EMET (Enhanced Mitigation Experience Toolkit)

Discussion in 'other anti-malware software' started by luciddream, Apr 1, 2013.

  1. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,603
    Location:
    USA
    I normally use Firefox, but i'm giving Chrome a try again. When Chrome was first released I used it for about 2 years, but later on I did not like some of the changes they were making. They kept changing some of mechanics of how Chrome works so I would have to make configuration changes with my security software to accommodate for Chrome. Also, I did not like the layout of Chrome. I found it more difficult to customize for my needs than Firefox. It seems to be much easier to navigate the settings now, and i'm glad they are installing to the Program folders again instead of the user-space. I will give her a try again, and see what I think. There's no way I will be doing away with Firefox though. There's nothing wrong with having more than one browser to use though.
     
  2. DR_LaRRY_PEpPeR

    DR_LaRRY_PEpPeR Registered Member

    Joined:
    Oct 11, 2012
    Posts:
    141
    Location:
    St. Louis area
    No they won't! o_O
     
  3. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Could you explain a bit further.
     
  4. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hey guys thanks for the replies to my questions. I have played with the other configurations, and have the best of what I need. Only remaining issue I have is Iexplore.exe It has problems running when it is in Emet because I also use Sandboxie. I might be able to get to work giving up some of the protections, but it came down to either Emet or SBIE, and for my very limited use of IE I chose Sandboxie. Anyone have any ideas about this.

    Pete
     
  5. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,457
    Location:
    Outer space
    Indeed, just did a quick check to confirm. Firefox process added, plugin-container added as well, EMET shows a checkmark on the main GUI in the Running EMET column next to plugin-container. Firefox process added, plugin-container not, EMET shows no checkmark.
     
  6. subhrobhandari

    subhrobhandari Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    779
    Oops, sorry about the child process misinformation.

    Anyway, from the EMET User Guide.pdf

     
    Last edited: Sep 4, 2014
  7. DR_LaRRY_PEpPeR

    DR_LaRRY_PEpPeR Registered Member

    Joined:
    Oct 11, 2012
    Posts:
    141
    Location:
    St. Louis area
    As BoerenkoolMetWorst's check confirms: Any program you want protected by EMET has to be added to it. There is no inheriting by child processes or anything after adding any other program.

    And in Sandboxie, AFAIK EMET still will not be loaded into any program that you manually use "Run Sandboxed" on (the weird Start.exe breaks stuff, or something). Forced Programs should load EMET fine, as well as if they're started by any other "normal" sandboxed program (just not Start.exe!).
     
  8. Paranoya

    Paranoya Registered Member

    Joined:
    Nov 4, 2013
    Posts:
    59
    Try unchecking StackPivot for IE. That works for me with IE + EMET + Sandboxie
     
  9. DR_LaRRY_PEpPeR

    DR_LaRRY_PEpPeR Registered Member

    Joined:
    Oct 11, 2012
    Posts:
    141
    Location:
    St. Louis area
    Plugins (in-process) != Processes.

    It says right in your quote, "... add-ins that get loaded into an EMET protected process." (Meaning a process that already exists and is protected.)

    Of course any executable code of any sort in a process is protected (or affected) by EMET, but that never extends out of that process itself.
     
  10. Paranoya

    Paranoya Registered Member

    Joined:
    Nov 4, 2013
    Posts:
    59
    Yes, but in this case the Application is not Firefox, it is Plugin-Container. Firefox is different that way from other browsers, and that's also why Plugin-Container comes predefined in the Popular Software import file.
     
  11. Paranoya

    Paranoya Registered Member

    Joined:
    Nov 4, 2013
    Posts:
    59
    plugin-container.exe is used to run plugins. This was created around the time of Firefox 3.6.4 to isolate plugins from firefox.exe because they were responsible for a large percentage of Firefox crashes. Placing them in plugin-container.exe prevened misbehaved plugins from taking down your entire Firefox session (at least, in theory it should do that).
    https://support.mozilla.org/en-US/questions/983843 (How to shut-off or disable "plugin-container.exe")
     
  12. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Paranoya

    Thanks for that, it did the trick.

