EMET (Enhanced Mitigation Experience Toolkit)

Discussion in 'other anti-malware software' started by luciddream, Apr 1, 2013.

  1. JohnnyTrevor

    JohnnyTrevor Suspended Member

    Joined:
    Oct 1, 2014
    Posts:
    8
    Thanks! I googled the MD5 ed79e6917f1cbf6e4041638f98ff29af & it seems legit. ;)
     
  2. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,207
    Chrome started to load pages slowly and to freeze on some Flash content with EAF+. I removed the chrome_child.dll module and now it is fast again.
    I also removed the EAF+ guarded modules in the EMET 5.1 Firefox settings, with the result that it now starts fast.

    Perhaps I have malware or something, EAF+ making the browsers so nonresponsive. I have no idea.
     
  3. harshisthere

    harshisthere Registered Member

    Joined:
    Aug 8, 2011
    Posts:
    84
    I have added mozjs.dll;xul.dll in EAF+ for Firefox and none in ASR. My setup works flawlessly.
     
  4. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,207
    Starting Firefox with the default EAF+ settings takes almost 45 seconds on my 3-year-old, then quite powerful, laptop; the same happened in EMET 5.0. After deleting, I think, those modules in EAF+, it takes about 2-3 seconds.
    Chrome starts fast but it has the problem of pages loading slowly. Removing what I posted from EAF+ corrects that problem.
     
  5. controler

    controler Guest

    Known issues: After you install this security update, Internet Explorer may crash when you use Enhanced Mitigation Experience Toolkit (EMET) 5.0. This issue affects Internet Explorer 11 on Windows 8.1 systems. To resolve this issue, install EMET 5.1, or temporarily disable the EAF+ mitigation for Internet Explorer 11.

    On my system (8.1) disabling EAF+ does not work. Before I install it, I turn on QuietZone and do not reboot until I have seen whether EMET has broken my computer.

     
  6. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Jarmo, try keeping the default mitigations for Firefox as is, but just uncheck SEHOP mitigation. That should do the trick.
     
  7. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,344
    Location:
    Italy
    (Test HPA3)
    EMET 4.1 U1 on Windows XP

    Stack Pivot = Passed
    Stack Exec = Passed
    ROP WinExec = Passed
    ROP VirtualProtect = Passed
    ROP NtProtectVirtualMemory = Passed

    ROP system in msvcrt = failed *
    ROP VirtualProtect via CALL gadget = failed *
    ROP WinExec via anti-detour = failed *

    Null Page = Alert - "Null Page exploit/test failed".

    SEHOP = Passed

    Heap Spray 1 = Passed
    Heap Spray 2 = Passed (no alert)

    Heap Spray 3 = failed *
    Heap Spray 4 = failed *

    Anti VM = Failed *

    Hollow process = Alert - "I feel so empty inside".

    Load Library = (No alert)

    URLMon = failed *
    URLMon 2 = Passed
    URLMon 3 = Passed

    Who has the results of EMET 5.1?
     
  8. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I just installed 5.1, and EAF had to be disabled for Internet Explorer 11. Is that the same behavior being seen by others? I'm using Windows 7 x64 Ultimate SP1.
     
  9. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,843
    Location:
    the Netherlands
    Are you by any chance using F-Secure?
    F-Secure's DeepGuard is not fully compatible with EMET 5.0 and 5.1.
    You would need to choose to enable the compatibility mode for DeepGuard.
    See this F-Secure community thread.
    Also see Sealord's October 27 post at Wilders (which was a reply to 142395's post).
     
  10. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    No, I'm using NOD32 v8. Thanks for the info though!
     
  11. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I just checked Adobe Reader and Java. EAF had to be disabled for them as well. It looks like disabling EAF did the trick though. I had to disable so many different mitigation methods for EMET 5 that it was not worth having on my machine. I had to disable about half of them for Adobe Reader, Java, Firefox, and Internet Explorer. I hope EMET 5.1 does not turn out to be the same deal.
     
  12. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,207
    All the other mitigations except EAF+ work just fine for me. It also works, with some annoyances. I might try, though, to exchange EAF+ for disabled SEHOP in Firefox, if EAF+ is the more important mitigation. Will have to surf for more information etc. Thank you for your post.
     
  13. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    SEHOP is just known to cause issues with Firefox (as brought up here on Wilders previously), at least the way in which EMET enforces it anyway. Disabling the SEHOP mitigation for Firefox solved the slow startup issue for many people. If disabling the SEHOP mitigation solves your problem, that would be great. And in that case, you might even look into ways for the OS itself to enforce SEHOP mitigation on Firefox as an option. I can't promise that it would work; it's simply an idea. That way, hopefully you can still have EAF+ along with all the other mitigations for Firefox, with the one exception of SEHOP. I would say EAF and EAF+ are likely more important these days, but I could be wrong. See how it goes, anyway, and post back and we'll see what works for you.
     
  14. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,726
    Location:
    Canada
    All the mitigations are set on my Internet Explorer 11. Running w/ Windows 7 x64 and w/ Enhanced Protected Mode enabled. I do a lot of browsing and I haven't experienced any problems as of yet. Perhaps test Internet Explorer in No-Addon mode.

     
  15. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,207
    EAF+ (note EAF works just fine) is the cause of the Firefox slow start. Firefox seems to work well with all the other default mitigations. I tested with SEHOP disabled and full EAF+ .... same slow start.

    I am interested in other people's experiences, to see if they are the same as mine. Users always have to bear in mind what other security software they are running. That can make a difference in how EMET works. Mine are in my signature.

    With EAF+ disabled or the modules removed from it (might be the same, I guess), Firefox seems to work just fine. But I will keep your SEHOP advice in mind if Firefox behaves badly in the future, and then remove it too.
     
    Last edited: Nov 14, 2014
  16. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Firefox starts more slowly for me with EMET 5.1 if EAF+ is used.
     
  17. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    I would like to apologize, Jarmo. I guess that I misunderstood you initially regarding your Firefox slow startups. I jumped to conclusions and assumed that it was SEHOP since that had affected a larger majority, particularly after EMET 5 release as well. You are 100% right, different OS versions, different configurations, different software and especially different security software certainly could cause varying results between EMET users.

    If disabling EAF+ is what works for your system with Firefox, then absolutely I would disable it as well. Or as you said, simply removing certain modules from EAF+ as well. I remember reading somewhere before that if you remove all modules from EAF+, yet keep EAF+ enabled, that you still retain some EAF+ protection. Although I can't confirm that and I could be mixing that info up with ASR. I'll take a dive into the User Manual again in a few minutes to see.
     
  18. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Your comment as well as Jarmo P's comment about EAF+ causing slow startup of Firefox got me thinking about what has caused my slow performance issues with Chrome, which also started with EMET 5.1. Oddly, EAF+ doesn't seem to cause a startup delay with Firefox for me though.

    I can confirm, at least in my case, that EAF+ (chrome_child.dll) has been causing slow performance of Chrome (64-bit). This has been just general all-over sluggishness of the UI, like opening new tabs and even a delay in what I am typing in forum text boxes. Removing EAF+ for Chrome has solved my issue. So thank you both for bringing up EAF+. Just a heads up in case anyone else has degraded performance in Chrome since the EMET 5.1 release.
     
  19. Paranoya

    Paranoya Registered Member

    Joined:
    Nov 4, 2013
    Posts:
    59
    Same here, Firefox starts in 30+ seconds. About 45 secs when started with Sandboxie.
    But if I remove the module xul.dll from EAF+ settings for Firefox, it starts in only a few seconds.
     
  20. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    From EMET – The Ultimate Installation and Deployment Guide:
     
  21. Paranoya

    Paranoya Registered Member

    Joined:
    Nov 4, 2013
    Posts:
    59
    The HIPS in NOD32 also has an exploit blocker, so that might conflict with EMET:
    http://kb.eset.com/esetkb/index?page=content&id=SOLN2908
     
  22. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Excellent read. Thank you for the link, MrBrian.

    This reminds me. Several days ago I started adding some Windows services to EMET, assuming at first that it might not even work. But it works great. I use ISC BIND DNS as a local proxy for DNS resolution/caching/ad blocking and decided to add the 'named.exe' Windows service. EMET injects into it properly before the desktop is even loaded, with no negative effects. It made sense to give extra protection to a DNS server. I am going to explore more, a little every few days, so that I can track down possible side effects, if any.
     
  23. zakazak

    zakazak Registered Member

    Joined:
    Sep 20, 2010
    Posts:
    529
    I used to add drivers, services, etc. to EMET. Intel, NVIDIA drivers... basically every .exe that was running in the background (such as explorer.exe, dwm.exe, ...). But since 5.x, 90% of them won't work anymore or cause heavy freezes.
     
  24. Paranoya

    Paranoya Registered Member

    Joined:
    Nov 4, 2013
    Posts:
    59
    Firefox slow start with EAF+

    As I mentioned in a previous post, removing xul.dll from EAF+ modules solves the slow start. I did a search to try and find out how important it is to protect that module, and I found this: http://www.vupen.com/blog/20140520.Advanced_Exploitation_Firefox_UaF_Pwn2Own_2014.php
    The article refers to xul.dll and also the other EAF+ module mozjs.dll several times. The article ends with the statement "It is also possible to bypass EMET but this step is left as an exercise for the reader!"

    Unfortunately I'm not one of the readers who has the skills to do that, or to fully understand the article, so my question is:
    If I keep both modules in the EAF+ settings, am I protected from this?

    The description for EAF+ modules is:
    "Prevent memory read operations on protected export tables when they originate from suspicious modules that may reveal memory corruption bugs used as “read primitives” for memory probing"
    But I'm not sure if that's related to the above article?
     
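    Several posts in this thread (removing chrome_child.dll from Chrome's EAF+ list, removing xul.dll from Firefox's, disabling SEHOP or EAF outright) are the kind of per-machine tweak that is easy to forget and hard to spot later. The script below is an added example, not from this thread or from Microsoft: it audits an EMET application-config export and reports every mitigation that was switched off and every EAF+ module that was dropped relative to the defaults quoted in this thread (mozjs.dll;xul.dll for Firefox, chrome_child.dll for Chrome). The embedded XML is a constructed sample laid out the way an EMET 5.x export is shaped; the element and attribute names (`AppConfig`, `Mitigation`, `eaf_modules`) are assumptions to check against a real export before relying on them.

```python
"""Audit an EMET 5.x application-config export for weakened mitigations.

Added example; not code from the thread or from EMET itself. The XML sample
and the baseline module lists are constructed from what the thread quotes.
"""
import xml.etree.ElementTree as ET

# Constructed sample export: each app has been weakened the way posts in
# this thread describe (SEHOP off and xul.dll dropped for Firefox, the
# Chrome EAF+ list emptied, EAF disabled for Internet Explorer).
# Element/attribute names are assumptions about the EMET export format.
SAMPLE_EXPORT = """<?xml version="1.0" encoding="utf-8"?>
<EMET Version="5.1">
  <EMET_Apps>
    <AppConfig Path="*\\Mozilla Firefox" Executable="firefox.exe">
      <Mitigation Name="DEP" Enabled="true" />
      <Mitigation Name="SEHOP" Enabled="false" />
      <Mitigation Name="EAF" Enabled="true">
        <eaf_modules>mozjs.dll</eaf_modules>
      </Mitigation>
      <Mitigation Name="ASR" Enabled="true" />
    </AppConfig>
    <AppConfig Path="*\\Google\\Chrome\\Application" Executable="chrome.exe">
      <Mitigation Name="DEP" Enabled="true" />
      <Mitigation Name="SEHOP" Enabled="true" />
      <Mitigation Name="EAF" Enabled="true">
        <eaf_modules></eaf_modules>
      </Mitigation>
    </AppConfig>
    <AppConfig Path="*\\Internet Explorer" Executable="iexplore.exe">
      <Mitigation Name="DEP" Enabled="true" />
      <Mitigation Name="SEHOP" Enabled="true" />
      <Mitigation Name="EAF" Enabled="false" />
    </AppConfig>
  </EMET_Apps>
</EMET>
"""

# Baseline EAF+ module lists as quoted in this thread for the default
# protection profile; extend this table for the apps you actually protect.
DEFAULT_EAF_PLUS = {
    "firefox.exe": {"mozjs.dll", "xul.dll"},
    "chrome.exe": {"chrome_child.dll"},
}


def parse_apps(xml_text):
    """Return {exe: {"mitigations": {name: enabled}, "eaf_plus": set|None}}."""
    root = ET.fromstring(xml_text)
    apps = {}
    for app in root.iter("AppConfig"):
        exe = app.get("Executable", "").lower()
        mitigations = {}
        eaf_plus = None  # None means no EAF+ module list at all
        for m in app.findall("Mitigation"):
            name = m.get("Name")
            mitigations[name] = m.get("Enabled", "false").lower() == "true"
            if name == "EAF":
                modules = m.find("eaf_modules")
                if modules is not None:
                    text = (modules.text or "").strip()
                    eaf_plus = {x.strip().lower() for x in text.split(";") if x.strip()}
        apps[exe] = {"mitigations": mitigations, "eaf_plus": eaf_plus}
    return apps


def audit(apps, baseline=DEFAULT_EAF_PLUS):
    """List (exe, finding) pairs for disabled mitigations and trimmed EAF+ lists."""
    findings = []
    for exe, cfg in sorted(apps.items()):
        mitigations = cfg["mitigations"]
        for name, enabled in mitigations.items():
            if not enabled:
                findings.append((exe, f"{name} disabled"))
        expected = baseline.get(exe, set())
        if mitigations.get("EAF") and expected:
            actual = cfg["eaf_plus"]
            if actual is None:
                findings.append((exe, "EAF+ module list absent (EAF+ not applied)"))
            else:
                missing = sorted(expected - actual)
                if missing:
                    findings.append((exe, "EAF+ modules removed: " + ", ".join(missing)))
    return findings


if __name__ == "__main__":
    for exe, finding in audit(parse_apps(SAMPLE_EXPORT)):
        print(f"{exe:14s} {finding}")
```

    Run against a real export, the output gives a short list of the exact trade-offs made on that machine, so a later decision (for example re-enabling xul.dll once a Firefox release no longer shows the slow start) is made from a record rather than from memory.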
  25. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    The specific Firefox vulnerabilities used have very likely been fixed already by Mozilla, so you probably don't even need EMET to protect against exploitation of those specific vulnerabilities. This EMET mitigation is perhaps an attempt to prevent exploitation of similar potential zero-day vulnerabilities in Firefox.

    @WildByDesign: You're welcome :).
     