EMET (Enhanced Mitigation Experience Toolkit)

Discussion in 'other anti-malware software' started by luciddream, Apr 1, 2013.

  1. Rolo42

    Rolo42 Registered Member

    Joined:
    Jan 22, 2012
    Posts:
    571
    Location:
    USA
    If the OS is already providing exploit protection and therefore won't show up in EMET or be logged by it if triggered (though Windows will log incidents rather than EMET). Since Microsoft makes both, I would hope this is the case but I don't know for certain.
    cf. EMET 5.5 beta User Guide

    To answer your question, WMP does not show as running EMET for me either after having added it. VLC, however, does.

    Really, though, WMP and WordPad are inferior products; why use them at all or even have them installed?
     
    Last edited: Oct 9, 2015
  2. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    For user error, sure.

    You do realise I didn't tell people to use virustotal as their primary source of defense, right? :)
    virustotal is very useful and since we can't install 56 anvirus engines on our machines it's good to have 56 other different opinions.
     
  3. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Quoted from EMET 5.5 Beta User Manual under General Mitigation Questions section:
    I thought this was interesting. I assume that this means that EMET has it's own implementation of ASLR rather than utilizing the ASLR functionality built into the OS. But what I wonder now is how much more secure EMET's implementation of ASLR is versus the OS implementation.
     
  4. Rolo42

    Rolo42 Registered Member

    Joined:
    Jan 22, 2012
    Posts:
    571
    Location:
    USA
    The purpose of EMET is to add modern security mechanisms to legacy/non-native software, not to reinvent the wheel. The User's Guide explains this.
     
  5. @Rolo42, @WildByDesign

    Thanks for checking.

    I assumed that new Windows10 binaries are developed with exploit protection in mind AND are created with new compiler thus making EMET redundant. Since EMET was announced for "propriety software", I have only put Office 2007 under protection of EMET (and explicitely added flash*.ocx;jscript*.dll;vbscript.dll to ASR protection). BTW also enabled Untrusted Fonts for Office 2007

    Regards Kees
     
  6. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,868
    Location:
    Outer space
    The Untrusted Fonts migitation sounds interesting, a pity it is only available on Windows 10.
     
  7. ropchain

    ropchain Registered Member

    Joined:
    Mar 26, 2015
    Posts:
    335
    If you're talking about CFG, yes that mitigation makes exploitation quite a bit harder, but still not impossible. Regarding EMET on Windows 10: EAF and EAF+ might still be valuable additions.
     
  8. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,207
    How to make Chrome start in SBIE DefaultBox in incognito mode and be EMET mitigated?

    As you most I hope do know, a browser main process won't get emetted unless you run the payed version of SBIE and make a browser a forced program or start it with explorer.exe.

    Currently my SBIE license has expired and I am running again the free version, and trying to be happy with it.
    I know that this will work in Chrome using the SBIE free version:

    "C:\Program Files\Sandboxie\Start.exe" explorer.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"

    I have just not been able to imbed that -incocnito flag somewhere in that to make Chrome start straight in incognito window. As I have never really bothered or forgot how these command lines work.
     
  9. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    Are you absolutely sure about this? Where can I read more about it?

    I did numerous attempts at checking if this is true, but it turns out that I couldn't exploit Firefox if I listed it on EMET apps section with every mitigation enabled (EAF+, etc).
     
  10. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,207
    You can check this by looking at the processes checked in Emet's 'Running EMET' -column. The browser main window process has a PID number that you can also see in SBIE window and it is lacking the green check-mark. Another noticeable way is to wonder why for instance Firefox starts much faster sandboxed than nonsandboxed.

    This has been posted I think various times and for sure earliest much more than a year ago in this thread. I know that most people are happy in their believe when all seems well. I have no idea about your tests, because I don't use such things myself. I totally refuse to learn any such sleazy hacking stuff myself.

    Another way to check is also using for instance a tool like Process Hacker (Process
    Explorer ... ) and look at the Modules, Threads or Environment tab. Look especially the Environment tab for EMET settings of that PID process if using that tool yourself.

    EDIT:
    With
    "C:\Program Files\Sandboxie\Start.exe" explorer.exe "C:\Program Files (x86)\Mozilla Firefox\firefox.exe"
    the Firefox will be fully EMETted also when sandboxed and the green check mark shown.
    Of course it was assumed that you have set in EMET your browser mitigations under Apps window browser specific line.
     
    Last edited: Oct 14, 2015
  11. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    For me, the green check-mark doesn't appear until I add the program itself to the custom apps rules (the list that is created after you click on the Recommended Settings, while installing EMET). It's interesting that Firefox itself doesn't appear on that list with a checkmark by default (no program will), but EMET will display that it mitigated old games like GTA III or Vice City even when they're not in the apps list.
     
  12. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    From updated Microsoft Security Research & Defense Blog:
    http://blogs.technet.com/b/srd/arch...t-emet-version-5-5-beta-is-now-available.aspx

    Much of that blog is what we already know. So I will just copy some bits here that are newer information.


    On a separate note, not related to that blog post, for any EMET user that does not already know, there are several ways to provide feedback and suggestions to the EMET team and also a support forum.
    And of course the user support forums on Technet:
    https://social.technet.microsoft.com/Forums/security/en-US/home?forum=emet
     
    Last edited: Oct 16, 2015
  13. Rolo42

    Rolo42 Registered Member

    Joined:
    Jan 22, 2012
    Posts:
    571
    Location:
    USA
    Hrmmm...in trying to deploy EMET 5.2 onto a freshly rebuilt xp machine, I kept getting "entry point not found" errors when launching Chrome and SumatraPDF...had to uninstall. (It did it even with all mitigations turned off on those two)

    It only had 512MB RAM, so had to keep it light anyway.
     
