EMET (Enhanced Mitigation Experience Toolkit)

Discussion in 'other anti-malware software' started by luciddream, Apr 1, 2013.

  1. Paranoya

    Paranoya Registered Member

    Joined:
    Nov 4, 2013
    Posts:
    59
    Somehow I missed that. Thanks!
     
  2. Gobbler

    Gobbler Registered Member

    Joined:
    Jul 30, 2010
    Posts:
    270
    I recently found out while testing EMET with the HitmanPro.Alert test tool that if EAF is unchecked, then none of the ROP mitigations work. This is weird, because every mitigation is supposed to work independently. This may be a serious issue for EMET users: if some application is not compatible with EAF and the user turns EAF off for that application, then he/she is getting very little protection from EMET for the application concerned. Can someone please confirm this?
     
  3. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    I don't believe that EAF is even related to ROP mitigations or even tied into them behind the scenes in any way. Although I am hoping that somebody with more knowledge can confirm this.
     
  4. guest

    guest Guest

    I didn't even pass almost all of the tests. Excluding the webcam and keylogger tests, I only passed one test. I'm thinking that this is not the supposed tool to test EMET.
     
  5. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    I wasn't entirely sure how the HitmanPro.Alert test tool works with regards to testing EMET either. I added wildcards for *\System32\calc.exe and *\SysWOW64\calc.exe but wasn't certain exactly what the exploit test tool was targeting prior to running the Calculator program. It's not very specific. But at the same time, I didn't read the manual for the test tool last night either when I gave it a try. I don't believe it blocked anything for me. I don't understand the scope of it though.

    EDIT: I suppose we would be better off asking in the Hitman thread about how the test tool works exactly. I'm going to read the manual shortly to see if I can understand it a bit more.
     
  6. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    Correct. EMET is not some form of HIPS product, but those with something to gain will try to compare it as such to advertise their product.
     
  7. Gobbler

    Gobbler Registered Member

    Joined:
    Jul 30, 2010
    Posts:
    270
    You have to add the test tool to the list of protected apps in EMET, not calc.exe. EMET blocks most of the tests, especially when the Simulate Exec Flow count is increased to a higher number, but none of the ROP mitigations work if EAF is turned off; that is the problem you see. Anyway, I am going to report this in the EMET support forum because it may be a bug.
     
  8. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Thanks Gobbler, I appreciate that. I'll have to try that again tonight and see how it goes. Also, good that you are reporting that to the EMET team as well.

    EDIT: I can also confirm what you stated regarding disabling the EAF mitigation: it now allows the ROP exploits to slip right through EMET.
     
    Last edited: Sep 11, 2014
  9. guest

    guest Guest

    Thanks for the info. So I'm assuming that the test tool is supposed to serve as a potential threat-gate app.
     
    Last edited by a moderator: Sep 11, 2014
  10. Gobbler

    Gobbler Registered Member

    Joined:
    Jul 30, 2010
    Posts:
    270
    Thanks for the confirmation, BTW. I have already posted the issue in the EMET forum.
     
  11. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,857
    Location:
    the Netherlands
    Hi everyone,

    I didn't intend to post in the EMET thread, I posted in the G Data 2015 thread, but as there was no relevant feedback so far, I decided to post here as well, as GrafZeppelin kindly suggested.

    My question is:
    Does anyone of you use EMET 5.0 together with G Data 2015?
    Do you get G Data BankGuard false positives?

    There were no issues with G Data 2015's Exploit Protection and/or BankGuard with EMET 4.0, EMET 4.1 and EMET 4.1 Update 1.
    But since I implemented EMET 5.0 on August 1, I have had nine BankGuard false positives so far (on average that's one BankGuard false positive every 4.7 days).
    Note that I do not get any EMET alerts, but I get BankGuard false positives. G Data seems to falsely react to something; it is not EMET that gives false positives. I cannot tell for sure that it is EMET 5.0 that G Data reacts to. The only relation is that the BankGuard false positives started a couple of days after implementing EMET 5.0.
    It may be something specific for EMET 5.0 (that was not in EMET 4.0, EMET 4.1 and EMET 4.1 Update 1) that G Data 2015's Exploit Protection and/or BankGuard is interfering with.
    Please note that the default Deep Hooks mitigation setting was not new with EMET 5.0 (as was stated earlier in this thread). Deep Hooks is also enabled by default in EMET 4.1 Update 1, issued April 29, 2014.

