EMET (Enhanced Mitigation Experience Toolkit)

Discussion in 'other anti-malware software' started by luciddream, Apr 1, 2013.

  1. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Have you ever considered that the problems you are having are Chrome? I use Firefox sandboxed, first with EMET and now HMPA, and have never seen any issues here or elsewhere.

    Care to substantiate this. I say nonsense.
     
  2. wolfrun

    wolfrun Registered Member

    Joined:
    Jul 26, 2009
    Posts:
    702
    Location:
    North America
    I know that you use EMET with Sandboxie. Question: do you add Sandboxie (say SbieSvc.exe, SbieCtrl.exe, etc.) to the mitigations? No doubt you do with FF. How about Flash and Plugin Container? How do you mitigate them? I am on Windows 7 64-bit.
     
  3. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Wolfrun

    I was using EMET, but now am using HMPA. But no, I didn't add the SBIE processes to EMET. When I was using it I had FF and Plugin Container added with all the mitigations.

    Pete
     
  4. wolfrun

    wolfrun Registered Member

    Joined:
    Jul 26, 2009
    Posts:
    702
    Location:
    North America
    OK Pete, thanks. I think I'll probably do the same down the line, either with that or AP Guard; meanwhile I think I will just stick with Sandboxie for now.
     
  5. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    That issue in particular was not related to Sandboxie, just Chrome and the latest EAF+ mitigation in EMET 5.1 causing lag.

    Easier to just use Chrome or Chromium since Flash runs in process and sandboxed unlike how Flash runs a separate process for Firefox. So just to clarify, are you saying that specifically adding Flash process protection to EMET is causing issues with Firefox now? I remember testing this a few weeks back and discussing it. Is the problem due to EMET 5.1 or caused by the latest Flash update today?
     
  6. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,207
    Yes, you are the member I mentioned with the delay thing in Chrome, posting here with the EAF+ module enabled. Thank you for saying it was not Sandboxie related, but rather more global. I still wonder why no one else except you and me had that trouble.

    The need to remove Flash from the EMET rules, if we have added it, in order to watch videos in Firefox without crashing has been discussed here. Because of that bother I have not installed a new Flash plugin in a few days, so I can't tell any news about that. And yes, Chrome is a much easier browser regarding Flash.

    About EMET and Sandboxie, I do think the situation is like in this link, where tzuk posted his opinions on what to do, or rather what not to do: http://forums.sandboxie.com/phpBB3/viewtopic.php?f=40&t=15965&p=91617&hilit=EMET#p91617

    And I am for sure happy with the situation, that is, not getting a weakened Sandboxie because of EMET.

    Pete here said recently, as Curt did later in the Sandboxie forum, that EMET works with sandboxed applications. But I tend to disagree. Yes, it works if you have that app set to force start in a sandbox, or if you start that app from Explorer. Otherwise not.

    With Chrome, people using, say, free SBIE will see all processes under the Running EMET column checked with a green symbol, except one, and I guess that one process is what matters. Firefox has just one process, and it is not shown, nor is the plugin container. Unless you do what tzuk suggested in his message.

    That is one reason why I have my browsers forced.
     
    Last edited: Dec 10, 2014
  7. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    I just discovered using Firefox's about:crashes that Firefox has crashed several times in the past month in emet.dll. I used EMET 5.1 in this time period.
     
  8. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  9. 142395

    142395 Guest

    I happened to find there's actually a key to enforce system-wide ASLR; sorry, my bad.
    The key is HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\MoveImages
     
  10. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Hi, can anyone tell me which version I can use on XP? Do I need to install .NET 2 or .NET 4 for this?

    Thanks
     
  11. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Enhanced Mitigation Experience Toolkit 4.1 Update 1
    http://www.microsoft.com/en-us/download/details.aspx?id=41138

    Code:
    - EMET 4.1 Update 1 requires .NET Framework 4. 
    
    EMET 4.1 Update 1 supports the following operating systems and service pack levels:
    
    Client Operating Systems
    • Windows XP Service Pack 3
    • Windows Vista Service Pack 2
    • Windows 7 Service Pack 1
    • Windows 8
    • Windows 8.1
    
    Server Operation Systems
    • Windows Server 2003 Service Pack 2
    • Windows Server 2008 Service Pack 2
    • Windows Server 2008 R2 Service Pack 1
    • Windows Server 2012
    • Windows Server 2012 R2 
     
  12. KaptainBug

    KaptainBug Registered Member

    Joined:
    Dec 26, 2013
    Posts:
    484
    Can you tell me how to set the -1 value for the key? Is it 0xffffffff? But I see a larger decimal value and not -1 after setting it to all f's.
     
  13. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Thanks. BTW, I was having problems with 4.1, so I installed v5 and it seems to work smoothly. Is that fine?
     

    Attached Files: 1.JPG (18.6 KB)
    Last edited: Dec 16, 2014
  14. 142395

    142395 Guest

    That's okay, since a DWORD value only accepts positive values, and it will be displayed as 4294967295 in decimal, which is the maximum number in a 32-bit architecture.
     
  15. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    It may not be stated as officially supported for XP for EMET 5.x, but if it's working smoothly without any issues, then I say go for it. Just ensure that the .dll is being injected and that the protected processes are showing up as protected by EMET. If so, then it's all good.
     
  16. KaptainBug

    KaptainBug Registered Member

    Joined:
    Dec 26, 2013
    Posts:
    484
    Thank you!
     
  17. 142395

    142395 Guest

    You're welcome! :)
     
  18. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Thanks
     
  19. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Can anyone tell me how to change settings in SBIE to allow EMET to inject its DLL into sandboxed apps? It was posted on this forum but I can't find it now. Thanks
     
  20. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Go to the GUI and select Configure > Software Compatibility; it should be listed there. If not, go to Sandbox, then select your sandbox and Settings. Then scroll down to Applications > Security; under there you will find EMET. Highlight it and click Add. That should do it.
     
  21. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,207
    I am not sure what you mean by that question. I hope it means how to have sandboxed apps protected by EMET: set the mitigations for them in EMET. Then proceed as described in post #956, the latest, and many times before that in this thread.

    If your question is about wanting to protect the Sandboxie processes themselves with EMET, I would not do that myself, and I have no experience to help with it.

    I say nonsense if that is thought to solve anything, except if the apps are forced to run sandboxed (which needs a licensed SBIE). I told you that you have to look at what is shown under the Running EMET column in the program's GUI.
     
  22. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Thanks Peter.
     
  23. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Yes I mean this.

    I have applications forced. Thanks for the details.
     
  24. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    OK, I tried these settings. EMET.dll is being injected into sandboxed apps. I tried the MBAE test tool and it does crash on exploit, but there is no pop-up message from EMET, and there are two error messages, especially one from SBIE. Is that OK?
    Thanks
     

    Attached Files: a.jpg (89.4 KB)
  25. DR_LaRRY_PEpPeR

    DR_LaRRY_PEpPeR Registered Member

    Joined:
    Oct 11, 2012
    Posts:
    141
    Location:
    St. Louis area
    I think I just became Santa to myself! And similar to the "jolly, old, fat guy in a red and white suit" (DH: WaV) and the birth of Jesus, I have a gift for millions across the world. ;) :p :thumb: :eek: :-*

    EMET 5.1 working on XP! After falling into a deep depression after the release of 5.1 and then finding out that it wouldn't work on XP :'( :mad:, and not thinking about EMET for a while, I'm not sure what made me dive into this again this morning...

    We know about the error about fopen_s not being found in msvcrt.dll (yeah, I see it's not in the base XP version, only in later separate CRT versions). Anyway, I saw that it's only used in one place in EMET.dll, and another function could be used instead (the chunk of code doesn't seem important, or even used...?).

    I knew first I'd have to replace fopen_s in the Import Address Table, which I wasn't sure how to do... But EASY, just change the string! Changed to plain fopen, just to see if that would only reveal an error about missing some other function. But NO, it worked, and stuff shows running EMET now! :) :D :cool: :shifty:

    Of course the other code wasn't changed, and since the return value of the plain old fopen is "opposite" of the new, secure _s version, the call would trigger the "fail" branch when it succeeds... No big deal, I'll come back later and try to change the instructions there, and use the seemingly-equivalent _fsopen function if there's enough bytes to work with, else just correct for old fopen (no biggie).

    It looks like this part is involved in creating a meta.xml file for something?? Anyone know anything about that, or seen a file created with that name? Google didn't find anything... Maybe it has something to do with the added "Local Telemetry" feature?

    I'll be back when I have more -- meaning a fully fixed-up EMET.dll you can download to replace the installed one. :) I'm just in the process of getting ready to move my server too, but shouldn't make much difference...


    P.S. There's a good reason why OpenEMET wasn't available months ago :( (5's changes are a small part for refactoring), but now I really want it done!! Would still be anyway, but disappointing if XP couldn't use 5.1 (though it'll work with any version back to... 5? 4? Prob not 3).
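    The return-convention mismatch described in the post above, written out as an added C example (this is not code from the post, from OpenEMET, or from EMET.dll itself): fopen_s returns an errno_t, 0 on success, while plain fopen returns a FILE*, non-NULL on success. A call site compiled against fopen_s that only has its import name renamed therefore branches the wrong way. The shim fopen_s_compat and the two branch-model functions are hypothetical names written for this example; the model deliberately covers only the return-value inversion the post describes and ignores that the two functions also take different argument lists (fopen_s takes the FILE** first). The sample paths are constructed for a POSIX host.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Portable stand-in for the fopen_s return contract (assumption: only the
 * contract matters here, not the CRT's internals): return 0 and store the
 * stream on success, or a non-zero errno value and store NULL on failure.
 * A call site written against fopen_s expects exactly this. */
int fopen_s_compat(FILE **pFile, const char *path, const char *mode)
{
    if (pFile == NULL || path == NULL || mode == NULL) {
        if (pFile != NULL) {
            *pFile = NULL;
        }
        return EINVAL;
    }
    errno = 0;
    *pFile = fopen(path, mode);
    if (*pFile == NULL) {
        return errno != 0 ? errno : EIO;
    }
    return 0;
}

/* Hypothetical model of the call site after only the import name is changed
 * from fopen_s to fopen while the instructions around the call stay as they
 * were: the return value is still compared with zero as if it were an errno_t,
 * so a successful fopen (non-NULL FILE*) takes the "fail" branch and a failed
 * fopen (NULL) looks like success. Returns 1 when the "fail" branch is taken. */
int renamed_import_takes_fail_branch(const char *path, const char *mode)
{
    FILE *f = fopen(path, mode);
    int fail_branch = (f != NULL);      /* original test: "ret != 0" means fail */
    if (f != NULL) {
        fclose(f);
    }
    return fail_branch;
}

/* The same call site once the return convention is corrected: 0 is success. */
int corrected_takes_fail_branch(const char *path, const char *mode)
{
    FILE *f = NULL;
    int ret = fopen_s_compat(&f, path, mode);
    if (f != NULL) {
        fclose(f);
    }
    return ret != 0;
}

int main(void)
{
    /* Constructed inputs: a path that exists on any POSIX host and one that does not. */
    const char *exists = "/dev/null";
    const char *missing = "/nonexistent-dir-for-this-example/missing.txt";

    printf("renamed import, existing file: fail branch = %d (wrong: success treated as failure)\n",
           renamed_import_takes_fail_branch(exists, "r"));
    printf("renamed import, missing file:  fail branch = %d (wrong: failure treated as success)\n",
           renamed_import_takes_fail_branch(missing, "r"));
    printf("corrected, existing file:      fail branch = %d\n",
           corrected_takes_fail_branch(exists, "r"));
    printf("corrected, missing file:       fail branch = %d\n",
           corrected_takes_fail_branch(missing, "r"));
    return 0;
}
```

    Compile with any C99 compiler and run it; the first two lines show the inverted branch the post anticipates, the last two show the behaviour once the return value is interpreted as an errno_t again, which is what a follow-up patch of the surrounding instructions has to restore.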
     