Channel: Enhanced Mitigation Experience Toolkit (EMET) Support forum
Viewing all 968 articles

EMET EAF mitigation


Hi,

Today I installed EMET 5.2 on both my laptop and desktop (both Win7 x64). Both machines are more or less configured the same, except for the hardware.

On my laptop I've loaded EMET without any issues, set it to high secure and loaded in all of my apps. After a reboot my system works fine.

On my desktop however it's a completely different story. I installed EMET, set it to high secure, added my apps, rebooted machine and then "nothing" worked anymore.

After successfully accessing EMET again to unconfigure all the apps and just import the "popular apps" my system became accessible again.

Now whenever I want to start apps such as IE, FF, Chrome, mIRC I get warnings from EMET; EMET detected EAF mitigation and will close the application: <appname>

If I disable EAF on those processes everything works fine.

I am trying to figure out what is going on at my system here, seeing my laptop doesn't show any issues while using the same software, browser plugins, etc.

As far as I can tell my system seems to be entirely clean. Got immunet3 and F-secure running and several AS/AM scanners tell me my system is clean.

How do I go about figuring out why my apps cause an EAF mitigation to trigger in EMET? I do not blindly want to disable EAF mitigation on those apps as my other system works fine and this makes me worry something goes on at my system which I am unable to see.

Cheers,




EMET 5.2 crashes random applications due to registered Tortoise SVN 1.9.3 shell extension with unclear error indication (1.9.2 worked)

Edge can't open .pdf files after installing EMET


I've recently installed EMET 5.5 on Windows 10 and noticed that I can no longer open .pdf files with the edge browser.

I get a small error window with a red cross and the .pdf file location as well as an error message that translates to "Can't execute RPC" (I'm using a Dutch version of Windows, the Dutch message is "Kan RPC niet uitvoeren").

ASLR and SEHOP are on always on. DEP is on application opt in. Block untrusted fonts is on always on.
All other settings are at the default recommended, I've also imported the default Popular Software.xml profile. (Edge is not shown under the apps window, so it's likely an issue with one of the main EMET settings which apply to the system)

EMET on servers


Does it make sense to use Microsoft EMET on Server 2012 R2/2016 Core/Nano?

Can you run EMET with WOW64 uninstalled on a server?

If you could, would it help anything?

Can't protect Edge with EMET


Hello

Please let me know if using EMET in conjunction with Edge is supported? I'm unable to run Edge with EMET together - I added Edge to protected lists, but it won't show up as "running EMET" at all.

Please let me know if this can be fixed

EMET 5.5 vs BitLocker

Whenever I try to enable DEP System-Wide, EMET will say BitLocker needs to be suspended. I don't use BitLocker, never will. I only use TrueCrypt. I click on the message to suspend BitLocker, it then says that BitLocker couldn't be suspended, and then gives me this error.

(I can't post links yet, sorry).

I talked to 3 Microsoft Tech helpers and none could help me, even with remote connections.

I've been re-installing Windows 7 on numerous spare drives and I noticed that I can only enable DEP if I encrypt my drive with BitLocker (because then BitLocker's "protection" will be active and EMET will be able to suspend it).

What I tried so far:

- bcdedit.exe /set {current} nx AlwaysOn

- EMET_Conf.exe --system --force dep=ApplicationOptOut

- I also edited the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EMET\EnableUnsafeSettings registry KEY, to no avail.


Is there a way to trick EMET into thinking I have BitLocker running?

EDIT: After rebooting, I could see that the command given to me by the last MS technician was correct, I just needed to reboot.

What solved it for me:

  • Open CMD as Administrator.

If you want DEP to be Always On, paste the following command (without quotes): "bcdedit.exe /set {current} nx AlwaysOn"

If you want DEP to be Application Opt Out, paste the following command (without quotes): "bcdedit.exe /set {current} nx OptOut"

Then reboot.

If you open EMET now, you'll see that the selected option matches what you specified in CMD before rebooting.

If you want to change DEP settings again, do the same thing via CMD, then reboot. Don't try to change it via the EMET GUI, otherwise you'll still get that error.

Hope this helps :)


EMET 5.5 -- Can't "Show Full Path"


I'm running EMET 5.5 on Windows 7 SP1 and when I click the "Show Full Path" button, nothing changes in the "App Name" column.  The GUI shows the "Show Full Path" button as being pressed, but no action is actually taken. Is anyone else seeing this issue?



pk


Overriding Default Profile Settings


This issue bubbles up from time to time, but I've never seen an authoritative answer on it.  I know of several workarounds, but I'd like not to go down that path if it's not necessary.

Question -- Has anyone successfully managed to get specific Application Configuration settings to override settings that may exist in a Default Protection profile?

Simply put, we use EMET 5.5 and deploy all 3 default protection profiles (Internet Explorer, Recommended Software, and Popular Software).  We're running into an issue with Excel while attempting to load the Power View add-in.  After searching, I was able to find official documentation that states the Power View add-in requires EAF to be disabled on Excel (at least in EMET 5.2).  I've added the exception to the application configuration via GPO so that the name matches exactly what the default profile has for Excel.

value name: *\OFFICE1*\EXCEL.EXE
value: -DEP -Caller -EAF

After refreshing group policy, I see two entries for Excel by the exact same name.  Official documentation from the User's Guide for EMET 5.5 states explicitly that "if the same app is configuration in Application Configuration and in one of the Default profiles, the Application Configuration settings take precedence", but I'm not really finding that to be the case.  The Power View add-in is still not functioning properly.

Does anyone have any insight to offer?

pk

How to prevent users from changing the configuration of EMET 5.5?


