NEMET

Discussion in 'other anti-malware software' started by luciddream, Jan 16, 2013.

Thread Status:
Not open for further replies.
  1. luciddream

    luciddream, Registered Member (Joined: Mar 22, 2007; Posts: 2,497)

    I can't believe I was oblivious to it all this time:

    http://www.scatternetwork.com/

    Only I'm a bit confused (and dismayed). From what I gather, since he's unwilling to release his own .dll (this is where the dismayed part comes into play), you still have to install EMET to get this to work... right?

    Only the point of this project seems basically to be able to run EMET without having to install .NET Framework on your computer. A huge benefit for XP users. But wouldn't you have to do just that (install .NET) in order to get EMET... in turn to then get NEMET to work?... thereby creating a Catch 22?

    Or am I not understanding something here?

    Somebody please shed some light on this subject for me...

    This has been discussed here:

    https://www.wilderssecurity.com/showthread.php?t=312495
     
    Last edited: Jan 16, 2013
  2. luciddream

    luciddream, Registered Member (Joined: Mar 22, 2007; Posts: 2,497)

    If somebody happens to have the .dll needed, and/or some info. on how to get this thing running without putting .NET Framework on my box, I'd be much obliged.

    I would owe you one... and I'm the type of guy that returns favors.
     
  3. safeguy

    safeguy, Registered Member (Joined: Jun 14, 2010; Posts: 1,718)

    Since you're running XP SP3, it should work for you. (no support for XP SP2)

    EMET basically allows you to enforce mitigations
    - 3 system-wide settings (DEP, SEHOP, ASLR)
    - application-specific mitigations (these are provided by EMET.dll)

    For XP, DEP is there but SEHOP and ASLR are unavailable. For those, you might want to consider WehnTrust
    http://wehntrust.codeplex.com/

    Back on topic:
    EMET.dll itself doesn't require .NET Framework.
    EMET_GUI.exe (to access and modify settings) requires .NET Framework
    NEMET is basically an alternative GUI that doesn't need .NET.

    As you need EMET.dll to get the application-specific mitigations, you have to install EMET 1st. You can always do any one of these:

    a) Install EMET on another computer with .NET.
    b) Install EMET on a Virtual Machine with .NET.
    c) Install .NET on your existing setup and then install EMET.
    You can uninstall both later on but if that doesn't suffice for you, make an image of your computer beforehand ;)

    Once you're satisfied with the settings:

    1. Use NEMET and "Create Redeployment Pack" (.zip file).
    This file contains the EMET.dll and needed registry settings.

    2. It's only a matter of importing the settings into your existing setup. Use NEMET and "Install Redeployment Pack" for that.
    If you had chosen to do c) earlier instead of a) or b), simply remove both .NET and EMET or restore image.

    Naturally, it takes a bit more work if you do not want to have .NET on your box :p
     
  4. m00nbl00d

    m00nbl00d, Registered Member (Joined: Jan 4, 2009; Posts: 6,623)

    Why all the hassle just to get EMET's protection? o_O Just install .NET Framework and use the native GUI. .NET Framework is updated via Windows Update, so unless you prefer to check for updates manually and not get them through Windows Update, then it will be updated automatically.

    Just enjoy your system.
     
  5. safeguy

    safeguy, Registered Member (Joined: Jun 14, 2010; Posts: 1,718)

    It's a hassle but I don't do all of that since I no longer run XP. :p

    It was a suggestion for luciddream since he insists on not having .NET on his box. Check the web and you'll see that he's not alone.

    Heck, I still remember those days when I ran XP. Although I don't 'hate' .NET, I had a preference not to install it since none of the programs I used then needed it. Since Vista onwards, I've just kept it updated.
     
  6. m00nbl00d

    m00nbl00d, Registered Member (Joined: Jan 4, 2009; Posts: 6,623)

    I understand that, but some people even refuse to use useful programs, and I'm not talking about EMET, simply because they require .NET Framework. I don't understand the fear, that's all. :)
     
  7. Sordid

    Sordid, Registered Member (Joined: Oct 25, 2011; Posts: 221)

    The GUI is in .NET. This is the GUI without it. Remember, EMET is simply an interface for pre-existing OS tools; this activates them otherwise.

    You should consider upgrading your OS.

