more secure".

I beg to differ... I've remained free of malware & compromise my entire time on XP, and don't have to make these concessions to obtain it. I have 9 services running right now, and 13 processes... and NONE of them require the ability to leak through my FW for everything to function properly. And that makes me feel safer than having a stronger kernel, an integrated mitigation technique or two (that a 3'rd party app can accomplish essentially the same), and a UAC asking me: "are you really, really sure?" every time I try to do something (and people call HIPS "chatty").

I have no reason to downgrade, err... I mean "upgrade" my OS anytime soon thank you... and every time I see crap like this it only reinforces that idea to me.

I can just picture now the concessions one must have to make to get this free Windows "Blue" OS?... probably a ton of these "services" leaking your info. to every corner of the galaxy. That if you disable them nothing on your box will work.

 

Good points, however, I guess I just don't share the concern that some others seem to have over it. If I'm going to run MS software, including the OS, then that means I trust MS, and expect them not to do something devious with evil intent behind my back. I don't mind if they gather some data for their developmental purposes if that's what they're doing. But others may not feel the same. That's just my take on it...

 

Hi L:

Why are you thanking me? I didn't help you I don't think