Guest Tempus, posted April 9, 2014: Hi. Does Emsisoft Anti-Malware take advantage of DEP (DEP prevents data from being executed) and ASLR (which makes it more difficult to predict the location of code within memory)? In other words, is EAM coded to take advantage of these two features? If not, then why not? Wouldn't it be an advantage against exploits? My question came after reading this blog: On the effectiveness of DEP and ASLR. Thanks, Jan
Insert Real Name, posted April 9, 2014: I'd like Emsisoft tech support to also address the related question of the compatibility of running Microsoft's "Enhanced Mitigation Experience Toolkit 4.1" with Emsisoft's Anti-Malware. This Microsoft software allows the user to opt potentially exploitable software (e.g. software that accesses the Internet) into an extended range of enhanced anti-malware protections (ASLR, DEP, heap spray, anti-detours, etc.), and it does this by injecting itself into the running programs and by monitoring and limiting the hooking of system APIs. I'd be really happy if the Emsisoft developers would take some time to look at this additional mitigation software and determine if there are any conflicts with using it concurrently with Emsisoft Anti-Malware. What protections are already implemented by Emsisoft, and what protections will interfere with Anti-Malware's own functioning? I'm attaching the User Guide for the Microsoft EMET 5.0 Technical Preview.
Pilis, posted April 9, 2014: According to Process Explorer and SlopFinder, these files have ASLR enabled:

BlitzBlank.exe
a2acc.dll
a2contmenu.dll
a2contmenu64.dll
a2core32.dll
a2core64.dll
a2dix86.dll
a2engine.dll
a2hooks32.dll
a2hooks64.dll
clean32.dll
cleanhlp32.dll
evcdiff.dll
frme32.dll

And these files have not:

a2service.exe
a2start.exe
a2wizard.exe
a2cmd.exe
a2guard.exe
a2HiJackFree.exe
a2framework.dll
a2mor.dll
a2update.dll
a2wsc.dll
avxdisk.dll
bdcore.dll
logging.dll
quarantine.dll
resource.dll
a2accx64.sys
a2accx86.sys
a2ddax64.sys
a2ddax86.sys
a2dix64.sys
a2dix86.sys
a2util32.sys
a2util64.sys
cleanhlp32.sys
cleanhlp64.sys

I guess the Emsisoft guys know what they are doing, and the most important files, which interact with "attacker code", have ASLR enabled. Not sure of the reasons for not also enabling it for the other files, though. (Stability? Compatibility?)
GT500, posted April 10, 2014: I personally haven't tested the Enhanced Mitigation Experience Toolkit; however, I don't know of any reason why it wouldn't work with our software (I know some of our customers do use it). That being said, there have been cases where EMET has been bypassed, so it may not be as great as Microsoft claims. As for DEP, it is a technology that is implemented by operating systems and processors (or at least certain DEP features require processors to have certain features). It has been a part of Windows since Service Pack 2 for Windows XP, and all versions of Windows that our software runs on have it. You can read more about it here. For more information than that, a developer would have to reply.
Guest Tempus, posted April 10, 2014: Thanks GT500 for your answer, it's appreciated. Thanks Pilis, I wasn't aware of "SlopFinder". Yes, it does seem that some of the files have ASLR enabled. But as to my understanding, Emsisoft Anti-Malware must specifically be configured to take advantage of DEP and ASLR. So my question was basically: to what extent is Emsisoft using the benefits of DEP and ASLR (which are an excellent layer against exploits)? Thanks, Jan
Insert Real Name, posted April 10, 2014: Thanks for the answer re. Microsoft EMET. EMET was something I was using with Microsoft's MSE before I switched to Anti-Malware (MSE's detection rates have really gone down in the last two years), so I just wanted to know how many protections they had in common, based on Microsoft's published documentation, and if they would tangle each other up. Maybe I'll try a test.
Pilis, posted April 11, 2014: Tempus wrote: "But as to my understanding, Emsisoft Anti-Malware must specifically be configured to take advantage of DEP and ASLR. So my question was basically: to what extent is Emsisoft using the benefits of DEP and ASLR (which are an excellent layer against exploits)?"

As to my understanding, you simply build a PE file with the linker option "/DYNAMICBASE" (and optionally "/HIGHENTROPYVA" for 64-bit files). That's basically it. ASLR has now been "enabled" for that file, and Windows knows to load it at a randomized address. I've listed for you all of Anti-Malware's PE files which either have that linker option or don't. I'm not sure what you could "specifically configure" more. The only thing I could think of is using the new Force ASLR feature, but that doesn't really make sense since Emsisoft won't just load unknown DLLs. Also compatibility. Of course you could use EMET to manually force an executable to use "Mandatory ASLR" (which actually only forces address space randomization on DLLs loaded by a process), but I wouldn't recommend using it on security software. Better use the supplied list of recommended processes. That way I've been using EMET in combination with Emsisoft Anti-Malware for a long time without any issues.
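What Process Explorer and SlopFinder report in Pilis's file listing above, and what the /DYNAMICBASE and /HIGHENTROPYVA linker options set, come down to a few bits in the PE optional header's DllCharacteristics field (plus one bit in the COFF file header that can silently undo ASLR). The script below is an added example for this thread, not code from the forum or from Emsisoft: it parses those header fields, reports DEP (IMAGE_DLLCHARACTERISTICS_NX_COMPAT), ASLR (DYNAMIC_BASE), high-entropy ASLR (HIGH_ENTROPY_VA), and whether IMAGE_FILE_RELOCS_STRIPPED is set, in which case the loader cannot rebase the image and DYNAMIC_BASE has no effect. It also shows setting those bits after the fact on an existing image, which is what the Microsoft `editbin /DYNAMICBASE /NXCOMPAT` tool does to the same field. The function names (`inspect_pe`, `set_dll_characteristics`, `build_sample_image`) are this example's own, and the sample images are constructed header-only byte strings, not real binaries.

```python
"""Inspect (and optionally set) the PE header bits behind DEP and ASLR."""
import struct
import sys
from dataclasses import dataclass

# IMAGE_OPTIONAL_HEADER.DllCharacteristics bits (PE/COFF specification)
HIGH_ENTROPY_VA = 0x0020   # /HIGHENTROPYVA, meaningful for 64-bit images only
DYNAMIC_BASE    = 0x0040   # /DYNAMICBASE   -> image may be rebased (ASLR)
NX_COMPAT       = 0x0100   # /NXCOMPAT      -> DEP opt-in
# IMAGE_FILE_HEADER.Characteristics bit
RELOCS_STRIPPED = 0x0001   # no .reloc data: the loader cannot rebase the image

PE32, PE32PLUS = 0x10B, 0x20B
DLLCHARS_OFFSET = 70       # same offset in PE32 and PE32+ optional headers


@dataclass
class Mitigations:
    is_64bit: bool
    dep: bool
    aslr: bool
    high_entropy: bool
    relocs_stripped: bool

    @property
    def effective_aslr(self) -> bool:
        # DYNAMIC_BASE only helps if the image actually carries relocations.
        return self.aslr and not self.relocs_stripped


def _header_offsets(data: bytes):
    """Return (file_header_offset, optional_header_offset) or raise ValueError."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    file_hdr = e_lfanew + 4          # 20-byte COFF file header
    return file_hdr, file_hdr + 20   # optional header follows it directly


def inspect_pe(data: bytes) -> Mitigations:
    file_hdr, opt_hdr = _header_offsets(data)
    characteristics = struct.unpack_from("<H", data, file_hdr + 18)[0]
    magic = struct.unpack_from("<H", data, opt_hdr)[0]
    if magic not in (PE32, PE32PLUS):
        raise ValueError(f"unknown optional header magic {magic:#x}")
    dll_chars = struct.unpack_from("<H", data, opt_hdr + DLLCHARS_OFFSET)[0]
    return Mitigations(
        is_64bit=(magic == PE32PLUS),
        dep=bool(dll_chars & NX_COMPAT),
        aslr=bool(dll_chars & DYNAMIC_BASE),
        high_entropy=bool(dll_chars & HIGH_ENTROPY_VA),
        relocs_stripped=bool(characteristics & RELOCS_STRIPPED),
    )


def set_dll_characteristics(data: bytes, flags: int) -> bytes:
    """Return a copy of the image with extra DllCharacteristics bits set.
    This is the header edit editbin /DYNAMICBASE /NXCOMPAT performs; it does
    not add relocations, so it cannot make a RELOCS_STRIPPED image ASLR-capable."""
    _, opt_hdr = _header_offsets(data)
    buf = bytearray(data)
    cur = struct.unpack_from("<H", buf, opt_hdr + DLLCHARS_OFFSET)[0]
    struct.pack_into("<H", buf, opt_hdr + DLLCHARS_OFFSET, cur | flags)
    return bytes(buf)


def summarize(m: Mitigations) -> str:
    arch = "x64" if m.is_64bit else "x86"
    aslr = "yes" if m.effective_aslr else ("flag set but relocs stripped" if m.aslr else "no")
    he = " (high entropy)" if m.high_entropy else ""
    return f"{arch}  DEP: {'yes' if m.dep else 'no'}  ASLR: {aslr}{he}"


def build_sample_image(magic: int, dll_chars: int, characteristics: int = 0) -> bytes:
    """Constructed header-only image for offline testing; not a loadable binary."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    machine = 0x8664 if magic == PE32PLUS else 0x014C
    opt_size = 240 if magic == PE32PLUS else 224
    file_hdr = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, characteristics)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, DLLCHARS_OFFSET, dll_chars)
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt)


if __name__ == "__main__":
    # Usage: python pe_mitigations.py a2guard.exe a2service.exe ...
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(f"{path}: {summarize(inspect_pe(fh.read()))}")
```

Run against the files Pilis listed, this prints one line per binary. The relocation check is the caveat a plain flag dump misses: a file with DYNAMIC_BASE set but no .reloc section will still load at its preferred base, and setting the bit after the fact with editbin does not fix that.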
GT500, posted April 11, 2014: Tempus wrote: "But as to my understanding, Emsisoft Anti-Malware must specifically be configured to take advantage of DEP and ASLR."

I'm fairly certain that that's not the case for DEP, and that the operating system takes care of protecting memory (Wikipedia's explanation of DEP makes it sound this way, at least). That being said, the types of exploits that DEP was created to protect against are very old, and anti-virus software typically has completely different threats to worry about. As for ASLR, I'm fairly certain (and please keep in mind that this is coming from the perspective of someone who is not a developer and is not privy to all of the technical details about how this works) that it would be impossible for a2service to really make use of, because the way a2guard and a2start interface with it is by reading and modifying its memory (which is, as I understand it, pretty much an industry standard in security software).
Guest Tempus, posted April 11, 2014: Thanks guys, GT500 and Pilis, for shedding some light on my posts. What I have done for now is a complete, up-to-date image backup of my system, and I have downloaded and installed EMET version 4.1 and set it to "Recommended Settings". There may be something more that I would like to add to EMET later, but for now I will test (and learn) it for a period (in recommended settings) to see how it will behave and interact with my overall system configuration. Thanks, Jan
GT500, posted April 12, 2014: You're welcome.
hackerman1, posted April 12, 2014: I have been using EMET together with EAM for months and I have not noticed any problems. I tried to find information about configuring EMET for EAM, but since I could not find any, I decided to instruct EMET to ignore EAM. I see no reason to let EMET mess with EAM's processes (a2guard.exe and a2service.exe). And I have also added exceptions for EMET in EAM.
Guest Tempus, posted April 12, 2014: I had come to the same conclusion as you, after the feedback that I received from the above posts. The only thing that I might want to add to EMET is my Twitter and Skype. But then again, I don't think it is necessary, because I use those programs from the Windows Metro interface, and they are already isolated in app containers, so that has to be enough, I guess. I have not created exceptions for EMET in EAM, but it is definitely a good approach, thanks for the idea. But for now I will let it run in recommended settings, until I have a better understanding of what I'm doing. Thanks for your post, hackerman1.
hackerman1, posted April 13, 2014: Have you checked what the "recommended settings" are? If I remember correctly, EMET sets several if not all options to On (active) for EAM's a2guard.exe and a2service.exe.
Guest Tempus, posted April 13, 2014: Yep, hackerman1, I checked the recommended settings as soon as EMET was installed (see image). I can see the two processes, a2guard and a2service, running in EMET's main window. But those are not set to run under EMET's protection. And as you write, I think like you that those are best left as they are. If I should run into some compatibility issues, then I will place EMET in the "Manage Whitelist" under the "File Guard" tab, I would guess. By the way, I received a hefty manual, 42 pages, with the download. So now I am trying to bend my brain around all the technical stuff. My frontal lobe hurts, but in a pleasant way.
Fabian Wosar (Emsisoft), posted April 13, 2014: The main issue is that a lot of our executable files are not built using the Microsoft tool chain (Visual Studio). So it is not as easy as adding "/DYNAMICBASE", simply because that parameter doesn't exist in development tools outside of Visual Studio. All files that are built using the Microsoft tool chain have both DEP and ASLR already enabled. The files that don't have DEP or ASLR enabled are files that are built with a tool chain that does not officially support DEP or ASLR.
Guest Tempus, posted April 23, 2014 (quoting Fabian Wosar's post of April 13 above): Somehow it had slipped my attention that you have given a fine explanation. Thanks, Fabian Wosar, and sorry for my late response.
hackerman1, posted December 3, 2014 (quoting Fabian Wosar's post of April 13 and his own post of April 12 above): Thanks. I know that EMET is not created by Emsisoft, but do you have any recommendations for how EMET should be configured? Should it ignore a2guard.exe and a2service.exe? And should it be configured for any other EAM files? And since your post above is from April 2014, and newer versions of EAM have been released since then, has there been any change regarding DEP and ASLR in those versions? AV-TEST published a report about the use of DEP and ASLR in antivirus software on 2014-11-25, "Self-Protection for Antivirus Software": http://www.av-test.org/en/news/news-single-view/self-protection-for-antivirus-software/ Unfortunately EAM is not included in that report, so it would be very interesting to hear about EAM's use of DEP and ASLR.
Fabian Wosar (Emsisoft), posted December 4, 2014: We only test EMET with default settings. If you want to tinker with its settings, you are on your own. All Emsisoft components support DEP and ASLR since version 9.0.
hackerman1, posted December 8, 2014: Fabian Wosar wrote: "We only test EMET with default settings. If you want to tinker with its settings, you are on your own. All Emsisoft components support DEP and ASLR since version 9.0."

Thank you. But what exactly are the "default" settings? Do you mean everything checked for both a2guard.exe and a2service.exe? And are we talking about EMET 4.1 or 5 (5.1)? To make sure we all get it right, it would be very nice if you could post a screenshot of the correct "default" settings.
Fabian Wosar (Emsisoft), posted December 8, 2014: hackerman1 wrote: "But what exactly are the "default" settings? Do you mean everything checked for both a2guard.exe and a2service.exe?"

No. Default means the settings you get after running the wizard and choosing "Use recommended settings". We do not test how certain EMET mitigations affect any of our own processes, but we do make sure that we don't interfere with protections put in place by EMET in other processes that we monitor as well, as EMET and our behavior blocker use very similar techniques to intercept code flow, which often results in incompatibilities.

hackerman1 wrote: "And are we talking about EMET 4.1 or 5 (5.1)?"

We always test with the latest stable release, which is version 5.1.
hackerman1, posted December 9, 2014 (quoting Fabian Wosar's post of December 8 above): That was the reason for asking, as I thought there might be incompatibilities between EAM and EMET. I did run the wizard when I installed EMET, but since I wasn't sure that those mitigations really should be checked, I unchecked all of them. And I didn't save the recommended settings, because I was hoping to get the needed information from Emsisoft. So, again: what exactly are the "default" settings? To make sure we all get it right, it would be very nice if you could post a screenshot of the correct "default" settings. Could you please list the settings or post a screenshot?
hackerman1, posted December 9, 2014: I just ran the wizard again. The recommended setting in EMET 4.1 is everything checked for both a2guard and a2service. But then EMET blocks EAM. I get a notification from EMET: SimExecFlow mitigation for a2guard. Now I remember that being the primary reason for unchecking everything. So a list of the settings or a screenshot would be appreciated.
Fabian Wosar (Emsisoft), posted December 10, 2014: These are the default settings and the only settings we test with: (screenshot) Adding any of the EAM processes is not covered by the defaults. As I said before, we do not test whether EMET protections interfere with our processes (they very well may). We test whether or not our behavior blocker interferes with EMET in other processes that are included in the default EMET settings.