Channel: Enhanced Mitigation Experience Toolkit (EMET) Support forum

EMET 5.5 vs BitLocker

Whenever I try to enable DEP System-Wide, EMET will say BitLocker needs to be suspended. I don't use BitLocker, never will. I only use TrueCrypt. I click on the message to suspend BitLocker, it then says that BitLocker couldn't be suspended, and then gives me this error.

(I can't post links yet, sorry).

I talked to 3 Microsoft Tech helpers and none could help me, even with remote connections.

I've been re-installing Windows 7 on numerous spare drives and I noticed that I can only enable DEP if I encrypt my drive with BitLocker (because then BitLocker's "protection" will be active and EMET will be able to suspend it).

What I tried so far:

- bcdedit.exe /set {current} nx AlwaysOn

- EMET_Conf.exe --system --force dep=ApplicationOptOut

- I also edited the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EMET\EnableUnsafeSettings registry KEY, to no avail.


Is there a way to trick EMET into thinking I have BitLocker running?

EDIT: After rebooting, I could see that the command given to me by the last MS technician was correct, I just needed to reboot.

What solved it for me:

  • Open CMD as Administrator.

If you want DEP to be always on, paste the following command (without quotes): "bcdedit.exe /set {current} nx AlwaysOn"

If you want DEP set to Application Opt Out, paste the following command (without quotes): "bcdedit.exe /set {current} nx OptOut"

Then reboot.

If you open EMET now, you'll see that the selected option matches what you specified on CMD before rebooting.

If you want to change DEP settings again, do the same thing via CMD, then reboot. Don't try to change it via EMET GUI otherwise you'll still get that error.

Hope this helps :)
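
The post above turns on the fact that a `bcdedit` change to `nx` only takes effect at the next boot. The following PowerShell sketch is an added example, not part of the original post or of EMET: it compares the value stored in the boot configuration with the DEP policy the running kernel reports through WMI. The function names are hypothetical, and it assumes an elevated prompt and `Get-WmiObject` (available on Windows 7).

```powershell
# Added example: compare the DEP policy stored in the boot configuration
# (applied at the next boot) with the policy the running kernel enforces.
# Run elevated: bcdedit.exe requires administrator rights.

# Meaning of Win32_OperatingSystem.DataExecutionPrevention_SupportPolicy
$policyNames = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }

function Get-ConfiguredNx {
    # Find the "nx" element of the current boot entry, if one is set.
    $line = & bcdedit.exe /enum '{current}' |
        Where-Object { $_ -match '^\s*nx\s+\S+' } |
        Select-Object -First 1
    if ($line -match '^\s*nx\s+(\S+)') { return $Matches[1] }
    return $null   # no explicit nx element in this boot entry
}

function Get-EffectiveDep {
    # Policy in force for the current boot, as reported by WMI.
    $os = Get-WmiObject -Class Win32_OperatingSystem
    return $policyNames[[int]$os.DataExecutionPrevention_SupportPolicy]
}

$configured = Get-ConfiguredNx
$effective  = Get-EffectiveDep

if ($configured) { $shown = $configured } else { $shown = '(nx not set)' }
"Configured in BCD (next boot): $shown"
"Enforced by running kernel:    $effective"

# String comparison with -ne is case-insensitive in PowerShell.
if ($configured -and ($configured -ne $effective)) {
    'Mismatch: the BCD value was changed but is not applied yet. Reboot.'
}
```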



Untrusted Fonts and EOT files.

I'm trying out the EMET/Windows 10 "block untrusted fonts" feature.

If I block them Outlook Web access looks crap, I guess OWA uses the "Embedded OpenType" format.
I don't want to whitelist the Internet Explorer process, so how do I allow/whitelist/install the specific EOT files from Exchange 2016?

I can't install .eot in C:\Windows\Fonts\

Will EMET 5.5 work with .NET 4.6?

We are upgrading to EMET 5.5 but also plan on moving to .NET 4.6. The system requirements information for EMET 5.5 says that .NET 4.5 needs to be used. It would be easier for us to go directly to .NET 4.6 if EMET 5.5 works with it.

Download link for EMET 5.5 down


For some reason the download link for EMET 5.5 has not been working for me for the past week.

https://www.microsoft.com/en-us/download/details.aspx?id=50766

Anyone else experiencing the same issue?

Regards,

Andrew


Group Policy EMET Configuration Error

I am working to configure EMET within Group Policy before deployment but I now have an error at the bottom that states: "DEP/ASLR changes are unsafe and ineffective by default..." Current settings are: DEP=Always On, SEHOP=Application Opt Out, ASLR=Application Opt In. Any recommendations on how to remove the error?

Windows 10 and Kaspersky


When I upgraded to Win. 10, my security program Kaspersky was shut down and deleted.

My question is why and where did it go, the app logo is in the control panel but it doesn't work?

Can you help me with this matter?

DISA compliance scan (using Nessus) does not recognize EMET as enabled/installed


I have installed EMET 5.1 on Windows 2012R2 member server that I am testing for compliance.

Also, admin template file (EMET.admx) has been added to PolicyDefinitions folder in sysvol.

I can see in GPRESULT output that EMET policies have been applied and I can see in REGEDIT that EMET keys have been created.

For some reason, that I am trying to find out, when scanning with Nessus and using DISA _STIG_Server_2012_MS_v1r3.audit policy definitions, it fails every EMET-related item.

Does anyone else have the same problem? What is the remedy?

Slava.

Problem with application hangs due to EMET 5.5 EAF mitigation after Windows 7 April 2016 updates


After having installed the Windows 7 04/2016 updates today, I found that I couldn't start Firefox anymore - it just hangs and uses up 1 core. Then I tried IE - hangs and eats up another core. Same for Chrome and Opera. Then I began to suspect EMET and started Word 2010, Adobe Reader, Thunderbird, WL Mail - all the same. Applications not opted into EMET continued to work.

I then tried to deactivate EMET's mitigations one by one and found that I had to disable "EAF" mitigation to use my apps again.

(I didn't yet try to find out which of the updates is the root of this by uninstalling 1 by 1, since WU took so long (hours) to find updates _at all_ that I haven't yet dared... Maybe later I'll try to install the updates manually on another machine and see if I find sth.)

Is it just me who's seeing this?

System: 32bit Windows 7 Enterprise, EMET 5.5, all updates from WU (except MSRT) installed.


EMET 5.5 GUI crashes after applying KB3140410 (MS16-031) on Windows 7 (SP1) x64.


Hi there,

Our workstation users do not have admin rights. We must enter admin creds to open EMET GUI. EMET 5.5 GUI crashes on systems running kernelbase.dll v 6.1.7601.19160, which seems to have been introduced by the abovesaid bulletin that addresses a vulnerability with elevation of privilege.

---------------------------------------------------------------------------------------

Event id 1000

Faulting application name: EMET_GUI.exe, version 5.5.5871.31892

Faulting module name KERNELBASE.DLL, version: 6.1.7601.19160

Exception code: 0xe0434352

Faulting application path: c:\program files (x86)\emet 5.5\emet_gui.exe

Faulting module path: c:\windows\system32\kernelbase.dll

----------------------------------------------------------------------------------------------

On systems running older kernelbase.dll v 6.1.7601.18939, EMET GUI opens fine.

Apart from not applying this security update, is there a workaround? Wait for EMET 5.6?

Other aspects of EMET seem to be functioning fine. 

-RG

Compatibility with Microsoft Outlook 2010

When will EMET 5.5 have Office 2010 compatibility? Since I "upgraded" to 5.5, Outlook no longer allows me to open an email without EMET shutting it down.

Proof of concept for EMET


Hi Team,

We are in the planning of a mass deployment of EMET in our organisation but before this we will need to perform a POC and test the mitigation methods. Would appreciate it if you can provide the POC doc and technique to test the mitigation methods.

Thanks and regards

Chris Tam

EMET 5.5 EAF Performance


I am noticing performance issues with the EAF mitigation in the EMET 5.5 Beta and the 5.5 Final releases. Examples are as follows:

  • Google Chrome Extensions and Apps crash often with EAF enabled
  • Google Chrome seems to run slower with EAF enabled
  • Microsoft Office and other applications launch slower with EAF enabled; Excel takes 13 seconds to open with EAF enabled, but only takes 1 second with EAF disabled.
  • Other affected applications are Internet Explorer, Adobe Acrobat, etc.

This has been verified on a Windows 8.1 system.  Other Windows versions are being tested against.  Can this mitigation be fixed?



EMET 5.5 closing office applications and IE automatically on Windows 8.1 and Windows 10 during installation


We are seeing EMET 5.5 closing office applications and IE automatically on Windows 8.1 (64 bit) and Windows 10 (x64 bit) during installation.

Anybody experiencing this issue during installation?

Any suggestions?

EMET 5.5 causes Adobe Acrobat Reader DC 11 to fail if "Protected Mode" is enabled in Reader


Win 7 Professional x64

EMET 5.2 & Adobe Acrobat Reader 11 were working together. Not sure what my EMET 5.2 mitigation settings were for Reader.

Upgraded to EMET 5.5 and now I get a message when launching Adobe Reader saying:

"Adobe Acrobat Reader DC cannot be opened in Protected Mode due to an incompatibility with your system configuration. Would you like to open Adobe Acrobat Reader DC with Protected Mode disabled?"

If I select open with Protected Mode disabled, Adobe still crashes for certain operations. My default EMET settings for AcroRd32.exe are everything checked except ASR.

If I disable all mitigations in EMET 5.5, Adobe Reader works normally.

If I return mitigations to default and then additionally disable EAF+, the problem persists, although I found a post saying that fixed the issue in earlier versions of EMET.

Question: Is there a custom set of mitigations that enable Reader to work, or should I disable Reader mitigations in EMET, or should I disable Protected Mode in Reader, or should I use a different PDF viewer like SumatraPDF?

Thanks

Please do not use Secondary Logon Service


Hi,

Please do not require the Secondary Logon Service for EMET in the future.  Apply your own "Assume Breach" approach as mentioned in your Security in Office 365 whitepaper.docx.



EMET Event Logs Not Being Generated


Hello,

I am doing proof of concept testing and I am running into a lot of scenarios where EMET blocks an exploit attempt but does not generate a log or notification. For example CVE-2015-5119. I can compromise a vulnerable test machine no problem. When I apply EMET to IE the exploit is stopped (application crashes) but I get no event. I have been unable to generate an EMET event for IE (flash plugin) or Java so far this way. The only way that I get an EMET notification is for when I have it protecting another application like notepad or audioconverter. I have also tried CVE-2012-4969 and CVE-2011-3544 which is a Java exploit and EMET mitigates it but no message or Event log. The vulnerable system running EMET is Windows 7 SP1 with IE 8. I have tried both EMET 5.2 and 5.5. Any thoughts?

Thanks!

EMET test tools


Hello, does EMET provide testing tools? For example heapspray test or DEP testing? 

If not, can someone please advise on how to perform these tests to see if EMET is running properly?

Thank you.

EMET 5.5 Configuration guide?

Hello, my customer wants to put EMET 5.5 in his infrastructure but we need to have the configuration guide. Do you have this?

EMET 5.5 Unhandled Exception


When I right-click on the EMET icon (v5.5) and select "Open EMET", I get a "EMET Service status is: Not Running" dialog.  Retry simply redisplays the dialog.

If I select "Cancel", I get an unhandled exception dialog:

The stack trace is:

System.NullReferenceException: Object reference not set to an instance of an object.
   at GraphicalApp.MainForm.SystemStatusTL_CustomDrawNodeCell(Object sender, CustomDrawNodeCellEventArgs e)
   at DevExpress.XtraTreeList.TreeList.RaiseCustomDrawNodeCell(CustomDrawNodeCellEventArgs e)
   at DevExpress.XtraTreeList.Painter.TreeListPainter.DrawCell(CellInfo cell)
   at DevExpress.XtraTreeList.Painter.TreeListPainter.DrawCells(RowInfo ri)
   at DevExpress.XtraTreeList.Painter.TreeListPainter.DrawRow(TreeListDrawInfo e, RowInfo ri)
   at DevExpress.XtraTreeList.Painter.TreeListPainter.DrawRows()
   at DevExpress.XtraTreeList.Painter.TreeListPainter.DoDraw(TreeListViewInfo viewInfo, DXPaintEventArgs e)
   at DevExpress.XtraTreeList.TreeList.OnPaint(PaintEventArgs e)
   at System.Windows.Forms.Control.PaintWithErrorHandling(PaintEventArgs e, Int16 layer)
   at System.Windows.Forms.Control.WmPaint(Message& m)
   at System.Windows.Forms.Control.WndProc(Message& m)
   at DevExpress.XtraEditors.Container.EditorContainer.WndProc(Message& m)
   at DevExpress.XtraTreeList.TreeList.WndProc(Message& m)
   at System.Windows.Forms.NativeWindow.Callback(IntPtr hWnd, Int32 msg, IntPtr wparam, IntPtr lparam)

Let me know if you need further details (I wasn't permitted to upload images).

Pressing "Continue" seems to show the GUI, except with the System Status pane with a large cross in it.

Is EMET still working effectively?

Thanks.

EMET 5.5.5871.31892 incompatible with OneNote Office 365 ProPlus 16.0.6741.2033 (First release channel for Deferred)


I updated Microsoft Office 365 ProPlus to version 16.0.6741.2033 of First Release for Deferred channel.

It seems that when starting OneNote the Caller mitigation closes the ONENOTE.exe. Here are the logs.

EMET version 5.5.5871.31892
EMET detected Caller mitigation and will close the application: ONENOTE.EXE

Caller check failed:
  Application : C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE
  User Name : Domain\Username
  Session ID : 1
  PID : 0x1170 (4464)
  TID : 0x11A8 (4520)
  API Name : kernel32.LoadLibraryExW
  ReturnAddress : 0x012F295B
  CalledAddress : 0x77594925
  TargetAddress : 0x01345B86
  StackPtr : 0x002DE3E0
