Discussion in 'other anti-malware software' started by luciddream, Apr 1, 2013.
Thanks for the reply.
I added explorer and some other OS processes as well without issues. But is it really necessary?
Oh. My. God. It specifically states that for almost every mitigation there will be no performance impact. Yet because the word game isn't used, because games are formed of magic after all, you discount it.
What. The. ****?
Negligible =/= None. The performance impact of 2 more is also based on coding style.
My entire post, my entire point, my entire argument was about games. Is this hard for you to understand? Why would I be debating anything else? You directly responded to my post about games, with a response that has nothing to do with games. Well done!
Brilliant maturity level there, honestly...
I assumed this was from MS:
Hi Lucas Z.,
I would suggest simply removing explorer.exe from being protected by EMET. I have not seen this included on any tried and tested list of applications to protect with EMET since explorer.exe is a crucial process that must remain stable.
Since you are running Windows 7 64 bit (your exception shows this, namely BEX64 and Application Version: 6.1.7601.17567. 6.1.7601 is Windows 7 with SP1) explorer.exe already has DEP, ASLR and /GS (Guard Stack) v2 enabled and this should be enough protection.
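The reply above says explorer.exe already opts into DEP and ASLR, so it does not need EMET's process-level opt-in. That claim can be checked from a binary's own headers, because DEP (NX_COMPAT) and ASLR (DYNAMIC_BASE) are flags in the PE optional header. The checker below is an added example, not code from the thread or from Microsoft; it parses the header directly and includes a constructed minimal PE so it runs offline, and `file_mitigations` can be pointed at any real binary such as explorer.exe.

```python
import struct
from pathlib import Path

# IMAGE_DLLCHARACTERISTICS_* bits from the PE/COFF specification.
DLL_CHARACTERISTICS = {
    "HIGH_ENTROPY_VA": 0x0020,   # 64-bit ASLR with high entropy
    "DYNAMIC_BASE":    0x0040,   # image may be relocated: ASLR opt-in
    "NX_COMPAT":       0x0100,   # DEP / no-execute compatible
    "GUARD_CF":        0x4000,   # Control Flow Guard instrumented
}

def pe_mitigations(image: bytes) -> dict:
    """Return the DllCharacteristics opt-ins of a PE image as a name -> bool map.

    Only the headers are read, so a truncated copy works as long as it
    contains the optional header.
    """
    if image[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    opt_hdr = e_lfanew + 4 + 20          # skip PE signature and 20-byte COFF header
    magic = struct.unpack_from("<H", image, opt_hdr)[0]
    if magic not in (0x10B, 0x20B):      # PE32 or PE32+
        raise ValueError(f"unexpected optional header magic {magic:#x}")
    # DllCharacteristics is at offset 70 of the optional header in both formats.
    flags = struct.unpack_from("<H", image, opt_hdr + 70)[0]
    return {name: bool(flags & bit) for name, bit in DLL_CHARACTERISTICS.items()}

def file_mitigations(path: str) -> dict:
    """Same check for an on-disk binary, e.g. r'C:\\Windows\\explorer.exe'."""
    return pe_mitigations(Path(path).read_bytes())

def build_sample_pe(dll_characteristics: int, pe32plus: bool = True) -> bytes:
    """Constructed minimal PE header (not a real executable) for offline testing."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    machine = 0x8664 if pe32plus else 0x14C
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 240, 0x22)
    magic = 0x20B if pe32plus else 0x10B
    opt = struct.pack("<H", magic) + b"\0" * 68 + struct.pack("<H", dll_characteristics)
    return dos + b"PE\0\0" + coff + opt + b"\0" * 160

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        print(path, file_mitigations(path))
```

A binary reporting NX_COMPAT or DYNAMIC_BASE as False is the kind of program the thread's advice (protect what is exposed, not core OS processes) would have you consider for EMET's per-process opt-in.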
Yes, negligible means as close to none as makes no difference.
And games aren't applications, because...?
Will you, at any point, be providing anything, anything at all, to support your point?
I removed from EMET all OS processes which I added. Moreover, there isn't any OS process in all "Profiles" from MS.
On my OS "Deep hooks" causes crashes of almost all protected apps: the "SimExecFlow" popup appears even if I uncheck it or remove the app from EMET. Who knows what the reason can be?
There is an incompatibility issue with the Wot reputation IE plugin and EMET. Using EMET v4.0.4913.26122 now, but with this latest and the previous stable version, and with the latest and even the previous versions of Wot, IE tabs randomly crash. I would e-mail both companies but I don't see any e-mail support.
..Fault Module Name: EMET64.dll
I doubt it - you only need to add the things that are exposed to possible remote exploits; if you have svchost or explorer connecting to untrusted servers, you are probably already in trouble!
I would think it would cause more problems than it could ever solve; it is the majority of your core OS experience and needs to run as expected, imo. The systemwide setting should be ample.
Aha, you already did!
Is it something you need to opt out of, systemwide?
Conveniently ignoring the rest of my point, nice. Again, negligible =/= none especially in a game where every frame counts (Why must I repeat myself?)...
No, I don't think I've ever seen a game referred to as an application. Whilst technically everything on a PC is an application, the term "application" is generally reserved for programs, a category which games do not come under. At least not in my experience. Even the young hipsters of today that call everything "apps" don't seem to call games "apps".
Look at your own link? Lol, there's also, you know, common sense. Again I repeat myself: "Why would a game need such mitigations?". You can also analyse games with Process Explorer. I actually know of 2 games I played last year on Steam that required me to DEP blacklist them so that they would function properly, i.e. they opted out of DEP and my forced DEP was breaking them. You may choose to call this poor programming, and it may well be, but why does it really matter?
Negligible really does mean none in this case. DEP has literally no performance impact, there is extensive benchmarking showing this. ASLR has never been shown to have an impact, though in extreme circumstances there may be, but nothing a game would ever encounter.
Games don't really have many excuses for not using DEP/ASLR. Especially ones that connect out.
WOT plug-in works fine on my WIN 7 x64 SP1, IE9 setup using EMET 4.0 at max. settings including deep hooks. WOT is slow sometimes when loading ratings when a search page is displayed, but it has always done that. Further, I am running Trusteer, which I would believe would interfere with WOT more than EMET. Perhaps an IE10 issue if you're running that?
Anyone noticing slow boots with EMET 4.0? My first day boots are getting progressively longer.
Your framerate tests are where?
They are clearly going to be exploited sending UDP packets for the position of a player character... not. What exactly are you envisioning here? Games do not run foreign code.
If you uninstall .NET Framework will your added programs still be protected by EMET.dll?
Why? You're the one claiming framerate loss but haven't provided anything to back it up. What are you looking for people to disprove? Something you haven't even provided evidence to support yet?
The article I linked supports his points as well.
Using IE10, but the problem existed long before IE10 when I was using IE9. And with every new stable Wot release, before installing I completely removed / uninstalled the old one. The IE tab crashes kept on rolling. I'm an IE multi-tab user, and at random times when opening up a new tab and visiting a page, it happens.
Multi-player online games can share the same problem. Anything that uses a network environment. Example #1 - Researchers Discover Dozens of Gaming Client and Server Vulnerabilities http://threatpost.com/researchers-discover-dozens-of-gaming-client-and-server-vulnerabilities/
No, it clearly doesn't. Whilst "negligible" may only be a few points of CPU for an application, it means a lot for games. Again I repeat myself until it finally sinks into you: the evidence is there in front of your face, look at current games.
On to the ones that don't say negligible:
Note "size of images" >> generally quite massive for games.
Am I getting through to you?
In fact I'm just going to stop here, it's clear you're just here to continue this pointless debate. Repeating myself is doing nothing.
Both vulnerabilities relate to bad validation of incoming UDP data, I actually guessed someone would link this. Whilst yes this could be called an exploit, it's really nothing other than the developers not properly validating the ONLY source of incoming data. There's really no reason to opt in for this.
Also note that the other exploits they found were in Origin/Steam, both of which fetch foreign and unknown code. They aren't games. The developers should be taking steps to make sure such clients are secure as adding them to EMET is a risky manoeuvre.
EMET isn't the only program that displays this behavior.
Having Comodo Internet Security installed, while using IE 10 and WOT, does the same as you describe (same behavior).
Out of curiosity, did this type of behavior happen in Windows 8?
I have max settings and nothing opted out. Except I cannot use "Deep Hooks".
Framerate tests are irrelevant here, but you're welcome to flip on EMET and see (I can only provide my own observations, after installing EMET I have seen 0 FPS change, but I'm sure this is not proper evidence in your eyes). DEP has no performance impact, there are benchmarks showing this, though not for games (just for high performance applications that are far more performance critical than a game). ASLR also has no shown performance impact, though there is theoretically one, but it has consistently been immeasurable (ASLR is actually chosen not for its effectiveness but for its ease of implementation and complete lack of performance impact - this was a major factor in its adoption). The potential performance impact would be unlikely to matter for a game.
You are assuming a performance impact when everyone has shown there isn't one.
Yes, welcome to how exploits work lol, you send code at a program and see what sticks. Send enough UDP packets and maybe you'll overflow some counter (we have seen this). Maybe it doesn't filter out usernames when it parses them, so when the username is sent to you, code can be executed. I can think of a million and one ways to exploit a game that takes in UDP packets.
You don't actually seem to understand how /GS works or why there's a performance impact, or how compilers optimize around this. Nor was /GS one of the mitigation techniques we were discussing.
Same goes for the ASLR, it actually isn't really relevant to games at all. The image size also only matters on initial linking, when the game starts.
edit: Your link even mentions the /GS optimizations lol, it's why programs don't use -fstack-protector-all if they are performance critical (or the MS equivalent).
That 3% also is not "program-wide"; it has to do with function returns.
edit2: Sorry, my internet is being a bitch tonight.
I am very uncertain as to why you think that matters, or how that's somehow "less" of an exploit. Because they're UDP? Makes 0 difference. You can send integers, all sorts of values, strings, etc, all of which is parsed *client side*. Why would an attacker need anything more?
You have just described 99% of attacks.