Channel: Enhanced Mitigation Experience Toolkit (EMET) Support forum

EMET Follow-up

Assuming support for a group of workstations that are logging their EMET events centrally and wondering how folks react to and follow-up with user EMET mitigations.  Is the assumption that EMET protected against a real threat and if so are there efforts to isolate the cause/source of the mitigation and is this done proactively or reacting to a user complaint?  Should one assume that the mitigation and application shutdown took care of the immediate threat and another tool (or EMET) will address the problem going forward?  Freely admit my age and lack of technical skills but have done a good deal of log reviews preceding and following mitigations without identifying the source.  In some cases, it appears that the application was crashing prior to the EMET mitigation being fired so perhaps naively assume that the application fault caused the EMET event.  Would be interested in hearing how others determine the validity of the mitigation and what follow-up activities should take place.  Is it worth having someone look at the machine forensically?  Are there other tools that allow some rapid assessment?  Large parts of my environment are comprised of non-persistent virtual desktops so could have the user log off which shuts down the machine and they will pull a fresh image when they log back on.  If the problem is associated to a specific file then assume that I have only temporarily escaped the issue.  Have posted other threads about EMET Service and Agent failures and am not able to explain those and the percentage is high enough to concern me --- low from a percentage across total machines but significant as part of the total EMET mitigations.  What's a "normal" number --- have heard other organizations say that they rarely see them.  Would love to hear how the smarter folks are handling these things?

EMET 5.2 Crashes Outlook 2013 when EAF enabled


Hi

I'm testing EMET 5.2 for deployment into our environment.  However I've come across an issue which causes Outlook 2013 to crash when EAF is enabled.

The following is from the event log:

Faulting application name: OUTLOOK.EXE, version: 15.0.4711.1000, time stamp: 0x55091de4
Faulting module name: ntdll.dll, version: 6.3.9600.17736, time stamp: 0x550f4336
Exception code: 0xc0000005
Fault offset: 0x000000000005473b
Faulting process id: 0x1774
Faulting application start time: 0x01d078b41581d9d3
Faulting application path: C:\Program Files\Microsoft Office\Office15\OUTLOOK.EXE
Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
Report Id: 53710d64-e4a7-11e4-8277-60571871a781
Faulting package full name:
Faulting package-relative application ID:

Is there any way to have EAF enabled, or all good to leave it off the list?

Andrew

(Question moved from https://social.technet.microsoft.com/Forums/en-US/aeaa583e-b479-4189-a859-1b5cf58080b6/emet-52-crashes-outlook-2013-when-eaf-enabled?forum=w8itprosecurity)

Can't protect Edge with EMET


Hello

Please let me know if using EMET in conjunction with Edge is supported? I'm unable to run Edge with Emet together - I added Edge to protected lists, but it won't show up as "running Emet" at all.

Please let me know if this can be fixed

Emet on servers


Does it make sense to use Microsoft emet on server 2012r2/2016 core/nano?

Can you run emet with wow64 uninstalled on server?

If you could, would it help anything?

Windows 7 Backup Preview Pane

I have turned the Preview Pane on in Microsoft Explorer  and it works fine but in Backup it says 'no view available'.  I would like to look at a file before restoring it to make sure I have the right one.  I can't find any help topics on Backup in the Help File in Win7.

Application Compatibility Issues


The mitigations offered by EMET have the potential to break some applications.  This thread is to discuss people's experiences with applications that do not work correctly under EMET.  The goal is to isolate which specific mitigations cause problems and for which applications (or plug-ins where appropriate).  For those trying to determine which mitigations are causing problems, the most likely candidates are EAF and DEP.

Here are the issues the EMET support team has been able to confirm:

| Application or plug-in | Issues that occur | Mitigation or setting causing the issues |
| --- | --- | --- |
| Skype | Fails to run | EAF |
| NetFlix SilverLight app | Video playback in browser fails | EAF |
| ATI Drivers | System blue screens on boot | System ASLR policy set to always on (must enable unsafe settings to see this option) |
| iPod Synchronization service | Service crashes | System DEP policy set to always on |
| AOL | System gives “out of memory” error messages | System DEP policy set to always on |

If you have experienced application compatibility problems with EMET, please share your experiences on this thread.  The more detail you can provide about what the issues are and what 

EMET suppresses start of Word and IE

Hi at all,

I have Win 7 SP1 (with all important and recommended updates) with MS Office 2013 and IE 11.
I've noticed today that EMET 5.2 suppressed the start of Word and IE; because "Caller mitigation".