    HTH
     
  8. luciddream

    luciddream, Registered Member (Joined: Mar 22, 2007; Posts: 2,497)

    The thing is, to me this is a contradictory statement. I enjoy my system in large part due to the fact that bloat like .NET Framework isn't on there. I notice a definite increase in sluggishness when I put it on my box. That and it's been riddled with vulnerabilities over time. It adds a bunch of attack surface, and if I can avoid that I will. That's why a lot of people choose not to put it on their XP boxes and avoid apps that depend on it.
     
    Last edited: Jan 16, 2013
  9. luciddream

    luciddream, Registered Member (Joined: Mar 22, 2007; Posts: 2,497)

    No thanks... I like the one I have just fine. I'd rather have a smaller attack surface to begin with than a few mitigation techniques to account for a larger one anyway. To each his/her own approach though.

    But it would be nice to have both... I guess I'm being greedy here.

    Paradoxically... things like .NET Framework are exactly why you need tools like EMET.

    Anyhow it sounds like WehnTrust is my best bet. Seems I get exactly what I'd get with NEMET in the end without jumping through a bunch of hoops in the process.
     
    Last edited: Jan 16, 2013
  10. 0strodamus

    0strodamus, Registered Member (Joined: Aug 23, 2009; Posts: 1,047; Location: United Surveillance States)

    Play around with WehnTrust in a VM before jumping in with both feet. If I remember correctly, it will create a copy of every .exe and .dll you run on your system. Depending on the size of your Windows drive and if all your apps are located elsewhere, this might be an issue.
     
  11. luciddream

    luciddream, Registered Member (Joined: Mar 22, 2007; Posts: 2,497)

    Yeah, I might play around with it on another box just out of curiosity, but the more I think about it the more I'm convincing myself not to use it. I've not only survived, but thrived this long without such a tool. And from all accounts I hear it's glitchy, causes programs to become likewise glitchy, and is a huge resource drain (even more so on XP).

    MS can keep its mitigation techniques, and I'll just make the attack surface as tiny as possible to begin with instead, and not do stupid stuff. It's served me well all this time. At least until they can make such an app that isn't as heavy as a Regalian Ox.

    And who knows, maybe ExploitShield will be just that thing?...
     
  12. luciddream

    luciddream, Registered Member (Joined: Mar 22, 2007; Posts: 2,497)

    Okay... this subject came up in another thread so I figured I'd revive this one instead of completely hijacking that one. I'm reopening the case to put NEMET on my box. But I'm still a tad confused on exactly how to go about doing it.

    Also I would really like some opinions, and experiences shared from people that have used this on XP. Regarding footprint & stability mainly, but whatever else you have to share too is welcome. And likewise regarding WehnTrust...

    Also if anyone knows where I can get the EMET.dll, I'd be much obliged. I did a search and couldn't find the thing anywhere. If you could PM the info. And/or I could provide you an email address you could zip the thing to me as an attachment... you would be awesome. And if there were some day anything I could do for you I wouldn't forget the gesture.

    And please no more hating on my approach... my apprehension to use .NET FW, or my OS. I don't want this to devolve into mud slinging. I want this thread to be a useful source of info. for people in my boat... running XP and wanting to deploy these mitigations without having to have .NET FW on your box.
     
  13. luciddream

    luciddream, Registered Member (Joined: Mar 22, 2007; Posts: 2,497)

    Oh god... never mind. I just realized it's absolutely infeasible for me to use this thing. No way around having to have EMET on my box first in order to use it.

    WehnTrust is an option though.

    Mods, or whoever... you can close/lock, nuke, or whatever this thread now.
     
    Last edited: Feb 16, 2013
  14. 0strodamus

    0strodamus, Registered Member (Joined: Aug 23, 2009; Posts: 1,047; Location: United Surveillance States)

    You can do exactly what you want without installing EMET by using a VM as suggested in post 3.
     
  15. luciddream

    luciddream, Registered Member (Joined: Mar 22, 2007; Posts: 2,497)

    My box/specs wouldn't take a VM in stride at all. Heck, I'm apprehensive about even using a real-time AV because of all the resources they eat up. A VM is like 10X heavier.
     
  16. Pedro

    Pedro, Registered Member (Joined: Nov 2, 2006; Posts: 3,502)
  17. noone_particular

    noone_particular, Registered Member (Joined: Aug 8, 2008; Posts: 3,798)

    The host doesn't have to be that powerful. I run VirtualBox on a host with a P4 and 1GB of RAM. No, I can't game or edit video with the guest systems, but I can use it to test installs, extract files, and work with different ideas. The guest systems can browse the web decently, even if they can't play all the videos on it. For tasks like testing EMET and NEMET, it'll be a bit slow but it will work just fine. Experimenting with EMET/NEMET is one of the items on my virtual system to-do list. Many tasks, tests, and experiments don't require that much RAM and aren't going to be adversely affected by a loss of speed. The only real limitation is on multitasking. Depending on how well your host system is optimized, you might be quite surprised at what you can do on a virtual system.
     
