EMET - A new Windows security mitigation toolkit

Discussion in 'other software & services' started by Mrkvonic, Dec 17, 2010.

Thread Status:
Not open for further replies.
  1. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses

    Okay, I have added the 2nd EMET exe to my rule set and made sure the reporting/logging is turned on.

    Now we wait...

    FWIW, I use W7 64 bit, OP FW Pro 7.1
     
  2. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses

    Well I still have zero log entries for this exe.


    Next time you see the pop up maybe you could provide the details.

    I have an open mind but am doubtful with no data.

    Will continue tracking.
     
  3. sbseven

    sbseven Registered Member

    Joined:
    Jan 30, 2011
    Posts:
    140
    Attached is what I logged from the Windows Firewall. I got four similar entries when I opened the EMET GUI (v2.0.0.3). The IPs are all Akamai servers as I've said previously.

    Note, I've never specified a firewall rule for EMET and hence it's never connected successfully to the internet since it was installed. I've just created a rule and let EMET do its business on the net (whatever that is). After closing EMET, I disabled the rule and restarted EMET. It was silent this time, no dropped packets were logged. Hence either EMET tries just the once to contact out or it may try periodically.

    It certainly does try to send TCP packets out, though.
     

    Attached Files:

    • EMET.jpg
  4. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses

    Thanks for this data.


    I have W 7 and if I read your signature right you are in Vista? 32 bit?


    I'm curious about the folder: your EMET GUI is in a device path?


    I think now we should put the question to the MS guys behind the product, do you agree?
     
  5. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047

    I think if I should put questions to the guys behind every product that uses 80/443 I would not be doing anything else. :rolleyes:
     
  6. sbseven

    sbseven Registered Member

    Joined:
    Jan 30, 2011
    Posts:
    140
    Yes, Vista 32, but I doubt that's of any relevance. The device path is just my C: drive. It's recorded in the log that way for some reason.
    It does what it does. I'm not bothered by it. As doktornotor implies, most applications try to connect out for tracking purposes and/or updating.
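    The posters above went through Windows Firewall / Windows Filtering Platform block events by hand looking for Emet_GUI.exe connection attempts, and sbseven notes that the log records the program under a device path rather than a drive letter. The script below is an added example, not something posted in this thread or shipped with EMET: it parses block-event text in the layout Event Viewer shows for "The Windows Filtering Platform has blocked a packet" (event ID 5152), keeps only outbound blocks, groups them per application and rewrites the `\device\harddiskvolumeN` prefix to a drive letter. The sample events and the volume-to-drive mapping are constructed; on a real machine the mapping depends on the disk layout and is not recorded in the event itself.

```python
import re
from collections import defaultdict

# Constructed sample: WFP "blocked a packet" events (event ID 5152 layout) as
# copied from Event Viewer. Two outbound blocks for the EMET GUI, one inbound
# drop that must be ignored, one outbound UDP block from another program.
SAMPLE_EVENTS = r"""
The Windows Filtering Platform has blocked a packet.
Application Information:
    Process ID:        1234
    Application Name:  \device\harddiskvolume1\program files\emet\emet_gui.exe
Network Information:
    Direction:            Outbound
    Destination Address:  203.0.113.20
    Destination Port:     80
    Protocol:             6
The Windows Filtering Platform has blocked a packet.
Application Information:
    Process ID:        1234
    Application Name:  \device\harddiskvolume1\program files\emet\emet_gui.exe
Network Information:
    Direction:            Outbound
    Destination Address:  203.0.113.21
    Destination Port:     443
    Protocol:             6
The Windows Filtering Platform has blocked a packet.
Application Information:
    Process ID:        4
    Application Name:  System
Network Information:
    Direction:            Inbound
    Destination Address:  192.168.1.10
    Destination Port:     5353
    Protocol:             17
The Windows Filtering Platform has blocked a packet.
Application Information:
    Process ID:        2222
    Application Name:  \device\harddiskvolume3\tools\other.exe
Network Information:
    Direction:            Outbound
    Destination Address:  203.0.113.50
    Destination Port:     53
    Protocol:             17
"""

EVENT_HEADER = "The Windows Filtering Platform has blocked a packet."
# "Field name:   value" lines; section headings such as "Network Information:"
# match with an empty value and are skipped by the parser.
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?):\s*(.*?)\s*$")
PROTOCOLS = {6: "TCP", 17: "UDP"}

# Assumed mapping for this constructed machine (the poster's drive was C:).
# Windows exposes the real mapping via QueryDosDevice; the event omits it.
VOLUME_MAP = {r"\device\harddiskvolume1": "C:"}


def parse_wfp_events(text):
    """Split exported event text into one {'Field': 'value'} dict per event."""
    events, current = [], None
    for line in text.splitlines():
        if line.strip() == EVENT_HEADER:
            current = {}
            events.append(current)
            continue
        if current is None:
            continue
        m = FIELD_RE.match(line)
        if m and m.group(2):
            current[m.group(1)] = m.group(2)
    return events


def device_path_to_drive(path, volume_map=VOLUME_MAP):
    """Rewrite a \\device\\harddiskvolumeN prefix to its drive letter if known."""
    lowered = path.lower()
    for device, drive in volume_map.items():
        if lowered.startswith(device.lower()):
            return drive + path[len(device):]
    return path  # unknown volume: leave the device path as logged


def summarize_outbound_blocks(events, volume_map=VOLUME_MAP):
    """Return {application: [(dst_ip, dst_port, proto), ...]} for outbound blocks."""
    summary = defaultdict(list)
    for ev in events:
        if ev.get("Direction", "").lower() != "outbound":
            continue
        app = device_path_to_drive(ev.get("Application Name", "?"), volume_map)
        proto = PROTOCOLS.get(int(ev.get("Protocol", 0)), ev.get("Protocol", "?"))
        summary[app].append((ev["Destination Address"], int(ev["Destination Port"]), proto))
    return dict(summary)


if __name__ == "__main__":
    for app, conns in summarize_outbound_blocks(parse_wfp_events(SAMPLE_EVENTS)).items():
        print(f"{app}: {len(conns)} blocked outbound connection(s)")
        for dst, port, proto in conns:
            print(f"    -> {dst}:{port}/{proto}")
```

Run against a real export, the per-application grouping answers the question the thread circles around (how often and where a given exe tries to connect) without reading each event; an unknown volume is deliberately left as the raw device path rather than guessed.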
     
  7. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses

    Yes.

    I see no reason for it to call out, so I'll block it. :D
     
  8. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Looks like your firewalls are probably reacting to this...
    It's normal behavior for .NET Framework 2.0 apps like EMET. From KB944752...
     
  9. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    Which is actually a good thing (*cough* Comodo *cough*) and blocking that does not seem exactly like a good idea. ;)
     
  10. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses

    Thing is Nick that in my case, my FW has NOT reacted. It has not logged a single access for any EMET exe.

    Does the .NET framework set of exe's need a FW approval to call out?

    If so then would not the FW rules have to include NET's exe's?

    I think I'm confused...:oops:
     
  11. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    On a completely different note - I gave this a try on XP Home laptop with administrator account.

    Opened Sys-Manage DEPTest Tool v1.00 from unsandboxed EMET-ized IE8 (kinda simulating a drive-by download) - all tests pass (overflow.exe just crashes every time.)

    :cool: :thumb:
     
  12. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    I think it's an Outpost bug. I don't use it, but I checked out the free version on 7 Ultimate 32-bit and 64-bit. It looks like it's ignoring the following settings and automatically adding permissions for signed apps like EMET. If you have alerts suppressed, then you would never know what happened unless you monitor the log files in the \log folder. Since I don't use Outpost, I could be missing some obscure setting.
     

  13. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses

    Thanks a lot nick! You went to a lot of trouble for my question/issue!

    I believe you are correct that OP has overridden the user selections in this case. I have a flawed memory, but I think I've seen other complaints re OP on this same matter! Creating rules the user didn't ask for.


    I'll do some testing on this and report back.

    I have rules now for EMET and I'm allowing www connections and logging any that occur.

    More later
     
  14. jnthn

    jnthn Registered Member

    Joined:
    Sep 22, 2010
    Posts:
    185
    What's the difference between Opt In and Opt Out when it comes to SEHOP? I had to ask because a game I run errors out if EMET's SEHOP config is left at Opt Out but runs fine if it is set as Opt In.
     
  15. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    Well, opt-in is just pointless, applications do not tend to ask "oh please run me with SEHOP enabled" often. Add the game to applications (via GUI or emet_conf.exe) and uncheck SEHOP there, leave the global settings at opt-out. (Also, report to the game vendor. :p)
     
  16. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    I *highly* suggest you do NOT add games, especially if it has some kind of cheat protection.
     
  17. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I just went through Windows Firewall with Advanced Security logs and haven't found one single event regarding EMET.
     
  18. jnthn

    jnthn Registered Member

    Joined:
    Sep 22, 2010
    Posts:
    185
    I didn't add the game executable under EMET's applications list. Thing is, it just won't run if I set SEHOP as OptOut. Is there a way to easily exclude a process from SEHOP just like with DEP exclusions?
     
  19. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
  20. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Easiest way is EMET.
     
  21. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    After upgrading to the latest version, I noticed a connection from Emet_GUI.exe to DNS servers.

    This was a first. :D
     
  22. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
  23. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,963
    Location:
    Somethingshire
  24. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
    That one was on install. I also get an alert when opening the GUI for the first time after a re-boot. I haven't captured that one yet and do not remember if the address is the same. The next time I re-boot and open EMET, I will capture it to see.
     
  25. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses

    This happened on the old version as well.

    I just set up blocking FW rules for all EMET's executables at the time and they are still in place.
     