Free Microsoft security tool Enhanced Mitigation Evaluation Toolkit locks down apps

Discussion in 'other security issues & news' started by MrBrian, Mar 7, 2010.

Thread Status:
Not open for further replies.
  1. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    From http://www.theregister.co.uk/2009/10/27/microsoft_security_tool/:
     
  2. dlimanov

    dlimanov Registered Member

    Joined:
    Jun 10, 2009
    Posts:
    204
    Has anyone tested it against a known buffer overflow? I tried both Acrobat and IE and can't get the damn thing to do anything.
     
  3. dlimanov

    dlimanov Registered Member

    Joined:
    Jun 10, 2009
    Posts:
    204
    FWIW, I tested the latest IE and Acrobat 0-days against EMET and it let both through. Not good.
     
  4. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Version 2.0 is available. The tool has been renamed to Enhanced Mitigation Experience Toolkit.
     
  5. HJO

    HJO Guest

    I was waiting for this...
    Hope it helps...
     
  6. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @ MrBrian :thumb:

    I'm not one for usually blowing MS's trumpet, but if I had a hat, I'd have to take it off for them with this ;)

    From the PDF

    Appears to be Very configurable with various opt in/out settings :thumb:

    Only for Windows XP service pack 3 and above :thumbd:

    Don't miss - 4. Mitigation caveats

    The GUI requires that .NET 2.0 is installed on the system :thumbd:

    http://blogs.technet.com/b/srd/arch...itigation-experience-toolkit-emet-v2-0-0.aspx

    PDF - http://blogs.technet.com/cfs-file.a...ostAttachments/00-03-35-03-78/Users-Guide.pdf

    Video - http://technet.microsoft.com/en-us/security/ff859539.aspx

    I wonder how many ordinary users will take advantage of it? Not many, I would have thought = pity
     
  7. ExtremeGamerBR

    ExtremeGamerBR Registered Member

    Joined:
    Aug 3, 2010
    Posts:
    1,115
    Runs on Windows 7 x64?
     
  8. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @ ExtremeGamerBR

    Yes

    See the PDF for more info
     
  9. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
  10. wearetheborg

    wearetheborg Registered Member

    Joined:
    Nov 14, 2009
    Posts:
    667
    Darn, ASLR is not supported on XP? :(

    What does it mean that SEHOP is not supported for system, but has an application opt in?
     
  11. Sadeghi85

    Sadeghi85 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    747
    I had enabled DEP for all programs but EMET showed its status as Application Opt Out o_O I set it to Always On but Google Talk doesn't work now...

    I had also enabled ASLR for all programs, EMET showed the status as Always On but there is no such option in the drop-down menu o_O
     
  12. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Registry settings are made for each program you implement EMET for. A GUID is created, but stays local to the EMET reg key only. Modifying these values does nothing unless you can also manipulate the .sdb (security database) file located in c:\apppatches\custom\{GUID}.sdb.

    Attempting to open .sdb file with either security config and analysis tool from mmc.exe or with secedit /analyze /db <path> fails with an error - corrupt database. This .sdb is housing some aspect, have not yet confirmed what, but certainly each program you use EMET for.

    This provides decent command line interface, and I like how it can display all EMET values. Might be a worthwhile tool if it had a better interface. A little rough right now, especially if you don't really know what you are doing. Not complex to use, just lacking in infos. The .pdf instructional help file is of use for geeks, not sure about average Joe though.

    Sul.
     
  13. Boyfriend

    Boyfriend Registered Member

    Joined:
    Jun 7, 2010
    Posts:
    1,070
    Location:
    Pakistan
    Thanks MrBrian for update. I am testing it on Windows 7 x64.
     
  14. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,770
    Location:
    Outer space
    Thanks for the update :)

    EMET shows ASLR as Opt-in and I can only change it to disabled, not to opt-out or always on :S

    And how about the other mitigation techniques (NullPage, HeapSpray, EAF)? I can only manually add a program and configure them, but if I don't do that, does that mean they are disabled for every program?

    The standard DEP setting for Windows is on for all MS services and programs and Opt-in for the rest. You can enable it for everything with opt-out for programs that don't work with it. And now with EMET you can also force it on for everything with no exceptions (Always On). So, Opt Out is good, it means On for everything except your own exceptions, for example Google Talk.
     
  15. AvinashR

    AvinashR Registered Member

    Joined:
    Dec 26, 2009
    Posts:
    2,060
    Location:
    New Delhi Metallo β-Lactamase 1
    Firefox without SandboxIE protection is able to run under EMET ... but if we protect it with SandboxIE then it won't be able to run under EMET ....

    What if I put SandboxIE under EMET with DEP, SEHOP, NullPage, MandatoryASLR enabled? I guess it won't affect SandboxIE functionality..

    Need confirmation :)
     
  16. Sadeghi85

    Sadeghi85 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    747
    Thanks for the explanation, the thing is Google Talk is not in the exception list, process explorer shows it as DEP(permanent), but I guess opt out is good enough...
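
Added example, not part of the thread: a PowerShell check that puts the system-wide DEP policy discussed in posts 14 and 16 next to the per-process state that Process Explorer reports as "DEP (permanent)". It assumes PowerShell 3.0 or later and an elevated prompt; the process names passed at the end are sample values.

```powershell
# Added example: system-wide DEP policy versus per-process DEP state.
# Run elevated so that processes owned by other users can be opened.

# System-wide policy as reported by WMI (Win32_OperatingSystem).
$policyNames = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
$os     = Get-CimInstance -ClassName Win32_OperatingSystem
$policy = [int]$os.DataExecutionPrevention_SupportPolicy
'System DEP policy: {0} ({1})' -f $policyNames[$policy], $policy

# Per-process state through the Win32 API GetProcessDEPPolicy.
# The API only answers for 32-bit processes; for 64-bit processes
# (where DEP is always enforced) the call fails and Queried is False.
Add-Type -Namespace Win32 -Name Dep -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool GetProcessDEPPolicy(
    IntPtr hProcess, out uint lpFlags, out bool lpPermanent);
'@

function Get-ProcessDepState {
    param([Parameter(Mandatory)][string[]]$Name)

    foreach ($p in Get-Process -Name $Name -ErrorAction SilentlyContinue) {
        $flags     = [uint32]0
        $permanent = $false
        try {
            $ok = [Win32.Dep]::GetProcessDEPPolicy(
                $p.Handle, [ref]$flags, [ref]$permanent)
        } catch {
            $ok = $false   # the process handle could not be opened
        }
        [pscustomobject]@{
            Name       = $p.ProcessName
            Id         = $p.Id
            Queried    = $ok
            # Bit 0x1 of the flags is PROCESS_DEP_ENABLE.
            DepEnabled = if ($ok) { [bool]($flags -band 1) } else { $null }
            # Permanent means DEP cannot be switched off for this process.
            Permanent  = if ($ok) { $permanent } else { $null }
        }
    }
}

# Sample process names (assumptions); substitute the ones under test.
Get-ProcessDepState -Name 'googletalk', 'firefox' | Format-Table -AutoSize
```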
     
  17. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,770
    Location:
    Outer space
    Found some info on the ASLR questions:

     
  18. HJO

    HJO Guest

    It seems like not many people are interested in this software?
    o_O
     
  19. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,770
    Location:
    Outer space
    Yes, a pity, it's very nice software.
    I've so far put ASLR to always on without problems and EMET'ed quite some software, including some security software: Eset Smart Security, Avast! Free, Prevx, Sandboxie and Immunet Free. All without problems so far :)
     
  20. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,716
    I can't run this new version of EMET no matter what I do. The EMET_GUI.exe simply won't run...anyone has any ideas?
     
  21. AvinashR

    AvinashR Registered Member

    Joined:
    Dec 26, 2009
    Posts:
    2,060
    Location:
    New Delhi Metallo β-Lactamase 1
    Are you trying to run it with Admin privileges?

    Secondly, if GUI is not working for you then do try to run it with command line interface...
     
    Last edited: Sep 6, 2010
  22. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
  23. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,770
    Location:
    Outer space
  24. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
    Of course, but the OP mentioned EMET_GUI.exe, which reminded me of file names in the 1.0.2 command line version. Always good to be clear
     
  25. vmron

    vmron Registered Member

    Joined:
    Mar 14, 2010
    Posts:
    11
    I feel your pain. I have exactly the same issue. Have tried running as admin and tried the command line version, doesn't work for me. I installed it in a VM with XP Pro SP3 and it works great. Does anyone have a guess on what might be going on?
     