EMET (Enhanced Mitigation Experience Toolkit)

Discussion in 'other anti-malware software' started by luciddream, Apr 1, 2013.

  1. Paranoya

    Paranoya Registered Member

    Joined:
    Nov 4, 2013
    Posts:
    59
    Somehow I missed that. Thanks!
     
  2. Gobbler

    Gobbler Registered Member

    Joined:
    Jul 30, 2010
    Posts:
    270
    I recently found out while testing EMET with the hitmanpro.alert test tool that if EAF is unchecked then none of the ROP mitigations work which is weird because every mitigation is supposed to work independently, this may be a serious issue for EMET users if some application is not compatible with EAF and the the user turns EAF off for the application then he/she is getting very little protection from EMET for the concerned application, can someone please confirm this?
     
  3. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    I don't believe that EAF is even related to ROP mitigations or even tied into them behind the scenes in any way. Although I am hoping that somebody with more knowledge can confirm this.
     
  4. guest

    guest Guest

    I didn't even pass almost all of the tests. Excluding the webcam and keylogger tests, I only passed one test. I'm thinking that this is not the supposed tool to test EMET.
     
  5. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    I wasn't entirely sure how hitmanpro.alert test tool works either with regards to testing EMET either. I added wildcards for *\System32\calc.exe and *\SysWOW64\calc.exe but wasn't certain exactly what the exploit test tool was targeting prior to running the Calculator program. It's not very specific. But at the same time, I didn't read the manual for the test tool last night either when I gave it a try. I don't believe it blocked anything for me. I don't understand the scope of it though.

    EDIT: I suppose we would be better off asking in the Hitman thread about how the test tool works exactly. I'm going to read the manual shortly to see if I can understand it a bit more.
     
  6. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    Correct. EMET is not some form of HIPS product, but those with something to gain will try to compare it as such to advertise their product.
     
  7. Gobbler

    Gobbler Registered Member

    Joined:
    Jul 30, 2010
    Posts:
    270
    You have to add the test tool in the list of protected apps in EMET and not calc.exe, EMET blocks most of the tests especially when Simulate Exec Flow count is increased to a higher number but none of the ROP mitigations work if EAF is turned off that is the problem you see, anyways I am going to report this in the EMET support forum cause it may be a bug.
     
  8. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Thanks Gobbler, I appreciate that. I'll have to try that again tonight and see how it goes. Also, good that you are reporting that to the EMET team as well.

    EDIT: I can also confirm what you stated regarding disabling the EAF mitigation and having it now allow the ROP exploits to slip right through EMET.
     
    Last edited: Sep 11, 2014
  9. guest

    guest Guest

    Thanks for the info. So I'm assuming that the test tool is supposed to serve as a potential threat-gate app.
     
    Last edited by a moderator: Sep 11, 2014
  10. Gobbler

    Gobbler Registered Member

    Joined:
    Jul 30, 2010
    Posts:
    270
    Thanks for the confirmation BTW, I have already posted the issue in the EMET forum.
     
  11. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,335
    Location:
    the Netherlands
    Hi everyone,

    I didn't intend to post in the EMET thread, I posted in the G Data 2015 thread, but as there was no relevant feedback so far, I decided to post here as well, as GrafZeppelin kindly suggested.

    My question is:
    Does anyone of you use EMET 5.0 together with G Data 2015?
    Do you get G Data BankGuard false positives?

    There were no issues with G Data 2015's Exploit Protection and/or BankGuard with EMET 4.0, EMET 4.1 and EMET 4.1 Update 1.
    But since I implemented EMET 5.0 on August 1, I had nine BankGuard false positives so far (on average that's one BankGuard false positive every 4.7 days).
    Note that I do not get any EMET alerts, but I get BankGuard false positives. G Data seems to falsely react to something, it is not EMET that gives false positives. I cannot tell for sure that it is EMET 5.0 that G Data reacts to. The only relation is that the BankGuard false positives started a couple of days after implementing EMET 5.0.
    It may be something specific for EMET 5.0 (that was not in EMET 4.0, EMET 4.1 and EMET 4.1 Update 1) that G Data 2015's Exploit Protection and/or BankGuard is interfering with.
    Please note that the default Deep Hooks mitigation setting was not new with EMET 5.0 (as was stated earlier in this thread). Deep Hooks is also enabled by default in EMET 4.1 Update 1, issued April 29, 2014.