    Pete
     
  13. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,457
    Location:
    Outer space
    As stated before, plugins that get loaded into a protected process are also protected, but if the application uses a separate process for plugins(like Firefox's plugin-container) you need to add that as well.
    Additionally keep in mind that plugins may have their own process, Flash for Firefox is one example, and it's filename changes everytime because it includes the version number:
    FlashPlayerPlugin_14_0_0_179.exe
    Unfortunately EMET only seems to allow wildcards in the path, not the filename, so you need to add Flash after every update.
     
  14. guest

    guest Guest

    IIRC the predefined settings had a setting for Java which can cover any versions. Something that also uses wildcard for the EXE. Unless I misunderstood it, can it be applied to Flash as well?
     
  15. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    If you try to use wildcards in the file name, EMET gives an error/warning in red stating "Wildcards can only be used in the path". It might be good if we could suggest to the EMET devs to allow wildcards in the file name as well. Although there must be a reason why they specifically only allow it in the path only.

    For the predefined Java settings (and most others as well) it uses the wildcards only in the path.

    Example:
    Code:
    <Vendor Name="Oracle">
        <Suite Name="Java6">
          <App Name="Console" Path="*\Java\jre6\bin\java.exe">
            <Mitigation Name="HeapSpray" Enabled="false" />
          </App>
          <App Name="GUI" Path="*\Java\jre6\bin\javaw.exe">
            <Mitigation Name="HeapSpray" Enabled="false" />
          </App>
          <App Name="Web Start" Path="*\Java\jre6\bin\javaws.exe">
            <Mitigation Name="HeapSpray" Enabled="false" />
          </App>
        </Suite>
        <Suite Name="Java7">
          <App Name="Console" Path="*\Java\jre7\bin\java.exe">
            <Mitigation Name="HeapSpray" Enabled="false" />
          </App>
          <App Name="GUI" Path="*\Java\jre7\bin\javaw.exe">
            <Mitigation Name="HeapSpray" Enabled="false" />
          </App>
          <App Name="Web Start" Path="*\Java\jre7\bin\javaws.exe">
            <Mitigation Name="HeapSpray" Enabled="false" />
          </App>
        </Suite>
      </Vendor>
    A little off-topic, but the predefined settings don't cover the more recent JRE 8. I don't use Java on any of my machines so I haven't been able to test yet whether or not the same mitigation settings from JRE 6 and JRE 7 would be the same.
     
  16. guest

    guest Guest

    Guess I misread it then. But I could remember seeing a wildcard in the executable name. I know it made no sense so that's why I brought it up.
     
  17. Paranoya

    Paranoya Registered Member

    Joined:
    Nov 4, 2013
    Posts:
    59
    This is confusing! I've tried searching about it but no one seem to know for sure - Should we add the FlashPlayerPlugin exe to EMET, or is it enough with plugin-container?

    All exe files for Flash are installers/uninstallers not necessary to add to EMET, except FlashPlayerPlugin_XX_X_X_XXX.exe. That file is used for the Flash Player protected mode for Firefox, the sandbox feature.
    There's no purpose in reading EMET advice on this for Flash Player versions earlier than 11.3 because that's when this feature was introduced. Or from XP users, because XP don't support this.

    Plugin-container loads the file NPSWF32_14_0_0_179.dll, which is the actual Flash Player file, but it's only a broker to the protected process which is run with low integrity = significant restrictions. This process can't communicate with processes with higher integrity, which are almost all other processes.
    http://blogs.adobe.com/security/2012/06/inside-flash-player-protected-mode-for-firefox.html

    So is this enough, or should we add the FlashPlayerPlugin exe too? Any thoughts?

    I found a feature request for renaming the Flash exe files so they fit EMET, but it was closed as deferred:
    https://bugbase.adobe.com/index.cfm?event=bug&id=3646679

    And here's an example to use the EMET_Conf utility to automatically add the exe files without specifying the version number:
    http://superuser.com/questions/491181/how-to-keep-flash-secured-with-emet
     
  18. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    The EMET developers determined that plugin-container.exe needed to be protected even though it was started from the firefox.exe process. Therefore, if NPSWF32_14_0_0_179.dll is started from plugin-container.exe and further starts and/or communicates with FlashPlayerPlugin_XX_X_X_XXX.exe, at that point FlashPlayerPlugin_XX_X_X_XXX.exe would not be under protection from EMET. Although it is probably relatively safe since it is already running with low integrity, personally I would play it safe and protect it with EMET provided that it doesn't cause any issues. I mean, if it can be protected and poses no issues whatsoever, I'd say "Why not?". But I agree it is quite confusing. Hopefully someone else can help clear this up a bit more.

