Channel: Enhanced Mitigation Experience Toolkit (EMET) Support forum

How do you find out if you have EMET installed


I have Sophos Endpoint installed onto Windows 2008 R2 Server, but I am getting buffer overflow errors with Excel. I need to find out if EMET is installed on my Server.

How do I find out?


ASR for packager.dll module under Outlook.exe


Hi, I need to enable ASR mitigation for packager.dll under outlook.exe. (See picture)

Can I enable this with the EMET Command Line Tool?


"User Configured"

Using EMET 5.5 and I'd like to use the Group Policy as the configuration. When I click on Apps, I'd like to select "Audit Only", however it goes back to "User Configured". Any idea why? Can this option not be set by group policy?

Final release for EMET 5.5


Hi Team,

Would like to ask if there is any tentative date for the final release of EMET 5.5. We are planning for a deployment so it is good to have the date so that we can deploy the 5.5 instead of 5.2.

Thanks

Chris 

Unable to download EMET

Access 97 crashes with EMET installed


I installed EMET back last year and found that it crashed Microsoft Access 97 when trying to open our database. I didn't really worry about it because it was on my Admin workstation but now I need to get it working again and cannot seem to configure EMET 5.5 to allow any changes to its settings nor get Access 97 to open without crashing?

Problem signature:
  Problem Event Name:BEX
  Application Name:MSACCESS.EXE
  Application Version:8.0.0.4122
  Application Timestamp:338b1981
  Fault Module Name:StackHash_3c9f
  Fault Module Version:0.0.0.0
  Fault Module Timestamp:00000000
  Exception Offset:0036ed3e
  Exception Code:c0000005
  Exception Data:00000008
  OS Version:6.1.7601.2.1.0.256.1
  Locale ID:1033
  Additional Information 1:3c9f
  Additional Information 2:3c9fffcafd4a169baa105a8ba17430a7
  Additional Information 3:2842
  Additional Information 4:28421dbf389cb389dd79ad3fdf633834

Read our privacy statement online:
  http://go.microsoft.com/fwlink/?linkid=104288&clcid=0x0409

If the online privacy statement is not available, please read our privacy statement offline:
  C:\Windows\system32\en-US\erofflps.txt


Office 2013 apps, Firefox, Acrobat Reader and Chrome frequently shut down by EMET 5.1


One of my users is having problems with EMET 5.1 shutting down Excel, Outlook, Word, Firefox (43.04), Acrobat Reader (11.0.14) and Chrome (48.0.2564.97). The user gets "EMET detected Caller mitigation and will close the application" just before shutdown. The system is running 64-bit Windows 7 Enterprise. The user has disabled the Caller check for the affected apps numerous times but the checks become active again after about an hour. I logged into the user's system as an administrator, disabled the Caller checks and again they become active after about an hour. I also attempted to disable the Caller checks in the registry by changing the Caller value from 1 to 0 for the various applications in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EMET\_settings_\. These changes also revert back to active Caller checks. I suspect that the Caller checks are being reactivated by a GPO.

Here is the most recent Excel shutdown and application crash noted in the event viewer. The user had just opened Excel and clicked "File", "Open" and Excel was then shut down by EMET. Is there any way to stop EMET from continuously doing this?

EMET detected Caller mitigation and will close the application: EXCEL.EXE
Caller check failed:
  Application C:\Program Files (x86)\Microsoft Office\Office15\EXCEL.EXE
  User Name:<REMOVED>
  Session ID: 1
  PID:0xB38(2872)
  TID:0x1D58(7512)
  API Name:kernel32.LoadLibraryW
  ReturnAddress: 0x5C505727
  CalledAddress    : 0x752A48F3
  TargetAddress : 0x5C505770
  StackPtr: 0x0046B02C

Event[5918]:
  Log Name: Application
  Source: Application Error
  Date: 2016-02-02T10:35:45.000
  Event ID: 1000
  Task: Application Crashing Events
  Level: Error
  Opcode: Info
  Keyword: Classic
  User: N/A
  User Name: N/A
  Computer: <HOSTNAME REMOVED>
  Description:
Faulting application name: EXCEL.EXE, version: 15.0.4787.1002, time stamp: 0x567a2cb1
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc000001d
Fault offset: 0x00000000
Faulting process id: 0xb38
Faulting application start time: 0x01d15dcf09b5d1ec
Faulting application path: C:\Program Files (x86)\Microsoft Office\Office15\EXCEL.EXE
Faulting module path: unknown
Report Id: 9fd7d0c6-c9c2-11e5-bb23-648099870e4b

EMET 5.5 EAF Performance


I am noticing performance issues with the EAF mitigation in the EMET 5.5 Beta and the 5.5 Final releases. Examples are as follows:

  • Google Chrome Extensions and Apps crash often with EAF enabled
  • Google Chrome seems to run slower with EAF enabled
  • Microsoft Office and other applications launch slower with EAF enabled; Excel takes 13 seconds to open with EAF enabled, but only takes 1 second with EAF disabled.
  • Other affected applications are Internet Explorer, Adobe Acrobat, etc.

This has been verified on a Windows 8.1 system.  Other Windows versions are being tested against.  Can this mitigation be fixed?




Unable to enable DEP


Installed EMET 5.5 to start testing its potential in our environment, but am receiving an error complaining about bitlocker each time I try to change DEP settings. Bitlocker has never been enabled on this drive. Any ideas? So far I've reinstalled, run as different admin users, rebooted. Not seeing any event log errors pointing to an issue.

Link to screen shot, I'd embed but I haven't been verified.  http://imgur.com/ujNhV5C

DEP/ASLR Policy settings are ineffective by default


I've recently upgraded from EMET 5.2 to 5.5 (including creating a brand new GPO using the new templates) and on every PC I've installed it on we get the following warning message:

"DEP/ASLR Policy settings are ineffective by default; see user's guide on how to enable them"

However I can't see where in the user guide it says to.

DEP is set to Always On (via GPO) and ASLR is Application Opt-In (via GPO).

Other than that EMET seems to be working.

EMET 5.5 final service installed as "delayed start" and "DEP/ASLR Policy settings are ineffective by default"


Hi,

I'm using Windows 10 th2-10511 x64 and when I install EMET 5.5 final the EMET service is installed with the "delayed start" flag and the service never starts after a reboot. The same thing happened with the beta version, I didn't notice it until the final was released. This issue doesn't occur with EMET 5.2.

I switched the service to the normal Automatic (not delayed) start, and everything seems to be working again. I was wondering if anyone else experienced this issue?

Also, can someone enlighten me about this warning message "DEP/ASLR Policy settings are ineffective by default; see user's guide on how to enable them". It appears when I enable the DEP/ASLR EMET GPO and I couldn't find any reference to this message in the user guide. DEP seems to be enabled, I have no idea how to check for ASLR other than Process Hacker that shows ASLR as N/A.

Thanks



EMET detected Caller mitigation and will close the application: OUTLOOK.EXE


Hello,

I have recently installed EMET 5.5 on my Windows 7 Professional Operating System...

I have followed the guide, and imported the 'Popular software.xml'.

So this morning, Outlook was no longer able to open, reporting that: 

EMET detected Caller mitigation and will close the application: OUTLOOK.EXE

Caller check failed:
  Application : C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
  User Name : DOMAIN\User
  Session ID : 1
  PID : 0x2A14 (10772)
  TID : 0x2AA0 (10912)
  API Name : kernel32.LoadLibraryExW
  ReturnAddress : 0x7522A271
  CalledAddress : 0x76744925
  TargetAddress : 0x75225020
  StackPtr : 0x009EEA08

I have ended up unticking 'ROP Caller Check' Mitigation technology against outlook.exe to get outlook working again.

Can anyone give me some guidance with further diagnosing this? Or if this is a potential false positive?

Thank you,

Callum.
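
For comparing Caller reports like the two quoted on this page, the following is an added example (not part of either post and not an EMET tool) that turns a report into a record and counts reports per executable and API. The function names and the `Image` key are hypothetical; the field labels are the ones visible in the reports.

```python
import re
from collections import Counter

# Field labels exactly as they appear in the reports quoted on this page.
FIELDS = ("Application", "User Name", "Session ID", "PID", "TID", "API Name",
          "ReturnAddress", "CalledAddress", "TargetAddress", "StackPtr")
_KEYS = "|".join(re.escape(f) for f in FIELDS)
# Label, optional colon, then the value up to the next "label:" or end of text,
# so one-field-per-line and run-together pastes both parse.
_FIELD_RE = re.compile(
    rf"\b({_KEYS})\b[ \t]*:?[ \t]*(.*?)(?=\s*\b(?:{_KEYS})\b[ \t]*:|\s*$)", re.S)
_HEX_RE = re.compile(r"0x[0-9A-Fa-f]+")

# Constructed from the Excel report on this page, with fields sharing lines.
SAMPLE_RUN_TOGETHER = r"""EMET detected Caller mitigation and will close the application: EXCEL.EXE
Caller check failed:
  Application C:\Program Files (x86)\Microsoft Office\Office15\EXCEL.EXE
 User Name:<REMOVED>  Session ID: 1 PID:0xB38(2872)
TID:0x1D58(7512)API Name:kernel32.LoadLibraryW ReturnAddress: 0x5C505727
  CalledAddress    : 0x752A48F3
  TargetAddress : 0x5C505770
  StackPtr: 0x0046B02C
"""


def parse_caller_report(text):
    """Return a dict of the fields found in one 'Caller check failed' report."""
    rec = {}
    for label, value in _FIELD_RE.findall(text):
        rec.setdefault(label, value.strip())
    # Convert the hex fields so reports can be compared numerically.
    for label in ("PID", "TID", "ReturnAddress", "CalledAddress",
                  "TargetAddress", "StackPtr"):
        m = _HEX_RE.match(rec.get(label, ""))
        if m:
            rec[label] = int(m.group(), 16)
    # Lower-cased executable name, independent of the install path.
    rec["Image"] = rec.get("Application", "").rsplit("\\", 1)[-1].lower()
    return rec


def triage_counts(reports):
    """Count reports per (executable, API name) pair."""
    parsed = map(parse_caller_report, reports)
    return Counter((r["Image"], r.get("API Name", "")) for r in parsed)
```

Feeding it the event text collected from several machines shows whether the same executable and API pair keeps recurring.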


EMET 5.5 - EMET_GUI.exe crashes


Hi!

I have just started testing EMET 5.5 for deployment in our AD environment. 

I am experiencing some issues with EMET_GUI.EXE on some of my users' machines.
When users try to launch EMET_GUI from the taskbar it crashes with the following message:

EMET_GUI has stopped working

A problem caused the program to stop working correctly.
Please close the program.

The following has been taken from the EventLog:

EventID: 1000
Faulting application name: EMET_GUI.exe, version: 5.5.5871.31892, time stamp: 0x56aac3a8
Faulting module name: KERNELBASE.dll, version: 10.0.10240.16683, time stamp: 0x56ad97a2
Exception code: 0xe0434352
Fault offset: 0x000000000002a1c8
Faulting process id: 0x2270
Faulting application start time: 0x01d163f323e05ece
Faulting application path: C:\Program Files (x86)\EMET 5.5\EMET_GUI.exe
Faulting module path: C:\WINDOWS\system32\KERNELBASE.dll
Report Id: <Removed>
Faulting package full name:
Faulting package-relative application ID:
EventID: 1026
Application: EMET_GUI.exe
Framework Version: v4.0.30319
Description: The process was terminated due to an unhandled exception.
Exception Info: System.Exception
Stack:
at HelperLib.Config.GetStringValue(System.String, System.String, Boolean)
at GraphicalApp.MainForm..ctor()
at GraphicalApp.Program.RunEmetGUI()
at GraphicalApp.Program.Main(System.String[])

The EventLog data above is taken from a Windows 10 client, however the behaviour is the same on Windows 7 clients.
These are clients where EMET hasn't previously been installed. On other clients where earlier versions of EMET have been installed (5.2), the GUI works correctly. I have tested this on both a Windows 7 and a Windows 8.1 machine.

EMET is installed on the client machines using IBM BigFix, where the installer MSI is fetched, and installed using "msiexec /i <file> /qn /norestart", as proposed in the EMET 5.5 documentation.

Settings are delivered to the clients using group policy, using the adml and admx files provided by the EMET 5.5 installer.
I have tried with different combinations in the GPO settings, including setting all to "Not configured". It does not seem to make any difference.

Any help would be greatly appreciated! :-)

And also, thanks to the EMET team for providing this neat product!

Best regards.

Cannot find link to "EMET 5.2 Setup.msi" to perform uninstall


I have EMET 5.2 and am trying to update to EMET 5.5.   However, I do not have the original "EMET 5.2 Setup.msi" to perform the uninstall.

Can someone help point me to a working download location for EMET 5.2?

Thanks,

Eli

EMET detected ASR mitigation in iexplore.exe


Hi,

I encountered the following whenever I launched my IE11. Did not encounter this in EMET 5.2

Anyone also encountered the same?

EMET version 5.5.5871.31892
EMET detected ASR mitigation in iexplore.exe

ASR check failed:
  Application : C:\Program Files\Internet Explorer\iexplore.exe
  User Name
  Session ID : 1
  PID : 0x213C (8508)
  TID : 0x2F3C (12092)
  Module : VBScript.dll


EMET 5.5 not importing protections configuration from config xml file


Hi!

We have deployed EMET 5.5 on some Windows 7 Pro x64 with Software Distribution GPO. We have made a special configuration, and exported it to an xml from GUI or from command. We have decided to distribute the configuration xml file following this article:

http://itcalls.blogspot.com.es/2015/02/how-to-prevent-users-from-changing-emet.html

To test it, we disable all the protections on a test PC (DEP, SEHOP, ASLR and Certificate Trust) and reboot the computers, and when the system restarts, the configuration seems not to be imported, because the EMET protections are still disabled. Importing the config file does not enable the EMET protections, so if a user disabled EMET protection we cannot reenable with config import.

If we do a configuration import from the EMET GUI or from command line (EMET_Conf --import \\domain\netlogon\config.xml) and restart the EMET_Service, or restart the PC, the EMET protections are still disabled.

Any ideas?

This is the beginning of the config file

<EMET Version="5.5.5871.31890">
  <Settings>
    <ExploitAction Value="StopProgram" />
    <AdvancedSettings DeepHooks="True" AntiDetours="True" BannedFunctions="True" />
    <Reporting Telemetry="True" TrayIcon="False" EventLog="True" />
    <SystemSettings DEP="Always On" SEHOP="Application Opt Out" ASLR="Application Opt In" Pinning="Enabled" />
  </Settings>






EMET 5.5 configuration deploy via GPO issue


Hi!

We have deployed EMET 5.5 on some Windows 7 Pro x64 with Software Distribution GPO. We have made a special configuration, and exported it to a GPO.

When system restarts, if you open the GUI you will get this error message

Any ideas?


EMET 5.5 GPO - Which setting has the higher precedence, Application Configuration or Default Protection for Recommended Software


Hi,

By enabling the "Default Protection for Recommended Software" in the new EMET 5.5 GP template one will get Microsoft's recommended settings for a good mix of useful  third party software, such as Chrome, FireFox and similar. 

In the case of FireFox, most mitigations are activated when enabling this setting, including EAF and EAF+. 

As several posts to this forum have pointed out, EAF/EAF+ does in some cases have a huge performance impact on certain applications, including FireFox. I have therefore tried to add an entry in the "Application Configuration" for firefox.exe, with parameters "-EAF -EAF+" in order to disable those two mitigations, leaving the "Default Protection for Recommended Software" untouched.

After a reboot, FireFox does seem a bit more snappy, but the GUI reports that EAF and EAF+ are enabled.
When running a EMET_Conf.exe -list I now have two entries for firefox.exe:

firefox.exe            DEP SEHOP NullPage HeapSpray MandatoryASLR BottomUpASLR LoadLib MemProt Caller SimExecFlow StackPivot

firefox.exe     *\Mozilla Firefox  DEP SEHOP NullPage HeapSpray EAF EAF+ MandatoryASLR BottomUpASLR LoadLib MemProt Caller SimExecFlow StackPivot

The EMET GUI reports that EAF/EAF+ is running, but at the same time I'm under the impression that the performance of FireFox is improved. Is there any way (other than the GUI) to verify which mitigations are activated for FireFox? Or does anyone know which of the GP settings has higher precedence, Application Configuration or Default Protection for Recommended Software?

I think the Default Protection for Recommended Software settings bring a lot to the table. However, if a new version of a given software is incompatible with the current settings of EMET, it would be nice to know if one is able to negate a specific mitigation for that particular software using the Application Configuration setting, as opposed to disabling the Recommended Software setting as a whole.

Any thoughts?

Best regards
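
The duplicate-entry situation in the post above can be spotted mechanically. This added example (not from the post and not an EMET tool) parses listing lines of the shape quoted there and reports, per executable, the mitigations its entries disagree on; it does not say which entry takes precedence. The function names are hypothetical, and the line layout is assumed from the two lines shown.

```python
from collections import defaultdict

# Mitigation names printed in the listing quoted above, plus ASR, which this
# page mentions elsewhere. Assumption: no path pattern ends in one of these words.
MITIGATIONS = {"DEP", "SEHOP", "NullPage", "HeapSpray", "EAF", "EAF+",
               "MandatoryASLR", "BottomUpASLR", "LoadLib", "MemProt", "Caller",
               "SimExecFlow", "StackPivot", "ASR"}

# The two listing lines from the post above.
LISTING = r"""
firefox.exe            DEP SEHOP NullPage HeapSpray MandatoryASLR BottomUpASLR LoadLib MemProt Caller SimExecFlow StackPivot
firefox.exe     *\Mozilla Firefox  DEP SEHOP NullPage HeapSpray EAF EAF+ MandatoryASLR BottomUpASLR LoadLib MemProt Caller SimExecFlow StackPivot
"""


def parse_entry(line):
    """Split one listing line into (executable, path pattern, mitigation set)."""
    tokens = line.split()
    exe, rest = tokens[0], tokens[1:]
    # Mitigations are the trailing run of known names; whatever sits between
    # the executable and that run is the path pattern, which may contain spaces.
    cut = len(rest)
    while cut > 0 and rest[cut - 1] in MITIGATIONS:
        cut -= 1
    return exe.lower(), " ".join(rest[:cut]), frozenset(rest[cut:])


def conflicting_entries(listing):
    """Map each executable that has several entries to the mitigations they differ on."""
    by_exe = defaultdict(list)
    for line in listing.splitlines():
        if line.strip():
            exe, path, mitigations = parse_entry(line)
            by_exe[exe].append((path, mitigations))
    report = {}
    for exe, entries in by_exe.items():
        sets = [m for _, m in entries]
        if len(sets) > 1:
            differing = frozenset().union(*sets) - frozenset.intersection(*sets)
            if differing:
                report[exe] = sorted(differing)
    return report
```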

EMET Installation and Configuration

Prior to installation I am trying to determine if EMET defaults to an "on" state after installation.  If so I am trying to determine what it will protect by default as I have many applications that are not "standard" from Microsoft.

EMET 5.5 iexplore.exe will not open


Hi,

I have just upgraded a machine from EMET 5.2 to 5.5. I imported the popular and recommended applications. Since then the applications will appear in task manager as running at 25% but the UIs will not appear. 

If I disable EAF then the applications work.

Noticed this on IE11, Outlook and Lync 2010 client.

Anyone seen this before?

Regards

Mike

