EMET (Enhanced Mitigation Experience Toolkit)

Discussion in 'other anti-malware software' started by luciddream, Apr 1, 2013.

  1. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,343
    Location:
    Italy
    Hi DR_LaRRY_PEpPeR.
    Gerardo di Giacomo does not recommend the use of EMET 5.X on XP:
     
  2. DR_LaRRY_PEpPeR

    DR_LaRRY_PEpPeR Registered Member

    Joined:
    Oct 11, 2012
    Posts:
    141
    Location:
    St. Louis area
    Who? Where? Why??
     
  3. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,210
    Location:
    Among the gum trees
    https://www.winhelp.us/microsoft-emet.html

    EMET version 5.1 works in Windows XP (Service Pack 3 required; not officially supported, but it works well), Vista (Service Pack 2 required), 7 (Service Pack 1 required), 8 and 8.1; and Windows Server 2003 and 2003 R2 (Service Pack 1 required), 2008, 2008 R2, 2012 and 2012 R2. Both 32-bit and 64-bit editions are supported.
     
  4. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,343
    Location:
    Italy
    http://www.ilsoftware.it/forum/viewtopic.php?f=32&t=87765&start=960

     
  5. DR_LaRRY_PEpPeR

    DR_LaRRY_PEpPeR Registered Member

    Joined:
    Oct 11, 2012
    Posts:
    141
    Location:
    St. Louis area
    Yeah, I've seen that site (while ago) and forgot to comment... :)

    Not "supported" (meaningless) != not recommended. I want to see what Sampei is referring to!

    And about that EMET page, that guy is obviously an IDIOT, since it certainly does NOT work (until I changed it), much less "work well!" :rolleyes:

    I'll try to change the 64-bit DLL also (didn't disassemble yet) since it's broken on 64-bit XP.
     
  6. DR_LaRRY_PEpPeR

    DR_LaRRY_PEpPeR Registered Member

    Joined:
    Oct 11, 2012
    Posts:
    141
    Location:
    St. Louis area
    Thanks Sampei. :) Definitely not a strong enough statement for me (and it's from MS/EMET guy).

    I vote for going with EMET 5.x on XP (as long as we can work it somehow) since this statement from him carries much more weight (referring to your winhelp.us link): "Nothing to add to what is in the article: EMET 5.x is not officially supported on XP but it works."


    I really don't see why the OS version makes much difference, anyway... (Ignoring silly loader issues like fopen_s.) A given program is going to be running basically the same code (not counting OS DLLs), with the same vulnerabilities, and a given version of EMET should have about the same effect. Its mitigations are self-contained/-implemented and not really dependent on the OS, right?

    I'm really curious to see how it runs now. :eek:
     
  7. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    For what it's worth, I've got back into testing of protecting the Flash Player plugin executable with EMET while running under Firefox. I'm using the latest Flash, latest Firefox, latest EMET with Maximum setting and default mitigation settings set for FlashPlayerPlugin_16_0_0_257.exe. I remember a few months back some of us were discussing this and some users were having crashes. I've been pounding this Flash plugin process with YouTube videos and everything else I could find to test it through Firefox for 3 days now. I can also confirm that the EMET dll is properly injected into the Medium integrity Flash process as well as the Low integrity Flash process. No problems whatsoever. Now I suppose it all comes down to whether or not it makes a difference for Firefox/Flash related exploits. It's hard to say because Flash is already running under the plugin_container process and the Flash process is already brokering itself. So it is probably already well protected by default EMET settings anyway without the need to add the Flash process to EMET. But I figured that I should mention that it is working great anyway with the latest versions.

    I had been using Chrome only for years but just the past few weeks have been getting back into Firefox more and more. I haven't quite been ready to set it as Default yet but getting close to it. I'm loving the amount of customization available within Firefox. Although I miss the stronger security of Chrome at the moment.
     
  8. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Does EMET 5 have self-protection? I noticed that Zemana's Antilogger injected its .dll into EMET runtime. Does not give me a warm and fuzzy feeling on the self-protection issue.
     
  9. 142395

    142395 Guest

    I don't see the need for self-protection in an anti-exploit program, except for some memory component which, if disabled, can spoil its protection.
    I think the self-protection you're referring to only matters when the system has already been compromised, which is out of scope for this kind of anti-exploit program.
     
  10. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Is this a bug in EMET 5.1 or has the Microsoft catalog update site been hacked? I do know the site is not working correctly. But to trigger an ASR alert ...........?

    Log Name: Application
    Source: EMET
    Date: 1/21/2015 11:25:23 AM
    Event ID: 1
    Task Category: None
    Level: Warning
    Keywords: Classic
    User: N/A
    Computer: xxxxxx
    Description:
    EMET detected ASR mitigation in IEXPLORE.EXE
    ASR check failed:
    Application : C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    User Name : xxxxxx
    Session ID : 1
    PID : 0xA10 (2576)
    TID : 0x1D8 (472)
    Module : scrrun.dll
    Web address : http://catalog.update.microsoft.com/v7/site/home.aspx
    Url zone : Internet
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
    <Provider Name="EMET" />
    <EventID Qualifiers="0">1</EventID>
    <Level>3</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2015-01-21T16:25:23.000000000Z" />
    <EventRecordID>90601</EventRecordID>
    <Channel>Application</Channel>
    <Computer>xxxxxx</Computer>
    <Security />
    </System>
    <EventData>
    <Data>EMET detected ASR mitigation in IEXPLORE.EXE
    ASR check failed:
    Application : C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    User Name : xxxxxxx
    Session ID : 1
    PID : 0xA10 (2576)
    TID : 0x1D8 (472)
    Module : scrrun.dll
    Web address : http://catalog.update.microsoft.com/v7/site/home.aspx
    Url zone : Internet
    </Data>
    </EventData>
    </Event>
     
  11. 142395

    142395 Guest

    No, the ASR warning is not about exploit detection; it just indicates that the site tried to invoke scrrun.dll, which must be in your IE's ASR setting. ASR doesn't distinguish whether it is by exploit or not. An easy workaround is to add this site to the trusted zone if you haven't changed the ASR setting. If you encounter too many ASR alerts for scrrun.dll on other sites too, it might be better to remove this entry from your ASR setting.
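    The explanation above (and itman's log entry) can be turned into a small triage routine. The following is an added example, not code from the thread or from EMET: it parses the "Key : Value" text EMET writes into the Application event log and classifies an ASR hit as a policy event (module on the per-zone ASR list) rather than an exploit detection, pointing at the two remedies named in the reply. The sample event is constructed to mirror the posted one; the trusted-host list is an assumption standing in for the IE "Trusted sites" zone.

```python
"""Parse an EMET 5.x event-log description and triage ASR hits."""
import re
from urllib.parse import urlsplit

# Constructed sample in the same shape as the Event Log description in the thread.
SAMPLE_EVENT = r"""EMET detected ASR mitigation in IEXPLORE.EXE
ASR check failed:
Application : C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
User Name : someuser
Session ID : 1
PID : 0xA10 (2576)
TID : 0x1D8 (472)
Module : scrrun.dll
Web address : http://catalog.update.microsoft.com/v7/site/home.aspx
Url zone : Internet
"""

# First line of every EMET mitigation event: "EMET detected <mitigation> mitigation in <process>"
HEADER_RE = re.compile(r"EMET detected (?P<mitigation>\S+) mitigation in (?P<process>\S+)")


def parse_emet_event(text):
    """Return a dict with the mitigation name, process, and every 'Key : Value' field."""
    lines = [line.strip() for line in text.strip().splitlines() if line.strip()]
    match = HEADER_RE.match(lines[0])
    if not match:
        raise ValueError("not an EMET mitigation event: %r" % lines[0])
    event = {"mitigation": match.group("mitigation"), "process": match.group("process")}
    for line in lines[1:]:
        if " : " in line:  # skip lines such as "ASR check failed:"
            key, value = line.split(" : ", 1)
            event[key.strip()] = value.strip()
    return event


def triage(event, trusted_hosts=()):
    """ASR hits are policy events, not exploit detections; anything else deserves a look."""
    if event["mitigation"] != "ASR":
        return "memory-mitigation: %s in %s, investigate as a possible exploit attempt" % (
            event["mitigation"], event["process"])
    module = event.get("Module", "?")
    host = urlsplit(event.get("Web address", "")).hostname or ""
    # Assumption: trusted_hosts models the sites placed in IE's Trusted zone.
    if host in trusted_hosts or event.get("Url zone") == "Trusted":
        return "asr-policy: site already trusted; remove %s from the ASR list if alerts persist" % module
    return "asr-policy: %s loaded by %s from %s (%s zone); add the site to the Trusted zone or drop the module from the ASR list" % (
        module, event["process"], host, event.get("Url zone", "?"))
```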
     
  12. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Thanks for the reply.

    According to this: https://social.technet.microsoft.co...component-microsoft-script-runtime?forum=emet, it is a bug in EMET 5.0 and was supposed to be fixed in release 5.1. Appears that hasn't been the case. :thumbd: Although in my case, I wasn't viewing run without permissions add-ons but actually accessing the web site.
     
    Last edited: Jan 21, 2015
  13. DR_LaRRY_PEpPeR

    DR_LaRRY_PEpPeR Registered Member

    Joined:
    Oct 11, 2012
    Posts:
    141
    Location:
    St. Louis area
    Yeah, I noticed the same thing with IE 6 about 10 days ago -- first I thought the Update Catalog no longer worked with XP or something. :eek: But I don't know what there is to "fix" with it, other than removing scrrun.dll from the ASR list? You can already do that yourself. :) I just added the site to "Trusted sites" zone like Yuki said, since it's a default ASR Exception...


    Sorry never got back here with my XP fix/hack after Christmas! :doubt: After my initial changing of the IAT to remove fopen_s, I didn't get to change the code (simple) so it wouldn't call fopen like fopen_s (like I said, I don't know when that code is run anyway...) until New Years. Didn't feel like working on it in the Santa suit! :isay: (No, I was occupied with server stuff. :blink:)

    Anyway, I've been running 5.1 on XP for over 2 weeks now, and all seems fine with the same stuff: IE 6, OE, old Firefox still (22), Flash/plugin-container, PDF-XChange, Explorer, spoolsv, lsass, etc. A couple of differences (again, nothing to do with XP AFAIK, since it shouldn't make a difference): I was getting Firefox freezes at first, which seems to have been caused by SEHOP (not enabled by default, but it was in EMET 4.x and ran OK). Otherwise this seems better than 5.0, since that was crashing my IE 6, at least when I manually used its EMET.dll with my 4.x install. And also EMET Agent never actually notifies about anything with the Tray Icon?? Is that typical...? XP problem?

    Also, unlike what I saw reported here, it does NOT fully work with Sandboxie with its current settings Template. Yeah, EMET GUI can show that EMET is running in sandboxed processes, but nothing goes to the Event Log unless you add:

    OpenPipePath=\Device\NamedPipe\EMET_*

    That's for \EMET_Service and \EMET_Agent_n

    I don't think there's anything else to do, but I'll get back here later and post the DLLs for XP -- I thought I still had to change the 64-bit version, but it's already done too (untested). BTW, plain old fopen had to be used instead of _fsopen since we're 1 byte short on the 32-bit EMET.dll and a couple/few bytes short on EMET64 to pass the additional parameter. :'(
     
  14. DR_LaRRY_PEpPeR

    DR_LaRRY_PEpPeR Registered Member

    Joined:
    Oct 11, 2012
    Posts:
    141
    Location:
    St. Louis area
    Definitely not gone with my old Firefox (22) and Flash (11.8). I've kept versions the same primarily for monitoring this behavior -- guess I'll upgrade soon, but not holding my breath for any changes since it's obviously caused by Sandboxie!

    Exactly as always: after almost 5 days of the sandbox being active, constant HeapSpray crashes start with Firefox and plugin-container! All fine once HeapSpray is unticked.

    Absolutely no effort to even attempt to solve it (or even look into it) from Invincea (like tzuk). There's been a few longstanding Sandboxie bugs (still have a major HANDLE leak, ignored), and whatever this is seems to corrupt something over time. I've done nearly 100% of the work telling them everything with previous bugs, and said I'm willing and able to do whatever to investigate the EMET problem more, but I'm not sure what to do without some guidance...
     
  15. wolfrun

    wolfrun Registered Member

    Joined:
    Jul 26, 2009
    Posts:
    700
    Location:
    North America
    Good to see you replying again Dr.. I have since moved on from using EMET with Sandboxie as I don't think there is going to be a solution to that particular ongoing problem. I know that you have been trying to help solve it for a number of years as I have been following your posts in the Sandboxie forum. In the meantime will be keeping an eye out for your posts regarding the matter. :thumb:
     
  16. 142395

    142395 Guest

    What itman reported is not the bug. The bug is that when you navigate to the add-on manager, ASR alerted with a popup. This was unintended behavior and seems to be fixed.
     
  17. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
  18. ance

    ance formerly: fmon

    Joined:
    May 5, 2013
    Posts:
    1,360
    Does EMET protect against the latest Adobe Flash vulnerability? o_O
     
  19. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Yes, it protects out of the box with default profile settings. You don't even need to specifically add the Flash executable.

    EDIT: Although that is true only if the latest Flash exploit is based on (or similar to) the prior exploit which I believe it is. Kafeine had tested that one and EMET blocked it.
     
  20. ance

    ance formerly: fmon

    Joined:
    May 5, 2013
    Posts:
    1,360
    Very nice, thank you.
     
  21. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    User trparky (Tom) over at DSLReports Forums has created a program (along with source code for review) which automatically adds all Flash executables to EMET and removes older versions of Flash from EMET as well.

    Post link: DSLReports
    Blog with Download links: Add Adobe Flash to Microsoft EMET


    With the fast rate that these Flash updates are coming out lately due to exploits, this tool can certainly be handy for those of us who wish to add Flash plugin executables to EMET. This is an option instead of adding/removing manually with each update.

    All credit goes to Tom in the links above in the quoted forum post.
     
    Last edited: Feb 5, 2015
  22. guest

    guest Guest

    Flash player should be protected automatically when you're running IE or Firefox. (One of the recent 0days was also blocked by EMET.)
     
  23. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Thank you, regenpijp. I respect your opinion and I appreciate your time in replying. I recall seeing Kafeine's blog as well showing EMET blocking one of those recent Flash exploits using default profile settings for EMET which was great news and very reassuring as well.

    I know that there are some users who think that EMET injecting its .DLL into firefox.exe and plugin-container.exe should therefore also protect the Flash plugin executable running under the plugin-container.exe process. Also, I know that there are also users who think that adding the individual Flash plugin executable in EMET (may) be worthwhile as well, because this method allows EMET to inject the .DLL within the Flash plugin executable as well, which doesn't occur when only firefox.exe and plugin-container.exe are injected.

    I think the reality is that we just don't know if it is necessary or not and it is more precautionary than anything. I guess there is so much variability in exploits in how they could enter the system, whether it's targeting through the Flash plugin executable, or through a firefox.exe exploit initially, or other methods. In a way, it's more about protecting from the unknown and being prepared for anything unexpected.

    Although I think a lot of us would love to hear from a security expert who fully understands the Firefox plugin system and the way in which it interacts with the Flash plugin and how exploits could potentially be successful in that regard. That would help clear up the air. Speaking on that point, I do recall one developer on Wilders recently stating that Flash plugin executable does need to be added to EMET to be protected. But other developers could certainly have different opinions. EDIT: I found one of the posts: https://www.wilderssecurity.com/thre...xperience-toolkit.344631/page-38#post-2435073

    Cheers! :)
     
    Last edited: Feb 5, 2015
  24. guest

    guest Guest

    I will prepare some PoC code to see whether Flash under Firefox is protected or not.
     
  25. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    I use the full version of FlashPlayer; not the plug-in under IE10. Below is what I protect. The only file names that change for each release are the ActiveX files. Just delete the old ones, save (OK), and close EMET. Reopen EMET and add the two new ActiveX files. Takes 30 secs. max.

    EMET_Flash.png
     