Emet 2.1 + Sandboxie, Software Updaters

Discussion in 'other anti-malware software' started by enemyofarsenic, Jul 29, 2011.

Thread Status:
Not open for further replies.
  1. enemyofarsenic

    enemyofarsenic Registered Member

    Joined:
    Jun 18, 2011
    Posts:
    63
    Do you guys add Sandboxie and Software Updaters under Emet? Is it advisable to do so? Thanks.
     
  2. chris1341

    chris1341 Guest

    EMET helps protect against some known and potentially unknown exploits. I am unaware of Sandboxie exploits that EMET would prevent and would be wary of restricting one security related app with another as the potential for conflict is always high. Sandboxie comes with an EMET template for running apps protected by EMET in the sandbox anyway so if what is running in the sandbox is under EMET why would Sandboxie need to be?

    Again, some software updaters may be exploited or exploitable (?). Not sure but I do know some apps, JAVA for example, won't update under some EMET restrictions. Others may have tried one or more who can advise but if you feel the need to it may be trial and error.

    Cheers
     
  3. enemyofarsenic

    enemyofarsenic Registered Member

    Joined:
    Jun 18, 2011
    Posts:
    63
    Software Updaters like Filehippo Update Checker, SUmo, Secunia PSI etc.
     
  4. chris1341

    chris1341 Guest

    Ah, I see - understood.

    I think the same logic applies though. These update checker type apps help prevent exploits by keeping your software up to date but I'm not aware of these apps themselves being exploited or even being used by other exploits. I don't suppose adding them under EMET would prevent them working though so if you are super paranoid I suppose........

    This article on rationally paranoid might help when deciding what to add http://rationallyparanoid.com/articles/microsoft-emet-2.html

    Cheers
     
  5. enemyofarsenic

    enemyofarsenic Registered Member

    Joined:
    Jun 18, 2011
    Posts:
    63
  6. 1PW

    1PW Registered Member

    Joined:
    Apr 2, 2010
    Posts:
    701
    Location:
    North of the 38th parallel.
    'twas a truly excellent question. I suppose we can still apply a rule-of-thumb that if the executable makes your system look outwards, (towards the Internet) it deserves an EMET shim.

    Keep thinking like that! Good stuff! :)
     
  7. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Any application that connects to the internet deserves an EMET.dll =p
     
  8. subhrobhandari

    subhrobhandari Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    708
    I do. I have Sandboxie, Adobe Updaters, MS Updaters and Secunia added under EMET since 2.0, And I never noticed any problems so far. Just remember to check the EMET in "Software Compatibility" in SBIE. Also I did get the same results in Win 7 but that was couple of months ago, so I dont really know if there are any changes since then.

    Except Skype.
     
  9. chris1341

    chris1341 Guest

    Not suggesting you're wrong, just wondering why?

    I was under the impression that EMET protected against exploits, usually they will be browser based attacks that exploit vulnerable apps like outdated Java, Adobe etc that the browser calls as part of its normal behavior and uses the vulnerable program to download and run other attacks.

    How is an exploit getting to the other apps you suggest running under EMET or is it just a 'belt and braces' approach to cover all, however unlikely, scenarios?

    Thanks
     
  10. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    If your application connects to a server and that server is compromised your application is compromised. Anything that connects to the internet is a vulnerability.

    Is it a big deal? Nope.
    Does it hurt? Nope.
     
  11. chris1341

    chris1341 Guest

    Thanks. No issues, just curious.

    EMET gives more cover than I thought then but it makes me curious as to what mechanism implemented by EMET protects against a compromised server feeding malicious instructions to a protected app. I thought it was looking after the protected apps memory not what was being fed to it externally (one can effect the other of course, but....). I'm not very good with 'it just does' I'm afraid I need to know how it works before using it. I thought I did understand EMET and that it was about protecting from (in particular and mainly) browser attacks delivered via scripts etc triggering vulnerable apps to a malicious effect - obviously not!

    Any info you could give on this would be appreciated.

    Thanks.
     
  12. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    EMET forces applications to implement certain security methods such as randomizing where the applications are in memory.

    Of course, nothing is ever random and all of the methods implemented can be programatically avoided, but it WILL defeat many attacks on your programs.

