EMET (Enhanced Mitigation Experience Toolkit)

Discussion in 'other anti-malware software' started by luciddream, Apr 1, 2013.

  1. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,545
    Looks like the problem is the Windows binaries don't even support the mitigation techniques, so adding it to EMET would be pointless wouldn't it? Or am I not understanding the situation? I only read like two posts.
     
  2. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Where did you read EMET doesn't support Windows executables? It does for the most part but there are no guarantees that all work for all mitigations without issue; just like any app added to EMET. About the only one I know of that is not recommended to be added is explorer.exe. Note that there could be adverse system performance issues with adding some Windows files to EMET.
     
  3. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,868
    Location:
    Outer space
    That's what EMET is for, forcing mitigations on applications that don't support them. OpenVPN seems to have some problem supporting them with their compiler and it looks like there might be compatibility problems with DEP.
    I added openvpn.exe, openvpn-gui.exe and openvpnserv.exe to EMET with all mitigations enabled and haven't noticed any problems so far.
     
  4. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,868
    Location:
    Outer space
  5. ropchain

    ropchain Registered Member

    Joined:
    Mar 26, 2015
    Posts:
    335
    TL;DR: He used syscalls to bypass the hooks. (Syscalls have already been used back in 2012 to bypass EMET: https://repret.wordpress.com/2012/08/08/bypassing-emet-3-5s-rop-mitigations/)
    The usage of syscalls is a known limitation of EMET. And Microsoft can't do much about it unless they use kernel mode hooks.

    How does this relate to a real world exploit?
    You still have to bypass EAF+ and this requires some additional work. (Unless you can use an EMET disarm of course)
     
    Last edited: Jun 10, 2015
  6. rm22

    rm22 Registered Member

    Joined:
    Oct 26, 2014
    Posts:
    357
    Location:
    Canada
    EMET or MBAE-free with Chrome, yes or no? I was reading through some info on Chrome & there was a statement that EMET is not recommended since Chrome's built-in anti-exploit mitigations meet or exceed those of EMET (can't find a link now). I don't currently have EMET protecting Chrome - what are others doing and why?

    Also I've seen a few sigs with MBAE-free for browsers and EMET for everything else. Why bother with MBAE-free? Is it providing more protection than EMET?
     
    Last edited: Jun 11, 2015
  7. ropchain

    ropchain Registered Member

    Joined:
    Mar 26, 2015
    Posts:
    335
    Exploiting 64-bit Google Chrome is more likely harder than any other browser. Furthermore, no one has ever captured a Chrome zero-day that was exploited in the wild.
    Does this mean that EMET is useless? Well, at least it is unlikely that exploit kits would be able to exploit a 64-bit version of Google Chrome.

    As a side note: EMET does not offer full protection on 64-bit processes and it might cause a greater slowdown compared to MBAE and HMPA.
     
  8. rm22

    rm22 Registered Member

    Joined:
    Oct 26, 2014
    Posts:
    357
    Location:
    Canada
    Thanks for the reply - sooo for you is that a Yah or Nah for EMET/MBAE with Chrome :)

    OK - and MBAE does offer full protection on 64-bit processes? And if so, I assume it would then offer better protection for Waterfox (64-bit Firefox), my main browser.
     
  9. ropchain

    ropchain Registered Member

    Joined:
    Mar 26, 2015
    Posts:
    335
    I do not know whether Waterfox is protected by the free version of MBAE.
     
  10. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    I believe this is what you were referring to: https://www.chromium.org/Home/chromium-security/chromium-and-emet

    There was a point in time where the EAF+ mitigation was causing performance issues for some users of Chrome and I believe Firefox as well. I experienced those performance issues as well at the time and had to disable the EAF+ mitigation. But after a release or two of EMET, the performance issues settled down and I do not experience it currently and I keep EAF+ enabled. However, some users still report performance issues with EAF+.

    I can't speak for everyone who chose to combine MBAE Free (browsers only) with EMET (all other programs) so I can only speculate. There are probably a few factors. One of the reasons could be that MBAE doesn't have the same performance issues that EMET has with regard to EAF+. Another reason, I believe, is that MBAE has some additional layers of protection that EMET does not have. And one of the more likely reasons would also be because MBAE is very simplistic and "set it and forget it" type of program so there is not as much hassle with configuration as compared to EMET. But everyone has their own reasons and preferences and I believe you would be quite safe whether you go with that combination or if you went with any one of MBAE Free, EMET, or HMPA individually. That's the beauty of choice.

    Personally, I am all EMET all the way. I have tried the combination (MBAE Free with EMET) as well for a period of time, but I much preferred the more granular control of EMET.

    This is actually a pretty important question but I do not have an answer on this. I think that you should ask this particular question in the MBAE thread to find out specifically how MBAE compares to EMET with regard to 64-bit processes. This is just a guess on my part, but I believe that EMET, MBAE, and HMPA may have some limitations with 64-bit processes, although each program may have some advantages over the other in certain areas. It's difficult to find a comparison though because not all of them provide all of the 'under the hood' details.
     
  11. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,207
    The latest EMET seems to work fine for me too. I am not sure if it has anything to do with it updating or just Chrome updating. As always I don't like any anti-exploits. So I just run EMET. It used to be so hard to post here with Chrome, now it is somewhat better.
     
  12. rm22

    rm22 Registered Member

    Joined:
    Oct 26, 2014
    Posts:
    357
    Location:
    Canada
    Thanks for the feedback all - I think I'll just try adding Chrome to EMET and see how it goes
     
  13. ropchain

    ropchain Registered Member

    Joined:
    Mar 26, 2015
    Posts:
    335
    I will tell you a secret: EMET is also an anti-exploit tool.
    Most of the mitigations present in EMET are also present in MBAE and HMPA.
     
  14. Ro4dRuNn3r

    Ro4dRuNn3r Guest

    Hi Guys,
    I am new to EMET. Is there a site or something else where I can find some more information about setting EMET up right?

    Oh, and Adguard with EMET seems to cause a Problem with some sites?!?

    Thanks. :)
     
    Last edited by a moderator: Jun 16, 2015
  15. Emetic

    Emetic Registered Member

    Joined:
    Oct 4, 2011
    Posts:
    73

    I always found Rationally Paranoid a great resource. But I'm a little out of the loop and I guess things have moved on a bit. This is for EMET 3 - probably worth having a look at all the same:

    http://www.rationallyparanoid.com/articles/microsoft-emet-3.html


    I'm just in the middle of building a new Win7 box as a Digital Audio Workstation. I'd also like to ask the same kind of question: Is there a good resource somewhere for setting up the latest version of this?

    I know that Dedoimedo does great tutorials on it as well.

    This is for EMET 4:
    http://www.dedoimedo.com/computers/windows-emet-v4.html

    And this is for EMET 5:
    http://www.dedoimedo.com/computers/windows-emet-v5.html


    I think between getting a bit of background from Rationally Paranoid, and seeing what Dedoimedo has to say on the subject, well, that would be a good place for anyone to start. I'm going to go back and learn it all again. I have EMET 2 on this win7 box I'm typing on now.


    It's just that if anyone could give any other tips, that would be great. Of course I will go back and read the whole thread, but that takes time. A little nudge in the right direction is always appreciated.


    cheers.
     
  16. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    I use EMET together with Adguard and everything works smoothly, even with SSL filtering.
     
  17. Ro4dRuNn3r

    Ro4dRuNn3r Guest

    Oh Boy, lot of stuff to read. Thank you! :)

    Hmm, so you don't get any Certificate failure notifications?
     
  18. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    No cert failures as of yet, no. Which browser do you use? I use Chrome regularly and it works very well. But with Firefox, there were some issues specific to Adguard and I had to follow some additional steps. If it's Firefox that you are having issues with, let me know and I can try to help point you in the right direction to resolve the issues.
     
  19. Ro4dRuNn3r

    Ro4dRuNn3r Guest

    Internet Explorer, all time favourite browser. :rolleyes:

    zertifikat2.PNG
     
    Last edited by a moderator: Jun 17, 2015
  20. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    I just set up a rule for www.outlook.com and pinned it to MSLiveCA. Worked fine for me using EMET 5.2 and IE10 on WIN 7 SP1. I then changed it to outlook.com and it also worked fine.

    Perhaps your MSLiveCA cert. list got corrupted somehow? The root cert. it needs is VeriSign - G5; begins with 18DAD19 .............. Also do you have problems on other EMET pinned web sites? Finally, that VeriSign cert. needs to be in your Windows root CA store?
     
  21. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    I think the problem that Ro4dRuNn3r is having must relate to how Adguard acts as MITM for SSL traffic and uses Adguard's built-in root cert in place of the cert for the sites and is somehow conflicting with EMET cert trust pinning.

    But unfortunately I cannot reproduce this on my machine even though I am using Adguard's SSL filtering as well. I would suggest asking in the Adguard thread and developer avatar will help.
     
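    A way to check for the interception described in the post above, as an added example that is not from the thread: build the certificate chain Windows sees for a site and compare its root against the root you expect, so a local SSL filter (Adguard, an AV's SSL scanner) substituting its own root shows up before you blame the EMET pin. The host name and the expected root thumbprint are assumed parameters; the thumbprint is a placeholder to fill in from the genuine root certificate.

```powershell
# Added example, not code from the thread or from EMET/Adguard.
# Shows the chain presented for a host as this machine validates it, and warns
# when the chain root is not the one expected (typical of local TLS interception).
param(
    [string]$HostName = "outlook.com",            # site from the thread
    [string]$ExpectedRootThumbprint = ""          # PLACEHOLDER: SHA-1 thumbprint of the genuine root CA
)

# Accept any server certificate during the handshake: the point is to inspect the
# chain, not to abort before seeing it.
$acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }

$client = New-Object System.Net.Sockets.TcpClient($HostName, 443)
try {
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
    $ssl.AuthenticateAsClient($HostName)          # sends SNI for $HostName
    $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
} finally {
    $client.Close()
}

# Build the chain with the local store, so a locally installed interception root
# (the kind an SSL-filtering proxy adds) appears as the chain root.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
[void]$chain.Build($leaf)

$chain.ChainElements | ForEach-Object {
    "{0}`n    thumbprint {1}" -f $_.Certificate.Subject, $_.Certificate.Thumbprint
}

$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
if ($ExpectedRootThumbprint -and ($root.Thumbprint -ne $ExpectedRootThumbprint)) {
    Write-Warning "Chain root is '$($root.Subject)', not the expected root: local TLS interception is likely, and an EMET pin for this site will fail."
}
```

    If the root printed is the SSL filter's own CA rather than a public root, the EMET pinning failure is expected behaviour and the fix belongs on the filtering side (exclude the pinned site from SSL filtering) rather than in EMET.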
  22. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    That would also apply to any AV product that does SSL protocol filtering and/or has it enabled; Kaspersky, Avast, Eset.

    I am surprised anyone is still using Adguard since they were listed among the "hall of shame" perpetrators in the Superfish debacle.
     
    Last edited: Jun 18, 2015
  23. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    I am very hesitant when it comes to filtering SSL. I've enjoyed using Adguard for a few months now, but only decided to try filtering SSL the past few days for testing filtering of encrypted advertisements in Windows 10 apps. I am still hesitant regarding SSL filtering in normal use. Personally, I am just trying to keep an open mind at the moment since over the next few years a lot of the major ad services are switching over to HTTPS.

    That being said, I don't recall Adguard being mentioned throughout that Superfish debacle and followed the details of that closely. It wasn't named on the CERT page (http://www.kb.cert.org/vuls/id/529496). I did a quick Google search for "superfish adguard" but did not find much, although I did find a response from the developer here (http://forum.adguard.com/showthread...ps-implementation-similar-to-Lenovo-Superfish).
    But if you have something to reference on Adguard being affected by Superfish, I am always open to being corrected. Or we could bring this up in the Adguard thread here at Wilder's and see if we can get more details. I just don't want to steer this EMET thread off course. Cheers! :)
     
  24. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    I was thinking about Lavasoft's Ad-aware. So I retracted my previous statement about Adguard.

    Personally since the major AV's can't get SSL protocol scanning right, I have doubts Adguard would. Only way to know for sure is to test it in this area.
     
  25. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    This concern, I agree with you 100%.

    Speaking of EMET, I hope that we will see another point release or major release sometime soon. It will be interesting to see what other mitigations they may implement specifically with regard to the upcoming Windows 10. There's a lot of security stuff going on within Windows 10, but I hope to see more from EMET and see if they can push the pace of anti-exploit software in general.
     