EMET (Enhanced Mitigation Experience Toolkit)

Discussion in 'other anti-malware software' started by luciddream, Apr 1, 2013.

  1. itman

    itman Registered Member

    So much for EMET 4.1 self-protection. I was testing out Quarri's MyPOQ armored browser. It crashed IE10 and took EMET 4.1 with it.
     
  2. ronjor

    ronjor Global Moderator

    http://blogs.technet.com/b/srd/arch...riven-customer-focused-approach-for-emet.aspx
     
  3. xxJackxx

    xxJackxx Registered Member

    I just saw that 4.1 update 1 was released today so I come back here and see that ronjor doesn't miss a thing. :) Testing it out now.
     
  4. cavehomme

    cavehomme Registered Member

    I've installed EMET 4.1 with default settings just now, not clear though if certificate pinning is needed since I am using Bitdefender AV Pro which carries out its own certificate checks (as I understand it). My thinking is that there may be a potential conflict if Certificate Pinning is enabled, but I would very much appreciate some comments from people who are far more experienced than I am, thank you.
     
  5. Victek

    Victek Registered Member

    It seems that a new precedent has been set Re "x.1 update 1" *puppy*
     
    Last edited: May 1, 2014
  6. SchmidtB

    SchmidtB Registered Member

    Hitmanpro is showing bad certificates for several EMET 4.1 files :-(
     
  7. Baserk

    Baserk Registered Member

    Are your root certificates up to date?
    Afaik, last month, new MS certificates were issued through Windows Update (and some soon withdrawn and then re-issued).
    Perhaps you've got old 1024bit certificates instead of new 2048bit ones?
     
  8. cavehomme

    cavehomme Registered Member

    Just ran Hitman after installing EMET 4.1 today, no bad certificates showing.
     
  9. Solarlynx

    Solarlynx Registered Member

  10. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

  11. harshisthere

    harshisthere Registered Member

    Downloading now but there is changelog.
     
  12. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    I couldn't find any. Usually if you install EMET, it also installs a manual (PDF), with a shortcut in the Start menu. Perhaps there is a changelog in there?
     
  13. harshisthere

    harshisthere Registered Member

    Nothing there.
     
  14. xxJackxx

    xxJackxx Registered Member

    Page not found... I'll probably stick with the 4.1 update 1 for now anyway. It seems to be working well.
     
  15. Peter2150

    Peter2150 Global Moderator

    Just google Microsoft EMET 5.0. Brought me right to the download page.
     
  16. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Afaik, that is Technical Preview 1, not 2.
    Hmm, a pity.
    Just visited it again, it redirects to login.live.com for logging in, like it used to.
     
  17. kronckew

    kronckew Registered Member

    I found the download page HERE for EMET 5 TP 2.
     
  18. xxJackxx

    xxJackxx Registered Member

    Interesting. It shows me as already logged in but still says "page not found". Maybe they just don't want me to get there. Not a big deal, just strange that it works for you and not me.
     
  19. smith2006

    smith2006 Registered Member

    I had the same problem.

    I have managed to sign up (clicking "Join") & download using this link a while ago:

    https://connect.microsoft.com/directory/?keywords=EMET
     
  20. Victek

    Victek Registered Member

  21. taytong888

    taytong888 Registered Member

    Running EMET 5.0 TP1, with Recommended Settings. I am having the following problem:

    When I finish using IE 11.0, I close it. But then the screen shows a pop-up message which reads: "IE has closed unexpectedly. Windows is looking for solutions..." Then IE restarts.

    I also notice that IE has ASR enabled, but Firefox and Chrome browsers do not. I don't experience the same problem with these 2 browsers when I close them. Unchecking ASR box for Internet Explorer doesn't seem to solve the problem.

    Any ideas or suggestions to fix this annoying problem? Thanks for your help.
     
  22. KaptainBug

    KaptainBug Registered Member

    What happens if you remove IE from EMET's protection?
     
  23. taytong888

    taytong888 Registered Member

    Hello KaptainBug,

    Your suggestion works, and the problem is gone. Just one fewer benefit of EMET. I have not used IE for a long time.
     
  24. KaptainBug

    KaptainBug Registered Member

    No. That was not my suggestion. That was only to see if EMET is in fact the culprit for the IE freeze. Now since it's confirmed that EMET is causing the problem, add IE to EMET and uncheck each mitigation one by one and see exactly which mitigation is causing IE to hang. So you can disable that particular mitigation alone in EMET and still get protected from other mitigations.
     
  25. taytong888

    taytong888 Registered Member

    Hi KaptainBug,

    Sorry I misunderstood you. I put IE back under EMET's protection and did a few tests. Results are as follows:

    1. Disable each protection parameter (e.g. DEP, SEHOP) one by one while the rest remains enabled. Open then close IE. Same error message popping up.

    2. Disable only parameters of the same ROP Group (i.e. Load, Mem, Caller, SimE, Stack) while the rest of the parameters stays enabled. Same result as in Test#1 above.

    3. Ditto for parameters of the "Other" Group (i.e., SEHOP, EAF, ASR). Same result as in Test #1.

    4. When I disable only MEM Group parameters such as DEP, Null, Heap, Man and Bott, there's no more error message after opening then closing IE.
     