EMET (Enhanced Mitigation Experience Toolkit)

Discussion in 'other anti-malware software' started by luciddream, Apr 1, 2013.

  1. m00nbl00d
    m00nbl00d Registered Member

    I believe there's a GUI bug. But, not sure if it's simply by design and if also that's how previous versions worked. If one disables all mitigations for some process, it will still show that process as being "emeted".

    Does anyone know if it should show it as having no protection? o_O
  2. DR_LaRRY_PEpPeR
    DR_LaRRY_PEpPeR Registered Member

    I'm sure that's how it is in previous versions also... And also not a GUI bug, as the GUI merely reports that it finds the EMET_PID_nnn Event (object) for that process, since the EMET DLL is creating it, even if no mitigations are enabled. :) You can see the EMET_Settings env var for the process (Process Explorer, etc.) and verify that everything is disabled... Also, even if you have DEP/all unchecked, EMET will still notify about DEP violations (assuming Windows enables DEP without EMET), so there's that.


    And lucid, new2security, and others against .NET FW: Remember, all things are still "go" after the release of EMET 4 for me to create a new alternative, native EMET interface and notifier. I had been waiting for version 4 at least to make sure there were no "game changer" updates to how the system works. :) I only wondered about a different way of signaling the notifier, but resolved that detail right away -- without [being able to implement] the notifier, I probably wouldn't do it, since that's part of the package to me (even if some don't care and may choose not to use it :)).

    The part(s) that I surely can't implement from EMET 4 is the "SSL Certificate Pinning" (seems limited anyway...), and the "EMET reporting to MS 'feature'" (not on XP), but I'm sure the latter isn't a loss. ;) Both of those are implemented in the Agent (notifier).

    I have other things to do first, so it'll be at least several weeks before I could start anything, and I've never made a GUI program before, so that'll be slow-going (gotta get a skeleton)... The actual EMET implementation should be easier -- don't know if anyone would want a command line EMET_Conf first ever before a GUI...?

    And that's while I really should be building a hope-to-be-major Website from scratch that's already been delayed too long. :isay: :oops: o_O
  3. new2security
    new2security Registered Member

    If a fully functional EMET 4 without .NET fw is developed and released it'd be great. Btw the EMET 3 notifier sucks because it doesn't even do what it's supposed to do. Recently I've had Chrome crashing on me three times and there wasn't a single peep from EMET. It silently reported to Event Logs that it had detected a DEP and mitigated it.
  4. 0strodamus
    0strodamus Registered Member

    I disabled the notifier and created a scheduled task to alert me to the eventlog entries that EMET creates when it blocks something. Doing this also alleviated my concerns over all the network outbound attempts that the notifier was attempting to make. Now if I could find a way to disable svchost from doing that, I would be as happy on 7 as I was on XP. ;)
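    One way to build the event-log based alert described in this post, as an added example that is not the poster's own script: it pulls recent EMET entries from the Application log, summarises them by event ID and raises a pop-up. It assumes EMET writes to the Application log under the provider name `EMET`; the hourly `schtasks` command in the comment is the assumed way to run it without the notifier.

```powershell
# Added example (not from the thread). Assumed: EMET logs to the Application
# log with ProviderName 'EMET'. Run it from a scheduled task, e.g.:
#   schtasks /Create /SC HOURLY /TN "EMET alert" /TR "powershell -File C:\Scripts\EmetAlert.ps1"
function Get-EmetEvents {
    param(
        [int]$Hours = 24,
        [string]$ProviderName = 'EMET'   # assumed provider name
    )
    $filter = @{
        LogName      = 'Application'
        ProviderName = $ProviderName
        StartTime    = (Get-Date).AddHours(-$Hours)
    }
    # Get-WinEvent raises an error when nothing matches; treat that as "no events".
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Id      = $e.Id
            Level   = $e.LevelDisplayName
            # The first line of the message carries the mitigation summary
            Summary = ($e.Message -split "`r?`n")[0]
        }
    }
}

function Send-EmetAlert {
    param([int]$Hours = 24)
    $hits = @(Get-EmetEvents -Hours $Hours)
    if ($hits.Count -eq 0) { return $false }

    # Per-ID counts go to the console (visible in the task history / transcript)
    $hits | Group-Object Id | ForEach-Object {
        Write-Host ("EMET event ID {0}: {1} occurrence(s)" -f $_.Name, $_.Count)
    }

    # Local pop-up for the logged-on user; no network traffic involved.
    # Popup(text, secondsToWait, title, buttons+icon); 48 = exclamation icon
    $text = "EMET logged $($hits.Count) event(s) in the last $Hours hour(s).`n" +
            "Latest: $($hits[0].Summary)"
    (New-Object -ComObject WScript.Shell).Popup($text, 0, 'EMET alert', 48) | Out-Null
    return $true
}

Send-EmetAlert -Hours 24
```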
  5. Mman79
    Mman79 Registered Member

    Heh, EMET was constantly telling me Chrome was having DEP exploits, would shut down Chrome...and never once did :D I don't use it anymore after all that because it showed itself to be a piece of crap that didn't do its job. Maybe v4 will be better and some time I'll care to try it out again. Props to Hungryman though for his XML, otherwise it would have been a PITA to set it all up manually.
  6. Sampei Nihira
    Sampei Nihira Registered Member

  7. new2security
    new2security Registered Member

    Wonder what triggers the DEP mitigation though. When I used an AMD graphic card, there were no crashes. Since Nvidia, I've had three crashes. Must be it. I've disabled GPU rendering and crossed my fingers.
  8. itman
    itman Registered Member

    Might be related to nvSCPAPI.dll? I have seen that sucker dynamically load itself into IE9. I am running EMET 3.0 and it doesn't seem to care about it in IE9. I have DEP set to opt-out.
  9. new2security
    new2security Registered Member

    I don't have that file. But I'm glad Chrome only crashes because on another system, Chrome repeatedly froze the whole system.
    Opting out EMET didn't help either.
  10. Disney
    Disney Registered Member

    Hey. It is Microsoft ! Enough said . Lol
  11. Sampei Nihira
    Sampei Nihira Registered Member

    Immagine1.JPG

    SBIE ver 4 [07] beta
    EMET 4 default compatibility (OK). :D :thumb:
  12. ronjor
    ronjor Global Moderator

    http://blogs.technet.com/b/srd/archive/2013/05/08/emet-4-0-s-certificate-trust-feature.aspx
  13. GrafZeppelin
    GrafZeppelin Registered Member

    Currently running version 3.0, having only changed the profile to "maximum security" and imported all.XML. Will wait until version 4 Final is released. :cool:
  14. Syobon
    Syobon Registered Member

    Wow, this is one of the best product feedbacks I have seen since privatefirewall; they addressed my bug reports and those of hundreds of other people. Good work, Microsoft.
  15. Solarlynx
    Solarlynx Registered Member

    Could someone clarify one issue? I have EMET 3.5 only for the system with maximum protection, and haven't configured any apps. It doesn't allow Advanced Uninstaller to run. How can I make it run without disabling protection? I know Adv.Un. cannot run with DEP on.
  16. DR_LaRRY_PEpPeR
    DR_LaRRY_PEpPeR Registered Member

    You can't with AlwaysOn DEP... (Although my Permanent DEP DLL, coming later today I hope, would allow you to have basically all the same benefits of AlwaysOn DEP, with none of the occasional problems like you have, while using OptOut on any Windows version. :))

    It actually may be able to run with DEP. Assuming you've gotten Advanced Uninstaller to run by temporarily backing off AlwaysOn DEP, did you check Process Explorer? (v15.13 and later are broken for DEP status, so you have to use 15.12!)

    If it (a working Process Explorer) shows that DEP is on, then it's the "ATL thunk emulation" part of DEP that it needs to work -- which is never used with AlwaysOn DEP. Not that that really helps you at all, but that's what you get with AlwaysOn, and seems as likely to be the issue as DEP itself!
  17. Solarlynx
    Solarlynx Registered Member

    How to make it back off?

    Thank you.
  18. DR_LaRRY_PEpPeR
    DR_LaRRY_PEpPeR Registered Member

    Change DEP back to Application Opt Out, etc. (e.g. not Maximum). If it works then, DEP is not the problem, but that means it does need that "ATL thunk emulation" thing.

    If that doesn't work, either create a DEP exception for Advanced Uninstaller in Windows Control Panel (System > Advanced System Settings > Advanced tab > Settings > Data Execution Prevention... or something like that :)), or change DEP setting to Application Opt In -- not recommended if you can just add an exception, which may not even be needed if it just works with OptOut!
  19. Solarlynx
    Solarlynx Registered Member

    It requires a reboot. Sometimes I cannot do that for a long time due to computing.

    When I installed EMET this option got shaded. So I cannot change it.

    Anyway, isn't there any trick to disable and then enable EMET without rebooting?
  20. DR_LaRRY_PEpPeR
    DR_LaRRY_PEpPeR Registered Member

    You can't! :) And you'll have to reboot to change it, that's just how it is. :p You'd get the option to add exceptions again (not grayed out) once you go back to Application Opt Out and restart.

    EMET is not doing anything to DEP, other than changing your system settings -- like what can be done from the Control Panel (for OptIn/OptOut only) or by using the command "bcdedit /set nx" (or boot.ini edit on XP).

    I never want to reboot either, hehe, so if you want "maximum" DEP while using OptOut (and be able to add exceptions, if needed), you could try using my add-on, process-initialization DLL that I'll make a thread about soon. Using that you should have no issues and it's totally transparent. :cool:
  21. Solarlynx
    Solarlynx Registered Member

    I didn't know that EMET is not doing anything to DEP, other than changing system settings - like what can be done from the Control Panel. That matters.
    Thank you.
  22. GrafZeppelin
    GrafZeppelin Registered Member

    Could someone please clarify this? Do we really need to configure the apps? I'm assuming that system configuration is intended for the general system, while apps configuration is more about stability. Hence, you can tick/untick certain options there.

    Say, if I didn't add chrome.exe into apps configuration, is Chrome protected? o_O
  23. DR_LaRRY_PEpPeR
    DR_LaRRY_PEpPeR Registered Member

    YES you have to configure apps, otherwise NO they will not have any of EMET's [additional] protections!

    Are people really using it to only configure the system stuff? That can all be done without EMET -- DEP is easy, the ASLR and SEHOP stuff I guess is in the registry (I'd have to look it up since I'm only using EMET on XP). But EMET is totally unnecessary for that -- you can do that with EMET 2!

    I'd say you have to configure programs in order to get: RoP mitigations (probably the main ones since EMET 3.5?), as well as EAF and HeapSpray, and BottomUpASLR (?).

    On XP, you'd also need to add programs to get SEHOP.

    On Vista+, depending how you configure System settings, you would, I guess, get the same MandatoryASLR (actually, system forced is better I believe, but if you can't use that...) and SEHOP as if you configured programs with those mitigations. But of course if you aren't forcing those on everything with System settings, then you'd need to specifically enable them on a per-program basis. :)

    Same goes for forced DEP on all Windows versions -- EMET will make it permanently enabled if the program doesn't opt in (although most important ones should on Vista and later especially).


    P.S. You can't "lessen" the System protections on a per-program basis. e.g. unchecking DEP/MandatoryASLR/SEHOP doesn't disable anything IF the system is already applying it.
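    The two posts above say EMET's "System" page only writes the same DEP/ASLR/SEHOP settings that `bcdedit /set nx` or the Control Panel would. As an added example (not the poster's code), this PowerShell reads those settings back so you can verify them on a machine with or without EMET. The DEP codes come from WMI's `Win32_OperatingSystem.DataExecutionPrevention_SupportPolicy`; reading `MoveImages` = 0xFFFFFFFF as "AlwaysOn" ASLR is an assumption about how EMET sets it.

```powershell
# Added example (not from the thread): report the system-wide DEP, SEHOP and
# mandatory-ASLR state. Registry locations are the standard Windows ones; the
# MoveImages = 0xFFFFFFFF -> "AlwaysOn" mapping is assumed from EMET's behaviour.
function Get-SystemMitigationState {
    # DEP policy as set by bcdedit /set nx (or boot.ini on XP):
    # 0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn, 3 = OptOut
    $depCodes = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
    $os  = Get-WmiObject -Class Win32_OperatingSystem
    $dep = $depCodes[[int]$os.DataExecutionPrevention_SupportPolicy]
    if (-not $dep) { $dep = "Unknown ($($os.DataExecutionPrevention_SupportPolicy))" }

    $kernelKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel'
    $memKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'

    # SEHOP: DisableExceptionChainValidation 0 = enabled, 1 = disabled.
    # Absent value = OS default (off on client SKUs, on for Server 2008+).
    $sehopVal = (Get-ItemProperty -Path $kernelKey -ErrorAction SilentlyContinue).DisableExceptionChainValidation
    if ($null -eq $sehopVal)  { $sehop = 'OS default' }
    elseif ($sehopVal -eq 0)  { $sehop = 'Enabled' }
    else                      { $sehop = 'Disabled' }

    # Mandatory ASLR: MoveImages 0 = never relocate, 1 = opt-in only (default),
    # 0xFFFFFFFF = relocate every image. A REG_DWORD of 0xFFFFFFFF reads back as -1.
    $aslrVal = (Get-ItemProperty -Path $memKey -ErrorAction SilentlyContinue).MoveImages
    if ($null -eq $aslrVal)   { $aslr = 'OS default (OptIn)' }
    elseif ($aslrVal -eq 0)   { $aslr = 'AlwaysOff' }
    elseif ($aslrVal -eq 1)   { $aslr = 'OptIn' }
    elseif ($aslrVal -eq -1)  { $aslr = 'AlwaysOn (assumed EMET "Always On")' }
    else                      { $aslr = "Unknown ($aslrVal)" }

    [pscustomobject]@{ DEP = $dep; SEHOP = $sehop; MandatoryASLR = $aslr }
}

Get-SystemMitigationState | Format-List
```

    Note that, as the post says, these are system-wide values only; whether a given process additionally gets EMET's per-application mitigations (ROP, EAF, HeapSpray) is not visible here and still has to be checked per process.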
  24. funkydude
    funkydude Registered Member

    v4 was supposed to officially release today, any word? The blog doesn't mention anything. :(
  25. safeguy
    safeguy Registered Member