EMET (Enhanced Mitigation Experience Toolkit)

Discussion in 'other anti-malware software' started by luciddream, Apr 1, 2013.

  1. Emetic

    Emetic Registered Member

    Joined:
    Oct 4, 2011
    Posts:
    73
    Yeah, it's a lot to study, a lot to put into practice.

    To be honest, I'm a bit afraid of doing it. I wish I had the time. It may go very well or it may go a bit pear shaped. The problem is I use a lot of audio programs, and they have, shall we say, an interesting relationship to things like Data Execution Prevention.

    Quite a few are old now and they use Virtual folders which confuses me even more. Let's not even get into the relationship of UAC stuff. No one I know, knows. They all say 'don't do it'. Others say 'you need to do it'.

    I'm sure it just takes a bit of time. In fact, I think I am going to do it. I've got my new win7 SSD build going great. I'm over the moon at sorting out a bluescreen problem all by myself. My box would bsod whenever I did a backup with TeraByte IFW, and still have my external WD Elements HD plugged in via usb 3. So, I found out the offending thing was some iomap64.sys or wtf, and apropos of nothing at all, after not being able to find the offending .dll on my system even after using Process Explorer in admin mode, I narrowed it down to the Asus Ai3 mobo software. I ran the USB 3 enhancements that it has on there, after taking a lot of the fan **** off, and you know what, it worked. It was voodoo alright, like waving chickens in the air. But if it works for me, don't spoil the party. Rock solid ever since. But I digress.

    Emet. Another bag of fish. Yes, I will. Dedoimedo says I must. He is always right. Never wrong.

    But damn, those double negatives do get confusing: Do not start any program that has DEP enabled if it set to not start up with windows, if it has been disabled. o_O. You know what I mean folks if you've ever worked with it. And they give you three options like that to FUD yer brain even further.


    I'll probably just make a fresh image in TeraByte IFW/IFL, and then install it. See how it all runs and works. The bad, but the good thing about audio programs like Reaper, and Ableton Live etc. is that if something isn't right, they fail pretty quickly and they have debugging logs, most of the time. If it don't work out, I'll revert.


    I was a few iterations into this build for my win7 os when I solved the problem with the bsod and usb3 with asus ai. I thought it was going to be chucked away, but it's a keeper. I'll build on that. There are just too many variables. If it works for me, it works, if not, move on. Plenty other stuff to keep you protected - not the end of the world at all.
     
  2. pb1

    pb1 Registered Member

    Joined:
    Apr 4, 2014
    Posts:
    1,276
    Location:
    sweden
    Hi

    Anyone have any info on what will happen with EMET now when W10 comes? I am mostly thinking in regard to the new browser. But the rest also of course.
     
  3. ropchain

    ropchain Registered Member

    Joined:
    Mar 26, 2015
    Posts:
    335
    1. I am sure that MS will make EMET compatible with Windows 10. (If it isn't already)
    2. Afaik Edge will be 64-bit and have a sandbox by default, so exploitation itself should be substantially harder. (Enabling 64-bit EPM in IE11 also makes exploitation substantially harder)
     
  4. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    I will start out by saying that I have been running Eset SS 8 and EMET 5.2 together for some time. Both "appeared" to not conflict with each other; that is, no lockups and erratic system or app behavior. However as time went by, it became more obvious that Eset's behavior blocker and advanced memory scanning just were not functioning. Then somewhat by accident yesterday, I discovered EMET was the culprit. It is important to note that EMET runs at the system level. Prior testing I did noted that even when I disabled EMET's service, its .dlls were being injected into protected apps at boot time.

    Well, I finally uninstalled both EMET and Eset. Then reinstalled only Eset SS 8. Then I proceeded to retest Eset using SurfRight's HPMA exploit test tool. Prior testing with the tool with both Eset and EMET installed was so-so. Only exploit protection activity was coming from EMET. EMET failed all the heapspray tests (I am running WIN 7 SP1 x64) and a few of the other tests. On the tests where EMET did catch something, the results were sporadic. EMET would give a detection pop-up, IE10 would briefly start up, then crash when EMET caught the test exploit. Again at no point in this testing did I see any activity that I could attribute to Eset's behavior blocker or AMS.

    With EMET removed, a retest using the SurfRight tool was an entirely different story. Eset's behavior blocker and AMS blocked every SurfRight exploit test. Further, it did so silently. No browser home page display and resultant crash, no calculator download or execution, and get this: the stub load of IE10 from the test tool was still running. In other words, just the exploit activity was blocked by Eset. Impressive indeed. The only thing a bit unnerving about Eset's behavior blocking and advanced memory scanner is that the activity is entirely unrecorded. You don't even get a HIPS log entry of the activity. According to Eset's documentation, the exploit activity is just uploaded to Eset via LiveGrid cloud processing and analysis and that is it.

    Bottom line - run Eset's behavior blocker and advanced memory scanner or EMET. Don't run both together.
     
  5. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    @itman, Thanks for your testing. Very useful and interesting.

    Yes, maybe they should add an enable/disable setting like "log activity detected by ESET Exploit Blocker"
    You could post a request on the ESET forum if you like.

    "You don't even get a HIPS log entry of the activity"

    No, but I assume you would get a HIPS log entry if you enable HIPS logging, but that would log everything as it is a troubleshooting mode (not meant to be enabled for long periods of time as the log will get huge), including activity not connected to the exploit at all. But since the HIPS also blocks operations that are not malicious, it would need to be able to distinguish between blocked malicious and non-malicious operations, so the log does not fill up with every single blocked operation that is meant for troubleshooting. At the moment that is not possible afaik.

    When I tested against malware many months ago I did get threat notifications when AMS detected malware running in memory, and a log entry saying it was detected by advanced memory scanner, but you say you don't get that when it blocks exploit activity ? Could it be that everything in your test was blocked by the Exploit Blocker and nothing by AMS which is why nothing at all was logged, or have they recently changed something so whatever AMS detect is not logged either ?
     
  6. ropchain

    ropchain Registered Member

    Joined:
    Mar 26, 2015
    Posts:
    335
  7. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    I enabled HIPS logging and still received no entries for any HPMA test tool activity.

    It is also possible that Eset's advanced heuristics is stopping the HPMA test tool exploits from running. Whether that logs blocked activity or not, I have no idea. If it is AH that is doing the blocking, then EMET was interfering with its normal operation.

    -EDIT- Just confirmed that it is indeed Eset's exploit protection that is blocking the HPMA test tool from execution. If I run the test tool stand-alone, the test exploit runs OK. If I enable the real-time AH check on file execution option, Eset will terminate the test tool but its payload, i.e. calc.exe, is executed. Conclusion - AH will not protect you from a non-web based exploit.
     
    Last edited: Jul 2, 2015
  8. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Well, further Eset SS 8 testing shows its exploit blocker is not blocking any of the SurfRight exploit test tool x64 tests using IE10. So I posted over in the Eset forum to see what they have to say about x64 protection.
     
  9. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    Yes I saw your post, and hopefully they'll answer before we need to bump the thread :)
     
  10. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    I just installed MBAE free. I use IE 10 x64 as my browser and I need some exploit protection. Actually it's the only x64 app I use besides Eset.
     
  11. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    982
    Location:
    UK
    I also installed MBAE free not long ago as well as upgrading EMET to 5.2

    It seems even tho you can put tickboxes in for media and pdf apps in the MBAE free app those protections are not actually enabled, as the shields are forced off. Just be aware of that.

    I read a post on the Malwarebytes forum which advised disabling EAF, plus 5 other protections in EMET for apps protected by MBAE, so I did that for browsers and Java which it protects, but for all other risky apps I keep everything possible enabled in EMET.
     
  12. Rinel

    Rinel Registered Member

    Joined:
    May 11, 2014
    Posts:
    9
    Does Emet 5.2 work with Windows 10, Firefox and Sandboxie?
     
  13. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Special thanks to @Mister X for pointing out the release of EMET 5.5 Beta

    Download: http://www.microsoft.com/en-us/download/details.aspx?id=49166
    Digging in right now as we speak.
     
  14. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Here is the new Block Untrusted Fonts setting in the main UI:

    [Attached image: EMET5.5.png]
     
  15. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Some preliminary assessments here from early testing of this EMET 5.5 Beta (on Windows 10 x64):
    • The time for the EMET icon to show up in the system tray was significant compared to previous versions. It looks to me as though they have changed the EMET service from Automatic startup to Automatic (Delayed) startup. So switching back to Automatic resolved that. But that is not an issue though, because the EMET DLL injection was still occurring after Windows started; I would start my regular apps, then the EMET icon would show in the tray maybe 2-3 minutes or so later. But I was able to confirm that they were still protected/injected correctly regardless. Either way, switching the service back to Automatic brought back the more comfortable feeling for me.
    • EAF/EAF+ performance issues that have been discussed here in the past, particularly with Chrome and Firefox, seem to have been resolved. Both are performing very well here now during initial testing.
    • Overall stability of this 5.5 Beta version is quite good so far, no issues to report at the moment.
     
  16. pb1

    pb1 Registered Member

    Joined:
    Apr 4, 2014
    Posts:
    1,276
    Location:
    sweden
    5.5 uses significantly less memory also; for me it dropped from around 15 to about 4 MB.
    No problems with EAF or EAF+ either on IE and the Pc feels smoother.
     
  17. ropchain

    ropchain Registered Member

    Joined:
    Mar 26, 2015
    Posts:
    335
    It is nice to see that MS is still maintaining EMET, although no new ground breaking mitigations have been added since the release of EMET 5.0 back in 2014.
    The only 'real' advantage of EMET over other mitigation tools just seems to be the presence of ASR, EAF and EAF+.

    (Does that mean that other mitigation tools provide better protection? No, bypassing them all should take roughly the same amount of effort. ;))
     
  18. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    How did you come up to this conclusion? I ask because many friends of mine depend on EMET for added security.
     
  19. ropchain

    ropchain Registered Member

    Joined:
    Mar 26, 2015
    Posts:
    335
    Because @r41p41 is not the only one who has been bypassing exploit mitigation tools.
     
  20. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    EMET 5.5 Beta User Guide (.pdf) has been published now:
    http://download.microsoft.com/download/4/3/3/43364390-96B1-4820-9BAD-4A71F9A3221A/EMET User Guide.pdf

    Some notable additions:
     
  21. Rolo42

    Rolo42 Registered Member

    Joined:
    Jan 22, 2012
    Posts:
    571
    Location:
    USA
    That guide is useful, @WildByDesign ; thanks for posting it.

    To anyone "shotgunning" EMET:
     
  22. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    Remember kids: security is not one or two products, it's a process. Don't put all your eggs on EMET's plate, sooner or later it will be bypassed. Just this week a member sent me a link where the author demonstrates how easy it is to exploit EMET 5.2.

    I'd say use virustotal as much as you can and run ALL your apps virtualized (all those allow such technique).
     
  23. ropchain

    ropchain Registered Member

    Joined:
    Mar 26, 2015
    Posts:
    335
    It doesn't matter which exploit mitigation software you use, they can all be bypassed.

    Please have a look at the following statement from virustotal.com:
    • VirusTotal's antivirus engines are commandline versions, so depending on the product, they will not behave exactly the same as the desktop versions: for instance, desktop solutions may use techniques based on behavioural analysis and count with personal firewalls that may decrease entry points and mitigate propagation, etc.
    • In VirusTotal desktop-oriented solutions coexist with perimeter-oriented solutions; heuristics in this latter group may be more aggressive and paranoid, since the impact of false positives is less visible in the perimeter. It is simply not fair to compare both groups.
    • Some of the solutions included in VirusTotal are parametrized (in coherence with the developer company's desire) with a different heuristic/aggressiveness level than the official end-user default configuration.
    Source: https://www.virustotal.com/nl/faq/
     
  24. Question:

    On my Windows 10 Pro 32-bit, both EMET 5.2 and 5.5 beta don't inject their DLL into wmplayer when it is added to the protected apps. WMplayer also does not show as a protected application in the EMET GUI. Could anyone who is also running Windows 10 check this?

    Thx

    Kees
     
  25. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    @Windows_Security I have noticed this as well with Windows Media Player, Wordpad and a few others. This was with earlier versions of EMET specifically on Windows 10. I will test now with 5.5 Beta as well to confirm.

    EDIT: Confirmed. Windows Media Player and Wordpad are still not protected under Windows 10 with EMET 5.5 Beta and previous versions. I will have to mess around with the wildcards and rules and see if I can find a workaround.
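Both the 5.5 Beta assessment above (confirming apps were "still protected/injected correctly") and the wmplayer/Wordpad report come down to the same check: whether EMET's DLL is actually loaded in the target process, and how the EMET service is set to start. The script below is an added example, not code from the thread or from Microsoft; it assumes the injected module's file name starts with "EMET" (as EMET.dll / EMET64.dll do), that the service key is named EMET_Service, and that it is run from an elevated PowerShell of the same bitness as the OS so module lists can be read.

```powershell
# Added example: report which expected processes really have an EMET module loaded,
# and whether the EMET service is Automatic or Automatic (Delayed Start).
param(
    # Constructed sample list of process names expected to be EMET-protected.
    [string[]]$Expected = @('wmplayer', 'wordpad', 'iexplore', 'firefox'),
    # Assumption: EMET's injected DLL is named EMET*.dll.
    [string]$ModulePrefix = 'EMET',
    # Assumption: the EMET service key name; change if your install differs.
    [string]$ServiceName = 'EMET_Service'
)

function Get-EmetInjectionStatus {
    param([string[]]$Names, [string]$Prefix)
    foreach ($name in $Names) {
        $procs = Get-Process -Name $name -ErrorAction SilentlyContinue
        if (-not $procs) {
            [pscustomobject]@{ Process = $name; Pid = $null; Status = 'not running' }
            continue
        }
        foreach ($p in $procs) {
            try {
                # Module list of the live process; throws on access denied or 32/64-bit mismatch.
                $hit = $p.Modules | Where-Object { $_.ModuleName -like "$Prefix*.dll" }
                $status = if ($hit) { "injected ($($hit.ModuleName -join ','))" } else { 'NOT injected' }
            } catch {
                $status = "unknown ($($_.Exception.Message))"
            }
            [pscustomobject]@{ Process = $name; Pid = $p.Id; Status = $status }
        }
    }
}

function Get-EmetServiceStartMode {
    param([string]$Name)
    # Start=2 means Automatic; DelayedAutostart=1 means Automatic (Delayed Start).
    $key = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$Name" -ErrorAction SilentlyContinue
    if (-not $key) { return "service '$Name' not found" }
    $mode = switch ($key.Start) { 2 { 'Automatic' } 3 { 'Manual' } 4 { 'Disabled' } default { "Start=$($key.Start)" } }
    if ($key.Start -eq 2 -and $key.DelayedAutostart -eq 1) { $mode = 'Automatic (Delayed Start)' }
    return $mode
}

"EMET service start mode: $(Get-EmetServiceStartMode -Name $ServiceName)"
Get-EmetInjectionStatus -Names $Expected -Prefix $ModulePrefix | Format-Table -AutoSize
```

A process the EMET GUI lists as protected but that shows "NOT injected" here is the symptom described for wmplayer and Wordpad; the start-mode line shows whether the 5.5 installer switched the service to delayed start.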
     