The following actions were not successful:
- Go back to an earlier restore point (as Word was still running)
- Repair Office (online)
- Disable Add-ins in Word
- Complete virus scan

The problem can, however, be worked around by removing the checkmark for Caller in EMET for winword.exe.

Does somebody know the cause of the problem and a clean solution?

Thank you very much.

Axel F.

EMET 6.0 / 5.3


Major EMET releases have been published on the second or third Monday of every 13th month.

2009-10 v1
2010-07 v2
2011-05 v2.1
2012-05 v3
2013-06 v4
2013-11 v4.1
2014-07 v5
2014-11 v5.1
2015-03 v5.2
2015-08 v5.3 / v6.0 ?

Windows 10 will be published soon and compatibility issues with and working exploits for EMET 5.2 exist. I guess we'll see a new release soon.


EMET 5.5 Beta supports Windows 10


I watch this forum and missed any announcement that a new EMET version was released that now supports Windows 10! Now knowing what to search for, I see a few others have posted about it under other threads, but this should have a thread of its own.  Released on Oct 1st, 2015...

Enhanced Mitigation Experience Toolkit 5.5 Beta
http://www.microsoft.com/en-us/download/details.aspx?id=49166

This link mentions EMET 5.5 beta support:
https://support.microsoft.com/en-us/kb/2458544

What's new in Enhanced Mitigation Experience Toolkit 5.5 Beta?
EMET 5.5 beta release includes new functionality and updates, such as:
- Windows 10 compatibility
- Full GPO support for mitigations and Cert pinning functionality
- EAF/EAF+ perf improvements
- Untrusted font mitigation for Windows 10
- Various bug fixes (UI)


EMET Error


When starting my Laptop I get an EMET Notifier popup box which states: Error: cannot write to EMET event log source. Please re-install EMET program.

When looking at Computer Management, I see this when trying to access the Event Viewer: Event Log Service is un-available. Verify the service is running.

I checked in Services and saw that the Windows Event Log service was set to Automatic, but Stopped. I Started it, did not get an error but the Event Viewer is still Not Available.

Do I in fact have to Re-install the EMET Program, and if so, how / where do I get it?

Windows 7 Prof 64bit SP1

EMET 5.5 RTM release date


Anyone know when EMET 5.5 release date will be for the non-beta version?

Emet 5.1 stopped working now will not re-install


I have a Win7 Ultimate 64 bit system. For some reason 5.1 stopped working after working for a very long time and I couldn't get it back so I decided to uninstall and re-install. Unfortunately during the re-installation, it would hang and say "Service Microsoft Service (EMET_Service) failed to start. Verify that you have sufficient privileges to start system services."  I opened Services and saw that Microsoft EMET Service was set to Automatic but not started. When I clicked on Start it gave the following error: Windows could not start the Emet Service service on local computer.  Error 1053. The service did not respond to the start or control request in a timely fashion.

Next I tried to install 4.1. It seemed to install without a problem (it said the install was successful), however, there is no EMET icon in the task bar. If I go to the Emet directory and click on the Emet_gui.exe I get nothing. So at this point I don't even know if Emet is running, or how to adjust it. And yes, I know about checking to make sure that the icon shows in the task bar.

Lastly I tried installing 5.2 but got the same result that I got when I tried to install 5.1.

Any ideas?

EMET 5.2 blocks Adobe Reader XI with CALLER issue


Yesterday EMET started to block Acroread32.exe with a Caller problem. The Reader has always worked fine in the past with EMET and there were no changes to my system yesterday that I know of.

I carried out full virus scans with Norton and Malwarebytes and they were clear. The only way I can get the reader to open is by unchecking Caller for Acroread32.exe in EMET.

Has anyone else experienced this and what might have happened?

