EMET (Enhanced Mitigation Experience Toolkit)

Discussion in 'other anti-malware software' started by luciddream, Apr 1, 2013.

  1. Solarlynx

    Solarlynx Registered Member

    Joined:
    Jun 25, 2011
    Posts:
    2,015
    You can enable SEHOP for the system without EMET by a download from Microsoft.

    If I enabled Maximum Secur. Set. and want to disable some options (DEP, SEHOP or ASLR) for an application, then should I do this in "Configure apps" - just uncheck the corresponding box?
     
    Last edited: May 14, 2013
  2. DR_LaRRY_PEpPeR

    DR_LaRRY_PEpPeR Registered Member

    Joined:
    Oct 11, 2012
    Posts:
    141
    Location:
    St. Louis area
    Yeah, that's the thing I had seen before. :) And that's just a "Fix It," so the download isn't needed -- it can just be changed manually in the registry...

    No, as I said in the P.S. in my last post, it's not possible to "lessen" the System settings on a per-program basis. So if you have Maximum Security, you can't disable part of that for any program. Unchecking things won't do anything for System stuff (DEP/ASLR/SEHOP) that's already being applied. System settings are the "baseline minimum" that will be applied to everything, regardless of whether EMET is configured for a given program, so you're stuck with them! :)


    You can verify with Advanced Uninstaller -- you won't be able to make it work no matter what if the Maximum System settings are a problem...
     
  3. Solarlynx

    Solarlynx Registered Member

    Joined:
    Jun 25, 2011
    Posts:
    2,015
    EMET bug: Without EMET I can disable DEP for some programs. When I got EMET installed, it shaded this option in security settings of PC even when DEP is disabled in EMET.
     
  4. DR_LaRRY_PEpPeR

    DR_LaRRY_PEpPeR Registered Member

    Joined:
    Oct 11, 2012
    Posts:
    141
    Location:
    St. Louis area
    NO it's not an EMET bug or anything to do with EMET! :) That's because you set Maximum with AlwaysOn DEP -- of course you wouldn't be able to disable DEP for anything.

    Anyone would have the same result (grayed Exceptions area) if they ran:

    bcdedit /set nx AlwaysOn



    Oh, what do you mean by "even when DEP is disabled in EMET?" Disabled how? You mean you set System DEP to the Disabled option? Then that's AlwaysOff DEP, and again, nothing can change that (DEP will never, ever be used -- no reason for anyone to EVER choose that). Simply, you can ONLY set DEP exceptions when using the OptOut setting! :)
     
  5. Solarlynx

    Solarlynx Registered Member

    Joined:
    Jun 25, 2011
    Posts:
    2,015
    Yes! You were quite right!
    I've done DEP OptOut, and in the config for "uninstaller.exe" cleared the boxes for DEP, EAF, Caller; now Advanced Uninstaller starts OK. (EMET 3.5)

    Then anyway this is a "bug" in EMET. In the Windows option for DEP I could enable DEP for all apps except those I mark there. In EMET it's vice versa and less convenient.
     
  6. DR_LaRRY_PEpPeR

    DR_LaRRY_PEpPeR Registered Member

    Joined:
    Oct 11, 2012
    Posts:
    141
    Location:
    St. Louis area
    Even if you cleared DEP in EMET, Advanced Uninstaller may still have DEP enabled (you can check in Process Explorer (v15.12 is the last that works right for DEP on Windows 7/8), etc.), because like I said, DEP itself may not be the problem, but a "special case of DEP triggering" that Windows handles specially (the "ATL thunk emulation" that's never used with AlwaysOn).

    You can (and still have to) choose in Windows any programs to exclude from DEP, since unchecking DEP in EMET does NOT make that program opt out, it just does not force DEP on, remember. :) So you probably don't even need uninstaller.exe configured/listed in EMET (unless of course you want the other EMET protections on it, but that doesn't seem needed).


    Curious, will it launch if you check the box for DEP again...? That would confirm that it can run with DEP (but it needs that other legacy DEP feature). If it doesn't run when you recheck DEP, but you did NOT add an explicit exception in Windows, that means Windows implicitly opted it out (it does that for certain EXEs it detects; again, that doesn't happen with AlwaysOn).
     
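    Added example, not from the thread: a PowerShell check for the three settings posts 2, 4 and 6 talk about, namely the system DEP policy (exceptions only take effect under OptOut), the SEHOP registry switch, and a process's DEP / ATL thunk emulation flags. It assumes Windows 7 or later with PowerShell 3+, and the process name at the end is a placeholder.

```powershell
# Added example (not from the thread). Reports the settings discussed above.
# Assumes Windows 7+ and PowerShell 3+; run elevated to open every process handle.

# 1. System DEP policy. Exceptions (Windows' "Exceptions" list, or unchecking DEP
#    in EMET) only matter under OptOut; AlwaysOn / AlwaysOff cannot be overridden.
$policyNames = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
$policy = [int](Get-CimInstance Win32_OperatingSystem).DataExecutionPrevention_SupportPolicy
"System DEP policy: $($policyNames[$policy]) ($policy)"
if ($policy -ne 3) { "Per-program DEP exceptions are not honoured under this policy." }

# 2. SEHOP without EMET: value 0 = enabled, 1 = disabled, absent = OS default.
$sehopKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel'
$sehop = (Get-ItemProperty -Path $sehopKey -ErrorAction SilentlyContinue).DisableExceptionChainValidation
"SEHOP: " + $(if ($null -eq $sehop) { 'OS default' } elseif ($sehop -eq 0) { 'enabled' } else { 'disabled' })

# 3. Per-process DEP flags via the documented kernel32 GetProcessDEPPolicy API.
#    It only reports on 32-bit processes; 64-bit processes always have DEP on.
Add-Type -Namespace Win32 -Name Dep -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool GetProcessDEPPolicy(IntPtr hProcess, out uint lpFlags, out bool lpPermanent);
'@

function Get-ProcessDep {
    param([Parameter(Mandatory)][string]$Name)
    foreach ($p in (Get-Process -Name $Name -ErrorAction Stop)) {
        $flags = [uint32]0; $permanent = $false; $ok = $false
        try {
            # Process.Handle throws for protected processes or without sufficient rights
            $ok = [Win32.Dep]::GetProcessDEPPolicy($p.Handle, [ref]$flags, [ref]$permanent)
        } catch { $ok = $false }
        if (-not $ok) {
            [pscustomobject]@{ Pid = $p.Id; Name = $p.Name; Dep = 'n/a (64-bit or access denied)' }
            continue
        }
        [pscustomobject]@{
            Pid               = $p.Id
            Name              = $p.Name
            Dep               = [bool]($flags -band 1)   # PROCESS_DEP_ENABLE
            AtlThunkEmulation = -not ($flags -band 2)    # bit 2 set = emulation disabled
            Permanent         = $permanent               # the process cannot change it
        }
    }
}

Get-ProcessDep -Name 'uninstaller'   # placeholder: the program from the thread
```

    A 32-bit program that shows Dep = True with AtlThunkEmulation = False is in the situation post 6 describes: DEP is on and the legacy thunk handling is unavailable, as under AlwaysOn.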
  7. Solarlynx

    Solarlynx Registered Member

    Joined:
    Jun 25, 2011
    Posts:
    2,015
    Advanced Uninstaller does not start if it's configured with DEP on in EMET.

    I know about DEP because in Windows security settings it and some other programs were excluded from DEP.
     
    Last edited: May 16, 2013
  8. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
  9. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,873
    Location:
    Outer space
    Actually it does not apply to Mandatory ASLR, since it's different:
     
  10. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,545
    Yeah, it definitely is, I admit. Just not what I'm looking for right now given my specific set of circumstances here on XP. If/when I upgrade to Win8, or whatever version seems best when XP's EOL comes, I'll probably give it another (hard) look though.

    I am very much looking forward to Larry Pepper's tools though, and to Exploit Shields stable/final release to test in a VM... see if any are keepers.

    Some really good info. in this thread. Much appreciated.
     
  11. test

    test Registered Member

    Joined:
    Feb 15, 2010
    Posts:
    499
    Location:
    italy
    So today is the long-awaited day:
    let's see what happens... :shifty:
     
  12. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    I just hope they don't delay it again.
     
  13. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    164,154
    Location:
    Texas
  14. Solarlynx

    Solarlynx Registered Member

    Joined:
    Jun 25, 2011
    Posts:
    2,015
    MS is teasing us...
     
  15. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,645
    Location:
    USA
  16. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
  17. kronckew

    kronckew Registered Member

    Joined:
    Aug 27, 2006
    Posts:
    455
    Location:
    CSA Consulate, Glos., UK
    How many is 'a few days'? We are into a new week.

    Is this a typical Microsoft 'few', meaning 'a few weeks', or a normal few, meaning 3 or 4? (Days, I hope.)

    Or is it going to be a 'real soon now'?

    Or the dreaded 'when it is ready', meaning months, if at all.

    They should at least reschedule the day and give us a target, even if they don't hit it yet again.
     
  18. Solarlynx

    Solarlynx Registered Member

    Joined:
    Jun 25, 2011
    Posts:
    2,015
    Obviously they cannot predict when they will finish. Otherwise they would proclaim the date. The changes are too drastic to give a definite date; this isn't the monthly Malicious Software Removal Tool.
     
  19. nine9s

    nine9s Registered Member

    Joined:
    Feb 8, 2013
    Posts:
    310
    Location:
    USA
    I want to try EMET for added security but from reading the EMET forums of conflicts, it seems it would be a headache.

    For example, I see conflict lists for some important things (common programs, video card drivers, other device drivers etc.) It seems you have to tweak it for all those programs. Or does Microsoft have files to do that for you?

    For example, in Microsoft's video explaining EMET to a user, the host made it seem like it is a program for the average user, and he recommended some data file to use with EMET that would set attributes for common 3rd party programs (the list of programs seemed very large, and he added not to worry if you do not have most of the programs - no conflict from listing stuff you do not have). So, it seems Microsoft's list of settings would take care of settings for common software if you add that file to EMET.

    Is that right? And is the list large enough to cover all but niche software? In other words, would an average user, who uses his computer for spreadsheets, word processor, games, etc., not have many if any conflicts with EMET using Microsoft's recommended 3rd party software settings file?
     
  20. Quitch

    Quitch Registered Member

    Joined:
    Apr 24, 2008
    Posts:
    94
    EMET comes with a popular software file you can import which uses known good settings. That'll act as a good baseline.
     
  21. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    The main things you want covered are your browser, Adobe, and Java if installed. Also, if you use the standalone Flash player and not the plug-in version, you want to add that. All add-ons to your browser are covered by the browser settings. Also your media player if you do network stuff with it. The majority of exploits come from the above.

    I have been running EMET 3.0 for months without issue. On the other hand I have not seen it block a single exploit. I do make it a point to keep all my software fully patched.
     
  22. nine9s

    nine9s Registered Member

    Joined:
    Feb 8, 2013
    Posts:
    310
    Location:
    USA

    So if I use Chrome (which is supposed to have the lock-downs EMET does), Chrome's native PDF reader (no Adobe on my computer) and Chrome's native Flash player (no Flash, and use Flash-block add-on), no need for EMET really? It would be overkill?
     
    Last edited: Jun 2, 2013
  23. Quitch

    Quitch Registered Member

    Joined:
    Apr 24, 2008
    Posts:
    94
    I don't know if it's the case in Windows 8, but I know that in Windows 7 for example EMET uses slightly different (and more thorough?) protections than the OS for things like ASLR.
     
  24. Solarlynx

    Solarlynx Registered Member

    Joined:
    Jun 25, 2011
    Posts:
    2,015
    I shoved 40 *.exe into EMET 3.5 and covered them with all 12 of its mitigations. I didn't use the data file with EMET. There were only 2 issues with one program. An issue happens when the program starts: then EMET shows the incompatible mitigation and the program. You uncheck the mitigation for the program and start it again until you have unchecked all incompatible mitigations.
     
  25. nine9s

    nine9s Registered Member

    Joined:
    Feb 8, 2013
    Posts:
    310
    Location:
    USA
    What is 40*.exe? An add-on for EMET?
     