    Anyhow, getting G Data BankGuard false positives is a pity. The G Data software was perfectly compatible with earlier EMET versions, and the current BankGuard false positives are getting somewhat annoying.
    Of course I reported it to G Data Support, but the G Data developers team hasn't been able to fix that G Data BankGuard and EMET 5.0 incompatibility so far. It is hard to find out what exactly is causing the BankGuard false positives.
    And as I cannot pinpoint what it is that triggers G Data 2015 BankGuard (BankGuard alerts only mention there is 'Unknown malware detected', with no further details) and the issue is hard to reproduce (it just happens again some days later, but with no clue of what triggers it), I guess it won't be easy for the BankGuard team to diagnose and fix the issue.

    Therefore, if any of you use the G Data software together with EMET 5.0 and you get BankGuard false positives (or if you get BankGuard false positives even without using EMET 5.0), would you please report it to G Data Support? More information will help the G Data developers team to diagnose and fix the BankGuard false positives.
    Thank you very much.


    Relevant details:

    In all cases the G Data BankGuard false positive occurred with multiple IE9 tabs opened, or while opening multiple IE9 tabs.
    That is how I use my browser, but that never led to any G Data BankGuard false positives before August 2014.

    OS:
    Windows Vista Ultimate SP2 x86

    Browser:
    Internet Explorer 9, version 9.0.8112.16421
    N.B.
    For Windows Vista that is the most up to date IE version.
    I have no other browsers installed.

    G Data version:
    G Data InternetSecurity 2015 version 25.0.1.5

    EMET 5.0 configuration:
    Custom security settings:
    DEP : "Application Opt Out" (but without any opt outs)
    SEHOP : "Always On"
    ASLR : "Application Opt In"
    Pinning: "Enabled"
    Protection Profile: "Popular Software"

    Also active:
    HitmanPro.Alert, version 2.6.5.77,
    Adblock Plus for Internet Explorer, version 1.2.0.0
     
  12. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    HitmanPro.Alert is doing the same thing EMET is doing. That might cause conflicts. I would only run one of them.
     
  13. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,857
    Location:
    the Netherlands
    That applies to HitmanPro.Alert 3 Community Technology Preview 3, but not to HitmanPro.Alert 2.6.5.77.
    HitmanPro.Alert 2.6.5.77 does not offer exploit mitigations, other than the Alert and the CryptoGuard functionality.
     
    Last edited: Sep 13, 2014
  14. Paranoya

    Paranoya Registered Member

    Joined:
    Nov 4, 2013
    Posts:
    59
    I would change SEHOP from Always On, and test to uncheck StackPivot for IE. StackPivot was changed in 5.0 and is not compatible anymore with several programs on my PC. Other users have experienced the same thing. In my case having it on can cause a crash without any alert from EMET about it. So it's different from other mitigations.

    Regarding DeepHooks you're correct! Although the EMET 4.1 Update 1 says: "By default, enables the DeepHooks global flag as part of the Recommended Settings configuration."
    I guess there's a chance that it wasn't enabled if you didn't use the recommended settings...

    Overall there were a lot of changes made in 5.0 including fixing the bypasses reported by Bromium Labs for EMET 4.1, and the EMET team collaborated with Bromium Labs on this. For me EMET 5.0 was by far the most difficult version to configure before I could run all protected programs without crashes.
     
  15. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,857
    Location:
    the Netherlands
    I could, but I had no issues with system setting SEHOP Always On before. And as nothing has changed with the system setting for SEHOP, I do not expect that would be the factor that is causing the G Data BankGuard false positives.
    (By the way, with Vista there is only system setting SEHOP Disabled or SEHOP Always On, there is no system setting SEHOP Application Opt Out.)

    Yes I could, and yes I have read about that.
    I will definitely keep this in mind, thank you very much.
    But first I would like to find out if others get G Data BankGuard false positives recently.
    If there is no one here using the combination G Data and EMET 5.0, or if none of those get BankGuard false positives, I can disable the StackPivot mitigation for IE for diagnostic purposes and see if that changes the G Data BankGuard behavior.