  18. luciddream

    luciddream, Registered Member (Joined: Mar 22, 2007; Posts: 2,497)

    After further review, I don't even think it's possible to use NEMET without having EMET installed. I think it's merely an alternate GUI... and not an app that can provide the protections on its own. Or at least, if it can, I don't see how...

    The thing doesn't install. The whole program is merely 1 .exe file. It doesn't auto-start with Windows. And as soon as you close the GUI, it seems the app/protections go right along with it (if they were ever there to begin with). And every time I try to install a Redeployment Pack it says: "I failed to install the Redeployment Pack. Do you want to exit NEMET?" It just won't take.

    Unless I'm supposed to be doing something with the .dll's (which I have) that I'm not aware of... a way to get them to "take"/install without having to install EMET altogether? And that will get NEMET to auto-start and stay started even when you close out the GUI... and allow the Re. Pack to install.

    But I really do think this is just an alternate GUI... I'd love to be proven wrong.

    WehnTrust works fine though, on the bright side. So I have system wide protection anyway. And you can even add app rules right in NEMET now (I thought that functionality may have been added)... but again, as soon as you exit the GUI, it's gone. So you'd have to manually start the thing, and leave it minimized along the Taskbar to have it work. And that just doesn't seem... right.
     
  19. Hungry Man

    Hungry Man, Registered Member (Joined: May 11, 2011; Posts: 9,148)

    It's purely a user interface.
     
  20. luciddream

    luciddream, Registered Member (Joined: Mar 22, 2007; Posts: 2,497)

    Thanks for the confirmation. Here I thought I could get the protections from it without having to have EMET or .NET FW on my box... it seemed that the dev himself, and several people were implying that you could do just that. Either I misinterpreted their comments... they weren't being honest, or misunderstood themselves... or it indeed is possible, and I just can't figure out how.

    But if it comes down to it I'm happy having the system wide protections in place via WehnTrust while keeping my surface tiny. But I was hoping to "cheat the system", so to speak, and get app specific protections too without taking on .NET FW. Doesn't look possible.

    But hey, with no .NET FW, Java, or PDF app, the only things they could really be useful for are Firefox, Pidgin Messenger, & Adobe Flash. All 3 are sandboxed... the latter installed in one. And very tight D+ rules too. And I've already seen what DEP alone (even the software version) can do when combined with SBIE. I think I'll be okay.

    Still... if anyone finds that I've overlooked anything and I can indeed use NEMET as I wish... I'm all ears. Well, and eyes too.
     
  21. Hungry Man

    Hungry Man, Registered Member (Joined: May 11, 2011; Posts: 9,148)

    Yes. You install EMET and .NET. Then you uninstall .NET. Then you use NEMET.
     
  22. luciddream

    luciddream, Registered Member (Joined: Mar 22, 2007; Posts: 2,497)

    Yeah, that seems the only conceivable way. But can you ever REALLY uninstall .NET FW once it's there?... I mean it just digs itself in so deep, in so many places. I'd probably be digging through my registry for weeks to remove all the traces.

    But I'm OCD enough to do it...

    But... would NEMET really work with .NET FW gone? After all, without .NET FW EMET doesn't function. And it seems to me that, no EMET = no NEMET.

    Well, there's only 1 way to find out... and that's why God created images & VM's.
     
  23. Hungry Man

    Hungry Man, Registered Member (Joined: May 11, 2011; Posts: 9,148)

    It's not like those registry keys will be vulnerable or anything. If you remove .NET NEMET should still work.
     
  24. luciddream

    luciddream, Registered Member (Joined: Mar 22, 2007; Posts: 2,497)

    Note the OCD part... just KNOWING those keys are there pointing to nothing, would keep me awake at night. LOL!

    And, contrary to what many say I believe keeping a tight/cleaned/well, maybe not compacted registry can help in terms of stability. "Maybe" even speed on older/low spec boxes, like the one I just swapped. But it most likely wouldn't show on this one.
     
  25. jmonge

    jmonge, Registered Member (Joined: Mar 20, 2008; Posts: 12,883; Location: Canada)

    agree 100%
     