XML Protection Profile Configuration customization

  • Question

  • I copied the All.xml file to a file with the name Alltest.xml (that way I wouldn't be editing the original All.xml file). I tried loading the All.xml file. It loaded into EMET fine. I made one application addition entry to my Alltest.xml file and it failed to load (EMET gave me an error saying that it couldn't load the configuration file). Since I can't attach a file to this, below shows the last couple of lines of the original code plus the code for the app that I added. I can't find any problem with this.

    ****************************************************************************************************************** -->
      <Vendor Name="Oracle">
        <Suite Name="Java">
          <App Name="Console" Path="*\Java\jre6\bin\java.exe"/>
          <App Name="GUI" Path="*\Java\jre6\bin\javaw.exe"/>
          <App Name="Web Start" Path="*\Java\jre6\bin\javaws.exe"/>
        </Suite>  
      </Vendor>
    
      <!--
    ****************************************************************************************************************** -->
      <Vendor Name="Unknown">
        <Product Name="GNU Image Manipulation Program Plug-In">
          <Version Path="*\sprint.exe"/>
        </Product>
      </Vendor
    
    </EMET_Standard_Rules>
    

    Now, here is the last entry from the original All.xml file:

    ****************************************************************************************************************** -->
      <Vendor Name="Oracle">
        <Suite Name="Java">
          <App Name="Console" Path="*\Java\jre6\bin\java.exe"/>
          <App Name="GUI" Path="*\Java\jre6\bin\javaw.exe"/>
          <App Name="Web Start" Path="*\Java\jre6\bin\javaws.exe"/>
        </Suite>  
      </Vendor>
      
    </EMET_Standard_Rules>
    

    And to show that my line that has "Version Path" in it is OK to use that way, here is a similar section elsewhere in the All.xml file:

        <Product Name="Internet Explorer">
          <Version Path="*\Internet Explorer\iexplore.exe"/>
        </Product>

    So, does anyone know why my little addition at the end of the Alltest.xml file causes EMET to reject loading the configuration file?

    Tuesday, January 29, 2013 9:02 PM
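An added example (not code from the original post or from EMET) that checks a Protection Profile the way EMET would have to before it can load it: as XML. EMET only reports that the configuration file could not be loaded; a plain well-formedness check from the Python standard library names the line and column instead. Both documents inside the script are constructed for this example: the first follows the layout of the Alltest.xml excerpt in the question with every tag closed, the second reproduces the tail of that excerpt as posted, where the final `</Vendor` is not followed by `>`.

```python
"""Check an EMET Protection Profile (EMET_Standard_Rules) before loading it.

Added example, not code from the original post or from EMET. Standard
library only: a parse error gives the line and column that EMET's
"could not load the configuration file" message does not.
"""
import xml.etree.ElementTree as ET

# Constructed profile following the layout of Alltest.xml in the question,
# with every tag closed.
GOOD_PROFILE = r"""<EMET_Standard_Rules>
  <Vendor Name="Oracle">
    <Suite Name="Java">
      <App Name="Console" Path="*\Java\jre6\bin\java.exe"/>
    </Suite>
  </Vendor>
  <Vendor Name="Unknown">
    <Product Name="GNU Image Manipulation Program Plug-In">
      <Version Path="*\sprint.exe"/>
    </Product>
  </Vendor>
</EMET_Standard_Rules>
"""

# Same document, but its tail is taken from the question's excerpt: the last
# </Vendor has no closing '>' before </EMET_Standard_Rules>.
BROKEN_PROFILE = GOOD_PROFILE.replace("  </Vendor>\n</EMET_Standard_Rules>",
                                      "  </Vendor\n\n</EMET_Standard_Rules>")


def check_profile(xml_text):
    """Return ("ok", paths) when the profile parses, else ("error", line, column, message)."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as e:
        line, col = e.position          # 1-based line, 0-based column of the bad token
        return ("error", line, col, str(e))
    if root.tag != "EMET_Standard_Rules":
        return ("error", 0, 0, "root element is <%s>, expected <EMET_Standard_Rules>" % root.tag)
    # The two entry shapes used in All.xml, Suite/App and Product/Version, both carry Path.
    paths = [el.get("Path") for el in root.iter()
             if el.tag in ("App", "Version") and el.get("Path")]
    return ("ok", paths)


def context(xml_text, line, before=2):
    """Return numbered source lines leading up to and including `line` (1-based)."""
    lines = xml_text.splitlines()
    start = max(0, line - 1 - before)
    return ["%3d: %s" % (i + 1, lines[i]) for i in range(start, min(line, len(lines)))]


if __name__ == "__main__":
    for label, doc in (("good", GOOD_PROFILE), ("broken", BROKEN_PROFILE)):
        result = check_profile(doc)
        print(label, result[0], result[1:])
        if result[0] == "error":
            # The reported line is where the parser gave up; the unclosed tag
            # sits just above it, which is why a little context is printed.
            print("\n".join(context(doc, result[1])))
```

Run it against a real Alltest.xml by reading the file into `check_profile`; an "invalid token" error whose context shows an end tag without its `>` is the whole story, and no amount of comparing the new entry with other entries in All.xml will reveal it, because the entry itself is fine.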

All replies

  • Hi MrDisabledVet,

    In an attempt to troubleshoot the issue that you mention, I tried adding an application using various examples contained in the All.xml file. Using the existing applications from within the All.xml as templates, I was also unsuccessful in adding an application to the XML file; I received the same error as you.

    Here was my simplest attempt that did not work:

    <Vendor Name="DonHO">
      <Product Name="Notepad++">
        <Version Arch="x86" Path="*\Notepad\unicode\notepad++.exe"/>
      </Product>
    </Vendor>

    I then tried another method of using the command line to add an application to the list of protected applications. I added the open source Notepad++ to the Program Files (x86) folder and added it to the list using the following command:

    EMET_conf.exe --set "*\notepad++.exe" 

    I chose this method since I wanted to see what lines were added to the config.xml file. This was the result:

    <AppConfig Path="*" Executable="notepad++.exe">
      <Mitigation Name="DEP" Enabled="true" />
      <Mitigation Name="SEHOP" Enabled="true" />
      <Mitigation Name="NullPage" Enabled="true" />
      <Mitigation Name="HeapSpray" Enabled="true" />
      <Mitigation Name="EAF" Enabled="true" />
      <Mitigation Name="MandatoryASLR" Enabled="true" />
      <Mitigation Name="BottomUpASLR" Enabled="true" />
    </AppConfig>

    The Notepad++ .exe file in my example was located at the following path:

    C:\Program Files (x86)\Notepad\unicode\notepad++.exe

    I have confirmed that EMET is protecting Notepad++ when it is in use.

    For your application, I would suggest adding the following to your config file, for EMET 3.0:

    <AppConfig Path="*" Executable="sprint.exe">
      <Mitigation Name="DEP" Enabled="true" />
      <Mitigation Name="SEHOP" Enabled="true" />
      <Mitigation Name="NullPage" Enabled="true" />
      <Mitigation Name="HeapSpray" Enabled="true" />
      <Mitigation Name="EAF" Enabled="true" />
      <Mitigation Name="MandatoryASLR" Enabled="true" />
      <Mitigation Name="BottomUpASLR" Enabled="true" />
    </AppConfig>

    For EMET 3.5 Tech Preview, the above code would be:

    <AppConfig Path="*" Executable="sprint.exe">
      <Mitigation Name="DEP" Enabled="true" />
      <Mitigation Name="SEHOP" Enabled="true" />
      <Mitigation Name="NullPage" Enabled="true" />
      <Mitigation Name="HeapSpray" Enabled="true" />
      <Mitigation Name="EAF" Enabled="true" />
      <Mitigation Name="MandatoryASLR" Enabled="true" />
      <Mitigation Name="BottomUpASLR" Enabled="true" />
      <Mitigation Name="LoadLib" Enabled="false" />
      <Mitigation Name="MemProt" Enabled="false" />
      <Mitigation Name="Caller" Enabled="false" />
      <Mitigation Name="SimExecFlow" Enabled="false" />
      <Mitigation Name="StackPivot" Enabled="false" />
    </AppConfig>

    This code has the same effect with 3.5 Tech Preview as that for EMET 3.0. What I mean is that the ROP mitigations of EMET 3.5 are not enabled with this code. To enable them, simply change "false" to "true".

    I realize that this XML is not as detailed as the version that you wrote i.e. no vendor name or product name is now present but it should protect the program as desired.

    Please let me know if the above information is of assistance to you. If not, I will do my best to assist you further. My apologies for not replying to your question sooner, I had to become familiar with this method of adding programs to protect to EMET and it took longer than I expected.

    I found that the following online article explains how to use the * (wildcard) symbol most clearly. It made creating the above examples much easier:

    http://www.rationallyparanoid.com/articles/microsoft-emet-3.html

    Thank you.

    • Edited by JamesC_836 Tuesday, February 12, 2013 12:13 PM Minor edit
    Saturday, February 2, 2013 6:22 PM
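An added example (not code from the original post or from EMET) for the config.xml side of the answer above: a linter for a hand-written `<AppConfig>` entry and a generator that emits a clean one. The mitigation names are the twelve the answer lists for EMET 3.0 and the 3.5 Tech Preview; the check that every `<Mitigation>` carries exactly `Name` and `Enabled` with `Enabled` set to `"true"` or `"false"` is this example's own rule, inferred from those entries, not an EMET-documented schema. The two bad fragments are constructed here and carry two common transcription slips: an attribute value missing its opening quote (which makes the XML unparseable) and a misspelled attribute name (which parses fine, so only an attribute check catches it).

```python
"""Lint and generate <AppConfig> entries for an EMET config.xml.

Added example, not EMET's own code. Mitigation names are those listed in
the thread: seven for EMET 3.0, plus five ROP mitigations in 3.5 Tech Preview.
The attribute rules below are inferred from those entries, not from an EMET schema.
"""
import xml.etree.ElementTree as ET

MITIGATIONS_30 = ["DEP", "SEHOP", "NullPage", "HeapSpray", "EAF",
                  "MandatoryASLR", "BottomUpASLR"]
ROP_MITIGATIONS_35 = ["LoadLib", "MemProt", "Caller", "SimExecFlow", "StackPivot"]
KNOWN = set(MITIGATIONS_30 + ROP_MITIGATIONS_35)


def lint_appconfig(xml_text):
    """Return a list of problems with one <AppConfig> fragment (empty when clean)."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as e:
        line, col = e.position
        return ["not well-formed XML at line %d, column %d: %s" % (line, col, e)]
    problems = []
    if root.tag != "AppConfig":
        problems.append("root element is <%s>, expected <AppConfig>" % root.tag)
    for attr in ("Path", "Executable"):
        if not root.get(attr):
            problems.append("<AppConfig> is missing the %s attribute" % attr)
    seen = set()
    for m in root:
        if m.tag != "Mitigation":
            problems.append("unexpected child <%s>" % m.tag)
            continue
        name = m.get("Name")
        if name not in KNOWN:
            problems.append("unknown mitigation name %r" % name)
        elif name in seen:
            problems.append("mitigation %s listed twice" % name)
        seen.add(name)
        extra = set(m.attrib) - {"Name", "Enabled"}   # catches misspelled attributes
        if extra:
            problems.append("unexpected attribute(s) %s on mitigation %r" % (sorted(extra), name))
        if m.get("Enabled") not in ("true", "false"):
            problems.append("mitigation %r needs Enabled=\"true\" or \"false\"" % name)
    return problems


def build_appconfig(executable, rop=False, path="*"):
    """Build an entry with the 3.0 mitigations on; rop=True also turns on the 3.5 ROP set."""
    app = ET.Element("AppConfig", {"Path": path, "Executable": executable})
    for name in MITIGATIONS_30:
        ET.SubElement(app, "Mitigation", {"Name": name, "Enabled": "true"})
    if rop:
        for name in ROP_MITIGATIONS_35:
            ET.SubElement(app, "Mitigation", {"Name": name, "Enabled": "true"})
    return ET.tostring(app, encoding="unicode")


# Constructed fragment: the HeapSpray value lacks its opening quote.
UNQUOTED = """<AppConfig Path="*" Executable="notepad++.exe">
  <Mitigation Name=HeapSpray" Enabled="true" />
  <Mitigation Name="EAF" Enabled="true" />
</AppConfig>
"""

# Constructed fragment: well-formed, but "Enabed" and "HeapSpary" are misspelled.
MISSPELLED = """<AppConfig Path="*" Executable="sprint.exe">
  <Mitigation Name="DEP" Enabled="true" />
  <Mitigation Name="EAF" Enabed="true" />
  <Mitigation Name="HeapSpary" Enabled="true" />
</AppConfig>
"""

if __name__ == "__main__":
    for label, frag in (("unquoted", UNQUOTED), ("misspelled", MISSPELLED)):
        print(label, lint_appconfig(frag) or "clean")
    print(build_appconfig("sprint.exe", rop=True))
```

Pasting `build_appconfig("sprint.exe", rop=True)` into config.xml gives the EMET 3.5 entry from the answer with the ROP mitigations switched on; running `lint_appconfig` over an entry you typed by hand is the cheap check to do before loading, since a single stray quote is enough for EMET to reject the whole file.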