    You could always ask the EMET developers over at the EMET forum and see what they think: http://social.technet.microsoft.com/Forums/security/en-US/home?forum=emet
     
  19. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,603
    Location:
    USA
    I'm protecting plugin-container.exe with EMET. I just had to untick EAF protection. I have not run into any problems yet, but I just started using EMET yesterday.
     
  20. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    If there are still many people using the free Microsoft Office Starter 2010, here are the settings to protect Excel Starter and Word Starter. This is the Click-to-Run based one that runs from hidden drive [Q:]. Just copy the code below and save it as a .XML file and can be easily imported into EMET. The predefined settings from the Popular Software.xml file for MS Office will not work for the Starter Edition.

    Code:
    <EMET Version="5.0.5324.31801">
      <Settings />
      <EMET_Apps>
        <AppConfig Path="*\OFFICE1*" Executable="EXCELC.EXE">
          <Mitigation Name="DEP" Enabled="true" />
          <Mitigation Name="SEHOP" Enabled="true" />
          <Mitigation Name="NullPage" Enabled="true" />
          <Mitigation Name="HeapSpray" Enabled="true" />
          <Mitigation Name="EAF" Enabled="true" />
          <Mitigation Name="EAF+" Enabled="false" />
          <Mitigation Name="MandatoryASLR" Enabled="true" />
          <Mitigation Name="BottomUpASLR" Enabled="true" />
          <Mitigation Name="LoadLib" Enabled="true" />
          <Mitigation Name="MemProt" Enabled="true" />
          <Mitigation Name="Caller" Enabled="true" />
          <Mitigation Name="SimExecFlow" Enabled="true" />
          <Mitigation Name="StackPivot" Enabled="true" />
          <Mitigation Name="ASR" Enabled="true">
            <asr_modules>flash*.ocx</asr_modules>
          </Mitigation>
        </AppConfig>
        <AppConfig Path="*\OFFICE1*" Executable="WINWORDC.EXE">
          <Mitigation Name="DEP" Enabled="true" />
          <Mitigation Name="SEHOP" Enabled="true" />
          <Mitigation Name="NullPage" Enabled="true" />
          <Mitigation Name="HeapSpray" Enabled="true" />
          <Mitigation Name="EAF" Enabled="true" />
          <Mitigation Name="EAF+" Enabled="false" />
          <Mitigation Name="MandatoryASLR" Enabled="true" />
          <Mitigation Name="BottomUpASLR" Enabled="true" />
          <Mitigation Name="LoadLib" Enabled="true" />
          <Mitigation Name="MemProt" Enabled="true" />
          <Mitigation Name="Caller" Enabled="true" />
          <Mitigation Name="SimExecFlow" Enabled="true" />
          <Mitigation Name="StackPivot" Enabled="true" />
          <Mitigation Name="ASR" Enabled="true">
            <asr_modules>flash*.ocx</asr_modules>
          </Mitigation>
        </AppConfig>
      </EMET_Apps>
    </EMET>
     
  21. Paranoya

    Paranoya Registered Member

    Joined:
    Nov 4, 2013
    Posts:
    59
    Thanks for the input. I fully buy the "Why not?" :)

    I created a script that refreshes the FlashPlayerPlugin exe App. Save as a .bat file in the EMET folder. EMET_conf requires elevated rights so I've added a check for that. Support for both 32 and 64 bit.