MS Office 2010 Word, Excel and IE 8 with Blue Cielo Meridian 2011 SP1 integrators


EMET 5.2 is causing Word, Excel 2010 and IE 8 to crash with a "Microsoft Excel has stopped working" error when we have ASR active for these applications.

Installed apps:

EMET 5.2
MS Office 2010 32 bit.
Blue Cielo Meridian 2011 SP1.

Blue Cielo Meridian 2011 SP1 has 2 services running that integrate with MS Office 2010, these are:

AMHookTray.exe (x64)

AMHookTrayU.exe (x86)

If I end the 32 bit (AMHookTrayU.exe) application in task manager then the problem does not occur.

If I disable the ASR in Word or Excel then again the issue does not occur.

I have added AMHookTray.exe, AMHookTrayU.exe to the "Modules" but I still get the error.

Any suggestions would be welcomed.

Rob

EMET 5.2 Breaks Internet Explorer 11


Using Windows 8.1 with Internet Explorer 11, EMET 5.2 causes Internet Explorer to crash just by navigating to a website.  I'm using 'Recommended Security' settings in EMET, with the default 'Popular Software' protection profile.

1) Open Internet Explorer
2) Either go to a website such as http://www.amazon.co.uk/ or alternatively just open IE and wait for 30 seconds without doing anything
3) Browser crashes and says 'Internet Explorer has stopped working'
4) Error reporting shows the following:

Faulting application name: iexplore.exe, version: 11.0.9600.17416, time stamp: 0x5452fe91
Faulting module name: EMET64.dll, version: 5.2.0.0, time stamp: 0x54ff88ee
Exception code: 0xc0000005
Fault offset: 0x0000000000048417
Faulting process ID: 0xf3c
Faulting application start time: 0x01d05d8898f1fd96
Faulting application path: C:\Program Files\Internet Explorer\iexplore.exe
Faulting module path: C:\Windows\AppPatch\AppPatch64\EMET64.dll
Report ID: e8b7058f-c97b-11e4-82a7-0019d16e4234
Faulting package full name:
Faulting package-relative application ID:

5) Disabling ALL mitigations for Internet Explorer in the EMET 'Applications List' doesn't solve the issue.  Internet Explorer has to be completely removed from the EMET 'Applications List' in order to prevent it from crashing.

6) Problem occurs regardless of whether Internet Explorer is running in 'Enable Enhanced Protected Mode' with 'Enable 64-bit processes for Enhanced Protected Mode' or not.

7) Needed to uninstall EMET 5.2 and go back to 5.1


EMET 5.5 User Guide or Details on Untrusted Fonts?

I have been unable to find a user guide or any details on what Blocking Untrusted Fonts does in EMET 5.5.  In the details it states "Prevent loading of font files installed outside the system fonts directory." Is this as simple as blocking access to all .FON, .OTF, .TTC, & .TTF files that don't come from %systemroot%\fonts ?

emet stops Word from running


Tried both Emet 5.1 and 5.2 and Word 2013 and 2016. Emet will not let Word run.

WINDOWS 8.1 PRO 64-BIT

"EMET detected Caller mitigation and will close the application: WINWORD.EXE"

EMET 5.5 fails to load on reboot with some group policy editor settings.


I am unsure where to report bugs so I'm mentioning one here. If there is a more appropriate forum then feel free to point me that direction.

EMET 5.5 beta on Windows 10 64 bit will fail to load on reboot after an install if group policy editor has been used to aggressively remove "features" from Windows. One notable problem is disabling Cortana in group policy editor. EMET on my box really doesn't like that. This is unfortunate as I don't expect Cortana will ever be enabled on any of the boxes I oversee.

Updating EMET configuration from a webserver


I understand that you can point computers with EMET installed to a fileserver to obtain an updated .xml. 

Does anyone know if it's supported to point clients to an .xml file hosted on a webserver? We have a large number of clients that are never in the office and don't use VPN on a regular basis. I would like to setup a scheduled task and then just maintenance .xml files on an Internet facing webserver. I tested this and it works but just didn't know if people are doing this with any success?

For instance, "EMET_Config.exe --import http://www.webserver.com/Emet_Config.xml"

Thanks for your time,

Dave

Jamie
