Evidence of EMET

  • Question

  • Hello, 

    EMET seems like an excellent new layer of defense against exploits, but how would a support team determine if EMET terminates an application versus an application crashing on its own?  Is there a specific log record generated with each action taken by EMET?

    Thanks!

    Wednesday, July 6, 2011 4:51 PM

All replies

  • I haven't yet seen an application crash from EMET.  That said, I have seen many an application freeze or fail to start with any number of those annoying unspecific error codes.  I don't think it's wise to use the maximum settings as they may be too harsh.  In particular, when apps fail to start or terminate immediately, it usually has to do with DEP kicking in.

    Hope this helps.


    edit:  Oh right, you might find the error codes in the Event Log.
    Wednesday, July 6, 2011 11:09 PM
  • Hi,

    In the event log you will find "Application Error" logs. For some mitigations (SEHOP and EAF) EMET will generate these with "Exception code: 0xc0000409". Due to the nature of some mitigations the crash could be different, with some other error codes.

    Thank you,

    Monday, July 25, 2011 5:38 PM
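    One way to act on that reply from a support desk, as an added example that is not part of the thread: query the Application log for the standard Application Error crash record (provider "Application Error", Event ID 1000) and keep only those whose exception code is c0000409. The property index used for the exception code and the event count are assumptions for this example.

    ```powershell
    # Added example, not from the original thread.
    # Application Error / Event ID 1000 is the standard application-crash record.
    $events = Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'Application Error'
        Id           = 1000
    } -MaxEvents 500 -ErrorAction SilentlyContinue   # -MaxEvents 500 is an arbitrary cap

    foreach ($e in $events) {
        # Assumed record layout for Event ID 1000: Properties[0] = faulting application,
        # Properties[3] = faulting module, Properties[6] = exception code (hex, no "0x").
        # Matching the property avoids depending on the localized "Exception code:" text.
        $code = [string]$e.Properties[6].Value
        if ($code -match 'c0000409') {
            [pscustomobject]@{
                Time   = $e.TimeCreated
                App    = $e.Properties[0].Value
                Module = $e.Properties[3].Value
                Code   = '0x' + $code
                First  = ($e.Message -split "`n")[0]   # first line of the crash message
            }
        }
    }
    ```

    Exception code 0xc0000409 (STATUS_STACK_BUFFER_OVERRUN) is also raised by the compiler's /GS stack-cookie check and other fail-fast paths, so a hit narrows the search rather than proving EMET terminated the process; correlate the faulting application and module with the programs EMET is configured to protect.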
  • Hi, I am having the same concerns about EMET. The short answer seems to be that there is no way to easily and comprehensively determine whether EMET is working and what has it actually protected against.

    If there is a way to configure EMET to log/alert/notify or otherwise tell me when it has protected me, I am all ears/eyes.

    While I am excited about EMET's capabilities, the apparent inability to verify without some sort of pentest is not comforting. Again I am excited to hear about any features I am missing. Thanks for your support.


    Friday, October 28, 2011 3:01 PM


    hi ,

    Windows DEP will let you know when the sh@t hits the fan... last Sunday EMET saved the day again on a honeypot...!

    have a nice day


    Tuesday, December 20, 2011 7:01 AM