EMET (Enhanced Mitigation Experience Toolkit)

Discussion in 'other anti-malware software' started by luciddream, Apr 1, 2013.

  1. test

    test Registered Member

    Joined:
    Feb 15, 2010
    Posts:
    499
    Location:
    italy
    confirmed!

    ProcessHacker: disabled, Permanent
    ProcessExplorer: DEP ??

    http://postimg.org/image/yky5gd31z/
     
  2. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    EMET just punched a big hole in your security. If you uninstall EMET you are stuck with this issue forever!

    If apps now try to call SetProcessDEPPolicy, DEP still cannot be enabled as the API fails since DEP is disabled permanently due to the problem caused by EMET.

    That weird display in Process Explorer is actually a bug in Process Explorer.
    Process Hacker shows it correctly. Also Task Manager displays the same DEP status as Process Hacker. I've been tweeting this a few hours ago: https://twitter.com/erikloman/status/582188559119060992
     
  3. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    I did not turn DEP off. I just switched it in EMET from AlwaysOn to Opt In. The problem occurs on Windows 8 only.
     
  4. test

    test Registered Member

    Joined:
    Feb 15, 2010
    Posts:
    499
    Location:
    italy
    I've to check if playing *only* with the Quick Profile Name reproduces the bug...
     

  5. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Just tried EMET 4.1 Update 1 on Windows 8. Also suffers from the same issue.

    I will contact the EMET team so that they can address the problem.
     
  6. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    No, you're not stuck with it forever. Only till it is reset via BCDEdit.

    Sorry, but I don't buy your argument. This is a Windows problem, not an EMET problem. Once DEP is set to always on by any means, it can only be reset via BCDEdit. That is the problem.

    Resetting DEP in EMET to opt-in from always on only affects EMET, not the system setting for DEP. If you uninstall EMET with DEP set to always on, system DEP remains always on and cannot be reset via the Control Panel option. Further, setting DEP always on is not an MS recommended setting for EMET. Additionally, setting DEP always on is not the default setting for it on any Windows OS I know of.

    Bottom line - DEP should only be set to always on by someone who knows what they are doing and what the repercussions are; not by your average user.
     
  7. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    If you've been fiddling with the settings and have either set DEP to Application Opt In or changed the Quick Profile back to Recommended, then 32-bit processes have DEP disabled permanently.

    I do not see why this is not an EMET issue. It is EMET that is making an invalid registry setting. It cannot be overridden by bcdedit either, I just checked:

    bcdedit.png

    The problem is the MitigationOptions registry value. Uninstalling EMET does NOT help. You must delete the MitigationOptions registry value to resolve.

    Nobody is aware of this issue. Windows 8 users using EMET *may* run with DEP permanently disabled without knowing.

    I ran into this issue myself. I hardly consider myself an average user; I know what I am doing. I was unaware of the side effect that DEP gets turned off completely when fiddling with the settings and then going back to the Recommended profile.

    This is a real issue.
     
    Last edited: Mar 29, 2015
  8. ropchain

    ropchain Registered Member

    Joined:
    Mar 26, 2015
    Posts:
    335
    Time to reverse engineer EMET? :)
     
  9. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
  10. ropchain

    ropchain Registered Member

    Joined:
    Mar 26, 2015
    Posts:
    335
  11. badsector

    badsector Registered Member

    Joined:
    Oct 7, 2014
    Posts:
    51
  12. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Yes. Windows 8 only.
     
  13. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    I still think the problem is related to setting DEP to always on.

    Try this scenario. Instead of switching from Always On to Opt In using EMET, do so using BCDEdit. BCDEdit should work:

    Open an elevated command prompt (i.e. run CMD as admin), type the following and press Enter:

    bcdedit.exe /set {current} nx OptIn

    If it says operation completed successfully, then restart the PC and DEP should be enabled.

    If it gives you a different message, then you probably need to temporarily disable secure boot before trying again.

    Ref: https://social.technet.microsoft.co...ngs-settings-locked-out-after-emet?forum=emet

    After reboot, open EMET and it should show the DEP option as Opt In. Then uninstall EMET and check to see if DEP is indeed set to Opt In.

    To Verify the Status of DEP

    A) In the command prompt, type in bold below and press Enter. (See screenshot below table)

    wmic OS Get DataExecutionPrevention_SupportPolicy

    B) You will get a number (see table below) that will tell you the status of DEP.

    C) Close command prompt when done.

    Note 2 is the default setting.

    Number   Setting     Description                                                                 Status

    blank    AlwaysOff   DEP is disabled for all processes.
    1        AlwaysOn    DEP is enabled for all processes.
    2        OptIn       Only Windows system components and services have DEP applied.              Default setting
    3        OptOut      DEP is enabled for all processes. Administrators can manually create a list of specific applications which do not have DEP applied.
    http://www.vistax64.com/attachments/tutorials/2392d1370210831t-dep-enable-disable-verify_dep-jpg?s=6c67f6dcd0db11d9ffe54d954928767c

    Ref: http://www.vistax64.com/tutorials/120778-dep-enable-disable.html
     
    Last edited: Mar 30, 2015
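A small script that automates the verification step of the procedure above, written as an added example for this thread rather than anything posted by itman or shipped with EMET. It parses the text printed by `wmic OS Get DataExecutionPrevention_SupportPolicy`, maps the number to the table's setting names, and treats an empty value column the same as the documented WMI value 0 (AlwaysOff). The sample outputs embedded in the script are constructed, not captured from a real machine; `read_dep_policy()` only queries the live machine when run on Windows.

```python
import subprocess
import sys

# Meaning of Win32_OperatingSystem.DataExecutionPrevention_SupportPolicy,
# following the table in the post above. 0 is the WMI-documented code for
# AlwaysOff; the post shows it as a blank value, so both forms are accepted.
DEP_POLICIES = {
    0: ("AlwaysOff", "DEP is disabled for all processes."),
    1: ("AlwaysOn", "DEP is enabled for all processes."),
    2: ("OptIn", "Only Windows system components and services have DEP applied (default)."),
    3: ("OptOut", "DEP is enabled for all processes except an administrator-defined exception list."),
}


def parse_dep_policy(wmic_output):
    """Return (code, name, description) from the text printed by
    'wmic OS Get DataExecutionPrevention_SupportPolicy'.

    wmic prints the column header on one line and the value on the next,
    padded with trailing spaces. An empty value line is read as AlwaysOff."""
    lines = [ln.strip() for ln in wmic_output.splitlines()]
    while lines and not lines[0]:          # skip blank lines before the header
        lines.pop(0)
    if not lines or lines[0].lower() != "dataexecutionprevention_supportpolicy":
        raise ValueError("unexpected wmic output: %r" % wmic_output[:60])
    value = lines[1] if len(lines) > 1 else ""
    code = 0 if value == "" else int(value)
    if code not in DEP_POLICIES:
        raise ValueError("unknown DEP policy code %d" % code)
    name, description = DEP_POLICIES[code]
    return code, name, description


def dep_is_default(code):
    """True when the machine is back at the OptIn default the post expects
    after 'bcdedit /set {current} nx OptIn' and a reboot."""
    return code == 2


def read_dep_policy():
    """Query the live machine (Windows only) and return (code, name, description)."""
    if not sys.platform.startswith("win"):
        raise RuntimeError("wmic is only available on Windows")
    result = subprocess.run(
        ["wmic", "OS", "Get", "DataExecutionPrevention_SupportPolicy"],
        capture_output=True, text=True, check=True)
    return parse_dep_policy(result.stdout)


# Constructed sample outputs in the shape wmic prints (not real captures).
SAMPLE_OPTIN = "DataExecutionPrevention_SupportPolicy  \n2                                      \n\n"
SAMPLE_ALWAYSOFF_BLANK = "DataExecutionPrevention_SupportPolicy  \n                                       \n\n"

if __name__ == "__main__":
    for sample in (SAMPLE_OPTIN, SAMPLE_ALWAYSOFF_BLANK):
        code, name, desc = parse_dep_policy(sample)
        print("%d %-9s %s" % (code, name, desc))
    if sys.platform.startswith("win"):
        code, name, desc = read_dep_policy()
        print("live:", code, name, "(default)" if dep_is_default(code) else "(non-default)")
```

Run it from an elevated prompt after the reboot; a result other than `2 OptIn` means the bcdedit change did not take, which is the case where the post suggests temporarily disabling Secure Boot and retrying.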
  14. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Thinking about this EMET DEP issue a bit more, what the uninstaller minimally should do is reset system DEP back to its default opt-in value and force a reboot. Ideally, EMET should store the system DEP value in place at EMET install and restore that value.

    Since MS hasn't done this to date, doubt they will be open to doing so now.
     
  15. 142395

    142395 Guest

    Thanks itman for your thorough testing and research about cert pinning issue, I'm much appreciated!
    I was busy this week so couldn't test enough, but I use LUA and always InPrivate mode. I will test Chrome too (I added chrome.exe to EMET_CE).
     
  16. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    I just noticed something that could be related to the Cert. pinning problem I wrote of previously. Appears my bank web site doesn't support IE x64. I observed via EMET GUI that IE x86 was running when I was connected to that site. IE will switch auto mode to x86 if the site doesn't support x64.

    This means that the x86 .dll for EMET cert. pinning is being injected and used in IE. Appears that .dll is somehow getting confused perhaps by the prior IE x64 EPM settings?
     
  17. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Eureka! I am getting very close to this cert. pinning problem in WIN 7. Let's say at this point, it appears MS has done a good job of "borking" EMET to accommodate WIN 8.

    Here is an excerpt:

    In the Windows 8 Release Preview, if you enable Protected Mode for the Local Intranet and Trusted Zones, even if you enable EPM, the Intranet and Trusted Zones will run in 32bit LowIL rather than a 64bit AppContainer.

    From this: http://blogs.msdn.com/b/ieinternals...rk-security-addons-cookies-metro-desktop.aspx

    I would advise reading the entire article.

    So I did another test. I removed my bank site from the Trusted Zone in IE 10 x64 w/EPM on for WIN 7 x64. I then connected via IE 10 x64 to that web site. I checked in the EMET GUI what was running. Guess what? IE in x64 mode. So the above excerpt doesn't just apply to WIN 8 but also to WIN 7!

    Bottom line at this point with all this testing ......... EMET cert. pinning presently doesn't work right with EPM enabled. As far as I can determine, it never has worked right with EPM enabled. So my work around of entering your web sites in the Trusted zone in IE x64 is the only alternative. Or, only access your financial web sites in IE x32 if you want certificate pinning to be 100% functional.

    Additionally, be fully advised that if you're entering HTTP sites into the Trusted zone as a matter of convenience, they are running w/EPM off if you're using IE x64.
     
  18. 142395

    142395 Guest

    I confirmed on IE that, as itman proved, I can't get a warning about cert pinning when I run IE under LUA, but if I run it as admin, it correctly warned and blocked.
    But I don't get its behavior on Chrome. Regardless of whether I run it under LUA or admin, it didn't block access to the site. I use a Google site for checking, so I made incorrect Google CA rules. But when I launched Chrome, EMET warned about some Google related sites such as translate.googleapis.com, clients4.google.com, and safebrowsing.google.com. We know those are behind-the-scenes connections by Chrome, but it didn't warn about https://www.google.com when I connected to it.
     
  19. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Chrome does have its own root certificate checking: https://www.chromium.org/Home/chromium-security/root-ca-policy . It's hash based and, from what I have read, not as effective as the one in EMET. Is it possible that Chrome's cert. checking is interfering with that being done by EMET?

    Then there is the question of trying to validate Google's home page. If you look at the default rules in EMET, the logon page for Yahoo, etc. are defined but nothing for its home page. I also know in IE's case, its tracking protection can downgrade an HTTPS site to HTTP in certain instances.

    Personally, I believe EMET was not designed for general HTTPS verification that is in wide use today; rather secure site logon and the like.
     
  20. 142395

    142395 Guest

    I don't think it is due to conflicts with Chrome's HPKP; if so, EMET wouldn't warn against those Google subdomains which are also covered by Chrome's HPKP default rule set.
    Yes, I agree.
     
  21. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,867
    Location:
    Outer space
    I read that both @142395 and @Windows_Security use custom added modules for EAF+ and ASR, and I'm wondering if you're willing to share these because I don't have any knowledge on which modules are often exploited during an exploit attack.
     
  22. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
  23. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,867
    Location:
    Outer space
  24. LibreOffice has Basic scripting, JavaScript, BeanShell and Python as scripted content; see https://help.libreoffice.org/Common/Scripting

    You should have a look at the DLLs in LibreOffice (right click, properties) or ask someone at LibreOffice what the names of those DLLs are (remember you can use * wildcards in EMET's ASR).
     
  25. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,867
    Location:
    Outer space
    It may be a good idea to add OpenVPN to EMET's protection:
    https://community.openvpn.net/openvpn/ticket/325

    Thanks :)
     