locked
Trust warnings in EMET 5.0 RRS feed

  • Question

  • Recently I installed EMET 5.0. Version 4 ran for some time prior to this install without any warning messages using default settings.

    EMET 5 is showing a warning box for "*.vo.msecnd.net is not trusted by the rule MSLIVECA for login.live.com.

    Any idea why this suddenly pops up under 5.0? Other EMET rules can show the same message when accessing Yahoo for instance with its rule and also Facebook. Any idea why this is happening? Do I need to uncheck those rules to stop these messages?

    Saturday, August 16, 2014 1:26 PM

All replies

  • How did you install EMET 5.0?

    Did you upgrade version 4(.1) to version 5.0 with the option keep existing settings or did you upgrade with recommended settings or did you uninstall EMET 4(.1) first and then installed EMET 5.0?

    Maybe you can use the Wizard button and choose the option recommended settings to reset the application configuration and certificate trust configuration. You can also delete all certificate trust protected websites and pinning rules and import the certtrust.xml file to reset the certificate trust configuration.


    W. Spu

    Saturday, August 16, 2014 5:12 PM
  • Thanks for the feedback.

    EMET 4 was uninstalled first. Then 5 was installed. I accepted the recommended settings. Since then I have unchecked all default Trust entries. The only one I use is live.login.com. I am not a Facebook, Twitter user, etc. My view is that if Microsoft can't validate a login.live.com cert in their own tool there is no sense wasting energy on using the rule.

    Thanks again.

    Tuesday, August 19, 2014 1:33 PM
  • Thank you for the extra information. As far as I can tell you did a clean install.

    I opened some English *.vo.msecnd.net pages on a Windows 7 computer with IE11 and could not reproduce your problems. I viewed the pages with fiddler running and found only one link to login.live.com. Do you experience the problem on every page?

    Did you try open the pages on a other computer with EMET 5?


    W. Spu

    Tuesday, August 19, 2014 8:45 PM
  • I also did a clean install of EMET 5.0 and am getting exactly the same message:

    EMET 5.0

    EMET detected that the SSL certificate for "*.vo.msecnd.net" is not trusted by the rule "MSLiveCA" associated with the domain "login.live.com"

    As I do not use or logon to live.com, I was wondering why this message comes up?

    I got this message whilst waiting for this page to open after inputting my password but it occurs whenever IE11 opens. Just got it again after deleting some text here!

    I am running Win 8.1 update 1 and IE11 (both fully updated) on a Dell Studio XPS 1640.


    Friday, August 22, 2014 5:55 PM
  • From the information that is provided I can't reproduce the steps which causes the message. Do you browse to a specific page or use a program. I guess it is related to Windows 8.1 and currently I don't have a test machine with this OS. @DG100: Do you also use Windows 8.1?

    I would advise that someone submits an issue on the Microsoft EMET connect portal (https://connect.microsoft.com/emet/Feedback)


    W. Spu

    Friday, August 22, 2014 7:48 PM
  • First: I could not reply in the sticky thread above. IE would not end (long running script) so no way to add a post. Sorry.

    I installed EMET V5 shortly after it came out. I had been using V4 for a while. With Internet Explorer 11 on Windows 8.1 Pro, I had to disable a number of mitigations: DEP, SEHOP, EAF, EAF+ and ASR.

    August 12 patch Tuesday brought botched updates to both Windows 7 and Windows 8. I had already uninstalled KB2982791 and KB2975719. Today August 27. Microsoft issued KB2993651 as a revised update.

    As soon as that was installed and the machine restarted. IE11 "Stopped Working" because of EMET. That is the first actual EMET crash I have seen.

    I have had to disable all mitigations for IE11 to make it work

    Thursday, August 28, 2014 12:05 AM
  • I plan to uninstall EMET 5 and start over to see what aspects of it are causing my problems. IE11 complains all the time at least once or twice a session...stops working. The only change on the system has been the installation of EMET 5. Dropping back to EMET 4 may be the best direction.
    Thursday, August 28, 2014 12:41 PM
  • I'll add to this that uninstalling EMET 5 has improved IE11 performance significantly. Performance is not affected by 4.1. The Live.*.com cert verification rule is still a problem in 4.1 by that can be turned off and now is. I am done with 5. It is very disappointing that Microsoft does not test this critical software more effectively.
    Thursday, August 28, 2014 1:10 PM
  • The performance of IE11 can be improved by disabling EAF and Stack Pivot but I agree that EMET 5.0 causes a lot more problems than EMET 4.1(u1). Hopefully the next version will solve most problems people are experiencing now.

