EMET 3.5 ROP Settings Question

Discussion in 'other anti-malware software' started by 0strodamus, Feb 25, 2013.

Thread Status:
Not open for further replies.
  1. 0strodamus

    0strodamus Registered Member

    Joined:
    Aug 23, 2009
    Posts:
    1,047
    Location:
    United Surveillance States
    I just upgraded EMET from 3.0 to 3.5 and was wondering what you guys experiences have been like using the ROP settings in 3.5. I've read through some forum threads here as well as Hungry Man's excellent blogs and gotten some good information from them. I'm currently only locking down my internet facing applications and was wondering if anyone has had any crashes from Firefox, Thunderbird, or IE when using all of the ROP mitigations. Also any issues running in Sandboxie with these all enabled? Thanks in advance for any info you can share.
     
  2. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,497
    I can only speak regarding Firefox. I put v3.5 on a friends Windows 7 laptop that uses Firefox, and enabled all the mitigation techniques for it, and it seemed to run fine. But I only kept the laptop around for a few days until giving it back. But they never called me back and told me anything was broken, and every time I talk to them I ask... if everything working okay, and they say yes.

    Firefox seems to be able to keep chugging along fine no matter how many restrictions you put on it. I also have very tight rules for it in Comodo D+... if I apply the same rules for IE8 it won't even boot. IE8 also didn't take to the mitigation techs... it didn't want to boot if I basically enabled any of them.

    I have no idea about Sandboxie. Never tried applying any of them to it.
     
  3. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    I haven't used Sandboxie in some time, but I've had no crashes on Windows with many programs using the anti-ROP mitigation techniques.
     
  4. DR_LaRRY_PEpPeR

    DR_LaRRY_PEpPeR Registered Member

    Joined:
    Oct 11, 2012
    Posts:
    141
    Location:
    St. Louis area
    I have Outlook Express added to EMET, and it can't use Caller.

    And with Firefox, I found that using Caller, SimExecFlow, or StackPivot would cause some random freezes (no EMET notification). That was few versions ago (4-6 months), and I could reliably reproduce it doing certain things at the time to check and verify with each setting. I haven't tried to re-enable them. plugin-container was and still is fine with them...


    I don't think the OP was asking about using EMET on Sandboxie's own processes (I see no reason to do that). As far as running apps with EMET in Sandboxie, yeah, everything should be just fine. :)

    Of course I'm having a frustrating issue that I can't track down, with EMET's HeapSpray being randomly (sometimes constantly) triggered with Firefox (and plugin-container) in Sandboxie! Sandboxie forum thread; I wonder if tzuk can find anything out. Of course I can just disable HeapSpray on Firefox, but it should work the same as unsandboxed (no issue ever)!
     
  5. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    Enabled it without issues on Chrome, ClipSync Server, Internet Explorer, iTunes, Java, Kingsoft Office, PDF-XChange Viewer, Tor Browser Bundle (DEP mitigation issue is separate), VirtualBox, and WordWeb.
     
    Last edited: Feb 25, 2013
  6. 0strodamus

    0strodamus Registered Member

    Joined:
    Aug 23, 2009
    Posts:
    1,047
    Location:
    United Surveillance States
    Thanks for the responses. I'm going to enable all the ROP mitigations on these apps. Thanks again!
     
  7. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
  8. 0strodamus

    0strodamus Registered Member

    Joined:
    Aug 23, 2009
    Posts:
    1,047
    Location:
    United Surveillance States
    Thanks itman! I've bookmarked your link. So far I haven't had any issues after enabling ROP, but if I do, I now have a guide to use.
     
Loading...
Similar Threads
  1. emmjay
    Replies:
    5
    Views:
    780
  2. lodore
    Replies:
    3
    Views:
    655
Thread Status:
Not open for further replies.