EMET (Enhanced Mitigation Experience Toolkit)

Discussion in 'other anti-malware software' started by luciddream, Apr 1, 2013.

  1. wolfrun

    wolfrun Registered Member

    Joined:
    Jul 26, 2009
    Posts:
    620
    Location:
    Canada
    Thanks for the reply. :thumb:
     
  2. 1chaoticadult

    1chaoticadult Registered Member

    Joined:
    Oct 28, 2010
    Posts:
    2,250
    Location:
    Chaotic Land
    Your welcome.
     
  3. Solarlynx

    Solarlynx Registered Member

    Joined:
    Jun 25, 2011
    Posts:
    1,993
    I added explorer and some other OS processes as well without issues. But is it really necessary?
     
  4. Quitch

    Quitch Registered Member

    Joined:
    Apr 24, 2008
    Posts:
    94
    Oh. My. God. It specifically states that for almost every mitigation there will be no performance impact. Yet because the word game isn't used, because games are formed of magic after all, you discount it.

    What. The. ****?
     
  5. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    Negligible =/= None. The performance impact of 2 more are also based on coding style.

    My entire post, my entire point, my entire argument was about games. Is this hard for you to understand? Why would I be debating anything else? You directly responded to my post about games, with a response that has nothing to do with games. Well done!

    Brilliant maturity level there, honestly...
     
  6. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,652
    Location:
    U.S.A.
    I assumed this was from MS:

    Hi Lucas Z.,

    I would suggest simply removing explorer.exe from being protected by EMET. I have not seen this included on any tried and tested list of applications to protect with EMET since explorer.exe is a crucial process that must remain stable.

    Since you are running Windows 7 64 bit (your exception shows this, namely BEX64 and Application Version: 6.1.7601.17567. 6.1.7601 is Windows 7 with SP1) explorer.exe already has DEP, ASLR and /GS (Guard Stack) v2 enabled and this should be enough protection.


    http://social.technet.microsoft.com...a0edd1857875/application-compatibility-issues.
     
  7. Quitch

    Quitch Registered Member

    Joined:
    Apr 24, 2008
    Posts:
    94
    Yes, negligible means as close to none as makes no difference.

    And games aren't applications, because...?

    Will you, at any point, be providing anything, anything at all, to support your point?
     
  8. Solarlynx

    Solarlynx Registered Member

    Joined:
    Jun 25, 2011
    Posts:
    1,993
    I removed from EMET all OS processes which I added. Moreover there's no any OS process in all "Profiles" from MS.

    On my OS "Deep hooks" causes crash of almost all protected apps: "SimExecFlow" popup appears even if I uncheck it or remove the app from EMET. Who knows what can be the reason?
     
  9. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,721
    Location:
    Canada
    There is an incompatibility issue with Wot reputation IE plugin and EMET. Using EMET v4.0.4913.26122 now but this latest and the previous stable version and the latest and even the previous versions of Wot, IE tabs randomly crashes. I would e-mail both companies but I don't see no e-mail support.


    ..Fault Module Name: EMET64.dll
     
  10. redgrum

    redgrum Registered Member

    Joined:
    Nov 16, 2010
    Posts:
    50
    I doubt it - you only need to add the things that are exposed to possible remote exploits; if you have svchost or explorer connecting to untrusted servers, you are probably already in trouble!

    I would think it would cause more problems than it could ever solve; it is the majority of your core OS experience and needs to run as expected, imo. The systemwide setting should be ample.
     
  11. redgrum

    redgrum Registered Member

    Joined:
    Nov 16, 2010
    Posts:
    50
    Aha, you already did!

    Is it something you need to opt out of, systemwide?
     
  12. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    Conveniently ignoring the rest of my point, nice. Again, negligible =/= none especially in a game where every frame counts (Why must I repeat myself?)...

    No, I don't think I've ever seen a game referred to as an application. Whilst technically everything on a PC is an application, the term "application" is generally reserved for programs, a category which games do not come under. At least not in my experience. Ever the young hipsters of today that call everything "apps" don't seem to call games "apps".

    Look at your own link? Lol, there's also you know, common sense. Again I repeat myself, "Why would a game need such mitigations?". You can also analyse games with process explorer. I actually know of 2 games I played last year on Steam that required me to DEP blacklist them so that they would function properly, i.e. they opted out of DEP and my forced DEP was breaking them. You may choose to call this poor programming, and it may well be, but why does it really matter?
     
  13. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Negligible really does mean none in this case. DEP has literally no performance impact, there is extensive benchmarking showing this. ASLR has never been shown to have an impact, though in extreme circumstances there may be, but nothing a game would ever encounter.

    Games don't really have many excuses for not using DEP/ASLR. Especially ones that connect out.
     