    W. Spu

    Thursday, August 28, 2014 7:09 PM
  • I've assumed you meant 4.1(u1) when you referred about 4.1 Live.*.com cert verification rule and you stated "by that can be turned off and now is."

    Did you mean that for MSLiveCA in PublicKey Match column was disabled, right ?

    I'm simply asking because in my current 4.1(u1_5/39/2014 release) I too have found MSLiveCA PublicKey Match disabled and because of this I'm wondering if for any reason on your PC you might possibly have a wrong/fake certificate for *.vo.msecnd.net installed and thus conflicting with Certificate Trust configuration checks made by EMET 4.1(u1) or EMET 5 (and this should really not happen).

    So if you want to better verify this you can check from within IE11 -> Tools -> Internet Options -> Content -> [ Certificates ] button or even via Control Panel -> Internet Options -> Content -> [ Certificates ] button.

    Regards

    Rob

    • Proposed as answer by _RobMer_ Thursday, August 28, 2014 8:22 PM
    • Edited by _RobMer_ Thursday, August 28, 2014 8:42 PM Even better clarity...
    Thursday, August 28, 2014 8:21 PM
  • 1- I have this same issue when using IE11. I get these same EMET alerts/pop up when I logged in to this page even!!!!

    2- Have EMET 5.0 (clean install). But was getting alerts from EMET 4.1 before.

    3- OS Windows 8.1 / always updated. Also use Bitdefender total security 2015. Bitdefender confirmed that there is no compatibility issues with EMET 5.0.

    4- After opening couple of web pages, IE stops working and re-lunch, this is a most recent problem and happens frequently.

    5- The funny thing is I get these EMET alerts when going to bing.com, but not with google.com using IE. Captures below when I was on bing.com.

    6- Tried to write to Microsoft EMET connect portal using the link provided above( and got Page Not Found

    Hope we get a fix for this from MS, hope they will pay attention more to the quality of their products.

    Thanks

    Thursday, October 16, 2014 2:51 AM
  • Only way to stop it is to open the app and go to the Trust tab. Uncheck ALL the default "trusted" certs that come with the app. The only one that I use is Outlook. I figure if they can't get that right the App is not all that good anyway so what is it really doing for me.

    DG100

    Thursday, October 16, 2014 10:53 PM
  • EMET detected that the SSL certificate for "*.vo.msecnd.net" is not trusted by the rule "MSLiveCA" associated with the domain "login.live.com"

    As I do not use or logon to live.com, I was wondering why this message comes up?

    I have the same Problem with EMET 5.1 and Windows 7.1 and Windows 8.1 - also by Login Yahoo..

    the Certificate comes from Avast:

    EMET detected that the SSL certificate for "login.live.com" is not trusted by the rule "MSLiveCA" associated with the domain "login.live.com".

    Subject Name          : CN=login.live.com, OU=Passport, O=Microsoft Corporation, STREET=1 Microsoft Way, L=Redmond, S=Washington, PostalCode=98052, C=US, SERIALNUMBER=600413485, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.2=Washington, OID.1.3.6.1.4.1.311.60.2.1.3=US

    Issuer CA      : CN=avast! Web/Mail Shield Root, O=avast! Web/Mail Shield, OU=generated by avast! antivirus for SSL/TLS scanning

    Serial Number         : 06BE58BEC86C644A8E6426EEB64C3B35

    Thumbprint   : F3D38962F3870D211768E87038EFB27257226AF6

    Hope to get some answer..

    Thursday, December 4, 2014 3:14 PM
  • Same issue,.  Emet 4.1 did not show the issue, but since the upgrade to EMET 5.1 there are warning:

    Going to http://www.msn.com shows the following - note that this is a HTTP not HTTPS url.

    Outlook.com is OK. microsoftstore.com is OK.  login.live.com is OK


    • Edited by YasharF Sunday, December 7, 2014 9:54 PM
    Sunday, December 7, 2014 9:53 PM