EMET setup ??

Hi,

I've just installed EMET2.1 under Vista and I have a few questions (look at the attached screenshots):

1. I'd like to know if my settings are correct.


Under DEP column, I can see a few processes that aren't appeared
with green checkmarks:
ShieldClnt and Shieldtray (from Rollback Rx) + SHDSERV

Do I need to set up these processes under 'Configure Apps'

2. Under Running EMET column, I suppose I've to add all apps that I installed on my computer and need to be protected (overall, all Internet facing apps) ?

3. Audiodg appeared under DEP column with a blue question mark, is that correct ?

Thanks in advance !

 

Here's a nice user guide.

 

Thanks but I already read it ! Maybe I've not all understood.

I need instead an answer to my questions, thanks.

 

You should have DEP set to Application Opt Out. This way DEP is forced, and if for some reason some application stops working, you can then exclude it from DEP.

I don't have Always On visible for SEHOP in Windows 7? I only have the options Application Opt In and Application Opt Out.

 

Always On for SEHOP is Vista only. In 7 it's Opt Out. iirc there's not a whole lot of difference since nothing ever opts out.

DEP should be to Opt Out. This means that it's Always On except when a program explicitly says not to.

Opt in means it's Never On except when a program explicitly says to.

 

I see... Somehow I thought it could be related to the Microsoft FixIt tool that would enable SEHOP, which would then make Always On appear in EMET's UI.

Correct. I previously confused it with manually having to add exclusions in System Advanced Settings in Windows itself.

When using EMET, it will be up to the software developer to make the application tell whether or not to use it, if not set to Always On.

 

I just leave DEP to Always On. I wish I could do that for ASLR too... but ATI is a pain. Not buying a computer with their GPU again unless they solve that issue.

 

The thing I don't like about DEP in Windows 7 is that if a program closes because of it the program just crashes where I am thinking that when it was introduced in XP it gave a message stating a program was closed because of DEP. This would have saved me about 3 days of troubleshooting a program recently. So I set it to Opt Out. And ATi (AMD) is a pain. I stuck it out with them for more than a decade. They didn't make it into the new machine I recently built and I couldn't be happier about it.

 

I think Windows Vista (at least SP0) gives that warning too. I remember to have seen it when a relative of mine had Vista.

 

@Ashanta
Why do you run "a2guard.exe" through the EMET?...it's process of Emsisoft AMW and I don't think it's a good idea to run security software by this way.

 

The question of whether or not to run security software with EMET is... hard to say.

On the one hand you want your security software protected, you don't want your AV getting exploited for sure.

But you also don't want additional attack surface or any bugs in your security software either.

Hard to say.

 

If someone here can give me the exact answers to the following questions, I would appreciated,


1. I'd like to know if my settings are correct.


Under DEP column, I can see a few processes that aren't appeared
with green checkmarks:
ShieldClnt and Shieldtray (from Rollback Rx) + SHDSERV

Do I need to set up these processes under 'Configure Apps'

2. Under Running EMET column, I suppose I've to add all apps that I installed on my computer and need to be protected (overall, all Internet facing apps) ?

3. Audiodg appeared under DEP column with a blue question mark, is that correct ?

4. Who can explain me what's really mean SEHOP and ASLR ? I have ASLR opt in under Vista, is that correct ?

 

Two questions:

- what EMET has that a classical HIPS can't do better ?

- don't EMET makes conflict with a working HIPS ?

 

EMET is not at all like a HIPS. EMET applies OS built-in(and some of it's own) techniques to processes to prevent exploiting known and unknown vulnerabilities.

 

More or less I knew it, but, about my second question ?

 

Don't worry about Hips, if you have some troubles you can disabled the features one by one until your Hips program are working again.

It's working perfectly with EAM 6, WSA and WinPatrol Plus: all three are Hips programs.

 

Ashanta,

You should manually add processes of programs that might run into dangerous data. As for your existing global settings, I think they're fine, but some would change the global DEP setting to a higher level.

 

Personally haven't noticed any with Malware Defender.

 

A few months ago I changed EMET's global settings back to the operating system defaults due to potential issues like this:

 

I can try. I will try to stay as nontechnical as I can while retaining accuracy. Let's see how it goes!

SEHOP: SEHOP attempts to mitigate the exploitation technique that uses SEH overwrites. SEH overwrites happen when your program runs into a "special condition" and throws what's known as an exception.

Windows has its own internal method for dealing with exceptions, called the Exception Dispatcher (ED). When the ED is checking this exception it looks at two pieces of code. One of those pieces is a "pointer", which is pretty much what it sounds like - a pointer points to some other piece of code. The SEH does not know what that pointer is pointing to.

If an attacker manages to use what's known as an "overflow" and manipulates that pointer it can send it to "instructions" that the attacker can then use to execute code on your machine.

Remember that second piece of code I mentioned? The one that goes with the pointer? SEHOP works by implementing an integrity check to that second piece of code. If an attacker overwrites that first piece the second piece will fail the integrity check. If it fails the integrity check that pointer won't call the instructions.


I'll write up ASLR in another post. If someone has corrections to what I've said/ I'm mistaken about something please correct me.

 

See the document that comes with EMET.

ASLR opt in is the default for your OS.

 

ASLR is Address Space Layout Randomization.

ASLR essentially attempts to randomize certain code, the address space of a process, which contains basically everything the attacker would need to gain control of your computer.

When an attacker tries to exploit a program they might try to find certain libraries within the program, which would allow them to gain control of your system or make use of another exploit etc. ASLR pretty much just moves this libraries around and that way the attacker doesn't know where to find them and can't use them to exploit your machine.

Attackers have to guess where these things are, and whether they can or cannot depends on how randomized your address space is. This is one benefit of 64bit Windows, 32bit does not have the power to randomize sufficiently (by default) and therefor is easily brute forced, the attacker can guess only a few times and find it. There's also the matter that even if the libraries are randomized, the stack might not be, so even if the attacker can't perform their return attack they can still attack you via the stack (overwriting the call stack allows for arbitrary code execution.)

I am leaving out a lot of stuff but this should give you a basic idea. Without knowing heap/ stack and how they can be used against the user this is probably the

 

Unfortunately, EMET does break some installers, and even some applications from even running.

Recently, I also had to remove explorer.exe as a protected process, because it would make Adobe Reader X crash.

 

I have used EMET but removed it as when I tried to update my modem firmware through IE9, IE9 crashed. I have to work with office documents I don't want EMET to crash MS office. Now I use either chrome or its variants as default browser which should protect against the major attack vector (the internet) using many of the same techniques EMET applies. Also Adobe Reader x has restricted mode and MS Office 2010 can open documents in a restrictive environment.