Security software can reduce effectiveness of DEP/ASLR

Discussion in 'other security issues & news' started by MrBrian, Sep 5, 2011.

Thread Status:
Not open for further replies.
  1. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    Thanks, MrBrian.
    I use UAC at maximum; it only warns me rarely.
    If it was like a HIPS I'd get rid of it in an instant, but it's relatively painless. ;)

    I like to follow these discussions, although this is close to being high wizardry for me.
    Are you folks getting any closer to designing that theoretically perfectly secure system? :)
     
  2. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    This Infoworld article seems to mention a different story as well.

    Source: http://www.infoworld.com/t/microsoft-windows/microsoft-shuffles-windows-security-deck-emet-21-831
     
  3. Konata Izumi

    Konata Izumi Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    1,557
    Hmm. EMET is like HIPS/AV for processes, right? Sort of like blacklisting these exploits' behaviour, and it breaks apps most of the time.

    I'm too lazy... I could just sandbox it all :D

    Aww, that's scary... going SUA and denying elevation is becoming useless for new malware.

    SRP is bypassable, says Hungry Man.

    I'm going to sandbox everything after all and hope these bad guys won't be able to break out of sandboxing.
     
  4. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    The only way to get a perfectly secure system is to dump closed-source windows.
     
  5. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
  6. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    But if malware doesn't get admin privileges, it's easier to spot and remove.
     
  7. Konata Izumi

    Konata Izumi Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    1,557
    If only Linux focused on making its own DirectX thingy so I could play better games on it, instead of frequently changing the OS' GUI. :(
     
  8. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Yep, if it can't bury itself into the system it's fairly easy to remove.
     
  9. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Oh I agree. I definitely would not move to linux purely for security.
     
  10. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Yes, I know that what EMET provides isn't true ASLR. What I'm saying is that EMET won't apply this pseudo-ASLR in Windows XP.

    That's what I'm seeing in EMET's guide as well. According to it, (pseudo-)ASLR mitigation is not supported in Windows XP.

    How's EMET going to apply the pseudo-ASLR, then?
     
  11. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I read this as saying that ASLR will not work but Pseudo-ASLR will. Could go either way, it isn't that clear.
     
  12. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    We're confusing Mandatory ASLR, perhaps?

    According to EMET's guide:

     
  13. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Ah, I see. So both Mandatory and regular ASLR are not supported then.

    Either way you will still see a greater effect because of SEHOP, which is not supported on XP by default but you can force it with EMET.dll.

    Source being the guy in my EMET topic (the EMET developer?) saying so =p
     
  14. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Yes, it's possible to apply SEHOP per application.
     
  15. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Which is why I said earlier that you'll see a greater jump when using EMET on XP.

    Though I can't really support anyone using XP anymore.
     
  16. 1chaoticadult

    1chaoticadult Registered Member

    Joined:
    Oct 28, 2010
    Posts:
    2,342
    Location:
    USA
    Last edited: Sep 10, 2011
  17. 1chaoticadult

    1chaoticadult Registered Member

    Joined:
    Oct 28, 2010
    Posts:
    2,342
    Location:
    USA
    Attack Surface Analyzer Report for SpyShelter Premium

    -http://www.megaupload.com/?d=GKG7K6LH-
     
    Last edited: Sep 10, 2011
  18. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    After reading this thread I understand that EMET does work under XP, which is interesting. I thought it was an exclusive Vista/W7 tool.

    A few questions to the EMET experts...;)

    Does EMET work as well under LUA as under an Admin account?
    And what would the recommended settings be?

    Thank you.
     
  19. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Yes. EMET only uses .dll injection (at most) and therefore you only need admin rights to configure it. It'll run just fine in an LUA account.

    Recommended settings? Hard to say.

    I have it as such:
    DEP Always On
    SEHOP Opt Out
    ASLR Opt In

    And I have all internet-facing applications EXCEPT for Chrome running with EMET.dll. That includes things like Java, Digsby, CCleaner, Skype, MiPony, and a few others.
     
  20. 1chaoticadult

    1chaoticadult Registered Member

    Joined:
    Oct 28, 2010
    Posts:
    2,342
    Location:
    USA
    I'm using these settings for EMET:
    DEP Opt Out
    SEHOP Opt Out
    ASLR Opt In
     
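    The two settings lists above, and the earlier exchange about forcing SEHOP per application on XP, share one underlying question: given a system-wide policy (Opt In, Opt Out, Always On), does a particular executable actually get the mitigation? For DEP and ASLR that depends on flags the linker wrote into the PE header (IMAGE_DLLCHARACTERISTICS_NX_COMPAT and IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE). The script below is an added example written for this thread, not code from the forum or from EMET: it reads those flags from a PE header and evaluates them against the standard Windows policy semantics (OptIn: only images that asked; OptOut: all except an exclusion list; AlwaysOn: all, exclusions ignored). The sample PE header it builds is constructed for testing and is not a real executable; the `sehop_opted_in` parameter and the `excluded` flag are simplifications standing in for the per-application registry/exclusion settings, since SEHOP has no linker flag.

```python
import struct
import sys

# IMAGE_DLLCHARACTERISTICS_* values from the PE/COFF specification.
DYNAMIC_BASE = 0x0040      # image asks for ASLR (linker /DYNAMICBASE)
NX_COMPAT = 0x0100         # image declares DEP compatibility (linker /NXCOMPAT)
NO_SEH = 0x0400            # image contains no structured exception handlers
HIGH_ENTROPY_VA = 0x0020   # 64-bit image can use the full address space


def parse_dll_characteristics(data: bytes) -> dict:
    """Return the mitigation-relevant linker flags of a PE image.

    Only the headers are read, so the first few KB of a file are enough.
    """
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20                       # skip signature + COFF header
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):               # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 of the optional header in both formats.
    (chars,) = struct.unpack_from("<H", data, opt + 70)
    return {
        "pe32plus": magic == 0x20B,
        "aslr": bool(chars & DYNAMIC_BASE),
        "dep": bool(chars & NX_COMPAT),
        "no_seh": bool(chars & NO_SEH),
        "high_entropy": bool(chars & HIGH_ENTROPY_VA),
    }


def mitigation_applies(policy: str, image_opted_in: bool, excluded: bool = False) -> bool:
    """Windows system-policy semantics shared by DEP, SEHOP and ASLR."""
    if policy == "AlwaysOn":
        return True                  # exclusions are ignored
    if policy == "OptOut":
        return not excluded          # everything unless explicitly excluded
    if policy == "OptIn":
        return image_opted_in        # only images that asked for it
    if policy == "Disabled":
        return False
    raise ValueError("unknown policy %r" % policy)


def effective_mitigations(data: bytes, settings: dict, excluded: bool = False,
                          sehop_opted_in: bool = False) -> dict:
    """Combine PE flags with a settings dict like {"DEP": "AlwaysOn", ...}.

    `excluded` models the per-application exclusion list; `sehop_opted_in`
    models the per-process registry setting SEHOP uses instead of a PE flag
    (simplification, assumed for this example).
    """
    flags = parse_dll_characteristics(data)
    return {
        "DEP": mitigation_applies(settings["DEP"], flags["dep"], excluded),
        "SEHOP": mitigation_applies(settings["SEHOP"], sehop_opted_in, excluded),
        "ASLR": mitigation_applies(settings["ASLR"], flags["aslr"], excluded),
    }


def build_sample_pe(dll_characteristics: int, pe32plus: bool = False) -> bytes:
    """Constructed minimal PE header for testing; not a runnable executable."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)         # e_lfanew -> right after DOS header
    machine = 0x8664 if pe32plus else 0x14C
    opt_size = 240 if pe32plus else 224
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # Usage: python check_pe.py <file.exe>   (reads only the headers)
    # Without an argument, shows the two settings profiles from the thread
    # applied to a constructed legacy image that opted into nothing.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            image = f.read(4096)
    else:
        image = build_sample_pe(0)
    for name, profile in (("Always On / Opt Out / Opt In", {"DEP": "AlwaysOn", "SEHOP": "OptOut", "ASLR": "OptIn"}),
                          ("Opt Out / Opt Out / Opt In", {"DEP": "OptOut", "SEHOP": "OptOut", "ASLR": "OptIn"})):
        print(name, effective_mitigations(image, profile))
```

    The practical point the output makes: with ASLR set to Opt In, an application that was not linked with /DYNAMICBASE is not randomized no matter what the system setting says, whereas DEP Always On covers it even if it has been added to an exclusion list. That is why the per-application EMET.dll settings matter for older third-party software.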
  21. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I had issues with DEP Always On before with the Java installer but there's a workaround and I haven't had a Java update in a long time.
     
  22. Konata Izumi

    Konata Izumi Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    1,557
    Same :thumb:
    I have a problem with one of my game clients when DEP is Always On.
     
  23. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    Interesting. Just wiped a friend's laptop for uni, but the uni requires Java installed for internet access authentication. I couldn't get the 32-bit version installed, probably because of forcing DEP to on in EMET. Funny thing is, my solution was to install the 64-bit version, which installed fine...
     
  24. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Yes, 64-bit installs fine, but it can't be used with a 32-bit browser (at least I don't think?)

    You can unpack the Java installer and install from an .msi, apparently.
     
  25. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,296
    I have read most of the posts with interest. However, since I run XP, I see no benefit to installing EMET on my system. I have DEP only as a system setting, since ASLR and SEHOP are not available for XP.

    Also, I did find a good reference Protecting your Windows PC with Microsoft EMET 2.1

    In the meantime I have this...:)
     