locked
EMET detected DEP mitigation for Outlook RRS feed

  • Question

  • Outlook 2003, XP SP 3, EMET 3.0

    Using the default All.xml profile, with adjustments for Acrobat 7.0

    Getting a message from EMET associated with the following event when I start Outlook:

    EMET_DLL module logged the following event:
    EMET detected DEP mitigation and will close the application: C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE

    Outlook does not close, and DEP has been set on in the XP Computer, Performance Settings, DEP panel for all programs except for certain exceptions (Outlook is not an exception), long before the installation of EMET, and I've not noticed any problems with Outlook before.

    What gives?

    Thursday, May 24, 2012 3:30 PM

All replies

  • Hi,

    according to emet user guide outlook 2003 supports DEP so you shouldn't be getting this errors. I'd suggest trying it on more computers deployed using the same image. The issue may be caused by some outlook add in or extension. Try disabling all extensions and see if this helps. 

    Regards,
    Karol

    Sunday, June 3, 2012 11:06 AM
  • Outlook 2003, Win7 x64, EMET 3.0, Visual Studio C# 2008 Express Edition

    Deployed EMET via GPO and configured it as this:

    ASLR: App Opt In
    DEP: Always On
    SEHOP: App Opt In
    Policy: Internet Explorer - all mitigations

    On 3 computers I have a DEP mitigation, when I try to open the Outlook Calendar (e.g. via CTRL+2), and Outlook can be restarted (which works). On 17 other computers in my company Outlook calendar works. We have roaming profiles, when I sign in with my account on any of the 17 computers the calender works, so I can exclude a user profile related problem. Also, if other users log on one the three computers Outlook produces DEP mitigation. One common thing I have noticed, that all of these 3 computers have Visual Studio C# 2008 Express Edition installed.

    Where does this come from and how can I make the calendar work again besides deinstalling EMET?


    • Edited by omerk Thursday, September 27, 2012 6:48 AM Forgot VS C# Version (2008)
    Wednesday, September 26, 2012 1:29 PM
  • OK, solved it by myself.

    Today I've got the info, that also most of the other computers also have the problem described above. So a correlation with C# 2008 EE, as i supposed above, can be excluded. Maybe the computers just have not fully applied my EMET-GPO, thus not running outlook with EMET DEP.

    For me it seems that Outlook 2003 (OFFICE11) is not fully compatible to DEP. So I need to exclude DEP from Outlook 2003. Here's what I did:

    1) Edit "EMET.admx" in Sysvol ..->.. PolicyDefinitions (the central admx policy store, or the folder defined in EMET User's guide 3.2)
        Find "<string>*\Microsoft Office\OFFICE11\OUTLOOK.EXE</string>" and replace with <string>*\Microsoft Office\OFFICE11\OUTLOOK.EXE -DEP</string>
        This changes the Outlook 2003 settings in the "Office" default protection profile.
    2) Define a GPO with DEP setting: Application Opt Out
        If you choose "Always on" (as I did before) then the application specific definition of not to use DEP will not work!
    3) Activate default protections for "Microsoft Office etc..."
    4) Use "gpupdate /force" on the client to force GPO processing
    5) Restart client

    Maybe a "EMET_Conf --refresh" is needed to update settings.

    For those not using EMET with GPO, but locally: Just do the appropriate configuration steps in EMET GUI directly ;-)

    • Proposed as answer by omerk Thursday, September 27, 2012 12:24 PM
    Thursday, September 27, 2012 12:24 PM