  14. ropchain

    ropchain Registered Member

    Joined:
    Mar 26, 2015
    Posts:
    335
    EMET 5.2 is not designed with Windows XP compatibility in mind, so these kind of issues can be expected from time to time.
     
  15. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    That is because the fonts mitigation is a feature of the Windows 10 kernel. EMET is providing the GUI to enable it.
     
  16. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
  17. ropchain

    ropchain Registered Member

    Joined:
    Mar 26, 2015
    Posts:
    335
  18. Rolo42

    Rolo42 Registered Member

    Joined:
    Jan 22, 2012
    Posts:
    571
    Location:
    USA
    Obviously. It's easy to say that when feasibility is ignored. It simply isn't an option in many cases in the real world.

    I may try to put EMET 4 on it and if that doesn't work, MBAE. (It's a Celeron with 512MB RAM mounted with a projector. Chromixium and Lubuntu ran terribly on it, so it remains xp.)
     
  19. Official sources say that this key is responsible for managing untrusted fonts

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\

    field name MitigationOptions, a QWORD field type (32 when on 32 bits, 64 when on 64-bits) with a complex value structure, e.g.

    See this link
    0xf0000000 = UNTRUSTED FONTS

    f =on (1), off (2), audit (3)


    This registry key seems to be used for a lot more mitigation as unoffical sources mention link (see line 1133 and down)
    0x0000000f = DEP
    0x000000f0 = SEHOP
    0x00000f00 = MANDATORY ASLR
    0x0000f000 = HEAP_TERMINATE ON CURRUPTION
    0x000f0000 = BOTTOMUP ASLR
    0x00f00000 = HA_ASLR

    f = opt-in (1), opt-out (2), all-ways on (5), disabled (6)
     
    Last edited by a moderator: Oct 25, 2015
  20. rm22

    rm22 Registered Member

    Joined:
    Oct 26, 2014
    Posts:
    357
    Location:
    Canada
    hi Jarmo P - as i'm sure you know, if you add a flag to the target you have then it just launches a sandboxed explorer.exe... chrome doesn't launch.

    the only way i've been able to use flags with SBIE(free)+EMET+chrome is to create a shortcut on your desktop with the following target
    "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" -flag
    then launch a sandboxed explorer.exe - go to 'desktop' - launch your shortcut with the flag

    this is probably more trouble then it's worth :) unless you really need the flag - such as the --no-sandbox flag. i can't get the latest chrome to run in SBIE unless i disable chrome's sandbox...

    one other note- if you remove 'explorer.exe' from your target then as you say the executable is not EMETted, but with chrome only one process is not EMETted and all of the other ones are - not sure what the process is that is not EMETted, but maybe this is an option if that process isn't vulnerable
     
  21. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,207
    Thank you for the reply

    Yes, I noticed also only explorer being launched if -incognito was put there. Currently I am just opening Chrome in a normal window, using the icon with the sequence in post #1208 and then opening from that window an incognito window and closing the normal one. Becomes a bit tedious to do in the long run.

    With the payed version of SBIE and Chrome forced to start sandboxied I somehow was able to make a starting icon for an incognito window, but not with the free one.

    Regarding your last chapter. I suspect this might be more serious, but not sure, even if only the main browser process won't be EMETed. Think that firefox.exe will not be EMETed at all without the explorer start in the sandboxed browsing. Unless you force a browser start in SBIE, a payed feature.
     
  22. rm22

    rm22 Registered Member

    Joined:
    Oct 26, 2014
    Posts:
    357
    Location:
    Canada
    that's right - i've only noticed this with chrome, but likely it's the same with any executable that has multiple processes
     
  23. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    0xF000000000000000 = UNTRUSTED FONTS mask
    0x1000000000000000 = Enabled
    0x2000000000000000 = Disabled
    0x3000000000000000 = Audit

    Check out HitmanPro.Alert 3.1 Build 328 which is also able to turn this Windows 10 feature on/audit/off via GUI.
     
  24. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    64-bit Firefox version 42 seems to be working as intended with EMET 5.5 Beta. 64-bit Firefox.exe and plugin-container.exe are being injected correctly. Also, performance seems great as well. This is my first testing of 64-bit Firefox and so I figured that I would report here that it is working well with EMET.
     
  25. Mitigation options (partly official, party reveiled undocumented options)

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\

    field name MitigationOptions, a QWORD field type (32 when on 32 bits, 64 when on 64-bits) with a complex value structure, e.g. See this official link

    0xF000000000000 = UNTRUSTED FONTS

    F (flag) =on (1), off (2), audit (3)

    Enabled (1), meaning stop any font processed using GDI from loading outside of the %windir%/Fonts directory.


    This registry key seems to be used for a lot more mitigation as unoffical sources mention see this unofficial link (scroll to line 1133 and down)

    0x000000000000F = DEP
    0x00000000000F0 = SEHOP
    0x0000000000F00 = MANDATORY ASLR
    0x000000000F000 = HEAP_TERMINATE ON CURRUPTION
    0x00000000F0000 = BOTTOMUP ASLR
    0x0000000F00000 = HA_ASLR

    F = opt-in (1), opt-out (2), all-ways on (5), disabled (6)


    These system wide settings can be changed through regedit, without using EMET (e.g. to use Untrusted Fonts protection on windows10 ):

    upload_2015-11-7_10-20-38.png

    I first checked whether processes and DLL's were ASLR enabled (with ProcessExplorer) before setting "MANDATORY ASLR" all-ways on.
     
    Last edited by a moderator: Nov 7, 2015
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.