EMET (Enhanced Mitigation Experience Toolkit)

Discussion in 'other anti-malware software' started by luciddream, Apr 1, 2013.

  1. Baserk

    Baserk Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    1,321
    Location:
    AmstelodamUM
    On a new Win8-64 setup for a relative, EMET 4.0 with all options applied runs fine.
    It's not loaded with security programs though. Only an AV and an extra AM scanner, as per request.
    With EMET applied to almost every internet-contacting program, I've not yet been able to find (or force) any issue.
    On my Win7-64 box no issues either (so far).
     
  2. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,795
    On a relatively clean install, EMET 4 doesn't cause problems on Max settings. If you have the proper ATI drivers, you can even go ahead and set ASLR to Always On. It's most likely those having issues are having conflicts with some other software installed on the system.
     
  3. Charyb

    Charyb Registered Member

    Joined:
    Jan 16, 2013
    Posts:
    679
    After reinstalling and booting, EMET 4.0 is now running smoothly on my system.

    I did have problems with Microsoft Silverlight and all my extensions crashing in Chrome.

    To fix the extension crashes under Chrome I disabled SEHOP and to keep Silverlight from crashing I disabled EAF.

    Posting this in case someone else has the same problems.

    One problem that is not really a problem for me and I just stumbled across this:
    Opening EMET using the tray icon only works if UAC is turned on. I have it set to default. With UAC off, I receive an error that I don't have admin rights. I hope this is on the to do list.
     
    Last edited: Jul 21, 2013
  4. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,648
    Location:
    U.S.A.
    After uninstalling Trusteer Rapport, I uninstalled EMET 3.0 and installed 4.0. Started with my old EMET 3.0 system settings and then increased to max. protection including deep hooks. Zip problems so far and no impact on system performance to date. In fact, I was getting occasional IE9 and WIN explorer hangs under EMET 3.0 that I am not getting running 4.0 at max settings. Go figure.:rolleyes:
     
  5. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,648
    Location:
    U.S.A.
    Anyone know what might be causing this? Emet.dll is crashing IE9. Now I did add two new cert pinning rules today along with associated web sites.

    Description
    Faulting Application Path: C:\Program Files (x86)\Internet Explorer\iexplore.exe

    Problem signature
    Problem Event Name: APPCRASH
    Application Name: iexplore.exe
    Application Version: 9.0.8112.16496
    Application Timestamp: 51a55c6d
    Fault Module Name: EMET.DLL
    Fault Module Version: 4.0.0.0
    Fault Module Timestamp: 51ba563b
    Exception Code: c0000005
    Exception Offset: 0004d56a
    OS Version: 6.1.7601.2.1.0.768.3
    Locale ID: 1033
    Additional Information 1: 1e42
    Additional Information 2: 1e42b5e3c7f90ee901fe0fa9c078e38b
    Additional Information 3: e165
    Additional Information 4: e165dad96ce6b6b3d53acbbba2f44644

    Extra information about the problem
    Bucket ID: 3705494988
     
  6. escalibur

    escalibur Registered Member

    Joined:
    Jun 29, 2013
    Posts:
    118

    Are you using any toolbars and such?

    http://forums.2kgames.com/showthread.php?90164-How-to-fix-Exception-Code-c0000005
     
  7. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,648
    Location:
    U.S.A.
    Thanks for the link. No toolbars of any kind installed except for WOT. WOT btw has been loading slowly on the first startup of IE after a cold boot for the last week or so.

    BEX was not the faulting module, it was EMET.dll which had me a bit concerned. The info I posted was from WIN 7 reliability monitor. The event log gave me more info. Showed that the EMET.dll that caused the fault was the one in C:\Windows\AppPatch folder. So I have excluded that .dll plus the X64 one in the same folder from Emsisoft EAM realtime protection. BTW - the EMET.dll from the AppPatch folder is the one injected into IE.

    Fabian from Emsisoft did mention that another EAM user was having problems with EAM and EMET 4 certificate processing. In his case, it was totally locking up his PC. So I will keep monitoring and see if I can prove a direct link to EAM.

    I also got an app crash from WIN explorer this morning. This one was BEX related. Again occurred right after first cold boot for today. I have received these before on occasion and am not that worried about it.
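A few triage helpers for a crash like the APPCRASH signature quoted earlier in this thread and the event-log lookup described in this post. This is an added example, not code from the thread or from EMET. It assumes the standard Windows 7 Application log entry for a crash (provider "Application Error", event ID 1000, whose message text carries the faulting module's full path), that EMET's optional event reporting writes to the Application log under the source name "EMET", and the usual WER report folders; the sample signature text is constructed from the fields posted above.

```powershell
# Added example, not code from the thread or from EMET. Assumptions: Application log crash
# entries come from provider "Application Error" with event ID 1000; EMET's own reporting uses
# the source name "EMET"; WER keeps a Report.wer text file per report in the folders listed.

# Parse a "Problem signature" block, as copied from Reliability Monitor, into an object.
function ConvertFrom-ProblemSignature {
    param([Parameter(Mandatory = $true)][string]$Text)
    $fields = @{}
    foreach ($line in ($Text -split "`r?`n")) {
        # "Key: Value" lines only; the non-greedy key match stops at the first colon, so a
        # value such as C:\... keeps its own colon. Headings and blank lines are skipped.
        if ($line -match '^\s*([^:]+?):\s*(.+?)\s*$') { $fields[$Matches[1]] = $Matches[2] }
    }
    $code = $fields['Exception Code']
    New-Object PSObject -Property @{
        Application       = $fields['Application Name']
        FaultModule       = $fields['Fault Module Name']
        ModuleVersion     = $fields['Fault Module Version']
        ExceptionCode     = $code
        IsAccessViolation = ($code -eq 'c0000005')   # 0xC0000005 = STATUS_ACCESS_VIOLATION
        Offset            = $fields['Exception Offset']
    }
}

# Constructed input: the signature fields quoted in the thread.
$sample = @"
Problem Event Name: APPCRASH
Application Name: iexplore.exe
Application Version: 9.0.8112.16496
Fault Module Name: EMET.DLL
Fault Module Version: 4.0.0.0
Exception Code: c0000005
Exception Offset: 0004d56a
"@
ConvertFrom-ProblemSignature -Text $sample |
    Format-List Application, FaultModule, ModuleVersion, ExceptionCode, Offset, IsAccessViolation

# Event ID 1000 carries the faulting module's full path, which is how the poster saw that the
# copy actually injected into IE is the one under C:\Windows\AppPatch.
function Get-AppCrashEvents {
    param([string]$ModuleName = 'EMET.dll', [int]$Days = 7)
    $filter = @{
        LogName      = 'Application'
        ProviderName = 'Application Error'
        Id           = 1000
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match [regex]::Escape($ModuleName) } |
        ForEach-Object {
            $process = ''
            if ($_.Message -match 'Faulting application name:\s*([^,]+)') { $process = $Matches[1] }
            $modulePath = ''
            if ($_.Message -match 'Faulting module path:\s*([^\r\n,]+)') { $modulePath = $Matches[1] }
            New-Object PSObject -Property @{ Time = $_.TimeCreated; Process = $process; ModulePath = $modulePath }
        }
}

# EMET's own entries (mitigation triggered, certificate mismatch) when "Windows Event Log"
# reporting is enabled in the EMET GUI. Source name "EMET" is the assumption stated above.
function Get-EmetEvents {
    param([int]$Days = 7)
    $filter = @{ LogName = 'Application'; ProviderName = 'EMET'; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, Message
}

# Find the WER reports that name the module of interest and list whatever WER attached to
# them (dumps, copies of the input file) alongside Report.wer.
function Find-WerReports {
    param([string]$ModuleName = 'EMET.dll')
    $roots = @(
        "$env:LOCALAPPDATA\Microsoft\Windows\WER\ReportArchive",
        "$env:LOCALAPPDATA\Microsoft\Windows\WER\ReportQueue",
        "$env:ProgramData\Microsoft\Windows\WER\ReportArchive",
        "$env:ProgramData\Microsoft\Windows\WER\ReportQueue"
    )
    foreach ($root in $roots) {
        if (-not (Test-Path -Path $root)) { continue }
        Get-ChildItem -Path $root -Filter Report.wer -Recurse -ErrorAction SilentlyContinue |
            Where-Object { ((Get-Content -Path $_.FullName) -join "`n") -match [regex]::Escape($ModuleName) } |
            ForEach-Object {
                $dir = $_.DirectoryName
                $attached = Get-ChildItem -Path $dir | Where-Object { $_.Name -ne 'Report.wer' } | ForEach-Object { $_.Name }
                New-Object PSObject -Property @{ Report = $dir; Attached = ($attached -join ', ') }
            }
    }
}

Get-AppCrashEvents | Format-Table Time, Process, ModulePath -AutoSize
Get-EmetEvents     | Format-Table TimeCreated, Id, Message -AutoSize
Find-WerReports    | Format-List Report, Attached
```

The parser is deliberately generic (any "Key: Value" block), so the same function handles a "Description" section pasted along with the signature. The event query is the quickest way to tell whether the faulting EMET.dll is the injected copy in AppPatch or the one in the EMET program folder, which is the distinction the post makes.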
     
  8. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,648
    Location:
    U.S.A.
    Came across this very informative post on SEHOP in the EMET forum: http://social.technet.microsoft.com/Forums/security/en-US/311605cc-04b8-420b-b211-4c4cbdd27133/explain-sehop-systemwide-policy-setting. Definitely worth a read.

    I am still having issues with EMET 4. Explorer on WIN 7 x64 SP1 keeps crashing periodically on me. Everything appears to point to a video driver (nVidia in my case) issue. Reinstalled drivers and that didn't help. Running SEHOP at the opt-in setting appears to solve the problem. However, SEHOP system default setting on WIN 7 w/o EMET installed is opt-out. Without EMET installed or with ver 3.0 installed, I had no crashing issues with Explorer. I tried setting EMET SEHOP at system option to opt-out and disabled all the app SEHOP settings and that didn't help. Definitely a bug here with EMET 4 SEHOP. BTW I do not have explorer.exe defined as an app to EMET. Hum ....... might try that and turn off SEHOP for it?
     
  9. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,648
    Location:
    U.S.A.
    OK. I think I have this sorted out. SEHOP has to be the most confusing setting in EMET.

    First, disabling deep hooks stopped explorer from crashing. Looks like there is a conflict with that setting and Emsisoft AM 8.0 on my PC.

    For SEHOP if you select Opt-out for the system mitigation setting, WIN 7 will override EMET and the app, IE9 in my case, will crash when a bad guy is detected. Under the Errors section in the Event Log, you will see that EMET.dll was the termination reason. Not very informative unless you want to read the dump file. So in my opinion, it is best to set SEHOP at its recommended Opt-in setting and then control it by individual app settings e.g. on or off to force an alert by EMET.

    BTW - as mentioned previously in this thread, SEHOP is set off by default unless you're running a server version of WIN. Its setting is controlled by a registry setting. See KB956607 for more details.
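Since the post above points at KB956607 for the registry side of SEHOP, here is a read-only check of what Windows itself applies, system-wide and per application, which can then be compared with the SEHOP choices made in EMET. This is an added example, not code from the thread or from EMET. The registry locations and value semantics are the ones KB956607 documents (DisableExceptionChainValidation, 0 = SEHOP on, 1 = off, with a per-image override under Image File Execution Options); the EMET_Conf.exe path is an assumption based on the EMET 4.0 default install folder.

```powershell
# Added example, not code from the thread or from EMET. Registry locations follow KB956607;
# the EMET_Conf.exe path is assumed to be the EMET 4.0 default install location.

$KernelKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel'
$IfeoKey   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

# Returns 0 (SEHOP on), 1 (SEHOP off) or $null when the value is not set at that location.
function Get-SehopValue {
    param([Parameter(Mandatory = $true)][string]$Path)
    $item = Get-ItemProperty -Path $Path -Name DisableExceptionChainValidation -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.DisableExceptionChainValidation
}

function Get-SehopPolicy {
    param([string[]]$Application = @('iexplore.exe', 'explorer.exe'))
    # With no system-wide value the OS default applies: SEHOP on for server SKUs and off for
    # client SKUs such as Windows 7, which is the "off unless server" behaviour noted above.
    $os = Get-WmiObject -Class Win32_OperatingSystem
    $isServer = ($os.ProductType -ne 1)     # ProductType 1 = workstation
    $sys = Get-SehopValue -Path $KernelKey
    if ($null -eq $sys) {
        if ($isServer) { $systemState = 'Enabled (OS default)' } else { $systemState = 'Disabled (OS default)' }
    } elseif ($sys -eq 0) { $systemState = 'Enabled (registry)' } else { $systemState = 'Disabled (registry)' }
    New-Object PSObject -Property @{ Scope = 'System'; Setting = $systemState }

    foreach ($app in $Application) {
        # A per-image value under Image File Execution Options overrides the system-wide one.
        $perApp = Get-SehopValue -Path (Join-Path -Path $IfeoKey -ChildPath $app)
        if ($null -eq $perApp) { $state = 'Inherits system setting' }
        elseif ($perApp -eq 0) { $state = 'Enabled (IFEO override)' }
        else { $state = 'Disabled (IFEO override)' }
        New-Object PSObject -Property @{ Scope = $app; Setting = $state }
    }
}

Get-SehopPolicy | Format-Table Scope, Setting -AutoSize

# EMET 4's command-line tool lists the applications EMET is configured for; compare that list
# with the IFEO entries above to see which images also carry a Windows-level override.
$pf = ${env:ProgramFiles(x86)}
if (-not $pf) { $pf = $env:ProgramFiles }
$emetConf = Join-Path -Path $pf -ChildPath 'EMET 4.0\EMET_Conf.exe'
if (Test-Path -Path $emetConf) { & $emetConf --list }
```

Run it before and after changing the SEHOP setting in EMET: if the Windows-level state reported here does not move, the EMET setting is being applied by EMET's own hooks rather than by the OS policy, which is the kind of mismatch the post describes.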
     
  10. kupo

    kupo Registered Member

    Joined:
    Jan 25, 2011
    Posts:
    1,121
    Certificate Pinning is not working on Internet Explorer 10 at Windows 8 x64

    I've decided to test the certificate pinning in Internet Explorer 10 (Windows 8 x64). I've changed the rule for www.facebook.com to the built-in YahooCA. However, when I go to https://www.facebook.com I haven't received any alerts. Can anyone confirm? Thanks
     
  11. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,648
    Location:
    U.S.A.
    Wonder if Facebook changed certificate?

    What I see in Chrome is Verisign Class 3 Secure Server CA - G3 issued to *.facebook.com.

    Also read through what "Public" cert. permissions mean in the user manual. They are not as strict as non-public permissions.
     
    Last edited: Aug 28, 2013
  12. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,648
    Location:
    U.S.A.
    First, here is the reference for certificate pinning: http://blogs.technet.com/b/srd/archive/2013/05/08/emet-4-0-s-certificate-trust-feature.aspx.

    I just did what you are trying to do on WIN 7 x64 SP1 and IE9. You should not have IE open when making cert. pinning changes or at least shut down and restart IE before accessing the facebook site. Did you Click on the OK button after making your pinning changes and also verify that the pinning rule changed before testing?

    I received the EMET popup on my desktop in the lower left hand corner. Note that the popup does not stay fixed on the desktop and will disappear after a short period of time. Perhaps you missed it? Is the Tray Icon option checked on the main EMET GUI screen?

    Did you check for EMET entries in the error section of your event logs? You should have EMET entries there noting the invalid certificate if you checked the Windows Event Log option on the main EMET GUI screen.

    Finally, EMET will not block access to the web page; www.facebook.com in this instance. All it does is warn you of a cert. mismatch.

    Or ............. The cert. feature doesn't work for WIN 8 and IE10.
     
    Last edited: Aug 28, 2013
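To see what a pinning rule is actually comparing, it helps to pull the served certificate chain independently of the browser and look at its root. The EMET 4 certificate trust write-up linked in the post above describes the feature as associating a domain with a root CA and warning when the served chain ends in a different root; the script below is an added example that performs that comparison on its own, not EMET's code and not from the thread. It assumes network access to the host on port 443, builds the chain against the local certificate store, and uses a placeholder for the pinned root thumbprint that you replace with the thumbprint of the root you expect.

```powershell
# Added example, not EMET's code: fetch a site's certificate, build its chain against the
# local store, and compare the chain's root CA thumbprint with a pinned value.
# $PinnedRootThumbprint below is a placeholder, not a real thumbprint.

function Get-SiteCertificateChain {
    param([Parameter(Mandatory = $true)][string]$HostName, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Inspection only: accept whatever the server presents so it can be read. The pin
        # decision is made afterwards in Test-PinnedRoot, not by this callback.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { param($s, $c, $ch, $e) $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $ssl.Dispose()
    } finally {
        $client.Close()
    }
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    [void]$chain.Build($leaf)
    # ChainElements runs leaf first and root last; if the chain could not be completed to a
    # trusted root, the last element is simply the highest certificate that was available.
    foreach ($el in $chain.ChainElements) {
        New-Object PSObject -Property @{
            Subject    = $el.Certificate.Subject
            Issuer     = $el.Certificate.Issuer
            Thumbprint = $el.Certificate.Thumbprint
        }
    }
}

function Test-PinnedRoot {
    param(
        [Parameter(Mandatory = $true)][object[]]$Chain,
        [Parameter(Mandatory = $true)][string[]]$PinnedThumbprints
    )
    $root = $Chain[$Chain.Count - 1]
    New-Object PSObject -Property @{
        RootSubject    = $root.Subject
        RootThumbprint = $root.Thumbprint
        Pinned         = ($PinnedThumbprints -contains $root.Thumbprint)
        ChainLength    = $Chain.Count
    }
}

$PinnedRootThumbprint = 'REPLACE-WITH-EXPECTED-ROOT-THUMBPRINT'   # placeholder value
$chain = @(Get-SiteCertificateChain -HostName 'www.facebook.com')
$chain | Format-Table Subject, Issuer -AutoSize
if ($chain.Count -gt 0) {
    Test-PinnedRoot -Chain $chain -PinnedThumbprints @($PinnedRootThumbprint) |
        Format-List RootSubject, RootThumbprint, Pinned, ChainLength
}
```

The Subject/Issuer table makes the distinction that trips people up here visible: the issuer shown in a browser's certificate dialog is usually an intermediate CA, while a pinning rule is evaluated against the root at the end of the chain, so a pin that names the wrong tier will never match (or, as in the test above, will always match when the intended mismatch was on a different tier).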
  13. Sordid

    Sordid Registered Member

    Joined:
    Oct 25, 2011
    Posts:
    235
    Got another one for you guys. Really odd response from EMET.

    So I'm testing Comodo 6.2 and EMET 4.0. Strong EMET set up (Always on, Opt in, Opt Out, No pins). I added app ROP mitigations to Daum PotPlayer.exe (mini). Loadlib causes problems (EMET crash). So turn that off. Also crashes on closing with Deep Hooks checked. The response from EMET, though, is as SimExecFlow.

    So I have potplayer with all checks except: no deep hooks, no loadlib. Seems to work fine.

    Then I start opening and closing the app quickly trying to stress it. Going into sleep with the file playing etc. Now after 10 tries or so, Potplayer crashes. DEP mitigation (global on). Huh??

    Now where it gets really odd. The avi/mkv that caused the DEP gets ERASED as in removed from the drive with no other context other than a fault window or EMET flag with DEP mitigation. Just gone. No trace. HDD space regained. Event viewer shows the DEP.

    So emet/DEP is ERASING files. One actually ended up not erased and found in Werfault in the WER file in appdata when the app hung on an EMET crash.

    WTF??

    Tl, dr: EMET DEP mitigation is erasing or moving randomly the suspect file without context.

    Any takers??
     
  14. kupo

    kupo Registered Member

    Joined:
    Jan 25, 2011
    Posts:
    1,121
    Yup, I tried changing the rule while IE is closed. :D I asked in their forums but still no answer from them.
     
  15. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,943
    Location:
    Outer space
    With EMET there is always more info in the manual. Apparently you need to have a certain update installed for it to work on Windows 8 and Certificate Pinning doesn't work on all platforms, but I'm not sure if they mean the Metro version of IE, or all versions on Win8.
    [Attached image: Untitled.png]

    @Sordid
    That sounds weird, I've never experienced it. Perhaps it's best to create a thread on the EMET forum from Microsoft.
     
    Last edited: Aug 29, 2013
  16. kupo

    kupo Registered Member

    Joined:
    Jan 25, 2011
    Posts:
    1,121
    KB2790907 is not even listed in Windows Update. o_O However a quick search indicates that this update is for Windows 8. But I've read in another user's post that KB2790907 is also not available in his Windows Update.

    EDIT:
    Tried to install it in my computer and an error occurs saying that this update is not for my computer. :/
     
    Last edited: Aug 29, 2013
  17. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,648
    Location:
    U.S.A.
    Last edited: Aug 29, 2013
  18. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,648
    Location:
    U.S.A.
    Here is a nifty web site that will give you info on a web site's cert. without having to rummage around in the cert. itself: http://www.digicert.com/help/
     
  19. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,648
    Location:
    U.S.A.
    Personally I run DEP in EMET 4 as opt-out. That is the default setting for WIN 7 and one I never had any conflicts with - EMET or otherwise.

    I had multiple explorer and IE9 crashes since I installed EMET 4. What finally stopped those was clearing out the taskbar notification area. I had all kinds of crud in there including a few that looked like old malware remnants.
     
  20. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,648
    Location:
    U.S.A.
    Things with EMET 4.0 get weirder as time goes by.

    Yesterday I had at least 8 IE9 crashes caused by EMET.dll. Always the same error - c0000005. OK. I would get these periodically but not like this.

    Since this is an access violation, I reset DEP from opt-out to opt-in keeping IE9 DEP set on. Still issues but I did find a web site that would crash IE9 with above error each time I tried to access it: http://boardreader.com/site/Wilders_Security_Forums_10574.html. Site is 100% clean per ZULU. Then I noticed on the site web page something very strange indeed. It denied me access due to detected Botnet activity? WTF?

    No clue what was going on but I did reset my WIN 7 firewall and since have been able to access the above boardreader web site without issue. Also not an IE9 crash since. I am beginning to believe that web site protection such as that provided by Alkami can cause emet.dll to go spastic?

    BTW - PC is clean as a whistle per full EAM 8.1 and MBAM full system scans. Also no weird Internet activity per TCPView observation.

    I would dump EMET 4.0 for 3.0 if it were not for the certificate pinning feature.
     
  21. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    Try update to IE10?
     
  22. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,648
    Location:
    U.S.A.
    PC running like a champ today. Not one IE9 crash. So really don't believe this was a browser issue as much as something interfering with EMET.
     
  23. Solarlynx

    Solarlynx Registered Member

    Joined:
    Jun 25, 2011
    Posts:
    2,015
    Please, can somebody knowledgeable clarify: is it the same for OS DEP "Always ON" and "Opt Out"? I know there's a difference for an app - you can specify it to be out. But is there a difference for other unspecified apps? Is "Opt Out" as strong as "Always ON"?
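The question above is about what the OS-level DEP policy does to processes that have no explicit setting, so a check of the machine's actual policy and exception list is the natural companion to it. This is an added example, not code from the thread or from EMET. It reads the policy from Win32_OperatingSystem (DataExecutionPrevention_SupportPolicy, the same four states bcdedit reports for nx) and the per-application DEP exception list that the System Properties dialog stores under AppCompatFlags\Layers; both are standard Windows locations, and the script only reads them.

```powershell
# Added example, not from the thread or from EMET: report the DEP policy on this machine and
# whether the per-application exception list is consulted under it. Read-only.

function Get-DepPolicy {
    $os = Get-WmiObject -Class Win32_OperatingSystem
    # Same four states bcdedit shows for "nx": 0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn, 3 = OptOut
    $names = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
    $policy = $names[[int]$os.DataExecutionPrevention_SupportPolicy]
    New-Object PSObject -Property @{
        Policy      = $policy
        HardwareDep = [bool]$os.DataExecutionPrevention_Available
        Is64BitOS   = ($os.OSArchitecture -eq '64-bit')
        # OptOut:   DEP on for every process except those in the exception list.
        # AlwaysOn: DEP on for every process; the exception list is ignored and a process
        #           cannot switch DEP off for itself.
        # OptIn:    DEP only for Windows components and applications that ask for it.
        ExceptionsHonoured = ($policy -eq 'OptOut')
    }
}

function Get-DepExceptions {
    foreach ($hive in 'HKLM', 'HKCU') {
        $key = "${hive}:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($null -eq $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }     # provider metadata, not a registry value
            # Value name is the executable path; value data is a space-separated list of
            # compatibility layers, of which DisableNXShowUI is the DEP exception flag.
            if ("$($p.Value)" -match '\bDisableNXShowUI\b') {
                New-Object PSObject -Property @{ Hive = $hive; Executable = $p.Name }
            }
        }
    }
}

$dep = Get-DepPolicy
$dep | Format-List Policy, HardwareDep, Is64BitOS, ExceptionsHonoured
foreach ($e in @(Get-DepExceptions)) {
    # On x64 Windows, 64-bit processes always run with DEP; an exception only affects 32-bit images.
    if ($dep.Policy -eq 'OptOut')       { $effect = 'exception applies (32-bit image runs without DEP)' }
    elseif ($dep.Policy -eq 'AlwaysOn') { $effect = 'ignored: AlwaysOn has no exceptions' }
    else                                { $effect = "not applicable under $($dep.Policy)" }
    Write-Output ("{0} [{1}]: {2}" -f $e.Executable, $e.Hive, $effect)
}
```

For an application that is not listed anywhere, OptOut and AlwaysOn give the same result: DEP is on. The difference is only that OptOut leaves a way out (the exception list, and for a 32-bit process its own request to disable DEP) while AlwaysOn removes both, which is why the ExceptionsHonoured flag is the value to look at when deciding between them.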
     
  24. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
  25. Solarlynx

    Solarlynx Registered Member

    Joined:
    Jun 25, 2011
    Posts:
    2,015