SANS ISC: your EMET 5.1 experience? - Internet Security | DShield SANS ISC InfoSec Forums
your EMET 5.1 experience?
While on the subject - let's whine about deploying EMET. It is hard. We should put together more guidance as a community for it or pressure MS to. (Or if there are good docs and I'm confused - do point me to them.)

This is based on configuring 5.1 using the guide, XML, GPO templates included http://www.microsoft.com/en-us/download/confirmation.aspx?id=43714

And yes, I do realize the better place to whine about it is their community forums https://connect.microsoft.com/directory/?keywords=EMET but hey.

If you have a diverse environment:
a) add-ins will break and MS didn't provide us a list when asked (snip - they did offer some help without premium support tickets - I'm wrong)
b) had trouble disabling reporting to MS 'early warning' via GP or in the GUI - seems to come back
c) your AV product [filter drivers by global settings? appinit DLL or loaded DLLs for app settings] will probably conflict with the default MS settings [whether local app or global]
- you can obviously override those, but worst case on EMET or AV upgrade you will have to review them [in a positive or negative way]
d) Recently they also had an IE Patch Tuesday update that you needed to update EMET first for or else IE broke (or change the app rule for IE). http://www.theregister.co.uk/2014/11/11/emet_version_5_1_released/
e) anything else loading DLLs into processes might not like it [shell extensions end up in all sorts of processes aside from explorer]
f) not really clear for Audit mode - some settings -
System-wide DEP/ASLR/SEHOP are 'not really audit only' for obvious reasons
Deep hooks/anti-detour etc. are ???
app-specific mitigation actions can be set to audit
g) interaction for GPO and various settings is not really clear:
GPO->XML is clear [but sounds like XML is needed if GPupdate fails, if you install without applying GPO first, or the PC has issues? Also]
'Application configuration' and the subtractive mitigation bits (specify ones you want to disable) are also OK
Pre-defined app profiles are also OK (e.g. recommended or popular)
Interaction between GPO profiles for IE, app config etc. is a bit less clear.
presumably the order of preference for apps is GPO app rules, GPO global
h) enumerating active rules for a process is a pain and managing the deployment in an environment with many legacy ActiveX components will be great fun for EMET. We tried asking how [aside from inspecting EMET DLL memory structs like what people were doing in old EMET bypasses] but they were at the time busy patching the 4.1 bypasses... in any case - why EMET_Conf.exe has no 'get effective settings' option puzzles me.

If you have any helpful tips to share WRT above please let me know.
Mallory Bobalice

28 Posts
I found that EMET in its default recommended installation blocked IE's ability to open PDF links using Adobe Reader. I had to go into EMET and disable SEHOP and ASR for both Acrobat.exe and AcroRd32.exe.
PW

63 Posts
Definitely difficult to handle, needs to be better integrated into WSUS, System Center, and testing structures.
Regularly has to be uninstalled because it breaks something, or just makes Internet Explorer or Excel completely unstable.
carol

10 Posts
I had a look at the email chain with Microsoft and to my surprise I've been incorrectly saying they refused to help without Premium support tickets. Sorry EMET team :) :(!

They actually answered quite a few of my questions after a few weeks of followup emails but from what I can tell they were busy working on 5.0 at the time after emet 4.1 bypass papers.

Basically - I still think:
a) a compatibility list should be provided that you can run against the software inventory you have (that said they pointed me to the technet community [extra resources here https://social.technet.microsoft.com/Forums/security/en-US/home?forum=emet] https://social.technet.microsoft.com/Forums/security/en-US/1e70c72b-67b2-43c4-bd36-a0edd1857875/application-compatibility-issues?forum=emet )
b) there needs to be a tool that you can point at a process to extract its currently loaded emet.dll settings [volatility module anyone? à la the 4.1 bypass paper explaining what the setting structs are]. EMET_Conf --list shows ALL settings, not effective ones.
c) I'm really surprised to hear that the GPO for 'app configuration' doesn't override any default profiles used meaning you have to define your own list instead of putting entries to disable problematic mitigations for specific apps . It'd be really helpful if there was an easy way to convert imported app policy into GPO settings [import popular app settings, tick the boxes causing issues, export, deploy via GPO]. That said I could see using the XML file way instead here but hmm.

but otherwise they were pretty helpful



Other misc answers:
1) Re what supports auditing and what doesn't (if you have a think about it - it makes sense)

Mitigations that support auditing:
EAF, EAF+, LoadLib, MemProt, Caller, StackPivot, SimExecFlow, SEHOP (Vista/2008/2003), Certificate Pinning, ASR??

Where auditing mode is not supported:

System mitigations (for obvious reasons)
DEP, SEHOP, ASLR

Application mitigations (anything memory-allocation-y and module-load-on-process-start-ish)
Null Page, Heap Spray, Mandatory ASLR, BottomUp ASLR

2) Was told extra mitigation settings [deep hooks/anti-detours] won't affect OS stability, could affect interactions with protected apps as we are now protecting/inspecting deeper-level API calls.
- still not quite sure if the implications do or don't extend towards AV that loads DLLs into processes via appinit, e.g. Comodo
3) emet_conf --import configfile.xml for initial setup if worried GPO is not applied properly.

4) Re another caveat (listed in the manual) - WRT default DEP/SEHOP/ASLR settings for Win7 x64 SP1 (DEP - app opt-in, ASLR - app opt-in, SEHOP - app opt-in)
They were drawing attention to the DEP config change = BitLocker key request bit.

Finally - had a few issues for the initial install without reboot, but those seem better for EMET 5.1
Mallory Bobalice

28 Posts
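The "tick the boxes causing issues, export, deploy" workflow wished for in point c) above, applied to PW's Reader exception, as an added example that is not from the thread or from the EMET team: it takes an EMET-style app-configuration XML, flips the named mitigations off per executable, and reports each app's effective settings together with the ones the thread says cannot run in audit mode. The XML layout, the mitigation name spellings, and the sample profile are assumptions, not taken from the page.

```python
import xml.etree.ElementTree as ET

# Assumed layout (not from the thread; mirrors EMET 5.x exports):
# <EMET_Apps><AppConfig Executable=".."><Mitigation Name=".." Enabled="true|false"/>
# Per the thread, these app mitigations have no audit-only mode (assumed spellings).
NO_AUDIT = {"NullPage", "HeapSpray", "MandatoryASLR", "BottomUpASLR"}

# Constructed sample profile covering Adobe Reader and Internet Explorer.
SAMPLE_XML = """<EMET Version="5.1"><EMET_Apps>
 <AppConfig Path="*\\Adobe\\Reader*" Executable="AcroRd32.exe">
  <Mitigation Name="DEP" Enabled="true"/>
  <Mitigation Name="SEHOP" Enabled="true"/>
  <Mitigation Name="ASR" Enabled="true"/>
  <Mitigation Name="NullPage" Enabled="true"/>
 </AppConfig>
 <AppConfig Path="*\\Internet Explorer" Executable="iexplore.exe">
  <Mitigation Name="DEP" Enabled="true"/>
  <Mitigation Name="EAF" Enabled="true"/>
 </AppConfig>
</EMET_Apps></EMET>"""

# Exceptions reported in the thread: Reader breaks with SEHOP and ASR on.
EXCEPTIONS = {"AcroRd32.exe": {"SEHOP", "ASR"}, "Acrobat.exe": {"SEHOP", "ASR"}}

def apply_exceptions(xml_text, exceptions):
    """Disable the listed mitigations per executable. Returns the new XML,
    the (exe, mitigation) pairs actually flipped, and executables missing
    from the profile (an exception for an absent app silently does nothing)."""
    root = ET.fromstring(xml_text)
    changed, missing = [], set(exceptions)
    for app in root.iter("AppConfig"):
        exe = app.get("Executable")
        if exe not in exceptions:
            continue
        missing.discard(exe)
        for mit in app.findall("Mitigation"):
            if mit.get("Name") in exceptions[exe] and mit.get("Enabled") == "true":
                mit.set("Enabled", "false")
                changed.append((exe, mit.get("Name")))
    return ET.tostring(root, encoding="unicode"), changed, sorted(missing)

def effective(xml_text):
    """Map executable -> enabled mitigations, plus the subset that stays
    enforced even when the deployment is switched to audit mode."""
    out = {}
    for app in ET.fromstring(xml_text).iter("AppConfig"):
        on = {m.get("Name") for m in app.findall("Mitigation") if m.get("Enabled") == "true"}
        out[app.get("Executable")] = {"enabled": on, "enforced_in_audit": on & NO_AUDIT}
    return out
```

Run `apply_exceptions(SAMPLE_XML, EXCEPTIONS)` and feed the returned XML to `effective()`; the "missing" list is the check worth keeping, since an exception typed for an executable the profile does not contain changes nothing and leaves the app broken.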
wow...yea.. https://social.technet.microsoft.com/Forums/security/en-US/1e70c72b-67b2-43c4-bd36-a0edd1857875/application-compatibility-issues?forum=emet sure does look well maintained...[not really and user contrib]


P.S. What would be really helpful in the admin guide is some real-world examples of contoso.local where they apply the recommended apps + a few exceptions for all + custom exceptions for a separate class of users. hmeh.
Mallory Bobalice

28 Posts
Never try to login/access your online account from the sites other than the original site. Always type the URL of the site in the address bar to get into the site. Do not click on a hyperlink to enter the site.
kaleem