Free Microsoft security tool Enhanced Mitigation Evaluation Toolkit locks down apps

Discussion in 'other security issues & news' started by MrBrian, Mar 7, 2010.

Thread Status:
Not open for further replies.
  1. Boyfriend

    Boyfriend Registered Member

    Joined:
    Jun 7, 2010
    Posts:
    1,070
    Location:
    Pakistan
    After EMET version 2 installation, there is EMET 2.0 GUI to set opt-in/out settings.
    DEP should not be grayed out. Something is surely interfering in your setup.
     
  2. yeow

    yeow Registered Member

    Joined:
    Dec 11, 2006
    Posts:
    225
    Boyfriend, thanks for your reply :)

I'm using EMET v2.0. But I can't find the GUI to set opt-in/out, e.g. for SEHOP opt-out. Or do you mean it's the "Configure Apps" button at the bottom right corner?

    As for my DEP settings (in windows performance options) being grayed out, I wonder is it because I have DEP set to Always ON in EMET? I could try another setting to see but since reboot is required, I'll have to wait since I'm doing some video encoding right now...
     
  3. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
    Just noticed mine and it's the same, DEP is now grayed out with no selection. Doesn't a PC have to have hardware support for this type of DEP setting?
     
  4. yeow

    yeow Registered Member

    Joined:
    Dec 11, 2006
    Posts:
    225
    Greg S, do you have EMET set to DEP Always ON? Could be the reason since I have that setting too.

Boyfriend, please ignore my confusion about the missing GUI to opt-in/out. I've been using it all along (!), but thought wrongly that there would be one for SYSTEM, one for APPS.
     
  5. yeow

    yeow Registered Member

    Joined:
    Dec 11, 2006
    Posts:
    225
Can someone help clear things up for me? I'm using Win7 x64 Home Prem, and not too clear about things. :)

    Before installing EMET, I had set DEP ON for all programs & services. Read that Win7 already has ASLR (default ON?)

    Q1: When I install EMET, at max setting ASLR is "Opt-In". Is it default OFF now?

    Q2: But when I start some programs I did not configure in EMET, I see in Process Explorer they do have ASLR?

    Q3: So EMET's ASLR is not same as Win7's own ASLR? EMET's different as it includes NullPage, Heapspray, EAF?

    TIA
     
  6. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
Yes I do. Even though the DEP option is grayed out in Win 7's Performance dialog, Task Manager shows that DEP is on for most all programs/processes listed in it.
     
  7. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Without EMET, developers have to do certain things in order for their applications to use ASLR. That's what "Opt-In" refers to, and that's why you see Process Explorer showing certain programs as using ASLR. If you force ASLR on (with EMET) for a given program that otherwise wouldn't use ASLR, Process Explorer won't show the program as using ASLR. All of this is covered in the document distributed with EMET.
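The "opt-in" MrBrian describes is a flag the linker writes into the executable's PE header (DllCharacteristics: DYNAMIC_BASE for ASLR, NX_COMPAT for DEP), and a tool like Process Explorer reports ASLR from that flag rather than from what the loader actually did. The following Python script is an added example, not code from the thread or from EMET: it parses those header flags from a PE image and builds a constructed, header-only image to exercise the parser. The flag values are from the PE/COFF specification; `build_minimal_pe` is a test helper of this example, not a loadable binary.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* bits from the PE/COFF specification
HIGH_ENTROPY_VA = 0x0020   # 64-bit high-entropy ASLR
DYNAMIC_BASE    = 0x0040   # ASLR opt-in (linker /DYNAMICBASE)
NX_COMPAT       = 0x0100   # DEP opt-in (linker /NXCOMPAT)
NO_SEH          = 0x0400   # image declares it uses no SEH handlers


def dll_characteristics(data: bytes) -> int:
    """Return the DllCharacteristics word of a PE image, or raise ValueError.

    Every offset is bounds-checked before use so a truncated or hostile file
    produces a clean error instead of an exception from struct.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # signature (4) + COFF header (20) + at least 72 bytes of optional header
    if e_lfanew + 4 + 20 + 72 > len(data):
        raise ValueError("truncated PE header")
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = e_lfanew + 4 + 20                      # optional header follows COFF header
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):              # PE32 or PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics is at offset 70 in both PE32 and PE32+ optional headers
    (chars,) = struct.unpack_from("<H", data, opt + 70)
    return chars


def mitigation_optins(data: bytes) -> dict:
    """Summarise which mitigations the image opted into at link time."""
    c = dll_characteristics(data)
    return {
        "aslr": bool(c & DYNAMIC_BASE),
        "dep": bool(c & NX_COMPAT),
        "high_entropy_va": bool(c & HIGH_ENTROPY_VA),
        "no_seh": bool(c & NO_SEH),
    }


def build_minimal_pe(chars: int, pe32plus: bool = False) -> bytes:
    """Constructed header-only PE image for testing (hypothetical, not loadable)."""
    opt_size = 112 if pe32plus else 96           # optional header without data directories
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH",
                       0x8664 if pe32plus else 0x14C,  # Machine
                       0, 0, 0, 0,                     # sections, timestamp, symtab, nsyms
                       opt_size,                       # SizeOfOptionalHeader
                       0x0102)                         # EXECUTABLE_IMAGE | 32BIT_MACHINE
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, chars)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    opted_in = build_minimal_pe(DYNAMIC_BASE | NX_COMPAT)
    legacy = build_minimal_pe(0, pe32plus=True)
    print("opted-in image :", mitigation_optins(opted_in))
    print("legacy image   :", mitigation_optins(legacy))
```

Run it against a real file by passing `open(path, "rb").read()` to `mitigation_optins`. An image that reports `aslr: False` here is exactly the kind of program EMET's "Mandatory ASLR" forces to relocate anyway; the header flag stays clear, which is why Process Explorer still shows it as not using ASLR.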
     
  8. yeow

    yeow Registered Member

    Joined:
    Dec 11, 2006
    Posts:
    225
    Hi MrBrian :)

    I've read the Users Guide 4-5 times over (admittedly too quickly :oops: ) but couldn't find the answers. Your post is most informative to me, thanks!

    Just to clarify:
Q4: So for ASLR, even if we didn't "opt-In" using the EMET GUI, the program WILL still be covered by Win7 ASLR if it is possible?

Q5: But for DEP & SEHOP, if we didn't "opt-In" using the EMET GUI, the program WILL NOT be covered by DEP & SEHOP?

    ---------------------

    Hi Greg S,

    Setting EMET's DEP to "opt-out" will bring DEP settings in windows performance options back to normal (since it matches the Win7 settings).
     
  9. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Q4: If the developer opted in correctly, then even without EMET a program will use ASLR.

    Q5: DEP and SEHOP can also be set system-wide by other means besides using EMET. See https://www.wilderssecurity.com/showthread.php?t=270357 for example.
     
  10. yeow

    yeow Registered Member

    Joined:
    Dec 11, 2006
    Posts:
    225
    MrBrian, Thank you!
     
  11. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
Thanks! I switched to opt-out, did the reboot to a system crash, lol. Chkdsk did its blessing and all booted up on the second go round. Got a question: if DEP is on for IE8 and IE8 has been added to EMET configurable apps with DEP being unchecked in EMET, does the performance/DEP tab in Advanced System Properties add IE8 as an exclusion? So far for me, I'm seeing this EMET thingy as useless and not needed. DEP can already be turned on for all programs and services with exclusions added in the DEP tab. SEHOP can be added via registry and if I'm not mistaken ASLR is already on for IE8. As for the middle check mark options in EMET configurable apps, I've already commented on my bad experiences with them being checked for net facing apps. Not trying to bash this EMET but personally I don't think I need this smoke and mirrors security extra.
     
  12. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  13. dlimanov

    dlimanov Registered Member

    Joined:
    Jun 10, 2009
    Posts:
    204
    It looks like EMET is having a hard time protecting against Java-based Neosploit exploit pack; I've tested on an XP VM fully EMETed (all Acrobat and Java executables as well as all the suggestions found here -- scroll down for SuperEMET.bat comment), yet an exploit pack succeeded and installed a rogue AV and dropped a TDSS rootkit on top.
    Here's an image of VM in question, note how pretty much everything is DEPed, including Acrobat's A3Dutility.exe, yet a rogue AV is in full force.
    http://i52.tinypic.com/k4yy9y.png
     
    Last edited: Nov 16, 2010
  14. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    From Testing exploits against systems running Microsoft EMET:
    This link was already posted by Dogbiscuit in the EMET v2.0.0.3 thread, but those who skipped that thread will have missed it.
     
  15. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
I'm unsure why you're surprised considering you're using XP, the tool can't perform at its full functionality.

Nice link, I just started using EMET today after reading it. Keeping it on my browser, flash player, and PDF reader only at the moment though. I don't see the need for adding anything else to it at this moment.
     
  16. trismegistos

    trismegistos Registered Member

    Joined:
    Jan 29, 2009
    Posts:
    363
    A possible bypass of EMET?
    Bypassing Browser Memory Protections... hxxp://taossa.com/archive/bh08sotirovdowd.pdf
     
    Last edited: Dec 19, 2010