Incompatibility or exploit

    Question

  • Hello Everyone,

    I'm sorry if this question has been asked before, but I have a question about the EMET tool that I haven't seen answered. How do I know whether a problem a program has with a setting of the tool is caused by an incompatibility or by an exploit? So, for example, if a program crashes and I can turn off a mitigation to prevent that crash, how do I know I'm not just letting an exploit through by turning off the mitigation that prevents it? Other than testing the program on multiple machines (which may or may not tell me how my program will work on any particular machine), how would I know the difference?

    Sorry if this question has an obvious answer that I've missed.

    Tuesday, February 26, 2013 7:15 AM

Answers

  • Hi RDinerman,

    That’s a really good question and I do not think it has been asked before (although I could be wrong).

    I will attempt to answer in the best way I can. If you open a PDF file using your PDF Reader and EMET suddenly displays a notification that it closed the PDF reader due to a certain mitigation you can be quite sure that the PDF file you just tried to open contains a malicious exploit. When I mention a PDF Reader I am not just referring to Adobe Reader but to other popular PDF reading applications too such as Foxit Reader, Sumatra PDF, Nitro PDF and PDF-Xchange.

    If you are browsing the internet and your web browser is closed by EMET it is likely that this is an exploit since web browsers process more un-trusted content than any other program on your PC. Exploits can also be delivered by sites that you know and trust as evidenced by recent attacks on Internet Explorer, Java and NBC.

    If however you simply open a program (i.e. you are not opening a file) on your PC e.g. Dropbox and it is suddenly closed by EMET, it is likely that it is an incompatibility with EMET, especially if you are not connected to the internet at the time. Dropbox is not compatible with the EAF mitigation of EMET.

    To access a list of common programs that have known incompatibilities with EMET, you can visit the following thread (if you have not already done so):

    http://social.technet.microsoft.com/Forums/en/emet/thread/1e70c72b-67b2-43c4-bd36-a0edd1857875

    If at a later time you wish to review any of the notifications that EMET presented to you, you can do so. By default EMET Notifier documents the files or programs that caused it to display a notification in the Windows Event log. The Event Viewer of Windows can be accessed as follows:

    --------------------------------------------------------------------------------------

    For Windows XP: Start->Control Panel->Administrative Tools->Event Viewer

    For Windows Vista and Windows 7: Start->Control Panel->System and Security->Administrative Tools->Event Viewer

    Or: Start->Control Panel->Administrative Tools->Event Viewer

    For Windows 8:

    1. Press the Windows key to display the Windows Start screen. Type the letters “event” (without the quotes).
    2. Then left click the Settings tab below the search box on the right-hand side of the screen, or press the Windows Key and the letter W. An icon with the text “View event logs” should appear on the left side of the screen.
    3. Left click this icon.

    --------------------------------------------------------------------------------------

    You can sort the Source column by type of error so that all EMET events are shown together. Whenever a mitigation is triggered by a process or an exploit is blocked, an error occurs and you can then check the details of those errors by double-clicking them. The errors are easily visible amongst any warnings or information items related to EMET.

    You can sort the events in the log by simply left clicking the Source column heading at the top of the Event Viewer window; this will arrange the errors in alphabetical order, making EMET log entries easier to locate.

    Please find below a screenshot of Windows 7 showing sorted EMET errors:

    Direct Link To Image:

    http://i742.photobucket.com/albums/xx69/Jimboc/Microsoft/Win7EMETError1.png

    An equivalent screenshot from Windows XP is also shown below:

    Direct Link To Image:

    http://i742.photobucket.com/albums/xx69/Jimboc/Microsoft/EMET_Error_zpse6a9e112.png

    You can also create a custom view within Event Viewer of Windows 7 to perform the same kind of log minimization for you. When creating the custom view, choose EMET as the event source. Please find below a tutorial detailing how to create a custom view:

    http://www.sevenforums.com/tutorials/83841-event-viewer-create-custom-system-monitoring.html

    Without knowing the action you may be carrying out on your computer when you receive a notification from EMET, I cannot provide more specific advice. For any file/document that you receive, especially from people (via email, an external hard drive or a USB thumbdrive) who do not usually send you files, you should scan them with your security software before opening them. If you are still in any doubt about the file's legitimacy you can upload it to VirusTotal or Virus Scan by Jotti (however only do this if the file does not contain private information).

    Also if you feel that your current security software may have missed a piece of malware that may still be present on your PC and causing notifications, you could use standalone/single use scanners such as the Microsoft Safety Scanner, the Microsoft Malicious Software Removal Tool or Hitman Pro to scan your PC. These scanners provide extra reassurance and do not conflict with your existing security software and do not need to be installed. Alternatives such as Malwarebytes Anti-Malware and SuperAntiSpyware need to be installed.

    If EMET is continuously blocking Java exploits, to completely clear these exploits and stop the notifications you will need to follow the instructions under the heading of “How you can remediate Exploit:Java/CVE…” as mentioned in the following Microsoft Malware Protection Center blog post:

    http://blogs.technet.com/b/mmpc/archive/2013/02/10/the-curious-case-of-the-exploit-java-cve-infection.aspx

    I hope the above information is of assistance to you. If I can answer any further questions, please let me know.

    Thank you.

    • Edited by JamesC_836 Tuesday, February 26, 2013 2:26 PM Added extra info
    • Marked as answer by RDinerman Tuesday, February 26, 2013 3:21 PM
    Tuesday, February 26, 2013 12:12 PM
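The sorting and custom-view steps in the answer above can be done from PowerShell as well. The script below is an added example, not code from the thread or from the EMET team; it assumes EMET Notifier writes to the Application log under the provider name EMET and that each message names the mitigation and the process path, both of which are labelled assumptions in the comments.

```powershell
# Added example (not from the thread): list EMET events from the Application
# log and group them by process and mitigation, the same triage the answer
# describes doing by sorting the Source column in Event Viewer.
# Assumptions (labelled): EMET logs to 'Application' with provider 'EMET',
# and the message text reads "... detected <Mitigation> mitigation in <path>".
# Adjust $LogName / $Provider if your EMET version differs.
param(
    [string]$LogName  = 'Application',
    [string]$Provider = 'EMET',
    [int]$Days        = 7
)

$since = (Get-Date).AddDays(-$Days)

# Errors are the entries the answer says appear when a mitigation fires or an
# exploit is blocked; warnings and information items are kept for context.
$events = Get-WinEvent -FilterHashtable @{
    LogName      = $LogName
    ProviderName = $Provider
    StartTime    = $since
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host "No $Provider events in '$LogName' since $since."
    return
}

# Pull the mitigation name and process path out of the message text. The regex
# is an assumption about the message format; entries it does not match keep
# the raw message so nothing is silently dropped from the report.
$rows = foreach ($e in $events) {
    $m = [regex]::Match($e.Message,
        '(?i)detected\s+(?<mit>\S+)\s+mitigation\s+in\s+(?<proc>.+?)\s*$', 'Multiline')
    [pscustomobject]@{
        Time       = $e.TimeCreated
        Level      = $e.LevelDisplayName
        Mitigation = if ($m.Success) { $m.Groups['mit'].Value } else { '?' }
        Process    = if ($m.Success) { $m.Groups['proc'].Value } else { $e.Message }
    }
}

# Repeated hits from one program that was not opening a document point at an
# incompatibility (the Dropbox/EAF case above); a hit from a browser or PDF
# reader while a file was open deserves the exploit reading first.
$rows | Group-Object Process, Mitigation |
    Sort-Object Count -Descending |
    Select-Object Count,
        @{n='Process';    e={ $_.Group[0].Process }},
        @{n='Mitigation'; e={ $_.Group[0].Mitigation }},
        @{n='First';      e={ ($_.Group | Sort-Object Time)[0].Time }},
        @{n='Last';       e={ ($_.Group | Sort-Object Time)[-1].Time }} |
    Format-Table -AutoSize
```

The equivalent Event Viewer custom view uses the XPath filter `*[System[Provider[@Name='EMET']]]`, which is what choosing EMET as the event source produces.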

All replies

  • Hello James,

    Thank you so much for the helpful reply.  We just installed EMET and are testing it, and we realized that if we put this out in the field we might have techs disabling the protections in order to help clients get their machines back to a functional state, while at the same time infecting the machines.  I think you've given excellent guidance as to what to look for to help make the determination.

    I don't know if you are involved with the development of this tool or not, but if your advice could somehow be put into the warning that pops up when EMET blocks something, I think that would go a long way toward making this tool more end user/first level tech friendly.

    Once again, thanks for the excellent reply.

    Tuesday, February 26, 2013 3:27 PM
  • Hi RDinerman,

    Many thanks for your kind words and I am glad that you found my reply useful.

    Unfortunately, I am not involved in the development of this tool. I am simply a volunteer who assists on this forum since I have built up some knowledge of this tool over the last 2 years. I can’t solve every problem but I can usually contribute something useful.

    For the suggestions that you mentioned, you can pass these on to the developers of EMET, their email address is given at the bottom of the following blog post:

    http://blogs.technet.com/b/srd/archive/2012/05/15/introducing-emet-v3.aspx

    It may interest you to know that a new version of EMET should be available in the coming months. According to Jonathan Ness (from his Twitter account), there will be a beta of EMET 3.5 in March with a final version this Summer (if all goes according to plan). Here is the link to the appropriate tweet:

    https://twitter.com/jness/status/302128486804500481

    For full details on the changes in EMET 3.5 Tech Preview, please see the following Microsoft Security Research and Defense blog posts:

    http://blogs.technet.com/b/srd/archive/2012/07/24/emet-3-5-tech-preview-leverages-security-mitigations-from-the-bluehat-prize.aspx

    http://blogs.technet.com/b/srd/archive/2012/07/26/technical-analysis-of-the-top-bluehat-prize-submissions.aspx

    If I can answer any further questions, please feel free to create a new thread on this forum. Thanks for your reply.

    • Edited by JamesC_836 Tuesday, February 26, 2013 3:53 PM Added EMET 3.5 Info
    Tuesday, February 26, 2013 3:38 PM