Free Microsoft security tool Enhanced Mitigation Evaluation Toolkit locks down apps

Discussion in 'other security issues & news' started by MrBrian, Mar 7, 2010.

Thread Status:
Not open for further replies.
  1. Doritoes

    Doritoes Registered Member

    Joined:
    Jul 2, 2010
    Posts:
    56
    Apple Safari won't run if you set DEP to always on with EMET.
     
  2. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,795
    I did run it with Admin privileges...both under my LUA account and under my Admin account - still the same nothing.

    And afaik, the command line interface is similar to V1.02 which I've used before...so that isn't my objective.

    Yes, indeed. I'm referring to that. Any ideas?

    Seems like I'm not alone in this case....thanks for that. I really wish to see what's up with the GUI and if it's gonna make it easier to use.
     
  3. HAN

    HAN Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    2,098
    Location:
    USA
    Installed EMET 2.0 on an XP SP3 box. The only thing that appears to work is the system wide DEP indicator (which is correct... set to Opt Out.) (I know that SEHOP and ASLR aren't available in XP.)

    Beyond that, nothing shows in the Running EMET column. Should it be? I tried adding apps and nothing happens, even after reboots.

    **EDIT**
    I kept tinkering and finally got something to show up. But more tinkering and it was gone. So IMO, the GUI is buggy. At least in XP. The command line interface was always right if EMET was activated for an application but you have no granularity of control with the command line. This tool has a ways to go...
     
    Last edited: Sep 8, 2010
  4. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    v2.0.0.1 is available.

    From http://blogs.technet.com/b/srd/archive/2010/09/10/use-emet-2-0-to-block-the-adobe-0-day-exploit.aspx:
     
  5. jdd58

    jdd58 Registered Member

    Joined:
    Jan 30, 2008
    Posts:
    556
    Location:
    Sonoran Desert
  6. HJO

    HJO Guest

    No automatic update? lol
     
  7. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    I'd rather they didn't add useless features.
     
  8. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,873
    Location:
    Outer space
    It seems the installer from the official download link is not updated yet, as I tried to install it and the only options were to repair or remove my current 2.0 version.
     
  9. HJO

    HJO Guest

    Same here...
     
  10. alternety

    alternety Registered Member

    Joined:
    Nov 18, 2008
    Posts:
    37
    I am one of the unwashed masses trying to use EMET for the zero day problems with Reader. I downloaded it and installed it.

    MS page says simply enter this C:\Program Files (x86)\EMET>emet_conf.exe --add "c:\program files (x86)\Adobe\Reader 9.0\Reader\acrord32.exe"
    and all will be well. I simply don't understand what has to be done.

    I opened a command prompt and entered the text string - not recognized as command. Changed directory I was in to c: and tried. No go.

    Changed directory to c:\Program Files (x86) and typed in only the text after that in the MS page. Still nothing.

    Could anyone help me out with MSDOS 101 here?

    I am also curious if this will resolve the Flash exploit. What I read seemed to say the same file is at fault in both cases.

    Never mind about using it. I just used the GUI and that was fine.

    However I would still like to know if this also fixes the Flash exploit?


     
    Last edited: Sep 14, 2010
  11. AvinashR

    AvinashR Registered Member

    Joined:
    Dec 26, 2009
    Posts:
    2,063
    Location:
    New Delhi Metallo β-Lactamase 1
    Check your program files where EMET 2.0 is installed.. You'll find that EMET.dll, EMET64.dll and MitigationInterface.dll have been updated to version 2.0.0.1 ... GUI and some other files have not been updated to 2.0.0.1 .. So it seems that the most important files are updated :)

    Hope it will help you.. :)
     
  12. AvinashR

    AvinashR Registered Member

    Joined:
    Dec 26, 2009
    Posts:
    2,063
    Location:
    New Delhi Metallo β-Lactamase 1
    Very True .. But command lines have been changed.. You cannot use the old command lines in version 2.0 ... Why don't you try it and find if it is working for you or not.. :)
     
  13. Sadeghi85

    Sadeghi85 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    747
    Change the directory to C:\Program Files (x86)\EMET and type this:

    Code:
    emet_conf.exe --add "c:\program files (x86)\Adobe\Reader 9.0\Reader\acrord32.exe"
     
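    The same step as a short PowerShell script, added here as an example (it is not from the thread or from Microsoft): it locates emet_conf.exe, skips executables that do not exist, and runs --add once per path, so the quoting and the "C:\...\EMET>" prompt prefix that tripped up the earlier post are not typed by hand. It assumes EMET is in its default folder; the Firefox path is a placeholder and the --list switch is assumed to behave as in the EMET 2.0 command line.

```powershell
# Added example, not the thread's or Microsoft's own code.
# Run from an elevated PowerShell window (EMET changes need admin rights).

# Locate emet_conf.exe. On 32-bit XP there is no "Program Files (x86)", so fall back.
$pf = ${env:ProgramFiles(x86)}
if (-not $pf) { $pf = $env:ProgramFiles }
$emetConf = Join-Path $pf 'EMET\emet_conf.exe'
if (-not (Test-Path $emetConf)) {
    throw "emet_conf.exe not found at $emetConf (EMET not installed in the default folder?)"
}

# Executables to opt in. The Reader path is the one quoted in the thread;
# the Firefox entry is a placeholder, replace it with whatever you actually run.
$targets = @(
    'C:\Program Files (x86)\Adobe\Reader 9.0\Reader\acrord32.exe',
    'C:\Program Files (x86)\Mozilla Firefox\firefox.exe'   # placeholder
)

foreach ($exe in $targets) {
    if (-not (Test-Path $exe)) {
        Write-Warning "Skipping $exe - file does not exist"
        continue
    }
    # PowerShell passes $exe as a single argument, so the spaces in the path
    # are handled without manual quoting.
    & $emetConf --add $exe
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "emet_conf returned exit code $LASTEXITCODE for $exe"
    }
}

# Assumed switch: list the registered applications so you can confirm the entries took.
& $emetConf --list
```

After the run, restart each listed program and check it still works, since the thread reports some applications crash with the mitigations on.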
  14. guest

    guest Guest

    Which kind of apps do you protect with EMET?

    What would a normal configuration be, or what is your configuration?

    Is the profile "Maximum security settings" usable for a normal user?

    Thanks
     
  15. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
    I've gone for 'Application Opt Out' with the DEP setting because some poorly coded applications refuse to run with it set to maximum.

    With regards to applications you can opt-in pretty much everything with no problems, but I suggest giving each program a thorough test after setting it just in case of any anomalies.

    The real SRP/LUA experts here will be able to advise on potential issues better than an EMET noob such as I :D
     
  16. microbial

    microbial Registered Member

    Joined:
    Aug 26, 2009
    Posts:
    156
    Location:
    UK
    Why is SEHOP when enabled listed as 'Application Opt Out?'

    Surely you're 'opting in' to the protection provided by enabling SEHOP?! I'm confused...

    [Attachment: EMET.jpg]
     
  17. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I thought that SEHOP was possible to turn on for Windows Vista SP2. At least, that's what it says on the Microsoft page, where it says how to manually apply SEHOP, through the registry. Which I did.
    But, today, after installing EMET on a relative's system, it showed as being disabled, and the only way to have it enabled was as "Always on". A crash occurred. I left it disabled.

    That's odd. Why would Microsoft EMET recommend it to be disabled, if it is supposed to work with Vista SP2 as well? Odd... Odd.
     
  18. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    Don't you need to turn it on with the fixit tool first?
     
  19. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
    It's working fine for me running Vista SP2 here. I just ran the Fix-It tool despite it saying it was only for SP1 (the beauty of having rollback software).
     
  20. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    And, I had it done, weeks ago. But, it seems that, for whatever reason, it didn't apply? No idea.

    I'll try to re-apply the fix first, once again, and then check again with EMET.
     
  21. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    That one made me laugh. So, Microsoft says SEHOP only works for Windows Vista SP2 and forward, but you got it working for SP1? That's great.

    I wonder what the heck Microsoft is doing. Don't they test it properly?
     
  22. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
    No sorry, you misunderstood me, although I'm always pleased to make folks laugh :D

    I ran the MS automated Fix-It tool despite it stating it only applies to Vista SP1 and Server 2008, confusing since I thought it was enabled by default with the latter OS o_O I'm running SP2 here. Anyway the upshot is that it all worked perfectly for me.
     
  23. justenough

    justenough Registered Member

    Joined:
    May 13, 2010
    Posts:
    1,549
    Without detailed instructions, I would have no idea what to opt in and out of. As an average user, is there any point in my installing EMET?
     
  24. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
    A good starting point is to add the executables for all your programs in there and look for any issues. I've added all my common stuff and there have been no problems so far. It's worth using because it mitigates against a lot of exploits such as the many Adobe pdf, etc. Always better to preemptively block a whole category of exploits than to try to catch individual malware later on.
     
  25. justenough

    justenough Registered Member

    Joined:
    May 13, 2010
    Posts:
    1,549
    I am using NitroPDF because I read about Adobe's vulnerability. Would it still be worthwhile using EMET, or just enable DEP and SEHOP in 7?

    When you say add the executables, I guess I would add them one at a time and see what happens.

    So far all I've done is set EMET to maximum security settings, so DEP is always on, SEHOP is opt out, and ASLR is opt in. So I would be adding the executables to ASLR?

    Nothing is showing as running in the EMET column.
     