EMET (Enhanced Mitigation Experience Toolkit)

Discussion in 'other anti-malware software' started by luciddream, Apr 1, 2013.

  1. Not the most user-friendly process design

    First create a pin rule, see picture

    Then add the website and select the pin rule you just created

    Hope this helps
  2. BTW: I always uninstall .NET after installing EMET. One of the .NET DLLs is not ASLR enabled :thumbd: Also some EMET DLLs are not signed :thumbd: Therefore also disable autostart of the EMET GUI

    Less (attack surface) is more (security) :D
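The two properties the post above complains about, ASLR opt-in and Authenticode signing, can be checked for every DLL in a folder. The script below is an added example, not code from the thread or from EMET; it reads the PE optional header directly (field offsets from the PE/COFF specification) and uses the built-in Get-AuthenticodeSignature cmdlet. The EMET and .NET folder paths at the bottom are assumptions for a default EMET 4.1 and .NET 4 install.

```powershell
# Added example (not from the thread or from EMET): report ASLR opt-in
# (IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE) and Authenticode status per DLL.
function Get-PeMitigations {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)

    $bytes = [System.IO.File]::ReadAllBytes($Path)
    # DOS header: 'MZ' magic, e_lfanew (offset of the PE header) at 0x3C.
    if ($bytes.Length -lt 0x40 -or $bytes[0] -ne 0x4D -or $bytes[1] -ne 0x5A) {
        throw "$Path is not a PE image (no MZ header)"
    }
    $peOffset = [BitConverter]::ToInt32($bytes, 0x3C)
    # 'PE\0\0' signature, little-endian 0x00004550.
    if ([BitConverter]::ToUInt32($bytes, $peOffset) -ne 0x00004550) {
        throw "$Path has no PE signature at e_lfanew"
    }
    # Optional header follows the 4-byte signature and the 20-byte COFF header.
    $opt      = $peOffset + 24
    $magic    = [BitConverter]::ToUInt16($bytes, $opt)        # 0x10B = PE32, 0x20B = PE32+
    $dllChars = [BitConverter]::ToUInt16($bytes, $opt + 70)   # DllCharacteristics, same offset in PE32 and PE32+

    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        File          = Split-Path -Path $Path -Leaf
        PE32Plus      = ($magic -eq 0x20B)
        ASLR          = [bool]($dllChars -band 0x0040)   # DYNAMIC_BASE
        DEP           = [bool]($dllChars -band 0x0100)   # NX_COMPAT
        HighEntropyVA = [bool]($dllChars -band 0x0020)   # 64-bit images, Windows 8+
        SignatureOk   = ($sig.Status -eq 'Valid')        # NotSigned, HashMismatch, ... otherwise
        Signer        = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    }
}

# Assumed install locations; adjust for your machine.
$folders = @(
    'C:\Program Files (x86)\EMET 4.1',
    "$env:windir\Microsoft.NET\Framework\v4.0.30319"
)
$report = foreach ($dir in $folders) {
    Get-ChildItem -Path $dir -Filter *.dll -ErrorAction SilentlyContinue |
        ForEach-Object { Get-PeMitigations -Path $_.FullName }
}
# Show only the findings that matter: no ASLR opt-in, or no valid signature.
$report | Where-Object { -not $_.ASLR -or -not $_.SignatureOk } |
    Format-Table File, PE32Plus, ASLR, DEP, SignatureOk, Signer -AutoSize
```

Run it from any PowerShell prompt; no elevation is needed to read the files. A DLL listed with ASLR false is one the OS may load at a predictable base, which is exactly what EMET's Mandatory ASLR mitigation exists to paper over for the processes it protects.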
     
  3. Minimalist

    Does EMET run OK without .NET installed?

    hqsec
     
  4. Solarlynx

    Thank you. Your manual completely clarifies the process. :thumb:

    BTW when I created pinning for one site I found that all the certs were already preinstalled there. :argh:

    Good thing is that all this manual pinning is exportable.
     
  5. Yes, but you won't get prompts/warnings (so it makes cert pinning useless)
     
  6. harshisthere

    I specifically asked them about EMET 4.0 and Google did not inform Apple about Safari exploits for the Pwn4Fun competition.
     
  7. Baserk

    So when having installed a new version, like the upcoming 5.0, do you uninstall .NET immediately afterwards or do you keep it installed for a period to see if any prompts/warnings might pop up?
     
  8. Always keep it for a few days. After .NET v4 Microsoft issued a lot of security updates for .NET. Since 4.5 it is a little better, so the reason for uninstalling .NET is not urgent anymore. I am not against .NET, but when I only use it for EMET, it did not make sense for a while to add patch after patch. That is why I decided to uninstall it after updating EMET.

    EDIT: have re-installed 4.5.1 to see how often security updates will come through now
     
  9. Solarlynx

    Windows_Security, thank you again!

    Your manual picture is very helpful.

    Actually after a couple of repetitions the process of adding websites to pinning is very simple and goes by memory.

    :thumb: :thumb: :thumb:
     


  10. 1PW

    Re: EMET plus Java 8. *HEADS UP*

    Please note.

    For those who updated to Java 8, you must make manual accommodations in EMET 4.1 and EMET 5.0 TP1 to further enjoy the benefits of EMET's protections.

    You must manually open EMET's Application Configuration and make the appropriate path and mitigation choices for your system(s).

    As I do not have any EMET versions before EMET 4.1, I'm guessing similar changes are needed on earlier versions.

    HTH :)
     
  11. MrBrian

    Re: EMET plus Java 8. *HEADS UP*

    Thanks for the reminder :).

    Note also that some past versions of Java install executable files within the \Windows folder, so Java 8 might also do that.
     
  12. 1PW

    You are always very welcome. :thumb:

    Also, for those of you who may have forgotten, or did not know, Java 8 and any version of Microsoft's XP are not compatible.

    HTH :)
     
  13. guest


    Does it only need 1 cert? I see some of the default rules have many certs associated.
    Do I need to check the option "Publickey match"?
    In the protected websites tab do I need to add the domain and the associated pin rule?
    Is there any way to check that it is working correctly?
    Does it work with any browser?
     
  14. newbino

    Hi, just trialling EMET. I am wondering what sorts of apps should be added to the recommended setup.
    I imagine the usual Internet-facing applications and applications that load data files such as pdf, but I am looking for a confirmation
     
  15. Minimalist

    Yes, I would set EMET for all those apps. When I was using it I protected my browser, email client, rss reader, P2P software, media players, office suite, pdf reader...

    hqsec
     
  16. guest


    I would add only very popular internet-facing apps. Take into account that it will be almost impossible to find malware targeting an app which is not installed on many computers.
     
  17. WildByDesign

    They have created a handy file to get you started by simply importing it.

    Code:
    Import: Popular Software.xml
    Location: C:\Program Files (x86)\EMET 4.1\Deployment\Protection Profiles
    That will get you started with the usual Microsoft Office programs, Mozilla Firefox/Thunderbird, 7-Zip, Adobe programs and so on. Those come with pre-tested settings. Then you can always add whatever else you would like.
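Both manual steps discussed in this thread, importing the Popular Software profile above and registering the new Java 8 executables from the *HEADS UP* post, can be scripted with EMET_Conf.exe, the command-line configuration tool that ships next to the EMET GUI. The script below is an added example, not code from the thread or from Microsoft; it assumes EMET 4.1 in its default x86 folder, an elevated PowerShell session, and a Java 8 runtime installed under C:\Program Files*\Java\.

```powershell
# Added example (not from the thread or from EMET's documentation).
$emetDir    = 'C:\Program Files (x86)\EMET 4.1'
$emetConf   = Join-Path -Path $emetDir -ChildPath 'EMET_Conf.exe'
$profileXml = Join-Path -Path $emetDir -ChildPath 'Deployment\Protection Profiles\Popular Software.xml'

foreach ($f in $emetConf, $profileXml) {
    if (-not (Test-Path -Path $f)) { throw "Not found: $f" }
}

# 1. Export the current application and pinning configuration first, so the
#    import below can be rolled back with:  EMET_Conf --import <backup>
$backup = Join-Path -Path $env:TEMP -ChildPath ('emet-backup-{0:yyyyMMdd-HHmmss}.xml' -f (Get-Date))
& $emetConf --export $backup
if ($LASTEXITCODE -ne 0) { throw "EMET_Conf --export failed with exit code $LASTEXITCODE" }

# 2. Import the pre-tested profile (Office, Firefox/Thunderbird, 7-Zip, Adobe, ...).
& $emetConf --import $profileXml
if ($LASTEXITCODE -ne 0) { throw "EMET_Conf --import failed with exit code $LASTEXITCODE" }

# 3. Java 8: the installer creates java.exe/javaw.exe paths the profile does not
#    list, so register each one explicitly. With no +/- flags after the path,
#    EMET_Conf applies its default mitigation set; individual mitigations are
#    toggled with +Name / -Name flags (the exact names are in EMET_Conf's usage text).
#    The glob below is an assumption about where Java 8 lives.
$javaExes = Get-ChildItem -Path 'C:\Program Files*\Java\jre1.8*\bin\java*.exe' -ErrorAction SilentlyContinue
if (-not $javaExes) { Write-Warning 'No Java 8 runtime found under C:\Program Files*\Java; skipping' }
foreach ($exe in $javaExes) {
    & $emetConf --set $exe.FullName
    if ($LASTEXITCODE -ne 0) { Write-Warning "EMET_Conf --set failed for $($exe.FullName)" }
}

# 4. Verify: the configured-application list should now include the Java entries.
$configured = & $emetConf --list
$configured | Select-String -Pattern 'java' -SimpleMatch
```

The export in step 1 is the same file format the GUI's Export button produces, so the backup can also be loaded back through the GUI if the scripted import turns out to break something.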
     
  18. newbino

    @hqsec @guest
    thanks for your suggestions

    @WildByDesign
    thanks, when I wrote "added to the recommended setup" I meant beyond the suggested profiles
     
  19. ance

    Is it still true for EMET 4 or 5? o_O
     
  20. guest


  21. FleischmannTV

  22. Nebulus

    I find it really funny how people from Chromium decided that if some malware writers can bypass some of the EMET protections that means that EMET is not needed. This is like saying that if there is no such thing as "100% security" then you shouldn't bother with installing a security solution at all.
     
  23. ance

    Well said. :shifty: How about Firefox?
     
  24. drm2000

    I've used EMET for some time on Windows 7/64 and recently upgraded EMET to 4.1. At that time I decided to try out its certificate pinning features for my bank. After creating the rules I wanted to test that it worked ... Not sure how to proceed, I decided to first see if the default yahoo rules were working .... So I went to the yahoo login page (login.yahoo.com) in internet explorer and clicked on the padlock to view the certificates and found only Verisign certificates.

    This surprised me as none of the 7 certificates that are pinned by default for Yahoo when installing EMET are from Verisign. I can login to yahoo without any error notification even though I know the certificates do not match ...

    I have certificate trust pinning enabled. I also have the login.live.com protection "checked" as "active". I've also checked the rule expiration date .. and set it both in the future and the past ... But I never get a certificate error notification when logging into yahoo.

    So it appears to me that certificate pinning is not at all working for me.
     
  25. itman

    The original Yahoo cert. in EMET expired in early April, I believe. If you look in your event logs, find events for EMET. One of those will give you a warning message that the old Yahoo cert. expired.

    You have to pin the VeriSign Certificate Authority where the new certs are stored that Yahoo uses. It is VeriSign Class 3 Public Primary Certificate Authority - G5. The thumbprint begins with 4EB6D578 .......
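The confusion in the two posts above (no warning even though the chain does not match) comes down to what a pin rule checks and what happens when the rule itself has expired. The script below is an added example, not EMET's code: it models the decision EMET's Certificate Trust feature makes for one HTTPS connection, to show why an expired rule looks like "pinning is not working" and what repointing the rule at the VeriSign G5 root changes. It also covers the pin-rule procedure from the first post of this thread. Every chain and thumbprint in it is constructed sample data except the 4EB6D578 prefix quoted above, which it uses to look up the full root thumbprint in the local trusted-root store; the event-log query at the end assumes EMET's events are written to the Application log under source EMET.

```powershell
# Added example (not EMET's code): a model of one pin-rule evaluation.
function Test-PinRule {
    param(
        [Parameter(Mandatory)][string]   $Domain,
        [Parameter(Mandatory)][string[]] $ObservedChain,  # thumbprints, leaf first, root last
        [Parameter(Mandatory)][hashtable]$Rule,           # @{ Domain; RootThumbprints; Expires }
        [datetime]$Now = (Get-Date)
    )
    if ($Domain -ne $Rule.Domain) { return 'NotCovered' }   # no rule for this site: nothing is checked
    if ($Now -gt $Rule.Expires) {
        # The Yahoo case in the thread: an expired rule is not enforced, so the
        # browser gets no prompt; only a warning is logged.
        Write-Warning "Pin rule for $($Rule.Domain) expired on $($Rule.Expires.ToShortDateString()); not enforced"
        return 'RuleExpired'
    }
    $root = $ObservedChain[-1].ToUpperInvariant()
    foreach ($pin in $Rule.RootThumbprints) {
        if ($root -eq $pin.ToUpperInvariant()) { return 'Match' }
    }
    Write-Warning "Chain for $Domain ends in root $root, which is not pinned: possible MITM or CA change"
    return 'Mismatch'
}

# Resolve the full thumbprint of the VeriSign G5 root from the local Root store
# by the prefix quoted in the post, rather than typing it by hand.
$g5 = Get-ChildItem -Path Cert:\LocalMachine\Root |
      Where-Object { $_.Thumbprint -like '4EB6D578*' } | Select-Object -First 1
if (-not $g5) { throw 'VeriSign G5 root not found in the local Root store' }

# Constructed sample chain: fake leaf and intermediate thumbprints under the real G5 root.
$chainSeenInBrowser = @('1111111111111111111111111111111111111111',
                        '2222222222222222222222222222222222222222',
                        $g5.Thumbprint)

# Old default rule: pinned to a root Yahoo no longer chains to, and already expired.
$oldRule = @{ Domain          = 'login.yahoo.com'
              RootThumbprints = @('AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA')
              Expires         = [datetime]'2014-04-01' }
Test-PinRule -Domain 'login.yahoo.com' -ObservedChain $chainSeenInBrowser -Rule $oldRule

# Repaired rule: pinned to the G5 root, with an expiry in the future.
$newRule = @{ Domain          = 'login.yahoo.com'
              RootThumbprints = @($g5.Thumbprint)
              Expires         = (Get-Date).AddYears(1) }
Test-PinRule -Domain 'login.yahoo.com' -ObservedChain $chainSeenInBrowser -Rule $newRule

# The case pinning exists for: same site, but the chain ends in some other trusted root.
$otherRoot = $chainSeenInBrowser[0..1] + 'BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB'
Test-PinRule -Domain 'login.yahoo.com' -ObservedChain $otherRoot -Rule $newRule

# What EMET itself recorded (assumed: Application log, source 'EMET').
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'EMET' } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

The three calls return RuleExpired, Match and Mismatch in that order. Only the last one is a real pinning alert; the first is the silent failure drm2000 ran into, which is why checking the rule's expiry date and the EMET entries in the event log is the first thing to do when a pinned site produces no warning.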
     