EMET (Enhanced Mitigation Experience Toolkit)

@fearlessscientist. That would make since. I'm Not using the built-in Administrator account, I'm using the unevaluated administrator user account with UAC in default state. You would think it'll be reversed where.. when using the built-in Administrator account with UAC in default state wouldn't be likely to cause the EMET UI alerts. I think the relating code in EMET is incorrectly reversed.

 

I noticed that Microsoft's ruleset in EMET v4.1 doesn't cover the java.exe, javaw.exe, and javaws.exe that are in my system folder (in my case syswow64). I manually added them.

---

I also noticed that Microsoft has a new v4.1 download digitally signed Nov. 25, 2013, but it's the same v4.1.5064.16886 when installed. I'm not sure why Microsoft did this.

 

Hi MrBrian.

Here are the original package MD5 hashes...

e350385cf8113be4a1d5abefc2b0f04c EMET_Agent.exe
fdef7dc7b75c57ba5a60904835703c9a EMET_GUI.exe
655e17161216f678598ad4314e3519d1 EMET64.dll
0184fb8638aa66f66541171a28c96b13 EMET.dll

 

Thanks .

Those hashes are unchanged in the newest download. The new download is smaller than the older v4.1 download.

 

Well, I PM'ed you the rest of the MD5 hashes.

 

Don't the *\java.exe rules already cover them?

 

Not the ones that Microsoft provides.

 

Thanks . All of the md5 hashes in the EMET folder are unchanged from the old v4.1 download to the new v4.1 download. The timestamps changed on most of the files though. Also, the new download is ~900,000 bytes smaller than the old download.

 

Must've been my imported rules after checking the default XML's. EMET mislead me by bolding those entries.

 

Announcing EMET 5.0 Technical Preview

 

Great news.

 

See the new manual for configuration information on ASR and EAF+.
They need to be configured through registry editor as there is no GUI for that. Keep in mind that EAF+ is only configured for Internet Explorer by default.

The information is in chapters 1.2.9 and 1.2.10.

 

Does it install in a separate directory? Did you uninstall the previous version before installing and if so, does that preserve current rules?

 

Export your settings before an 'over the top' install of 5.0 over 4.1

Tried it briefly, errors with IE11 when closing. Back to 4.1, did had not any problems with other tech previews.

 

New attack completely bypasses Microsoft zero-day protection app

http://arstechnica.com/security/201...y-bypasses-microsoft-zero-day-protection-app/


Bypassing EMET 4.1
http://labs.bromium.com/2014/02/24/bypassing-emet-4-1/

 

thanks for the info

 

The bypass was done after making disabling ASLR and also remember that the recent flash exploit did not execute itself if they found EMET running in the system.

 

-http://www.youtube.com/watch?feature=player_embedded&v=lP9Vtg1FvEQ-

 

Ah didn't notice the export option.

I exported, uninstalled, installed 5.0 and imported my rules. All went well and no app issues so far. No errors with IE11 or Chrome, lucky me.

 

It gives mistake report at installation. During install I have Avast shields disabled and OA HIPS disabled no SRP and AppLocker. What should I do?

 

so do i.

Anyway i don't know if 5.0TP really fixes the problems highlighted in the study of Bromium even if EAF+ seems to go in that direction...

 

5.0 working great so far..

 

I just returned to a previous snapshot by time machine Eaz-Fix. Installed 5.0 on the top of 4.1. Checked the last mitigation for all apps. Disabled Deep Hooks as all extensions of Dragon crashed. After this it's going smooth so far.