rm22

OA and emet compatibility


Hi - I'm running the latest Online Armor free version and have used EMET 4.1 to change the following system-wide settings:

DEP - always on (default is Windows OS files only)
SEHOP - opt out (default is disabled on Windows 7)
ASLR - default

I haven't added any additional mitigations for OA as I've read this is not recommended for AV or firewalls.

Any potential compatibility issues to watch out for with the changes I've made? I haven't noticed anything, but I'm wondering if I should set DEP to "opt out" and disable DEP and SEHOP for OA.

Thanks.


Fabian, I'm wondering if you could provide a short non-technical summary for those of us running OA (in standard mode) + EAM 9 on Windows 8.1 x64 (with all the OS standard protections, e.g. NX, enabled) of which EMET 5.0 mitigations are *actually* going to increase protection against threats that somehow get around OA+EAM and a cautious Internet user? I understand that some of the ROP protections EMET provides are already broken by the more advanced 32/64-bit executable threats, you probably know more about that...


We don't comment on other vendors' products, sorry. When in doubt I would stick to the default settings as the authors will know best which settings are most appropriate for everyday use.


On my Win7x64 + EMET5.0, if Keyscrambler.exe and VirustotalUploader2.2.exe are monitored by OA as unknown, the EAF mitigation causes them to crash.

Of course I can disable EAF to address this issue, but it started just after I installed OA Premium 7.0.0.1866.

Also, MCShield crashes with some mitigations. I haven't looked into it yet, but disabling some mitigations addressed it.

Before that, MCShield worked fine with all mitigations (except ASR) enabled.

I found EMET 5 did not work well with Win7 64-bit and many others have written the same - you might want to fall back to 4.1 if you're having problems. Also, the EMET install guide says not to use it with security software.


Fabian, I'm wondering if you could provide a short non-technical summary for those of us running OA (in standard mode) + EAM 9 on Windows 8.1 x64 (with all the OS standard protections, e.g. NX, enabled) of which EMET 5.0 mitigations are *actually* going to increase protection against threats that somehow get around OA+EAM and a cautious Internet user? I understand that some of the ROP protections EMET provides are already broken by the more advanced 32/64-bit executable threats, you probably know more about that...

 

From what I've read, EAF, stackpivot and caller mitigations provide the bulk of additional protection from the default DEP, SEHOP and ASLR mitigations.

But you could ask for more info here:

http://www.wilderssecurity.com/threads/emet-enhanced-mitigation-experience-toolkit.344631/page-31


I know some people report issues in Win7x64 with EMET5, but it probably depends on what settings and what security software they use.

It usually does. The hooks many security applications set look suspiciously like ROP to a lot of exploit protection applications.

