Emet 2.1 + Sandboxie, Software Updaters

Discussion in 'other anti-malware software' started by enemyofarsenic, Jul 29, 2011.

Thread Status:
Not open for further replies.
  1. enemyofarsenic

    enemyofarsenic Registered Member

    Joined:
    Jun 18, 2011
    Posts:
    85
    Do you guys add Sandboxie and Software Updaters under Emet? Is it advisable to do so? Thanks.
     
  2. chris1341

    chris1341 Guest

    EMET helps protect against some known and potentially unknown exploits. I am unaware of Sandboxie exploits that EMET would prevent and would be wary of restricting one security related app with another as the potential for conflict is always high. Sandboxie comes with an EMET template for running apps protected by EMET in the sandbox anyway so if what is running in the sandbox is under EMET why would Sandboxie need to be?

    Again, some software updaters may be exploited or exploitable (?). Not sure but I do know some apps, JAVA for example, won't update under some EMET restrictions. Others may have tried one or more who can advise but if you feel the need to it may be trial and error.

    Cheers
     
  3. enemyofarsenic

    enemyofarsenic Registered Member

    Joined:
    Jun 18, 2011
    Posts:
    85
    Software Updaters like Filehippo Update Checker, SUmo, Secunia PSI etc.
     
  4. chris1341

    chris1341 Guest

    Ah, I see - understood.

    I think the same logic applies though. These update checker type apps help prevent exploits by keeping your software up to date but I'm not aware of these apps themselves being exploited or even being used by other exploits. I don't suppose adding them under EMET would prevent them working though so if you are super paranoid I suppose........

    This article on rationally paranoid might help when deciding what to add http://rationallyparanoid.com/articles/microsoft-emet-2.html

    Cheers
     
  5. enemyofarsenic

    enemyofarsenic Registered Member

    Joined:
    Jun 18, 2011
    Posts:
    85
  6. 1PW

    1PW Registered Member

    Joined:
    Apr 2, 2010
    Posts:
    1,934
    Location:
    North of the 38th parallel.
    'twas a truly excellent question. I suppose we can still apply a rule-of-thumb that if the executable makes your system look outwards, (towards the Internet) it deserves an EMET shim.

    Keep thinking like that! Good stuff! :)
     
  7. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Any application that connects to the internet deserves an EMET.dll =p
     
  8. subhrobhandari

    subhrobhandari Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    780
    I do. I have Sandboxie, Adobe Updaters, MS Updaters and Secunia added under EMET since 2.0, and I never noticed any problems so far. Just remember to check the EMET in "Software Compatibility" in SBIE. Also I did get the same results in Win 7 but that was a couple of months ago, so I don't really know if there are any changes since then.

    Except Skype.
     
  9. chris1341

    chris1341 Guest

    Not suggesting you're wrong, just wondering why?

    I was under the impression that EMET protected against exploits, usually they will be browser based attacks that exploit vulnerable apps like outdated Java, Adobe etc that the browser calls as part of its normal behavior and uses the vulnerable program to download and run other attacks.

    How is an exploit getting to the other apps you suggest running under EMET or is it just a 'belt and braces' approach to cover all, however unlikely, scenarios?

    Thanks
     
  10. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    If your application connects to a server and that server is compromised your application is compromised. Anything that connects to the internet is a vulnerability.

    Is it a big deal? Nope.
    Does it hurt? Nope.
     
  11. chris1341

    chris1341 Guest

    Thanks. No issues, just curious.

    EMET gives more cover than I thought then but it makes me curious as to what mechanism implemented by EMET protects against a compromised server feeding malicious instructions to a protected app. I thought it was looking after the protected app's memory not what was being fed to it externally (one can affect the other of course, but....). I'm not very good with 'it just does' I'm afraid I need to know how it works before using it. I thought I did understand EMET and that it was about protecting from (in particular and mainly) browser attacks delivered via scripts etc triggering vulnerable apps to a malicious effect - obviously not!

    Any info you could give on this would be appreciated.

    Thanks.
     
  12. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    EMET forces applications to implement certain security methods such as randomizing where the applications are in memory.

    Of course, nothing is ever random and all of the methods implemented can be programmatically avoided, but it WILL defeat many attacks on your programs.

    EMET works with two methods:

    1) System wide settings. These will change how programs run on a system wide level. This includes DEP, ASLR, and SEHOP.

    2) EMET.dll injection. This lets EMET inject the EMET.dll into specific applications of your choosing and it then forces them to run with specific security methods of your choosing.

    Certain methods are not supported by all applications natively but when you force them to use them they will run just fine. Other applications however may not play so nicely with EMET and can break.

    If you want a "safe" setting you can leave the system wide settings alone and only force applications that are known to work. Many people do just fine with the Maximum Security settings though.
     
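As an added illustration of the point above that "certain methods are not supported by all applications natively" (example code written for this discussion, not taken from any post here or from EMET itself): DEP and ASLR opt-in is recorded per binary in the DllCharacteristics field of the PE optional header, and a small parser can show which of the two an executable asked for at link time, which is what EMET's per-process EMET.dll injection forces when the binary did not. The PE layout and flag values come from the published PE/COFF format; the headers built by `build_minimal_pe` are constructed for the example and are not loadable programs.

```python
import struct
import sys

# IMAGE_DLLCHARACTERISTICS_* flag values from the PE/COFF specification
DYNAMIC_BASE = 0x0040     # image may be relocated: opts in to ASLR
NX_COMPAT = 0x0100        # image is DEP-compatible: opts in to DEP
NO_SEH = 0x0400           # image uses no structured exception handlers
HIGH_ENTROPY_VA = 0x0020  # 64-bit ASLR with high entropy (PE32+ only)


def pe_mitigations(image: bytes) -> dict:
    """Return which exploit mitigations a PE image opted into at link time."""
    if len(image) < 64 or image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)   # offset of PE signature
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = e_lfanew + 4                                    # 20-byte COFF file header
    (size_of_optional,) = struct.unpack_from("<H", image, coff + 16)
    opt = coff + 20                                        # start of optional header
    if size_of_optional < 72 or len(image) < opt + 72:
        raise ValueError("optional header too short to carry DllCharacteristics")
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (0x10B, 0x20B):                        # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ optional headers
    (dll_chars,) = struct.unpack_from("<H", image, opt + 70)
    return {
        "pe32plus": magic == 0x20B,
        "dep": bool(dll_chars & NX_COMPAT),
        "aslr": bool(dll_chars & DYNAMIC_BASE),
        "no_seh": bool(dll_chars & NO_SEH),
        "high_entropy_va": magic == 0x20B and bool(dll_chars & HIGH_ENTROPY_VA),
    }


def needs_emet_for(image: bytes) -> list:
    """Mitigations EMET would have to force because the image did not opt in."""
    m = pe_mitigations(image)
    missing = []
    if not m["dep"]:
        missing.append("DEP")
    if not m["aslr"]:
        missing.append("ASLR")
    return missing


def build_minimal_pe(dll_characteristics: int, pe32plus: bool = False) -> bytes:
    """Constructed sample: a skeletal PE header with the given DllCharacteristics.

    Only the fields the parser reads are filled in; it is not a runnable program.
    """
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                  # e_lfanew -> right after DOS header
    opt_size = 112 if pe32plus else 96
    coff = struct.pack("<HHIIIHH",
                       0x8664 if pe32plus else 0x14C,      # Machine: x64 / i386
                       0, 0, 0, 0,                         # sections, timestamp, symbols
                       opt_size,
                       0x0102)                             # EXECUTABLE_IMAGE | 32BIT_MACHINE
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # With a file argument, inspect a real binary; otherwise show the constructed samples.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            data = f.read()
        print(sys.argv[1], pe_mitigations(data), "EMET would force:", needs_emet_for(data))
    else:
        legacy = build_minimal_pe(0)                                # no opt-in at all
        modern = build_minimal_pe(NX_COMPAT | DYNAMIC_BASE | NO_SEH)
        print("legacy header  -> EMET would force:", needs_emet_for(legacy))
        print("modern header  -> EMET would force:", needs_emet_for(modern))
```

Run it against a real executable to see whether DEP/ASLR are already compiled in; a binary that opted in gains nothing from those two EMET rules, while one that did not is the case the post describes. The per-process ROP and SEHOP-style checks EMET also applies are not visible in the header and are not covered here.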
  13. chris1341

    chris1341 Guest

    Thanks again, I understood that but I'm still not joining the dots. I don't see how what it protects against means it needs to be applied to or it is even beneficial to use for anything that connects out. Anyway ...... I'll do what I should've done and do some more research.

    Maybe just a different take on things, its allowed!

    Cheers
     
  14. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Well let's say you have Flash running EMET and you visit a site that launches Flash and tries to exploit it. If this vulnerability doesn't take the security methods that EMET implements into account then EMET will prevent the exploit.
     
  15. chris1341

    chris1341 Guest

    Absolutely and I've seen it work well for that but I guess I'm struggling to see what's vulnerable about software updaters or why other programs not known to be exploited should require EMET protection just because they connect out.

    I use EMET at maximum by the way but as you will gather don't add all apps/exe's etc that connect out :)

    Maybe just a different take on the same issue. I think you are saying why not use EMET for these things as it can't hurt and may help, I'm just saying why use it if it is not required.

    Cheers
     
  16. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I see. Well there isn't really much reason to except that it's possible that you could have a local attack on your computer or an update server could be compromised or something like that. It's unlikely in my opinion but there's no real downside to it.

    Basically, as you said, I'm just saying it CAN help and it won't hurt.
     
  17. Zorak

    Zorak Registered Member

    Joined:
    Jan 2, 2010
    Posts:
    182
    Location:
    Australian Capital Territory
    While researching this myself, I came across a discussion in the Secunia forum. http://secunia.com/community/forum/thread/show/6721/emet_observations_questions

    Please note the 7th post by ddmarshall, which includes the following quote:

    If this guy knows what he's talking about (he probably at least knows more than I do!!) then his opinion may be useful to this discussion.
     
  18. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Well, sure.

    For example a program that only connects to the internet to get updates from a known trusted server is not a huge threat.

    Something like Java, which connects to all sorts of different websites is at a much bigger risk.
     
  19. JimboW

    JimboW Registered Member

    Joined:
    Oct 22, 2010
    Posts:
    280
    I have EMET running at maximum settings with all internet facing apps configured as well. I've only had a couple of old poorly coded programs that wouldn't run with EMET which I have since got rid of.

    This is the great thing about EMET. I've seen a lot of malware that is also poorly coded and EMET breaks it immediately on execution. A good additional layer, especially on Win7 that uses zero resources.
     
  20. 1PW

    1PW Registered Member

    Joined:
    Apr 2, 2010
    Posts:
    1,934
    Location:
    North of the 38th parallel.
    +1

    Do remember that simple Internet looking application updates probably wouldn't require any changes to EMET's database, however something like the new Java JRE 7 may get overlooked because of its pathname change.

    HTH :)
     
  21. enemyofarsenic

    enemyofarsenic Registered Member

    Joined:
    Jun 18, 2011
    Posts:
    85
    What's the change? Please do share :)
     
  22. 1PW

    1PW Registered Member

    Joined:
    Apr 2, 2010
    Posts:
    1,934
    Location:
    North of the 38th parallel.
    On an XP system:

    C:\Program Files\Java\jre7\bin\java.exe

    and not

    C:\Program Files\Java\jre6\bin\java.exe

    The real point being that a major update might (create a new) alter the pathname. Hence, EMET might have obsolete information ergo no EMET protection, unless properly re-established.

    HTH :)
     
  23. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Yes I just recently cleaned out my EMET list and reentered all of the applications I wanted.
     
  24. JimboW

    JimboW Registered Member

    Joined:
    Oct 22, 2010
    Posts:
    280
    Yep, had to re-add Java due to the pathname change. Also, don't forget to add Java from the System32 folder.
     
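The stale-path problem described in the last few posts (the jre6 entry staying in EMET's list while the updater installs into jre7) lends itself to a quick audit. The script below is an added example written for this thread, not code from any poster or from EMET: you supply the list of executable paths EMET is configured for, it reports the ones that no longer exist on disk, and for each it looks for a same-named file whose path differs in exactly one directory component, which is the renamed-version-folder case. The application list and the on-disk paths in `SAMPLE_EMET_LIST` and `SAMPLE_DISK` are constructed for the example and are not taken from any real system.

```python
import os
from pathlib import PureWindowsPath

# Constructed sample: what an EMET application list might hold after a
# Java 6 -> Java 7 upgrade (hypothetical entries, not a real EMET export).
SAMPLE_EMET_LIST = [
    r"C:\Program Files\Java\jre6\bin\java.exe",
    r"C:\Program Files\Java\jre6\bin\javaw.exe",
    r"C:\Program Files\Adobe\Reader 10.0\Reader\AcroRd32.exe",
    r"C:\Windows\System32\java.exe",
]

# Constructed sample: executables actually present on disk after the upgrade.
SAMPLE_DISK = {
    r"C:\Program Files\Java\jre7\bin\java.exe",
    r"C:\Program Files\Java\jre7\bin\javaw.exe",
    r"C:\Program Files\Adobe\Reader 10.0\Reader\AcroRd32.exe",
    r"C:\Windows\System32\java.exe",
}


def find_stale_entries(configured, exists=os.path.exists):
    """Return configured paths for which `exists` is false (default: the real file system)."""
    return [p for p in configured if not exists(p)]


def suggest_replacement(stale_path, candidates):
    """Candidates with the same file name and depth whose path differs in exactly one
    component: the typical 'version folder was renamed' situation."""
    stale = PureWindowsPath(stale_path)
    matches = []
    for c in candidates:
        cand = PureWindowsPath(c)
        if cand.name.lower() != stale.name.lower():
            continue
        if len(cand.parts) != len(stale.parts):
            continue
        differing = [i for i, (a, b) in enumerate(zip(cand.parts, stale.parts))
                     if a.lower() != b.lower()]
        if len(differing) == 1:
            matches.append(c)
    return sorted(matches)


def audit(configured, on_disk):
    """Map each stale configured path to its likely replacements (Windows paths are
    compared case-insensitively)."""
    present = {p.lower() for p in on_disk}
    stale = find_stale_entries(configured, exists=lambda p: p.lower() in present)
    return {s: suggest_replacement(s, on_disk) for s in stale}


def audit_live(configured):
    """Same audit against the real file system: replacements are searched in the
    directories one level up from each stale path (sibling version folders)."""
    report = {}
    for stale in find_stale_entries(configured):
        parent = PureWindowsPath(stale).parent          # e.g. ...\jre6\bin
        versions_root = parent.parent.parent            # e.g. ...\Java
        candidates = []
        if os.path.isdir(str(versions_root)):
            for entry in os.listdir(str(versions_root)):
                candidates.append(str(versions_root / entry / parent.name / PureWindowsPath(stale).name))
        report[stale] = [c for c in suggest_replacement(stale, candidates) if os.path.exists(c)]
    return report


if __name__ == "__main__":
    # Offline demonstration on the constructed samples; use audit_live() on a real box.
    for stale, replacements in audit(SAMPLE_EMET_LIST, SAMPLE_DISK).items():
        print("stale EMET entry:", stale)
        for r in replacements:
            print("    probably moved to:", r)
```

Entries that come back stale are exactly the ones the earlier posts warn about: EMET still holds the old path, the process that actually runs is launched from the new one, and nothing is protected until the entry is re-added. Running this after every major update of a listed application (or comparing the list against the paths currently visible in Task Manager) catches the gap quickly.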
  25. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    What exactly do you mean?
     