    Code:
    @ECHO OFF
    :: Set current directory to the same as this batch file (should be the EMET folder)
    cd /d %~dp0
    mode con: cols=160 lines=40
    color 06
    AT > NUL
    IF %ERRORLEVEL% EQU 0 (
        rem ECHO you are Administrator
    ) ELSE (
        ECHO Not launched with elevated rights / Administrator!
        GOTO END
    )
    ECHO           ********** Show current EMET App FlashPlayerPlugin*.exe: **********
    emet_conf --list | find "FlashPlayerPlugin"
    ECHO.
    ECHO.
    ECHO           ********** Deleting existing EMET App FlashPlayerPlugin*.exe **********
    for %%f in (%windir%\system32\Macromed\Flash\FlashPlayerPlugin*.exe) do EMET_Conf --delete %%f
    for %%f in (%windir%\SysWOW64\Macromed\Flash\FlashPlayerPlugin*.exe) do EMET_Conf --delete %%f
    ECHO.
    ECHO.
    ECHO           ********** Adding EMET App FlashPlayerPlugin*.exe **********
    for %%f in (%windir%\system32\Macromed\Flash\FlashPlayerPlugin*.exe) do EMET_Conf --set %%f -EAF -StackPivot
    for %%f in (%windir%\SysWOW64\Macromed\Flash\FlashPlayerPlugin*.exe) do EMET_Conf --set %%f -EAF -StackPivot
    ECHO.
    ECHO.
    ECHO           ********** Show current EMET App FlashPlayerPlugin*.exe: **********
    emet_conf --list | find "FlashPlayerPlugin"
    ECHO.
    ECHO.
    :END
    pause
    If you don't have any problems with StackPivot then remove the 2 occurrences of -StackPivot (incl. the minus sign). Same for -EAF if you don't have any problems with that.

    ********** Show current EMET App FlashPlayerPlugin*.exe: **********
    FlashPlayerPlugin_14_0_0_179.exe C:\windows\system32\Macromed\Flash DEP SEHOP NullPage HeapSpray MandatoryASLR BottomUpASLR LoadLib MemProt Caller SimExecFlow


    ********** Deleting existing EMET App FlashPlayerPlugin*.exe **********
    The changes you have made may require restarting one or more applications


    ********** Adding EMET App FlashPlayerPlugin*.exe **********
    The changes you have made may require restarting one or more applications


    ********** Show current EMET App FlashPlayerPlugin*.exe: **********
    FlashPlayerPlugin_14_0_0_179.exe C:\windows\system32\Macromed\Flash DEP SEHOP NullPage HeapSpray MandatoryASLR BottomUpASLR LoadLib MemProt Caller SimExecFlow
     
  22. Paranoya

    Paranoya Registered Member

    Joined:
    Nov 4, 2013
    Posts:
    59
    On some programs but not all. I only have the free version of Sandboxie(no "force" possibility) so this is how I need to start Firefox in order to have it protected by EMET, launched through explorer.exe:

    "C:\Program Files\Sandboxie\Start.exe" explorer.exe "C:\Program Files\Mozilla Firefox\firefox.exe"
     
  23. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,603
    Location:
    USA
    I have been trying EMET 5.0 for 2 days now, and I found it very strange that nearly all the applications it was protecting with it's default settings would not function lol I had to change the settings for almost all of them in order for these application to work with EMET. Examples are Adobe Reader, IE, Java, etc.. I added Firefox, and Chrome myself and the settings EMET gave them by default blocked them both from functioning. I had to disable 2 mitigation methods enabled for Firefox, and I had to disable 4 that were enabled for Chrome. I'm just puzzled that so many settings had to be changed to make EMET even usable. I wonder what is so different about my Windows 7X64 OS than that the developers used lol I would have thought the default settings would have worked much better than they did. I guess EMET just comes with almost all mitigation methods enabled by default without checking to see if those applications would actually work with those settings. I wrote down the settings I had to use with each application in case I decide to use EMET. I'm looking at other options now so I can decide which works best for me before making a decision.
     
    Last edited: Sep 7, 2014
  24. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    Most likely you're running some software that's conflicting with EMET. Try disabling deep hooks instead of tweaking all the apps.
     
  25. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Here is a current Application Compatibility List for EMET: http://support.microsoft.com/kb/2909257/en-us
    I agree, I am also quite puzzled because I also run Windows 7 64-bit yet haven't had to disable any mitigations for Chrome, Firefox, IE, Adobe Reader, etc. Although I have seen others who have had to disable certain mitigations such as StackPivot and SEHOP.
    One beauty about EMET is that you can easily Export all settings or Export Selected settings in the Apps (Application Configuration) section which exports your program settings to an .XML file which you can easily import later if you choose to try EMET again.
    That's the best thing about having choice. Lately I've been protecting my browsers with Malwarebytes Anti-Exploit Free (since it only protects browsers) and using EMET to protect everything else. Although I'm likely going to dump MBAE later today and just go all EMET all the time.
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.