How to Identify URL or document after EMET Mitigation?

  • Question

  • Hi,

    Is there a way to identify which URL was requested in the browser, or which document was opened in Office or Adobe Reader, when EMET triggers a mitigation?

    This is important information missing in the logs, and there are probably technical reasons for it (which?), but maybe there is a way of (ideally automatically) getting/correlating this information from somewhere.

    Thanks for any hints or thoughts. 

    Wednesday, November 26, 2014 7:09 AM

All replies

  • In EMET 5.0 a tooltip was shown in the taskbar notification area when you visited a site (in the internet zone) in the browser which uses Java, and an event was written to the Windows Event Log which sometimes specified the web address. Below are two examples:

              EMET detected ASR mitigation in iexplore.exe

              ASR check failed:
                Application     : C:\Program Files\Internet Explorer\iexplore.exe
                User Name     : COMP\USERNAME
                Session ID     : 2
                PID         : 0x109C (4252)
                TID         : 0x16BC (5820)
                Module     : jp2iexp.dll

              EMET detected ASR mitigation in iexplore.exe

              ASR check failed:
                Application     : C:\Program Files\Internet Explorer\iexplore.exe
                User Name     : COMP\USERNAME
                Session ID     : 2
                PID         : 0x1710 (5904)
                TID         : 0xA20 (2592)
                Module     : jp2iexp.dll
                Web address     : http://java.server1.company.com/java/module/
                Url zone     : Trusted


    With EMET 5.1 this doesn't seem to happen anymore and Internet Explorer just reports that the website uses Java which can be downloaded and installed.

    When I open a Word document with a Shockwave Flash Object I get this tooltip

    and this event is written in the application event log.

              Log Name:      Application
              Source:        EMET
              Date:          26-11-2014 9:35:54
              Event ID:      1
              Task Category: None
              Level:         Warning
              Keywords:      Classic
              User:          N/A
              Computer:      xxxx
              Description:
              EMET detected ASR mitigation in WINWORD.EXE

              ASR check failed:
                Application     : C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                User Name     : Domain\User
                Session ID     : 3
                PID         : 0xEF4 (3828)
                TID         : 0x130C (4876)
                Module     : Flash32_15_0_0_239.ocx

    The name of the document is not mentioned in this.

    My suggestion is to fill in a feedback form (https://connect.microsoft.com/emet/feedback/LoadSubmitFeedbackForm) on the Microsoft Connect portal for the EMET 5.0 feedback program.



    W. Spu

    Wednesday, November 26, 2014 9:31 AM
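Since the EMET event description is free text, the practical way to work with it is to parse the fields out and fall back on the PID when the "Web address" line is absent. The following is an added example, not code from the thread or from EMET: it parses the two descriptions quoted above and, for the WINWORD.EXE case with no URL, looks the PID up in a constructed, hypothetical process-creation table (PID to command line) that the thread does not describe.

```python
import re

# Constructed samples: the two event descriptions quoted in the thread above, one
# where EMET recorded the web address and one (WINWORD.EXE) where it did not.
EVENT_WITH_URL = r"""EMET detected ASR mitigation in iexplore.exe
ASR check failed:
  Application     : C:\Program Files\Internet Explorer\iexplore.exe
  User Name     : COMP\USERNAME
  Session ID     : 2
  PID         : 0x1710 (5904)
  TID         : 0xA20 (2592)
  Module     : jp2iexp.dll
  Web address     : http://java.server1.company.com/java/module/
  Url zone     : Trusted
"""
EVENT_WITHOUT_URL = r"""EMET detected ASR mitigation in WINWORD.EXE
ASR check failed:
  Application     : C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
  User Name     : Domain\User
  Session ID     : 3
  PID         : 0xEF4 (3828)
  TID         : 0x130C (4876)
  Module     : Flash32_15_0_0_239.ocx
"""
# Constructed, hypothetical process-creation record (PID -> command line); the thread does not describe one.
PROCESS_TABLE = {3828: r'"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\user\Documents\report.docx"'}

HEADER_RE = re.compile(r"^EMET detected (?P<mitigation>\S+) mitigation in (?P<process>\S+)")
FIELD_RE = re.compile(r"^\s*(?P<key>[A-Za-z ]+?)\s*:\s*(?P<value>.+?)\s*$")

def parse_emet_event(description):
    """Parse an EMET description into a dict; 'web_address' stays None when EMET logged no URL."""
    lines = [ln for ln in description.splitlines() if ln.strip()]
    head = HEADER_RE.match(lines[0])
    if head is None:
        raise ValueError("not an EMET mitigation description")
    event = {"mitigation": head["mitigation"], "process": head["process"],
             "web_address": None, "pid": None}
    for line in lines[1:]:
        m = FIELD_RE.match(line)
        if m:              # the 'ASR check failed:' banner has no value and is skipped
            event[m["key"].strip().lower().replace(" ", "_")] = m["value"]
    if event["pid"]:       # "0x1710 (5904)" -> 5904, the key used for correlation
        event["pid"] = int(re.search(r"\((\d+)\)", event["pid"]).group(1))
    return event

def source_hint(event, process_table):
    """The URL EMET logged if present, else the command line recorded for the PID."""
    return event["web_address"] or process_table.get(event["pid"])
```

The PID is only meaningful while the process record is still available, so the lookup has to be done against a log captured at the time of the event rather than against the live process list later.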
  • With EMET 5.1 this doesn't seem to happen anymore and Internet Explorer just reports that the website uses Java which can be downloaded and installed.

    stefancpt clarified that the lack of the EMET notification occurs when the user doesn't have administrative rights. See also (t)his post!


    W. Spu

    Monday, December 8, 2014 6:50 PM
  • I just installed EMET 5.2 and to my disappointment this issue has not been addressed yet. Only admin users will see EMET notifications and generate events in the application event log if Java is blocked. Standard users neither log events nor do they see an EMET notification if Java is blocked.
    Thursday, March 19, 2015 11:21 AM
  • This also seems to happen with ASR vbscript when a website is part of the trusted websites and a vbscript is loaded from another website. The ASR notification doesn't report which vbscript is blocked and/or from which website the script is loaded.

    W. Spu

    Sunday, April 5, 2015 8:26 PM