  14. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,652
    Location:
    U.S.A.
    WOT plug-in works fine on my WIN 7 x64 SP1, IE9 setup using EMET 4.0 at max. settings including deep hooks. WOT is slow sometimes when loading ratings when a search page is displayed but it has always done that. Further I am running Trusteer that I would believe would interfere with WOT more than EMET. Perhaps an IE10 issue if your running that?
     
  15. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,652
    Location:
    U.S.A.
    Anyone noticing slow boots with EMET 4.0? My first day boots are getting progressively longer .
     
  16. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    Your framerate tests are where?

    They are clearly going to be exploited sending UDP packets for the position of a player character... not. What exactly are you envisioning here? Games do not run foreign code.
     
  17. malexous

    malexous Registered Member

    Joined:
    Jun 18, 2010
    Posts:
    830
    Location:
    Ireland
    If you uninstall .NET Framework will your added programs still be protected by EMET.dll?
     
  18. Quitch

    Quitch Registered Member

    Joined:
    Apr 24, 2008
    Posts:
    94
    Why? You're the one claiming framerate loss but haven't provided anything to back it up. What are you looking for people to disprove? Something you haven't even provided evidence to support yet?

    The article I linked supports his points as well.
     
  19. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,721
    Location:
    Canada
    Using IE10, but the problem existed long before IE10 when I was using IE9.And with every new stable Wot release, before installing I removed / uninstalled completely the old. The IE Tab crashings kept on rolling. I'm a IE multi-tab user, and at random times opening up a new tab and visiting a page, it happens.

     
  20. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,721
    Location:
    Canada
  21. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    No, it clearly doesn't. Whilst "negligible" may only be a few points of CPU for an application, it means a lot for games. Again I repeat myself until it finally sinks into you: the evidence is there in front of your face, look at current games.

    On to the ones that don't say negligible:

    Note "size of images" >> generally quite massive for games.
    Am I getting through to you?

    Infact I'm just going to stop here, it's clear you're just here to continue this pointless debate. Repeating myself is doing nothing.
     
  22. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    Both vulnerabilities relate to bad validation of incoming UDP data, I actually guessed someone would link this. Whilst yes this could be called an exploit, it's really nothing other than the developers not properly validating the ONLY source of incoming data. There's really no reason to opt in for this.

    Also note that the other exploits they found were in Origin/Steam, both of which fetch foreign and unknown code. They aren't games. The developers should be taking steps to make sure such clients are secure as adding them to EMET is a risky manoeuvre.
     
  23. Tyrizian

    Tyrizian Registered Member

    Joined:
    Apr 26, 2012
    Posts:
    2,822
    EMET isn't the only program that display's this behavior.

    Having Comodo Internet Security installed, while using IE 10 and WOT, do the same as you describe (Same behavior).

    Out of curiosity, did this type of behavior happen in Windows 8?
     
  24. Solarlynx

    Solarlynx Registered Member

    Joined:
    Jun 25, 2011
    Posts:
    1,993
    I has max settings and nothing opted out. Except I cannot use "Deep Hooks".
     
  25. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Framerate tests are irrelevant here, but you're welcome to flip on EMET and see (I can only provide my own observations, after installing EMET I have seen 0 FPS change, but I'm sure this is not proper evidence in your eyes). DEP has no performance impact, there are benchmarks showing this, though not for games (just for high performance applications that are far more performance critical than a game). ASLR also has no shown performance impact, though there is theoretically one, but it has consistently been immeasurable (ASLR is actually chosen not for its effectiveness but for its ease of implementation and complete lack of performance impact - this was a major factor in its adoption). The potential performance impact would be unlikely to matter for a game.

    You are assuming a performance impact when everyone has shown there isn't one.

    Yes, welcome to how exploits work lol you send code at a program and see what sticks. Send enough UDP packets maybe you'll overflow some counter (we have seen this). Maybe it doesn't filter out usernames when it parses them, so when the username is sent to you, code can be executed. I can think of a million and one ways to exploit a game that takes in UDP packets.

    You don't actually seem to understand how /gs works or why there's a performance impact, or how compilers optimize around this. Nor was GS one of the mitigation techniques we were discussing.

    Same goes for the ASLR, it actually isn't really relevant to games at all. The image size also only matters on initial linking, when the game starts.

    edit: Your link even mentions the /GS optimizations lol it's why programs don't use -fstack-protector-all if they are performance critical (or the MS equivalent).

    That 3% also is not "program-wide" it has to do with function returns.

    edit2: Sorry, my internet is being a bitch tonight.

    I am very uncertain as to why you think that matters, or how that's somehow "less" of an exploit. Because they're UDP? Makes 0 difference. You can send integers, all sorts of values, strings, etc, all of which is parsed *client side*. Why would an attacker need anything more?

    You have just described 99% of attacks.
     
    Last edited: Jun 25, 2013
Loading...
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.