Notifications from EMET?

  • Question

  • When EMET blocks an action or denies access by an application, does it always give you some sort of notification that something is being blocked? Or does it sometimes block things in the background without letting you know?

    Thanks


    • Edited by YoVincenzo Friday, January 2, 2015 4:16 PM
    Friday, January 2, 2015 4:15 PM

All replies

  • Below is a part of the text from the EMET 5.1 User Guide (page 13-14):

    EMET has reporting capability provided through a Windows Service called “Microsoft EMET Service”. Once EMET is installed, the service is set to automatically start with Windows. The EMET Service is responsible to dispatch the EMET Agent, which will show up in the system tray area of the taskbar with an EMET icon. The visibility of the EMET Agent icon in tray area can be configured via Group Policy or via the command line tool.

    The EMET Service performs the following tasks:
    Write events in the Windows Event Log: EMET events are...

    Show important events via a tooltip in the taskbar notification area: Similar in severity to the error messages written to the Windows Event Log, when EMET stops an exploit due to one of the mitigations or detects an untrusted SSL certificate, a message is displayed for the user, stating which application is being stopped and which mitigation has been used to stop the exploit. In case of a Certificate Trust violation, it shows details about the untrusted SSL certificate on the current HTTPS connection.

    ...

    However, it seems that EMET does not always show a notification and the logged information is not always the same. stefancpt clarified that the lack of the EMET notification occurs when the user doesn't have administrative rights. See also (t)his post!


    W. Spu

    Friday, January 2, 2015 8:10 PM
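
Since the tray notification may not appear, the Windows Event Log mentioned in the quoted guide text is the place to check whether EMET acted. The script below is an added example, not part of the original thread or the EMET documentation; it assumes EMET's default logging to the Application log under the event source name "EMET", and the `$Days` parameter is illustrative.

```powershell
# Added example: list recent EMET events from the Application log.
# Assumption: EMET logs under the event source "EMET" (its default).
param([int]$Days = 7)   # hypothetical parameter: how far back to look

$filter = @{
    LogName      = 'Application'
    ProviderName = 'EMET'
    StartTime    = (Get-Date).AddDays(-$Days)
}

try {
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction Stop
}
catch {
    # Get-WinEvent raises an error, rather than returning nothing,
    # when no event matches the filter; treat that case as "empty".
    if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') {
        $events = @()
    }
    else {
        throw   # e.g. the EMET source is not registered on this machine
    }
}

if (-not $events) {
    Write-Output "No EMET events in the last $Days day(s)."
    return
}

# Count per severity level
$events | Group-Object LevelDisplayName |
    Select-Object Name, Count |
    Format-Table -AutoSize

# Newest first, with the first line of each message as a summary
$events | Sort-Object TimeCreated -Descending |
    Select-Object TimeCreated, LevelDisplayName, Id,
        @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize -Wrap
```
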
  • OK thanks for that info.

    On one of my computers I am running as a standard user, so it seems like I won't see notifications.

    So if a site won't work correctly, is there a way to temporarily disable EMET as a test?

    The only way I find to do this is to remove all the checkmarks for the browser, in the configuration page. This does not seem like the best way to do this.

    Thanks


    • Edited by YoVincenzo Saturday, January 3, 2015 3:36 PM
    Saturday, January 3, 2015 3:35 PM
  • As far as I know there isn't a way to temporarily disable EMET. For the mitigation ASR (Attack Surface Reduction) you can add the website to the trusted sites. For other applications you can try to temporarily rename the 'App Name' or delete the App (use export to save the app and import to add it again).

    There is also an option for the default action that EMET will take when an exploit has been detected. You can configure it as 'Audit Only' to report the exploitation attempt and not terminate the process, but it doesn't work for all mitigations. See also page 21 of the EMET 5.1 User Guide.


    W. Spu



    • Edited by W. Spu Saturday, January 3, 2015 6:05 PM Added Audit Only part
    Saturday, January 3, 2015 5:34 PM
  • OK thanks for the info.

    Vince

    Thursday, January 8, 2015 1:35 AM