EMET (Enhanced Mitigation Experience Toolkit)

trparky here, the same trparky that WildByDesign introduced.

Anyways, the program I wrote scans the registry to remove obsolete files from EMET and then scans for Flash-related executable files (FlashPlayerApp, FlashUtil, etc.) and adds them to EMET. Simple, easy, and quick to use. What may take several minutes to do by hand can be done by the program in less than ten seconds.

 

I performed some limited testing using an old vulnerability in Flash Player.

Windows XP with Flash Player 12.0.0.44 + EMET 4.1:
- iexplore.exe configured in EMET: blocked (stack pivot)
- plugin-container.exe configured in EMET: blocked (stack pivot)

 

Thank you for taking your time to do these tests and for sharing the results, it's definitely appreciated.

 

What does FlashPlayerApp.exe do? I've never seen it running before while browsing on Flash enabled sites.
EDIT: Just ran it to find out, it is the Flash settings manager, so it seems unnecessary to add it to EMET.

 

The standalone version of Flashplayer uses FlashplayerApp.exe.

-EDIT-

For starters, FlashplayerApp.exe has been historically the prime infection vector for malware. Next, if you use the FlashPlayer control panel to check for updates, this app is what is used. It also spawns your default browser to connect to the Adobe update web site.

 

EMET 5.2 is available

 

Excellent, I was wondering if Control Flow Guard would show up in EMET. This is interesting.

Some CFG details from Trend Micro: http://sjc1-te-ftp.trendmicro.com/assets/wp/exploring-control-flow-guard-in-windows10.pdf
Relevant for Windows 8.1 as well as Windows 10

 

Had to clear "Simulated Execution Flow" check box, in order to be able to open Internet Explorer IE11 (iexplore.exe) which I just updated today.

 

I just installed EMET 5.2 on Windows 7X64 Ultimate to give her a try. I used the recommended settings, and so far I had to remove EAF mitigation from IE, javaw.exe, javaws.exe, and AcroRd32.exe. I manually added Firefox, and I also had to remove EAF mitigation. Is anyone else seeing the same behavior? I wonder if another security product i'm using could be triggering EAF mitigation. Online Armor injects into all these processes. I left the mitigations unchecked that were unchecked by default. The mitigations unchecked by default were mostly EAF +, ASR, and Heapspray as you can see in the screenshot below.

 

I'm going to try adding some of the mitigations unchecked by default with recommended settings, and see what happens.

 

I can no longer run IE11 on 8.1 regardless of settings used...

 

Same here, using IE11, 64bit browser with Enhanced Protective Mode activated. IE just crashes using EMET recommended settings, tried unchecking EAF+, ASLR, no success. Had to uninstall and go back to 5.1 on Windows 8.1. Also NOD32 installed.

 

txs a lot for the report, i've just sent a mail to the support.

 

That was my experience when testing EMET on Windows 7 previously, having to disable EAF for Firefox and possibly a few other programs. Although with Windows 8.x and Windows 10, I haven't had to disable any mitigations. Windows 7 seemed to be a bit picky with EMET and certain programs.

 

Kudos to GreenCat on MS Connect Portal, the culprit is related to certificate trust (pinning).

Disabling this feature, IE 11 (on 8.1) works as expected...

 

Thanks, I'll give it a go.

 

Anyone try EMET 5.2 on WIN 7 x64, IE10, and cert. pinning enabled? Is IE10 also crashing?

 

Martin Brinkmanns review on ghacks...

http://www.ghacks.net/2015/03/13/microsoft-emet-5-2-with-control-flow-guard-now-available/

 

Running great here on WIN 7 x64, SP1 and IE10.

Installed over 5.1. I did export my app and cert. settings from 5.1 and imported them to 5.2. I have protection settings set to maximum i.e. DEP always on. Also EPM set on in IE10. And I do have a number of web sites pinned. Just browsed to one and connected fine.

 

Summing up what has changed is not a review.
If you want to write a review, measure its performance and create a bypass.

 

Running w/Windows 7 Home Premium x64.

Internet Explorer 11 w/All the latest updates. With IE Enhanced Protected Mode enabled. Using the 64bit IE 11.


Using just the one EMET Application rule for IE which applies to both 32bit and 64bit IE executable files. All the Mitigations are set and worked flawlessly using EMET 5.1 and seems to be working flawlessly now with EMET 5.2. However after testing a little then I remove jp2iexp.dll from IE ASR modules list to run java scripts.


In addition; like with EMET 5.1 I also enable all the Mitigations except for the ASR on all the java components.


I thus far never experienced any problems.



Using TorBrowser the Firefox can't be set with 'ROP Simulate Execution Flow', only problem I've encountered thus far.


Kind Regards,
Phant0m``.

 

Can someone post a list or screen shot of 5.2 ASR and EAF modules since I imported my 5.1 rules? Want to check if anything changed. Thanks ...............

 

EAF_modules → mshtml.dll;flash*.ocx;jscript*.dll;vbscript.dll;vgx.dll

ASR_modules → npjpi*.dll;jp2iexp.dll;vgx.dll;msxml4*.dll;wshom.ocx;scrrun.dll;vbscript.dll
ASR_zones → 1;2 (1 = Intranet; 2 = Trusted)

 

This is driving me nuts.

Started with ver. 5.1 and appears to be continuing in 5.2. I guess the first question is does anyone know if there is a limit on the number of new apps that can be added to the popular software profile? What is going on is the GUI at times chops off the top of the display where the 7*** apps start. Sometimes the first, sometimes the first and second, etc.. Other times, I have had one or more apps randomly deleted; again starting at the top 7*** apps. No rhyme or reason to this.

I have added around ten new apps to the profile.

 

I just noticed that Adobe Flash is not listed in the default list of applications being protected by EMET 5.2. Also how is the user suppose to disable EMET 5.2 when they need to update an application like java, or any other application being protected by EMET?

Edited 3/13 @ 8:35: I use Firefox so I will need to add it manually, but I read somewhere that IE11 runs flash player inside it's own process so it does not need to be added. I'm not sure about previous versions of IE.