EMET (Enhanced Mitigation Experience Toolkit)

Discussion in 'other anti-malware software' started by luciddream, Apr 1, 2013.

  1. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,343
    Location:
    Italy
    EMET does not block "escape sandbox" JAVA exploits.
    It blocks "memory corruption" exploitation techniques.

    MBAE blocks "escape sandbox" JAVA exploits.
    I also think HPA3 does.
     
    Last edited: Aug 3, 2014
  2. Paranoya

    Paranoya Registered Member

    Joined:
    Nov 4, 2013
    Posts:
    59
    Same here. When EAF isn't compatible you'll see an EMET message about it and you can uncheck it. The next step was more difficult: programs crash without any information from EMET. Only sometimes was there a common thing in the event log: Faulting module: KERNELBASE.dll.
    So I tested all mitigations one by one, and after a few hours and hundreds of app crashes later I found a surprising pattern: StackPivot.

    The strange thing is that StackPivot works on many exe's, but for Office 2013 programs for example I had to uncheck it on only some of them. For iexplore I could start it without crashing but when going to a few web sites it always crashed when StackPivot was enabled.

    I used the recommended setup (not keeping the old setup) and had DeepHooks unchecked. After solving all crashes, mostly EAF and/or StackPivot, I enabled DeepHooks and re-tested all programs. No problem!
    Win7 SP1 32-bit

    Also Firefox is no longer under EMET when launched with Sandboxie. Haven't solved that yet.
     
  3. Syobon

    Syobon Registered Member

    Joined:
    Dec 27, 2009
    Posts:
    469
    Stick with Sandboxie 3.76; EMET loads fine under FF here. Newer Sandboxie has problems with EMET.
     
  4. focus

    focus Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    503
    Location:
    USA
    I'm using Sandboxie 4.12 with both EMET 4.1 and 5 and having no problems with Win 7 or Win 8. Different experiences for different configurations, I guess.
     
  5. Syobon

    Syobon Registered Member

    Joined:
    Dec 27, 2009
    Posts:
    469
    Are you sure? Try using Process Hacker to view whether emet.dll is being injected correctly into the software.
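    Posts 2 and 5 above describe two manual checks: looking in the Application event log for the faulting module behind a silent crash, and confirming with Process Hacker that EMET's DLL is actually injected into a sandboxed process. The PowerShell script below, added here and not taken from the thread or from Microsoft, automates both checks; the EMET*.dll module-name pattern, the default process names and the event ID 1000 property layout are assumptions.

```powershell
# Added example, not from the thread. Assumptions: EMET 4.x/5.x injects a DLL whose
# name matches EMET*.dll (EMET.dll / EMET64.dll), and crashes are logged by the
# "Application Error" provider as event ID 1000 in the Application log.
# Run from an elevated PowerShell so module lists of other users' processes are readable.
param(
    [string[]]$ProcessNames = @('firefox', 'iexplore', 'chrome', 'winword'),  # assumed defaults
    [int]$Hours = 24
)

# 1) Is the EMET DLL injected? (what "Running EMET" in the GUI is supposed to mean)
foreach ($name in $ProcessNames) {
    $procs = Get-Process -Name $name -ErrorAction SilentlyContinue
    if (-not $procs) { Write-Output "$name : not running"; continue }
    foreach ($p in $procs) {
        try {
            $emet = @($p.Modules | Where-Object { $_.ModuleName -like 'EMET*.dll' })
        } catch {
            # 32/64-bit mismatch or missing privilege: module list not readable
            Write-Output ("{0} (PID {1}) : module list not readable ({2})" -f $name, $p.Id, $_.Exception.Message)
            continue
        }
        $state = if ($emet.Count -gt 0) { 'EMET injected (' + ($emet.ModuleName -join ',') + ')' } else { 'NOT protected' }
        Write-Output ("{0} (PID {1}) : {2}" -f $name, $p.Id, $state)
    }
}

# 2) Recent application crashes with faulting application and faulting module, so the
#    KERNELBASE.dll pattern from post 2 can be spotted before toggling mitigations one by one.
$since  = (Get-Date).AddHours(-$Hours)
$filter = @{ LogName = 'Application'; ProviderName = 'Application Error'; Id = 1000; StartTime = $since }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Event 1000 properties (Vista and later): [0] faulting application, [3] faulting module
        [pscustomobject]@{
            Time   = $_.TimeCreated
            App    = $_.Properties[0].Value
            Module = $_.Properties[3].Value
        }
    } |
    Sort-Object Time -Descending |
    Format-Table -AutoSize
```

    A process listed as "NOT protected" while it shows as "Running EMET" in the GUI is exactly the Sandboxie case discussed in this thread; a crash whose faulting module is KERNELBASE.dll with no EMET notification is the silent-crash case from post 2.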
     
  6. FleischmannTV

    FleischmannTV Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,094
    Location:
    Germany
    I've never had a problem with EMET injecting into sandboxed processes, though I was using the licensed version of Sandboxie with forced programs. You don't use the free version by any chance?
     
  7. Paranoya

    Paranoya Registered Member

    Joined:
    Nov 4, 2013
    Posts:
    59
    I solved it without changing Sandboxie version :) Since StackPivot for some unknown and strange reason isn't compatible anymore for some programs with EMET 5.0 on my PC, I tried to uncheck it for Firefox even though it DOES work checked for Firefox. Result: now Firefox shows up again as "Running EMET" also when launched with Sandboxie!

    So why is suddenly StackPivot a problem with 5.0 when it worked with 4.1.1? I haven't read anywhere that StackPivot has been modified in 5.0. If anyone has a clue, please share.
     
  8. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,625
    Location:
    USA
    I had to disable SEHOP on Firefox and Skype to get them to work without crashing on launch. This was after adding the "popular software" list.
     
  9. Solarlynx

    Solarlynx Registered Member

    Joined:
    Jun 25, 2011
    Posts:
    2,015
    Good finding! The mitigation I have unchecked most often for silent crashes is StackPivot as well.
     
  10. Solarlynx

    Solarlynx Registered Member

    Joined:
    Jun 25, 2011
    Posts:
    2,015
    I had to keep DeepHooks unchecked. The same crashes of most apps.
    Win7 x64
     
  11. new2security

    new2security Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    517

    Same here. Before EMET 5.0, it used to be EAF crashing an app or two but now Stackpivot acts 10 x worse. I have it disabled for many programs, such as Google Chrome.
     
  12. Paranoya

    Paranoya Registered Member

    Joined:
    Nov 4, 2013
    Posts:
    59
    Well, it seems StackPivot was indeed modified in 5.0. I compared the User Guide from 4.1.1 and 5.0 - changes in 5.0 in bold:

    Stack pivot: This mitigation is used to detect if the stack has been pivoted. This mitigation also validates the stack register present in the context structure of certain APIs. It is compatible with most programs. This mitigation is available for 32 and 64 bit processes.

    So I guess what we're facing here is a validation problem with these "certain APIs" in 5.0.
    BTW, I found a general troubleshooting guide:
    http://blogs.technet.com/b/kfalde/a...ing-an-emet-mitigation-application-crash.aspx
     
  13. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,625
    Location:
    USA
    I don't run Chrome, but so far the only 2 programs I have had to disable it from are Windows Media Player and Skype. You'd think they would make it work with their own software.
     
  14. It started as a free extra mitigation which was install and forget. They somehow had not expected that they started a cat and mouse game with the (white hat) hackers. So they started extra patches, not general purpose protections which were structural enhancements (like mandatory ASLR), but trying to make it more difficult for exploit writers. The current complexity sort of defeats its initial benefits.

    Why did they add an ASR rule on Flash? Flash is embedded in ActiveX in Office apps. I understood that Flash embedded in Word documents was the occasion/trigger for this mitigation. They could also have added a free group policy setting for home users which prevented ActiveX from starting within documents, same with Visual Basic macros and plug-ins. The internal Office mechanisms throw a pop-up with an explanation, so it would not have complicated the EMET user interface at all. It is also possible to set internet zones for Windows Media Player and Outlook, so why not increase the settings of the medium-high internet zone for WMP/Outlook, to deal with plug-ins/pdf/flash/etc.? Why not use what is there already? Why turn a straight and easy to use add-on into an application which needs micromanagement? That won't be accepted by a broader audience.

    I have raised the security levels of my Office apps (with trust center/internet zone settings). I don't use IE but use another browser (so you won't be affected by your hardened internet zone rules).

    Now a user of set and forget MBAE-free.
     
  15. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    @ Windows_Security

    I agree with you, EMET is not for me, it´s getting too complex, I prefer tools like MBAE and HMPA. ;)
     
  16. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    Seems pretty simple to me, and I have 0 issues with it. Have StackPivot, EAF, EAF+ etc enabled on everything.

    I only have specific exceptions that aren't new to EMET 5 e.g. Caller off for Chrome and SimExecFlow off for DNSCrypt.

    Sounds like the issues you are experiencing are system specific.
     
  17. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    @ elapsed, I just don´t like the GUI and all the options. :)
     
  18. 59er

    59er Registered Member

    Joined:
    Mar 28, 2014
    Posts:
    46
    Location:
    Oregon
    Installed 5.0 on a Dell Dimension 8300, 1 GB Ram, Windows XP SP3, with Avast free (with moderate hardened mode) and Online Armor firewall (HIPS disabled). Using recommended settings right now. Added Firefox, Opera, Chrome, VLC Player, SMPlayer, Sumatra, and Libreoffice. I had to disable EAF for Chrome to get it to open. All apps opened very slow the first time after install, all normal now.

    I did learn something about a new install of .NET Framework 4 and Windows XP. Re-booting immediately after installing .NET 4 and EMET resulted in a very slow boot, hanging at the wallpaper, no task bar visible, for about 90 secs. Tried 3 more times with the same result. I immediately blamed EMET. First excluded in both Avast and Online Armor....no change. Uninstalled EMET...no change. Ok, might be .NET 4. Did a quick Google search and found there was a slow boot problem on new installs for Windows XP only. There are all sorts of fixes, including this: http://rejzor.wordpress.com/slow-windows-xp-startup-fix/ .
    The one I used was patience, found here: http://social.msdn.microsoft.com/Fo...n-boot-time-network-creation?forum=netfxsetup , Scroll down to January 31, 2011.
    The recommendation said once you finish the install it is not really finished, or more specific, the 'NGEN' process. Basically, it says leave it alone for a few hours and the boot speed will be back to normal. I waited an hour and all was fine after that. Reinstalled EMET and so far happy.
    Cheers!
     
    Last edited: Aug 8, 2014
  20. test

    test Registered Member

    Joined:
    Feb 15, 2010
    Posts:
    499
    Location:
    italy
    I think that the only feasible way is to revert system-wide protections to the recommended security settings before uninstalling the tool...
     
  21. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,868
    Location:
    Outer space
    EMET 5 is working great here, including the new mitigations.
    The only exception I had to make was disabling SimExecFlow for VLC and MPC-HC.
     
  22. Okay, for Office users there is a trick to harden Office apps (when you don't need macros = Visual Basic for Applications support):
    1. Remove VB/macro support
    2. Go to trust center and raise security levels
    3. Use another browser than IE and raise the security levels of plug-ins, active, java, etc. for the internet zone. The IE zone is used in WMP and Outlook also. When you use IE, these hardened settings reduce the functionality of rich content. That is why you need to use another browser.
    4. Harden the setup of Office apps in EMET
    a) Word, PowerPoint, Excel, Outlook, etc.: add flash*.ocx; jscript*.dll; vbscript.dll; to both EAF+ and ASR (well, you don't need ocx Flash when using Chrome or Chromium)
    b) For WMP make an exclusion for the trusted zone
    5. Chrome's PPAPI sandbox of built-in Flash and stripped built-in PDF will make your setup less vulnerable. Because you don't use Adobe's IE Flash and Adobe PDF, they reduce potential market share, hence the attractiveness for exploit-kit builders to attack that application (e.g. Foxit or Sumatra).
     
    Last edited by a moderator: Aug 10, 2014
  23. new2security

    new2security Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    517

    Thanks for the link. Recently I noticed with Chrome that unchecking "stack pivot" isn't sufficient. It still sometimes crashes. I've unchecked "caller" and so far no problems.

    @ I agree with Windows Security's post that EMET is becoming more and more complicated to set up and make work.
     
  24. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    Like I stated earlier "Caller" is the only thing I've ever needed unchecked/disabled for Chrome and that goes back beyond EMET 5.
     
  25. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Caller is the most important mitigation of EMET. Disabling it severely lowers protection against exploits.
     