EMET (Enhanced Mitigation Experience Toolkit)

Discussion in 'other anti-malware software' started by luciddream, Apr 1, 2013.

  1. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Just upgraded to Windows 10 Tech Preview and all programs including EMET 5.0 came along with it nicely; however, I noticed that EMET 5.0 is not injecting the .dll into any processes despite still having the same configuration. I'm not too surprised, although it's possible that I just need to re-install EMET, but of course it's possible that it may just not support Windows 10 Tech Preview. I'll mess around with it later today and report my findings when I have a bit more time.
     
  2. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Regarding Windows 10 Technical Preview, it seems neither EMET 5.0 nor EMET 4.1 Update 1 is able to inject the .dll to provide protection, plus continuous GUI crashes as well. I also want to state that I am not complaining, as EMET does not state that it supports Windows 10 yet; I just wanted to test it out and be protected while using the Windows 10 Technical Preview. Therefore I'm not surprised. For the time being I am using MBAE Free to protect the browsers, which does seem to work perfectly well in the Tech Preview.
     
  3. emmjay

    emmjay Registered Member

    Joined:
    Jan 26, 2010
    Posts:
    1,540
    Location:
    Triassic
    Would it be appropriate to add the OpenH264 Video Codec plugin for FF33 to EMET?
     
  4. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    If you have imported the Popular Software settings into EMET already, plugin-container.exe will be protected with EMET, and I would assume that gmpopenh264.dll is run by plugin-container.exe and therefore should already be protected. I don't believe that you can add a wildcard for a .dll in EMET anyways. Regardless, it should be protected so long as plugin-container.exe is protected by EMET. Although if this OpenH264 plugin works differently in Firefox (outside of plugin-container.exe) then hopefully someone can correct me if I am wrong.
     
  5. guest

    guest Guest

    When configuring/removing apps from EMET's additional protection I sometimes get an "Error configuring application. You have a pending update, please reboot" dialog box or something along that line. The app itself is successfully configured or removed despite the warning, so no problem there. It's just annoying to see it. Has anyone experienced this as well?
     
  6. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    From paper "Test the Effectiveness of the Enhanced Mitigation Experience Toolkit Using Well-known Attacks on Well-known Binaries" (2014):
    This is a test of EMET 4.1 Update 1 on both Win XP and Win 7.

    Download paper at hxxp://ipv4.os3.nl/_media/2013-2014/courses/ot/bas_hoda.pdf .
     
  7. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    There are more papers covering ROPGuard (included in recent versions of EMET) and other EMET and non-EMET material at post #39 (and maybe later posts) in this thread.
     
  8. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    As of Build 9860, Windows 10 Technical Preview is working in perfect harmony with EMET. Initial Tech Preview release caused lots of GUI-related crashes for EMET as well as not injecting .dll into processes to protect them. Anyways, tested 4.1 Update 1 so far and working fabulously. Will test EMET 5 shortly. Now I can test and provide feedback for Windows 10 while staying protected.

    EDIT: EMET 5.0 works great on Windows 10 Tech Preview as well.

    Interesting note: On Windows 10, EMET cannot protect / inject .dll for Windows Media Player or WordPad. I confirmed wildcards/locations and even manually created rules with full path. Not that I care to use those programs, but just for sake of thorough testing. What I do wonder, though, is if this means that Windows 10 will have additional built in mitigations which may be preventing the .dll injection on these two programs.

    Internet Explorer was a mess with EMET. So much so, that I would rather not even talk about it.
     
    Last edited: Oct 22, 2014
  9. I am also running EMET 4.1.1 and added AVG LinkScanner to filter out JavaScript triggering exploit kits (tested it with a 1.5-year-old signature database and it blocked an impressive number of exploit kits https://www.wilderssecurity.com/threads/anti-exploit-testing.368806/ )
    - blocked 75% of the latest malware URLs,
    - 15% of the URLs were cleaned up (because I started from current to past malware domain entries)
    - on the last 10% EMET 5 did not trigger either (exploit did not work on the Chrome browser).
     
  10. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,868
    Location:
    Outer space
  11. new2security

    new2security Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    517
    I have disabled javascript but great suggestion, thanks.
     
  12. zakazak

    zakazak Registered Member

    Joined:
    Sep 20, 2010
    Posts:
    529
    But I don't use MBAE. Also KeePass handles "files" from updating itself. I believe every "common" app somehow is able to handle files and therefore might be a target for exploits. And since the emet.dll isn't really using any resources, why not just add it? Well.. that's my opinion / my thoughts, just that EMET 5.x just doesn't seem to work well with many many apps :/
     
  13. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    EMET works against only certain types of exploits. An introduction to exploits is found at hxxp://badishi.com/on-vulnerabilities-exploits-and-shellcodes/ .
     
  14. rm22

    rm22 Registered Member

    Joined:
    Oct 26, 2014
    Posts:
    357
    Location:
    Canada
    I'm running win7 64 bit and had the same experience. Tried EMET for the first time 2 weeks ago installing 5.0 - no apps work with EAF or StackPivot enabled with/without deep hooks. After downgrading to EMET 4.1 last week I haven't had any problems yet - set to max security and deep hooks enabled.

    I do have a few questions though...

    The RAM used after boot up was ~830 meg prior to installing EMET - now it's up to ~1 gig after boot up. My initial changes were just DEP "always on" (from "opt in") and SEHOP "opt out" (from "disabled"). Is it normal to see that much of a RAM increase?

    EMET install notes recommend not using it for security software. So does this mean I should set DEP to "opt out", add my AV and firewall in the apps tab and deselect everything - or should I just leave DEP set to "always on" and not add my AV or firewall to the apps tab? I have the latter now and haven't noticed any issues.

    Do I just need to add the main executable for most apps? I know I need to add plugin-container for Firefox, but for Skype for example, there's also skypebrowserhost.exe and updater.exe - should I add these as well?
     
  15. 142395

    142395 Guest

    IMO not so weird.
    Other security software like AV or HIPS affects the conditions for conflicts; in fact I found (and reported in the Emsi forum) that Online Armor causes some EAF crashes if it monitors those apps.
    So I believe now anyone trying to report conflicts has to include not only what OS they use but also what security software, especially AV, BB & HIPS (not limited to anti-exploit).

    Just as a potential FYI, here's a list of AVs which have any kind of behavior-based anti-exploit I'm currently aware of, so potentially more possibility of conflicts, though not always the case.

    ESET ver 7+
    F-Secure (all products which have DeepGuard 6.0+)
    G-Data (don't know which version)
    KIS 2013+
    Norton 2010+
    Panda Cloud v2.2+

    If you know another one, or any other helpful info, please add them.
     
  16. 142395

    142395 Guest

    As MrBrian said, EMET protects apps only from certain kinds of exploits, i.e. memory corruption with arbitrary code execution such as buffer overflow or use-after-free.
    In crypto software, usually exploit means e.g. chosen-plaintext attack or side-channel attack, which EMET doesn't protect against.
    And that's just an example; there are still other vulnerabilities & exploits, like cookie theft or security bypass, which again EMET doesn't protect against.

    However, theoretically adding those apps to EMET still might make sense―only a bit.
    E.g. as you suggested, an attacker might crack your favorite app's update server and insert an exploit―but in such a case it's more straightforward for the attacker to just send malware mimicking the app.
    Or if you have sophisticated malware on your machine, it might try a local exploit e.g. to get admin privilege.
    But in that scenario it is more common to exploit Windows, and if malware is on your system, it has other options anyway.
    I think such an exploit, even if it occurred, only affects targeted attacks, especially APT, and in that scenario EMET's value is very limited.
     
  17. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,207
    I installed EMET 5 today. I read problems people are having with its mitigations and strangely I have none of them. Seems like a piece of cake easy piecy software on my Win7 64 bit home prem computer. I imported the 'Popular Software' xml. I don't see any noticeable difference in boot up time.

    AppGuard seemingly has no problems with it. Of course, as usual with security apps, you don't add them to AG settings unless it is reported to be needed. Which it is not. No AG reports are increased and no mention of EMET5.

    Sandboxie settings I changed back to forced programs for Chrome, Firefox and Acrobat reader after reading that desktop shortcut icon starts might not have sandboxed instances mitigated. Yes I read one post what was needed to put into those icons, but too lazy for that. So I made those programs forced. I added latest FlashPlayerPlugin_xxxx to EMET though it is maybe not necessary.

    Chrome works just fine. Starts fast and has all mitigations set except EAF+ and ASR that are off by default.

    Firefox starts sandboxed quite slow and that is because of EMET, it slows it down. It has all mitigations except ASR from the default profile. But the sandboxed instance then runs fine and same it seems as before EMET. It is just starting slow. Perhaps also AcrobatReader starts slower than before, but not much of an issue.

    Perhaps people who have problems are running some hips type of software or some other security stuff that conflicts, needing to turn off mitigations.
     
  18. Sealord

    Sealord Registered Member

    Joined:
    Jun 26, 2006
    Posts:
    46
    Interesting to see your list of AVs.

    My observations.

    ESET NOD32 - seems to work fine with EMET 5.0.
    F-Secure AV - default Deepguard settings cause major issues with EMET 5.0
    Solution:
    Deepguard - select 'Use the Compatibility Mode'. Note - they say it lowers security. OTH you're using EMET.
    In EMET 5.0 EAF+ is OK in Firefox but delete advanced rules [eg: mozjs.dll;xul.dll] otherwise Firefox start-ups are very slow.
    Otherwise select all mitigations in Firefox except ASR, as recommended by MS.
     
  19. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,207
    Thank you for that information. Yes Firefox starts slow and I might delete what you recommend in your advice if it starts to bother me. Those are found by Apps icon on the EMET GUI and in the popping window selecting firefox.exe and clicking Show All Settings and in the 'Export Address Table Access Filtering Plus' deleting those modules.

    Avast 2014 also seems to work fine, though I have not allowed hardening settings as they don't work so well with Sandboxie (betas). No idea if they could conflict with EMET5.

    EDIT:
    I tested the removal of those 2 dlls and Firefox startup speeds up a lot. So it is an option to make FF start faster. When you tweak an application's settings like that, you can always get the MS recommended "factory" settings back by importing the profile 'Popular Software', or you can export your current settings too to get them back easily if wanted.

    Chrome does not have EAF+ mitigations enabled by default, and in Firefox too, guarding those 2 dlls slows down the startup very much. I am questioning myself whether I will have any EAF+ mitigations when I delete those modules.
     
    Last edited: Oct 27, 2014
  20. Sealord

    Sealord Registered Member

    Joined:
    Jun 26, 2006
    Posts:
    46
    Your post 765 hits the nail on the head. Whether EMET 5.0 works fine seems to depend on the AV [or other security software] in use and whether the same needs to be or can be adjusted in its settings.

    1-Chrome can work with EAF+ enabled as far as I can see. Try it - it may work for you.
    2-As far as modules in Firefox, for example, see EMET 5.0 User Guide [under Help] Page 11 - 4 bullet points. Last two bullet points seem to depend on the modules inserted in the additional mitigations. Also see page 22. So without any modules added, seems only part EAF+ operates.
     
  21. rm22

    rm22 Registered Member

    Joined:
    Oct 26, 2014
    Posts:
    357
    Location:
    Canada
    Or are our settings in EMET different? I have Avast 2014 (hardened mode - aggressive) and Online Armor 7 running on win7 64 bit. When I tested EMET 5 my settings were

    DEP - always on
    SEHOP - opt out
    ASLR - opt in
    deep hooks - tested both on & off

    Jarmo P/142395 - what do you have DEP, SEHOP, ASLR set to, and what do you set for your AV & firewall in EMET - nothing? Add them to the apps list and deselect all mitigations?

    Also any comments on this question - I can't find any info on this...
     
    Last edited: Oct 28, 2014
  22. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,207
    What is it with this forum now? I need to allow XHR stuff in HTTPSB to be able to reply here. Wilders spying on us?

    Anyways to your question rm22:

    If you had read my first post in this thread you should have realized that I have not made any custom settings to those you asked, they are just like in Guide page 16 (page 19 in reader page selector). And the mitigations are from importing popular software profile.

    What is not so obvious from my post and justifies your question is the EMET settings for my security software. The answer is no settings for Avast, Sandboxie, TinyWall or AppGuard. The only addition to the imported profile is the mentioned Flash plugin. It has EAF+ and ASR disabled from mitigations; that setting comes as a default I think with recommended security settings.

    As told, I don't have Avast hardened mode on. It gives me popups with Sandboxie processes and that is not acceptable to me. It might be possible that happens only with the new Sandboxie betas that one has been forced to use with the latest updates to the Chrome and Firefox browsers. If that hardened mode is not the culprit for your troubles, as we have the same Windows system, then it must be, and I do suspect it is, OA.

    To Sealord:
    Thank you again for your post. In Guide page 8 (11 in reader page selector as you said) yes it is told: "The actions described in the last two bullet points require users to specify a set of modules that will be used for validation; if no modules are specified, these two actions will be ignored."
     
    Last edited: Oct 28, 2014
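    The posts from Sealord and Jarmo P above (EAF+ modules mozjs.dll;xul.dll in the Firefox profile, the user guide note that the module-dependent EAF+ actions are ignored when no modules are listed, and the question of what EAF+ is left with after deleting those modules) can be checked against an exported profile rather than by clicking through the GUI. The script below is an added example, not code from the thread or from Microsoft: it parses a profile in the shape of an EMET 5 XML export, reports each application's EAF+ state and module list, flags apps where EAF+ is on but has no modules, and performs the module removal described in the thread. The element and attribute names in the embedded sample are an assumption about the export format, so compare them with a profile exported from your own EMET installation.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like an EMET 5 exported profile; the element and
# attribute names are an assumption (compare with your own GUI export).
SAMPLE_PROFILE = """<EMET Version="5.0">
  <EMET_Apps>
    <AppConfig Path="*\\Mozilla Firefox" Executable="firefox.exe">
      <Mitigation Name="EAF" Enabled="true" />
      <Mitigation Name="EAF+" Enabled="true">
        <eaf_modules>mozjs.dll;xul.dll</eaf_modules>
      </Mitigation>
      <Mitigation Name="ASR" Enabled="false" />
    </AppConfig>
    <AppConfig Path="*\\Google\\Chrome\\Application" Executable="chrome.exe">
      <Mitigation Name="EAF+" Enabled="false" />
    </AppConfig>
    <AppConfig Path="*\\Skype\\Phone" Executable="Skype.exe">
      <Mitigation Name="EAF+" Enabled="true" />
    </AppConfig>
  </EMET_Apps>
</EMET>
"""

def eafplus_report(profile_xml):
    """Map each executable to (EAF+ enabled?, list of validated modules)."""
    report = {}
    for app in ET.fromstring(profile_xml).iter("AppConfig"):
        enabled, modules = False, []
        for mit in app.findall("Mitigation"):
            if mit.get("Name") == "EAF+":
                enabled = mit.get("Enabled", "false").lower() == "true"
                modules = [m for m in mit.findtext("eaf_modules", "").split(";") if m]
        report[app.get("Executable")] = (enabled, modules)
    return report

def eafplus_without_modules(profile_xml):
    """Executables with EAF+ on but no module list: per the user guide the
    module-dependent checks are ignored, so EAF+ runs only partially there."""
    return sorted(exe for exe, (on, mods) in eafplus_report(profile_xml).items()
                  if on and not mods)

def drop_eafplus_modules(profile_xml, executable, to_drop):
    """Return the profile with the given modules removed from one app's EAF+
    list (the GUI edit described in the thread for faster Firefox startup)."""
    root = ET.fromstring(profile_xml)
    for app in root.iter("AppConfig"):
        if app.get("Executable") != executable:
            continue
        for node in app.findall("Mitigation[@Name='EAF+']/eaf_modules"):
            kept = [m for m in (node.text or "").split(";") if m and m not in to_drop]
            node.text = ";".join(kept)
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    for exe, (on, mods) in eafplus_report(SAMPLE_PROFILE).items():
        print(f"{exe}: EAF+ {'on' if on else 'off'}, modules={mods or '(none)'}")
    print("EAF+ on but no modules:", eafplus_without_modules(SAMPLE_PROFILE))
    trimmed = drop_eafplus_modules(SAMPLE_PROFILE, "firefox.exe", {"mozjs.dll", "xul.dll"})
    print("after trimming Firefox:", eafplus_without_modules(trimmed))
```

    Running it on the sample shows Firefox moving into the "EAF+ on but no modules" list once mozjs.dll and xul.dll are dropped, which is exactly the partial-EAF+ state Sealord describes.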
  23. 142395

    142395 Guest

    Hi rm22, thanks for your comment in the Emsi forum.;)
    Well, my current settings must differ a lot.
    My system setting is Always On - Opt Out - Always On, and Deep Hooks, Anti Detours and Banned Functions are On.
    And my app rules are highly modified since I also use MBAE, and I let MBAE protect the most targeted apps (browser, Adobe Reader, Office...) and let EMET protect the others, though there are some exceptions such as Firefox (I want to use Sandboxie but currently it's incompatible with MBAE).

    However, I remember that even just after importing Popular Software.xml, there were not so many issues.
    IE & Firefox launch was somewhat slow, but it was addressed after I disabled EAF (I kept EAF+ enabled that time).
    Also Adobe Reader didn't launch until I unchecked EAF (again, EAF+ enabled).
    That's all I noticed.

    I think OA can be the culprit, though Fabian said it's compatible as long as you use Recommended settings (not Popular Software).
    Currently I have uninstalled OA for another reason.
     
  24. 142395

    142395 Guest

    It seems it's just XHR within the same exact domain (www.wilderssecurity.com).
    No other request observed except my Chrome addons' one and Chrome's DNS request.
    Maybe someone with more knowledge can explain better.

    [EDIT]
    Looked at the source and it seems HTTPSB detected a request from thread/brabra to post/brabrabra as XHR?
    Though it's not a cross-site HTTP request in the exact meaning.
     
    Last edited by a moderator: Oct 28, 2014
  25. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Generally, yes, you only need to add the main executable. In theory, the main executable in this case, skype.exe, likely calls upon skypebrowserhost.exe and updater.exe and therefore they should be protected. Personally, I would just add the skype.exe file. However, you could add the others if you feel it necessary. Or for curiosity's sake, I would add skype.exe and then watch/refresh the Running Processes list in EMET, even manually try to update Skype from within the Skype program and refresh the Running Processes list in EMET again to see if those extra two processes come up as protected; under Running, EMET will show the green checkmark if they are protected. That will give you an idea. If they come up not showing as protected, then you could go ahead and protect them within EMET manually. Unfortunately I don't use Skype so I am not able to test this or go into more precise detail. But let us know how it goes and others here may be curious as well. Depending on how the main executable spawns the other processes, they should be protected by EMET.

    Also, essentially, you really only need to add Internet-facing program executables to EMET. Particularly ones which are known to be actively (or in the past) used for exploits.

    As mentioned here (http://support.microsoft.com/kb/2909257/en-us), you may need to uncheck EAF if Skype fails due to EMET. But every system is different, so you'll just have to try and see how it goes.
     