    EMET works with two methods:

    1) System wide settings. These will change how programs run on a system wide level. This includes DEP, ASLER, and SEHOP.

    2) EMET.dll injection. This lets EMET inject the EMET.dll into specific applications of your choosing and it then forces them to run with specific security methods of your choosing.

    Certain methods are not supported by all applications natively but when you force them to use them they will run just fine. Other applications however may not play so nicely with EMET and can break.

    If you want a "safe" setting you can leave the system wide settings alone and only force applications that are known to work. Many people do just fine with the Maximum Security settings though.
     
  13. chris1341

    chris1341 Guest

    Thanks again, I understood that but I'm still not joining the dots. I don't see how what it protects against means it needs to be applied to or it is even beneficial to use for anything that connects out. Anyway ...... l'll do what I should've done and do some more research.

    Maybe just a different take on things, its allowed!

    Cheers
     
  14. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Well let's say you have Flash running EMET and you visit a site that launches Flash and tries to exploit it. If this vulnerability doesn't take the security methods that EMET implements into account than EMET will prevent the exploit.
     
  15. chris1341

    chris1341 Guest

    Absolutely and I've seen it work well for that but I guess I'm struggling to see what's vulnerable about software updaters or why other programs not known to be exploited should require EMET protection just because they connect out.

    I use EMET at maximum by the way but as you will gather don't add all apps/exe's etc that connect out :)

    Maybe just a different take on the same issue. I think you are saying why not use EMET for these things as it can't hurt and may help, I'm just saying why use it if it is not required.

    Cheers
     
  16. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    I see. Well there isn't really much reason to except that it's possible that you could have a local attack on your computer or an update server could be compromised or something like that. It's unlikely in my opinion but there's no real downside to it.

    Basically, as you said, I'm just saying it CAN help and it won't hurt.
     
  17. Zorak

    Zorak Registered Member

    Joined:
    Jan 2, 2010
    Posts:
    149
    Location:
    Australian Capital Territory
    While researching this myself, I came across a discussion in the Secunia forum. http://secunia.com/community/forum/thread/show/6721/emet_observations_questions

    Please note the 7th post by ddmarshall, which includes the following quote:

    If this guy knows what he's talking about (he probably at least knows more than I do!!) then his opinion may be useful to this discussion.
     
  18. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Well, sure.

    For example a program that only connects to the internet to get updates from a known trusted server is not a huge threat.

    Something like Java, which connects to all sorts of different websites is at a much bigger risk.
     
  19. JimboW

    JimboW Registered Member

    Joined:
    Oct 22, 2010
    Posts:
    209
    I have EMET running at maximum settings with all internet facing apps configured aswell. I’ve only had a couple of old poorly coded programs that wouldn’t run with EMET which I have since got rid of.

    This is the great thing about EMET. I’ve seen a lot of malware that is also poorly coded and EMET breaks it immediatly on execution. A good additional layer, especially on Win7 that uses zero resources.
     
  20. 1PW

    1PW Registered Member

    Joined:
    Apr 2, 2010
    Posts:
    701
    Location:
    North of the 38th parallel.
    +1

    Do remember that simple Internet looking application updates probably wouldn't require any changes to EMET's database, however something like the new Java JRE 7 may get overlooked because of it pathname change.

    HTH :)
     
  21. enemyofarsenic

    enemyofarsenic Registered Member

    Joined:
    Jun 18, 2011
    Posts:
    63
    What's the change? Please do share :)
     
  22. 1PW

    1PW Registered Member

    Joined:
    Apr 2, 2010
    Posts:
    701
    Location:
    North of the 38th parallel.
    On a XP system:

    C:\Program Files\Java\jre7\bin\java.exe

    and not

    C:\Program Files\Java\jre6\bin\java.exe

    The the real point being that a major update might (create a new) alter the pathname. Hence, EMET might have obsolete information ergo no EMET protection, unless properly re-established.

    HTH :)
     
  23. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Yes I just recently cleaned out my EMET list and reentered all of the applications I wanted.
     
  24. JimboW

    JimboW Registered Member

    Joined:
    Oct 22, 2010
    Posts:
    209
    Yep, had to re-add Java due to the pathname change. Also, don't forget to add Java from the System32 folder.
     
  25. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    What exactly do you mean?
     
Loading...
Thread Status:
Not open for further replies.