EMET Protection for all Processes?

  • Question

  • I'm a bit confused how to protect all running processes with EMET. My typical EMET settings are application opt out for DEP and SEHOP, and Application Opt-In for ASLR. When I launch EMET no processes are marked as "Running EMET". I was at TechEd 2011, and one of the slides for the SIM307 session recommended "Add .exe from C:\Program Files\ & C:\Program Files (x86)\". However, with the EMET GUI you cannot do that type of wild card. It appears to only want specific EXE files.

    And it's not clear to me even with these opt-out/opt-in settings, whether the other protections (NullPage, HeapSpray, EAF, etc.) are being applied to processes, or only to processes that are specifically added to the app configuration list?

    So my question is, how can I enforce all EMET protections (DEP, SEHOP, NullPage, HeapSpray, EAF, ASLR, BottomUpRand) on all processes? If a program can't operate with all of these protections, I have no problems adding a specific exe to the exception list (like UltraISO which doesn't like DEP).

     

    Sunday, May 22, 2011 3:33 PM

Answers

  • Right now, EMET does not support this functionality yet. However, the approach you have of scripting "dir /s" should be successful at achieving your goal, though indeed slow. We will take this request into consideration for possible future versions of the product.

    Thanks

    • Marked as answer by EMET Support Wednesday, June 1, 2011 2:25 AM
    Wednesday, June 1, 2011 2:24 AM

All replies

  • EMET does not currently support opting in all executables on a system or directory. You have to specifically add the path to the EMET-ized list and enable/disable the mitigations you want that process to have.

    Please refer to the user guide for more information on how to opt-in an executable and further configuration.

    Thank you,

    Thursday, May 26, 2011 5:10 PM
  • For EMET'ing all of c:\program files I've written a batch file using a dir /s *.exe and pass each EXE to EMET individually. It works, but is slow. Is there a more elegant method? The XML method would work, but if the contents of c:\program files is unique per machine (depending on applications installed) this is difficult to do.
    Tuesday, May 31, 2011 2:40 PM
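The "dir /s *.exe" batch approach described in the post above, rewritten as a PowerShell script with an exception list. This is an added example, not code from the thread or from the EMET team. It assumes EMET_Conf.exe sits in the EMET install directory and accepts "--add <path>" (the EMET 2.x command-line form); run EMET_Conf.exe with no arguments to confirm the switches your version supports. The exclusion entry for UltraISO is the example the question gives; the install path and the "--add" switch are assumptions.

```powershell
# Added example (not from the thread): register every .exe under both Program Files
# trees with EMET through its command-line tool, skipping executables known not to
# tolerate the mitigations. Run from an elevated prompt.
param(
    [string]$EmetConf = "$env:ProgramFiles\EMET\EMET_Conf.exe",  # assumed install path
    [switch]$WhatIf                                             # list only, change nothing
)

# Directories to protect (the TechEd SIM307 recommendation quoted in the question).
# ${env:ProgramFiles(x86)} is empty on 32-bit Windows, so filter it out.
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ -and (Test-Path $_) }

# Executables that break under the mitigations; matched on file name (case-insensitive).
# UltraISO is the exception named in the question; extend the list as you find others.
$exclusions = @('UltraISO.exe')

if (-not (Test-Path $EmetConf)) {
    throw "EMET_Conf.exe not found at '$EmetConf'; pass -EmetConf with the correct path."
}

$added = 0; $skipped = 0; $failed = @()

foreach ($root in $roots) {
    # PSIsContainer filter keeps this working on PowerShell 2.0, which lacks -File.
    $exes = Get-ChildItem -Path $root -Recurse -Filter *.exe -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer }

    foreach ($exe in $exes) {
        if ($exclusions -contains $exe.Name) {
            Write-Verbose "Skipping excluded executable: $($exe.FullName)"
            $skipped++
            continue
        }
        if ($WhatIf) {
            Write-Output "Would add: $($exe.FullName)"
            continue
        }
        # One EMET_Conf invocation per executable, as the batch file in the thread does.
        # "--add" is assumed to be the EMET 2.x switch; verify against your version.
        & $EmetConf --add $exe.FullName | Out-Null
        if ($LASTEXITCODE -eq 0) { $added++ } else { $failed += $exe.FullName }
    }
}

Write-Output ("Added {0} executables, skipped {1} exclusions, {2} failures." -f
    $added, $skipped, $failed.Count)
$failed | ForEach-Object { Write-Warning "EMET_Conf failed for $_" }
```

Run it once with -WhatIf to review the list of executables it would touch, then without it to apply. Because each executable is still added one at a time, the run is as slow as the batch version; what the script adds is the exclusion list, a failure report, and coverage of both Program Files trees in one pass, which keeps the per-machine variation the post mentions from needing a hand-maintained XML file.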