EMET (Enhanced Mitigation Experience Toolkit)

Discussion in 'other anti-malware software' started by luciddream, Apr 1, 2013.

  1. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,855
    Location:
    the Netherlands
    In my September 13, 2014, post, I reported on G Data BankGuard false positives and how I wondered if there was any relation with EMET 5.0.
    I've had about twelve G Data BankGuard false positives in the period August 3 till October 12.
    The October 12 BankGuard false positive has been the last.
    A dump file from that October 12 BankGuard detection was analyzed by G Data Labs.
    G Data Labs informed me that the BankGuard false positive issue probably was not related to EMET.
    On October 28, my computer was set up to get a BankGuard dump and additionally also a dump log with the next BankGuard false positives, for further analysis by G Data Labs, but there have been no more BankGuard detections since October 12.
    I guess the G Data program update to 25.0.2.3 fixed the BankGuard false positive issue.
    According to KHL64's post at Rokop Security, that update to G Data version 25.0.2.3 should increase G Data BankGuard stability and should reduce BankGuard false positives.
    I suppose it did the trick. :)
     
  2. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,457
    Location:
    .
    New to EMET 5.1. Had compatibility issues with EMET 2.0, so gave up till now.
    EMET 5.1 showing only one ProcessID Running EMET :(
    Imported Recommended, Popular and Trust. Manually configured ProcessIDs other than Norton, Sandboxie and VoodooShield.
    Read somewhere here about not configuring security apps as they have their own protection.
    EMET works great, but that may be because only one process is Running EMET?
    Comments
     
    Last edited: Nov 28, 2014
  3. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,855
    Location:
    the Netherlands
    Only active processes of those applications to which EMET mitigations are applied show in "Running Processes, Running EMET".
    Try opening a couple of browser tabs and/or some other applications to which EMET mitigations are applied, hit "Refresh" in the EMET GUI, and you'll see that more processes are now checked in the "Running EMET" column.
     
  4. DX2

    DX2 Guest

    Do I need to use Emet in Chrome if Chrome is sandboxed?
     
  5. Solarlynx

    Solarlynx Registered Member

    Joined:
    Jun 25, 2011
    Posts:
    2,015
    IMHO yes, as Chrome is included in the "Recommended" or "Popular" list.
     
  6. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,457
    Location:
    .
    Yes, have tried that...but may have to configure Sandboxie, as it appears EMET is not reporting the FF PID running.
    I've requested help via the Sandboxie Forum. I'd like to EMETize what needs to be EMETized to run sandboxed apps EMETized.
    Since I run sandboxed 99%. If I cannot get Sandboxie to cooperate, then EMET will sit on the bench a lot.
     
  7. Paranoya

    Paranoya Registered Member

    Joined:
    Nov 4, 2013
    Posts:
    59
    Try forcing it to start with Sandboxie. If you use the free version, so you can't force it, then try starting it through another application. Example:

    "C:\Program Files\Sandboxie\Start.exe" explorer.exe "C:\Program Files\Mozilla Firefox\firefox.exe"
     
  8. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,457
    Location:
    .
    I have a SBoxie license. Does it make sense to force EMET into my sandbox? Won't I be restricting EMET protection to the sandbox? Only the browser is in my sandbox. Seems the rest of my system would not be protected by EMET mitigation while loafing in my sandbox with just a few processes. I've run Sandboxie for 7 years and now I'm confused that I never had any protection in the sandbox other than being able to dump a nasty. The nasty can still play around in the sand and do damage. Like a malicious browser extension stealing passwords. http://www.pcworld.com/article/2049...-serious-threat-and-defenses-are-lacking.html
    Comments
     
    Last edited: Nov 28, 2014
  9. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,457
    Location:
    .
  10. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I believe what you need is already there. If you aren't sure, open SBIE. Click on Sandbox, highlight the one you want to check, then select Settings. Then go to Resource Access > File Access > Full Access and see if there are two EMET lines there. If not, try going to Applications > Security/Privacy and scroll down to the EMET line; if there is no - in the box, highlight it and click Add. You may need to close SBIE, and maybe reboot, not sure.

    Pete
     
  11. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,457
    Location:
    .
    Two points. The Official Template looks like this.
    ________________________________________
    [Template_Microsoft_EMET]
    Tmpl.Title=Enhanced Mitigation Experience Toolkit (Microsoft EMET)
    Tmpl.Class=Security
    # old EMET homepage
    # Tmpl.Url=http://www.microsoft.com/downloads/...FamilyID=c6f0a6ee-05ac-4eb6-acd0-362559fd2f04
    Tmpl.Url=http://technet.microsoft.com/en-us/security/jj653751
    Tmpl.Scan=s
    Tmpl.ScanKey=\REGISTRY\MACHINE\SOFTWARE\Microsoft\EMET
    OpenIpcPath=*\BaseNamedObjects*\emet_pid_*
    OpenWinClass=$:EMET_notifier.exe
    # EMET 4
    OpenPipePath=\Device\Mailslot\EMET_Agent_*
    OpenPipePath=\Device\Mailslot\EMET_Recipient_*

    I asked Invincea if I may create a Local Template, as the Official Template seems not to apply to EMET 5.1.
    Besides pointing to EMET 4, the top Url goes to "page not found" and I suspect the FamilyID may not jive with 5.1.
    Have not been able to find the FamilyID for 5.1.
    I would edit the Official Template except SBoxie says not to. At some point the Official Template may be updated and get confused with my edited version. The SBoxie manual suggests creating a Local Template.
    ____________________________________________
    I've been told to Force EMET. I've been told not to Force EMET. I've been told to Force FF. Why, IDK. I've been told to open EMET with Windows Explorer...again, IDK. I even got slammed at Sandboxie for asking questions that have already been answered. I slammed back, so we're even.
    Then, after being told more than once that Sandboxie has a Template, I looked at same.
    My issue is that running processes are not seen by EMET while FF is sandboxed. FF is not seen as a running process.
    To use Peter2150's words: "They need to talk to each other", and I think that ain't happening.
    Security / Privacy [--] EMET
    OpenPipePath=\Device\Mailslot\EMET_Agent_*
    OpenPipePath=\Device\Mailslot\EMET_Recipient_*
     
    Last edited: Nov 30, 2014
  12. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Okay on the template, my bad. I have one machine with EMET still on it. Let me update and test.

    Pete

    PS. I don't and wouldn't force any security software into the sandbox.
     
  13. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Okay. Tested.

    First, update Firefox, Sandboxie and EMET to the latest versions.

    1. Ran FF unsandboxed. EMET 5.1 said it was running, by green check mark.
    2. Ran FF sandboxed. EMET 5.1 said it was running, by green check mark.

    I didn't have to do anything special

    Pete

    And I repeat, I didn't Force Emet.
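    An independent way to check what Pete verified through the EMET GUI's green check mark, added here as an example (this is not code from the thread, from Microsoft or from Invincea): list the browser processes and report whether the EMET shim DLL and the Sandboxie DLL are mapped into each one. It assumes, as the thread does not state, that EMET 5.x injects EMET.dll into 32-bit and EMET64.dll into 64-bit protected processes and that Sandboxie injects SbieDll.dll into every sandboxed process; the process-name list is a placeholder to adjust.

```powershell
# Added example, not code from the forum thread, Microsoft or Sandboxie.
# Reports, per browser process, whether the EMET shim and the Sandboxie DLL
# are loaded, so "is the sandboxed Firefox actually EMET-protected?" can be
# answered from the process itself rather than from the GUI's check mark.
#
# Assumptions (not stated in the thread): EMET 5.x injects EMET.dll into
# 32-bit and EMET64.dll into 64-bit protected processes; Sandboxie injects
# SbieDll.dll into every sandboxed process. Run from an elevated PowerShell
# whose bitness matches the OS, otherwise some module lists are unreadable.

$EmetShims = @('EMET.dll', 'EMET64.dll')
$SbieDll   = 'SbieDll.dll'

function Get-EmetSandboxStatus {
    param(
        # Placeholder list; add whatever EMET is configured to protect.
        [string[]]$ProcessName = @('firefox', 'palemoon', 'chrome', 'iexplore')
    )

    foreach ($proc in Get-Process -Name $ProcessName -ErrorAction SilentlyContinue) {
        $note    = ''
        $modules = @()
        try {
            # .Modules enumerates the DLLs currently mapped into the process.
            $modules = @($proc.Modules | Select-Object -ExpandProperty ModuleName)
        } catch {
            # Typical causes: access denied, or a 32-bit shell reading a 64-bit process.
            $note = $_.Exception.Message
        }

        # -contains is case-insensitive, so EMET.DLL and emet.dll both match.
        $shim = @($EmetShims | Where-Object { $modules -contains $_ }) -join ','
        if (-not $shim) { $shim = '(none)' }

        [pscustomobject]@{
            Name      = $proc.ProcessName
            PID       = $proc.Id
            Sandboxed = [bool]($modules -contains $SbieDll)
            EmetShim  = $shim
            Note      = $note
        }
    }
}

# Usage: start the browser once unsandboxed and once through Sandboxie,
# run this in both states and compare the Sandboxed and EmetShim columns.
Get-EmetSandboxStatus | Format-Table -AutoSize
```

    A row with Sandboxed = True and EmetShim = (none) and an empty Note is the situation wolfrun and badsector describe below (the sandboxed browser running without the shim); a non-empty Note means the shell simply could not read that process and says nothing about EMET.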
     
  14. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,144
    Location:
    Nicaragua
    bjm, I think all Pete did to make Sandboxie work with EMET was add the template from Sandbox Settings > Applications > EMET. If you add the template and you are still having problems, then perhaps you are experiencing a conflict. You are using now Norton, Sandboxie, EMET and VS. To me, that looks like too much security and a conflict can be expected. Get rid of something and try again. Try doing things without EMET or VS to see what happens, and don't use ANY of Norton's addons. :)

    Bo
     
  15. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Bo

    It may not be the "too much" as much as which ones. I am running EIS, Appguard, NVT's ERP, SBIE and HMPA. Some might say too much, but it all works together.

    Oh and yes you are right, that's all I did on the first EMET install.

    Pete
     
  16. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,144
    Location:
    Nicaragua
    That's right, Pete, finding the "which one" might be the key for bjm :cool:.

    Bo
     
  17. DX2

    DX2 Guest

  18. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    You may have added it at some point and not realized it. Probably the first time you installed EMET
     
  19. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,144
    Location:
    Nicaragua
    Then you are better off. Sometimes it's possible that Sandboxie and some software might even work better in your computer without the Software Compatibility settings being enabled. That might happen after a program gets updated and the known compatibility settings become pretty much obsolete. When you upgrade a program and all of a sudden it doesn't work with SBIE, disabling these settings is a good thing to check to see if the problem goes away.

    So, don't think that you have to use them or a program won't work with SBIE. Let me give you an example: I have 7-Zip installed on one of my computers. I never ticked the Software Compatibility settings for it and the program works great. Always has, and I am safer for not allowing those settings to water down Sandboxie's protection a little bit. The fewer of these settings you use, the safer you are (from the SBIE side). So, be happy that you don't have to use them for EMET and Sandboxie to work well together on your PC. :)

    Bo
     
    Last edited: Nov 30, 2014
  20. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,144
    Location:
    Nicaragua
    He might have ticked Software Compatibility during installation. He can check for the settings in File Access > Full Access and see if EMET appears there or not.

    Bo
     
  21. wolfrun

    wolfrun Registered Member

    Joined:
    Jul 26, 2009
    Posts:
    702
    Location:
    North America
    I'll put my two cents into this discussion if I may. I had a problem about half a year ago with EMET 4, Palemoon and Sandboxie, with EMET not loading the DLL shim for Palemoon when started in Sandboxie via the Sandboxie default start. The only way in the end that I could get the EMET DLL shim to load for Palemoon was to force Palemoon to start in Sandboxie and click on the Palemoon desktop icon to start it, not the Sandboxie default start icon. A copy of my post is here in the Sandboxie forum, back in June of 2013: http://forums.sandboxie.com/phpBB3/viewtopic.php?f=11&t=15811&p=91323&hilit=EMET#p91323 (Seemed like it was also a problem with Firefox, according to Guest30.)
    Anyway, just for GP's I went ahead and installed EMET 5.1, also having the latest updates for Palemoon and Sandboxie respectively, and the above problem still persists. Can't blame it on A/Vs or firewalls etc., as I'm currently running without an A/V or any other superfluous junk. :cool:
     
  22. badsector

    badsector Registered Member

    Joined:
    Oct 7, 2014
    Posts:
    51
    That explains why my sandboxed FF isn't on the EMET list when running... :/
    Hope they find a workaround for this, as I am currently using the freeware version of Sandboxie...
     
  23. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,207
    "C:\Program Files\Sandboxie\Start.exe" explorer.exe "C:\Program Files (x86)\Mozilla Firefox\firefox.exe"

    Edit:
    For the browser to be EMETted, in the free Sandboxie (or in the licensed version too, if not forcing browsers), you will have to start it with explorer.
     
    Last edited: Dec 1, 2014
  24. badsector

    badsector Registered Member

    Joined:
    Oct 7, 2014
    Posts:
    51
    What about those paths? I don't get it...
     
  25. wolfrun

    wolfrun Registered Member

    Joined:
    Jul 26, 2009
    Posts:
    702
    Location:
    North America