Running a web browser under EMET + Sandboxie protection

Discussion in 'other anti-malware software' started by STV0726, Feb 20, 2012.

Thread Status:
Not open for further replies.
  1. Baserk

    Baserk Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    1,321
    Location:
    AmstelodamUM
    Keep in mind that EMET has been developed solely to force programs to use (new) mitigation measures, not to 'unforce' mitigation techniques whose use has already been coded into programs.
    Also, it isn't intended as 'the one program to rule them all', so (imao) it's unlikely MS would even agree to releasing a program that will disable core functionality offered by the OS without following the 'proper' routine.
     
    Last edited: Feb 21, 2012
  2. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    As you said Baserk, there are already built-in methods for disabling DEP etc.
     
  3. STV0726

    STV0726 Registered Member

    Joined:
    Jul 29, 2010
    Posts:
    900
    Ok, I think I get it now, and I understand that EMET is likely a small team within MS, but they need to explain this better IMO...

    So you can uncheck the new mitigations EMET provides to turn them off per program.

    Unchecking the system-wide ones in the app config page simply does not force them. So this is useful if you have DEP set to opt-in and want to opt certain programs in. But it will not allow you to unforce an app in opt-out mode. Confusing.

    Here's the issue:

    1. Inconvenience of not being able to set all mitigations in one place

    2. (More important) DEP has its own separate way to easily add exceptions in Windows. SEHOP does not; at least no GUI. This is why I really wish EMET allowed you to exclude certain apps from DEP/SEHOP as long as they were not in the "always on/off" mode.
     
  4. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    No, you can't.

    If you uncheck SEHOP in the program area in EMET it won't disable SEHOP for that program. It just won't force the program to use SEHOP.

    EMET should be built into the Windows security center. Pretty sure I've mentioned this outside of this topic on numerous occasions.


    That's because SEHOP is either "Everything" or "Nothing." There is no exception list because there are no exceptions unless the program is specifically compiled not to use SEHOP.
     
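As an added example (not code from the thread or from EMET), this PowerShell reads the two system-wide states the posts above argue about: the DEP policy mode and the SEHOP switch. The DEP value comes from the Win32_OperatingSystem class and the SEHOP value from the DisableExceptionChainValidation registry value documented by Microsoft; the interpretation strings for each mode are my own summary of the discussion.

```powershell
# Added example, not code from the thread: report the system-wide DEP mode and
# SEHOP state, so you can tell in advance whether an EMET per-application
# checkbox can have any effect on this machine.

# Meaning of Win32_OperatingSystem.DataExecutionPrevention_SupportPolicy
$depNames = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }

function Get-SystemMitigationState {
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $depPolicy = [int]$os.DataExecutionPrevention_SupportPolicy

    # SEHOP has no GUI; the system-wide switch is this registry value.
    # 1 = SEHOP disabled, 0 = enabled; if absent, the OS default applies.
    $kernelKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel'
    $sehopValue = (Get-ItemProperty -Path $kernelKey -ErrorAction SilentlyContinue).DisableExceptionChainValidation

    [pscustomobject]@{
        DepMode      = $depNames[$depPolicy]
        SehopEnabled = $(if ($null -eq $sehopValue) { 'OS default' } else { $sehopValue -eq 0 })
    }
}

$state = Get-SystemMitigationState
$state | Format-List

# What an EMET per-application DEP checkbox can do in each mode
switch ($state.DepMode) {
    'OptIn'  { 'DEP is opt-in: ticking DEP for an app in EMET opts it in; unticking leaves it unprotected.' }
    'OptOut' { 'DEP is opt-out: every app already gets DEP; unticking in EMET does not exempt it. Use the DEP exception list in System Properties instead.' }
    default  { "DEP is $($state.DepMode): fixed at boot (bcdedit nx setting), no per-application control possible." }
}
```

Run it from an elevated prompt if the registry read is denied; the SEHOP value is reported as a boolean only when the key is explicitly set.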
  5. STV0726

    STV0726 Registered Member

    Joined:
    Jul 29, 2010
    Posts:
    900
    Thanks for explaining further.

    But what I meant by what you quoted when I said "new mitigations" was the non-system wide stuff, like BottomUpRand, and HeapSpray.

    I assume that if you add an app, and check or uncheck those, it turns them on/off since they are not otherwise system wide enforced.

    Also, are there any of the mitigations that you have to leave EMET running for it to work? I assume it does DLL injections when you add apps so it is effective right away.
     
  6. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Those mitigations don't exist anywhere else. You either don't check the box, in which case they continue to not exist, or you check the box and the application uses them.

    EMET is a user interface and a DLL. The DLL is loaded into the applications when they load.
     
  7. STV0726

    STV0726 Registered Member

    Joined:
    Jul 29, 2010
    Posts:
    900
    Ok right...just making sure.

    I've seen some people that were under the impression that EMET's GUI had to be run real-time for it to work, which is not the case.

    Thanks.
     
  8. STV0726

    STV0726 Registered Member

    Joined:
    Jul 29, 2010
    Posts:
    900
    Figured I would update this thread with my initial, very limited implementation of EMET's application mitigation technologies...

    Firstly, take note that I have used EMET to set and enforce system wide settings at their maximum levels for a year now. :thumb:

    As you can see in the screenshot attached, I have only applied EMET's mitigation technologies to legacy applications on my machine, including: Adobe Audition 1.5, Cakewalk Music Creator 3, and some old synthesizer programs I still use occasionally.

    Also, I have added VLC Media Player as it is frequently very heavily exploited and is my primary (realistically only) media player.

    At this time, no other productivity applications were added. I am currently relying on my software restriction policy (to protect against exploits loading other exes) and always up-to-date security practices for those. I will probably add some eventually.

    More importantly, nothing that is always run (or forced to run) under Sandboxie was added at this time to prevent undocumented conflicts. :thumb:
     
  9. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    If you're worried about undocumented conflicts why would you use EMET at all? It's basically the epitome of a program that would cause that regardless of Sandboxie.
     
  10. STV0726

    STV0726 Registered Member

    Joined:
    Jul 29, 2010
    Posts:
    900
    No,

    Undocumented conflicts that may weaken Sandboxie's protection which I consider to be much, MUCH greater than that of EMET. Near perfect application virtualization beats application exploit mitigation.
     