Opening IE produces "EMET detected ASR mitigation in iexplore.exe Component: Microsoft @ VBScript" warning

  • Question

  • We are running EMET 5.5 on Windows 10 Enterprise LTSB 64-bit. Whenever we open IE or open a new tab in IE, we see the warning referenced in the title and the event listed below is logged. We have applied a slew of recommended security settings from the DISA STIGs. I see several people complain about this, but they have worked around the issue by either adding a site to trusted sites or disabling ASR completely. Unfortunately, when I try to disable ASR, I still get the warning and I am assuming that is because of the policy settings we have enforced. Either way, disabling a security feature is never the right answer, so I'd really like to figure out what is causing this. The default homepage is set to about:blank. Even if we change the homepage to something in Trusted Sites, the warning still appears. Like previously mentioned, it also appears when opening a new tab, which isn't opening any page, so it seems the settings for ASR for iexplore.exe are not behaving correctly. Can anyone offer any guidance? Thanks!

    Log Name:      Application
    Source:        EMET
    Date:          5/19/2016 4:40:43 PM
    Event ID:      1
    Task Category: None
    Level:         Warning
    Keywords:      Classic
    User:          N/A
    Computer:      DESKTOP-J611FAL
    Description:
    EMET version 5.5.5871.31892
    EMET detected ASR mitigation in iexplore.exe
    ASR check failed:
      Application  : C:\Program Files\Internet Explorer\iexplore.exe
      User Name  : DESKTOP-J611FAL\**************
      Session ID  : 2
      PID   : 0xFF4 (4084)
      TID   : 0x644 (1604)
      Module  : VBScript.dll
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="EMET" />
        <EventID Qualifiers="0">1</EventID>
        <Level>3</Level>
        <Task>0</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2016-05-19T20:40:43.000000000Z" />
        <EventRecordID>5839</EventRecordID>
        <Channel>Application</Channel>
        <Computer>DESKTOP-J611FAL</Computer>
        <Security />
      </System>
      <EventData>
        <Data>EMET version 5.5.5871.31892
    EMET detected ASR mitigation in iexplore.exe
    ASR check failed:
      Application  : C:\Program Files\Internet Explorer\iexplore.exe
      User Name  : DESKTOP-J611FAL\**********
      Session ID  : 2
      PID   : 0xFF4 (4084)
      TID   : 0x644 (1604)
      Module  : VBScript.dll
    </Data>
      </EventData>
    </Event>

    Thursday, May 19, 2016 8:46 PM
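An added example (not part of the original thread, and not Microsoft's code) that parses events in the format posted above, so the blocked module and the UTC timestamp of each ASR hit can be tallied and lined up against other evidence such as a packet capture. It assumes the events were exported as XML and wrapped in a single `Events` root element; the function names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
HEADLINE = re.compile(r"EMET detected (\w+) mitigation in (\S+)")
FIELD = re.compile(r"^\s*(Application|User Name|Session ID|PID|TID|Module)\s*:\s*(.+?)\s*$", re.M)

# Constructed sample in the question's layout; second event and the unrelated last event are made up.
SAMPLE = r"""<Events xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<Event><System><Provider Name="EMET" /><TimeCreated SystemTime="2016-05-19T20:40:43.000000000Z" /></System>
<EventData><Data>EMET version 5.5.5871.31892
EMET detected ASR mitigation in iexplore.exe
ASR check failed:
  Application  : C:\Program Files\Internet Explorer\iexplore.exe
  PID   : 0xFF4 (4084)
  Module  : VBScript.dll
</Data></EventData></Event>
<Event><System><Provider Name="EMET" /><TimeCreated SystemTime="2016-05-19T20:41:10.000000000Z" /></System>
<EventData><Data>EMET version 5.5.5871.31892
EMET detected ASR mitigation in iexplore.exe
ASR check failed:
  Application  : C:\Program Files\Internet Explorer\iexplore.exe
  PID   : 0x1A2C (6700)
  Module  : VBScript.dll
</Data></EventData></Event>
<Event><System><Provider Name="ExampleApp" /></System><EventData><Data>unrelated</Data></EventData></Event>
</Events>"""

def parse_emet_events(xml_text):
    """Return one dict per EMET mitigation event: time, mitigation, process, detail fields."""
    records = []
    for ev in ET.fromstring(xml_text).iter("{%s}Event" % NS["e"]):
        provider = ev.find("e:System/e:Provider", NS)
        data = ev.findtext("e:EventData/e:Data", "", NS)
        hit = HEADLINE.search(data)
        if provider is None or provider.get("Name") != "EMET" or not hit:
            continue  # skip other providers and EMET events without a mitigation headline
        rec = {"time": ev.find("e:System/e:TimeCreated", NS).get("SystemTime"),
               "mitigation": hit.group(1), "process": hit.group(2)}
        rec.update(FIELD.findall(data))  # "Name : value" lines from the description
        records.append(rec)
    return records

def asr_blocks_by_module(records):
    """Count ASR hits per (process, module) to see which DLL load keeps being blocked."""
    return Counter((r["process"], r.get("Module")) for r in records if r["mitigation"] == "ASR")

if __name__ == "__main__":
    for rec in parse_emet_events(SAMPLE):
        print(rec["time"], rec["process"], rec["PID"], rec["Module"])
```
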

All replies

  • Disabling vbscript in ASR on I.E. was deliberately added in EMET 5.2.

    blogs.technet.microsoft.com/srd/2015/03/16/emet-5-2-is-available-update/

    You could edit the settings for ASR and remove the vbscript blocking, without touching the other ASR mitigations.  Click on Apps, then on the iexplore.exe executable, then click Show All Settings at the top ribbon, then scroll down to the Attack Surface Reduction and delete the text for vbscript.

    Note: I have 5.1, so the exact way to do this might be a little different on 5.5.

    Friday, July 1, 2016 4:49 AM
  • Right, that's what I did, but why does opening IE cause a vbscript to run - even if I'm just opening a new tab with nothing on it or going to about:blank?
    Thursday, August 11, 2016 10:22 PM
  • Please have a look if disabling the Proxy auto-config [e.g. wpad] in IE11 helps to get rid of the message.

    Just set the proxy manually and test if ASR warning continues to show up.


    Wednesday, August 17, 2016 12:25 PM
  • Please have a look if disabling the Proxy auto-config [e.g. wpad] in IE11 helps to get rid of the message.

    Just set the proxy manually and test if ASR warning continues to show up.



    You mean the "Automatic Configuration" settings I take it? We always have that disabled. Our web-proxy uses WCCP, so the client is totally unaware of it. If you meant something other than that, please let me know! I'd love to figure this one out!
    Wednesday, August 17, 2016 2:23 PM
  • Try wiresharking your IE11. Mostly there is a connection or more causing this issue.

    A simple about:blank site does not raise an EMET ASR warning, when nothing is connected at all.

    Search suggestions [disable them] and the www.bing.com/favicon.ico [found in registry] are pulled by default.

    Thursday, August 18, 2016 7:34 AM