Discussion in 'other anti-malware software' started by shadek, Oct 11, 2010.
What Windows processes would you guys recommend to protect with EMET completely?
Does EMET emulate security measures or does it use the actual implementation in the OS? Will it add overhead to a protected application? If I enable DEP fully/system-wide, do I still need EMET, as Windows 7 (both x86 and x64) already has ASLR and I have enabled SEHOP via MicrosoftFixit50096? Does it force protection measures on the protected application, even if it does not support them?
Yes, from what I understand, EMET forces protection measures upon the selected applications, even if they do not support them. This opens the door to compatibility issues, although they are not very common. It's generally not recommended to force EMET protection on security applications, as this may cause conflicts. I haven't noticed any overhead on protected applications.
Would protecting iexplore.exe make sense?
Thanks, shadek, for the reply.
I thought MS processes and services are already protected by DEP and ASLR.
Anyway, I would also add PDF readers, Flash, Java, Office applications and media players.
I'm having a hard time locating Java and Flash on my computer. In what directories can I find those applications?
For Java on 64 bit:
C:\Program Files (x86)\Java\jre6\bin\java.exe
For Flash I think it depends on the application, because it's all DLLs; there are some EXEs but I think those are uninstallers. With standard older browsers it should just be their executable, but with out-of-process plugins it becomes a little bit more complicated; for recent Firefox versions it's plugin-container.exe, found in: C:\Program Files (x86)\Mozilla Firefox
"C:\Program Files\Mozilla Firefox\plugins" contains plugins initiated automatically on each Firefox start (until disabled manually).
"C:\Windows\System32\Macromed\Flash" contains executables (FlashUtil10k_ActiveX for IE, FlashUtil10k_Plugin for other browsers) and other components (Flash10k.ocx, the OCX control for programmers; flashplayer.xpt, used by FF via plugin-container; FlashUtil10k_ActiveX.dll for IE; NPSWF32.dll, the Shockwave plugin) which are used for Flash functionality in browsers and other software.
It turned out I had forgotten to install Java. That's why I couldn't find it. Regarding Flash, I'm not sure I could apply EMET restrictions to it.
Any issues using it with Avast?
I use this setting; it has never given me any problems:
I have Java 32/64-bit, I only have IE8 installed (32/64), Foxit Reader (PDF), WMP 32- and 64-bit and also Flash.
I think EMETizing your browser's process or (if it has one) its plugin process should be enough to protect Flash etc. The system-wide setting of ASLR is about randomizing the process, while the application setting MandatoryASLR doesn't randomize the process, but the dynamic link libraries it loads:
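The question running through the thread (does an application "support" DEP and ASLR, and what is EMET forcing when it doesn't) can be answered by reading the binary itself: the linker records the opt-ins as IMAGE_DLLCHARACTERISTICS_NX_COMPAT and IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE bits in the PE optional header. The script below is an added example written for this page, not code from any poster or from EMET; it parses those headers with the Python standard library and the PE images it builds for its own checks are constructed test data, not real Flash or Java files. Point it at the files mentioned above (NPSWF32.dll, plugin-container.exe, java.exe) to see which of them EMET would actually have to force.

```python
"""Report whether a Windows PE image opts in to DEP (NX_COMPAT) and ASLR (DYNAMIC_BASE).

Added example for this thread, not code from any poster or from EMET itself.
Parses the PE headers with the standard library only. The images built by
build_sample_pe() are constructed test data, not real Flash/Java binaries.
"""
import struct
import sys

# IMAGE_DLLCHARACTERISTICS_* bits in the optional header (PE/COFF specification)
DYNAMIC_BASE = 0x0040      # image may be relocated at load time: ASLR opt-in
NX_COMPAT = 0x0100         # image is compatible with DEP
# IMAGE_FILE_CHARACTERISTICS bit in the COFF header
RELOCS_STRIPPED = 0x0001   # no .reloc data: the image can never be rebased
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
COFF_HEADER_SIZE = 20
DLLCHAR_OFFSET = 70        # DllCharacteristics sits at +70 in both PE32 and PE32+


def pe_mitigation_flags(data: bytes) -> dict:
    """Parse a PE image and return which mitigations its linker opted in to."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    characteristics = struct.unpack_from("<H", data, coff + 18)[0]
    opt = coff + COFF_HEADER_SIZE
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dllchar = struct.unpack_from("<H", data, opt + DLLCHAR_OFFSET)[0]
    return {
        "pe32plus": magic == PE32PLUS_MAGIC,
        "aslr": bool(dllchar & DYNAMIC_BASE),
        "dep": bool(dllchar & NX_COMPAT),
        "relocs_stripped": bool(characteristics & RELOCS_STRIPPED),
    }


def describe(flags: dict) -> str:
    """Summarise the flags in the terms used in the thread."""
    if flags["aslr"]:
        aslr = "ASLR: opted in"
    elif flags["relocs_stripped"]:
        aslr = "ASLR: not opted in and relocations stripped (cannot be rebased at all)"
    else:
        aslr = "ASLR: not opted in (EMET MandatoryASLR would force relocation)"
    dep = "DEP: opted in" if flags["dep"] else "DEP: not opted in (EMET DEP would enforce it)"
    return "%s, %s [%s]" % (aslr, dep, "PE32+" if flags["pe32plus"] else "PE32")


def build_sample_pe(dllchar: int, pe32plus: bool = False,
                    relocs_stripped: bool = False) -> bytes:
    """Construct a minimal PE header (test data only; not a loadable program)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)      # e_lfanew: PE header follows the DOS stub
    machine = 0x8664 if pe32plus else 0x14C
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 0x70,
                       RELOCS_STRIPPED if relocs_stripped else 0)
    opt = bytearray(0x70)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, DLLCHAR_OFFSET, dllchar)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def check_files(paths):
    """Return {path: description} for real files, e.g. NPSWF32.dll or plugin-container.exe."""
    results = {}
    for path in paths:
        with open(path, "rb") as f:
            results[path] = describe(pe_mitigation_flags(f.read()))
    return results


if __name__ == "__main__":
    # e.g.  python check_pe.py "C:\Windows\System32\Macromed\Flash\NPSWF32.dll"
    for path, summary in check_files(sys.argv[1:]).items():
        print(path, "->", summary)
```

A module that reports "not opted in" for ASLR but does have relocations is exactly the case MandatoryASLR exists for; one with relocations stripped cannot be moved by anything, EMET included, and is the kind of plugin that stays at a fixed address no matter what you configure.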
Reading through the EMET manual can be quite useful.
I've set the plugin module of Firefox to full EMET protection. That ought to protect against any Flash exploits?