    Anyhow, getting G Data BankGuard false positives is a pity. The G Data software was perfectly compatible with earlier EMET versions, and the current BankGuard false positives are getting somewhat annoying.
    Of course I reported to G Data Support, but the G Data developers team hasn't been able to fix that G Data BankGuard and EMET 5.0 incompatibility, so far. It is hard to find out what exactly is causing the BankGuard false positives.
    And as I cannot pinpoint what it is that triggers G Data 2015 BankGuard (BankGuard alerts only mention there is 'Unknown malware detected', with no further details) and the issue is hard to reproduce (it just happens again some days later, but with no clue of what triggers it), I guess it won't be easy for the BankGuard team to diagnose and fix the issue.

    Therefore, if any of you use the G Data software together with EMET 5.0, and you get BankGuard false positives (or if you get BankGuard false positives even without using EMET 5.0), would you please report to G Data Support. More information will help the G Data developers team to diagnose and fix the BankGuard false positives.
    Thank you very much.


    Relevant details:

    In all cases the G Data BankGuard false positive occurred with multiple IE9 tabs opened, or while opening multiple IE9 tabs.
    That is how I use my browser, but that never led to any G Data BankGuard false positives before August 2014.

    OS:
    Windows Vista Ultimate SP2 x86

    Browser:
    Internet Explorer 9, version 9.0.8112.16421
    N.B.
    For Windows Vista that is the most up to date IE version.
    I have no other browsers installed.

    G Data version:
    G Data InternetSecurity 2015 version 25.0.1.5

    EMET 5.0 configuration:
    Custom security settings:
    DEP : "Application Opt Out" (but without any opt outs)
    SEHOP : "Always On"
    ASLR : "Application Opt In"
    Pinning: "Enabled"
    Protection Profile: "Popular Software"

    Also active:
    HitmanPro.Alert, version 2.6.5.77,
    Adblock Plus for Internet Explorer, version 1.2.0.0
     
  12. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hitman pro Alert is doing the same thing EMET is doing. That might cause conflicts. I would only run one of them
     
  13. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,335
    Location:
    the Netherlands
    That applies to HitmanPro.Alert 3 Community Technology Preview 3, but not to HitmanPro.Alert 2.6.5.77.
    HitmanPro.Alert 2.6.5.77 does not offer exploit mitigations, other than the Alert and the CryptoGuard functionality.
     
    Last edited: Sep 13, 2014
  14. Paranoya

    Paranoya Registered Member

    Joined:
    Nov 4, 2013
    Posts:
    59
    I would change SEHOP from Always On, and test to uncheck StackPivot for IE. StackPivot was changed in 5.0 and is not compatible anymore with several programs on my PC. Other users have experienced the same thing. In my case having it on can cause a crash without any alert from EMET about it. So it's different from other mitigations.

    Regarding DeepHooks you're correct! Although the EMET 4.1 Update 1 says: "By default, enables the DeepHooks global flag as part of the Recommended Settings configuration."
    I guess there's a chance that it wasn't enabled if you didn't use the recommended settings.....

    Overall there were a lot of changes made in 5.0 including fixing the bypasses reported by Bromium Labs for EMET 4.1, and the EMET team collaborated with Bromium Labs on this. For me EMET 5.0 was by far the most difficult version to configure before I could run all protected programs without crashes.
     
  15. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,335
    Location:
    the Netherlands
    I could, but I had no issues with system setting SEHOP Always On before. And as nothing has changed with the system setting for SEHOP, I do not expect that would be the factor that is causing the G Data BankGuard false positives.
    (By the way, with Vista there is only system setting SEHOP Disabled or SEHOP Always On, there is no system setting SEHOP Application Opt Out.)

    Yes I could, and yes I have read about that.
    I will definitely keep this in mind, thank you very much.
    But first I would like to find out if others get G Data BankGuard false positives recently.
    If there is no one here using the combination G Data and EMET 5.0, or if none of those get BankGuard false positives, I can disable the StackPivot mitigation for IE for diagnostic purposes and see if that changes the G Data BankGuard behavior.

