EMET (Enhanced Mitigation Experience Toolkit)

Discussion in 'other anti-malware software' started by luciddream, Apr 1, 2013.

  1. oliverjia

    oliverjia Registered Member

    Joined:
    Jul 21, 2005
    Posts:
    1,926
    Maybe you are using some other security apps that have competing functions with EMET? Based on my experience you could come across strange problems if you use multiple apps at the same time that have overlapping functions.
    I am using EMET 5 right now on multiple computers and have no problems using EMET on all the apps I throw at it.
     
  2. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    The only other real-time security apps I have on the machine I was testing EMET on are those in my signature: Online Armor, NOD 32, and AppGuard. I don't think those applications should be interfering with EMET's functionality. I played it safe anyways when I was testing EMET, and configured those applications to allow everything from EMET. EMET only worked after I made many changes to its default settings. Adobe Reader, IE, Java, Firefox, and Chrome would not work with the settings EMET gave them by default. Did you not have to make changes to EMET's settings in order for those applications to work? I'm using Windows 7 x64 Ultimate. I read posts from other users that experienced similar issues to the ones I encountered. Novice users definitely will not be able to use EMET if they have to configure it for themselves.

    Edit: 9/7 @ 3:31 There is no overlapping in protection in terms of the mitigation methods EMET uses that I'm aware of.
     
    Last edited: Sep 7, 2014
  3. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Yes, I forgot to export my settings. I'm glad I wrote them down though, because it will make it easy to list them in a post. Maybe my settings will work for other Windows 7 x64 users if they can't get EMET working for themselves.
     
  4. Solarlynx

    Solarlynx Registered Member

    Joined:
    Jun 25, 2011
    Posts:
    2,015
    I have to disable "Deep Hooks" on my 2 PCs with Win-7 64-bit, but the PC with Win-7 32-bit is OK with "Deep Hooks".
     
  5. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590

    That is strange. I have Deep Hooks on, on all my Win 7 x64 machines. I had to make very few concessions to get it all to work.
     
  6. Solarlynx

    Solarlynx Registered Member

    Joined:
    Jun 25, 2011
    Posts:
    2,015
    Thanks for the suggestion. :thumb:

    I've just changed EMET 4.1 for 5.0 on one of my Win-7 x64 machines. There I keep DH on. So far so good. I only had to uncheck 3 mitigations for one app. I think DH is worth it.
     
  7. wolfrun

    wolfrun Registered Member

    Joined:
    Jul 26, 2009
    Posts:
    700
    Location:
    North America
    I decided to try EMET again and installed the 5.0 version. I can verify that the above is true. I have to force Palemoon to start in Sandboxie in order for the EMET dll to load. Using the Start Sandboxie menu with Palemoon as default browser, Palemoon does not load the EMET dll. This is with the Sandboxie paid version.
     
  8. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    982
    Location:
    UK
    Given I have deep hooks enabled on EMET 4.1, does this mean I can expect a trouble-free migration to v5?

    And can I import the v4.1 config to v5 for a quick migration?
     
  9. Paranoya

    Paranoya Registered Member

    Joined:
    Nov 4, 2013
    Posts:
    59
    In case you didn't notice the workaround:
    "C:\Program Files\Sandboxie\Start.exe" explorer.exe "C:\Program Files\Mozilla Firefox\firefox.exe"
     
  10. Paranoya

    Paranoya Registered Member

    Joined:
    Nov 4, 2013
    Posts:
    59
    Maybe, but impossible to know for sure! In my case old mitigations that didn't work in 4.1 worked in 5.0. And other mitigations that worked in 4.1 didn't work in 5.0. Mostly CallerCheck worked again in 5.0 but not StackPivot (for some programs, not all).

    If you import an old config you'll lose the benefits of the new mitigations in 5.0 - EAF+ and ASR. These are predefined for several apps in the import files for Popular and Recommended Software.

    Attack Surface Reduction (ASR) mitigation provides a mechanism to help block specific modules or plug-ins within an application, in certain conditions. For example, customers can now configure EMET to prevent their browser from loading Java plug-ins on external websites, while still continuing to allow Java plug-ins on their internal company websites.

    Export Address Table Filtering Plus (EAF+) mitigation introduces two new methods for helping disrupt advanced attacks. For example, EAF+ adds a new “page guard” protection to help prevent memory read operations, commonly used as information leaks to build exploitations.
     
  11. guest

    guest Guest

    Those two added mitigations are only useful when the user has configured them manually. I personally don't really think ASR is all that useful, while I heard EAF+ does not add much value to EMET.
     
    Last edited by a moderator: Sep 8, 2014
  12. Paranoya

    Paranoya Registered Member

    Joined:
    Nov 4, 2013
    Posts:
    59
    IMO most users won't know how to configure these manually. Other mitigations you can just turn on/off, but for ASR and EAF+ you have to also specify what dll files to block.
     
  13. wolfrun

    wolfrun Registered Member

    Joined:
    Jul 26, 2009
    Posts:
    700
    Location:
    North America
    Not working here. Still have to force Palemoon to start to load EMET dll. Another problem, flash keeps crashing on CBS sports and ESPN sports websites. I have EAF unticked for plugin container as well as Flash player plugin. Should I untick anything else? ASR is unticked for all mitigations by default. I have EMET on a short leash and if it becomes too problematic will just uninstall and be done with it but am hoping to the contrary. :thumb:
     
  14. Paranoya

    Paranoya Registered Member

    Joined:
    Nov 4, 2013
    Posts:
    59
    I had to uncheck StackPivot for both firefox and the FlashPlayerPlugin.
    StackPivot, at least on my system, can cause crashes without EMET informing me about what mitigation was incompatible :(
     
  15. wolfrun

    wolfrun Registered Member

    Joined:
    Jul 26, 2009
    Posts:
    700
    Location:
    North America
    Yep, I did the same here with Pale Moon and the Flash Player plugin and Plugin Container (don't know if I had to untick that one as well, but I did anyway). Flash seems to be working OK now on those previously mentioned websites. Knocking on wood though. :doubt:
    Edit: Still, so far so good. Played a few crossword puzzle games which needed Flash and watched a few videos at ESPN and CBS Sports and so far so good. No crashes. Just to add, I would like to know what else to add to mitigations, for example wininit, winlogon, csrss, lsass, etc. OK to add some of these?
     
    Last edited: Sep 8, 2014
  16. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,868
    Location:
    Outer space
    Adding advanced rules on your own is only for advanced users, but you can add the ones from the Popular Software profile just fine. You can find them here:
    https://www.wilderssecurity.com/thr...xperience-toolkit.344631/page-23#post-2396174
    For EAF+ you don't necessarily need to add advanced rules, half of it works without it:
     
  17. wolfrun

    wolfrun Registered Member

    Joined:
    Jul 26, 2009
    Posts:
    700
    Location:
    North America
    Uninstalled 5.0 because I was having problems with Flash and Palemoon. The notifier wasn't working. Installed 4.1 and it was working yesterday, with a notifier alert about a heap spray problem for plugin container. Corrected that and all was well until today, when I updated Flash. Now for some reason Palemoon loses connection on the ESPN and CBS Sports websites when trying to view videos there. Bottom line, I uninstalled EMET altogether because for me it's just too much of a hassle. Sticking with what I have in my signature and moving on.
     
  18. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,144
    Location:
    Nicaragua
    Wolfrun, I don't use EMET or anything like that, but I can tell you, to watch videos at cbssports.com, I have to do it in a Firefox sandbox where I don't tick Drop Rights in Sandboxie. If Drop Rights is enabled, I can't watch videos there. This is a rare situation, but CBS Sports is not the only site that I use on a regular basis where I found I have to untick Drop Rights in order to watch videos. I haven't watched videos on ESPN for a while, I'll check the site later.

    Later my friend

    Bo
     
  19. wolfrun

    wolfrun Registered Member

    Joined:
    Jul 26, 2009
    Posts:
    700
    Location:
    North America
    Bo, I have no trouble watching videos on ESPN or CBS or anywhere else for that matter with Palemoon in Sandboxie, even with Drop My Rights enabled. I just had a problem when I had EMET installed. Now that I have EMET uninstalled and am back to just Palemoon and Sandboxie, I have no problems watching said videos. Later bro. (go Vikes) :thumb:
     
  20. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,144
    Location:
    Nicaragua
    Since this is not about EMET, I'll send you a video link from CBS via PM for you to test. :)

    Bo
     
  21. Solarlynx

    Solarlynx Registered Member

    Joined:
    Jun 25, 2011
    Posts:
    2,015
    I returned to unchecked DH. I prefer to keep more mitigations on, as DH requires removing 2-4 mitigations for some routine apps.
     
    Last edited: Sep 10, 2014
  22. emmjay

    emmjay Registered Member

    Joined:
    Jan 26, 2010
    Posts:
    1,541
    Location:
    Triassic
    Of late, Firefox crashes under EMET for me. I get the popup from EMET indicating that a DEP mitigation has caused it. I have sent the requested dumps. However, like other posters here, I have to force FF under SBIE for it to not crash.
     
  23. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Try disabling the mitigations SEHOP and EAF (keep EAF+ intact though) for firefox.exe as well and see if that helps.
     
  24. Firebytes

    Firebytes Registered Member

    Joined:
    May 29, 2007
    Posts:
    917
    I saw that uninstalling EMET may not revert system wide changes made when it was installed. If a person should choose to uninstall it, how do you assure that all system and program settings are back like they were before its installation?
     
  25. Paranoya

    Paranoya Registered Member

    Joined:
    Nov 4, 2013
    Posts:
    59
    Set system settings to Recommended, or set the 3 system wide settings to Application Opt-In before uninstalling EMET.
     
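    The question above is how to confirm that the system-wide settings are really back to what they were before EMET. The following PowerShell script is an added example for this thread, not part of any post and not an EMET tool; it reads the three system-wide states EMET manages (DEP from the boot configuration, SEHOP and ASLR from their standard registry values) so you can snapshot them before installing EMET and compare after uninstalling. The key names and value meanings are the standard Windows ones; the suggested snapshot file name and the function name are my own choices.

```powershell
# Added example (not from the thread): report the three system-wide mitigation
# settings EMET changes, so a before/after comparison shows whether an uninstall
# left anything behind. Run from an elevated PowerShell prompt (bcdedit needs it).
function Get-SystemMitigationState {
    # DEP is stored in the boot configuration; bcdedit prints a line like "nx  OptIn"
    # (possible values: OptIn, OptOut, AlwaysOn, AlwaysOff).
    $nxMatch = bcdedit /enum '{current}' | Select-String -Pattern '^\s*nx\s+(\S+)'
    $dep = if ($nxMatch) { $nxMatch.Matches[0].Groups[1].Value } else { 'not reported (run elevated?)' }

    # SEHOP: DisableExceptionChainValidation, 0 = SEHOP on for every process, 1 = off.
    $kernelKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel'
    $sehop = (Get-ItemProperty -Path $kernelKey -ErrorAction SilentlyContinue).DisableExceptionChainValidation

    # ASLR: MoveImages, 0 = off, 0xFFFFFFFF (shown as -1) = always on; value absent = OS default.
    $mmKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
    $aslr = (Get-ItemProperty -Path $mmKey -ErrorAction SilentlyContinue).MoveImages

    [PSCustomObject]@{
        DEP   = $dep
        SEHOP = if ($null -eq $sehop) { 'value absent (OS default)' } else { $sehop }
        ASLR  = if ($null -eq $aslr)  { 'value absent (OS default)' } else { $aslr }
    }
}

# Usage (file name is my own choice): snapshot before installing EMET ...
#   Get-SystemMitigationState | Export-Clixml before-emet.xml
# ... then after uninstalling, list any property that still differs:
#   Compare-Object (Import-Clixml before-emet.xml) (Get-SystemMitigationState) -Property DEP,SEHOP,ASLR
Get-SystemMitigationState
```

    An empty result from Compare-Object means all three values match the pre-install snapshot. If you have no snapshot, the values to expect are whatever a stock install of your Windows version uses, which is why taking the snapshot first is the reliable way to answer the question.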