EMET 5.0 Pinning Rule doesn't work

  • Question

  • I have installed EMET 5.0 on my Windows 7 Pro system. I have configured a pinning rule for my internet bank exactly the same way as I did with EMET 4.1. But when I apply a different certificate from my bank's to test the rule, nothing happens - no warnings when I log in to the internet bank. Except once! With EMET 4.1 the warnings never failed to show.

    The new EMET 5.0 blocking function doesn't work at all (which is very disappointing, as this was the main reason why I upgraded to EMET 5.0).

    Does anyone know how to make this work?

    I tried to enclose screenshots of my current configuration, but got the error message:

    "Body text cannot contain images or links until we are able to verify your account."

    But I don't understand how to verify my account... sorry...

    Monday, August 18, 2014 7:28 AM

All replies

  • I also have the same problem as you with all my Windows 7 PCs. Windows 8 or later PCs have no problem.

    I found that the pinning rule may not work when using a UAC-enabled user. If I logged on to my PC as the local administrator (UAC turned off by default), my pinning rule worked as expected. However, this workaround is unsuitable for security.

    I have already reported this problem to emet_feedback@microsoft.com.


    Monday, August 18, 2014 9:03 AM
  • Do you mean that the EMET 5.0 pinning rule on Windows 7 works if you log in as administrator, but on Windows 8 it works logged in as a standard user?

    Have you ever tried to configure an EMET 5.0 pinning rule on Windows 7 logged in as administrator and then test whether the pinning rule works logged in as a standard user?

    Very useful to know that the EMET 5.0 pinning rule works better on Windows 8 - I will try that!

    Also useful to know about the mail address emet_feedback@microsoft.com!


    Sunday, August 24, 2014 6:14 AM
  • > Do you mean that the EMET 5.0 pinning rule on Windows 7 works if you log in as administrator, but on Windows 8 it works logged in as a standard user?

    Yes. If you start IE as Administrator (UAC elevated process) on Windows 7, it will work.

    I also tested on one Windows Vista SP2 PC. The pinning rule notification worked even when using a UAC-enabled user, but the blocking rule (new feature from EMET 5) did not work in Vista.

    > Have you ever tried to configure an EMET 5.0 pinning rule on Windows 7 logged in as administrator and then test whether the pinning rule works logged in as a standard user?

    I did. It did not work soon, or did not work after a few times. I don't know why or under which conditions.

    Monday, August 25, 2014 4:52 AM
  • This morning I:

    1. Logged in as administrator on Windows 8 (Swedish version).

    2. Installed and configured EMET 5.0 with recommended settings and added a pinning/blocking rule for my internet bank. Imported a certificate different from that used by my internet bank.

    3. Logged out.

    4. Logged in as standard user.

    5. Launched Internet Explorer in desktop mode (didn't run as administrator).

    6. Tried to log in to my internet bank – the pinning rule blocked the login, nice!

    As you stated before, the pinning rule does not work as one would like on Windows 7 (I have Windows 7 Professional, English version).

    I have not yet tried to use EMET logged in as administrator on Windows 7, but why bother? I agree with you, it is not a good idea to log in as administrator and then use the internet…

    I will use Windows 8 for my internet banking until this is resolved.

    Thank you!

    Tuesday, August 26, 2014 10:41 AM