Vlc 2.1.3 is stopped by EMET 4.1 when using "popular software.xml" protection profile (triggered rule:"SimExecFlow") RRS feed

  • Question

  • I came across an issue with vlc.exe version 2.1.3 (most up to date version).

    In the popular software protection profile there is the whole set of mitigation rules defined to run smoothly with normal vlc execution.

    This remained to be true for up to version 2.1.2 of vlc.

    But when vlc 2.1.3 is started EMET detects "EMET detected SimExecFlow mitigation and will close the application: vlc.exe"

    There is also a bug tracker thread in vlc forums (vlc bug ticket #10583).

    There are rumors that this new behavior may be caused by a new version of gcc compiler being used for the new version of vlc.

    Possible Workarounds:

    1. Users might want to use version 2.1.2 instead. The whole predefined rule set can then still be used.
    2. If you disable SimExecFlow mitigation rule for vlc.exe  vlc 2.1.3 is not stopped by EMET.

    As the whole rule set for vlc is part of the predefined protection profile file "popular software.xml" this issue might be of interest for the EMET support team. Chances are there that workaround #2 may find its way to vlc's entry in "popular software.xml" of the next EMET version?

    Because I am not part of the vlc developer team I am not able to make any valid assumptions on the cause of the changed behavior under detection rules of EMET.

    I only want to inform about this issue and some workarounds which helped me.

    Thank you.

    • Edited by Riopantr193 Saturday, February 8, 2014 11:39 AM
    Saturday, February 8, 2014 11:22 AM

All replies

  • There's a third work around by adding a Registry DWord value 'SimExecFlowCount' with the value data of 6. See https://forum.videolan.org/viewtopic.php?f=14&t=117231#p397749 for the complete description for setting this workaround. Also see https://trac.videolan.org/vlc/ticket/10583 for the bug tracker about this issue.

    I'm curious what the difference is between turning of the mitigation SimExecFlow and leaving it turned on and setting the registry value SimExecFlowCount to 6.


    W. Spu

    • Edited by W. Spu Sunday, February 23, 2014 4:45 PM
    • Proposed as answer by W. Spu Friday, May 30, 2014 4:46 PM
    Sunday, February 23, 2014 4:44 PM
  • The same issue affects also VLC's Firefox plugin. EMET 4.1 terminates Firefox's child process plugin-container.exe. I had to deactivate SimExecFlow mitigation for this executable, too.

    (Note: I do not use "popular software.xml". I added the apps manually, raising the issue.)

    • Edited by strawbeard Thursday, February 27, 2014 2:30 AM
    Thursday, February 27, 2014 2:06 AM