EMET - A new Windows security mitigation toolkit

Discussion in 'other software & services' started by Mrkvonic, Dec 17, 2010.

  1. brainrb1

    brainrb1 Registered Member

    Joined:
    Mar 15, 2010
    Posts:
    491
    Thanks. I already did a reinstall. Updating Firefox Plugins like noscript etc. is the same painful routine. First you got to remove EMET protection.....update....back to EMET to add it to protection list. I am not complaining since its good protection but it sure is a drag sometimes :D
     
  2. prius04

    prius04 Registered Member

    Joined:
    Apr 14, 2007
    Posts:
    1,248
    Location:
    USA
    Hmmm, not seeing that issue with other plugins, brain. Perhaps it's because I'm still running EMET with XP, though.
     
  3. sbseven

    sbseven Registered Member

    Joined:
    Jan 30, 2011
    Posts:
    140
    I'm not sure why you're having problems. I don't believe you need to remove anything from EMET when upgrading software. EMET monitors running processes only. (Note: If the EXEs that EMET is monitoring have changed name and/or location following the upgrade, you'll need to update EMET's configuration, of course).

    I've just upgraded PDF-XChange Viewer from 2.5.191 to 2.5.193 (including FF plugin) without any problems. I installed over the top of 2.5.191 (with Firefox closed). The 2.5.193 standalone PDF viewer and the 2.5.193 FF plugin are working as expected. My EMET is 2.0.0.3 and it's monitoring firefox.exe and PDFXCview.exe whilst the plugin is in use. (The npPDFXCviewNPPlugin.dll is loaded by the firefox.exe process).

    Add-ons (such as NoScript) install fine too when FF is under EMET, as pointed out by previous poster.

    Regarding the old version of the plugin showing (in about:plugins I presume?). That's just a Firefox display problem not a plugin installation problem. See http://kb.mozillazine.org/About:plugins (near the end). To show the updated version info, close FF and delete pluginreg.dat from your profiles directory. About:plugins will now show the correct information. The pluginreg.dat file will be recreated automatically when you go tools > add-ons > plugins.

    - Edit - The URL above doesn't work properly when you click on it. Just remove the extra characters inserted in the address bar.
     
    Last edited: Feb 16, 2011
  4. sbseven

    sbseven Registered Member

    Joined:
    Jan 30, 2011
    Posts:
    140

    Note that for OpenOffice in your list, I have soffice.bin monitored in EMET as well. It seems to be a separate process in ProcessExplorer...

     
    Last edited: Feb 16, 2011
  5. brainrb1

    brainrb1 Registered Member

    Joined:
    Mar 15, 2010
    Posts:
    491
    I don't know for sure if this is firefox problem or EMET is supposed to run that way but twice I have had similar problems with plugins. Once updating noscript a few days ago and updating pdfxchange today. Both times I had to remove the plugincontainer.exe for firefox from EMET protection and added it right back after the update. Now, I am just unsure. I have EMET max settings for vista home p. 32bit. When I turn on recommended settings..SEHOP is off, DEP opt.in and the problem is not seen.
     

    Last edited: Feb 16, 2011
  6. sbseven

    sbseven Registered Member

    Joined:
    Jan 30, 2011
    Posts:
    140
    I use the following settings (also Vista x86 Home Premium):
    • DEP Application Opt Out
    • SEHOP Always on
    • ASLR Application Opt In
    This configuration is recommended here: http://www.mechbgon.com/build/security2.html#sehop. On my machine DEP is effectively Always On, as I don't have any exclusions set. So our settings are the same, except I've not seen any funny business with anything I've got EMET'd (been running v2.0.0.3 since it came out last November).

    I assume your Firefox is 3.6.13? EMET 2.0.0.3. Vista SP2 and fully patched etc... Did you get an EMET error message when things went wrong? What actually happens?

    I notice you mention the plugin_container.exe. That's not used by the PDF X-Change plugin at all. NoScript isn't a plugin, it's an add-on, so it doesn't use the plugin_container either...
     
  7. JRViejo

    JRViejo Super Moderator

    Joined:
    Jul 9, 2008
    Posts:
    97,436
    Location:
    U.S.A.
  8. brainrb1

    brainrb1 Registered Member

    Joined:
    Mar 15, 2010
    Posts:
    491
    plugin_container.exe is used by firefox. The problem is when it's protected under EMET any plugins don't update. I am trying to figure out if the problem is with firefox (plugin_container.exe) or EMET settings that I have and should plugin_container.exe be added to EMET?
     
  9. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,868
    Location:
    Outer space
    I've EMETized plugin-container on multiple computers and none give problems so I don't think the problem is with EMET.
     
  10. sbseven

    sbseven Registered Member

    Joined:
    Jan 30, 2011
    Posts:
    140
    I agree that the problem is probably not with EMET. Perhaps try a fresh install of Firefox?

    As you mentioned problems updating NoScript, you could also try creating a new profile as your existing one could be corrupted in some way. http://kb.mozillazine.org/Profile_manager

    As a temporary test, you could also disable the plugin_container.exe process completely and see if things are any different: http://www.tipsinside.co.cc/2010/08/how-to-disable-firefox-plugin.html

    The plugin_container.exe is used predominantly for Flash, QuickTime and Silverlight to isolate their operation from Firefox. As I've implied, the PDFXChange plugin (npPDFXCviewNPPlugin.dll) is not loaded in the plugin_container.exe, it is loaded by the firefox.exe process directly. With the plugin_container.exe disabled, Flash, QuickTime etc. will also be loaded by the firefox.exe process directly (as used to happen pre-3.6.4). The plugin_container.exe process will not be loaded.
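    Since EMET protects processes rather than plugin DLLs, the practical question in this exchange is which EXE actually hosts a given plugin. The following PowerShell check is an added example, not code from the thread or from EMET; it walks the loaded modules of every process you can open and reports the host process and its path (the one you would pass to emet_conf.exe --add). The DLL names passed to it (npPDFXCviewNPPlugin.dll from the post, NPSWF32.dll for Flash) are assumptions for the sample call; the 32-bit-Vista-era PowerShell 2.0 syntax is deliberate.

    ```powershell
    # Added example: find which running process has a given plugin DLL loaded.
    # Run from an elevated PowerShell whose bitness matches the OS (a 32-bit shell
    # cannot read the module list of 64-bit processes). Written for PowerShell 2.0.
    function Find-PluginHost {
        param(
            [Parameter(Mandatory=$true)]
            [string[]] $ModuleName     # e.g. 'npPDFXCviewNPPlugin.dll'
        )
        foreach ($proc in Get-Process) {
            $mods = $null
            # Reading .Modules throws for processes we are not allowed to open
            # (protected system processes); skip those rather than abort.
            try { $mods = $proc.Modules } catch { continue }
            if (-not $mods) { continue }
            foreach ($m in $mods) {
                # -contains compares case-insensitively, so NPSWF32.dll == npswf32.dll
                if ($ModuleName -contains $m.ModuleName) {
                    New-Object PSObject -Property @{
                        Module  = $m.ModuleName
                        Process = $proc.ProcessName
                        PID     = $proc.Id
                        Path    = $proc.Path   # this is the EXE to put under EMET
                    }
                }
            }
        }
    }

    # Sample call (constructed): while the PDF and Flash plugins are in use in Firefox,
    # expect the PDF-XChange DLL under firefox.exe and Flash under plugin-container.exe.
    Find-PluginHost -ModuleName 'npPDFXCviewNPPlugin.dll', 'NPSWF32.dll' |
        Format-Table Module, Process, PID, Path -AutoSize
    ```

    If a DLL is not reported at all, either no process currently has it loaded (open a document that uses the plugin first) or the hosting process could not be opened from this shell.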
     
  11. brainrb1

    brainrb1 Registered Member

    Joined:
    Mar 15, 2010
    Posts:
    491
    Thanks. I think a reinstall of firefox is what I need (or maybe wait for v4). I will play around with my EMET settings for a week or two as well. :)
     
  12. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    Will EMET automatically get updated to the latest version through Windows Update?

    What about adding things like:
    ntvdm.exe
    cscript.exe
    cmd.exe
    reg.exe
    hh.exe
    tftp.exe
    ftp.exe
    winhelp32.exe

    Should portable applications be included into EMET?
     
  13. sbseven

    sbseven Registered Member

    Joined:
    Jan 30, 2011
    Posts:
    140
    No. It's not even officially a supported application at the moment. EMET seems to phone home (if you let it), but I don't know if it version checks itself.

    You could add anything you feel is potentially open to the types of memory exploits EMET guards against. I consider EMET useful for anything facing the internet and anything dealing with complex file types.

    The ones above are perhaps less significantly open to attack than your browser, office app, email client, pdf viewer, media players, etc. Up to you where you draw the line. You can add them to EMET and if they function OK, no harm done. If they don't work then remove them from EMET or amend the per application settings.

    Portable apps can be covered too, subject to the same reasoning.

    I feel the scope of the list upthread is adequate, if you're not paranoid.
     
  14. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,797
    This is for those of you who want to go paranoid or just tinker around. I have made a list of executable files in the C:\Windows and C:\Windows\System32 folders to be added into EMET. (Windows 7 Ultimate 32-bit...so yours may differ)

    Code:
    c:
    cd "C:\Program Files\EMET"
    
    emet_conf.exe --add "C:\WINDOWS\system32\adaptertroubleshooter.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\aitagent.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\alg.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\appidcertstorecheck.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\appidpolicyconverter.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\arp.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\at.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\atbroker.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\atibtmon.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\atieclxx.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\atiesrxx.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\attrib.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\audiodg.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\auditpol.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\autochk.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\autoconv.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\autofmt.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\axinstui.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\bitsadmin.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\bootcfg.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\bridgeunattend.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\cacls.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\calc.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\certenrollctrl.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\change.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\charmap.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\chglogon.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\chgport.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\chgusr.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\chkdsk.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\chkntfs.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\choice.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\cipher.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\cleanmgr.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\cliconfg.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\clip.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\cmd.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\cmdkey.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\cmdl32.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\cmmon32.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\cmstp.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\cofire.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\colorcpl.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\comp.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\compact.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\CompMgmtLauncher.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\ComputerDefaults.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\conhost.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\control.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\convert.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\cscript.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\csrstub.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\ctfmon.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\cttune.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\cttunesvr.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\dccw.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\dcomcnfg.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\ddodiag.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\debug.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\defrag.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\devicedisplayobjectprovider.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\deviceeject.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\devicepairingwizard.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\deviceproperties.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\dfdwiz.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\dfrggui.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\dialer.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\diantz.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\dinotify.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\diskpart.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\diskperf.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\diskraid.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\dism.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\dispdiag.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\displayswitch.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\djoin.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\dllhost.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\dllhst3g.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\dnscacheugc.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\doskey.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\dosx.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\dpapimig.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\dpiscaling.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\dplaysvr.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\dpnsvr.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\driverquery.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\drvinst.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\drwatson.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\dvdplay.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\dvdupgrd.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\dwwin.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\dxdiag.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\dxpserver.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\eap3host.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\edlin.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\efsui.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\esentutl.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\eudcedit.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\eventcreate.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\eventvwr.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\exe2bin.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\expand.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\extrac32.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\fastopen.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\fbnative.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\fc.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\find.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\findstr.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\finger.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\fixmapi.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\fltmc.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\fontview.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\forfiles.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\fsquirt.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\fsutil.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\ftp.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\fxscover.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\fxssvc.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\fxsunatd.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\gdi.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\getmac.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\gettingstarted.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\gpresult.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\gpscript.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\gpupdate.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\grpconv.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\hdwwiz.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\help.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\hostname.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\icardagt.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\icsunattend.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\ie4uinit.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\ieunatt.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\iexpress.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\ipconfig.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\irftp.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\iscsicli.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\iscsicpl.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\isoburn.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\klist.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\krnl386.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\ksetup.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\ktmutil.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\label.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\locationnotifications.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\locator.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\lodctr.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\logagent.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\logman.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\logoff.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\logonui.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\lpksetup.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\lpremove.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\lsass.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\lsm.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\magnify.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\makecab.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\manage-bde.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\mblctr.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\mcbuilder.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\mctadmin.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\mdres.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\mdsched.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\mem.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\mfpmp.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\migautoplay.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\mmc.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\mobsync.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\modifype.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\mountvol.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\mpnotify.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\mpsigstub.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\mrinfo.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\mrt.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\mscdexnt.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\msconfig.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\msdt.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\msdtc.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\msfeedssync.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\msg.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\mshta.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\msiexec.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\msinfo32.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\mspaint.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\msra.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\mstsc.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\mstocom.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\muiunattend.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\multidigimon.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\napstat.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\narrator.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\nbtstat.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\ndadmin.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\net.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\net1.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\netbtugc.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\netcfg.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\netougc.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\netplwiz.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\netproj.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\netsh.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\netstat.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\nlsfunc.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\nltest.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\notepad.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\nslookup.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\ntkrnlpa.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\ntoskrnl.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\ntprint.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\ntvdm.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\ocsetup.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\odbcad32.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\odbcconf.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\openfiles.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\optionalfeatures.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\osk.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\p2phost.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\pathping.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\pcalua.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\pcaui.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\pcawrk.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\pcwrun.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\perfmon.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\ping.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\pkgmgr.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\plasrv.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\pnpunattend.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\pnputil.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\poqexec.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\powercfg.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\PresentationHost.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\PresentationSettings.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\prevhost.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\print.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\printbrmui.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\printfilterpipelinesvc.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\printisolationhost.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\printui.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\proquota.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\psr.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\PushPrinterConnections.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\qappsrv.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\qprocess.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\query.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\quser.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\qwinsta.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\rasautou.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\rasdial.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\raserver.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\rasphone.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\rdpclip.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\rdpinit.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\rdpshell.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\rdpsign.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\rdtleakdiag.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\RDVGHelper.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\ReAgentc.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\recdisc.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\recover.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\redir.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\reg.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\regedt32.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\regini.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\RegisterIEPKEYs.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\regsvr32.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\rekeywiz.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\relog.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\relpost.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\repair-bde.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\replace.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\reset.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\resmon.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\ROUTE.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\RpcPing.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\rstrui.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\runas.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\rundll32.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\RunLegacyCPLElevated.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\runonce.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\rwinsta.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\sc.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\sdbinst.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\sdchange.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\sdclt.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\sdiagnhost.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\SearchFilterHost.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\SearchIndexer.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\SearchProtocolHost.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\SecEdit.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\secinit.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\services.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\sethc.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\SetIEInstalledDate.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\setspn.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\setupcl.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\setupSNK.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\setupugc.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\setver.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\setx.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\sfc.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\shadow.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\share.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\shrpubw.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\shutdown.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\sigverif.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\slui.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\slwc.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\sndvol.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\SnippingTool.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\snmptrap.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\sort.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\SoundRecorder.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\spoolsv.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\sppsvc.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\spreview.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\srdelayed.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\stikynot.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\subst.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\svchost.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\sxstrace.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\SyncHost.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\sysedit.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\syskey.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\systeminfo.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\systray.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\tabcal.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\takeown.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\TapiUnattend.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\taskeng.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\taskhost.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\taskkill.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\tasklist.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\taskmgr.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\tcmsetup.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\tcpsvcs.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\timeout.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\tracert.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\tscon.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\tscupgrd.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\tsdiscon.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\tskill.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\tstheme.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\TsUsbRedirectionGroupPolicyControl.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\TSWbPrxy.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\TsWpfWrp.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\typeperf.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\tzutil.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\ucsvc.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\uharc.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\UI0Detect.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\unlodctr.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\unregmp2.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\upnpcont.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\user.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\userinit.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\utilman.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\vaultcmd.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\vaultsysui.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\vds.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\vdssldr.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\verclsid.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\verifier.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\vssadmin.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\vssvc.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\w32tm.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\waitfor.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\wbadmin.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\wbengine.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\wecutil.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\WerFault.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\WerFaultSecure.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\wermgr.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\wevutil.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\wextract.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\WFS.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\where.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\whoami.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\wiaacmgr.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\wimserv.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\wininit.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\winload.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\winrs.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\winrshost.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\WinSAT.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\winspool.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\winver.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\wisptis.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\wksprt.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\wlanext.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\wowdeb.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\wowexec.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\wpabaln.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\wpdshextautoplay.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\wpnpinst.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\write.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\wscript.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\wsmanhttpconfig.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\wsmprovhost.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\wsqmcons.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\wuapp.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\wuauclt.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\WUDFHost.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\wusa.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\xcopy.exe"
    emet_conf.exe --add "C:\WINDOWS\system32\xwizard.exe"
    I've omitted a few of them (see below*) and I'm pretty sure some of the remaining listed may be redundant.
    (I'd be nuts to check each and every single thing, right?:p)

    Disclaimer: DO THIS AT YOUR OWN RISK!!! I am not to be held responsible/liable if anything screws up.:D

    P.S. I can't think of any convincing logic or added benefit to doing this. I guess the only purpose of this exercise is to find out, and to satisfy one's curiosity (curiosity killed the cat), whether it's possible to add "system files/executables" under EMET without much harm, and to see if any get "broken" under EMET.

    If you try this (despite the disclaimer) and find anything that doesn't work properly under EMET, then you may want to report back here (or PM me).

    *These are the files I have omitted/excluded from EMET:

    C:\Windows:

    Code:
    bfsvc.exe (Boot File Servicing Utility)
    explorer.exe
    fveupdate.exe (BitLocker Drive Encryption Servicing Utility)
    C:\Windows\System32:

    Code:
    baaupdate.exe (BitLocker Access Agent Update Utility)
    bcdboot.exe (Bcdboot utility)
    bcdedit.exe (Boot Configuration Data Editor)
    BdeHdCfg.exe (BitLocker Drive Encryption: Drive Preparation Tool)
    BdeUISrv.exe (BDE UI Launcher)
    BdeUnlockWizard.exe (BitLocker Unlock Wizard)
    BitLockerWizard.exe (BitLocker Drive Encryption Wizard)
    BitLockerWizardElev.exe (BitLocker Drive Encryption Wizard)
    consent.exe (Consent UI for administrative applications)
    csrss.exe (Client/Server Runtime Subsystem)
    dwm.exe (Desktop Window Manager)
    EhStorAuthn.exe (Windows Enhanced Storage Password Authentication Program)
    fvenotify.exe (BitLocker Drive Encryption Notification Utility)
    fveprompt.exe (BitLocker Drive Encryption)
    icacls.exe
    infdefaultinstall.exe (INF Default Install)
    smss.exe (Windows Session Manager)
    SystemPropertiesAdvanced.exe
    SystemPropertiesComputerName.exe
    SystemPropertiesDataExecutionPrevention.exe
    SystemPropertiesHardware.exe
    SystemPropertiesPerformance.exe
    SystemPropertiesProtection.exe
    SystemPropertiesRemote.exe
    TpmInit.exe (TPM Initialization Wizard)
    UserAccountControlSettings.exe
    WindowsAnyTimeUpgradeResults.exe
    winlogon.exe (Windows Logon Application)
    winresume.exe (Resume From Hibernate boot application)
    wlrmdr.exe (Windows logon reminder)
    Note: I did try adding explorer.exe into EMET and it does work fine initially, but then a few days later it crashes for some reason or another. Hence, I removed it. I've tried the above-mentioned setting on my own PC and so far, things seem fine. ('fine' as in I can use my PC to browse the web...no random crashes, etc. I didn't really load every single Windows executable to find out whether it's going to lead to a BSOD.) Don't say I didn't warn you....
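    The bulk-add above is a long hand-typed list, which makes it easy to miss one of the exclusions or to register something you did not mean to. The script below is an added example (not code from the post and not part of EMET) that generates the same kind of emet_conf.exe --add commands from a folder listing while skipping the author's exclusion list, and defaults to a dry run so the list can be reviewed before anything is registered. It assumes emet_conf.exe (the EMET 2.x command-line tool) is on PATH and uses only its --add option, exactly as the post does; the exclusion set is the post's own list, matched case-insensitively by file name.

```python
"""Build, review, and optionally run emet_conf.exe --add commands for every
.exe in a folder, minus an exclusion list.

Added example; not code from the post or from EMET. Assumes emet_conf.exe
(EMET 2.x CLI) is on PATH and uses only its --add option, as the post does.
"""
import subprocess
import sys
from pathlib import Path, PureWindowsPath

# Executables the post's author left out of EMET (boot, logon, session, UAC,
# BitLocker, TPM and a few system-property tools). Matched by file name,
# case-insensitively, so C:\Windows\explorer.exe and EXPLORER.EXE both match.
DEFAULT_EXCLUSIONS = frozenset({
    "bfsvc.exe", "explorer.exe", "fveupdate.exe",
    "baaupdate.exe", "bcdboot.exe", "bcdedit.exe", "bdehdcfg.exe",
    "bdeuisrv.exe", "bdeunlockwizard.exe", "bitlockerwizard.exe",
    "bitlockerwizardelev.exe", "consent.exe", "csrss.exe", "dwm.exe",
    "ehstorauthn.exe", "fvenotify.exe", "fveprompt.exe", "icacls.exe",
    "infdefaultinstall.exe", "smss.exe", "systempropertiesadvanced.exe",
    "systempropertiescomputername.exe",
    "systempropertiesdataexecutionprevention.exe",
    "systempropertieshardware.exe", "systempropertiesperformance.exe",
    "systempropertiesprotection.exe", "systempropertiesremote.exe",
    "tpminit.exe", "useraccountcontrolsettings.exe",
    "windowsanytimeupgraderesults.exe", "winlogon.exe", "winresume.exe",
    "wlrmdr.exe",
})


def list_executables(directory):
    """Return the *.exe files directly inside `directory` (no recursion) as
    strings, sorted so repeated runs produce the same order."""
    return sorted(str(p) for p in Path(directory).iterdir()
                  if p.is_file() and p.suffix.lower() == ".exe")


def plan_emet_adds(exe_paths, exclusions=DEFAULT_EXCLUSIONS,
                   emet_conf="emet_conf.exe"):
    """Turn executable paths into emet_conf --add argument vectors, dropping
    any whose file name is in `exclusions`. Returns a list of argv lists."""
    skip = {name.lower() for name in exclusions}
    commands = []
    for path in exe_paths:
        name = PureWindowsPath(path).name   # parses Windows paths on any host
        if name.lower() in skip:
            continue
        commands.append([emet_conf, "--add", str(path)])
    return commands


def run_adds(commands, dry_run=True):
    """Run each command, or only echo it when dry_run is set. Returns
    (attempted, failed); a non-zero exit from emet_conf counts as failed."""
    failed = 0
    for argv in commands:
        if dry_run:
            print(f'{argv[0]} {argv[1]} "{argv[2]}"')
            continue
        result = subprocess.run(argv, capture_output=True, text=True)
        if result.returncode != 0:
            failed += 1
            print(f"FAILED ({result.returncode}): {argv[2]}: "
                  f"{result.stderr.strip()}")
    return len(commands), failed


if __name__ == "__main__":
    # Usage: python emet_bulk_add.py [folder] [--apply]
    # Without --apply the commands are only printed for review.
    args = [a for a in sys.argv[1:] if not a.startswith("--")]
    folder = args[0] if args else r"C:\Windows\System32"
    live = "--apply" in sys.argv
    attempted, failed = run_adds(plan_emet_adds(list_executables(folder)),
                                 dry_run=not live)
    print(f"{attempted} command(s), {failed} failed")
```

    Run it once without --apply, check the printed list against what you actually want mitigated (the post's own explorer.exe experience shows why), and only then rerun with --apply; a non-zero exit from emet_conf.exe is counted and reported rather than silently ignored.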
     
  15. G1111

    G1111 Registered Member

    Joined:
    May 11, 2005
    Posts:
    2,294
    Location:
    USA
    Anyone know of any potential conflicts running EMET 2 (MS Office & Internet-facing apps) with Seconfig XP? I am running Windows XP Pro SP3 and have been running with EMET 2 for a few days with no problems. Decided to turn Seconfig XP back on (all protections enabled on the "home" setting) for a little extra hardening.
     
  16. EboO

    EboO Registered Member

    Joined:
    Mar 12, 2011
    Posts:
    287
    Is there a utility to use EMET with software like DefenseWall or Sandboxie/BufferZone, with UAC on?

    Thanks.
     
  17. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    Works just fine for me w/ Sandboxie and UAC on (W7 x86).
     
  18. EboO

    EboO Registered Member

    Joined:
    Mar 12, 2011
    Posts:
    287
    Oh ok thanks, nice news. I'm going to install it on my notebook.
    I think it works fine with virtualisation programs, but perhaps it could be a problem with DefenseWall (based on policy restrictions). If somebody uses EMET and DW, a testimonial please? :)
     
  19. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Ahhh, I took a look at the network rules in OP for EMET and there were none, so it doesn't appear to phone home.

    What data do you have that it does?:D
     
  20. sbseven

    sbseven Registered Member

    Joined:
    Jan 30, 2011
    Posts:
    140
    Whenever I open the EMET GUI I see four (blocked) attempts to contact Akamai server IPs in my Windows Firewall log.
     
  21. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses

    That is very interesting! I'll try the EMET GUI and see if I can replicate what you have seen.

    I'll turn on OP rules wizard since I have no rules for the GUI.
     
  22. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Well I added TCP and UDP allow rules to the EMET GUI application and can find no evidence of it attempting to "call out".

    I cannot explain the observation in your post.

    Sorry.
     
  23. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,868
    Location:
    Outer space
    I get outbound requests from EMET from my Firewall as well, but it only happens occasionally, not every time I start it.
     
  24. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses

    Can you post your FW log entry for this please?

    There are multiple exe's for EMET and more than one version of the product, and everybody's OS is not the same.

    Are you W7?

    32 or 64 bit?

    What FW are you seeing this with?

    Detailed facts are needed to validate this matter.

    As Carl Sagan was fond of saying, extraordinary claims require extraordinary evidence.
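    The "detailed facts" being asked for are exactly what the Windows Firewall log (pfirewall.log, the source sbseven cites) can provide, if it is read carefully: its W3C-style records carry action (ALLOW/DROP), protocol, addresses, ports and direction (SEND/RECEIVE), but no process name, so the only way to tie an entry to the EMET GUI is by time, i.e. blocked SEND records inside the seconds around opening it. The script below is an added example, not part of the thread, that parses that format and counts blocked outbound attempts by destination, optionally limited to a time window. The sample log lines are constructed, using TEST-NET addresses (203.0.113.0/24, 198.51.100.0/24) in place of any real destination; the field layout is the one Windows Firewall writes in its #Fields header.

```python
"""Summarise blocked outbound connection attempts in a Windows Firewall log
(pfirewall.log, W3C extended log format).

Added example, not part of the thread. SAMPLE_LOG is constructed; the
addresses are TEST-NET placeholders, not real destinations. The log has no
process column, so attribution to a program is by time window only.
"""
from collections import Counter

SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2011-03-20 10:15:32 DROP TCP 192.168.1.10 203.0.113.5 49152 80 48 S 1234567 0 8192 - - - SEND
2011-03-20 10:15:32 DROP TCP 192.168.1.10 203.0.113.5 49153 443 48 S 1234568 0 8192 - - - SEND
2011-03-20 10:15:33 DROP TCP 192.168.1.10 203.0.113.9 49154 80 48 S 1234569 0 8192 - - - SEND
2011-03-20 10:15:40 ALLOW UDP 192.168.1.10 192.168.1.1 53412 53 0 - - - - - - - SEND
2011-03-20 10:15:41 DROP TCP 198.51.100.7 192.168.1.10 40000 445 48 S 99 0 8192 - - - RECEIVE
"""


def parse_firewall_log(text):
    """Yield one dict per data line, keyed by the names in the #Fields
    header. Lines before the header, comments, and lines whose field count
    does not match the header are skipped rather than mis-parsed."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue
        yield dict(zip(fields, parts))


def blocked_outbound(text, between=None):
    """Count DROP records in the SEND direction, keyed by
    (dst-ip, dst-port, protocol). `between` is an optional inclusive
    ("YYYY-MM-DD HH:MM:SS", "YYYY-MM-DD HH:MM:SS") window; the log's
    timestamps sort correctly as plain strings in that format."""
    counts = Counter()
    for rec in parse_firewall_log(text):
        if rec["action"] != "DROP" or rec["path"] != "SEND":
            continue
        if between is not None:
            stamp = f"{rec['date']} {rec['time']}"
            if not (between[0] <= stamp <= between[1]):
                continue
        counts[(rec["dst-ip"], rec["dst-port"], rec["protocol"])] += 1
    return counts


def report(counts):
    """Render the counter as lines suitable for pasting into a post."""
    lines = []
    for (ip, port, proto), n in sorted(counts.items(), key=lambda kv: -kv[1]):
        lines.append(f"{n}x {proto} -> {ip}:{port}")
    return lines


if __name__ == "__main__":
    # Narrow the window to the moment the GUI was opened; the log itself
    # cannot say which process made the attempt.
    window = ("2011-03-20 10:15:30", "2011-03-20 10:15:35")
    for line in report(blocked_outbound(SAMPLE_LOG, between=window)):
        print(line)
```

    A matching count of blocked SENDs in the window each time the GUI is opened, and none otherwise, is the kind of evidence the thread is asking for; a one-off entry with nothing in the window is not. Per-application rules in a firewall that does log the process, as Escalader did, remain the stronger test because they remove the timing guesswork.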
     
  25. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,868
    Location:
    Outer space
    Yeah, W7 x64. It was with the ESET firewall; I don't have a log of it, just got a pop-up in interactive mode that it wanted to connect. I don't remember the details.
     