EMET 2 recommendations

Discussion in 'other anti-malware software' started by shadek, Oct 11, 2010.

Thread Status:
Not open for further replies.
  1. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,363
    Location:
    Sweden
    What Windows processes would you guys recommend to protect with EMET completely?
     
  2. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
    browsers, email
     
  3. Boyfriend

    Boyfriend Registered Member

    Joined:
    Jun 7, 2010
    Posts:
    1,070
    Location:
    Pakistan
    Does EMET emulate security measures or use the OS's actual implementation? Will it add overhead to protected applications? If I enable DEP fully/system-wide, do I still need EMET, as Windows 7 (both x86 and x64) already has ASLR and I have enabled SEHOP via MicrosoftFixit50096? Does it force protection measures on protected applications, even if they do not support them?
     
  4. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,363
    Location:
    Sweden
    Yes, from what I understand, EMET forces protection measures upon the selected applications, even if they do not support them. This opens the door to compatibility issues, although they are not very common. It's generally not recommended to force EMET protection on security applications, as this may cause conflicts. I haven't noticed any overhead on protected applications.

    Would protecting iexplore.exe make sense?
     
  5. Boyfriend

    Boyfriend Registered Member

    Joined:
    Jun 7, 2010
    Posts:
    1,070
    Location:
    Pakistan
    Thanks, shadek, for the reply :)
     
  6. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,764
    Location:
    Outer space
    I thought MS processes and services are already protected by DEP and ASLR.
    Anyway, I would also add PDF readers, Flash, Java, Office applications and media players.
     
  7. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,363
    Location:
    Sweden
    I'm having a hard time locating Java and Flash on my computer. In what directories can I find those applications?
     
  8. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,764
    Location:
    Outer space
    For Java on 64-bit:
    C:\Program Files (x86)\Java\jre6\bin\java.exe

    For Flash I think it depends on the application, because it's all DLLs; there are some exes, but I think those are uninstallers. With standard older browsers it should just be their executable, but with out-of-process plugins it becomes a little bit more complicated; for recent Firefox versions it's plugin-container.exe, found in: C:\Program Files (x86)\Mozilla Firefox
     
  9. Boyfriend

    Boyfriend Registered Member

    Joined:
    Jun 7, 2010
    Posts:
    1,070
    Location:
    Pakistan
    For x86:
    C:\Program Files\Java\jre6\bin\java.exe
    C:\Program Files\Java\jre6\bin\javacpl.exe
    C:\Program Files\Java\jre6\bin\javaw.exe
    C:\Program Files\Java\jre6\bin\javaws.exe

    "C:\Program Files\Mozilla Firefox\plugins" contains plugins initiated automatically on each Firefox start (until disabled manually).

    The "C:\Windows\System32\Macromed\Flash" directory contains executables (FlashUtil10k_ActiveX for IE, FlashUtil10k_Plugin for other browsers) and other components (Flash10k.ocx for programmers' OCX control, flashplayer.xpt to be used by FF via plugin-container, FlashUtil10k_ActiveX.dll for IE, NPSWF32.dll is the Shockwave plugin) which are used for Flash functionality in browsers and other software.
     
  10. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,363
    Location:
    Sweden
    It turned out I had forgotten to install Java. That's why I couldn't find it. Regarding Flash: I'm not sure I could apply EMET restrictions to it.
     
  11. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    Any issues using it with Avast?
     
  12. ExtremeGamerBR

    ExtremeGamerBR Registered Member

    Joined:
    Aug 3, 2010
    Posts:
    1,115
    I use this setting; it has never given me any problems:

    EMET.jpg

    I have Java 32/64-bit; I only have IE8 installed (32/64), Foxit Reader (PDF), WMP 32- and 64-bit and also Flash.
     
  13. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,764
    Location:
    Outer space
    I think EMETizing your browser's process or (if it has one) plugin process should be enough to protect Flash etc. The system-wide setting of ASLR is about randomizing the process, while the application setting MandatoryASLR doesn't randomize the process, but the dynamic link libraries it loads:
    Reading through the EMET manual can be quite useful ;)
     
  14. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,363
    Location:
    Sweden
    I've set the plugin module of Firefox to full EMET protection. That ought to protect against any Flash exploits? :)
     