    I installed with first choosing "Use Recommended Settings", after which I configured EMET importing the Popular Software profile. So the Deep Hooks mitigation setting was enabled. (And I even have screen captures showing it was enabled.)

    Yes, I have read the posts regarding EMET 5.0. It's an interesting piece of software ;-)
    But I think the G Data guys are certainly not stupid, so I guess if they want to they must be able to make G Data 2015's Exploit Protection and/or BankGuard work with EMET 5.0 without disabling StackPivot for IE or disabling other mitigations. But first they/ we/ I need to find out what is causing the G Data BankGuard false positives. For the moment I'll wait and see if there are others with the same BankGuard false positives issue, and later I can (and will, if needed) disable the StackPivot mitigation for IE for diagnostic purposes.
     
  16. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Yes, there are two methods:

    Method #1: Install v5 using option to keep existing rules. Delete the app rules that you want to have replaced with app rules in a profile. Import the desired profile, such as "Popular Software.xml". Any existing app rules are not modified or deleted when you import a profile.

    Method #2: Before you install v5, export selected app rules that you wish to keep to a profile. Install v5 with option to use default settings. Delete the app rules that you want to have replaced with app rules in the profile you just created. Import the profile you created. Any existing app rules are not modified or deleted when you import a profile.

    I used method #2.
     
  17. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Firefox 32.0.1 starts very slowly when using EMET 5.0 default rules for Firefox. Turning off EAF+ for firefox.exe fixed the issue.
     
  18. new2security

    new2security Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    517

    As a general rule, I disable StackPivot and EAF to avoid program crashes. Sometimes Caller. I wonder if Microsoft really tested all software listed in ther pre-determined list that have EAF, StackPivot enabled.
     
  19. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    The interesting thing that I have noticed during my testing of EMET of the last year or so is that there's a significant difference between Windows 7 SP1 (64-bit) and Windows 8.1 Update 1 (64-bit). The few mitigations that I had to disable on Win7, same as you mention regarding Firefox, I have not had to disable on Win8. I am wondering if Microsoft mainly tests EMET's Popular Software settings again and up-to-date Windows 8.1 system. I haven't had to disable any mitigations yet and even Adobe Reader is lightning fast. I remember with Win7 and EMET Adobe Reader was ridiculously slow because of a conflict between Adobe Reader's own protections and EMET. As much as it pains me to say this, my current experience with Windows 8.1 and EMET has been a breath of fresh air along with excellent overall performance from all programs.
     
  20. oliverjia

    oliverjia Registered Member

    Joined:
    Jul 21, 2005
    Posts:
    1,903
    LOL, this is exactly what I wanted to say.
    I did not understand why some members here experience various problems with EMET5.0, but on my Win8.1 update1 x64, I experience absolutely nothing unusual - no slowdowns, no program crashing, no conflict of any sort. And it's exactly why I don't use any other third party exploit mitigation tools like MBAE, HMPA and alike.
     
  21. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Nothing needed to be disabled here, Windows 7 64-bit. Deep hooks, whatever, even another anti-exploit program (ViRobot APT Shield). No problems running the latest x64 Chrome with plenty of add-ons.
     
  22. new2security

    new2security Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    517
    :) Microsoft maybe tests EMET on W8.1 and assumes it'd work on W7 too. But that sounds unreasonable. Or. Not.
     
  23. ratchet

    ratchet Registered Member

    Joined:
    Feb 20, 2006
    Posts:
    1,988
    I'm assuming this is the main EMET thread. Would you recommend I try it on x64 W7 SP1? I see the last couple of posts members had some issues. I've noticed there is a Sandboxie issue with Malwarebytes Anti Ex so I guess that's out. I also run Norton A-V and Malwarebytes (Premium). Thank you!
     
  24. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    6,761
    Location:
    USA
    I would definitely give it a try. Norton, Malwarebytes, Sandboxie and EMET run well together. If I were still running Norton it is exactly the setup I would be using. If you have any issues with EMET they are easily fixed by unchecking the offending settings.
     
  25. ratchet

    ratchet Registered Member

    Joined:
    Feb 20, 2006
    Posts:
    1,988
    Thank you!
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.