EMET (Enhanced Mitigation Experience Toolkit)

Discussion in 'other anti-malware software' started by luciddream, Apr 1, 2013.

  1. zakazak

    zakazak Registered Member

    Joined:
    Sep 20, 2010
    Posts:
    529
    Using EMET since v3 but with 5.1 I get a lot of crashes and slow downs. I imported my v4 apps and suddenly 75% of apps are crashing (including system or nvidia files). e.g. mpc.exe, photoshop, keepass, etc.

    Even with EAF disabled they do crash. My only solution was to completely remove them from EMET :/
     
  2. guest

    guest Guest

    EMET 5.1?
     
  3. ance

    ance formerly: fmon

    Joined:
    May 5, 2013
    Posts:
    1,359
    Why are EAF+ and ASR in EMET 5.0 disabled by default when adding Firefox? Are the mitigations known to cause crashes or are they not available for Windows 64 bit?
     
  4. Solarlynx

    Solarlynx Registered Member

    Joined:
    Jun 25, 2011
    Posts:
    2,015
    The default settings are not always suitable. On my Win x64 they are OK for some apps.
     
  5. guest

    guest Guest

    EAF+ and ASR also require additional tweaks specific for each apps and I bet Microsoft is too lazy to figure out many of them. And besides, ASR is rather useless.
     
    Last edited by a moderator: Sep 28, 2014
  6. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    EAF+ is on in EMET 5.0's defaults for firefox.exe. See post #691 for how to get the default settings.
     
  7. guest

    guest Guest

    I think Impet meant adding firefox.exe manually, which is true that EAF+ and ASR are disabled by default, so as for all programs the user manually adds. The XML does enable EAF+ (and also ASR for IE) for web browsers.
     
  8. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,873
    Location:
    Outer space
  9. Paranoya

    Paranoya Registered Member

    Joined:
    Nov 4, 2013
    Posts:
    59
    Interesting, thanks! I took a quick look and it seems they still used the same IE8 vulnerability for their tests. If you look that up here http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1876 it says:
    "Microsoft Internet Explorer 6 through 9, and 10 Consumer Preview, does not properly handle objects in memory, which allows remote attackers to execute arbitrary code...."

    So IE versions above 10 Consumer Preview should be fine if I interpret this correctly, with the big Q being "have I understood this correctly" ??
     
  10. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,873
    Location:
    Outer space
    Interestingly, the disarming EMET 5 article shows that enabling EAF+, even without custom rules, makes it harder to bypass. (Though not much it seems)

    They don't mention it because it is 2.5 years old, so probably IE10 CP was the newest version back then.
    Patches were released for all versions incl. IE 6:
    https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1876
    https://technet.microsoft.com/library/security/ms12-037

    They're using this old vulnerability because they used it with their older EMET bypass research and want to remain consistent. Their bypassing techniques are not bound to a specific vulnerability so it doesn't matter much.
     
  11. zakazak

    zakazak Registered Member

    Joined:
    Sep 20, 2010
    Posts:
    529
    Sry.. EMET v5.

    I literally removed most of my .exe files from EMET as it slowed down my laptop a lot. Most apps wouldn't even start (media player classic, photoshop, keepass, ......). Even after disabling EAF and EAF+.

    I usually also had my running nvidia processes added to EMET, but then my laptop wouldn't even boot as usual anymore.

    Any suggestions? Maybe someone wants to look at my "exported list of apps"? I added A LOT and with "smart" wildcards to use the same config file on all of my systems.

    Thanks
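    An added example (not from this thread or from EMET itself) of the kind of review asked for above: it parses an exported app list and flags entries that are not typical threat-gate apps, and threat-gate apps where EAF+ was left off as happens with manual adds. The export layout and the sample XML are assumptions constructed for the example, not a real EMET export.

```python
"""Audit an exported EMET 5 app list for two things the thread raises:
apps that are not threat-gate programs (candidates to drop from EMET),
and threat-gate apps whose EAF+ mitigation is disabled.

ASSUMED export layout (not verified against a real export):
<EMET_Apps><AppConfig Path=".." Executable=".."><Mitigation Name=".." Enabled="true|false"/>
"""
import xml.etree.ElementTree as ET

# Constructed sample in the assumed layout; firefox was "added manually"
# (EAF+ off), keepass is a non-threat-gate app someone added anyway.
SAMPLE_XML = """<EMET Version="5.0">
  <EMET_Apps>
    <AppConfig Path="*\\Mozilla Firefox" Executable="firefox.exe">
      <Mitigation Name="DEP" Enabled="true" />
      <Mitigation Name="EAF" Enabled="true" />
      <Mitigation Name="EAF+" Enabled="false" />
      <Mitigation Name="ASR" Enabled="false" />
    </AppConfig>
    <AppConfig Path="*\\KeePass" Executable="keepass.exe">
      <Mitigation Name="DEP" Enabled="true" />
      <Mitigation Name="EAF" Enabled="true" />
      <Mitigation Name="EAF+" Enabled="false" />
      <Mitigation Name="ASR" Enabled="false" />
    </AppConfig>
  </EMET_Apps>
</EMET>"""

# Programs that routinely open untrusted content ("threat-gate apps" in the
# thread's words). Hypothetical list; extend to match your own environment.
THREAT_GATE = {"firefox.exe", "iexplore.exe", "chrome.exe", "acrord32.exe",
               "winword.exe", "excel.exe", "javaw.exe"}


def parse_apps(xml_text):
    """Return {executable: {mitigation_name: enabled_bool}} for every AppConfig."""
    root = ET.fromstring(xml_text)
    apps = {}
    for app in root.iter("AppConfig"):
        exe = app.get("Executable", "").lower()
        apps[exe] = {m.get("Name"): m.get("Enabled", "").lower() == "true"
                     for m in app.findall("Mitigation")}
    return apps


def audit(apps):
    """Return (executable, finding) pairs in sorted executable order."""
    findings = []
    for exe, mits in sorted(apps.items()):
        if exe not in THREAT_GATE:
            findings.append((exe, "not a threat-gate app; consider removing from EMET"))
        elif not mits.get("EAF+", False):
            findings.append((exe, "EAF+ disabled (manual adds leave it off)"))
    return findings


if __name__ == "__main__":
    for exe, note in audit(parse_apps(SAMPLE_XML)):
        print(f"{exe}: {note}")
```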
     
  12. emmjay

    emmjay Registered Member

    Joined:
    Jan 26, 2010
    Posts:
    1,549
    Location:
    Triassic
    Anyone here find that if you update an FF add-on you get a DEP mitigation pop-up from EMET? I always get this. The restart FF does not show the add-on as being installed. If I clear FF cache and history and then restart FF, the add-on shows as installed.
     
  13. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    From the manual:
    EMET mitigations guidelines (KB2909257). This link also contains a list of known incompatible mitigations for some programs.
     
  14. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    From the manual:
    (My bolding.)
     
  15. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    I wouldn't worry about this too much, all this stuff is by-passable, the question is: will exploit writers really go to this length to infect "average Joe", who is probably not even using anti-exploit tools. :)
     
  16. Paranoya

    Paranoya Registered Member

    Joined:
    Nov 4, 2013
    Posts:
    59
    No, that sounds weird. If I remember correctly you've had problems with FF history before. Try setting history to Never remember and see if that helps. That mode won't write to disk and only use RAM. Other than that, clean installs can sometimes do miracles ;) Of FF I mean.
     
  17. Paranoya

    Paranoya Registered Member

    Joined:
    Nov 4, 2013
    Posts:
    59
    Ok, so we should only be a little worried then, as always ;)
     
  18. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    I find it interesting that they state EAF+ (AcroRd32.dll) as an incompatible mitigation with EMET 5.0 yet they add that specific mitigation/module by default with the Popular Software settings. I still have that mitigation/module enabled on Windows 8.1 and have no issues. I wonder if it just affects Windows 7 and others because I remember Reader having lots of problems with EMET when I was running Windows 7.
     
  19. emmjay

    emmjay Registered Member

    Joined:
    Jan 26, 2010
    Posts:
    1,549
    Location:
    Triassic
    You are correct on that. I changed it and after the restart it reverted back to custom. Not sure why. Interestingly, if I choose clear history from the options menu it does not work either. I have to use CCleaner. It has been several releases now since I undertook a clean install of FF ... guess it is time. :confused: If that does not work, it must be something that I am doing, that I shouldn't be doing (wouldn't be the first time!).
     
  20. zakazak

    zakazak Registered Member

    Joined:
    Sep 20, 2010
    Posts:
    529
    I used the recommended settings and manually edited the config file for v5. But in any case, it is still weird that EMET v5 doesn't work with many apps such as mpc.exe, keepass, ... ? Even when disabling the mitigations.
     
  21. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    It would also be interesting to know if this exploit can bypass apps with "execution control" like MBAE, HMPA, EXE Radar and AppGuard. This is something that EMET lacks.
     
  22. guest

    guest Guest

    There's no need to add KeePass, graphic card processes, etc. to EMET IMO. Just add threat-gate apps, which are typically the entrance for malware.

    According to some people an anti-exe is already too late in the game.

    Pair it with AppLocker. =D
     
  23. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Yes but what I mean is: if all exploit protections are bypassed, you can at least still stop the payload with anti-exe. But with EMET alone, it's game over.
     
  24. guest

    guest Guest

    It's already game over if EMET was bypassed no matter what you put behind it lol. But yeah, at least they can still do some preventive countermeasures. In this case anti-exe like that one in AppGuard is IMO better than only whitelisting-based anti-exe. Why? Two words: process hijack.
     
    Last edited by a moderator: Oct 4, 2014
  25. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    @ GrafZeppelin

    We already discussed this. Almost all exploits will need to launch a payload from disk. So if EMET is bypassed it's not a big deal if some anti-exe app can stop the payload. So in theory, whitelisting-based anti-exe will perform just as well as AppGuard. But yes, the HIPS capabilities will come in handy if the payload manages to run.
     