Dear All,

We are planning to deploy EMET in a large organisation, but there is 1 thing where I can't get a solid answer. After deploying EMET 5.5, how can we make sure that users will not amend the configurations on their own PC or laptop? How can we lock down EMET?

Thanks

Chris Tam

 

Win 10 Pro EMET 5.5 GUI will not open for non admin user

I have deployed EMET to my test computer running Win 10 Pro. Though I see EMET in the notification area if I try to open the GUI and enter Admin creds nothing happens. I would like to get this working to help protect my environment. What am I missing?

iexplore 11 crashes with EMET 5.2 in VirtualBox


Hello. I experience a very strange behavior with iexplore 11 and EMET 5.2 on a Windows 7 running in a VirtualBox virtual machine.

In the virtual machine the iexplore.exe is crashing after a few seconds. It won't load any webpage during the time the IE is visible. Googling for the error message that showed up in the event viewer pointed me to EMET as the source of the problems. And indeed, deactivating EAF did the trick: iexplore was running normally afterwards, even after re-activating EAF.

Strange is that with the same Windows 7 installation routine (automatic installation via task sequence) in VMWare the error didn't occur.

Is there any known issue with EMET 5.2 (on Windows 7) when running in VirtualBox? I would really like to eliminate the problem as our current workaround (manually disabling and re-enabling EAF via EMET GUI) involves a lot of manual labour (2 restarts of the virtual machine) in an otherwise fully automated process that runs multiple times every day.

best regards

Bjoern

OneDrive Won't Open After Windows 10 Anniversary 1607 Update (EMET 5.5)


Just a heads up, I found OneDrive wouldn't open from the Start Menu after the Windows 10 Anniversary 1607 Update, it crashes before it opens to your OneDrive location in explorer.exe.  Reliability History shows the following:

Faulting application name: OneDrive.exe, version: 17.3.6390.509, time stamp: 0x5730e595
Faulting module name: KERNELBASE.dll, version: 10.0.14393.0, time stamp: 0x57898e34
Exception code: 0x406d1388
Fault offset: 0x000d96c2
Faulting process ID: 0x1758
Faulting application start time: 0x01d1ecff033313b8
Faulting application path: C:\Users\UserName\AppData\Local\Microsoft\OneDrive\OneDrive.exe
Faulting module path: C:\WINDOWS\System32\KERNELBASE.dll
Report ID:
Faulting package full name:
Faulting package-relative application ID:


This is a long time problem I've noticed with EMET, although it usually happens when updating EMET to a new version.  This time it was an OS upgrade that triggered it. 

To stop onedrive.exe crashing (or any other applications you have set in the application protections list that are crashing) you need to toggle the security setting in EMET, which for some odd reason fixes it.  For example:

1) Turn 'Certificate Pinning' to the opposite of what you currently have it set to, or change the 'Block Untrusted Fonts' to one of the other settings other than what you have it currently set to.  That makes the Quick Profile Name change to 'Custom Security Settings'.

2) Then go to Quick Profile Name and set it to 'Recommended Security Settings'.

3) Then set your settings back to how you want them.

4) Reboot PC

----------------------------------
Windows 10 Version 14393.10
EMET Version 5.5.5871.31892

StackPivot mitigation and will close the application: OUTLOOK.EXE


I currently have a user who started getting this MS Outlook (2010) error; the user is running Windows 7.  I uninstalled and reinstalled MS Outlook hoping it would fix the issues. Nope.  I'm assuming it's something with EMET; if so, I sure need some guidance on getting this fixed.

Error 1:

Microsoft Outlook has stopped working - A problem caused the program to stop working correctly. Windows will close the program and notify you if a solution is available.

Error 2:

EMET 5.5 - EMET detected StackPivot mitigation and will close the application: OUTLOOK.EXE

Any help is GREATLY appreciated!!!

Thanks,


EMET 5.5 - Set to "Audit Only". Yet...


It is still blocking chrome from opening with an EAF mitigation.

EMET version 5.5.5871.31892
EMET detected EAF mitigation in chrome.exe

EAF check failed:
  Application : C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

EMET configuration being pushed by GPO. And I confirmed it's set to Audit Only.


Microsoft Tech Group

I was contacted by "Microsoft Technical Services group" because my computer was sending error messages to Microsoft. They wanted to take control of my computer, which I did not let them. I am pretty sure that this was a scam. Their phone number is 1-806-590-7967 so you can call them. Would Microsoft act this way?

How to undo/remove all changes EMET made to Domain PCs


One of our Admins deployed EMET 5.51 with max security to all workstations in an OU sigh. Lots of issues and management wants all the changes it made reverted back to default before it was installed. Workstations running Win 10 Pro.

What's the best way to get this done?

How to find who is shutting down my PC with the shutdown -i command


Hi Experts,

How can I find out who shut down my PC with the shutdown -i command? My PCs are Windows 7, 8, 10. I checked the event log for 1073 and 1074. 1073 shows me that I canceled the forced shutdown, and 1074 is not generated because I canceled the shutdown when it was forcing the shutdown.

Can I find any logs on the DC showing who is using the shutdown -i command?

Thanks


Fresh EMET 5.5 installation giving an ASR warning (Module: VBScript.dll) running Explorer 11


Hi,

After the default installation of EMET 5.5, I just open explorer 11 and I get the following EMET warning, affecting the module VBScript.dll.

Could someone tell me why? How can I debug this warning to identify the reason?

Many thanks.

Jose

EMET version 5.5.5871.31892
EMET detected ASR mitigation in iexplore.exe

ASR check failed:
  Application     : C:\Program Files\Internet Explorer\iexplore.exe
  User Name     : XXXXXXXX
  Session ID     : 1
  PID         : 0x16F0 (5872)
  TID         : 0x1444 (5188)
  Module     : VBScript.dll
