EMET - a dummy's guide

I believe it doesn't work. It blocked a game and gave me "stack hash whatever" error. After that i learnt that it might be about dep configuration. Changed dep settings and game worked. It didn't give me any notify.

 

Just imported allrop.xml - we'll see what happens

 

In version 2 there wasn't a notifier and the understanding was if an app protected by EMET violated one of the parameters it would just close/crash. It may be the notifier is a work in progress.

 

Looks Like AllROP.XML turns on all ROP features for all apps - is that correct? Is it not necessary to tailor these to specific apps?

 

I think the notifier only works on migitaions for configured apps, not systemwide settings.

 

I may have turned off one of them for a program but I can't remember. I haven't had any crashes reported to me.

 

I imported allrop.xml on my laptop this morning and immediately started getting crashes in outlook.exe. I run Windows 7x86 on the laptop. I imported allrop.xml on my desktop, which runs Windows 7x64, yesterday and haven't had crashes in outlook.exe. Same version of outlook on both machines - go figure.

 

Interesting. If you find the culprit I can remove a variable so that x86 doesn't use whatever's causing the crash.

 

Some time when I've got more brain cells working I'll re-enable the rop options for outlook.exe and try to zero in By the way, I have three entries for each EXE in the EMET app list. Is that normal?

Edit: Actually I have four entries in some cases and fewer than three in others - it's inconsistent.

 

I imported allrop.xml last night so far no problems, Thanks Hungry Man, oh by the way nice Blog

 

Thanks.

 

Its booked marked I read it everyday, lot of nice info

 

Always happy to hear that.

 

Im completely new to EMET and have just installed it.Do i just leave it as it is or do i need to configure it in someway?
Sorry for the stupid question.

 

Beethoven1770,

I wrote a guide here with pictures and explanations. There is some setup required but not much.

 

Thank you hungry man your a gentleman.
If a program does not run like it should then how do i configure it to run.?
Im having a slight problem with my dongle getting connected.
Many thanks.

 

Imported allrop.xml. Explorer stop working @ start-up, went to safe mode removed explorer. What settings should be unchecked for Explorer to work for me? Windows7 64bit. Thank you.

 

Current version is 3.5 Techpreview I believe (that is why I have installed here), there a new tabs like ROP etc. Maybe you want to update your blog? - Just a suggestion before people are asking questions.

 

If a program isn't working you should disable protection for it under 'configure apps'. If it's nto configured there it may not work with DEP in which case you should go back to 'Opt In'.

Haven't had that reported yet/ that issue personally. Disable the Anti-ROP techniques and let me know how that effects it.

It may be another program interfering/ injecting into explorer.exe for context menus and that would break things.

 

https://insanitybit.wordpress.com/2012/07/26/setting-up-emet-3-5-tech-preview-9-2/

Did so a while back actually. I just linked to the 3.0 one because it's 'stable'.

edit:
https://insanitybit.wordpress.com/2012/10/05/update-for-emet-3-5-allrop-xml/

There's a new allrop.xml that I've uploaded. Disabled antirop for explorer.exe because I think that problem will be common and I added protection for Java 7 with a variable path.

 

Disable Anti-ROP techniques, no difference Explorer stopped working.
Is "Opt out" the next step down from always on, or "Opt In"?

 

It's trial and error, and always in a non production system. For instance, I got no issues with Explorer in Windows 7 x86. I suppose there's something in the x64 version that isn't playing nicely with one of EMET's mitigations. Or, as Hungry Man pointed out, some other app...

 

I use the 64bit version and have no issues with *all* techniques enabled. It's very likely a separate program causing the issue.

Try disabling EAF. I'll be surprised if that doesn't solve the issue.

edit: Opt Out isn't available for ASLR on Vista/7. So Opt In is the next one down. If you see an 'Opt Out' it might be a bug - I saw it when I was on Windows 8.

 

This as the picture indicates is how i have EMET running at the moment.
Is this correct as im completely new to this program.

 

Looks good to me.