Introducing EMET v3

Discussion in 'other security issues & news' started by ronjor, May 15, 2012.

Thread Status:
Not open for further replies.
  1. STV0726

    STV0726 Registered Member

    Joined:
    Jul 29, 2010
    Posts:
    900
    Oh I didn't know Microsoft provided a preset config.
     
  2. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    As of EMET 3.0 they do. But you'd have to go through and enable each mitigation. I just saved you a few minutes and this way I can update it if anyone reports an issue.
     
  3. STV0726

    STV0726 Registered Member

    Joined:
    Jul 29, 2010
    Posts:
    900
    Got it, thanks.

    Now is the crucial point in developing my security mentality on whether I go ahead and take the "risk of IPC conflict" and enable EMET for all internet-facing apps, even ones I always Sandboxie. :p
     
  4. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    That's your choice but I would.
     
  5. STV0726

    STV0726 Registered Member

    Joined:
    Jul 29, 2010
    Posts:
    900
    I don't know why I worry about that so much...

    ...If I remember correctly Sandboxie now has a compatibility preset for EMET.
     
  6. test

    test Registered Member

    Joined:
    Feb 15, 2010
    Posts:
    499
    Location:
    italy
    Nobody has been able to check whether Sandboxie interferes with the new mitigations introduced with v3.5?

    Someone in Italy, in fact, reports the inability to automatically empty the sandbox if ROP mitigations are enabled on a per-process basis (e.g. Chrome)...
     
  7. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    No clue. I haven't used Sandboxie in some time.
     
  8. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
  9. STV0726

    STV0726 Registered Member

    Joined:
    Jul 29, 2010
    Posts:
    900
    See that scares me...

    Sandboxie is a primary, resident layer of my security setup and I can't risk anything interfering with it and weakening/corrupting its high level of protection.

    I consider Sandboxie a near-absolute layer of security, whereas EMET is not...not even close. While I praise Microsoft for making EMET (and I think it is awesome) AND I consider it a paramount layer that one can add to almost any security setup, I still consider it only a supplemental layer. Yeah, they do different things, I get it, but as far as I can tell (and is discussed time and time again) any exploits that EMET could protect from that are run in the Sandbox anyway...well...then who cares if they work or not...it's sandboxed.

    Therefore, I still consider Sandboxie > EMET; therefore, I sandbox high-risk internet facing apps (primarily Internet Browsers; not just my default one), and use EMET app protection for legacy apps and/or lower risk internet facing apps such as applications that only access Internet via check for updates and are not widely exploited by malware authors currently.

    It is also important to note that I do not apply EMET configuration to Java and Adobe Flash, since those are always run in a sandbox along with the forced-sandboxed browser in which they were started.
     
    Last edited: Jul 31, 2012
  10. test

    test Registered Member

    Joined:
    Feb 15, 2010
    Posts:
    499
    Location:
    italy
    I have to rectify my previous sentence:
    after a quick check, it seems that the problem is likely due to CIS and not to Sandboxie as stated above.

    Sorry for the incorrect information.
     
  11. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    @STV,

    With EMET and Sandboxie you do one thing - prevent any generic exploit from working properly. In either case you'll be dealing with an attacker who uses a direct attack on your system to either bypass EMET or to bypass Sandboxie - it comes down to which you think is easier.

    Is it easier to exploit and infect a system when the program attacked is running EMET or is it easier to exploit and infect a system when the program attacked is running in Sandboxie?

    That's all it comes down to.
     
  12. STV0726

    STV0726 Registered Member

    Joined:
    Jul 29, 2010
    Posts:
    900
    Exactly my point...

    Like I said...and I don't think you'd disagree...Sandboxie provides pretty close to absolute protection since everything is isolated (if on a 64-bit machine, use experimental protection!)

    I know for a fact from reading tech articles that some EMET mitigations are not that hard to exploit. In fact, like you said...pseudo-mitigation. There can be not just bugs but flaws in design where a hacker could just rewrite with EMET in mind.

    But for Sandboxie, you said yourself, there's really no flaw in the concept itself, they'd need a bug.

    Sandboxie > EMET, and as soon as Ronen Tzur can near-guarantee compatibility I'll use both, but until then EMET is only for apps I don't sandbox.
     
  13. DX2

    DX2 Guest

    What system processes would you recommend to put within EMET? I have Task Manager and cmd in there.
     
  14. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    No system services, you should be adding Internet facing applications.
     
  15. DX2

    DX2 Guest

    Like firefox and such?
     
  16. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    You can do services as well but I don't think EAF will work.

    This would potentially prevent local privilege escalation.
     
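The advice above is to put Internet-facing executables under EMET; one quick way to decide which ones need it most is to look at what the binary already opted into at build time, since EMET's per-process DEP and mandatory ASLR exist precisely for executables that were not linked with /NXCOMPAT and /DYNAMICBASE. The following is an added example, not code from EMET or from anyone in this thread: it reads the relevant flags straight from the PE headers with nothing but the Python standard library. The constants are the documented PE/COFF values; `build_sample_pe` constructs header-only test images so the script runs offline, and the flag names in the returned dict are this example's own.

```python
"""Read DEP/ASLR opt-in flags from a PE file (added example, not EMET's own code)."""
import struct

# Constants from the PE/COFF specification.
IMAGE_FILE_RELOCS_STRIPPED = 0x0001
IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10B
IMAGE_NT_OPTIONAL_HDR64_MAGIC = 0x20B
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100
IMAGE_DLLCHARACTERISTICS_NO_SEH = 0x0400
IMAGE_DLLCHARACTERISTICS_GUARD_CF = 0x4000


def inspect_pe(data: bytes) -> dict:
    """Return the mitigation-relevant header flags of a PE image held in memory."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4
    machine, _nsect, _ts, _symptr, _nsyms, opt_size, characteristics = \
        struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20  # optional header follows the 20-byte COFF header
    if opt_size < 72:
        raise ValueError("optional header too short to carry DllCharacteristics")
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (IMAGE_NT_OPTIONAL_HDR32_MAGIC, IMAGE_NT_OPTIONAL_HDR64_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ optional headers.
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    dynamic_base = bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    relocs_stripped = bool(characteristics & IMAGE_FILE_RELOCS_STRIPPED)
    return {
        "pe32plus": magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC,
        "machine": machine,
        "nx_compat": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "dynamic_base": dynamic_base,
        "relocs_stripped": relocs_stripped,
        # The loader can only randomise the base if a relocation table survived.
        "aslr_effective": dynamic_base and not relocs_stripped,
        "high_entropy_va": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA),
        "no_seh": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NO_SEH),
        "guard_cf": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_GUARD_CF),
    }


def inspect_pe_file(path: str) -> dict:
    with open(path, "rb") as f:
        return inspect_pe(f.read())


def build_sample_pe(pe32plus: bool, characteristics: int, dll_characteristics: int) -> bytes:
    """Constructed header-only PE image for offline testing (not a runnable executable)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)      # e_lfanew: PE signature right after the DOS header
    opt_size = 240 if pe32plus else 224         # standard optional header sizes incl. data directories
    machine = 0x8664 if pe32plus else 0x14C     # AMD64 / i386
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, characteristics)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0,
                     IMAGE_NT_OPTIONAL_HDR64_MAGIC if pe32plus else IMAGE_NT_OPTIONAL_HDR32_MAGIC)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    import sys
    for p in sys.argv[1:]:
        r = inspect_pe_file(p)
        print(p, "DEP:", r["nx_compat"], "ASLR:", r["aslr_effective"],
              "HighEntropyVA:", r["high_entropy_va"], "CFG:", r["guard_cf"])
```

Run it as `python pecheck.py "C:\Program Files\Mozilla Firefox\firefox.exe"` and so on for each candidate. A binary that reports DEP and ASLR already gains mostly the EMET-only mitigations (EAF, heap-spray pre-allocation, SEHOP, the 3.5 ROP checks); one that reports neither is the case the per-process DEP and mandatory ASLR settings were made for. Note the `aslr_effective` caveat: DYNAMICBASE on a binary whose relocations were stripped gives the loader nothing to relocate with, which is why the script checks both.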
  17. DX2

    DX2 Guest

    Thanks for the replies. Can someone who uses this post some of the exe's they use in EMET?
     
  18. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,066
    Location:
    Canada
    Note: due to issues, I've cleared the StackPivot boxes for plugin-container.exe for Firefox/Waterfox...
     

  19. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Damn, I spent like an hour trying to make my own XML file to import to EMET, and the damn thing just wouldn't load. I kept getting an error. It turns out, I forgot to close one of the tags (/>). :argh: Now, it's working lovely. :D
     
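The import error described in the post above is the generic one EMET gives for any malformed XML, which is why a single missing `/>` can cost an hour. Parsing the file yourself first gets the line and column from the XML parser instead. This is an added example, not EMET's code or the poster's: the element and attribute layout it expects (`<EMET>` root, `<App Path="...">` entries with `<Mitigation Name="..." Enabled="..."/>` children) and the mitigation names in `KNOWN_MITIGATIONS` are assumed here from the shape of EMET 3.x exports, so compare them against a file you export from your own EMET before relying on the warnings. The two inline configs are constructed for the demonstration.

```python
"""Validate an EMET XML import file before importing it (added example, not EMET's code)."""
import xml.etree.ElementTree as ET

# Per-app mitigation names as assumed for EMET 3.x; the 3.5 ROP checks would be added here.
KNOWN_MITIGATIONS = {"DEP", "SEHOP", "NullPage", "HeapSpray", "EAF", "MandatoryASLR", "BottomUpASLR"}


def _as_bool(value: str) -> bool:
    v = value.strip().lower()
    if v in ("true", "1"):
        return True
    if v in ("false", "0"):
        return False
    raise ValueError(f"Enabled must be true/false, got {value!r}")


def parse_emet_config(text: str):
    """Return ({app_path: {mitigation: enabled}}, [warnings]) or raise ValueError with line/column."""
    try:
        root = ET.fromstring(text)
    except ET.ParseError as exc:
        line, col = exc.position  # the detail EMET's own error message does not give you
        raise ValueError(f"malformed XML at line {line}, column {col}: {exc}") from None
    if root.tag != "EMET":
        raise ValueError(f"root element is <{root.tag}>, expected <EMET>")
    apps, warnings = {}, []
    for app in root.iter("App"):
        path = app.get("Path")
        if not path:
            raise ValueError("<App> without a Path attribute")
        if path in apps:
            warnings.append(f"duplicate <App Path={path!r}>; later entry wins")
        mitigations = {}
        for m in app.findall("Mitigation"):
            name = m.get("Name")
            if name is None:
                raise ValueError(f"<Mitigation> under {path} has no Name attribute")
            if name not in KNOWN_MITIGATIONS:
                warnings.append(f"{path}: unrecognised mitigation {name!r}")
            mitigations[name] = _as_bool(m.get("Enabled", "false"))
        apps[path] = mitigations
    return apps, warnings


# Constructed sample in the assumed layout: one browser with everything but BottomUpASLR on.
GOOD_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<EMET Version="3.0.0.0">
  <Settings>
    <DEP Enabled="true" />
    <SEHOP Enabled="true" />
    <ASLR Enabled="true" />
  </Settings>
  <Apps>
    <App Path="*\\firefox.exe">
      <Mitigation Name="DEP" Enabled="true" />
      <Mitigation Name="SEHOP" Enabled="true" />
      <Mitigation Name="NullPage" Enabled="true" />
      <Mitigation Name="HeapSpray" Enabled="true" />
      <Mitigation Name="EAF" Enabled="true" />
      <Mitigation Name="MandatoryASLR" Enabled="true" />
      <Mitigation Name="BottomUpASLR" Enabled="false" />
    </App>
  </Apps>
</EMET>
"""

# The same file with the "/>" dropped from one tag: the mistake described in the thread.
BROKEN_CONFIG = GOOD_CONFIG.replace('<Mitigation Name="EAF" Enabled="true" />',
                                    '<Mitigation Name="EAF" Enabled="true"')

if __name__ == "__main__":
    import sys
    src = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else BROKEN_CONFIG
    try:
        apps, warnings = parse_emet_config(src)
    except ValueError as err:
        sys.exit(f"rejected: {err}")
    for path, mits in apps.items():
        print(path, "->", ", ".join(n for n, on in sorted(mits.items()) if on))
    for w in warnings:
        print("warning:", w)
```

Run `python emetcheck.py myconfig.xml` before importing; with no argument it demonstrates the broken file and prints the offending line. The unknown-name warning is the other cheap check worth having, since a misspelt mitigation name is not a well-formedness error and will not be caught by the parser alone.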
  20. DX2

    DX2 Guest

    thanks everyone.
     
  21. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    By the way, if anyone is using OpenDNS DNSCrypt, you may want to add it to EMET. I added it some time ago, and unless I'm wrong, it didn't break. :D
     
  22. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    DNSCrypt seems to be programmed with security in mind. On Linux it chroots itself and is compiled with PIE, NX, and RELRO.

    Not surprising that EMET doesn't break it.
     
  23. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Yep. :D I just hope they will make dnscrypt work in a sandbox in Windows. Considering they're conscious about security implications, and in fact make it chroot in Linux, it makes sense to make it more secure for Windows as well.

    They could see if they could make some use of Chromium's sandbox. :D
     
  24. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I don't think it needs any filesystem access but it would have to drop from root to untrusted - there'd need to be a broker process at some point.
     
  25. subhrobhandari

    subhrobhandari Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    780
    Working fine with me... Waterfox 14.01 here.
     