Setting Up EMET 3.5 Tech Preview

Update: EMET 4.0 Beta Is Available


I’d like to start off by saying that this new version of EMET is a Tech Preview – it’s not necessarily ready for release, and I can’t guarantee stability.

Step 1: Download EMET 3.5 Tech Preview

To install the Tech Preview you must first remove any previous EMET installations. After you do that you can grab the Tech Preview (3.5) here: https://www.microsoft.com/en-us/download/details.aspx?id=30424

Run the installer and open up EMET.

Step 2: Configuring System Settings

You should see something similar to (but not exactly the same as) this picture.

Image

Go ahead and hit “System Settings” and you should see something similar to this:

Image

My recommended settings:

DEP: Opt Out

SEHOP: Opt Out (Vista users can choose Always On)

ASLR: Opt In

For a significantly more secure (but potentially less stable) system you can use these settings:

DEP: Always On

SEHOP: Opt Out (Or Always On for Vista Users)

ASLR: Always On

To learn how to enable ASLR Always On click here.

Step 5: Import all.XML

Click the “Configure Apps” button (at the bottom of the EMET User Interface) and you’ll see this page (but without all of these items in it):

Image

Go to File -> Import -> Navigate to all.XML (in your EMET folder) -> Open.

EMET should import all of the settings from the typical all.XML, but none of the ROP mitigations will be enabled afterwards, so make sure you enable them manually.

Restart your system for the full effect.
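As an added example (not code from this post or from EMET itself), here is a small Python script that audits an exported EMET application profile for the two problems this page raises: application paths pinned to one user’s profile (the chrome.exe entry the comments below point out) and entries with no ROP mitigation enabled after the import. The XML layout (`<App Path="...">` with `<Mitigation Name="..." Enabled="..."/>` children) and the mitigation names are assumptions for illustration, not the verified EMET 3.5 schema; the sample profile is constructed, not the page’s all.XML.

```python
r"""Audit an EMET application profile (the kind of XML the post imports as all.XML).

Two checks, both prompted by the post and its comments:
  1. App paths pinned to one user's profile (C:\Users\<name>\...), which match
     nothing on any other account, are rewritten to a wildcard or %USERPROFILE%.
  2. Apps with no ROP mitigation enabled are reported, since the post notes the
     import leaves those off.

ASSUMPTION: the <App Path="..."><Mitigation Name="..." Enabled="..."/></App>
layout and the mitigation names are illustrative, not the verified EMET 3.5 schema.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample in the assumed layout (illustrative paths, not from the page's all.XML).
SAMPLE_XML = r"""<EMET Version="3.5">
  <Apps>
    <App Path="C:\Users\Colin\AppData\Local\Google\Chrome\Application\chrome.exe">
      <Mitigation Name="DEP" Enabled="true"/>
      <Mitigation Name="EAF" Enabled="true"/>
      <Mitigation Name="Caller" Enabled="false"/>
    </App>
    <App Path="C:\Program Files\Steam\Steam.exe">
      <Mitigation Name="DEP" Enabled="true"/>
      <Mitigation Name="StackPivot" Enabled="true"/>
    </App>
  </Apps>
</EMET>"""

# ROP-mitigation names as used in this example (assumed spelling for the XML).
ROP_MITIGATIONS = {"Caller", "SimExecFlow", "StackPivot", "LoadLib", "MemProt"}

# Matches a drive-letter path into a specific user's profile, e.g. C:\Users\Colin\
USER_PROFILE_RE = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\", re.IGNORECASE)


def normalize_path(path, style="wildcard"):
    """Replace a hard-coded user-profile prefix with '*\\' or '%USERPROFILE%\\'.

    Paths outside a user profile are returned unchanged.
    """
    prefix = "*\\" if style == "wildcard" else "%USERPROFILE%\\"
    # A callable replacement avoids re.sub's template parsing of the trailing backslash.
    return USER_PROFILE_RE.sub(lambda _m: prefix, path)


def audit(xml_text):
    """Return (path, issue) pairs for every App entry that needs attention."""
    findings = []
    for app in ET.fromstring(xml_text).iter("App"):
        path = app.get("Path", "")
        enabled = {m.get("Name") for m in app.findall("Mitigation")
                   if m.get("Enabled", "").lower() == "true"}
        if USER_PROFILE_RE.search(path):
            findings.append((path, "hard-coded user profile"))
        if not enabled & ROP_MITIGATIONS:
            findings.append((path, "no ROP mitigation enabled"))
    return findings


def rewrite(xml_text, style="wildcard"):
    """Return the profile with every user-specific App path generalized."""
    root = ET.fromstring(xml_text)
    for app in root.iter("App"):
        app.set("Path", normalize_path(app.get("Path", ""), style))
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for path, issue in audit(SAMPLE_XML):
        print(f"{issue}: {path}")
    print(rewrite(SAMPLE_XML))
```

To use it on a real export, read the XML file into `audit()` first and only write back the result of `rewrite()` once the findings look right; the wildcard form (`*\...`) is the same approach the commenter suggests, and `style="env"` gives the `%USERPROFILE%` variant instead.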

7 thoughts on “Setting Up EMET 3.5 Tech Preview”

  1. Pingback: EMET 3.5 Is Out – ROP Mitigations « insanitybit

    • Yikes! I can’t believe how silly I was to upload that with my username haha thank you *so* much for pointing that out. I will reupload one immediately.

      I’ll look into the system wide policies as well as the rest of your post. Lots of information – thanks a lot for taking the time.

      Glad you enjoy the blog.

  2. Hello =edited out for confusing reasons lol apologies- (I think),
    I like the content you’ve posted up.
    Anyway, you might want to check the allrop.xml file for the chrome.exe entry as it specifies a non-standard username in the file path:
    C:\Users\Colin\AppData…
    ^which I believe only applies to users that configure their user account as Colin.
    Perhaps using a default environment variable (for Windows NT 6.x) and calling it via %USERPROFILE%\AppData…
    ^would be a more comprehensive approach. Or you could just use an asterisk in the filepath, I suppose.

    On another note, I found certain system executables worked with EMET enabled:
    e.g.
    Windows\System32\svchost.exe
    Windows\SysWOW64\svchost.exe
    lsass.exe
    lsm.exe
    etc.
    I think EMET-enabled dllhost.exe breaks consent.exe and/or prevents elevation of user privileges via the UAC prompt, though. However, seeing as it is ubiquitous on Windows systems, I have also seen dllhost.exe accessing the internet. Other less notable mentions would be the Device Manager driver update check and mobsync.exe.

    Some incompatibilities found for non-standard internet-facing executables include:

    Steam.exe – upon game launch it will crash, the notifier specifies DEP execution as the cause, but really it’s the ROP mitigation

    Ad Muncher\AdMunch.exe
    Ad Muncher\AdMunch64.exe
    (part of AdMuncher) is incompatible with Caller, but other ROP mitigations function correctly
    ———————————————
    Incompatible with EAF enabled
    Online Armor.*exe

    Doc Scrubber\docscrubber.exe
    EulAlyzer\eulalyzer.exe
    SpywareBlaster\spywareblaster.exe
    ———————————————
    Sorry for digressing.

    Anyway, have you thought about implementing system-wide policies via Group Policy? It’s included in the documentation (Windows\PolicyDefinitions) so I am curious why you have not gone with this approach.

    I enjoyed reading your blog posts so hopefully you will be bored out of your mind. LOL

    Sorry -_-

      • I disabled Chrome’s protection and no change. I deleted all data synced at google and uninstalled Emet 3.5, re-installed Emet and then sync all data, every thing is working fine with Emet installed. “Sorry for wasting your time.”

  3. Pingback: EMET 4.0 Beta Released - What's New? » InsanityBit InsanityBit
