EMET 3.5 ROP Settings Question

Discussion in 'other anti-malware software' started by 0strodamus, Feb 25, 2013.

Thread Status:
Not open for further replies.
  1. 0strodamus

    0strodamus Registered Member

    Joined:
    Aug 23, 2009
    Posts:
    1,058
    Location:
    United Surveillance States
    I just upgraded EMET from 3.0 to 3.5 and was wondering what you guys' experiences have been like using the ROP settings in 3.5. I've read through some forum threads here as well as Hungry Man's excellent blogs and gotten some good information from them. I'm currently only locking down my internet-facing applications and was wondering if anyone has had any crashes from Firefox, Thunderbird, or IE when using all of the ROP mitigations. Also, any issues running in Sandboxie with these all enabled? Thanks in advance for any info you can share.
     
  2. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,545
    I can only speak regarding Firefox. I put v3.5 on a friend's Windows 7 laptop that uses Firefox, and enabled all the mitigation techniques for it, and it seemed to run fine. But I only kept the laptop around for a few days until giving it back. But they never called me back and told me anything was broken, and every time I talk to them I ask... if everything is working okay, and they say yes.

    Firefox seems to be able to keep chugging along fine no matter how many restrictions you put on it. I also have very tight rules for it in Comodo D+... if I apply the same rules for IE8 it won't even boot. IE8 also didn't take to the mitigation techs... it didn't want to boot if I basically enabled any of them.

    I have no idea about Sandboxie. Never tried applying any of them to it.
     
  3. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I haven't used Sandboxie in some time, but I've had no crashes on Windows with many programs using the anti-ROP mitigation techniques.
     
  4. DR_LaRRY_PEpPeR

    DR_LaRRY_PEpPeR Registered Member

    Joined:
    Oct 11, 2012
    Posts:
    141
    Location:
    St. Louis area
    I have Outlook Express added to EMET, and it can't use Caller.

    And with Firefox, I found that using Caller, SimExecFlow, or StackPivot would cause some random freezes (no EMET notification). That was a few versions ago (4-6 months), and I could reliably reproduce it at the time by doing certain things to check and verify with each setting. I haven't tried to re-enable them. plugin-container was and still is fine with them...
    I don't think the OP was asking about using EMET on Sandboxie's own processes (I see no reason to do that). As far as running apps with EMET in Sandboxie, yeah, everything should be just fine. :)

    Of course I'm having a frustrating issue that I can't track down, with EMET's HeapSpray being randomly (sometimes constantly) triggered with Firefox (and plugin-container) in Sandboxie! Sandboxie forum thread; I wonder if tzuk can find anything out. Of course I can just disable HeapSpray on Firefox, but it should work the same as unsandboxed (no issue ever)!
     
  5. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Enabled it without issues on Chrome, ClipSync Server, Internet Explorer, iTunes, Java, Kingsoft Office, PDF-XChange Viewer, Tor Browser Bundle (DEP mitigation issue is separate), VirtualBox, and WordWeb.
     
    Last edited: Feb 25, 2013
  6. 0strodamus

    0strodamus Registered Member

    Joined:
    Aug 23, 2009
    Posts:
    1,058
    Location:
    United Surveillance States
    Thanks for the responses. I'm going to enable all the ROP mitigations on these apps. Thanks again!
     
  7. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
  8. 0strodamus

    0strodamus Registered Member

    Joined:
    Aug 23, 2009
    Posts:
    1,058
    Location:
    United Surveillance States
    Thanks itman! I've bookmarked your link. So far I haven't had any issues after enabling ROP, but if I do, I now have a guide to use.
     