EMET (Enhanced Mitigation Experience Toolkit)

Discussion in 'other anti-malware software' started by luciddream, Apr 1, 2013.

  1. wolfrun

    wolfrun Registered Member

    Joined:
    Jul 26, 2009
    Posts:
    702
    Location:
    North America
    Had a problem with Adobe Flash crashing in EMET with Palemoon in Sandboxie. I unticked EAF and Heapspray, but still have problems with Flash crashing occasionally. So, the Flash Player plugin is deleted from the mitigation settings for now. Plugin Container is still protected though, with Heap Spray unticked. Anyone else having problems with Flash and EMET?
     
  2. 142395

    142395 Guest

    I had a similar problem on Firefox, an occasional Flash plugin crash when I watched video, and it was due to Heapspray protection. It was not always, just occasional.
    Removing Heapspray in plugin-container greatly reduced those crashes, but still I had to remove Heapspray from firefox.exe too to completely avoid them.
    Later I moved to MBAE so I don't know whether the situation changed, but at least I posted that in MSDN as an issue under the name of Yuki.
     
    Last edited by a moderator: Dec 8, 2014
  3. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,207
    I noticed the video crashing too. I removed the Flash plugin from EMET and I guess the browser (+ plugin-container.exe) mitigations are really what are enough for the EMET protection, after I read your post wolfrun and checked the crashing behaviour. Also I think EMET offers the same mitigation template for every unknown program. Too lazy to bother testing what combination might work, or if it still would be somewhat unstable.

    Remember to remove the Flash plugin line from EMET, not just disable all mitigations. I am not sure, but could some Application Opt In features be turned off that are otherwise there for Flash without EMET? So to be sure I removed the line.

    Adobe Flash plugin is a really annoying program and they just can't, I guess, get it fixed. It is not like a browser, with the developers pushing new versions also just for interest's sake. I am sure almost everyone would be happier if Flash could be fixed with much less frequent updates.
    Software like Avast's updater can help with this Flash issue so one does not need to go to some website to get it updated or to check if a new one is ready to be eaten. I have to update Sandboxie's Firefox box that has restrictions every time. And also the TinyWall internet rule for that darn Flash.
     
    Last edited: Dec 8, 2014
  4. wolfrun

    wolfrun Registered Member

    Joined:
    Jul 26, 2009
    Posts:
    702
    Location:
    North America
    Yes, I have done that with Heapspray and unticked both EAFs in Plugin-Container and removed Flash Player Plugin-Adobe Flash Player in the App Mitigations section altogether. With the Palemoon browser, both EAFs unticked. Seems to have helped, as no crashes as of last evening. Also I am running everything in Sandboxie and that might be part of the problem.
    Thanks for the reply Jarmo. As I stated above, with Heapspray and both EAFs unticked in Plugin Container and the Flash Player Plugin removed altogether, Flash is working better so far. As a side note, I was trying to get into the Sandboxie forum and I get an error message, so it seems like the site is down for some reason.
     
  5. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Seeing the prevalence of Flash exploits nowadays in most Exploit Kits, you might as well remove EMET altogether.
     
  6. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,207
    Flash plugin needs to be added to EMET manually in the first place. So the user who has not added it is in the same situation as the one who has added it and then removed it.

    Importing the recommended software profile some applications are protected from Flash as told in the EMET's user guide:

    "Blocks the Adobe Flash plugin from running in Microsoft Excel, PowerPoint, and Word, and blocks the Oracle Java, Microsoft VML, Microsoft MSXML 4.0, Windows Script Host Runtime, and Microsoft Scripting Runtime plugins from running in Internet Explorer in websites not belonging to the Trusted Sites or Intranet zones."

    I imagined EMETting Firefox and plugin-container, they were protected for what is needed since the Flash runs "inside" the browser. I am not going to go further since I am no exploit expert.

    EDIT:
    Your reply above mine is a typical arrogant geek reply, from a competitor also. You try play some other fool, I am not going into word games with you!
     
    Last edited: Dec 8, 2014
  7. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Actually under Firefox Flash does not run inside the browser, it runs as a separate child process of plugin-container.exe. So you need to add FlashPlayer*.exe to EMET to protect Flash under Firefox.
     
  8. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    hxxps://media.blackhat.com/bh-us-12/Briefings/Sabanal/BH_US_12_Sabanal_Digging_Deep_WP.pdf contains a detailed explanation of Flash's FlashPlayerPlugin exe.
     
  9. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    So if you protect Firefox with EMET, any of its child processes (like Adobe Reader, Java etc.) will not be protected unless added manually to EMET's protection?
     
  10. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Reader runs within the Firefox browser, but Flash and Java run as separate processes which you need to add to EMET. I've mentioned it before but if you uncheck processes and/or mitigations such as EAF+, Caller, etc. from EMET you're *RADICALLY* reducing its effectiveness and you might as well get rid of EMET altogether so as to not have a false sense of security.
     
  11. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Ok, Thanks.
     
  12. 142395

    142395 Guest

    Yup, now I also begin to think SBIE might have an influence on this, because you also got a similar issue to mine and I always use SBIE for Firefox too. If you find a good resource in the SBIE forum, please inform us!
     
  13. 142395

    142395 Guest

    I don't fully agree, though it depends on what mitigations are included in that 'etc'.
    Yeah, EAF(+) and Caller are quite important mitigations, but even after disabling them StackPivot & Heapspray protection will still block most ITW heap-based attacks, provided the attacker is not aware of them and doesn't try to bypass them.
    Mandatory ASLR and bottom-up randomization are also good, as even one component which is not randomized can be abused, and isn't this part of the reason you adopted layer 0 security enforcement protection?
    I think DEP & ASLR are a drastic remedy for exploits while most other mitigations are symptomatic treatment. The fact that most current exploits bypass DEP & ASLR doesn't negate this.
    If anyone says disabling some of the mitigations is equal to or even worse than not using it at all, then it's too much 'all-or-nothing' thinking.

    Also EMET has its advantages. The most important one for me is cert pinning, which no other app offers as a separate application, and Chrome's HSTS is too inconvenient to configure manually if you want to add all the SSL sites you use.
    Next, system-wide ASLR, which can't be done in the registry (per-app basis can be done, but AlwaysOn is not).
    The third is ASR, which is also useful if you can add custom components, because many browsers or PDF readers include unneeded (for my use) components and some of them or their functions were abused in past exploits.
    And I prefer EMET when I want to protect sensitive processes which usually are only exploitable locally, such as lsass.exe or parts of security apps which had vulnerabilities, because only EMET gives the user full control over mitigations, thus I can adjust and prevent any problem by myself, theoretically.

    These are the reasons I run EMET alongside MBAE; basically I made them not protect the same apps, except some processes for which only ASR is enabled in EMET.
     
    Last edited by a moderator: Dec 12, 2014
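    The point above about Mandatory ASLR, that a single module loaded without randomization is enough to give an attacker a fixed address, can be checked on the binaries themselves rather than guessed. The block below is an added example written for this page; it is not code from the thread, from EMET or from MBAE. It parses the PE headers of a module and reports whether the linker set DYNAMIC_BASE (ASLR opt-in), HIGH_ENTROPY_VA, NX_COMPAT (DEP opt-in) and GUARD_CF, and whether base relocations were stripped, which is the case where even forced ASLR cannot move the image. The two sample images it builds are constructed header-only stubs, and the finding texts are my own wording, not EMET's.

```python
import struct
import sys

# IMAGE_DLLCHARACTERISTICS_* bits from the optional header (PE/COFF specification).
DLLCHAR_HIGH_ENTROPY_VA = 0x0020   # 64-bit image may be placed anywhere in the address space
DLLCHAR_DYNAMIC_BASE    = 0x0040   # image opts into ASLR
DLLCHAR_NX_COMPAT       = 0x0100   # image opts into DEP
DLLCHAR_GUARD_CF        = 0x4000   # image was built with Control Flow Guard
# IMAGE_FILE_* bit from the COFF header Characteristics field.
FILE_RELOCS_STRIPPED    = 0x0001   # no base relocations: the loader cannot move this image

OPT_MAGIC_PE32 = 0x10B
OPT_MAGIC_PE32PLUS = 0x20B


def check_pe_mitigations(data: bytes) -> dict:
    """Parse the PE headers in `data` and report the linker-level mitigation flags.

    Works for PE32 and PE32+ alike, because DllCharacteristics sits at offset 70
    of the optional header in both formats. Raises ValueError on malformed input.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image (no MZ header)")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    (_, _, _, _, _, opt_size, file_chars) = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if opt_size < 72 or opt + opt_size > len(data):
        raise ValueError("optional header truncated")
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (OPT_MAGIC_PE32, OPT_MAGIC_PE32PLUS):
        raise ValueError("unexpected optional header magic 0x%x" % magic)
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    return {
        "pe32plus": magic == OPT_MAGIC_PE32PLUS,
        "aslr_opt_in": bool(dll_chars & DLLCHAR_DYNAMIC_BASE),
        "high_entropy_va": bool(dll_chars & DLLCHAR_HIGH_ENTROPY_VA),
        "dep_opt_in": bool(dll_chars & DLLCHAR_NX_COMPAT),
        "cfg": bool(dll_chars & DLLCHAR_GUARD_CF),
        "relocs_stripped": bool(file_chars & FILE_RELOCS_STRIPPED),
    }


def findings(flags: dict) -> list:
    """Turn the flag dict into the observations a defender cares about (my wording)."""
    out = []
    if flags["relocs_stripped"]:
        out.append("relocations stripped: loads at a fixed address; even forced (mandatory) ASLR cannot rebase it")
    elif not flags["aslr_opt_in"]:
        out.append("no DYNAMIC_BASE: not randomized unless the system or EMET forces ASLR on it")
    if flags["pe32plus"] and not flags["high_entropy_va"]:
        out.append("64-bit image without HIGH_ENTROPY_VA: ASLR uses less entropy for this image")
    if not flags["pe32plus"] and not flags["dep_opt_in"]:
        out.append("32-bit image without NX_COMPAT: DEP only under an AlwaysOn policy or a runtime opt-in")
    if not flags["cfg"]:
        out.append("no GUARD_CF: indirect-call targets are not checked")
    return out


def build_minimal_pe(dll_chars: int, file_chars: int = 0, pe32plus: bool = True) -> bytes:
    """Constructed sample input for this example: a header-only image, not a real binary."""
    opt_size = 240 if pe32plus else 224
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)   # e_lfanew: PE header right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, opt_size, file_chars)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, OPT_MAGIC_PE32PLUS if pe32plus else OPT_MAGIC_PE32)
    struct.pack_into("<H", opt, 70, dll_chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # With no arguments, inspect two constructed images; otherwise inspect the files given.
    samples = {p: open(p, "rb").read() for p in sys.argv[1:]} or {
        "modern.dll (constructed)": build_minimal_pe(
            DLLCHAR_DYNAMIC_BASE | DLLCHAR_HIGH_ENTROPY_VA | DLLCHAR_NX_COMPAT | DLLCHAR_GUARD_CF),
        "legacy_plugin.dll (constructed)": build_minimal_pe(0, FILE_RELOCS_STRIPPED, pe32plus=False),
    }
    for name, blob in samples.items():
        print(name)
        for line in findings(check_pe_mitigations(blob)) or ["all checked mitigations opted in"]:
            print("  -", line)
```

    Run it against the DLLs a plugin process loads (`python pe_flags.py plugin.dll ...`) to see which of them would sit at a fixed address without a forced-ASLR setting, and which cannot be moved at all because their relocations are gone; the second group is the one where turning on Mandatory ASLR buys nothing.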
  14. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    The paper in post #756 lists which EMET (v4.1 Update 1) mitigation - if any - stopped various exploits.
     
  15. harsha_mic

    harsha_mic Registered Member

    Joined:
    Mar 11, 2009
    Posts:
    815
    Location:
    India
    Nice informative posts yuki :). I am at less than minimal awareness of these exploit protection technologies. Sorry if the questions are invalid or too basic :). My questions are related to HMA RC vs EMET usage.
    Does HMA have system-wide ASLR protection?
    I am not sure of the benefit of adding protection to sensitive processes such as lsass.exe/cmd.exe. Aren't the exploits being discussed served from browsers/readers/e-mail clients? If so, if we add mitigation protection to only these processes, what benefit do we get by adding it to sensitive processes? Unless the threat vector is from USB or any other..

    Can you explain? I am not sure if I understand. Isn't the protection added at the process level?
    And ASR means Application Surface Reduction?

    Thanks, Harsha.
     
  16. 142395

    142395 Guest

    I'm currently not an HMPA user, though I asked erikloman for a test license.
    But AFAIK, HMPA doesn't have system-wide ASLR.

    The benefit is quite little; basically you don't need to do that, and although I do, I know it won't help much. Protecting internet-facing apps is because they can be remotely exploitable, but most of those sensitive processes are only locally exploitable. It means the attacker has already intruded into your computer, and still tries to exploit something, maybe to get more privilege or for another specific reason.
    Anyway, if the attacker has already intruded into your system, he'll have many options. I protect those apps just because it doesn't cause slowdown or other problems as long as I keep minimal mitigations applied (the most problematic mitigations such as EAF, Caller, and SimExecFlow are disabled for such processes).
    As already mentioned by Pedro, EAF & Caller are the most important mitigations, so my adding them to EMET without those protections doesn't make much sense in regard to security.

    ASR is Attack Surface Reduction; it prevents specified components from being loaded into that process. So it doesn't add protection, but reduces the potential attack vector.
     
  17. harsha_mic

    harsha_mic Registered Member

    Joined:
    Mar 11, 2009
    Posts:
    815
    Location:
    India
    Thanks much! So, I will stay with my current setup, i.e., will use only HMA for now for exploit mitigations. Also, in ESS (ESET Smart Security) there is behavior-based exploit mitigation, which typically tries to identify the behavior of the perpetrator process for exploit-like activity. Though not sure how effective they are.

    Ok. HMA also has some kind of control on what actions can and cannot be performed by an application. It has two features called Appl Lockdown and Network Lockdown. I believe this is similar to what EMET provides.. Isn't it?

     
  18. 142395

    142395 Guest

    No, EMET doesn't provide such behavior lockdown.
    Just as a note, some AVs such as Norton or Kaspersky actually provide behavior lockdown for vulnerable programs, though I don't know their effectiveness.
     
  19. harsha_mic

    harsha_mic Registered Member

    Joined:
    Mar 11, 2009
    Posts:
    815
    Location:
    India
    Ok Thanks!!
    Just FYI, ESS also has botnet protection, which will stop communication to C&C servers. Not sure if it is completely based on a blacklist approach or some kind of behavioral lockdown :)
     
  20. 142395

    142395 Guest

    I don't know much about HMPA's network lockdown, but ESET's one is a different thing, not for exploit protection but for detecting and blocking already intruded malware (bots).
    In short, exploit protection is to prevent the initial intrusion, but botnet detection is after intrusion.
    Of course ESET's exploit blocker & vulnerability shield are for blocking exploits. The difference between those 2 is, EB is behavior-based and works locally while VS is signature-based and works in the network layer.
     
  21. harsha_mic

    harsha_mic Registered Member

    Joined:
    Mar 11, 2009
    Posts:
    815
    Location:
    India
    Ok Thanks.
     
  22. wolfrun

    wolfrun Registered Member

    Joined:
    Jul 26, 2009
    Posts:
    702
    Location:
    North America
    Still having the problem even with flash player plugin removed and keeping plugin container with heapspray unticked. Here are posts from Sandboxie forum, the first being an older one. http://forums.sandboxie.com/phpBB3/viewtopic.php?t=16174
    The second rather more recent http://forums.sandboxie.com/phpBB3/...p=103448&hilit=EMET heapspray problem#p103448
    Personally, I am pretty much at the end of my rope with this problem. Seems like Sandboxie is the problem with EMET and the flash player plugin issues. I am about to let EMET go because no way will I sacrifice Sandboxie for EMET just to watch videos. Thanks for your help and advice.
     
  23. 142395

    142395 Guest

    Hmm... one poster says it's gone on EMET 5.0, so your issue might be a different one.
    You can post the issue there, though probably it takes a long time to be fixed.
    But maybe MBAE or HMPA is better for you?

    Not much help, rather thanks for your effort to search in the forum, I'm now more informed about the issue :thumb:
     
  24. wolfrun

    wolfrun Registered Member

    Joined:
    Jul 26, 2009
    Posts:
    702
    Location:
    North America
    Not a problem.:thumb: I think for the time being I will be sticking with a restricted Sandboxie for now minus EMET.
     
  25. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,207
    This could be Sandboxie related, yes. I never run FF unsandboxed. I noticed my video breaking when I just started Chrome with no Flash content and then the FF video got broken.

    But only after I saw your post wolfrun, I noticed I was not able to play some video with no other browser than Firefox running, without removing the Flash from EMET. Might be the new Flash plugin. Then it worked.

    Even weirder is this: a few weeks ago, I was not able to post anything on this Wilders forum with Chrome, because there was a terrible lag. Other forums, the few I tried, worked fine. Another member on here confirmed this behaviour. Now I am not sure if I tried posting with Chrome unsandboxed. Only after removing the dll module from the EAF+ mitigation did posting here work. As it does now too, with my Chrome sandboxed. But I can't remember anymore if I tested this with Chrome not sandboxed.

    And I know this is some hacker infested forum, aaargh.

    I have googled Flash mitigations trying to find what is needed for Flash to work. The only answers I have got are from here. I might try Flash again with the reduced set. Or not, and then that MBAE guy will be happy. There is life for us all on the internet without some mitigations and with careful surfing. Not so sure we can avoid some targeted attacks.
     
    Last edited: Dec 9, 2014