Discussion in 'other security issues & news' started by ronjor, May 15, 2012.
Looks to be making EMET more enterprise ready but nothing too important for regular users.
I've read that EMET can make some programs unstable or not working properly, but can it also impact Windows stability in general? Can it impact programs/services other than those in the EMET list?
(edit: If discussion about EMET functionality is better suited in its own thread, I'll post this there.)
For those of you using the Native EMET graphical interface this update is fully compatible with NEMET.
EMET deals with system settings as well as application settings, so it can pretty much mess everything up.
Thanks Ron. Anyone try v3 yet? I think I'll wait a few days and see if it is stable. I have had no problems with v2.1.
I'm also going to wait. BTW, anyone tried to install it over the top? I really don't want to reconfigure my EMET settings. Good thing that it now has a notification about applications that closed.
Thanks Ron, I have been waiting for this for a long time.
Okay, decided to image my drive, and installed EMET v3.
First install is somewhat broken: added software will not be protected by EMET even though it's in the configuration settings. Checked with System Explorer and emet.dll is not in the newly added app.
Decided to do a repair install by running the installer again and voilà! Everything is smooth. Now a process named Emet_notifier.exe will run in the background.
Attached image is EMET stopping a legit app (I just decided to force-crash an application I knew has issues with EMET; I used a legit app just to test the notifications).
Some quick comments:
You have to exit the EMET graphical interface for the changes to be committed. The same limitation exists within the NEMET graphical interface. The reason for this... is because the antiquated application compatibility database engine (AppCompat) is nothing like SQL where you can update/insert into the database. The AppCompat engine actually re-creates the entire database after each change... which is a huge limitation. So the EMET developers decided to simply commit the changes when the GUI exits.
Did you also notice that the Emet_notifier.exe uses a whopping half gigabyte of virtual memory? That's right folks... you could install an entire OS in the swap space consumed by this .NET application that sits in the application tray. It's amusing... EMET was supposed to be designed for protecting that old PC you have in the back room... you know... that old P4 with Windows XP and only 1GB of RAM? Unfortunately... the new v3 EMET notifier will potentially eat over half a gigabyte of your pagefile...
I have never used TimeFreeze but a DEP error would not be a problem with Microsoft EMET. I would be willing to bet that TimeFreeze is hooking some functions and not properly using VirtualProtect to set the allocated trampoline as executable. This would be a bug within TimeFreeze.
Thanks for the post, MessageBoxA; you confirmed my suspicion.
First thing I thought when I read about a new logging feature was: why would I care about EMET logging and want to add overhead or resource usage to a simple app when I just want to force DEP/SEHOP/ASLR on web-facing apps...
You are welcome. If I have some free time this weekend I will write a native nemet_notifier.exe application and update the NEMET package. As a minimalist... I will probably take this opportunity to show off and write it in pure x86 assembler. I'll try to get the memory usage to under 4MB. I will need enough memory to hold at least 32767 Unicode characters and 1 or 2 MB for stack space within the main thread.
I like the idea of a new EMET BUT I will wait, not wanting to be on the bleeding edge. I don't care about the memory usage as I have scads of that free. No disrespect to those who want to write code to shrink space, but unless it comes from the vendor I won't use it.
Have had EMET v3 running for a day. No issues so far on my system.
1. Yes, I exit the GUI, I even restarted my computer.
2. I really don't have any memory problems, I have lots of it.
3. I know it's a bug in TimeFreeze (the setup, to be exact). That's why it's the one I used to show the notification; I just wanted to see if it's working properly after the repair install.
For those of us who do care about RAM or disk use, can you just disable the logging feature? Does it have to run in the system tray also? I may just end up skipping this version.
YES!!! Just read the user guide after the install of version 3. Mind you that starting this version, EMET is now officially supported by Microsoft. EDIT: You can even disable the notifier so it will not run in the background. All can be done via registry tweaks explained in the user guide.
Windows Registry Editor Version 5.00
Copy in notepad and save as reg file.
Windows Registry Editor Version 5.00
Thanks guys, sorry to be a pest. I used to be annoyed when people wouldn't just take a minute to 'figure it out for themselves'; I've just been super busy and appreciate the help.
The new notifier could really come in handy to solve issues. For example, the Java installer crashes with DEP set to Always On; if you didn't recently install EMET before you experience that, it may take you ages to find out EMET is the issue.
According to my experience, the notifier only works for applications that are added into EMET, so it will probably not notify with the Java installer unless you added it into EMET (which is weird) lol. I'm not too sure though.
I loaded the "All.xml" set of pre-configured rules and when I start WinZip it crashes the first time you run it after each reboot. Seems to run after that. I'll probably just remove WinZip from the list. Running WinZip 16.5 64-bit on Windows 7.
The EMETnotifier.exe eats up ~30MB of RAM, which is quite heavy for just being a notifier. Notification generally is a good improvement, but for that amount of RAM usage I could easily add a whole security suite...
It's using 12MB of RAM for me. If it's really that bothersome, why not just disable it and be done with it? Just saying...