EMET (Enhanced Mitigation Experience Toolkit)

Discussion in 'other anti-malware software' started by luciddream, Apr 1, 2013.

  1. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Did you "scrub" your PC of all traces of old WOT installation before reinstalling? WOT leaves traces "up the wazoo."
     
  2. ance

    ance formerly: fmon

    Joined:
    May 5, 2013
    Posts:
    1,360
    No problems so far, I think EMET is a keeper. ;)
     
  3. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,726
    Location:
    Canada
    @TyRidian: Windows 7

    @itman: The only trace Wot leaves on my system was in the registry... the location HKEY_CURRENT_USER\Software\AppDataLow\Software\Against Intuition\

    ... and I manually remove this.
     
  4. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
You running IE x64? I just checked what is injected into my IE x32 process using Process Explorer and it is named emet.dll. Many things are not compatible with IE x64.

    Also take a look at this thread: https://www.wilderssecurity.com/showthread.php?t=349220. User had problem with tabs in MS Office. Try turning off EAF for IE x64 and see if that does the trick with the WOT issue.
     
    Last edited: Jun 26, 2013
  5. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,726
    Location:
    Canada
Both WOT and EMET claim 64-bit support.

You say it's a WOT issue, but it's EMET that's manipulating. Ultimately it's the EMET file shown to be responsible for the crash. ;)
     
  6. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
Per the EMET 4.0 user manual, the following mitigations are not compatible with x64 applications:

    SEHOP

    -and ROP mitigations -

    Load library checks
    Memory protection checks
    Simulate execution flow
    Stack pivot

    First, I don't know if the default rule EMET has applies to both IE x32 and x64. You might have to create a separate rule for IE x64 and turn off the above mitigations for it. If that doesn't work, then add an application rule for C:\Program Files\WOT\wot.dll and turn off the above mitigations for it. See if that does the trick.

    -EDIT- For reference all the above mitigations are base ROP mitigations. The EMET 4.0 user manual also states that the following are advanced ROP mitigations:

    Deep hooks
    Anti detours
    Banned functions

They are only applicable if one or more of the base ROP mitigations are selected. So these advanced ROP mitigations can also give x64 apps problems if any of the base ROP mitigations are selected.

Whew :eek:
     
    Last edited: Jun 27, 2013
  7. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    See my above post about x64 apps if those are the ones that are crashing.
     
  8. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
I successfully added the following WIN 7 x64 OS files from the System32 directory with all mitigations enabled without any issues:

    Lsass.exe
    Services.exe
    Wininit.exe

    I consider these the most exploitable OS files. Will be adding a few more as time permits.
     
  9. Solarlynx

    Solarlynx Registered Member

    Joined:
    Jun 25, 2011
    Posts:
    2,015
Thank you. Indeed. EMET 4.0 for x64 apps is a bit problematic. Maybe the next version will make ROP suitable for x64 apps.

    Is it better then to use EMET 3.5 for x64 Windows?
     
  10. Quitch

    Quitch Registered Member

    Joined:
    Apr 24, 2008
    Posts:
    94
    The title of the chart is poorly chosen, the text that precedes it is better. Those are not applicable to 64-bit applications, meaning they won't do anything. They won't cause a crash because they're not being applied.
     
  11. Solarlynx

    Solarlynx Registered Member

    Joined:
    Jun 25, 2011
    Posts:
    2,015
    Yes, but then enabling the "Deep Hooks" would do nothing to my apps if ROP isn't applied to x64 Windows. Anyway it crashes all ROP protected apps.
     
  12. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Again per EMET 4.0 user manual:

    EMET 3.5 Technical preview introduced several experimental anti Return Oriented Programming (ROP) mitigations that aim to block any exploitation relying on this technique. ROP is an exploitation technique that facilitate the execution of code in presence of mitigation like the Data Execution Prevention. In order to do that, the ROP technique use snippets of code that are already present in the application. With EMET 4.0 these mitigations have been enhanced, and many compatibility and performance issues have been solved.

    Please note that ROP mitigations are only available and applicable to 32-bit processes. 64-bit processes are not protected with ROP in this version of EMET.


The above would lead one to assume that EMET ignores ROP mitigations for 64-bit processes. I believe this is what Solarlynx and Quitch are stating. I would not "bet my booties" on it. Why would MS go to lengths in the user manual to state specifically what mitigations are not compatible with x64 apps?

To me this illustrates MS documentation at its best: confusing and contradictory. In any case, I would stay away from setting up x64 apps in EMET in its present form.
     
  13. Quitch

    Quitch Registered Member

    Joined:
    Apr 24, 2008
    Posts:
    94
While we don't use "compatibility" to mean "applicable" in the IT field, technically they're using it correctly. It's not compatible with x64 apps because it's irrelevant to them and isn't used.

    Note that the Microsoft "Popular Software" profile applies ALL mitigations to winzip64.exe.
     
  14. Solarlynx

    Solarlynx Registered Member

    Joined:
    Jun 25, 2011
    Posts:
    2,015
Why does MS enable ROP if it is not working for x64? They would do better to make EMET x64 without ROP then. This edition with non-working ROP is rather misleading.
     
  15. Quitch

    Quitch Registered Member

    Joined:
    Apr 24, 2008
    Posts:
    94
    Probably because it's enabled by default and there's no reason to specify an exception. It isn't applied whether it's enabled or not, so why type out the extra lines in the profile?
     
  16. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,726
    Location:
    Canada
    Hi itman.

    OFF - Deep hooks
    ON - Anti detours
    ON - Banned functions

    Disabled All mitigations for IEXPLORER 64bit and WOT.dll 64bit

    --- First Warning
    Problem signature
    Problem Event Name: BEX64
    Fault Module Name: WOT.dll_unloaded

    ---- Respond to First then promptly a second Warning appears.
    Problem signature
    Problem Event Name: APPCRASH
    Fault Module Name: WOT.dll_unloaded
    ---------------------------------------------------------

    Disabled Anti detours and Banned functions, closed out of EMET GUI and relaunched IE x64. Toy with Multi-IE Tabs and surfing and crash again occurs.
    ----------------------------------------------------------

    After uninstalling EMET 3.0 stable release and before EMET 4.0 stable, no problems. And now Uninstalling EMET 4.0 and toying around again, no crashing.
     
  17. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
I agree with a caveat. Good analysis :thumb: The caveat is I would only trust this assumption for MS apps. One probably has to manually set off ROP mitigations for x64 third-party apps defined to EMET 4.0.

    EventType BEX

    Indicates a buffer overflow (/GS) or DEP exception (BEX64 indicates a buffer overflow (/GS) or DEP exception on 64-bit versions of Windows)

    http://technet.microsoft.com/en-us/library/cc738483(v=WS.10).aspx

    First verify you have the system setting for SEHOP set to Application Opt Out.

    For reference, I fired up IE x64 with all EMET mitigations set on for IE with SEHOP system setting set as above. Surfed for a while purposely doing Yahoo page searches. Zip problems with WOT.

Finally, what is your system setting for DEP? Make sure it is set at minimum to Application Opt Out; that is what I am currently using. If that doesn't work, try Application Opt In and retest on IE x64.
     
    Last edited: Jun 28, 2013
  18. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,726
    Location:
    Canada
    By default SEHOP is disabled in Windows 7, and I haven't changed this.

    DEP w/ default setting in Windows 7, which is 'DEP is enabled for only Windows system components and services.'

BTW, after having re-installed EMET 4, and with just their wildcard App rule for IE: launching IE 32-bit and going to sites, the IE tab crashes and a connectivity issue message page appears. This happens when 'Certificate Trust (Pinning)' is set to Enabled. Keeping that feature enabled but disabling SEHOP, the problem disappears. So I removed the wildcard IE rule and manually created two rules for the two IE versions, with 'all mitigations' set on both rules, and there's no problem. Weird, right?

Back to my original experiences... Keep in mind the experiences come from using Multi-IE tabs frequently. Using just the one IE tab, no problems.

My experience was finally reproduced with EMET uninstalled. But it is extremely hard and time consuming to reproduce, unlike how it is with EMET installed, and regardless of whether all the mitigations are off on WOT.dll (64-bit) and IEXPLORE.EXE (64-bit) files and EMET Deep hooks, Anti detours, and Banned functions are disabled. Anyway, I found the WOT Debugger tool that e-mails them the information for a crash after experiencing one.

    Thanks for the motivation to investigate.
     
  19. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    SEHOP is not disabled on Windows 7 by default, if yours was, that's an issue. Turn it on, it's a pretty important security feature. SEHOP should have absolutely no performance or stability issues, as it only takes effect when a program crashes.
     
  20. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,726
    Location:
    Canada
    "By default, SEHOP is enabled in Windows Server 2008 R2 and in Windows Server 2008. By default, SEHOP is disabled in Windows 7 and in Windows Vista. To enable SEHOP manually, follow these steps:" - http://support.microsoft.com/kb/956607
     
  21. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Even after the service pack? I know it came out post-Vista, but I thought they brought it in with a SP.

    Regardless, it should have absolutely no performance or stability impact, and it's a fairly critical security feature. I'd turn it on.
     
  22. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,726
    Location:
    Canada
    Correct. Even after Service Pack 1 installation, there was no SEHOP activation.

    Thanks for the suggestion.
     
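A quick way to check the two system settings argued over above (the SEHOP default from KB956607 and the DEP policy itman asks about in post 17). This is an added example, not something any poster ran; the registry value name comes from KB956607 and the DEP policy codes from the Win32_OperatingSystem WMI class, which works on Windows 7 PowerShell 2.0.

```powershell
# Added example (not from the thread): report the system-wide SEHOP and DEP
# policy. Run from an elevated PowerShell prompt on Windows 7 / Vista.

function Get-SehopState {
    # KB956607: SEHOP is controlled by DisableExceptionChainValidation under
    # the kernel key; 0 = enabled, 1 = disabled, absent = OS default.
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel'
    $item = Get-ItemProperty -Path $key -Name DisableExceptionChainValidation `
                             -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # Client OS default (Windows 7 / Vista) is off, as post 20 quotes.
        return 'Disabled (value not present; Windows 7/Vista client default)'
    }
    if ($item.DisableExceptionChainValidation -eq 0) { 'Enabled' } else { 'Disabled' }
}

function Get-DepPolicy {
    # DataExecutionPrevention_SupportPolicy: 0 AlwaysOff, 1 AlwaysOn,
    # 2 OptIn (Windows components and services only), 3 OptOut (all processes).
    $os = Get-WmiObject -Class Win32_OperatingSystem
    switch ($os.DataExecutionPrevention_SupportPolicy) {
        0 { 'AlwaysOff' }
        1 { 'AlwaysOn' }
        2 { 'OptIn (Windows system components and services only)' }
        3 { 'OptOut (all processes unless excluded)' }
        default { "Unknown ($($os.DataExecutionPrevention_SupportPolicy))" }
    }
}

function Enable-Sehop {
    # Mirrors the manual step in KB956607: create/overwrite the DWORD with 0.
    # The change takes effect after a reboot. Not called automatically below.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel'
    New-ItemProperty -Path $key -Name DisableExceptionChainValidation `
                     -PropertyType DWord -Value 0 -Force | Out-Null
}

"SEHOP system setting: $(Get-SehopState)"
"DEP system policy:    $(Get-DepPolicy)"
```

If the script reports SEHOP disabled and DEP OptIn, that is the stock Windows 7 state Phant0m describes; EMET's "Application Opt Out" for both corresponds to setting SEHOP enabled and DEP OptOut here.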
  23. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    I have also uninstalled EMET 4.0 and went back to 3.0.

No matter what I tried, I could not keep Trusteer Rapport's Block Browser Process Alteration from logging a ton of blocked EMET 4.0 activities. I also noticed my CPU activity significantly increased when running IE9, which I assume was due to the above activity. As I noted in a previous post, the EMET activities Rapport did not like were:

    Virtual Protect
    Load Library
    Create Process
    Create file

These all appear to be related to ROP mitigations, but setting off all 4.0 ROP mitigations did not help. Interestingly, I have all the 3.0 ROP mitigations enabled for 3.0 without issue in regards to Trusteer Rapport.

    I am beginning to suspect that DEP in EMET 4.0 might be buggy. I noticed that the two x32 Trusteer services Opt Out of DEP in EMET 3.0. MS removed DEP status on all running processes in EMET 4.0 so I have no way of determining if DEP was being set off for the two above Trusteer services. However, I suspect they might still have DEP set on which also could be causing the above EMET mitigations being blocked by Trusteer.
     
  24. Solarlynx

    Solarlynx Registered Member

    Joined:
    Jun 25, 2011
    Posts:
    2,015
    I had to switch to EMET 3.0. My PC (win-7 x64) was very slow with 4.0 and some apps didn't start without any popup from EMET.
    All is OK with 3.0.
     
  25. nine9s

    nine9s Registered Member

    Joined:
    Feb 8, 2013
    Posts:
    310
    Location:
    USA
    Isn't WOT just a Chrome extension? What do you have to do besides move it from Chrome?
     