EMET setup ??

Discussion in 'other software & services' started by Ashanta, Dec 29, 2011.

Thread Status:
Not open for further replies.
  1. Ashanta

    Ashanta Registered Member

    Joined:
    Aug 21, 2007
    Posts:
    659
    Location:
    Europe
    Hi,

    I've just installed EMET 2.1 under Vista and I have a few questions (look at the attached screenshots):

    1. I'd like to know if my settings are correct.


    Under the DEP column, I can see a few processes that don't appear with green checkmarks:
    ShieldClnt and Shieldtray (from Rollback Rx) + SHDSERV

    Do I need to set up these processes under 'Configure Apps'?

    2. Under the Running EMET column, I suppose I have to add all apps that I installed on my computer and need to be protected (overall, all Internet-facing apps)?

    3. Audiodg appeared under the DEP column with a blue question mark; is that correct?

    Thanks in advance !
     

    Attached Files:

    • EMET.jpg (108.9 KB)
    Last edited: Dec 29, 2011
  2. The Seeker

    The Seeker Registered Member

    Joined:
    Oct 24, 2005
    Posts:
    1,101
    Location:
    Adelaide
  3. Ashanta

    Ashanta Registered Member

    Joined:
    Aug 21, 2007
    Posts:
    659
    Location:
    Europe
    Thanks, but I already read it! Maybe I haven't understood it all.

    I need instead an answer to my questions, thanks.
     
  4. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    You should have DEP set to Application Opt Out. This way DEP is forced, and if for some reason some application stops working, you can then exclude it from DEP.

    I don't have Always On visible for SEHOP in Windows 7? o_O I only have the options Application Opt In and Application Opt Out.
     
  5. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Always On for SEHOP is Vista only. In 7 it's Opt Out. iirc there's not a whole lot of difference since nothing ever opts out.

    DEP should be set to Opt Out. This means that it's Always On except when a program explicitly says not to.

    Opt in means it's Never On except when a program explicitly says to.
     
  6. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I see... Somehow I thought it could be related to the Microsoft FixIt tool that would enable SEHOP, which would then make Always On appear in EMET's UI.

    Correct. I previously confused it with manually having to add exclusions in System Advanced Settings in Windows itself.

    When using EMET, it will be up to the software developer to make the application tell whether or not to use it, if not set to Always On.
     
  7. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    I just leave DEP to Always On. I wish I could do that for ASLR too... but ATI is a pain. Not buying a computer with their GPU again unless they solve that issue.
     
  8. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    4,052
    Location:
    USA
    The thing I don't like about DEP in Windows 7 is that if a program closes because of it the program just crashes where I am thinking that when it was introduced in XP it gave a message stating a program was closed because of DEP. This would have saved me about 3 days of troubleshooting a program recently. So I set it to Opt Out. And ATi (AMD) is a pain. I stuck it out with them for more than a decade. They didn't make it into the new machine I recently built and I couldn't be happier about it. :ouch:
     
  9. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I think Windows Vista (at least SP0) gives that warning too. I remember having seen it when a relative of mine had Vista.
     
  10. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,486
    Location:
    Poland - Cracow
    @Ashanta
    Why do you run "a2guard.exe" through EMET?... It's a process of Emsisoft AMW, and I don't think it's a good idea to run security software this way. :blink:
     
  11. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    The question of whether or not to run security software with EMET is... hard to say.

    On the one hand you want your security software protected, you don't want your AV getting exploited for sure.

    But you also don't want additional attack surface or any bugs in your security software either.

    Hard to say.
     
  12. Ashanta

    Ashanta Registered Member

    Joined:
    Aug 21, 2007
    Posts:
    659
    Location:
    Europe
    If someone here can give me the exact answers to the following questions, I would appreciate it. :)


    1. I'd like to know if my settings are correct.


    Under the DEP column, I can see a few processes that don't appear with green checkmarks:

    ShieldClnt and Shieldtray (from Rollback Rx) + SHDSERV

    Do I need to set up these processes under 'Configure Apps'?

    2. Under the Running EMET column, I suppose I have to add all apps that I installed on my computer and need to be protected (overall, all Internet-facing apps)?

    3. Audiodg appeared under the DEP column with a blue question mark; is that correct?

    4. Who can explain to me what SEHOP and ASLR really mean? I have ASLR opt in under Vista; is that correct?
     
  13. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    2,434
    Location:
    Europe
    Two questions:

    - What does EMET have that a classical HIPS can't do better?

    - Doesn't EMET conflict with a working HIPS?
     
  14. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,771
    Location:
    Outer space
    EMET is not at all like a HIPS. EMET applies OS built-in (and some of its own) techniques to processes to prevent exploitation of known and unknown vulnerabilities.
     
  15. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    2,434
    Location:
    Europe
    More or less I knew that, but what about my second question?
     
  16. Ashanta

    Ashanta Registered Member

    Joined:
    Aug 21, 2007
    Posts:
    659
    Location:
    Europe
    Don't worry about HIPS; if you have some trouble you can disable the features one by one until your HIPS program is working again.

    It's working perfectly with EAM 6, WSA and WinPatrol Plus: all three are HIPS programs.
     
  17. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Ashanta,

    You should manually add processes of programs that might run into dangerous data. As for your existing global settings, I think they're fine, but some would change the global DEP setting to a higher level.
     
  18. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
    Personally haven't noticed any with Malware Defender.
     
  19. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Last edited: Dec 30, 2011
  20. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    I can try. I will try to stay as nontechnical as I can while retaining accuracy. Let's see how it goes!

    SEHOP: SEHOP attempts to mitigate the exploitation technique that uses SEH overwrites. SEH overwrites happen when your program runs into a "special condition" and throws what's known as an exception.

    Windows has its own internal method for dealing with exceptions, called the Exception Dispatcher (ED). When the ED is checking this exception it looks at two pieces of code. One of those pieces is a "pointer", which is pretty much what it sounds like - a pointer points to some other piece of code. The SEH does not know what that pointer is pointing to.

    If an attacker manages to use what's known as an "overflow" and manipulates that pointer it can send it to "instructions" that the attacker can then use to execute code on your machine.

    Remember that second piece of code I mentioned? The one that goes with the pointer? SEHOP works by implementing an integrity check to that second piece of code. If an attacker overwrites that first piece the second piece will fail the integrity check. If it fails the integrity check that pointer won't call the instructions.


    I'll write up ASLR in another post. If someone has corrections to what I've said, or I'm mistaken about something, please correct me.
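    The chain walk described above, as an added worked model (not code from the thread, from EMET or from Windows): each registration record holds a Next pointer and a Handler pointer, and the SEHOP-style check refuses to dispatch unless the Next chain stays on the stack, never loops, and ends at the symbolic final record. The stack bounds, the handler addresses and the final-handler address are constructed placeholders.

```python
# Added example: a toy model of the x86 SEH chain walk with SEHOP's
# integrity check. Not EMET or Windows code; every address below is a
# constructed placeholder.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

STACK_LIMIT = 0x0012C000     # lowest valid stack address (constructed)
STACK_BASE = 0x00130000      # one past the highest valid stack address (constructed)
FINAL_HANDLER = 0x7C9032A8   # stands in for ntdll!FinalExceptionHandler (placeholder)
END_OF_CHAIN = 0xFFFFFFFF    # Next value that terminates the chain
HEAD = 0x0012F800            # address of the first registration record (constructed)


@dataclass
class SehRecord:
    """One EXCEPTION_REGISTRATION_RECORD: the Next pointer sits first, the Handler second."""
    next: int
    handler: int


Stack = Dict[int, SehRecord]  # stack address -> record stored there


def healthy_stack() -> Stack:
    """Two application handlers chained to the final record (constructed layout)."""
    return {
        0x0012F800: SehRecord(next=0x0012F900, handler=0x00401200),
        0x0012F900: SehRecord(next=0x0012FF00, handler=0x00401100),
        0x0012FF00: SehRecord(next=END_OF_CHAIN, handler=FINAL_HANDLER),
    }


def overflowed_stack() -> Stack:
    """Same layout after a stack overflow has spilled filler bytes over the first record."""
    stack = healthy_stack()
    stack[HEAD] = SehRecord(next=0x41414141, handler=0x41414141)
    return stack


def sehop_validate(stack: Stack, head: int) -> Tuple[bool, str]:
    """Walk the chain the way the dispatcher does with SEHOP enabled.

    The chain is accepted only if every record lies on the stack, is 4-byte
    aligned, the walk does not loop, and the last record is the symbolic
    final record whose Handler is FINAL_HANDLER.
    """
    seen = set()
    addr = head
    while addr != END_OF_CHAIN:
        if addr % 4 != 0 or not (STACK_LIMIT <= addr < STACK_BASE):
            return False, f"record pointer 0x{addr:08x} is off the stack or unaligned"
        if addr in seen:
            return False, f"chain loops back to 0x{addr:08x}"
        seen.add(addr)
        rec = stack.get(addr)
        if rec is None:
            return False, f"no registration record at 0x{addr:08x}"
        if rec.next == END_OF_CHAIN:
            if rec.handler != FINAL_HANDLER:
                return False, "chain does not end at the final handler"
            return True, "ok"
        addr = rec.next
    return False, "chain is empty"


def dispatch_exception(stack: Stack, head: int) -> Optional[List[int]]:
    """Return the handler addresses that would be invoked in order, or None
    when the chain fails validation and the process is terminated instead."""
    ok, _reason = sehop_validate(stack, head)
    if not ok:
        return None
    handlers = []
    addr = head
    while addr != END_OF_CHAIN:
        rec = stack[addr]
        handlers.append(rec.handler)
        addr = rec.next
    return handlers


if __name__ == "__main__":
    print("healthy chain:", sehop_validate(healthy_stack(), HEAD))
    print("overflowed chain:", sehop_validate(overflowed_stack(), HEAD))
```

    Running the block prints the verdict for both layouts: the intact chain reaches the final record, while the overwritten one is rejected as soon as the walk leaves the stack, which is exactly the check that keeps the corrupted handler pointer from being called.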
     
  21. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    See the document that comes with EMET.

    ASLR opt in is the default for your OS.
     
  22. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    ASLR is Address Space Layout Randomization.

    ASLR essentially attempts to randomize certain code, the address space of a process, which contains basically everything the attacker would need to gain control of your computer.

    When an attacker tries to exploit a program they might try to find certain libraries within the program, which would allow them to gain control of your system or make use of another exploit etc. ASLR pretty much just moves these libraries around and that way the attacker doesn't know where to find them and can't use them to exploit your machine.

    Attackers have to guess where these things are, and whether they can or cannot depends on how randomized your address space is. This is one benefit of 64bit Windows, 32bit does not have the power to randomize sufficiently (by default) and therefore is easily brute forced, the attacker can guess only a few times and find it. There's also the matter that even if the libraries are randomized, the stack might not be, so even if the attacker can't perform their return attack they can still attack you via the stack (overwriting the call stack allows for arbitrary code execution.)

    I am leaving out a lot of stuff but this should give you a basic idea. Without knowing heap/ stack and how they can be used against the user this is probably the
     
    Last edited: Dec 30, 2011
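    The "opt in" that MrBrian mentions and the randomization Hungry Man describes both turn on two header flags: an image is only moved under the default opt-in policy if it was linked with DYNAMIC_BASE, and it can only be moved at all if it still carries a relocation table; NX_COMPAT is the matching per-image signal for DEP. The parser below is an added example (not from the thread, EMET or Windows) that reads those flags from a PE header; the sample images it checks are constructed in memory, so no real binary is touched. EMET's per-application Mandatory ASLR setting is what forces relocation of images that lack the flag.

```python
# Added example: read the PE header flags the Windows loader consults for
# ASLR (DYNAMIC_BASE plus a relocation table) and DEP (NX_COMPAT).
# The sample images are constructed inline with build_fake_pe().
import struct

IMAGE_FILE_RELOCS_STRIPPED = 0x0001          # COFF Characteristics bit
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # linked with /DYNAMICBASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # linked with /NXCOMPAT
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
BASERELOC_INDEX = 5                           # data directory slot of .reloc


def build_fake_pe(dll_characteristics, pe32plus=False, relocs_stripped=False, reloc_size=0x100):
    """Construct minimal DOS + COFF + optional headers (constructed test data, not a real file)."""
    e_lfanew = 0x80
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    dos += b"\x00" * (e_lfanew - len(dos))
    characteristics = 0x2102 | (IMAGE_FILE_RELOCS_STRIPPED if relocs_stripped else 0)
    opt_size = 240 if pe32plus else 224       # 16 data directories included
    machine = 0x8664 if pe32plus else 0x14C
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, opt_size, characteristics)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, 70, dll_characteristics)   # DllCharacteristics
    dd_off = 112 if pe32plus else 96          # first data directory entry
    struct.pack_into("<I", opt, dd_off - 4, 16)            # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, dd_off + 8 * BASERELOC_INDEX, 0x5000, reloc_size)
    return dos + b"PE\0\0" + coff + bytes(opt)


def assess_mitigations(data: bytes) -> dict:
    """Return which of ASLR / DEP an image opts into, judged from its headers alone."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    characteristics = struct.unpack_from("<H", data, coff + 18)[0]
    opt = coff + 20                                     # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    pe32plus = magic == PE32PLUS_MAGIC
    dllchars = struct.unpack_from("<H", data, opt + 70)[0]  # same offset for PE32 and PE32+
    dd_off = opt + (112 if pe32plus else 96)
    n_dirs = struct.unpack_from("<I", data, dd_off - 4)[0]
    reloc_size = 0
    if n_dirs > BASERELOC_INDEX:
        _rva, reloc_size = struct.unpack_from("<II", data, dd_off + 8 * BASERELOC_INDEX)
    relocatable = not (characteristics & IMAGE_FILE_RELOCS_STRIPPED) and reloc_size > 0
    dynamic_base = bool(dllchars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    return {
        "pe32plus": pe32plus,
        "dynamic_base": dynamic_base,
        "nx_compat": bool(dllchars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "relocatable": relocatable,
        # Under the default opt-in policy only DYNAMIC_BASE images move, and an
        # image without relocations cannot be moved even when forced.
        "aslr_opt_in": dynamic_base and relocatable,
    }


if __name__ == "__main__":
    modern = build_fake_pe(IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE | IMAGE_DLLCHARACTERISTICS_NX_COMPAT)
    legacy = build_fake_pe(0, relocs_stripped=True, reloc_size=0)
    print("modern image:", assess_mitigations(modern))
    print("legacy image:", assess_mitigations(legacy))
```

    To try it on a real file, replace the constructed bytes with `open(path, "rb").read()`; the `legacy` case models exactly the kind of image that shows up in EMET as not opted in and that Mandatory ASLR cannot help, because there is nothing left to relocate.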
  23. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Unfortunately, EMET does break some installers, and even some applications from even running. :(

    Recently, I also had to remove explorer.exe as a protected process, because it would make Adobe Reader X crash.
     
  24. sm1

    sm1 Registered Member

    Joined:
    Jan 1, 2011
    Posts:
    520
    I have used EMET but removed it, as when I tried to update my modem firmware through IE9, IE9 crashed. I have to work with Office documents, and I don't want EMET to crash MS Office. Now I use either Chrome or its variants as the default browser, which should protect against the major attack vector (the internet) using many of the same techniques EMET applies. Also, Adobe Reader X has restricted mode, and MS Office 2010 can open documents in a restrictive environment.
     