Application Compatibility Issues

General discussion
-
The mitigations offered by EMET have the potential to break some applications. This thread is to discuss people's experiences with applications that do not work correctly under EMET. The goal is to isolate which specific mitigations cause problems and for which applications (or plug-ins where appropriate). For those trying to determine which mitigations are causing problems, the most likely candidates are EAF and DEP.
Here are the issues the EMET support team has been able to confirm:
| Application or plug-in | Issues that occur | Mitigation or setting causing the issues |
| --- | --- | --- |
| Skype | Fails to run | EAF |
| NetFlix SilverLight app | Video playback in browser fails | EAF |
| ATI Drivers | System blue screens on boot | System ASLR policy set to always on (must enable unsafe settings to see this option) |
| iPod Synchronization service | Service crashes | System DEP policy set to always on |
| AOL | System gives “out of memory” error messages | System DEP policy set to always on |
If you have experienced application compatibility problems with EMET, please share your experiences on this thread. The more detail you can provide about what the issues are and what
Wednesday, February 9, 2011 11:15 PM
All replies
-
DEP set to opt out (unless set as an excluded app) and always on will result in sims 3 + expansion packs to crash to desktop after a few mins of running
Thursday, May 19, 2011 11:35 PM
-
You can also add UltraISO, 9.3.5.2716, which does not like mandatory DEP. All other protections can be enabled and it works fine, though.
Sunday, May 22, 2011 3:35 PM
-
World of Warcraft crashes with EAF enabled. This is due to battle.net.dll which may result in other Blizzard Battle.NET games crashing as well if EAF protection is enabled.
Monday, May 23, 2011 1:40 PM
-
hi
include drivescrubber from iolo.com , only DEP under both vista and windows 7
have a nice day
Thursday, June 9, 2011 8:18 PM -
DAMN NFO Viewer (DAMN NFO Viewer.exe) crashes on every execution attempt, and that application wasn’t even added to EMET, so I added and unchecked everything and re-attempted to launch NFO file viewer application to no avail. Quick guess, might be where I have added the Windows Shell added to EMET? dunno.
Saturday, July 2, 2011 4:55 AM -
We've seen problems with Corel Draw X4. Not sure of the exact setting.
Monday, July 25, 2011 4:14 PM
-
safari fails to run/possibly DEP/
Tuesday, July 26, 2011 12:03 PM
-
When EMET's protections are enabled for web browsers and user installs or upgrades to latest version of Trusteer Rapport (protection from phishing, keylogging and financial malware, such as Zeus or SpyEye), browsers do not launch correctly or open blank, unusable windows.
Right now, possible solutions are:
- stop Rapport service, launch web browser, start Rapport service;
- uninstall Rapport, or
- remove web browsers from the list of programs protected by EMET.
Neither of these is a good one.
This is just FYI, I see the fault at Trusteer's side.
Friday, August 5, 2011 7:29 AM -
Dropbox.exe 1.1.40 (99e6035826ccef09d525b2a025e1d1d7) fails to start with EMET 2.1 ARF enabled. http://forums.dropbox.com/topic.php?id=29640
Thursday, August 18, 2011 5:22 PM
-
Please add Zemana AntiLogger 1.9.2.513 EAF and BottomUpRand option need to be unchecked ( all other option are check mark ok under application configuration ) . Otherwise EAF cause it to not start and BottomUpRand causes the hot link to not to work under services/support of any four links of Zemana software. This is on WIN 7/64 PRO system. Thanks.
- Edited by Knighthood Friday, August 26, 2011 3:05 AM Added BottomUpRand
Friday, August 26, 2011 2:40 AM -
add onlive.exe games launcher under winxp-dep & sehop activated
Saturday, October 29, 2011 9:56 AM
-
On 64-bit Windows 7 SP1, mmc.exe (Microsoft Management Console) will crash on launch if it's included in the protected apps. This has been observed on multiple systems, it's repeatable.
A component of a fingerprint-reader's software suite crashes if it's included in EMET's protected apps. The software in question is the Protector Suite, available for purchase or a free trial here: www.upek.com The component is psqltray.exe. This also is repeatable on two systems. Update: as you may have suspected, EAF is the culprit.
Other than that, things have been pretty smooth sailing with EMET applied to an extensive list of apps on Win7 and one recently-retired WinXP box. From past experience, I know not to set system-wide DEP to Always On or I won't be able to make DEP exceptions.
If you want to make the exploit writers break out in a cold sweat, consider adding an EMET-driven mitigation module to Microsoft Security Essentials. You could generate a "safe list" of high-profile targets that EMET can be safely applied to, the usual stuff like Java, media players, VoIP and email clients, etc, and distribute updated lists as part of your signature updates. Label it with a user-friendly euphemism like "Enable anti-exploit features."
- Edited by mechBgon Thursday, November 17, 2011 6:17 AM
Sunday, November 13, 2011 6:21 PM -
With Windows Server 2008 R2 SP1 as Hyper-V Host and Hyper-V Guest the EMET 3.0 EAF Mitigation may cause applications like Internet Explorer 9 x86 And Adobe Reader 10 to run about 10 times slower (means at 10% of speed without EMET/EAF). When you disable only EAF applications run fast. This should be mentioned in the EMET documentation as Hyper-V/EMET/IE are all supported products and it should be possible to disable individual mitigations for a whole system through Group Policy.
You may use <http://v8.googlecode.com/svn/data/benchmarks/current/run.html> to compare. But don't compare IE 9's result with other Browsers or you might cry ;-(
Thursday, June 28, 2012 3:45 PM -
SQL Server Analysis Services 2008 R2 Developer x64 (msmdsrv.exe) on Windows 7 x64 requires EAF to be disabled
Tuesday, July 31, 2012 7:52 AM
-
As of 12.6 ATI drivers should now be compatible with ASLR.
http://www.cert.org/blogs/certcc/2012/06/amd_video_drivers_prevent_the.html
CONFIRMED: Running 12.8 with ASLR set to "Always on" and Windows 7 booted successfully.
- Edited by Quitch Tuesday, September 18, 2012 1:20 PM Tested fix
Tuesday, September 18, 2012 9:37 AM -
DAMN NFO Viewer (DAMN NFO Viewer.exe) crashes on every execution attempt, and that application wasn’t even added to EMET, so I added and unchecked everything and re-attempted to launch NFO file viewer application to no avail. Quick guess, might be where I have added the Windows Shell added to EMET? dunno.
Windows has a built in nfo viewer. No need to install any apps to read them. Just right click the nfo file and choose to open with notepad as default.
Tuesday, September 18, 2012 1:08 PM -
Windows 7 sidebar.exe (Desktop Gadgets) requires an EAF exception to run.
Tuesday, September 18, 2012 11:58 PM
-
There is incompatibility between Emet 3.5 TP and Comodo Internet Security. The result is high CPU usage. See my other post for details.
Friday, September 21, 2012 9:10 PM
-
I'm using Windows 7 Professional SP1 x64 and EMET 3.0.
I've found EAF to cause the following to crash on start:
getright.exe - A venerable download manager
left4dead2.exe - A video game by VALVe
borderlands.exe - A video game by Gearbox Software - crashes on start if any of NullPage, HeapSpray, EAF or MandatoryASLR are used.
Friday, September 21, 2012 11:22 PM -
Audible Manager stops running just after launching, with Maximum Security enabled, but runs fine if drop back to Recommended Security Settings. Win7 x64.
Saturday, September 29, 2012 6:20 PM
-
MusicMatch Jukebox fails to run. Uninstalling EMET has not fixed the issue.
Monday, October 1, 2012 1:19 AM -
The system settings are registry keys. If you've changed the system settings in EMET then uninstalling it won't undo that, you need to undo the change within EMET.
Monday, October 1, 2012 7:31 AM
-
I would like to report that the 32 bit versions of Windows Media Player and Wordpad within Windows 8 Release Preview 64 bit are not compatible with the SEHOP mitigation of EMET 3.0 or EMET 3.5 Tech Preview.
Please see the following threads for details:
Windows Media Player (post dated: 12th October 2012):
http://social.technet.microsoft.com/Forums/en/emet/thread/3bdfa034-4eda-4d9e-8580-c63c971bb869
Wordpad (second post dated 26th July 2012):
http://social.technet.microsoft.com/Forums/en/emet/thread/3d750eee-a701-4910-aa34-e9c0e1af8aa2
Finally, the 64 bit version of Apple iTunes (iTunes.exe) is not compatible with the system wide i.e. global SEHOP setting (Application Opt-Out) when installed on Windows 7 SP1 64 bit.
Please see the following thread for details (post dated: 5th October 2012):
http://social.technet.microsoft.com/Forums/en/emet/thread/26d83e44-31d3-4cb8-9ae0-7a1a7c450340
EDIT: 21st April 2013: In the above thread, the version of iTunes was 10.7 64 bit. Version 11 and higher of iTunes 64 bit are not affected by this issue. I have used iTunes to purchase tracks from the iTunes Store without issues even with system wide SEHOP enabled.
I hope this helps. Thank you.
- Edited by JamesC_836 Sunday, April 21, 2013 2:57 PM Extra info
Friday, October 12, 2012 2:46 PM -
EMET 3.5 Tech Preview ROP issues with latest Logitech Setpoint 6.50 x64 and IE9 (Win7 x64 SP1).
After installing Logitech Setpoint 6.50 x64 EMET reported continuously ROP mitigation issues from iexplore.exe whenever I start IE9.
Once Setpoint 6.50 x64 has been uninstalled everything goes back to normal.
Logitech Setpoint 6.32 x64 runs fine without issues.
Saturday, October 13, 2012 1:11 AM -
updating to Chrome Version 23.0.1271.64 m and Chrome in EMET (all checkmarks on) crashes several extensions. Uncheck SEHOP for chrome solves the problem.
Please see:
http://forums.lastpass.com/viewtopic.php?t=83548&p=277044
http://code.google.com/p/chromium/issues/detail?id=159885
If you think that might be a security problem in Chrome, then give google support a hint. For me as private person it's a little bit difficult to contact the right channels.
Thank you
Thursday, November 8, 2012 7:12 AM -
Hi,
Encountered the same issues and Google's Forum has similar posting:
Hope this info helps other users
Best regards
Friday, November 9, 2012 5:03 AM -
Excel 2007 on Windows 7 32bit, with eurotool.xlam plugin, fails to run. If I disable DEP or disable the plugin it does run.
Thursday, November 15, 2012 1:07 PM
-
I have Problems with Roxio easy creator and an Outlook plugin from octophone our phone Company... The application crashes directly and worked fine under Windows 7 before...
Monday, December 3, 2012 2:16 PM
-
Intel Rapid Storage Technology installer fails to initialize with DEP set to Always On in system settings.
Saturday, December 8, 2012 9:30 PM
-
Dropbox.exe 1.1.40 (99e6035826ccef09d525b2a025e1d1d7) fails to start with EMET 2.1 ARF enabled. http://forums.dropbox.com/topic.php?id=29640
As noted by David G.1 (above), Dropbox is not compatible with the EAF mitigation of EMET. I can also confirm this for version 1.6.4 (released yesterday) when installed on Windows 7 SP1 64 bit.
Dropbox is compatible with all other mitigations from EMET 3.5 Tech Preview.
For your information, Dropbox works with system wide DEP (Application Opt-Out)(always on) and SEHOP (always on)(Application Opt-Out) applied.
I hope this helps. Thank you.
----------------------------------------------------
Off Topic:
I have submitted a feature request with Dropbox to add DEP, ASLR and /GS security mitigations to Dropbox by default.
https://forums.dropbox.com/topic.php?id=94183
- Edited by JamesC_836 Wednesday, December 12, 2012 2:44 PM Added extra info
Wednesday, December 12, 2012 2:43 PM -
Running EMET 3.5 Tech Preview on Win XP SP3
Microsoft Outlook Express 6.0.2900.5512 crashes on startup if the ROP Caller mitigation is enabled.
If that ROP checkbox is cleared, Outlook Express starts and runs fine (it works well with the other ROP).
Error message generated:
EMET detected Caller Mitigation and will close the application: msimn.exe
EMET ROP checks error. Resume?
CallerCheck Failed:
PID: 0x418/1048
TID: 248
API Name: kernel32.CreateFileW
ReturnAddress: 6CDFC762
CalledAddress: 7C810CD9
StackPtr: 0007F420
- Edited by TaskForceKen Wednesday, January 9, 2013 5:32 AM add software version number (outlook express)
Tuesday, December 18, 2012 5:06 AM -
Windows 7 Ultimate x64:
Possibly since November 2012 Windows Update and update to Windows Essentials 16.4.3505.0912:
- Windows Explorer frequent minor corruption of Videos library by spontaneous addition of Pictures folder to Videos library (have not yet discovered which action/application triggers this).
Possibly since December 2012 Windows Update and addition of Windows Management Framework 3.0:
- Clicking Control Panel links frequently causes Windows Explorer crash with invalid parameter error message.
Disabling EAF for Windows Explorer seems to fix these problems.
Sunday, December 23, 2012 4:28 AM -
Windows 7 64-bit
The ROP caller mitigation causes all my Office 2010 products to crash when accessing mapped network drives.
- Edited by Quitch Sunday, December 23, 2012 11:57 AM
Sunday, December 23, 2012 11:57 AM -
Google Earth appears to work OK, but I noticed that it was showing errors in Windows 8 Action Centre > View Reliability History.
After un-checking SEHOP, the errors no longer appear.
Thursday, December 27, 2012 1:07 AM -
Some technical background for this repeatable issue:
OS: Windows 7 Professional, SP1 (64-bit), up to date patches
EMET: version 3.5
Browser: IE 9.0, ROP protection enabled
Application: SnippingTool.exe, version 6.1.76
Issue: When trying to capture some of the content within Internet Explorer with the Snipping tool, the system freezes and only the Task manager is available. EMET Notifier logs this message:
EMET_DLL module logged the following event:
EMET encountered an error in 'C:\Program Files (x86)\Internet Explorer\iexplore.exe'
CallerCheck Failed:
PID : 0x1508/5384
TID : 1184
API Name : kernel32.VirtualAllocEx
ReturnAddress: 6AF9B294
CalledAddress: 7644D998
StackPtr : 0014DC64
Capturing image with Snipping tool within any other applications or browsers with ROP protection enabled does not result in this error. Ending task for IE through Task Manager unfreezes the system and Snipping shows the captured image; however, ending task for Snipping does not unfreeze the system. EMET asks, "Do you want to resume?" Selecting "Yes" results in more EMET notifications, conversely, selecting "No" keeps the system frozen.
Disabling all ROP mitigation for IE resolves this issue. Removing the check mark for the mitigation identified as "Caller" only also resolves this issue. It seems that Windows SnippingTool.exe application code isn't "secure" and might be the next attack vector for hackers for Windows. In either case, IE should freeze the whole system.
Sunday, December 30, 2012 3:48 PM -
After installing EMET 3.5 on Win7/64. Now AOL will not run. Says out of memory.
I uninstalled EMET, but the problem persists. Clearly EMET is leaving some registry settings behind when it uninstalls.
I went to the advanced system settings control panel, and now I see the DEP settings are all greyed out. I used to be able to turn DEP on and off here, but no longer.
I tried rolling back to a system recovery point before installing EMET, but that was no help.
How do I fix this? Should I reinstall EMET and use it to make an exception of AOL, or what?
How do I get the advanced system settings control panel to let me set DEP settings as it used to?
Can we get EMET fixed so that it uninstalls better?
PS: On a hunch, I reinstalled EMET 3.0, set settings to recommended, then rebooted.
Now AOL works again.
- Edited by FAntonio2 Friday, January 4, 2013 3:20 AM
Thursday, January 3, 2013 9:06 PM -
Hi FAntonio2,
You are correct, AOL will give this error when system wide DEP is enabled. Since the option of turning off system wide DEP is unavailable to you, the following thread may be of assistance to you. From what I can tell these steps only apply to Windows XP:
http://social.technet.microsoft.com/Forums/en/emet/thread/b6a3fbf2-0e2f-43f1-a8ca-9b7c0da2f1b0
The steps that apply for Windows 7 (they should be the same for Windows Vista) are mentioned in the following thread:
I hope the above information is of assistance to you. Thank you.
--------------------------------
EDIT: Thanks for your update FAntonio2. If re-installing EMET and setting it to recommended setting had not resolved the issue, the threads I linked to above would have been the next steps. Thank you for providing the solution that worked for you.
- Edited by JamesC_836 Friday, January 4, 2013 11:43 AM
Friday, January 4, 2013 11:16 AM -
Running EMET 3.5 Tech Preview on Windows XP SP3
Word 2000 SP3 and Excel 2000 SP3 running well with all mitigations on, including the DEP that both the .xml protection profile and the EMET guide listed as incompatible in the later Office XP. Both Word and Excel have all patches up to their end-of-life date in 2009.
Caveat: I have an older Pentium 4 that does not support hardware-based DEP; my DEP is the software-based variant. This might be the reason why DEP did not crash the applications.
Some other software not listed in the EMET guide that are also running all mitigations, with no issues:
Rhapsody 4.0.6.7 (the standalone application for music streaming and searching)
Irfanview 4.3.3.0
Sumatra PDF reader 2.1.1.0
Wednesday, January 9, 2013 5:25 AM -
Setting DEP to Always On in EMET v3.0 and v3.5 causes the following application to not start:
Cisco WebEx Productivity Tools One-Click (ptoneclick.exe) v2800.400.1205.1700
Tuesday, January 15, 2013 8:12 PM -
Add Xobni to that list too. Seemed that no matter what settings I selected in EMET 3.0 or 3.5, Outlook 2010 kept blowing up on startup.
Friday, January 18, 2013 10:04 PM
-
Flash fails to load in Google Chrome 24.0.1312.56 if SEHOP is enabled in application settings (EMET 3.5 on Windows 8 x64).
- Edited by Sand Storm Sunday, January 27, 2013 8:42 AM
Saturday, January 26, 2013 7:52 PM -
Running EMET 3.5 on Windows 7 Professional 32-bit.
MS Money 2005 fails with DEP error.
Outlook 2003 fails when ROP Caller setting is enabled.
Friday, February 1, 2013 4:36 PM -
EMET is closing Explorer.EXE. Fault Module Name: ShellExtensionNative.dll_unloaded
I had this problem with EMET 3.0 and now I still have it with 3.5 Tech Preview. I have EMET configured to opt out explorer.exe for all protection types, but it still crashes and EMET reports it did a DEP mitigation. Looking at the report, it appears there's a shell extension or context menu causing it to crash? Shouldn't the opt-out of explorer.exe prevent this?
EMET_DLL module logged the following event:
EMET detected DEP mitigation and will close the application: C:\Windows\Explorer.EXE
Problem signature:
Problem Event Name: BEX64
Application Name: Explorer.EXE
Application Version: 6.1.7601.17567
Application Timestamp: 4d672ee4
Fault Module Name: ShellExtensionNative.dll_unloaded
Fault Module Version: 0.0.0.0
Fault Module Timestamp: 4d106bed
Exception Offset: 000007fedfc76a59
Exception Code: c0000005
Exception Data: 0000000000000008
OS Version: 6.1.7601.2.1.0.256.1
Locale ID: 1033
Additional Information 1: 2264
Additional Information 2: 2264db07e74365624c50317d7b856ae9
Additional Information 3: 4ad6
Additional Information 4: 4ad6e4750e042fff050fdb2aa067881f
Friday, February 1, 2013 5:14 PM -
Hi Lucas Z.,
I would suggest simply removing explorer.exe from being protected by EMET. I have not seen this included on any tried and tested list of applications to protect with EMET since explorer.exe is a crucial process that must remain stable.
Since you are running Windows 7 64 bit (your exception shows this, namely BEX64 and Application Version: 6.1.7601.17567. 6.1.7601 is Windows 7 with SP1) explorer.exe already has DEP, ASLR and /GS (Guard Stack) v2 enabled and this should be enough protection.
Here are 2 examples of such lists of applications to protect. The first link cautions you about what applications you add to the list, especially for operating system processes.
http://www.rationallyparanoid.com/articles/microsoft-emet-3.html
http://krebsonsecurity.com/tools-for-a-safer-pc/
If you wish to troubleshoot this issue further, please create a new thread (topic) in this forum.
Thank you.
- Edited by JamesC_836 Monday, February 4, 2013 6:11 PM Added further info
Friday, February 1, 2013 8:14 PM -
LogMeIn Rescue Technician Console (LMIRTechConsole.exe) fails if ROP Caller is enabled.
Log Name: Application
Source: EMET
Date: 2/26/2013 2:03:19 AM
Event ID: 2
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: XXXXXXXX
Description:
EMET_DLL module logged the following event:
EMET encountered an error in 'C:\Program Files\LogMeIn Rescue Technician Console\LogMeInRescueTechnicianConsole_x86\LMIRTechConsole.exe'
CallerCheck Failed:
PID : 0x5DC/1500
TID : E48
API Name : kernel32.CreateFileW
ReturnAddress: 004D6104
CalledAddress: 771AE8A5
StackPtr : 0012EF84
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="EMET" />
<EventID Qualifiers="0">2</EventID>
<Level>2</Level>
<Task>0</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2013-02-26T07:03:19.000000000Z" />
<EventRecordID>194249</EventRecordID>
<Channel>Application</Channel>
<Computer>XXXXXXXX</Computer>
<Security />
</System>
<EventData>
<Data>EMET_DLL module logged the following event:
EMET encountered an error in 'C:\Program Files\LogMeIn Rescue Technician Console\LogMeInRescueTechnicianConsole_x86\LMIRTechConsole.exe'
CallerCheck Failed:
PID : 0x5DC/1500
TID : E48
API Name : kernel32.CreateFileW
ReturnAddress: 004D6104
CalledAddress: 771AE8A5
StackPtr : 0012EF84</Data>
</EventData>
</Event>
Tuesday, February 26, 2013 3:33 PM -
Hi RDinerman,
Does this error still occur if you disable the Caller Checks mitigation of EMET 3.5 Tech Preview?
Thanks.
Wednesday, February 27, 2013 10:40 AM -
No. Disabling Caller Checks allows the program to work without issue. This is the workaround.
Saturday, March 16, 2013 10:37 PM
-
Hi RDinerman.
Thanks for the additional information.
Sunday, March 17, 2013 9:58 PM -
Thanks James! That appears to have worked.
Thursday, March 21, 2013 2:34 PM
-
Hi Lucas Z. _,
You are more than welcome. I am really glad that helped.
Thanks.
Thursday, March 21, 2013 9:10 PM -
McAfee H-IPS incompatibility, causing all applications to fail to launch when enabled with EMET v4 Beta.
Did not affect EMET v3.5 Tech Preview
- Edited by Nullsec Tuesday, April 23, 2013 5:02 AM
Tuesday, April 23, 2013 5:01 AM -
I am using EMET v4 on windows 7 32bit with IE 10. I had to uncheck ROP Caller for iexplorer to stop pop up errors every time I restarted the computer and opened IE. No more pop ups after the uncheck, here is a sample of the type of error
Application Name: C:\Program Files\Internet Explorer\iexplore.exe
CallerCheck Failed:
PID : 0xF74/3956
TID : B68
API Name : kernelbase.LoadLibraryExW
ReturnAddress: 6FFF0D2C
CalledAddress: 7606B8B1
StackPtr : 0331BB90
Also I registered on this site to post this and wanted to make the error a screen shot but every time I try it gives me an error about I am not allowed to add photo till my account email is checked. I set up alert me and received a confirm email. It has not been 24 hours, do you have to wait longer or can someone tell where to write to get this fixed. thanks Lynn
EDIT I did not know about registry files to delete. So uninstalled, only found one registry file to delete the, HKLM\Software\Microsoft\EMET. And then reinstalled, so far no errors. I have started another post about settings to import.
- Edited by Lynn53 Wednesday, April 24, 2013 1:35 PM
Wednesday, April 24, 2013 7:17 AM -
Hi Lynn53,
Thanks for highlighting this issue.
Due to the variety of add-ons that Internet Explorer may have installed, an incompatibility with a mitigation can be expected. Thanks for pointing out which mitigation you disabled in order to resolve this.
What you describe in relation to the registry keys sounds fine. Another forum user, Quitch mentioned this in the following thread:
http://social.technet.microsoft.com/Forums/en-US/emet/thread/56d4edf8-f250-4aea-9c93-72a25d5bfd0e
I have also only found 1 registry key that was present to delete.
- Edited by JamesC_836 Wednesday, April 24, 2013 3:52 PM
Wednesday, April 24, 2013 2:42 PM -
Hi JamesC_836, after importing the Popular and Recommended settings started getting the pop ups again. Removed the checkmark for ROP Caller iexplorer and they have again stopped. Just wanted to report this for others.
Should add that the checkmark had been added with the new install of EMET that I did.
- Edited by Lynn53 Wednesday, April 24, 2013 3:50 PM
Wednesday, April 24, 2013 3:48 PM -
Hi Lynn53,
Thanks for your update.
In an effort to narrow down what is causing Internet Explorer to close due to the ROP Caller Checks mitigation, would you be willing to re-enable this mitigation and try to use Internet Explorer without add-ons? This is a temporary mode of Internet Explorer.
If Internet Explorer continues to work correctly in this mode, you will then have determined that an add-on for Internet Explorer is causing this issue. The support article linked to below describes how to do this. Disabling add-ons one by one is also mentioned.
http://windows.microsoft.com/en-ie/windows7/how-do-browser-add-ons-affect-my-computer
While not every security mitigation of EMET is compatible with every add-on, if the name of the specific add-on causing the issue can be determined, it may be possible to fix this compatibility issue.
Alternatively you can simply leave the ROP Caller Checks mitigation disabled and continue to use Internet Explorer as normal.
I hope this helps. Thank you.
- Edited by JamesC_836 Wednesday, April 24, 2013 4:53 PM
Wednesday, April 24, 2013 4:08 PM -
Hi JamesC_836 , Yes sounds easy enough to try just will take some time. I will report back when done. Lynn
Wednesday, April 24, 2013 4:36 PM
-
Well I disabled all IE add ons and was still getting the errors. I have four computers, the one with the problem is an old vista that I installed a fresh windows 7 so I would not have all that useless junk. I also use it for testing and learning as the reason this is the only one with EMET v4 the others have v3. I have Winpatrol Plus program I have been trying out, I stop it from loading at startup and thought that was the problem so uninstalled it but now am still getting the errors, so that was not the problem. So I have eliminated the IE add ons and Winpatrol as the problem. The only other thing I can think of is I have Avast Pro antivirus. What do you think I should try next JamesC_836.
Edit, disabled Avast and still getting error, so Avast has been eliminated as the problem.
- Edited by Lynn53 Wednesday, April 24, 2013 7:00 PM
Wednesday, April 24, 2013 6:39 PM -
Hi Lynn53,
Thanks again for your update and for the thoroughness of your testing.
Among my PCs, I also have a Windows Vista 64 bit SP2 PC with EMET v3 loaded. I have found that settings that work perfectly on Windows 7 64 bit do not work as well for Vista. I am not sure exactly why this is. I have had to customize EMET settings to keep 3rd party programs on Vista working smoothly.
My advice would be to leave the mitigations disabled that are causing the issues. This is an advantage of EMET it can provide extra protection while maintaining compatibility/usability by simply turning off mitigations that crash programs. The settings that you mentioned earlier today seemed to work very well.
Thanks for testing and eliminating Avast and WinPatrol as potential causes. Please feel free to re-enable Avast and re-install WinPatrol and set them up as you have found to work best for you. Please also feel free to use Internet Explorer as normal with EMET settings that do not cause it to crash but still provide the best protection. Apologies for any inconvenience that this testing has caused.
I am sorry that I can’t provide more specific advice but with the different combinations of programs that each of us use we need to find what settings work best for us and continue to use them.
I have marked your above post as helpful since you have carried out a lot of testing which will benefit others.
If I can provide any further assistance, please let me know. Thank you.
Wednesday, April 24, 2013 7:29 PM -
Thank You, I enjoy the learning. Lynn
Wednesday, April 24, 2013 7:36 PM -
Windows 7 Professional 32-bit
EMET 4.0 Technical Preview System Settings settings as follows,
DEP - Always On
SEHOP - Application Opt Out
ASLR - Always On
Certificate Trust - Enabled.
Regression testing against 3.5 results in,
Outlook 2003 now works fine whereas in EMET 3.5 it failed when ROP caller check was active, so something fixed/changed.
MS Money 2005 UK now fails with Caller Check error but in EMET 3.5 it failed with a DEP error.
Currently happy to switch ROP caller checking off for this application.
Everything else looks good.
Friday, April 26, 2013 2:00 PM -
Every couple of days a random Windows 7 64 bit user will have an issue when running EMET 3.0 and Microsoft Office 2010 looking at a known good document, where one of the Office apps they are using will crash with a DEP error when opening or closing the application. This is logged in the Windows Application logs as an Error:
Source: EMET
Event ID: 2
EMET_DLL module logged the following event:
EMET detected DEP mitigation and will close the application: C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
The next second, another log will be generated:
Source: Application Error
Event ID: 1000
Faulting application name: WINWORD.EXE, version: 14.0.6129.5000
Faulting module name: log4cxx.dll_unloaded, version: 0.0.0.0
Exception code: 0xc0000005
Faulting application path: C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
Faulting module path: log4cxx.dll
This has happened for "Faulting module path" values of: log4cxx.dll, unknown, PGPlsp.dll, and others. The Office application may be different for each.
This seems non-repeatable but an occasional random occurrence.
- Edited by Chris Covington LOGIS Tuesday, April 30, 2013 10:01 PM
Tuesday, April 30, 2013 10:00 PM -
Hi Chris,
The log4cxx.dll is a DLL related to Nero CD/DVD Authoring software and is included with Nero Burning ROM. It is possible that this DLL is being loaded by Word 2010 through an Add-in (another less likely possibility is that this DLL is being loaded into Word via the AppInit_DLLs value within the Windows Registry since Word does load user32.dll).
Please find below links describing how to disable such add-ins. This should prevent Word from crashing in the future.
http://www.itechtalk.com/thread8986.html
http://support.microsoft.com/kb/921541
PGPLsp.dll is related to the Symantec PGP Desktop encryption product. Since this provides encryption for sensitive data, I would advise against removing this particular add-in.
If the Windows Registry is being used to load these DLLs additional steps will be necessary to remove them.
I hope this helps. Thank you.
- Edited by JamesC_836 Wednesday, May 1, 2013 11:34 AM
Wednesday, May 1, 2013 10:01 AM -
Thanks for the help James!
Friday, May 3, 2013 9:19 PM
-
You're welcome, Chris.
I am not sure if what I mentioned about add-ins for Microsoft Office helps or not. If you need the functionality they offer, the only remaining option is to disable the DEP mitigation of EMET for any Office application that uses these add-ins. Also ensure that system wide DEP is set to Application Opt-in (or essential Windows programs and services only option within the Windows Control Panel).
Thanks.
Saturday, May 4, 2013 3:42 PM -
We have identified one Office EMET 3.0 DEP issue as correlating with a separate Cisco Click to Call plug-in error in the OS application logs. Other EMET Office 2010 OS application crash logs, mostly DEP related, occur every now and then across our workstations randomly and non-repeatedly with known good documents and have no correlated plug-in OS application log messages, so I am unable to troubleshoot.
Tuesday, June 11, 2013 1:10 PM
-
Salesforce Chatter Desktop crashes on startup when ROP is enabled along with the Deep Hooks setting.
Faulting application name: Chatter Desktop.exe, version: 0.0.0.0, time stamp: 0x51817ac0
Faulting module name: EMET.DLL, version: 4.0.0.0, time stamp: 0x51ba563b
Exception code: 0xc0000005
Fault offset: 0x0004ef31
Faulting process id: 0x17c8
Faulting application start time: 0x01ce6d8d96c4e29f
Faulting application path: C:\Program Files (x86)\salesforce.com\Chatter Desktop\Chatter Desktop.exe
Faulting module path: C:\Windows\AppPatch\EMET.DLL
Report Id: d6b00a34-d980-11e2-bb4b-74e543520225
EMET does not display a notification when this occurs.
Thursday, June 20, 2013 8:17 AM -
I had EMET V3.5 Tech Preview installed for a long time on Windows 7 and since inception on Windows 8 with no problems.
I uninstalled V3.5, restarted Windows 8 and installed V4.0.4913.26122 and all of: Adobe Acrobat, Lenovo Hot Spot Service, Skype C2C Service, Internet Explorer and DU Meter failed with KERNELBASE.dll errors. Acrobat and Internet Explorer would not even start.
I had installed V4 with Recommended Settings.
I uninstalled V4, restarted, and reinstalled V3.5 Tech Preview. This substantially reduced the errors.
I again uninstalled V3.5 and this time removed the two EMET Registry Keys. I restarted and installed EMET V4 with no setup.
I then added about a dozen and a half programs manually: All of Office 2013 including ONENOTEM, Adobe, both iexplore (32 and 64), Java, and jusched, integratedoffice, and PopPeeper (email daemon). I then imported the certificates file.
Time will tell if this bizarre and worthless Windows 8 system will just keep crashing.
With over 150 processes and 12 flags, adding one each day to test will take 1800 days to set it up. EMET V4 was not made for mortal human beings and yet mortal human beings are precisely the ones that need it.
Friday, June 21, 2013 1:26 AM -
Windows XP SP3, all Updates. Office 2010, all Updates. We installed EMET 4.0 last night, used standard settings and could not open Outlook any more. After we uninstalled EMET all was well again.
Event Error "EMET 2"
Application Name: C:\Programme\Microsoft Office\Office14\OUTLOOK.EXE
CallerCheck Failed:
PID : 0x788/1928
TID : 124C
API Name : kernel32.CreateFileW
ReturnAddress: 21872340
CalledAddress: 7C810CD9
StackPtr : 0013E4E8
Event Warning "EMET 1"
"Error Sending Telemetry Data: Config Not Initialized"
Friday, June 21, 2013 8:30 AM -
We had used "recommended settings" as well as "normal settings". I don't remember the exact names of these two any more.
Friday, June 21, 2013 8:32 AM
-
Foxit Reader version 6.0.3.0524 crashes on startup unless SEHOP is disabled for it.
Running EMET version 4.0.4913.26122 on Windows 7 Ultimate 64-bit
Edit: The FoxIt crash with SEHOP does not happen on a second PC, all the versions are the same, the only difference is the working system has a Core 2 Duo CPU and the problem PC is a workstation with dual older XEON CPUs. We've had several other applications that acted up on that XEON PC, in one case it was tracked down to a libgnutls26 bug that only happened on CPUs that have MMX but not SSE2.
- Edited by jh_314159 Friday, June 28, 2013 7:41 PM additional info
Thursday, June 27, 2013 8:10 PM -
TeamViewer (8.0.19045) crashes if the ROP mitigation "Caller checks" is enabled (using EMET 4.0.4913.26122). You need to disable it for both "TeamViewer.exe" and "TeamViewer_Service.exe". All the other mitigations can be enabled. Also you can enable all mitigations for "TeamViewer_Desktop.exe", "tv_w32.exe" and "tv_x64.exe".
Application Name: C:\Program Files (x86)\TeamViewer\Version8\TeamViewer.exe
CallerCheck Failed:
PID : 0xC0C/3084
TID : B4C
API Name : kernel32.LoadLibraryExW
ReturnAddress: 0101A299
CalledAddress: 759C4945
StackPtr : 0016F274
Application Name: C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe
CallerCheck Failed:
PID : 0x12A0/4768
TID : A94
API Name : kernel32.LoadLibraryExW
ReturnAddress: 00B11CDA
CalledAddress: 759C4945
StackPtr : 002DF9DC
Wednesday, July 3, 2013 4:27 AM -
AQTime 7 by SmartBear is a .exe profiling application used by software developers.
I cannot disable the "SimExecFlow" check for this application, no matter what I try.
I added an entry to AQTime.exe and all other *.exe files installed by the application. I disabled all mitigations for all these executables. But when I start AQTime, EMET always detects a SimExecFlow, even if that checkbox is off.
The only way I can run AQTime is to switch from "Stop On Exploit" to "Audit Only". EMET will display the "SimExecFlow" detection for AQTime.exe but the application itself continues and works as expected.
Lit Window Productions
Wednesday, July 3, 2013 6:31 AM -
Please consider the following "EMET 4.0: Configuration issues with XML profile" bug report: http://social.technet.microsoft.com/Forums/en-US/d3d8c845-20b1-46eb-91e6-d9f34ca1b302/emet-40-configuration-issues-with-xml-profile
Thursday, July 4, 2013 2:37 AM
-
EMET 4.0 with Outlook 2010 & CRM 2011 Plugin - Outlook crashing -stackpivot to fix
Thursday, July 4, 2013 4:28 PM
-
New today.
Windows 7 x64 SP1
EMET 3.0. MS default config as installed - all opt in.
Google Chrome major version 28 completely broken by EMET 3.0. Google Chrome calendar major version 27 broken by same.
Solution: Disable SEHOP protection for chrome.exe. Fixed!
Thursday, July 11, 2013 4:30 PM -
Ubisoft Uplay (uplay.exe) crashes when launching unless "Caller" is unchecked in EMET.
Sunday, July 14, 2013 3:54 PM
-
I had the same issue. Seems to be fixed in EMET 4.0. Able to enable all protection for chrome without any issue (so far so good). Windows 7 32-bit SP1
Friday, July 19, 2013 8:49 AM
-
I had same issue (same IE, same OS 32-bit, same EMET version). For me, I had to disable SEHOP. I have disabled all add-ons.
Problem signature:
Problem Event Name: APPCRASH
Application Name: iexplore.exe
Application Version: 10.0.9200.16635
Application Timestamp: 51b7a921
Fault Module Name: KERNELBASE.dll
Fault Module Version: 6.1.7601.18015
Fault Module Timestamp: 50b83b16
Exception Code: 0000071a
Exception Offset: 0000812f
OS Version: 6.1.7601.2.1.0.256.48
Locale ID: 17417
Problem signature:
Problem Event Name: APPCRASH
Application Name: iexplore.exe
Application Version: 10.0.9200.16635
Application Timestamp: 51b7a921
Fault Module Name: KERNELBASE.dll
Fault Module Version: 6.1.7601.18015
Fault Module Timestamp: 50b83b16
Exception Code: 800706ba
Exception Offset: 0000812f
OS Version: 6.1.7601.2.1.0.256.48
Locale ID: 17417
Additional Information 1: b628
Additional Information 2: b6287eb38608c03c51f0e30bc059b95b
Additional Information 3: dda5
Additional Information 4: dda5a25c34804fd8baa0fa966fea80b9
- Edited by Larry Patch Friday, July 19, 2013 9:18 AM added 32-bit
Friday, July 19, 2013 9:18 AM -
Acrobat Reader always hangs and eventually closes itself with EMET 4.0 installed. Works just fine when SEHOP is disabled for AcroRd32.exe.
Thursday, August 15, 2013 9:43 AM
-
Brocade Switch configuration and other Java Web Start Applets:
"could not create the java virtual machine" caused by EMET 4.0 HeapSpray Mitigation.
Solution: disable Heap Spray Mitigation for javaw.exe
- Edited by Christoph von Wittich Tuesday, August 20, 2013 2:04 PM
Tuesday, August 20, 2013 12:08 PM -
Angebotsassistent e-Vergabe (http://www.evergabe-online.de/) does not work as long as EMET 4.0 is installed.
Disabling all Mitigations does not seem to help - but it works again after EMET 4.0 is uninstalled.
Tuesday, August 20, 2013 2:06 PM -
Yahoo Messenger will not start with the DEP mitigation enabled. EMET does not present an error or a log when this happens.
EMET 4.0
Win7 Pro 64-bit
Tuesday, August 20, 2013 7:07 PM -
The Think Cell addon for Powerpoint will trigger a Caller mitigation when importing data from Excel. This will cause EMET to close Excel. Disabling the Caller mitigation resolved this issue.
EMET 4.0
Win7 Pro 64-bit
Wednesday, August 28, 2013 6:52 PM -
I have seen the same thing with Outlook and a specific add-in. EMET stops Outlook due to SimExecFlow. Disable SimExecFlow, same issue. Disable all mitigations, SAME ISSUE. The only way around is to completely remove the process from EMET. Currently working with Microsoft on this issue, I will update you if we get a resolution.
Wednesday, September 11, 2013 11:31 PM
-
The PhonerLite VoIP softphone (http://www.phonerlite.de/download_en.htm) in its current version 2.11 gets prevented from starting up by the EMET's "SimExecFlow".
See following forum thread for details: http://www.forum.phoner.de/YaBB.pl?num=1379779020
Tuesday, September 24, 2013 4:39 PM -
If you boot with a Windows Mobile device connected (at least when connected via USB), Windows Mobile Device Center (v6.1.6965) crashes on startup. You can start WMDC once the system has finished startup, and you can plug a device in after startup, either way WMDC will work fine. But if you start up with a device attached, WMDC will try to start and will crash. This is with EMET 4.0 on Windows 7 Ultimate x64. Did not have this problem until after EMET was installed. WMDC services are set for Auto (delayed) start. WMDC is running under EMET with all mitigations enabled.
Also Speedfan 4.49 will not run under EMET. It fails with a SimExecFlow error. And seems to "load" in EMET twice or something. I had to disable all mitigations and remove it in the list in the Applications Configuration window, and again in the Running Processes list in the main window. I tried adding each mitigation separately, to see if a specific mitigation was the issue, but it simply would not work if any of the mitigations were enabled in EMET. Same computer as the WMDC issue.
Saturday, September 28, 2013 6:23 PM -
mmc.exe with AGPM 4.0 crashes when I switch to "Change Control" section. Fixed by unchecking EAF for mmc.exe.
http://kf.lj.ru
Sunday, October 27, 2013 4:43 PM -
Chrome 31.0.1650.58 does not load tabs/websites, Mitigation "Caller" causes this problem.
I had this issue on several computers. Can't say for now whether it's new with Chrome 31 or EMET 4.1, since both updates were installed at the same time. Maybe someone else has this problem, too.
cu, Ingo
Wednesday, November 13, 2013 10:14 PM -
multiple DEP alert on Word 2013 (EMET 4.1 default values/Windows 7 64bits./INTEL Core2quad Q9950)
Friday, November 15, 2013 5:27 PM -
Adobe Acrobat 8.3.1.289
Windows XP SP3
EMET 4:
EMET Detected caller mitigation and will close the application: acrobat.exe
But, the notice is erroneous: It occurs after I disable Caller for Acrobat & it does not close acrobat. Additionally, the notice is set off when acrobat is launched without a pdf.
Tuesday, November 19, 2013 7:35 PM -
Windows 7 x64
Office 2010
We are seeing stackpivot mitigations for Outlook.exe for those users that have the MS CRM Plugin for Outlook installed FYI. All MS products and apparently not playing nicely.
StackPivot check failed:
Application : C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
User Name : DOMAIN\USER
Session ID : 1
PID : 0x384 (900)
TID : 0x10C (268)
API name : kernel32.CreateFileMappingA
ReturnAddress : 0x63474146
CalledAddress : 0x769D54A6
Thread stack area range: [0x18EC9000..0x18ED0000]
StackPtr : 0x18EC5744
Thursday, November 21, 2013 1:16 PM -
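The EMET event bodies quoted in this thread come in two layouts ("CallerCheck Failed:" and "StackPivot check failed:"). The Python below is an added example, not part of any post and not Microsoft tooling: it parses both layouts, tallies which mitigation fired for which executable, and checks whether a logged StackPtr lies inside the logged thread stack area range. The function names are hypothetical, and the sample text is re-typed from posts in this thread with one field per line.

```python
import re
from collections import Counter

# Event bodies re-typed from posts in this thread, one field per line.
SAMPLE_EVENTS = [
    r"""Application Name: C:\Programme\Microsoft Office\Office14\OUTLOOK.EXE
CallerCheck Failed:
PID : 0x788/1928
TID : 124C
API Name : kernel32.CreateFileW
ReturnAddress: 21872340
CalledAddress: 7C810CD9
StackPtr : 0013E4E8""",
    r"""Application Name: C:\Program Files (x86)\TeamViewer\Version8\TeamViewer.exe
CallerCheck Failed:
PID : 0xC0C/3084
TID : B4C
API Name : kernel32.LoadLibraryExW
ReturnAddress: 0101A299
CalledAddress: 759C4945
StackPtr : 0016F274""",
    r"""StackPivot check failed:
Application : C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
PID : 0x384 (900)
TID : 0x10C (268)
API name : kernel32.CreateFileMappingA
ReturnAddress : 0x63474146
CalledAddress : 0x769D54A6
Thread stack area range: [0x18EC9000..0x18ED0000]
StackPtr : 0x18EC5744""",
]

# "CallerCheck Failed:" -> "Caller", "StackPivot check failed:" -> "StackPivot",
# matching the mitigation names used in the EMET application settings.
HEADER = re.compile(r"^\s*(\w+?)\s*(?:check\s+)?failed:", re.I | re.M)
FIELD = re.compile(r"^\s*([A-Za-z ]+?)\s*:\s*(.*)$")
RANGE = re.compile(r"\[(0x[0-9a-f]+)\.\.(0x[0-9a-f]+)\]", re.I)


def _hex(value):
    """EMET prints addresses as hex, with or without a 0x prefix."""
    try:
        return int(value.split()[0], 16)
    except (AttributeError, IndexError, ValueError):
        return None


def parse_emet_event(text):
    """Return a dict describing one EMET ROP-check event, or None."""
    header = HEADER.search(text)
    if header is None:
        return None
    fields = {}
    for line in text.splitlines():
        match = FIELD.match(line)
        if match and match.group(2).strip():
            # Normalise "API Name" / "API name" / "StackPtr " to one key form.
            key = match.group(1).lower().replace(" ", "")
            fields[key] = match.group(2).strip()
    app = fields.get("applicationname") or fields.get("application", "")
    event = {
        "mitigation": header.group(1),
        "application": app,
        "exe": app.rsplit("\\", 1)[-1].lower(),
        "api": fields.get("apiname"),
        "return_address": _hex(fields.get("returnaddress")),
        "called_address": _hex(fields.get("calledaddress")),
        "stack_ptr": _hex(fields.get("stackptr")),
        "stack_range": None,
    }
    rng = RANGE.search(fields.get("threadstackarearange", ""))
    if rng:
        event["stack_range"] = (int(rng.group(1), 16), int(rng.group(2), 16))
    return event


def stack_ptr_in_range(event):
    """True/False if the event logs a stack range, None if it does not."""
    if event["stack_range"] is None or event["stack_ptr"] is None:
        return None
    low, high = event["stack_range"]
    return low <= event["stack_ptr"] < high


def tally(texts):
    """Count events per (executable, mitigation) to scope per-app opt-outs."""
    counts = Counter()
    for text in texts:
        event = parse_emet_event(text)
        if event:
            counts[(event["exe"], event["mitigation"])] += 1
    return counts


if __name__ == "__main__":
    for (exe, mitigation), n in sorted(tally(SAMPLE_EVENTS).items()):
        print(f"{exe:20} {mitigation:12} {n}")
    pivot = parse_emet_event(SAMPLE_EVENTS[2])
    print("StackPtr inside logged stack range:", stack_ptr_in_range(pivot))
```

A tally like this keeps any opt-out scoped to the one executable and the one mitigation that actually fired, rather than disabling every check for an application.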
I'm also experiencing a "SimExecFlow" error when using a specific application - even if all mitigations have been turned off. You have to actually remove the app from the apps list. The apps concerned are the DirectShow filters subsumed under the name "LAV Filters" (https://code.google.com/p/lavfilters/). If their ffmpeg part is compiled using gcc 4.8.x EMET will close them upon start. I'm testing it with the MPC-HC media player 1.7.1 (it comes with LAV Filters built in, so you don't have to download those extra), download below:
http://mpc-hc.org/downloads/
Tested with EMET 4.0 and EMET 4.1 under Windows 7 x64 SP1.
To reproduce:
Add mpc-hc to EMET list (or possibly other DirectShow players), open mpc-hc and make it use one of the LAV Filters by opening a file that needs them or changing their settings. (For the built-in ones: Options>Internal Filters>[one of the buttons at the bottom])
- Edited by mwellm Sunday, December 1, 2013 11:49 PM
Sunday, December 1, 2013 11:14 PM -
I'm having reports from all our developers on the following Emet 4.1 issue:
- Windows 7 64bit
- EMET 4.1
- Visual Studio 2010 (32 bit)
- Internet Explorer 9 32bit
- Silverlight 5 (5.1.20913.0)
- F5 in Visual Studio, builds and attaches to IE for Silverlight debugging, loads start page hosting Silverlight plugin
Result is silent end of IE process
No log.
Disabling all EMET checks does not resolve.
Uninstalling EMET resolves.
Monday, December 2, 2013 1:22 PM -
On my Win7 w/ Office 64bit machine Excel crashes on launch with EMET 4.1. Problem with the Excel MS Power Query November update add-in. Disabled all mitigations but same result. Un-installing EMET fixes.
Wednesday, December 4, 2013 11:38 PM -
ArcSoft TotalMedia Theatre 6.5.1.150
Application crashes when trying to play a Blu-Ray disk with java apps on it. Caused by system-enabled DEP. The only workaround is to set system DEP setting to Application Opt In.
http://kf.lj.ru
Sunday, December 15, 2013 10:45 PM -
The Certificate Pinning feature conflicts with Comodo's certsentry (it's bundled with the installer version of Comodo Dragon), which causes lots of programs to fail to connect to the internet properly and instead connect to "no-dns-yet.ccanet.co.uk".
Disabling the feature or uninstalling certsentry (i.e. uninstall Dragon & re-install Dragon portable version) immediately solves the problem.
Somehow, when both are enabled and the system is restarted, the conflict does not seem to appear immediately, but seems to need several hours to produce the problem.
Sorry for poor English!
Tuesday, December 17, 2013 6:54 AM -
I'm having reports from all our developers on the following Emet 4.1 issue:
I'm not sure if this is similar or not, since our issue logs to the Windows OS Application log, but just in case -
Our programmers who use Visual Studio with Internet Explorer applications and set breakpoints will trigger EMET EAF mitigation after pressing F10. To fix that, we put that PC in its own OU inside its present OU, and then created a group policy for an OU with the following settings:
Default Protections for Internet Explorer: Disabled
Application Settings: Enabled & Show…. (note: no spaces before the asterisk):
*\Internet Explorer\iexplore.exe -EAF
- Edited by Chris Covington LOGIS Friday, December 27, 2013 8:17 PM
Friday, December 27, 2013 8:15 PM -
Yuki2718,
This problem can be solved as follows: at the command prompt as Administrator, run regsvr32 /u certsentry.dll, and prohibit execution of certsentry_setup.exe in Group Policy. Though of course it is a crutch.
- Edited by Oleg Divov Thursday, September 15, 2016 11:30 AM
Saturday, December 28, 2013 1:07 PM -
EMET 4.0 with Outlook 2010 & CRM 2011 Plugin - Outlook crashing -stackpivot to fix
I realize I can disable the stackpivot check however what if there is a real stackpivot vul that isn't CRM related? We would be unprotected. That and I thought MS products were EMET certified? I suppose I can ask them...
In fact EMET isn't actually closing outlook when the stackpivot mitigation happens. We are just getting a lot of EMET alert (noise) emails.
Friday, January 17, 2014 7:45 PM -
Outlook 2007
SalesForce For Outlook plugin
https://na9.salesforce.com/setup/crmforoutlook/bin/SalesforceForOutlook.exe
Login to SalesForce via the plugin. Outlook will crash and notify user about SimExecFlow. Turning this option off gets rid of the error.
My idea of a party is a virtualization server and a room of TechNet DVDs
Tuesday, January 21, 2014 10:59 PM -
Turns out a reinstall of the CRM plugin fixed some cobwebs and EMET is no longer alerting on Stackpivot.
I'd also like to point out that telling people to just turn off the mitigation kind of defeats the purpose of EMET. It is there to let you know you have some software doing bad (malware-like) things...and the correct action would be to fix said software. In the case of Outlook, I did not want to turn off any mitigations. Perhaps for small corner case LOB apps that is more doable.
Wednesday, January 29, 2014 6:06 PM -
Hi,
I would like to report the following:
Netbook with Intel Atom CPU
OS : Windows 7 Starter (32Bit)
EMET 4.1
======
System-Wide Configuration:
------------------------------
DEP - App-Opt-Out (instead of App-Opt-In)
SEHOP - App-Opt-In
ASLR - App-Opt-In
CERT TRUST - Enabled
Application/Trust Certificate Configurations:
-----------------------------------------------
Default Profiles provided via installed deployment folder:
Popular Software.xml
CertTrust.xml
and manual additions of other installed applications.
Reporting Options:
--------------------
Windows Event Log - On
Tray Icon - On
Early Warning - On
Problem : Palemoon Version 24.3.0 (Atom) internet browser starts as indicated by Task Manager but does not launch. No alerts by EMET Agent Tray Icon.
Offending Mitigation : ROP - SimExecFlow.
Solution Applied : Unchecked ROP - SimExecFlow Mitigation.
Hope this information helps other users.
Friday, January 31, 2014 11:16 AM -
Just as an FYI I've started a spreadsheet with issues. If you could when reporting add them to the spreadsheet it will help the community and us (MSFT) to tailor installs to our organizations as well as help drive to resolution issues that are encountered.
http://social.technet.microsoft.com/wiki/contents/articles/22931.emet-known-application-issues-table.aspx is the wiki page however due to formatting issues the actual data is hosted in an Excel Web Page instead located at
http://sdrv.ms/LS9PNV which should be open to all to edit. Try to fill in fields as much as possible to help out when you encounter app issues. The first page in the workbook is EMET mitigations which are the specific emet.dll injection mitigations provided to applications, the 2nd page is the System-Wide Mitigations (DEP/SEHOP/ASLR) which realistically are not EMET however can be controlled by EMET so if you do have a system-wide protection mechanism crash post it on the 2nd page.
Thanks for your help with this :)
Kurt Falde
MSFT
CSS Security Support Engineer (FCS/MBSA/WUA/Incident Response/FOPE) Check out my blog http://blogs.technet.com/kfalde or better yet check out http://technet.com/wiki and start contributing :)
Thursday, February 6, 2014 6:22 PM -
I want to bring to your attention:
Settings for Vlc.exe are proposed in popular software.xml
Up to version 2.1.2 of vlc those settings are compatible.
vlc 2.1.3 is not compatible with SimExecFlow.
EMET notification: "EMET detected SimExecFlow mitigation and will close the application: vlc.exe"
right after vlc.exe start.
This has been reported as h...://social.technet.microsoft.com/Forums/security/en-US/b603ecaa-441c-4256-8f3f-ce5c33e3723a/
There are also posts about this incompatibility as
h...://trac.videolan.org/vlc/ticket/10583
and as
h...://forum.videolan.org/viewtopic.php?f=14&t=117231
As the incompatible setting is part of a proposed and predefined set of settings this might be of interest for you.
- Edited by happywing93 Wednesday, February 19, 2014 7:56 AM
Wednesday, February 19, 2014 7:55 AM -
Your EXCEL ONLINE spreadsheet should be formatted as a table in order to let everyone be able to see table headers, even if doing edits in high numbered rows.
"Format as table" is available in web interface but there seems to be no obvious way to correct/revert table format for "everyone" users.
So it might be necessary for Support personnel to have a look at that table and think of a practical solution for this comfort/accessibility problem/feature.
Thank you.
- Edited by Riopantr193 Friday, February 21, 2014 4:07 PM
Friday, February 21, 2014 4:05 PM -
Windows 7 x86 SP1, EMET 5.0 Technical Preview, system settings: DEP=Opt In, SEHOP=Opt In, ASLR=Opt In, CertTrust=Enabled.
1) Adobe Reader 11.0.6 hangs on opening the document due to EAF being enabled by default; when EAF is disabled, it crashes on exit
Problem signature:
Problem Event Name: APPCRASH
Application Name: AcroRd32.exe
Application Version: 11.0.6.70
Application Timestamp: 52b528e2
Fault Module Name: EMET.DLL
Fault Module Version: 5.0.0.0
Fault Module Timestamp: 530b82f5
Exception Code: c0000005
Exception Offset: 0002b5cb
OS Version: 6.1.7601.2.1.0.256.1
Locale ID: 1049
Additional Information 1: 45fc
Additional Information 2: 45fc2d309b68ba45f0ab6d26aa89f613
Additional Information 3: 2126
Additional Information 4: 212673e4d3966f14628a4684356d1887
2) Internet Explorer 10 while logging in to this very forum thread crashed twice:
Problem signature:
Problem Event Name: APPCRASH
Application Name: iexplore.exe
Application Version: 10.0.9200.16798
Application Timestamp: 52ec7da1
Fault Module Name: EMET.DLL
Fault Module Version: 5.0.0.0
Fault Module Timestamp: 530b82f5
Exception Code: c0000005
Exception Offset: 0002ad98
OS Version: 6.1.7601.2.1.0.256.1
Locale ID: 1049
Additional Information 1: bda1
Additional Information 2: bda121a38238ccf5ccb8b5cefddc9000
Additional Information 3: 2e07
Additional Information 4: 2e073306618385ff80227a2109092d69
Wednesday, February 26, 2014 8:10 AM -
Microsoft Office Word 2003 (11.0.8409.8405) SP3 crashes on exit if any of DEP, EAF, Mandatory ASLR are enabled.
Problem Event Name: APPCRASH
Application Name: WINWORD.EXE
Application Version: 11.0.8409.0
Application Timestamp: 52a8dbe1
Fault Module Name: EMET.DLL
Fault Module Version: 5.0.0.0
Fault Module Timestamp: 530b82f5
Exception Code: c0000005
Exception Offset: 0002ad98
OS Version: 6.1.7601.2.1.0.256.1
Locale ID: 1049
Additional Information 1: bda1
Additional Information 2: bda121a38238ccf5ccb8b5cefddc9000
Additional Information 3: 2e07
Additional Information 4: 2e073306618385ff80227a2109092d69
Wednesday, February 26, 2014 9:35 AM -
Internet Explorer 10 crashes on exit when any of these settings are enabled: Mandatory ASLR, LoadLib, MemProt, Caller, SimExecFlow, StackPivot.
Wednesday, February 26, 2014 10:47 AM
-
If you have experienced application compatibility problems with EMET, please share your experiences on this thread.
NOPDB.EXE 19.0.0.8 (7.00.0.24) 11/03/2005 21:44 Size: 176,193
Copyright (c) 1997-2005 Symantec Corporation
C:\Program Files\Norton SystemWorks Basic Edition\Norton Utilities\Speed Disk
Running under XP SP3.
With EMET 4.1 DEP set to "Always On" (System Setting) this program errors at boot time with
"cannot write to memory" error. No problems when DEP is set to "Application Opt Out".
- Wayne
Thursday, February 27, 2014 12:54 AM -
I don't see anything here about windows update. If anyone else has this problem I'd be interested in the solution. Since EMET install time, I always receive error code 80244019 when trying to run windows update. I have switched to downloading them manually when they appear. I'd like to know how to enable EMET to allow windows updates to work again. Have reinstalled the update services and tried stopping and starting a variety of services to re-enable Windows Update. I'm not sure how to turn EMET off... thought about uninstalling but figure if it even blocks the big virus we call windows update, then it can't be all that bad. But, it would be nice to get that automated process working again.
R, J
Thursday, February 27, 2014 11:49 AM -
EMET 5.0, Google Chrome is prevented from running. You have to opt out from caller. Then everything seems to work fine.
Saturday, March 1, 2014 5:19 PM
-
Tell me more... I don't install Google Chrome. But I am running IE... could there be the same overlap... What do you mean "opt out from the caller"?
R, J
Saturday, March 1, 2014 8:29 PM -
Hi Devid’,
I experienced the same behaviour as you on both Windows 7 64 bit SP1 and Windows 8.1 64 bit with regard to Google Chrome. Thanks for pointing out.
Sunday, March 2, 2014 5:27 PM -
Hi everyone,
Using Google Chrome Beta v34.0.1847.11 with EMET 4.1 when installed on Windows 8.1 64 bit resulted in the Caller Checks mitigation needing to be disabled for Chrome to continue to launch. This did not occur with previous versions of Chrome.
Disabling all extensions (using chrome://extensions) and plugins using (chrome://plugins) still resulted in the same change to EMET being necessary.
Thanks.
Sunday, March 2, 2014 5:28 PM -
Hi everyone,
I have completed some initial testing of EMET 5.0 Technical Preview (TP) on Windows 7 64 bit and Windows 8.1 64 bit and wished to share my findings.
In general, EMET 5.0 TP with Windows 7 64 bit SP1 needed many changes to its configuration to prevent application crashes either on start up or on exit (mostly on exit). For Windows 8.1 only Google Chrome needed a settings change to prevent it crashing on launch. I have provided a full list of settings below with the config files downloadable from my OneDrive.
According to the following forum thread (and the link below) the many Windows Error Reporting dialogs that are encountered are due to a bug in this preview version of EMET:
http://0xdabbad00.com/2014/02/27/emet-5.0-review/
Many thanks to Susan Bradley for highlighting this issue and the multiple ASR prompts issue.
Only the necessary changes to the default configuration of all mitigations being enabled are mentioned below:
In all cases (Windows 7 and Windows 8.1), EAF+, Anti Detours, Banned Functions and Deep Hooks remained enabled.
In addition, only the minimum number of changes needed to have an application work correctly are shown.
The system wide settings for EMET for each version of Windows are provided in the following screenshot links:
System wide Settings Screenshots:
Windows 7:
http://i742.photobucket.com/albums/xx69/Jimboc/Microsoft/EMET_50_Settings_Win7.png
Windows 8.1:
http://i742.photobucket.com/albums/xx69/Jimboc/Microsoft/EMET_50_Settings_Win81.png
I hope that this information is helpful to you. Thank you.
========================
Windows 7 64 bit SP1
Adobe Reader XI (v11.0.06): No changes necessary (please see hypothesis’ post above if you are having issues)
Google Chrome Beta (v34.0.1847.11): Caller Checks: Disabled
DosBox v0.74: Mandatory ASLR: Disabled
Auslogics Duplicate File Finder v3.5.1.0: Mandatory ASLR: Disabled
Mozilla Firefox v27.0.1:
Load Library Checks: Disabled
Memory Protection Checks: Disabled
Caller Checks: Disabled
Simulate Execution Flow: Disabled
Stack Pivot: Disabled
Internet Explorer 11 64 bit: Mandatory ASLR: Disabled
Notepad++ v6.54: Mandatory ASLR: Disabled
Apple iTunes v11.1.5 64 bit: Mandatory ASLR: Disabled
Skype v6.14.104: No changes necessary.
TrueCrypt 7.1a: Mandatory ASLR: Disabled
VLC v2.1.4 64 bit: Mandatory ASLR and EAF: Disabled
YouTube Downloader v4.72:
Mandatory ASLR: Disabled
Load Library Checks: Disabled
Memory Protection Checks: Disabled
Caller Checks: Disabled
Simulate Execution Flow: Disabled
Stack Pivot: Disabled
========================
Windows 8.1 64 bit:
Adobe Reader XI (v11.0.06): No changes necessary.
Google Chrome Beta (v34.0.1847.11): Caller Checks: Disabled
DosBox v0.74: No changes necessary.
Auslogics Duplicate File Finder v3.5.1.0: No changes necessary.
Mozilla Firefox v27.0.1: No changes necessary.
Internet Explorer 11 64 bit: No changes necessary.
Notepad++ 6.54: No changes necessary.
Apple iTunes v11.1.5 64 bit: No changes necessary.
Skype v6.14.104: No changes necessary.
TrueCrypt 7.1a: No changes necessary.
VLC 2.1.4 64 bit: No changes necessary.
YouTube Downloader v4.72: No changes necessary.
- Edited by JamesC_836 Wednesday, July 16, 2014 1:53 PM Removed EMET Config File Links
Sunday, March 2, 2014 5:30 PM -
I suppose an experienced user would understand about getting applications recognized within the interface but in general I find it hard to navigate. After months of problems with Windows Update (first installed 3.5, upgraded to 4.0 then 4.1 and finally 5.0) I gave up and uninstalled EMET but after some thought, attempted a reinstall and now the Windows Updates are working. That's curious. I accepted default configurations on all builds. The reinstall was build 4.1. I see no one else with Windows Update problems so I can assume I am alone with the problem but it is clear that the interface is rather unfriendly as all here seem to have issues with ASR and ASLR.
On the KREB's site, there is talk about something in the lower right corner that only exists as a refresh button on the versions I've seen. I suspect that website may be outdated and misleading. I think it is open season on someone with a good website explaining how to configure the EMET and especially tricky for the EMET developers to find a way to make the interface more user friendly and the tool bar less cluttered with options.
My two cents. But I like the product regardless of its awkward handling.
R, J
Sunday, March 2, 2014 8:24 PM -
With EMET 4.1 installed, installing WinZip 17.5 causes Microsoft Outlook to not start due to the WinZip ZipSend Outlook add-in. With EMET 5.0 TP installed, there is no issue.
[R, J: For GUI, the EMET User Guide says to send feedback and suggestions to emet_feedback@microsoft.com]
Tuesday, March 4, 2014 3:53 PM -
He's using DAMN NFO viewer for warez distributions because it's pretty
Saturday, March 29, 2014 2:56 AM
-
Same Here. I have to disable StackPivot on both 'Outlook.exe' processes listed in the Configuration screen. Not sure why there are two.
Outlook 2010 fully patched
CRM 2011 latest UR15
Scott M. Phoenix, AZ
Thursday, April 24, 2014 3:44 PM -
Thanks Олег Дивов, I know how to unregister a dll by regsvr32, but it disables CertSentry itself, but surely it's a solution I didn't notice.
Sorry for quite late reply.
Wednesday, May 7, 2014 2:50 PM -
IMHO, these are similar in functionality but differ in the method of implementation; the technologies are incompatible, so only one can live.
Wednesday, May 7, 2014 3:03 PM
-
If you apply any ROP mitigation to iexplorer.exe (I'm using IE11 on Win7x64), Quarri MyPOQ's protected browser will crash.
I'm now using EMET 5.0 RP2.
BTW, am I the only one who experiences occasional crashes of Flash Player when I apply the Heapspray mitigation to firefox.exe & plugincontainer.exe and watch Flash videos?
It happens from time to time, not always, and removing Heapspray from both resolves the problem.
Also when I set ASLR to AlwaysOn, Comodo Cleaning Essentials couldn't finish its scan.
It always stops (not crash, just silently ends) at Program Files\Internet Explorer\en-US\eula.rtf.
Putting ASLR back to Opt-in resolves the matter.
However, the last time I used CCE was several months ago. I'll confirm and maybe report to Comodo when I have time.
Wednesday, May 7, 2014 3:05 PM -
Java 7 Update 55 requires SEHOP to be disabled as well (Win 8.1 Pro, x64, IE11).
Friday, May 9, 2014 5:09 PM
-
Sorry again, I somehow missed your reply.
Well, similar but different.
AFAIK, so far CertSentry's function is gathering statistical info about the certificate revocation checking system, so in the default setting it doesn't offer any additional protection.
But you can make it enforce revocation checking for all apps which use Microsoft CryptAPI, so it protects a user from being fooled by a revoked certificate.
OTOH, EMET's pinning demands that a certain website show a certain certificate (strictly speaking, a certificate which belongs to a certain root CA). It works when a CA is compromised or makes a serious mistake, malicious people get completely legitimate certificate(s), and then abuse them, e.g. launch a malicious website with the certificate while tricking people by DNS poisoning, or more likely use the cert for a MITM attack.
EMET can prevent such attacks proactively, but CertSentry (with enforced checking) can help only after the CA has revoked those compromised certs.
BTW Chrome has the same function as EMET pinning.
- Edited by Yuki2718 Wednesday, May 14, 2014 9:24 AM
Wednesday, May 14, 2014 9:22 AM -
Hi, I'm using Windows Server 2008 Enterprise (Build 6002, SP2) 64-bit English running as the only productive domain controller, IIS and SQL-Server and I updated EMET from 4.1 to 5.0TP2 and after reboot the system didn't start anymore. First I had to circumvent a hardware problem (with a monitor connected, the harddrive doesn't start), then I couldn't log in due to missing cached credentials (I always log in remotely) and couldn't find the DomainAdmin password. Finally I could log in with SafeMode+Net, but uninstalling EMET is not possible in SafeMode. After I got that solved I could boot again. Trying to install EMET4.1U1 caused the same problems. It seems like the following applications are crashing, sometimes with error "DEP detected", sometimes they simply crash and EMET doesn't even detect the module. But finally, with some tweaking, I got it working. Here's the list of non-compatible programs, all of them don't work with EAF (Export Address Table Access Filtering) and run fine with EAF turned off (all are .exe):
- EMET_GUI
- EMET_Agent
- Explorer
- mmc
- taskeng (Task Scheduler Engine)
- Dwm (Desktop Window Manager)
- lsass (*)
- lsm (*)
- services (*)
- svchost (*)
- w3wp
- inetmgr
- dns
- ismserv
- msdtc
- spoolsv
- dfssvc
- inetinfo
- DFSRs
- NamecheapDDNSClient
- sqlservr
- sqlwriter
- SQLAGENT
- iexplore
The ones with the star (*) are responsible for not being able to boot. All generic options are enabled or at highest level.
Why is EAF for most applications not working? Is there some general incompatibility with Windows Server 2008? Would you recommend to turn off EAF for all applications, even for those that seem to work (like RegEdit)? Or is the machine pwned?
Saturday, May 17, 2014 12:11 AM -
We have noticed that Google Chrome web browser has started to cause dozens of "EMET detected Caller Mitigation and will close the application: chrome.exe" errors when started since 5/21/2014, and have found a related article: http://www.chromium.org/Home/chromium-security/chromium-and-emet.
Update: Unfortunately, adding a number of variations of the path including just "chrome.exe -Caller" into the group policy "Application Configuration" section didn't work to override the setting for Chrome used in the "Default Protections for Popular Software" section of group policy. To get it to work we had to manually change the chrome line in the group policy .admx file to "<string>*\Google\Chrome\Application\chrome.exe -SEHOP -Caller</string>" and then change the Popular Software section in group policy to Not Configured and then Enabled again.
- Edited by Chris Covington LOGIS Thursday, May 22, 2014 8:29 PM
Thursday, May 22, 2014 3:57 PM -
EMET 4.1 U1 and Windows 7 SP1 x86.
Personal Software Inspector (PSI) - after scanning for vulnerable applications and closing PSI, crashes psia.exe code C0000005. For normal operation of PSI must disable DEP for psia.exe.
Screamer Radio - To run the application, you must disable all the values in the ROP - LoadLib, MemProt, Caller, SimExecFlow, StackPivot.
KeePass 1.27 released - often, but not always, a message appears, when you drag and drop your password - "EMET detected DEP mitigation and will close the application: C:\Program Files\KeePass Password Safe\KeePass.exe"
- Edited by Oleg Divov Thursday, September 15, 2016 11:30 AM
Monday, May 26, 2014 12:20 PM -
After I installed this, my user account control access was changed and I now no longer have administrative rights and don't know how to fix this. Very very frustrating. Sorry I ever downloaded it.
Tuesday, June 3, 2014 2:59 AM
-
Friday, June 6, 2014 2:28 PM
-
Chrome.exe issue is fixed after installing EMET 4.1 Update 1
http://www.microsoft.com/en-us/download/details.aspx?id=41138
Friday, June 6, 2014 7:55 PM -
Chrome Caller Mitigation fixed by installing EMET 4.1 Update 1
http://itcalls.blogspot.com/2014/06/emet-detected-caller-mitigation-and.html
Sunday, June 8, 2014 7:43 AM -
I'm running EMET 4.1 Update 1. We have some users that have to connect to another network from time to time. When they switch networks, they get a Telco Systems' EdgeGenie error. "Could not create the Java Virtual Machine." Disabling mitigations didn't help. The only way I could get the virtual machines to create is uninstalling EMET.
--UPDATE--
I was able to get EMET 4.1 Update 1 to work by turning off every mitigation except DEP, SEHOP, NullPage and BottomUpASLR. I had to use a config file. If I use group policy to enforce mitigation, the java virtual machines crash.
- Edited by ShoMeNick Wednesday, June 11, 2014 1:35 PM Update Post
Monday, June 9, 2014 4:40 PM -
Latest Adobe Flash ActiveX control installer crashes on Win7 SP1 x64 running EMET 4.1 Update 1. Figured out that I have to disable ASLR under System Status and reboot, install Flash, then enable ASLR and reboot again.
Faulting application name: install_flashplayer14x32ax_gtbd_awe_aih.exe, version: 3.5.4.25, time stamp: 0x537d2fbd
Faulting module name: install_flashplayer14x32ax_gtbd_awe_aih.exe, version: 3.5.4.25, time stamp: 0x537d2fbd
Exception code: 0xc0000005
Fault offset: 0x00065ea4
Faulting process id: 0xfbc
Faulting application start time: 0x01cf8b15d91bfdd0
Faulting application path: C:\Users\<user>\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CFH7ATP7\install_flashplayer14x32ax_gtbd_awe_aih.exe
Faulting module path: C:\Users\<user>\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CFH7ATP7\install_flashplayer14x32ax_gtbd_awe_aih.exe
Report Id: 17cffa14-f709-11e3-bbb7-005056c00001
- Edited by Lucas Z. _ Wednesday, July 16, 2014 5:50 PM
Wednesday, June 18, 2014 5:48 PM -
Running EMET 5.0 TP3 on Windows 8.1 x64
EMET detected ASR mitigation in IEXPLORE.EXE
ASR check failed:
Application : C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
Module : scrrun.dll
Web address : http://catalog.update.microsoft.com/v7/site/Search.aspx?q=root%20certificate%20update
Url zone : Internet
scrrun.dll
Name: Scripting.Dictionary
Publisher: Microsoft Corporation
Type: ActiveX Control
Architecture: 32-bit and 64-bit
Version: 5.8.9600.16384
Class ID: {EE09B103-97E0-11CF-978F-00A02463E06F}
File: scrrun.dll
Folder: C:\Windows\System32
Thanks,
Tero
Wednesday, June 25, 2014 1:02 PM -
Interesting, I have been having multiple crashes with Opera and Internet Explorer, and I am examining logs now and testing to see if this is Emet's fault.
Please post if you have any crashes with these browsers.
thanks
Wednesday, June 25, 2014 6:04 PM -
Install McAFEE HIPS 8 Patch 4
Problem
When the Microsoft Enhanced Mitigation Experience Toolkit (EMET) software is installed on a system running the Host IPS software and the EMET "Deep Hooks" feature is enabled, any application that is hooked by both EMET and Host IPS will become unresponsive on start up.
Cause
When Host IPS functionality is enabled, along with Microsoft EMET "Deep Hooks" functionality, both products attempt to protect an application with similar hooking functionality.
Solution
This issue is resolved for Host IPS 8.0 in Host IPS 8.0 Patch 4, released in February 2014. For known issues, see KB78494. For Release Notes, see PD25043.
Thursday, June 26, 2014 12:36 AM -
It seems as though there are a lot of issues with this, is it really worth it? I am sure it is not for me as I don't understand most of what you folks are talking about. I was really hoping that I could use this on my XP System but I don't know if I want the headache.
Also interested in why the members here don't have their configuration posted so that others will be able to utilize this information properly?
Oh, I am sorry. It appears this is just for reporting issues? I will look around to see if I can post questions somewhere.
- Edited by pcpunk Wednesday, July 9, 2014 2:16 AM
Wednesday, July 9, 2014 2:09 AM -
I haven't experienced PSI issue.
I made DEP setting AlwaysOn and even added psi.exe, psia.exe and psi_tray.exe into app config, disabled EAF+, LoadLib, caller, and SimExecFlow (not because specific problem, but just to avoid unexpected problem as those mitigation often cause problem), then no problem found.
EMET5.0 TP3; Win7 SP1 x64
Friday, July 11, 2014 1:04 PM -
It's not an issue, but it is how ASR mitigation works.
If you don't want it, you can configure ASR mitigation in iexplore.exe.
In app config screen, select iexplorer.exe and click "Show All Settings".
Then remove scrrun.dll from ASR tab.
BTW, I admit it's annoying that we have to see the ASR warning every time it comes into play.
I made custom rules for Adobe Reader which disable scripts, 3D content, and flash.
Then every time the reader tries to use those functions, a warning comes.
I want to DISABLE ONLY ASR WARNING while keeping all other warnings active.
Friday, July 11, 2014 1:12 PM -
EMET 4.1 U1 and Windows 7 SP1 x86.
After the July update of the Windows 7 there are many positives Emet, then appear in the journal describing the error with frequent mention msvcrt.dll.
Download Master - dmaster.exe - SimExecFlow (in the journal referred to msvcrt.dll)
C:\Windows\system32\mrt.exe - Caller (in the journal referred to msvcrt.dll)
C:\Windows\system32\Wat\WatAdminSvc.exe - Caller + SimExecFlow (in the journal referred to msvcrt.dll)
Firefox.exe 24.6.0.5273 - 0xc0000005 - DEP (Memory).
- Edited by Oleg Divov Thursday, September 15, 2016 11:30 AM
Saturday, July 19, 2014 3:25 PM -
Since upgrading to 5.0 on Windows 7 x64 SP1 I experience crashes with a number of different programs. Often (but not always) when using the Windows save file or Windows open file dialog the given program would crash. EMET would not detect any attack or similar but disabling EMET for the given program completely gets rid of the crashes.
Sunday, August 3, 2014 1:28 PM
-
Same problem here.
Since 5.0 I can for example still run wmplayer.exe without problems, but if I try to start it opening a video file, wmplayer.exe will crash in EMET.DLL. This is the case on several machines running Windows 8.1 or Windows 7.
Monday, August 4, 2014 7:59 AM -
EMET 5.0.5324.31804
Windows 8.1 Pro (Up-to-date)
I had to disable the "Stack Pivot" mitigation to make Skype (6.18.0.105, Desktop version) work. Otherwise the process would just crash after a few seconds without any GUI appearing. "EAF", "EAF+" and "ASR" were already disabled by default.
Event Log entry (in German):
Name der fehlerhaften Anwendung: Skype.exe, Version: 6.18.0.105, Zeitstempel: 0x53b3f36a
Name des fehlerhaften Moduls: KERNELBASE.dll, Version: 6.3.9600.17055, Zeitstempel: 0x532943a3
Ausnahmecode: 0x000006a6
Fehleroffset: 0x00011d4d
ID des fehlerhaften Prozesses: 0x1034
Startzeit der fehlerhaften Anwendung: 0x01cfb00706ddde85
Pfad der fehlerhaften Anwendung: C:\Program Files (x86)\Skype\Phone\Skype.exe
Pfad des fehlerhaften Moduls: C:\Windows\SYSTEM32\KERNELBASE.dll
Berichtskennung: 45191bab-1bfa-11e4-8283-74d435819821
Monday, August 4, 2014 5:28 PM -
The following crash in EMET 5.0 that didn't in EMET 4.1.1:
Adobe Premiere CS4 - *\Adobe Premiere Pro.exe
Crashes when opening a new project. Stores a 'EMET detected DEP mitigation and will close the application' error in Event Viewer, however it's EAF and StackPivot that need disabling, not DEP.
Adobe Bridge CS4 - *\Bridge.exe
Crashes when right-clicking on an image and going to 'File Info'. Stores a 'EMET detected DEP mitigation and will close the application' error in Event Viewer, however it's EAF and StackPivot that need disabling, not DEP.
- Edited by AnaBna Monday, August 11, 2014 2:02 AM
Monday, August 11, 2014 2:02 AM -
I added a custom entry for ASR, and exported it to an XML file.
Then I deleted all app config through emet_conf.exe and when I imported the settings, those custom ASR entries were not recovered.
However, there was a correct description of that ASR entry in the XML file.
Wednesday, August 13, 2014 2:26 PM -
There is a similar problem reported for IE 11, in a separate thread:
http://social.technet.microsoft.com/Forums/security/en-US/8453f63f-7b60-46ac-99e5-558eef9a90a2/emet-causes-ie-crash?forum=emet
IE 10 crashes while viewing web page (http://www.phonearena.com/phones/size). There are no corresponding entries in the event log.
It's not reproducible 100% of the time. It took many attempts to reproduce it with ProcMon running, but I do have a couple ProcMon logs - if it would help.
------------
Here are the details:
Problem signature:
Problem Event Name: APPCRASH
Application Name: IEXPLORE.EXE
Application Version: 10.0.9200.17054
Application Timestamp: 53d0b9f0
Fault Module Name: EMET.DLL
Fault Module Version: 5.0.0.0
Fault Module Timestamp: 53d99ebe
Exception Code: c0000005
Exception Offset: 000012ee
OS Version: 6.1.7601.2.1.0.256.4
Locale ID: 1033
Additional Information 1: d460
Additional Information 2: d460871d13a9e4a764be2b9055549e1a
Additional Information 3: 60f8
Additional Information 4: 60f89cbcea4f357f65086eac6a24b3fa
Read our privacy statement online:
http://go.microsoft.com/fwlink/?linkid=104288&clcid=0x0409
If the online privacy statement is not available, please read our privacy statement offline:
C:\Windows\system32\en-US\erofflps.txt
- Edited by mmiikkeeuu Sunday, August 17, 2014 5:52 PM Added details
Sunday, August 17, 2014 4:11 PM -
EMET 5.0.5324.31804
Windows 8.1 Pro (Up-to-date)
I had to disable the "Stack Pivot" mitigation to make Skype (6.18.0.105, Desktop version) work. Otherwise the process would just crash after a few seconds without any GUI appearing. "EAF", "EAF+" and "ASR" were already disabled by default.
Event Log entry (in German):
Name der fehlerhaften Anwendung: Skype.exe, Version: 6.18.0.105, Zeitstempel: 0x53b3f36a
Name des fehlerhaften Moduls: KERNELBASE.dll, Version: 6.3.9600.17055, Zeitstempel: 0x532943a3
Ausnahmecode: 0x000006a6
Fehleroffset: 0x00011d4d
ID des fehlerhaften Prozesses: 0x1034
Startzeit der fehlerhaften Anwendung: 0x01cfb00706ddde85
Pfad der fehlerhaften Anwendung: C:\Program Files (x86)\Skype\Phone\Skype.exe
Pfad des fehlerhaften Moduls: C:\Windows\SYSTEM32\KERNELBASE.dll
Berichtskennung: 45191bab-1bfa-11e4-8283-74d435819821
I just wanted to say I've run into the same issue on Windows 8.1 Pro x64 with 6.18.106. I believe it only occurred following my upgrade from EMET 4 to EMET 5. I'm running the English version of Skype.
- Edited by Quitch Wednesday, August 20, 2014 7:40 AM
Wednesday, August 20, 2014 7:38 AM -
It should be noted that ATI resolved their ASLR driver issues in release 12.6.
Wednesday, August 20, 2014 7:42 AM
-
System Explorer 5.9.2.5250 crashes when SimExecFlow is applied to.
Win7HPx64, EMET5.0 with DH. AD, BF enabled.
BTW this site took quite long time to be displayed on IE, even worse when I clicked 'reply' on Chrome, I logged out automatically so cannot reply at all.
Finally I used Firefox but it temporarily goes unresponsive.
Also popup about MS data collection is quite annoying.
Wednesday, August 20, 2014 2:39 PM -
Zemana Antilogger (Antilogger.exe) and SecuniaPSI (psia.exe) can't start if StackPivot is applied to.
Wednesday, August 20, 2014 4:15 PM
-
EMET 5.0 with the Popular Software Protection Profile applied definitely breaks Windows Media Player unless you turn off the StackPivot mitigation for wmplayer.exe. This was not the case in 4.x. This is the case on Win7 and Win8.1. Come on Microsoft. At least make your own apps play nicely with EMET.
- Edited by axeshr3dder Wednesday, August 27, 2014 7:06 PM wrong
Wednesday, August 27, 2014 6:40 PM -
Please add iexplorer.exe (IE11 on Win8.1 update) to the list. It fails to run with an EAF mitigation error.
Thursday, September 11, 2014 3:05 PM
-
Windows 8.1 Pro
EMET 5.0.5324.31804
Dropbox 2.10.30
Dropbox crashes if the "StackPivot"-mitigation is activated for it.
Name der fehlerhaften Anwendung: Dropbox.exe, Version: 2.10.30.0, Zeitstempel: 0x538fa625
Name des fehlerhaften Moduls: ntdll.dll, Version: 6.3.9600.17278, Zeitstempel: 0x53eeb4a3
Ausnahmecode: 0x40010006
Fehleroffset: 0x0009a792
ID des fehlerhaften Prozesses: 0xf80
Startzeit der fehlerhaften Anwendung: 0x01cfd605a44fe51f
Pfad der fehlerhaften Anwendung: C:\Users\X\AppData\Roaming\Dropbox\bin\Dropbox.exe
Pfad des fehlerhaften Moduls: C:\Windows\SYSTEM32\ntdll.dll
Monday, September 22, 2014 2:05 AM -
Getting this on a Windows 8.1 box with EMET 5.0. I'll be waiting for the first update to 5 before deploying to my enterprise. This could have been very bad.
Faulting application name: IEXPLORE.EXE, version: 11.0.9600.17278, time stamp: 0x53eea0c3 Faulting module name: EMET.DLL, version: 5.0.0.0, time stamp: 0x53d99ebe Exception code: 0xc0000005 Fault offset: 0x000012ee Faulting process id: 0x14f8 Faulting application start time: 0x01cfd1e69be71a55 Faulting application path: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE Faulting module path: C:\WINDOWS\AppPatch\EMET.DLL Report Id: dc2df11f-3dd9-11e4-bea0-0023ae752176 Faulting package full name: Faulting package-relative application ID:
Monday, September 22, 2014 4:37 PM -
1. I'm experiencing Word 2010 crashes after installing EMET 5 (with 4.1 there were no problems), usually when a user try to "Save as..." a file opened from a network fileshare.
Application error, EventID 1000, Task category 100
Faulting application name: WINWORD.EXE, version: 14.0.7125.5000, time stamp: 0x53745315
Faulting module name: EMET.DLL, version: 5.0.0.0, time stamp: 0x53d99ebe
Exception code: 0xc0000005
Fault offset: 0x0004331a
Faulting process id: 0x14b0
Faulting application start time: 0x01cfd705594d0667
Faulting application path: C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
Faulting module path: C:\Windows\AppPatch\EMET.DLL
Report Id: beb0267a-42f8-11e4-b859-001cc0f9a919
This is happening on several of our organization's PCs, all with Windows 7 Enterprise x64 and Office Pro Plus 2010 x86, both with latest SPs and patches.
2. I also found that the Brother MFC-8860DN driver installer for W7 x64 is incompatible with EMET (even if you disable all the mitigations): to install it you have to uninstall EMET and restore the DEP settings with command: bcdedit.exe /set {current} nx OptIn
This is just for the installer, because once it is installed the driver and the control utility work well with EMET.
3. Generally speaking, I complain about the fact that EMET often doesn't alert with a popup that a program is being closed and for which reason. Also, often disabling all mitigations for a program is not enough to make a program work (maybe because the problem is in a loaded DLL and not in the program itself?).
- Edited by f.delbene Tuesday, September 23, 2014 8:43 AM
Tuesday, September 23, 2014 8:42 AM -
EMET 5 closed MS Access 2010, citing detection of "caller mitigation", when a VBA procedure in an accdb file attempted to use the Application.FileDialog(3) object to get the user to browse to an external file.
I solved the problem by opting out of Caller mitigation on the MSAccess.exe line in EMET.
Note: (1) I did not previously have any version of EMET installed. EMET 5 is my first use of it.
(2) I was using late binding with the FileDialog object. I have not experimented to see if early binding would have passed EMET's scrutiny.
Thursday, September 25, 2014 3:40 AM -
I am experiencing exactly the same issue (Exception code: 0xc0000005) with Word and Excel 2010. I disabled SEHOP and Caller (EAF+ is disabled by default) and so far so good. Does this work in your case as well?
This paragraph in the manual made me think that SEHOP might be the culprit:
"On Windows 7 and later versions, SEHOP (both system wide and per application) is implemented by the operating system. For this reason, when this mitigation is enabled and is detected, EMET will not be able to catch and notify that SEHOP was detected. Instead, the OS will terminate the process and write an event in the Applications event log."
What I find interesting about most crashes with EMET 5.0 is that there is hardly ever an event log from EMET itself, only from the application which crashed. This makes it difficult to identify the mitigation technique responsible for the crash.
Thursday, September 25, 2014 2:00 PM -
I only needed to disable Caller, not SEHOP. Meantime, I have just encountered a similar problem with Outlook.exe, so will post about that shortly.
Friday, September 26, 2014 2:26 AM
-
Using Outlook 2010 on my Win 7 machine, I attempted to save an email attachment via Right-click > Save As.
As soon as the FileDialog browser window appeared, EMET 5 closed OUTLOOK.EXE, citing Caller Mitigation.
Before changing any EMET option, I checked that I could extract the attachment by drag-and-drop. No problem.
I opted out of Caller mitigation in the OUTLOOK.EXE line in EMET and restarted Outlook. This time I could successfully Right-click > Save As.
This is similar to the issue I reported yesterday in Access 2010, where EMET also closed the application when a FileDialog object was opened. That time, too, I solved the problem by opting out of Caller mitigation. Yesterday, it was my own VBA code that attempted to open the FileDialog object, but today in Outlook it is Microsoft's code; I do not have any of my own VBA running in Outlook. Therefore, it seems clear that there is some conflict between EMET and the FileDialog object itself that MS should investigate. You would not expect EMET to disable "Save As" capability!
Friday, September 26, 2014 2:56 AM -
Hi, Stefan. See my new post. I also tried disabling SEHOP instead of Caller, but the problem recurred.
Friday, September 26, 2014 3:00 AM
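Several posts above note that crashes under EMET 5.0 often leave only an Application Error record and no EMET event, which makes it hard to see which reports belong together. The Python below is an added example, not part of any post and not EMET code: it parses Application Error text in the layouts pasted in this thread (one field per line or run together on one line, English or German labels) and groups the records by faulting module. The function names and bucket labels are assumptions made for illustration; the sample records are copied from posts above, with paths and report IDs left out.

```python
import re
from collections import Counter

# Field labels as they appear in the Application Error (Event ID 1000) text
# pasted in this thread, English and German, mapped to a common key.
NAME_FIELDS = {
    "Faulting application name": "app",
    "Name der fehlerhaften Anwendung": "app",
    "Faulting module name": "module",
    "Name des fehlerhaften Moduls": "module",
}
HEX_FIELDS = {
    "Exception code": "code",
    "Ausnahmecode": "code",
    "Fault offset": "offset",
    "Fehleroffset": "offset",
}
# Every record begins with the application-name field.
RECORD_START = re.compile(
    r"(?:Faulting application name|Name der fehlerhaften Anwendung):")

# Records copied from posts in this thread (paths and report IDs left out).
SAMPLE = """\
Faulting application name: install_flashplayer14x32ax_gtbd_awe_aih.exe, version: 3.5.4.25, time stamp: 0x537d2fbd
Faulting module name: install_flashplayer14x32ax_gtbd_awe_aih.exe, version: 3.5.4.25, time stamp: 0x537d2fbd
Exception code: 0xc0000005
Fault offset: 0x00065ea4
Faulting application name: WINWORD.EXE, version: 14.0.7125.5000, time stamp: 0x53745315
Faulting module name: EMET.DLL, version: 5.0.0.0, time stamp: 0x53d99ebe
Exception code: 0xc0000005
Fault offset: 0x0004331a
Faulting application name: IEXPLORE.EXE, version: 11.0.9600.17278, time stamp: 0x53eea0c3 Faulting module name: EMET.DLL, version: 5.0.0.0, time stamp: 0x53d99ebe Exception code: 0xc0000005 Fault offset: 0x000012ee
Name der fehlerhaften Anwendung: Skype.exe, Version: 6.18.0.105, Zeitstempel: 0x53b3f36a
Name des fehlerhaften Moduls: KERNELBASE.dll, Version: 6.3.9600.17055, Zeitstempel: 0x532943a3
Ausnahmecode: 0x000006a6
Fehleroffset: 0x00011d4d
"""


def parse_reports(text):
    """Split pasted text into records and extract the four triage fields."""
    starts = [m.start() for m in RECORD_START.finditer(text)]
    records = []
    for begin, end in zip(starts, starts[1:] + [len(text)]):
        chunk = text[begin:end]
        rec = {}
        for label, key in NAME_FIELDS.items():
            # A name runs up to the ", version:" / ", Version:" that follows it.
            m = re.search(re.escape(label) + r":\s*(.+?),\s*version:", chunk, re.I)
            if m:
                rec[key] = m.group(1).strip()
        for label, key in HEX_FIELDS.items():
            m = re.search(re.escape(label) + r":\s*(0x[0-9a-fA-F]+)", chunk)
            if m:
                rec[key] = m.group(1).lower()
        if "app" in rec and "module" in rec:
            records.append(rec)
    return records


def bucket(rec):
    """Classify a record by where the faulting address lies."""
    module = rec["module"].lower()
    if module == "emet.dll":
        return "emet-dll"        # exception raised inside EMET.DLL itself
    if module == rec["app"].lower():
        return "app-image"       # exception raised in the program's own image
    return "other-module"        # exception raised in some other loaded DLL


def summarize(text):
    """Return (bucket counts, {app: [(bucket, code, offset), ...]})."""
    counts = Counter()
    by_app = {}
    for rec in parse_reports(text):
        b = bucket(rec)
        counts[b] += 1
        by_app.setdefault(rec["app"], []).append(
            (b, rec.get("code"), rec.get("offset")))
    return counts, by_app


if __name__ == "__main__":
    counts, by_app = summarize(SAMPLE)
    for app, hits in by_app.items():
        for b, code, offset in hits:
            print(f"{app:45} {b:13} code={code} offset={offset}")
    print(dict(counts))
```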
-
Following my previous postings about encountering unjustified Caller mitigation shutdowns in Access 2010 and Outlook 2010, I can now report that the same problem arises in Word 2010. There, I encountered it under two different situations. The first was when I attempted to paste into a document a pageful of text that I had copied to the Clipboard from a web page. The text had some hyperlinks in it, so I wonder if it was they that precipitated the Caller mitigation shutdown.
Word automatically restarted and presented a recovered document on screen, containing the text I had entered before I attempted to paste in the web page text. I therefore attempted to save the document, but as soon as the "Save" dialog opened, EMET again triggered a shutdown, citing Caller mitigation.
I therefore opted out of Caller mitigation in the WinWord.exe line in EMET, and that solved the problem just as it had done in Outlook and Access.
Saturday, September 27, 2014 7:17 AM -
Hi! Ever since installing EMET 5.0 =all= Adobe products give me a EMET message. I can't even open an existing .pdf. How do you =un=install this damn thing?
Bruce
Saturday, September 27, 2014 8:58 PM -
Hi TrevDev
Unfortunately this issue is still not fixed in my case. Sometimes when one of our users saves a document in any of the Office 2010 applications it leads to a crash, usually just after the Save As dialog appears. I have disabled both Caller and SEHOP but this does not seem to work in my case, even though it looked promising in the beginning.
EMET does not log any event logs, only the Office 2010 application itself. I therefore don’t know which mitigation technique is causing the problem. And I am not able to reproduce this issue either since it does not happen every time a user saves a document. It only happens sporadically, usually 2-3 times a day per user.
- Edited by stefancpt Monday, September 29, 2014 2:12 PM
Monday, September 29, 2014 9:58 AM -
In my case, disabling Mandatory ASLR finally fixed the Office 2010 issue. I have monitored this for one week and I have not seen a single application crash on PCs with MASLR disabled.
This is far from ideal as the MASLR mitigation has proven to be successful in blocking recent 0day threats. What's the point of using EMET 5 if key mitigation techniques have to be disabled due to application crashes? I am tempted to uninstall EMET 5 and reinstall EMET 4.1u1 as it was more stable.
Any news as to when an update for EMET 5 will be released? I hope this will happen soon, considering all the problems users are reporting and the fact that it has already been bypassed.
Monday, October 6, 2014 8:57 AM -
I am an EMET devotee, and have convinced many friends to enhance their systems with this exceptional program. That is version 4.1. I was just getting curious about upgrading when I came upon this thread. I wouldn't touch 5.0 with a barge pole, now. Just when the open-source option is becoming downright dangerous to use, with two documented critical weaknesses coming to light recently, and Bash being exposed only within the last 30 days, Microsoft gets lax with code. I have had some real problems with caller mitigation in 4.1. Rather than opening a thread, I experimented, using a couple of basic assumptions.
1. The alert is real and appropriate.
2. The mitigation is also appropriate, taking into mind that I have maximum security settings selected in EMET 4.1.
I recently had an alert about an Outlook extension in Chrome, and Outlook was shut down (Office University 365) (psst..., my laptop is a server! And I am not telling how!) Okay, I ensured that Chrome no longer had the miscreant extension. Outlook works fine now. I had horrible issues with the Java 8.1 intro, and found out that the same mitigations that are ignored for previous versions should be ignored with the new versions. So, problems with 5.0 may, and I say may reluctantly, be along the same lines. And furthermore, if you have a standalone, or a hybrid system like mine, the ordinary upgrade process works fine. Otherwise, and this means 65-75% of users, you should install and configure EMET from the command line. Go ahead, sharpen your skills a little bit. And save yourself the headaches. I write this knowing that MS may have messed up badly with the 5.0 intro. I'll see what 5.1 brings.
Tuesday, October 7, 2014 9:31 PM -
I had the same issue with the Caller Mitigation and Excel 2013. The application would crash upon closing, but only with documents off a file share not with documents opened in SharePoint.
Note that this occurred with both EMET 4.1U1 and EMET 5.0
- Edited by Thomas_Br Friday, October 10, 2014 7:30 PM update for version info.
Friday, October 10, 2014 7:23 PM -
1- I have SSL/trust EMET alerts/pop up using IE 11, even when I logged in to this page.
2- Have EMET 5.0 (clean install). But was getting alerts from EMET 4.1 before.
3- OS Windows 8.1 / always updated. Also use Bitdefender total security 2015. Bitdefender confirmed that there is no compatibility issues with EMET 5.0.
4- After opening a couple of web pages, IE stops working and re-launches; this is a most recent problem and happens frequently.
5- The funny thing is I get these EMET alerts when going to bing.com, but not with google.com using IE. Captures below when I was on bing.com.
6- Tried to write to Microsoft EMET connect portal using the link provided above( and got Page Not Found
Hope we get a fix for this from MS, hope they will pay attention more to the quality of their products.
Thanks
Thursday, October 16, 2014 2:59 AM -
Chrome 38.0.2125.101 64-bit crashes when you choose to browse for a user certificate while setting up a virtual machine in Microsoft Azure.
Disabling mandatory ASLR for the application resolves the issue.
Friday, October 17, 2014 2:23 PM -
One of my users has installed Wuala. After the Wuala installation EMET 4.1 has detected Caller Mitigation and closes iexplorer.exe and other Office 2010 Products inc Word and Outlook
This behavior happens when the user does a "save as" or "save target as"
User is running Win7 Enterprise SP1 32 bit
Office 2010
Updated to EMET 4.1 update 1 and same behavior shown
Friday, October 24, 2014 7:05 PM -
On a brand new Alienware system with Windows 8.1, I can't seem to run Java even if it has nothing to do with browser-related applications. Just now EMET 5 blocked me using it with Intel's update software that requires it, as well as prevented the installation of the most-recent build of Java Runtime. I haven't installed Office yet, however...
It would appear the use of EMET causes more problems than it solves if it's having issues with even the most mainstream of applications, let alone plugins that help certain, other software run more smoothly.
- Edited by Hyncharas Wednesday, October 29, 2014 4:38 PM
Wednesday, October 29, 2014 4:36 PM -
EMET 5.0 - Excel 2013 64bit
EAF causes Excel to stop when doing "File - Open - Computer - Browse" to open "Open Dialog".
All other options work.
Wednesday, November 5, 2014 4:51 PM -
Since upgrading from EMET 4.1 to EMET 5 we've had tons of problems with Outlook, Word, and Firefox.
We ended up outright removing the entry for Outlook because we were unable to determine which combination of protections was causing it to crash. Users are reporting that Word is crashing too, but this has been less frequent, so we can't even begin to test. If another user reports an issue with Word crashing, we'll likely remove the entire entry for Word.
We may just have to roll back to EMET 4.1 at this point.
Wednesday, November 5, 2014 11:13 PM -
1- I have SSL/trust EMET alerts/pop up using IE 11, even when I logged in to this page.
2- Have EMET 5.0 (clean install). But was getting alerts from EMET 4.1 before.
3- OS Windows 8.1 / always updated. Also use Bitdefender total security 2015. Bitdefender confirmed that there is no compatibility issues with EMET 5.0.
4- After opening a couple of web pages, IE stops working and re-launches; this is a most recent problem and happens frequently.
5- The funny thing is I get these EMET alerts when going to bing.com, but not with google.com using IE. Captures below when I was on bing.com.
6- Tried to write to Microsoft EMET connect portal using the link provided above( and got Page Not Found
Hope we get a fix for this from MS, hope they will pay attention more to the quality of their products.
Thanks
Hi
A possible scenario: This issue might relate to the "SSL Scanning" feature of the Bitdefender product, which interposed its own Bitdefender certificate into your IE browser in order to scan SSL connections.
Re : http://forum.bitdefender.com/index.php?showtopic=48668
http://forum.bitdefender.com/index.php?showtopic=47457&st=0&p=196771&#entry196771
If your IE browser then visits those websites that are protected within your EMET's Certificate Trust Configuration, they may trigger EMET's blocking rules.
Possible Solution: Disable the "SSL Scanning" feature of Bitdefender or perhaps import "Bitdefender Personal CA.Net-Defender" into your EMET's pinning rules.
Hope this info helps.
Wednesday, November 12, 2014 10:27 AM -
I run Windows 7 Enterprise (Sp1) 64-bit, Internet explorer 11 and Adobe Reader 11.0.09.
Upgraded today from EMET 4 to EMET 5.1.
Didn't work too well. I can't start Internet Explorer before it crashes, IE without Add-Ons did not work either. This was before installing this month's patches. The patches didn't make any difference.
Log Name: Application
Source: Application Error
Date: 2014-11-12 20:11:00
Event ID: 1000
Task Category: (100)
Faulting application name: IEXPLORE.EXE, version: 11.0.9600.17420, time stamp: 0x545ad233
Faulting module name: KERNELBASE.dll, version: 6.1.7601.18409, time stamp: 0x53159a86
Exception code: 0x000006ba
Fault offset: 0x0000c42d
Faulting process id: 0xe84
Faulting application start time: 0x01cffeac57e814b3
Faulting application path: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
Faulting module path: C:\Windows\syswow64\KERNELBASE.dll
Report Id: a2cf6867-6a9f-11e4-ab96-005056c00008
Another program not working is Adobe Reader which also crashes when I try to use it (open a pdf file).
I first used the recommended settings, and then tried to keep the existing settings. This didn't seem to make any difference. Maybe the existing settings disappeared when I first chose Recommended Settings (however I don't think I did any tweaking on EMET 4)?
Any standard solutions for this, other than go back to EMET 4 or 4.1?
Best Regards
Wednesday, November 12, 2014 7:32 PM -
I confirm that after the latest updates released Tuesday, IE11 on Windows 7 SP1 x64 crashes due to EMET 5.0.
This, together with the problem with the Open/Save File dialog in Office 2010, made me revert all our PCs to EMET 4.1 U1.
What strikes me the most is the incompatibility of EMET not with some obscure third party driver or utility, but with flagship software from the very same Microsoft: Office and Internet Explorer. I really cannot imagine how this could have passed unnoticed in the tests... because I'm sure EMET was thoroughly tested....
I'm not daring to install anymore EMET 5/5.X until they have EMET 6 out!
Thursday, November 13, 2014 9:03 AM -
I confirm that after the latest updates released Tuesday, IE11 on Windows 7 SP1 x64 crashes due to EMET 5.0.
Yes - that's exactly why Microsoft published EMET 5.1 before the November patch day and instructed people to upgrade to 5.1 because there were known issues between November IE patches and EMET 5.0.
Thursday, November 13, 2014 9:17 AM -
Yes - that's exactly why Microsoft published EMET 5.1 before the November patch day and instructed people to upgrade to 5.1 because there were known issues between November IE patches and EMET 5.0.
Yes, before as in one day before.
Thursday, November 13, 2014 9:33 AM -
It seems like unselecting/disabling the SEHOP and NullPage protection (in EMET) on Acrobat and Internet Explorer solved the issue for me.
Thursday, November 13, 2014 5:52 PM -
Windows 7 x64 with EMET v5.1
WinZip v16.5 b10096 refuses to open (no visible error) unless I untick EAF.
Thanks.
Friday, November 14, 2014 6:07 PM -
Java 8 Update 25 on IE11 64-bit + EMET 5.1 (ASR Mitigation error). Java plugin wouldn't run.
Sunday, November 23, 2014 4:12 PM -
Not sure if this is the right place as it's not really an application: When running EMET 5.1, default settings on a Server 2012 R2 Remote Desktop Server (Terminal Server), IE11 and Office 2014 are terribly slow. Remove EMET and it's all fast again...
Thursday, December 4, 2014 1:06 PM -
EMET 4.1 Update 1, Windows 7 SP1 x86. VoipBuster 4.14 build 745 runs with an error if it is enabled for EAF.
Tuesday, December 9, 2014 9:07 PM -
@PowerToTheUsers: Are you running Remote Desktop Services in virtual machines?
At least the EMET EAF features have compatibility issues with Hyper-V:
https://social.technet.microsoft.com/Forums/windowsserver/en-US/d050b3f5-382b-4cdb-8222-0c5604c2d4bd/hyperv-performance-with-microsoft-emet-eaf-feature-in-vdi-and-recobs?forum=winserverhyperv
https://social.technet.microsoft.com/Forums/security/en-US/e95141f6-b1d8-4869-9a29-cc8dd321d804/emet-in-a-virtual-environment?forum=emet
Wednesday, December 10, 2014 8:17 AM -
@PowerToTheUsers: Are you running Remote Desktop Services in virtual machines?
At least the EMET EAF features have compatibility issues with Hyper-V:
https://social.technet.microsoft.com/Forums/windowsserver/en-US/d050b3f5-382b-4cdb-8222-0c5604c2d4bd/hyperv-performance-with-microsoft-emet-eaf-feature-in-vdi-and-recobs?forum=winserverhyperv
https://social.technet.microsoft.com/Forums/security/en-US/e95141f6-b1d8-4869-9a29-cc8dd321d804/emet-in-a-virtual-environment?forum=emet
Yes, it's running in a Hyper-V VM. Those threads refer to EMET 3.*, we are running 5.1 and it's still a problem? Is this something that will be solved in a next version, or is it by design because of the debug-registers and is EMET thereby incompatible with Hyper-V VMs?
Wednesday, December 10, 2014 9:20 AM -
Debug-registers seem to be necessary for EAF.
In abstract this is also written in the EMET Manual but to my mind Microsoft doesn't communicate this clearly and aggressively enough - especially given the relevant RDS / Hyper-V use case.
Unfortunately this still seems to be true for EMET 5.1 and there is still no "Hyper-V compatibility switch".
You can disable EAF with Hyper-V manually to have better performance, but this would obviously impact security as EAF is an important feature.
Wednesday, December 10, 2014 10:15 AM -
.NFO files are text files which often include ASCII art decorations. DAMN NFO Viewer renders these faithfully (supports UTF-8 encoding), while Notepad's default font (Consolas, on my system) makes unhelpful substitutions for these extended ASCII characters. This is a cosmetic issue, an annoyance more than a problem. I set the default program for .NFO files to Notepad++, another program I already use, rather than using DAMN NFO Viewer for this one file type.
Wednesday, December 17, 2014 2:22 PM -
Experienced problems with EMET 5.1 (or any other version for that matter) when Malwarebytes Anti-Exploit is installed. I have Windows 7, 64 bit OS. I had to disable several mitigations and deep hooks to get EMET to work. EMET works fine when Malwarebytes Anti-Exploit is uninstalled.
Saturday, December 27, 2014 4:15 PM -
Experienced problems with EMET 5.1 (or any other version for that matter) when Malwarebytes Anti-Exploit is installed. I have Windows 7, 64 bit OS. I had to disable several mitigations and deep hooks to get EMET to work. EMET works fine when Malwarebytes Anti-Exploit is uninstalled.
Saturday, December 27, 2014 7:31 PM -
Experiencing problems in IE 11 with VS 2013 breakpoints after upgrading from EMET 4.1u1 to EMET 5.1 on Windows 7 SP1 Pro. In Visual Studio Premium debugging Silverlight in IE using F5 with breakpoints causes IE to crash with EMET DEP message (even when EAF excluded from IE in EMET). This worked fine in IE 4.1u1 (after excluding EAF from IE in EMET). The system is fully patched using Microsoft Update which checks for updates directly from Microsoft.
Here are the potentially relevant versions of installed software:
Microsoft Visual Studio Premium 2013 12.0.21005.13
Microsoft Silverlight 5.1.31211.0
Microsoft Silverlight 5 SDK 5.0.61118.0
Microsoft Silverlight 5 Toolkit December 2011 5.0.51209.1124
Windows Internet Explorer 11 11.0.9600.17501
[Update: The software appears to be working fine as of a few weeks ago with EMET 5.1 and EAF enabled, and we are no longer able to reproduce the issue as we previously were. We are not aware of any changes other than the normal monthly OS / application updates.]
- Edited by Chris Covington LOGIS Thursday, April 9, 2015 8:24 PM
Friday, January 2, 2015 5:26 PM -
EMET 5.1 DOES NOT work together with Java software!
I had NO PROBLEMS with that using EMET 4.1...
Using latest version of Java (8.25)
Running on Windows 7 Ultimate x64
WWW.GULDVOG.NO Jan Guldvog
- Edited by Jan Gerhardsen Guldvog Tuesday, January 6, 2015 10:32 AM
Tuesday, January 6, 2015 10:29 AM -
I've upgraded two Windows 7 64 bit PCs to EMET 5.1 today, and both have had the same problem with IE11
Following the EMET upgrade, IE is slower than normal to start up. I have the start page set to about:blank. Once IE has opened, visiting any site causes IE to crash and pop up the standard Internet Explorer has stopped working box. It tried to recover but just kept failing. By a process of elimination I found that unticking the SEHOP box for iexplore.exe in EMET fixes the problem. I've seen other people mention this on here with reference to version of Java 7 & 8, and I have 7 on both machines (though as of yesterday they'll want to upgrade to 8 update 31 fairly soon). I should point out that I was not trying to visit a website that uses Java. I first tried Yahoo mail, and then google.co.uk. Neither use Java to my knowledge, though I do have the Java plug in helpers enabled.
Edit: I tried disabling all IE addons (not that I have loads) but it still crashed if SEHOP was ticked.
- Edited by robincm2 Wednesday, January 21, 2015 6:28 PM extra info
Wednesday, January 21, 2015 6:23 PM -
PowerPivot add-in (Excel2013) kills Excel when "EAF" is checked in EMET, (win 8.1).
Wednesday, January 28, 2015 4:12 AM -
Java 8 Update 25 on IE11 64-bit + EMET 5.1 (ASR Mitigation error). Java plugin wouldn't run.
Same problem for me on Win7 and Win8 x64. Disabling ASR on iexplore.exe fixes the problem. It started happening with the latest Java update. Slight possibility it was also present in the prior version. Don't recall exactly.
Tuesday, February 3, 2015 4:38 PM -
Update: I have also noticed that new IE tabs are slow to be functional once opened. The tab opens, but the address bar does not show typing, and the main page does not show any content for a good few seconds.
This is on a PC with an 8-core AMD FX 8350 CPU, SSD, and plenty of RAM.
The EMET setting that seems to be behind this is EAF+. Turn this off and tabs open and become functional at a sensible speed (i.e. instant).
I should mention that all the PCs where EMET 5.1 has been giving me problems were running older version of EMET (a mix of 3.5 and 4) with zero issues for quite some time (from shortly after whenever those versions were released).
Thursday, February 5, 2015 4:26 PM -
Have just loaded EMET 5.1 and found that IE11, Chrome and Firefox need EAF disabled as does Java, JavaAW and JavaAWS. IE11, Chrome and Firefox also seem to need SimExeFlow disabled. On Office 2010 programmes, all seem to need EAF disabling.
Running Win 8.1 Pro x64 on Dell Studio XPS 1640, 8Gb RAM.
Thursday, February 12, 2015 2:13 PM -
Dell Latitude E7440
Internet Explorer 11.
Recommended software XML loaded.
DEP - Application opt in, SEHOP - Application opt in.
Whenever I browse www.bing.com images section or videos section and close the browser IE crashes. I get the EMET DEP mitigation detected message in the task bar, and Event 1000 in event viewer. Screenshot will be attached once my account is verified.
Faulting application name: IEXPLORE.EXE, version: 11.0.9600.17496, time stamp: 0x546fddcc
Faulting module name: EMET.DLL, version: 5.0.0.0, time stamp: 0x545ffd74
Exception code: 0xc0000005
Fault offset: 0x00064f77
Faulting process id: 0x1f80
Faulting application start time: 0x01d044c9fb8e7818
Faulting application path: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
Faulting module path: C:\WINDOWS\AppPatch\EMET.DLL
Report Id: 41b7a16f-b0bd-11e4-b8bf-8086f2119143
- Edited by Victor Starostenko Saturday, February 21, 2015 12:40 AM
Saturday, February 21, 2015 12:38 AM -
EMET 5.1 and MS Word 2013. For one user, Word was crashing on exit, pretty consistently.
Faulting application name: WINWORD.EXE, version: 15.0.4691.1000, time stamp: 0x54ab9a21
Faulting module name: EMET64.dll, version: 5.0.0.0, time stamp: 0x545ffdbb
Exception code: 0xc0000005
Unchecking Stack Pivot for WINWORD.EXE seems to have solved the problem.
EDIT: Further testing found the same problem with Powerpoint and Excel on that workstation. Again, unchecking Stack Pivot for EXCEL.EXE and POWERPNT.EXE solved the issue. Only 1 of 5 workstations with Office 2013 installed shows this issue.
EMET 5.1 and Firefox 35. After EMET was installed, Firefox started up quite slowly, 30 seconds or more instead of 2-3 seconds. Unchecking EAF+ (not EAF) fixed this.
- Edited by jjjdavidson Friday, February 27, 2015 3:15 PM
Wednesday, February 25, 2015 10:42 PM -
foobar2000 1.3.7, EMET 5.1.5426.28434, Windows 8.1 x64
Conflict with Caller check at start of process.
http://exchange12rocks.org/ | http://about.me/exchange12rocks
- Edited by Kirill Nikolaev Wednesday, February 25, 2015 11:37 PM
Wednesday, February 25, 2015 11:34 PM -
Hello-
On a Windows 7 SP1 machine I can consistently duplicate an issue with Adobe Photoshop CS6 and EMET 5.1.
There is a GPO in effect which has the "Default Protections for Popular Software" setting enabled, and therefore any version of Photoshop is covered given the "*\Adobe\Adobe Photoshop CS*\Photoshop.exe" entry in the Registry.
Each time I launch Photoshop CS6 it opens, but then the following message appears:
Adobe Photoshop CS6 has stopped working
The following is logged in the event viewer:
Faulting application name: Photoshop.exe, version 13.0.0.0
(lots of text removed)
Faulting module path: C:\Windows\AppPatch\EMET.DLL
If I edit the Registry entry for Photoshop to be:
"*\Adobe\Adobe Photoshop CS1\Photoshop.exe"
It successfully launches.
To further support this being an EMET 5.1 and Photoshop CS6 issue, I uninstalled 5.1, installed 3.0, and left the GPO in effect. Photoshop launches without issue and I confirmed the EMET 3.0 GUI has the green checkmark next to Photoshop.
I know the EMET team does extensive testing of popular software before releasing new versions of EMET, so it seems like it's something on my end, but I am not doing anything out of the norm, so that's why I'm posting to this forum for any potential help.
Thanks in Advance,
Steve
Friday, March 6, 2015 4:52 PM -
I realise this thread is probably not monitored by EMET Support any longer, but in the hopes that it will help raise awareness with the tiny amount of end-users of this particular application:
Preton PretonSaver is incompatible with EMET. It attaches itself to any newly launched processes in a way that causes EMET to terminate those processes. I've found it affects just about anything, including Internet Explorer, Office, Adobe Reader and more.
The workaround is to uninstall PretonSaver, or to set the PretonSaver service to disabled.
No events are logged that indicate the failure is related to EMET or PretonSaver. It can be confirmed by disabling either EMET or PretonSaver, or by reviewing a Process Monitor trace.
Tuesday, March 24, 2015 2:58 AM -
EMET 5.1 and MS Word 2013. For one user, Word was crashing on exit, pretty consistently.
Faulting application name: WINWORD.EXE, version: 15.0.4691.1000, time stamp: 0x54ab9a21
Faulting module name: EMET64.dll, version: 5.0.0.0, time stamp: 0x545ffdbb
Exception code: 0xc0000005
Unchecking Stack Pivot for WINWORD.EXE seems to have solved the problem.
EDIT: Further testing found the same problem with Powerpoint and Excel on that workstation. Again, unchecking Stack Pivot for EXCEL.EXE and POWERPNT.EXE solved the issue. Only 1 of 5 workstations with Office 2013 installed shows this issue.
EMET 5.1 and Firefox 35. After EMET was installed, Firefox started up quite slowly, 30 seconds or more instead of 2-3 seconds. Unchecking EAF+ (not EAF) fixed this.
Monday, April 27, 2015 2:58 PM -
How do you uncheck the "stack pivot" option for Power Point?
Monday, April 27, 2015 7:08 PM -
I am a 4.1 user, with a Win 7SP1 platform, and no problems. I am real comfortable with EMET's GUI functions, so I guess I should ask if I should install 5.1 in advance of my Win 10 upgrade?
Monday, June 8, 2015 3:24 PM -
Don't install EMET on Windows 10 until Microsoft states it is supported on Windows 10. They have not said anything about that, and the current version of EMET, 5.2, has been observed to be incompatible with Internet Explorer 11 on the latest released builds of Windows 10.
Friday, July 10, 2015 12:04 AM -
I downloaded EMET and it effectively blocked IE from operating at all. All the web browsers worked. Chrome, Edge... When I deleted EMET, IE returned. IE may be the worst web browser ever--but it works for me for what I want. The whole thing was very annoying.
Tuesday, September 22, 2015 3:00 AM -
EMET suppresses start of Word and IE
Hi at all,
I have Win 7 SP1 (with all important and recommended updates) with MS Office 2013 and IE 11.
Yesterday I've noticed that EMET 5.2 suppressed the start of Word and IE; because "Caller mitigation".
The following actions were not successful:
- Go back to an earlier restore point (as Word was still running)
- Repair Office (online)
- Disable Add-ins in Word
- Complete virus scan
The problems (Word AND IE) can, however, get around by removing the checkmark for Caller in EMET for winword.exe.
Does somebody know the cause of the problem and a clean solution?
Thank you very much.
Axel F.
Thursday, October 1, 2015 6:32 PM -
I'm on Win 8.1 Pro 64-bit, with Office 2016 running for the last couple of weeks. As of 1st October, I too started getting the Caller Mitigation errors in my Office apps and also in Firefox 41. I had not made any changes unless, although I do allow for the possibility that the system may have downloaded an update.
Saturday, October 3, 2015 7:47 AM -
I reverted back to a previous backup, and all was fine. Until I did an update of "Norton Security with Backup" at which point the issues returned. I think that might be a clue.
Saturday, October 3, 2015 9:23 AM -
Hi ksmatharu,
thank you for your answer. Yes I've Norton Internet Security on my computer and I don't know exactly, but I think you are right. That could be the problem, because when I've gone back to an earlier Windows restore point, for a short time (before Norton has made its update again) everything was working well.
ciao
Axel F.
Monday, October 5, 2015 5:25 PM -
I reverted back to a previous backup, and all was fine. Until I did an update of "Norton Security with Backup" at which point the issues returned. I think that might be a clue.
Sorry for the trouble. Let me know if you need any help with your Norton. Glad to help.
Thanks!
Raj
Norton Support
Thursday, October 8, 2015 1:04 AM -
Only for one user the Office 2016 is restarting the app when it is closed. (A dialog box says Powerpoint is restarting) for example once this user hits the X in the upper right corner to close the app.
Apps are fully functional and if he wants out of the app I believe there is a small cancel button on the "xxx is restarting" box, or he can kill it in task manager. So this is not a show stopper, but it is still annoying.
I am not experiencing this issue on the same version of Office 2016 on either my Windows 10 desktop or Windows 8.1 laptop. This user is on Windows 7 SP1 Pro. All OS versions here are 64-bit and Office 2016 is 32-bit installed from the Office 365 portal. Our EMET settings are identical as we push GPO for EMET for the entire org and it's the same GPO. What is the fix without compromising EMET protection for 99% of the other users on Office 2013 or 2010?
Log Name: Application
Source: Application Error
Date: 10/14/2015 4:52:48 PM
Event ID: 1000
Task Category: (100)
Level: Error
Keywords: Classic
User: N/A
Description:
Faulting application name: POWERPNT.EXE, version: 16.0.4229.1024, time stamp: 0x55f00cae
Faulting module name: EMET.DLL, version: 5.2.0.1, time stamp: 0x5503c3e4
Exception code: 0xc0000005
Fault offset: 0x00063f82
Faulting process id: 0x2580
Faulting application start time: 0x01d106c1cc7dbc22
Faulting application path: C:\Program Files (x86)\Microsoft Office\Root\Office16\POWERPNT.EXE
Faulting module path: C:\Windows\AppPatch\EMET.DLL
Report Id: 86a42712-72b5-11e5-b522-842b2bb94c2e
Wednesday, October 14, 2015 9:15 PM -
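The crash reports posted in this thread share the Application Error (Event ID 1000) layout, and the "Faulting module name" field separates faults raised inside EMET's own DLL (EMET.DLL, EMET64.dll) from faults raised in another module such as KERNELBASE.dll. The following Python triage script is an added example, not code from any poster or from Microsoft; its sample records are constructed from values posted above, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample: three records built from values posted in this thread.
# The second has trailing prose run onto its "Exception code" line, as can
# happen when a record is pasted into a ticket or scraped from a forum.
SAMPLE = r"""
Faulting application name: IEXPLORE.EXE, version: 11.0.9600.17420, time stamp: 0x545ad233
Faulting module name: KERNELBASE.dll, version: 6.1.7601.18409, time stamp: 0x53159a86
Exception code: 0x000006ba
Fault offset: 0x0000c42d
Faulting module path: C:\Windows\syswow64\KERNELBASE.dll
Faulting application name: WINWORD.EXE, version: 15.0.4691.1000, time stamp: 0x54ab9a21
Faulting module name: EMET64.dll, version: 5.0.0.0, time stamp: 0x545ffdbb
Exception code: 0xc0000005Unchecking Stack Pivot for WINWORD.EXE seems to have solved the problem.
Faulting application name: POWERPNT.EXE, version: 16.0.4229.1024, time stamp: 0x55f00cae
Faulting module name: EMET.DLL, version: 5.2.0.1, time stamp: 0x5503c3e4
Exception code: 0xc0000005
Fault offset: 0x00063f82
Faulting module path: C:\Windows\AppPatch\EMET.DLL
"""

# EMET DLL names as they appear in this thread (assumption: no other names).
EMET_MODULES = {"emet.dll", "emet64.dll"}

# The two Windows codes that occur in the thread's records.
KNOWN_CODES = {
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0x000006BA: "RPC_S_SERVER_UNAVAILABLE",
}

NAME_RE = re.compile(
    r"^Faulting (application|module) name:\s*([^,]+),\s*version:\s*([\d.]+)"
)
# Exactly eight hex digits, so text fused onto the line is not swallowed.
CODE_RE = re.compile(r"^Exception code:\s*(0x[0-9a-fA-F]{8})")


def parse_crash_records(text):
    """Return one dict per 'Faulting application name' block found in text."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = NAME_RE.match(line)
        if m:
            kind, name, version = m.groups()
            if kind == "application":
                # A new application line always starts a new record.
                current = {"app": name, "app_version": version,
                           "module": None, "module_version": None, "code": None}
                records.append(current)
            elif current is not None:
                current["module"], current["module_version"] = name, version
            continue
        m = CODE_RE.match(line)
        if m and current is not None:
            current["code"] = int(m.group(1), 16)
    return records


def in_emet_module(record):
    """True when the faulting module is one of EMET's own DLLs."""
    return (record["module"] or "").lower() in EMET_MODULES


def triage(text):
    """Summarise records as (app, module, exception label, in-EMET flag)."""
    rows = []
    for r in parse_crash_records(text):
        code = r["code"]
        label = KNOWN_CODES.get(code, hex(code) if code is not None else "unknown")
        rows.append((r["app"], r["module"], label, in_emet_module(r)))
    return rows


def emet_fault_counts(text):
    """Count crashes per application whose faulting module is an EMET DLL."""
    return Counter(r["app"] for r in parse_crash_records(text) if in_emet_module(r))


if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
    print(dict(emet_fault_counts(SAMPLE)))
```

Records flagged as in-EMET are the ones worth bisecting mitigation by mitigation for that executable; several posts in this thread report failures that log no EMET-attributed event at all, so an empty result does not rule EMET out.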
On a vanilla Windows 10, no plug-ins installed, just tried opening IE11 from Edge or from Windows explorer and it just doesn't open. EAF blocks it.
EAF is also blocking Acrobat Reader DC here.
Thursday, December 17, 2015 10:22 AM -
Media Player Classic(Home Cinema) is a widely popular media Player. In my computer it came with K-lite mega codec pack. I use EMET 5.2 and my configuration for this player(mpc-hc.exe) is
<Mitigation Name="DEP" Enabled="true" />
<Mitigation Name="SEHOP" Enabled="true" />
<Mitigation Name="NullPage" Enabled="true" />
<Mitigation Name="HeapSpray" Enabled="true" />
<Mitigation Name="EAF" Enabled="true" />
<Mitigation Name="EAF+" Enabled="true" />
<Mitigation Name="MandatoryASLR" Enabled="true" />
<Mitigation Name="BottomUpASLR" Enabled="true" />
<Mitigation Name="LoadLib" Enabled="true" />
<Mitigation Name="MemProt" Enabled="true" />
<Mitigation Name="Caller" Enabled="true" />
<Mitigation Name="SimExecFlow" Enabled="true" />
<Mitigation Name="StackPivot" Enabled="true" />
<Mitigation Name="ASR" Enabled="false" />
This player performs normal under this configuration in EMET 5.2. But it gets very slow in EMET 5.5 beta under the same configuration. The process/player(mpc-hc.exe) starts almost after 30 seconds late while using 5.5 beta, it starts in just 3-4 seconds under EMET 5.2. Sorry for bad English. Hope you'll investigate it.
Tuesday, December 22, 2015 1:07 PM -
Only for one user the Office 2016 is restarting the app when it is closed. (A dialog box says Powerpoint is restarting) for example once this user hits the X in the upper right corner to close the app.
Apps are fully functional and if he wants out of the app I believe there is a small cancel button on the "xxx is restarting" box, or he can kill it in task manager. So this is not a show stopper, but it is still annoying.
I am not experiencing this issue on the same version of Office 2016 on either my Windows 10 desktop or Windows 8.1 laptop. This user is on Windows 7 SP1 Pro. All OS versions here are 64-bit and Office 2016 is 32-bit installed from the Office 365 portal. Our EMET settings are identical as we push GPO for EMET for the entire org and it's the same GPO. What is the fix without compromising EMET protection for 99% of the other users on Office 2013 or 2010?
Log Name: Application
Source: Application Error
Date: 10/14/2015 4:52:48 PM
Event ID: 1000
Task Category: (100)
Level: Error
Keywords: Classic
User: N/A
Description:
Faulting application name: POWERPNT.EXE, version: 16.0.4229.1024, time stamp: 0x55f00cae
Faulting module name: EMET.DLL, version: 5.2.0.1, time stamp: 0x5503c3e4
Exception code: 0xc0000005
Fault offset: 0x00063f82
Faulting process id: 0x2580
Faulting application start time: 0x01d106c1cc7dbc22
Faulting application path: C:\Program Files (x86)\Microsoft Office\Root\Office16\POWERPNT.EXE
Faulting module path: C:\Windows\AppPatch\EMET.DLL
Report Id: 86a42712-72b5-11e5-b522-842b2bb94c2e
We upgraded this user to Windows 10 and the problem is resolved. Office 2016 and EMET 5.2 only clash on Windows 7 64-bit. It seems fine on Windows 8.1 and later.
Conversely Interaction Client .NET edition from Interactive Intelligence (our phone system vendor) causes issues when our call center reps use it to reply to customer service emails. The word.exe process hangs in task manager hidden (even though they are doing email) in Office 2010. No errors or anything, the Interaction Client program just seems to "freeze". Ending the hidden word task fixes it. Removing word and outlook from EMET 5.2 fixes the problem. Sadly....
Tuesday, December 22, 2015 1:38 PM -
EMET 5.2 stops both Winzip Courier and Winzip Express addins running in all Office applications (Word, Excel, Outlook etc...) The applications crash when launching with these addins enabled and will only launch successfully when each is disabled in turn or the application is launched in safe mode and they are disabled manually - or in Outlook's case.
I am running Windows 8.1 64bit
Wednesday, January 13, 2016 2:18 AM -
In EMET version 5.5.5871.31892, Canon Digital Photo Professional 3.15 (DPPViewer.exe) won't open due to DEP mitigation (EMET detected DEP mitigation and will close the application: DPPViewer.exe).
Up to and including EMET 5.5 Beta it has been OK with EMET, but with EMET 5.5 you now need to disable DEP mitigation for Canon DPP software in order to use it on Windows 10.
Wednesday, February 3, 2016 4:16 PM -
Sysinternals Process Explorer won't open when added to EMET app list. The CPU goes to and stays at around 30% and nothing happens. Therefore Process Explorer needs to be closed manually with Task Manager.
Adding *\procexp.exe to the EMET app list is fine. However when also adding *\procexp64.exe (which is located in %USERPROFILE%\AppData\Local\Temp\procexp64.exe when Process Explorer is executed) the problem occurs.
No EMET errors are logged in Event Viewer and disabling all mitigations for *\procexp64.exe isn't enough, you need to actually remove it from the EMET app list altogether, which then allows Process Explorer to run correctly again.
Note:
Using 'Recommended Security' settings in EMET 5.5 (5.5.5871.31892) on Windows 10 Pro (10586.104)
Friday, February 19, 2016 6:39 PM -
Outlook 2010 (14.0.7166.5000 SP2), all current patches, EMET 5.5 (5.5.5871.31892) with EAF applied for outlook.exe causes multi-second slowdowns and high cpu usage when navigating the calendar. Disabling EAF returned to normal quick response. This is changed behavior from EMET 5.2.
For Firefox 44.0.2 to run, I have to disable DEP, SEHOP, Null Page Protection, Heap Spray Protection & EAF. This is also changed behavior from EMET 5.2.
I'm not ready to deploy 5.5 with these issues (I'm not sure what I haven't found in the last 20 days of testing on one workstation).
Edit: Windows 8.1. Haven't tried on Win 10 (yet).
- Edited by PhilVancWA Tuesday, February 23, 2016 2:12 AM Add Win version
Tuesday, February 23, 2016 2:01 AM -
Around the end of December 2015, I suddenly started getting Caller Mitigation alerts from EMET when I did anything in an Office 2007 application that popped up a file dialog (Open, Save As). The problem persists, and I've had to switch EMET to audit-only, because it was driving me crazy, killing Office 2007 apps whenever I tried to save or open a document, or add or save an attachment in Outlook. I've searched the web for solutions, but so far had no luck.
Tuesday, March 1, 2016 3:39 AM -
Hi All -
Hoping someone can shed some light on this one.
I'm configuring and testing EMET for an enterprise environment. I've deployed to a small test group (15-20 machines) and all has been well for about two weeks. Until today... One user was unable to open Beyond Compare 3.3.3 this morning. Uninstalling EMET fixed the issue, reinstalling repeated the problem.
The rub is that the machine he is running and my main test box are the same and Beyond Compare runs perfectly on mine. I can open, save, and compare files, directories, etc. with no issue at all, while my tester can't even open the app.
We are both running Windows 7 Enterprise SP1 64-bit, both using Beyond Compare 3.3.3, and both using the same EMET config file. As far as he can tell from the logs, nothing new was deployed to his machine in the last few days. Due to his schedule (and rights/permissions within this large environment), I'm unable to test his machine. Simply disabling/enabling mitigations to home in on the issue is not an option right now.
Any help, ideas, suggestions are welcome. And if you need any more info, please ask. I'm trying (read: failing) to keep this concise.
Thursday, March 3, 2016 9:17 PM -
Maybe it could be that you are a local admin on your PC but this user is not? That may explain the difference you are seeing.
Sunday, March 6, 2016 7:22 PM -
Installed on Windows 10. Found that I had to turn off the standard SEHOP protection for several of the Office 2013 applications or they would crash on startup:
- Outlook
- Word
- Excel
- PowerPoint
- Access
- Publisher
On a separate Windows 10 computer with Office 365 I did not have to disable SEHOP
Tuesday, March 22, 2016 2:05 AM -
Since the EMET 5.5 Install: (for office install base of 100+-)
Note: all programs to have problems had not previously experienced this issue with EMET 5.2 and all previous versions
1: Immediately after EMET 5.5 was installed, adobe acrobat and multiple office programs experienced slowdowns or crashing upon startup.
Resolution to 1: removed EAF from all programs listed in the apps protection list. this stopped the crashing and slowdowns.
2: periodically one of our users experiences crashing and or abhorant behavior with some program. We use a 32 bit program that wasn't listed on the protection list for Emet that I had to add to the list and remove DEP protection on windows 10.
3: just had a user with adobe acrobat crash issue trying to create forms(repeatable issue), EAF is still off, investigating EMET as possible cause.
Justin Harty Helpdesk Analyst A+, Security + Certified
- Edited by Justin Harty Tuesday, March 22, 2016 11:35 AM
Tuesday, March 22, 2016 11:33 AM -
An older version of Sage Accpac ERP results in an error when launching the "Print Financial Statements" application under the General Ledger module. (Print to file option).
Dialogue Title: FrCom Addin
Initializing FR Error (3): Fail in starting Print Financial Statements
Excel then exits.
Solution: Disabling the Mandatory ASLR resolves the issue.
Note: No EMET error messages, popups or log entries appear when this process fails other than the excel related popup.
Tuesday, March 22, 2016 4:50 PM -
1. Amazon Music (desktop) won't open with default mitigations enabled in EMET 5.5 on Windows 10 Home (1511). Disabling EAF resolves the issue, and Amazon Music appears to run with full functionality.
Amazon Music version: 4.2.1.1306.4.2.1.654 (32-bit app)
Windows 10 build: 10586.164 (64-bit)
EMET version: 5.5.5871.31892
Dell Inspiron 5459 desktop all-in-one with Intel Skylake Core-i5 6400T
2. Spotify music app (desktop) won't open with default mitigations enabled. I was confused by error messages in EMET itself, so for now I've enabled only DEP and ASLR, with which Spotify works. It's possible that a few other mitigations can be enabled, but I haven't had time to test.
Spotify version: 1.0.25.127.g58007b4c (it's a 32-bit app)
System and OS same as above.
Note that Spotify uses Flash Player, which expands the attack surface, and would make it a good candidate for ASR mitigation. However, I've been unable to locate the Flash player as a plugin or separate exe or dll. It might be built into Spotify.exe (which is in ...AppData/Roaming/Spotify)
Wednesday, March 23, 2016 4:46 AM -
The Microsoft Edge browser is unable to open .pdf files once EMET 5.5 is installed on Windows 10.
I get a small error window with a red cross and the .pdf file location as well as an error message that translates to "Can't execute RPC" (I'm using a Dutch version of Windows, the Dutch message is "Kan RPC niet uitvoeren" ).
ASLR and SEHOP are on always on. DEP is on application opt in. Block untrusted fonts is on always on.
All other settings are at the default recommended, I've also imported the default Popular Software.xml profile. (Edge is not shown under the apps Window, so it's likely an issue with one of the main EMET settings which apply to the system)
Saturday, April 9, 2016 5:55 PM -
EMET 5.5 on Windows 10 64-bit, consumer build. IE 11 will fail to open with default settings. Had to disable EAF and SimExecFlow for it to launch.
Blog: www.derekseaman.com, VMware vExpert 2012/2013
Wednesday, April 13, 2016 4:36 AM -
EMET 5.5 on Windows 10 64-bit, consumer build. IE 11 will fail to open with default settings. Had to disable EAF and SimExecFlow for it to launch.
Blog: www.derekseaman.com, VMware vExpert 2012/2013
Is this something that's appeared just recently? (After the April 12, 2016 update, maybe?) I'm running Windows 7 (32 bit) and saw something similar after the April 12 updates: Thread
Thursday, April 14, 2016 3:58 PM -
IE11 and Reader will not open (Process Monitor shows each will take ~25% of CPU resources and do nothing, requiring a kill of the process manually) on Win 7 32-bit with EMET 5.5 installed and new default EMET application Group Policy engaged. Both of these ran fine with the EMET 5.2 defaults. Deleting the new-format registry keys for IE and Reader at HKLM\Software\Policies\Microsoft\EMET\Defaults will allow both to run. Both of these keys engage EAF+, so a conclusion could be drawn that EAF+ conflicts with these apps.
- Edited by blownfuse Monday, May 23, 2016 4:51 PM
Monday, May 23, 2016 4:50 PM -
ABBYY PDF Transformer+ (and presumably PDF Transformer as well) version 4 won't start if you have Always On ASLR enabled. The licensing service crashes when it tries to start, and so the main program never starts (it gives a message about files being corrupt).
Thursday, May 26, 2016 3:17 PM
-
Hi,
I would like to report the following:
Notebook OS : Windows 7 Home Premium SP1 (64Bit)
EMET 5.5 & EMET 5.51
===============
Recommended System-Wide Configuration:
------------------------------
DEP - App-Opt-In
SEHOP - App-Opt-In
ASLR - App-Opt-In
CERT TRUST - Enabled

Application/Trust Certificate Configurations:
---------------------------------
Default Profiles provided via installed deployment folder:
Popular Software.xml
CertTrust.xml
with manual additions of other installed applications.

Default Action:
-----------
Stop On Exploit

Mitigation Settings:
---------------
Deep Hooks
Anti-Detours
Banned Functions

Reporting Options:
--------------------
Windows Event Log - On
Tray Icon - On
Early Warning - On

Problem : Aw Snap? problems started upon auto-updating Google Chrome 52.0.2743.116 (64Bit) to 53.0.2785.89 (64Bit) with both Google Chrome opened webpages and Google Chrome Extensions crashing. Restarting both Google Chrome and these extensions did not work.
This problem only happens in the 64Bit version of Google Chrome and NOT the 32Bit version in my other netbook with EMET 5.5 (and EMET 5.51) installed.
Offending Mitigation : EAF+ (or Export Address Table Access Filtering Plus) with list of Protected Modules "chrome_child.dll"
Solution Applied : Unchecked EAF+ Mitigation or deleting "chrome_child.dll" under Protected Modules list.
Hope this information helps other users.
Further reference/info : https://productforums.google.com/forum/#!topic/chrome/es5cUpgIdLs;context-place=forum/chrome
- Edited by CatTech Monday, September 26, 2016 12:17 PM Add Google Forum Link
Thursday, September 1, 2016 11:28 AM -
Experiencing the same as CatTech.
Chrome bug report: https://bugs.chromium.org/p/chromium/issues/detail?id=643775
However, does not seem to affect latest stable as of now (v. 53.0.2785.101).
- Edited by Neguahpm Thursday, September 8, 2016 11:42 AM Added more info.
Thursday, September 8, 2016 10:44 AM -
Today's update for Windows 7 SP1 x32 finally forced to turn off the EAF in EMET 5.51 for all remaining operational applications, where a small number left.
Applications load on the CPU by 50% and their windows do not appear on the screen.
Soon, probably have to remove the EMET, as on Windows 10 does not intend to move, and to Windows 7 EMET does not operate normally. It is unfortunate, but probably this is such a Microsoft policy, squeeze users on Windows 10.
DEP - Always On, SEHOP - App-Opt-Out, ASLR - App-Opt-In, CERT TRUST - Enabled.
Windows Event Log - On, Tray Icon - On, Early Warning - On.
Stop On Exploit, Deep Hooks- On, Anti-Detours - On, Banned Functions - On.
- Edited by Oleg Divov Thursday, September 15, 2016 11:28 AM
Tuesday, September 13, 2016 9:47 PM -
EMET Version: EMET 5.51
Platform (x64): Windows 8.1, 2012R2, Windows 10 - Windows 7 appears unaffected by this issue
Application: Progress Webclient 10.2B (prowc.exe v10.2.2.1235)
Mitigation: Both the system-wide SEHOP and EMET SEHOP setting seems to be incompatible.
Details:
I configured my systems to use the system wide SEHOP Opt-out setting through the EMET group policy setting. Prowc.exe will crash when rendering what appears to be graphic data controls. Text controls seem to be unaffected. There will be two event log entries for the crash as below.
Faulting application name: prowc.exe, version: 10.2.2.1235, time stamp: 0x4b26c127
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x06dc0708
Faulting process id: 0x1e44
Faulting application start time: 0x01d2230c45950011
Faulting application path: C:\Program Files (x86)\Progress Software\WebClient\bin\prowc.exe
Faulting module path: unknown

Faulting application name: prowc.exe, version: 10.2.2.1235, time stamp: 0x4b26c127
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc000041d
Fault offset: 0x069d0708
Faulting process id: 0x27d8
Faulting application start time: 0x01d2230b9ad236d4
Faulting application path: C:\Program Files (x86)\Progress Software\WebClient\bin\prowc.exe
Faulting module path: unknown
Resolution: Add a per-process entry in EMET for prowc.exe and turn off the mitigation.
Monday, October 10, 2016 6:20 PM -
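The two Application Error records in the report above can be triaged mechanically. The following is an added example, not part of the original post and not EMET tooling: it parses the records, names the NTSTATUS exception codes and converts the FILETIME start times. The function names are illustrative assumptions, and the sample text is copied from the post.

```python
from datetime import datetime, timedelta, timezone

# Sample input: the two crash records quoted in the post above.
SAMPLE = r"""Faulting application name: prowc.exe, version: 10.2.2.1235, time stamp: 0x4b26c127
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x06dc0708
Faulting process id: 0x1e44
Faulting application start time: 0x01d2230c45950011
Faulting application path: C:\Program Files (x86)\Progress Software\WebClient\bin\prowc.exe
Faulting module path: unknown
Faulting application name: prowc.exe, version: 10.2.2.1235, time stamp: 0x4b26c127
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc000041d
Fault offset: 0x069d0708
Faulting process id: 0x27d8
Faulting application start time: 0x01d2230b9ad236d4
Faulting application path: C:\Program Files (x86)\Progress Software\WebClient\bin\prowc.exe
Faulting module path: unknown
"""

NTSTATUS = {  # standard NTSTATUS names for the two codes in the sample
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC000041D: "STATUS_FATAL_USER_CALLBACK_EXCEPTION",
}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def parse_records(text):
    """Split Application Error text into one dict per crash record."""
    records = []
    for line in text.splitlines():
        key, sep, value = line.partition(": ")
        if key == "Faulting application name":
            records.append({})  # this field opens a new record
        if sep and records:
            # keep the first comma-separated item (drops ", version: ...")
            records[-1][key] = value.split(",")[0].strip()
    return records

def triage(rec):
    """Summarise one record: who crashed, why, when the process started."""
    code = int(rec["Exception code"], 16)
    ticks = int(rec["Faulting application start time"], 16)  # 100 ns units since 1601
    return {
        "app": rec["Faulting application name"],
        "exception": NTSTATUS.get(code, hex(code)),
        "started_utc": FILETIME_EPOCH + timedelta(microseconds=ticks // 10),
        # "unknown" = the fault address was not attributed to a loaded module
        "outside_module": rec["Faulting module name"] == "unknown",
    }
```

Sorting the summaries by `started_utc` and grouping by `app` and `exception` makes it easier to line crashes up with the time a mitigation setting was changed.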
OS: Windows 10 x64 (1607)
Application Causing the issue: EMET 5.51 + ESET Internet Security 10 (The new feature that scans js scripts)
Application that fails to load: Mozilla Firefox
Mitigation or setting causing the issue: EAF
Fix: Disable EAF or disable "Enabled Advanced of browser scripts" in ESET Internet Security 10
Enabling EAF+ alone does not cause any issue. Not sure if it's actually enabled for Firefox, though.
Thursday, October 27, 2016 4:43 PM -
EAF disabled in all browsers, and SEHOP. Also caller, and sim exec flow. Status shows: DEP (Yellow)-Application Opt In; SEHOP (Yellow)-Application Opt In; ASLR (Green)- Application Opt In.
Monday, January 23, 2017 12:07 AM -
I am getting SimExecFlow mitigation killing Word 2013, and Edge so far. Switched to FF for now.
Peter Jam
Monday, February 13, 2017 9:49 PM -
EMET 5.5.5871.31892 default configuration on Windows 7 x64 Pro SP1 OEM
IE 11 starts but closes without error before fully loaded.
Investigation, firstly fully uninstall and reinstall encountered problems which have been entered and documented elsewhere
https://www.sevenforums.com/browsers-mail/313056-unable-uninstall-ie11-install-did-not-complete.html
https://social.technet.microsoft.com/Forums/ie/en-US/a3f3317d-99a2-41d2-8c76-6a8194a48932/ie-11-error-neutral-package-installation-failed-exit-code-0x00003715-14101?forum=ieitprocurrentver
A reinstall (using IE11-Windows6.1-x64-en-us.exe - Product version: 11.00.9600.16428) after checking all of the recommended precursor updates [see https://support.microsoft.com/en-gb/help/2847882/prerequisite-updates-for-internet-explorer-11 ] were either installed or not applicable, worked. IE11 still failed to launch; however, this time EMET alerted "EMET detected SimExecFlow mitigation and will close the application: iexplore.exe"
Disabling SimExecFlow protection in EMET for iexplore.exe resolved problem without having to make any further changes to either Windows or IE.
Don't know when conflict may have actually happened, as Firefox is set as the default browser on this system.
- Edited by RB16 Tuesday, February 21, 2017 2:18 PM correct typo's
Tuesday, February 21, 2017 10:56 AM -
Freedom Scientific JAWS version 16 and prior cannot read EMET toast pop-up notifications presented to visually impaired users. This should be corrected in JAWS 17 for Win 8.1 +
Wednesday, May 31, 2017 12:53 PM
-
I am unable to open any Word Document and the fault error is as the pop up reports; EMET
Sunday, July 9, 2017 1:35 PM
-
Thanks James. It sounds like EMET 5.5 is best deployed with 64 bit applications. This makes a lot of sense since the world needs to transition from 32 bit software to 64 bit software. I have EMET 5.5 on my systems and Office 2010 32 bit takes a small performance hit but still works fine for me.
Nothing beats a hard copy
Monday, February 12, 2018 12:43 AM -
I am glad you found a workaround BartZD because Office 2007 has left Microsoft official support at the end of last year. https://support.microsoft.com/en-us/help/3198497/office-2007-approaching-end-of-extended-support
Nothing beats a hard copy
- Edited by DanW7 Thursday, February 15, 2018 5:01 AM weblink updated
Monday, February 12, 2018 12:48 AM