    I installed with first choosing "Use Recommended Settings", after which I configured EMET importing the Popular Software profile. So the Deep Hooks mitigation setting was enabled. (And I even have screen captures showing it was enabled.)

    Yes, I have read the posts regarding EMET 5.0. It's an interesting piece of software ;-)
    But I think the G Data guys are certainly not stupid, so I guess if they want to they must be able to make G Data 2015's Exploit Protection and/or BankGuard work with EMET 5.0 without disabling StackPivot for IE or disabling other mitigations. But first they/we/I need to find out what is causing the G Data BankGuard false positives. For the moment I'll wait and see if there are others with the same BankGuard false positives issue, and later I can (and will, if needed) disable the StackPivot mitigation for IE for diagnostic purposes.
     
  16. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Yes, there are two methods:

    Method #1: Install v5 using option to keep existing rules. Delete the app rules that you want to have replaced with app rules in a profile. Import the desired profile, such as "Popular Software.xml". Any existing app rules are not modified or deleted when you import a profile.

    Method #2: Before you install v5, export selected app rules that you wish to keep to a profile. Install v5 with option to use default settings. Delete the app rules that you want to have replaced with app rules in the profile you just created. Import the profile you created. Any existing app rules are not modified or deleted when you import a profile.

    I used method #2.
     
  17. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Firefox 32.0.1 starts very slowly when using EMET 5.0 default rules for Firefox. Turning off EAF+ for firefox.exe fixed the issue.
     
  18. new2security

    new2security Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    517

    As a general rule, I disable StackPivot and EAF to avoid program crashes. Sometimes Caller. I wonder if Microsoft really tested all software listed in their pre-determined list that has EAF and StackPivot enabled.
     
  19. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    The interesting thing that I have noticed during my testing of EMET over the last year or so is that there's a significant difference between Windows 7 SP1 (64-bit) and Windows 8.1 Update 1 (64-bit). The few mitigations that I had to disable on Win7, same as you mention regarding Firefox, I have not had to disable on Win8. I am wondering if Microsoft mainly tests EMET's Popular Software settings against an up-to-date Windows 8.1 system. I haven't had to disable any mitigations yet and even Adobe Reader is lightning fast. I remember with Win7 and EMET Adobe Reader was ridiculously slow because of a conflict between Adobe Reader's own protections and EMET. As much as it pains me to say this, my current experience with Windows 8.1 and EMET has been a breath of fresh air along with excellent overall performance from all programs.
     
  20. oliverjia

    oliverjia Registered Member

    Joined:
    Jul 21, 2005
    Posts:
    1,926
    LOL, this is exactly what I wanted to say.
    I did not understand why some members here experience various problems with EMET 5.0, but on my Win8.1 Update 1 x64, I experience absolutely nothing unusual: no slowdowns, no program crashing, no conflict of any sort. And that's exactly why I don't use any other third-party exploit mitigation tools like MBAE, HMPA and the like.
     
  21. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Nothing needed to be disabled here, Windows 7 64-bit. Deep hooks, whatever, even another anti-exploit program (ViRobot APT Shield). No problems running the latest x64 Chrome with plenty of add-ons.
     
  22. new2security

    new2security Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    517
    :) Microsoft maybe tests EMET on W8.1 and assumes it'd work on W7 too. But that sounds unreasonable. Or. Not.
     
  23. ratchet

    ratchet Registered Member

    Joined:
    Feb 20, 2006
    Posts:
    1,988
    I'm assuming this is the main EMET thread. Would you recommend I try it on x64 W7 SP1? I see the last couple of posts members had some issues. I've noticed there is a Sandboxie issue with Malwarebytes Anti Ex so I guess that's out. I also run Norton A-V and Malwarebytes (Premium). Thank you!
     
  24. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,642
    Location:
    USA
    I would definitely give it a try. Norton, Malwarebytes, Sandboxie and EMET run well together. If I were still running Norton it is exactly the setup I would be using. If you have any issues with EMET they are easily fixed by unchecking the offending settings.
     
  25. ratchet

    ratchet Registered Member

    Joined:
    Feb 20, 2006
    Posts:
    1,988
    Thank you!
     