EMET - DEP Issue

Discussion in 'other anti-malware software' started by Krysis, Jan 4, 2013.

Thread Status:
Not open for further replies.
  1. Krysis

    Krysis Registered Member

    Joined:
    Dec 28, 2012
    Posts:
    366
    Location:
    DownUnder
    Using EMET 3.5 on Windows 7x64 bit – have DEP set to Opt Out – SEHOP to Opt Out and ASLR to Opt In - when I try setting DEP to 'always on' – or try 'Maximum Security Settings' - I get the message 'Failed to set system DEP' – couldn't find anything meaningful on this message in Wilders or on the net.
    I had DEP enabled prior to installing EMET some time ago with no issues, so I'm presuming that setting was a kind of 'Opt In' – would that be correct?
    Event Viewer > Window log states – DEP System Mitigation has been configured to [Always On] – but it's not.
    Any ideas?
     
  2. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,121
    Location:
    USA
    Try looking in the Task Manager to see the extent to which DEP is enabled on running processes.
     
  3. Syobon

    Syobon Registered Member

    Joined:
    Dec 27, 2009
    Posts:
    469
    EMET 3.5 is still alpha
     
  4. Krysis

    Krysis Registered Member

    Joined:
    Dec 28, 2012
    Posts:
    366
    Location:
    DownUnder
    I checked Task Manager and Process Explorer - I do see some processes missing DEP - one which crashed yesterday when trying to enable 'Always On' - this is a management control program which came with the Notebook I bought.
    Guess it's as good as anywhere to start troubleshooting - Thanks! :thumb:
     
  5. Bodhitree

    Bodhitree Registered Member

    Joined:
    Dec 5, 2012
    Posts:
    567
    EMET literally destroyed my system. Nothing worked right. Internet became really slow, programs started freezing.

    Glad I have RollbackRX, so I could remove this turd. Never trusting MS again.
     
  6. Mman79

    Mman79 Registered Member

    Joined:
    Sep 19, 2012
    Posts:
    2,016
    Location:
    North America
    I've found it to be a decent enough program, actually. I use the settings suggested by HungryMan instead of going all out. However, I have had it cause me some stability issues with browsers and other things. I mostly use it for its ROP settings. Whether I need it or not I'm not all that sure. It's one more thing taking up resources. I may see how things go without it a while.
     
  7. Krysis

    Krysis Registered Member

    Joined:
    Dec 28, 2012
    Posts:
    366
    Location:
    DownUnder
    More on my EMET DEP issue - I removed everything from 'Configure Apps' - used Revo Uninstaller to uninstall EMET 3.5 - then re-installed EMET 3.5 - but my system settings were back to where they had been previously! I repeated the whole process again - this time checking Registry for left over EMET keys (found nothing!) - but installed the older EMET 3. Didn't matter, same result! So I've gone round in circles getting nowhere - (mystified as to how a new install is still picking up my 'old' settings - maybe I've missed something in Registry) Curiously, I had no issues setting 'Maximum Security Setting' in Windows 8 Pro! o_O
     
  8. Mman79

    Mman79 Registered Member

    Joined:
    Sep 19, 2012
    Posts:
    2,016
    Location:
    North America
    Did you check to see if it was still listed under Services? My uninstall went clean, but I've used EMET off and on in the past and noticed this same thing happening. I'm not sure why or how EMET does it.
     
  9. Krysis

    Krysis Registered Member

    Joined:
    Dec 28, 2012
    Posts:
    366
    Location:
    DownUnder
    Didn't even think to check! - just assumed that if EMET was uninstalled - that was it! I did find a post on EMET forum which said the correct way to uninstall EMET was to remove all stuff from 'Configure Apps' - reset system configuration back to 'Recommended Settings' - then uninstall! (it didn't seem to work for the user who made the post!) I guess if that's the right way to do it - where does EMET store its settings? Presumably in Registry - but I couldn't find it! o_O
    Anyway, I've got to the stage where I'm going round in circles and 'can't see the wood for the trees' sort of thing. After I finish my weekly round of image backups (3 of them) I'll poke and prod EMET again till I achieve my aim! :D
    Thanks for the reply! :thumb:
     
  10. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,161
    Location:
    USA
    Those of you with EMET compatibility/performance issues might want to give ExploitShield a try. Any feedback would be greatly appreciated.
     
  11. Bodhitree

    Bodhitree Registered Member

    Joined:
    Dec 5, 2012
    Posts:
    567
    I couldn't get EMET to uninstall properly without messing up my box, so I just rolled back the image, saving the day yet again. (clapping for RollbackRX) I don't feel EMET is safe right now, install it at your own peril!
     
  12. The Red Moon

    The Red Moon Registered Member

    Joined:
    May 17, 2012
    Posts:
    3,871
    I've tried everything to remove EMET and still no luck. Even though it isn't causing any issues, it would be nice to uninstall it if I can, and I don't have an image without it on there. :cool:
     
  13. Krysis

    Krysis Registered Member

    Joined:
    Dec 28, 2012
    Posts:
    366
    Location:
    DownUnder
    On my issues with DEP – I tried to begin again with EMET in a 'clean slate' eg, get it back to Recommended Settings (Opt In) so I could then add programs and pinpoint what was preventing me from setting EMET to Maximum Settings - (I had no problems with Windows 8 Pro) I've tried uninstalling\reinstalling versions 3 – then 3.5, but found I could not get DEP back to Opt In (the recommended setting) It's as though DEP is 'locked' at Opt Out – I cannot change the setting, one way or another. EMET keeps picking up my previous settings and I'm damned if I can figure out how. I've done a meticulous search of Registry – but can't find anything. So I'm stuck at Opt Out for DEP and SEHOP – and Opt In for ASLR. Mind you, these are my preferred settings – but it's still annoying the hell out of me how I can't change the EMET settings for DEP in Windows 7. o_O
     
  14. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    The global DEP setting is a Windows setting, not just an EMET setting. Have you changed it under Control Panel > System > Advanced system settings > Advanced tab > [Performance] Settings > Data Execution Prevention?
     
  15. Krysis

    Krysis Registered Member

    Joined:
    Dec 28, 2012
    Posts:
    366
    Location:
    DownUnder
    Yep! - tried both - enabling each setting - restarting Windows - no joy!
     
  16. Krysis

    Krysis Registered Member

    Joined:
    Dec 28, 2012
    Posts:
    366
    Location:
    DownUnder
    Postscript:
    As I started this post – I thought I should at least give it last rites. For those who know a lot about EMET, this may be boring, however, I thought I may as well outline what I did for those (like me) who don't know so much about EMET.

    The basic procedure for changing EMET system settings - IF - you cannot change them via the EMET GUI, is to use bcdedit.exe commands.
    The EMET System Settings appear to be written to the boot partition (the 100MB Active Primary one) – so removing EMET Registry keys will probably not remove your previously configured 'System' settings.
    The boot partition is normally 'hidden' and does not have a drive letter. You must 'unhide' this partition and assign it a drive letter. If you don't – using bcdedit will most likely bring up the message - "The boot configuration data store could not be opened. The system cannot find the file specified."

    For one reason or another, I kept hitting brick walls when attempting to resolve my DEP issue.
    When I r\clicked on the boot partition in Disk Management – instead of getting the option to add\change drive letters – I got a useless box with 'Help' inside it! I ran into many other problems, but that's another story.
    In the end, I used both Diskpart and Mini Tool Partition Wizard (bootCD) to resolve the problem. Firstly, at the command line I entered (in succession)
    diskpart
    >list disk
    >select disk 0
    >list partition
    >select partition 2
    (this was the system 100MB partition)
    >detail partition
    >set id=07
    >assign letter=S
    (assign any letter you wish)

    (some of the above commands are just to ensure you are on the right track – need to be careful when playing around with this partition!)

    Edit:
    Should read - when using set id=07 command, I got a 'Diskpart has encountered an error: the device is not ready' message

    Following this process, I saw that although the partition appeared as drive S – any options to work with the partition in Disk Management were still 'greyed out' – it was still 'hidden' – and I couldn't use bcdedit. I then used Mini Tool Partition Wizard to unhide the partition and was able to then use - bcdedit.exe /set {current} nx OptIn – to reset DEP back to Opt In.

    Other snippets to pass on are : (please correct me if I'm wrong)

    The System Protection > Performance > DEP - 'Turn on DEP for all programs and services – except, etc'... option is the Opt Out setting.
    The System Protection > Performance > DEP - 'Turn on DEP for essential Windows programs and services – is the Opt In setting.
    When Maximum Security Settings is selected – both these options should be 'greyed out'!

    According to a post I saw in the EMET forums – the recommended method of uninstalling EMET is to reset System Settings to 'Recommended Settings' (Opt In for all 3 options) – then uninstall EMET.

    And by the way, it was unclear when my DEP Opt Out setting became 'locked and loaded' as this setting had been in force since I first installed EMET in December 2011 (version 2.1?) I had simply installed each subsequent version over the other. So for me - lesson learnt!

    Useful links for bcdedit commands:
    http://www.sevenforums.com/tutorials/2676-bcdedit-how-use.html

    http://sourcedaddy.com/windows-7/how-to-use-bcdedit.html

    Cheers!
     
    Last edited: Jan 23, 2013
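
A read-only check for the situation described in this thread, where a tool reports one system DEP setting but Windows is running with another. This is an added example, not part of any poster's message; the function names are made up here, and it assumes an elevated PowerShell prompt on the affected machine.

```powershell
# Added example: compare the DEP (nx) value stored in the BCD store with the
# policy the running kernel reports. Nothing is changed on the system.

# Values of Win32_OperatingSystem.DataExecutionPrevention_SupportPolicy
$policyNames = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }

function Get-BcdNxSetting {
    # {current} must be quoted, otherwise PowerShell parses it as a script block.
    $output = & bcdedit.exe /enum '{current}' 2>&1
    if ($LASTEXITCODE -ne 0) {
        # Typical causes: prompt not elevated, or the BCD store cannot be opened.
        throw "bcdedit failed: $output"
    }
    foreach ($line in $output) {
        if ($line -match '^\s*nx\s+(\S+)\s*$') { return $Matches[1] }
    }
    return $null   # no nx element on this boot entry
}

function Get-RunningDepPolicy {
    # Get-WmiObject is used because it exists in the PowerShell 2.0 that ships with Windows 7.
    $os = Get-WmiObject -Class Win32_OperatingSystem
    $policyNames[[int]$os.DataExecutionPrevention_SupportPolicy]
}

$bcd     = Get-BcdNxSetting
$running = Get-RunningDepPolicy

"BCD store nx setting : $bcd"
"Running DEP policy   : $running"

if ($null -eq $bcd) {
    'No nx value is set on the current boot entry.'
} elseif ($bcd -ieq $running) {
    'The BCD setting and the running policy agree.'
} else {
    'Mismatch: a changed nx value only takes effect at the next boot, so reboot and run this again.'
}
```

If the two values still differ after a reboot, or bcdedit cannot open the store at all, the change never reached the BCD store, which matches the "Failed to set system DEP" symptom in the first post.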
  17. zitch

    zitch Guest

    I recently set up Microsoft EMET on my XP/SP3 32 bit machine. I had been running ExploitShield prior to installing EMET. I know ExploitShield works well, it has blocked a Java exploit on my 'puter. Now, what can I expect running EMET in addition to ExploitShield? Are the 2 programs compatible? I did NOT add ExploitShield -to- EMET's protected list, it runs free. If an exploit would occur, which program would pick it up first? That is the 64 million dollar question....o_O
     
  18. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,161
    Location:
    USA
    They should be compatible although I've heard of one occasion where there was some type of conflict.

    In terms of who picks up exploits first based on design EMET should fire off first. But if you do some testing with both EMET and ExploitShield against exploits I'd be very interested in hearing about what you see.
     
  19. zitch

    zitch Guest

    Thanks for the reply. I have not seen any compatibility issues so far. Everything seems to be working fine. I work long hours, I don't know when I will have time to test both programs against exploits. I DO know how to do that, if I find the time I will. BTW, I think ExploitShield is a fine program, and I am glad to have it in my arsenal protecting me against the bad guys out there.
     
  20. zitch

    zitch Guest

    I was worried about that happening, as I added every .exe I could find in my windows/windows system 32/program files list to the protected files in EMET. Guess I am lucky, no slowdowns, no conflicts, nothing. Everything running smooth. I guess it would be a problem to rectify, because it would be difficult to find the conflicting file. I have a suggestion for you- download and run ExploitShield. I used it before I installed EMET. I think it is a good program, it works well, not buggy, it just sits in the background and does its job. I know it works, have seen it in action. BTW, I run BOTH programs (EMET and ExploitShield) together, no issues. I have ExploitShield running free, it is not under EMET's umbrella.
     
    Last edited by a moderator: Jan 25, 2013
  21. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    I installed EMET yesterday on my WIN 7 x64 SP1 installation. Have it set to maximum settings. So far, only app I have set up is IE9. Have NIS 2013 and Zemana Antilogger paid running realtime. Everything running great so far!
     