Running EMET and MBAE together


hake

I am providing some notes about the rules of thumb I use to enable EMET and MBAE to be used together.  These rules of thumb are not absolutes, merely guidelines as there will always be occasional exceptions which rear their heads unexpectedly.

 

Please read my comments in conjunction with my attached screenshots of my EMET settings for my WinXP 32bit and Win7 64bit systems. I find that with those Windows systems (and also a friend's Win8.1 system), the displayed settings work well with MBAE Premium. The MBAE protected applications are those with the reduced selection of EMET mitigations (i.e. the mitigations provided by EMET3 less the EAF mitigation). Those applications which are not protected by MBAE are the ones with all EMET mitigations set.

 

The EMET5 EAF+ mitigation has been found not to cause the slightest problem with MBAE.

 

As an aside, I have found that some older applications do not like the EMET Stack Pivot mitigation but this is not related to the use of MBAE.  I just mention it in passing.  MS Publisher 2000 is such an application.  I protect Skype in MBAE as 'other'.  Please note that Skype will not run if the EMET SEHOP and EAF mitigations are enabled for Skype, regardless of whether Skype is protected by MBAE. 

For MBAE Free, only the browser applications (plus Java, if used) would have the reduced selection of EMET mitigations. Basically, the screenshots illustrate my rule of thumb when using MBAE and EMET together.

 

I cannot guarantee that my fairly informal rules of thumb will work in absolutely every circumstance but I have not yet encountered a single exception.

[Attached screenshot 1: EMET settings]

[Attached screenshot 2: EMET settings]

Link to post

I have omitted to label the screen shots.

 

The first screen shot is of EMET 4.1 update 1 from my Windows XP 32bit system.

The second screen shot is of EMET 5.1 from my Windows 7 64bit system.

Link to post

Thanks for your testing.

 

I will confirm that I have found the EAF mitigation to be problematic when using EMET 2.1 on (32-bit) WinXP:   Specifically, I had to disable EAF in IE, FF and PaleMoon in order to get them to load; as well as in Adobe Reader, Plugin-Container, PowerPoint Viewer, WordPad, and Works Spreadsheet to allow them to function correctly (i.e., not hang).

 

However, in my case, I am able to keep EAF enabled using EMET 3.0 and 4.1 on two separate Win7x64 systems.   Just saying.

 

I would also confirm that I've found StackPivot to be problematic when using EMET 4.1 on Win7x64.   But for me, there was much more:   I in fact had to disable LoadLib, MemProt, Caller, and SimExecFlow [in addition to StackPivot] in IE & FF in order to get them to load; as well as in Plugin-Container so as not to hang FF.   Note:  This configuration was tested using the free version of MBAE, so I focused only on the browsers.

 

The most perplexing system for me was one using EMET 3.0 on Win7x64.   There, I sporadically encountered mbae64.dll crashing IE... even when I completely removed IE from EMET :wacko: .   So on this particular system, it seemed I had no choice but to deactivate IE in MBAE [while keeping ALL of EMET's mitigations for IE].

 

---------------------------

 

I would hope/request that this thread remain open, so others can compare notes as well.   I find it quite useful to pinpoint the precise EMET/MBAE conflicts, to be able to "fine-tune" these two programs to work together, rather than making a blanket statement that they're incompatible.

 

Link to post

I hope that users will share their own experiences and knowledge of using MBAE and EMET.  I know what works for me and the Windows XP, Vista, 7, 8 and 8.1 systems which I support.   The users of all of my supported systems which are physically remote from me have not raised a single concern.  I am now confident enough to send non-tech users away with their laptops without anxiety about their computers continuing to be stable, useful and usable.  The telephone remains silent, on MBAE and EMET at least.

 

Thanks ky331 for the comments about EMET 3, Windows 7 and IE.  It's definitely on my list to update the laptop with that version of EMET to EMET 5.1.

Link to post

  • 1 month later...

EMET 5.2 has the same conflicts with MBAE  as version 5.1 did, in regards to IE11 and Firefox 36.0.1. As with the previous version, just disable EMET protection for:

  1. EAF
  2. SimExecOverflow
  3. ASR

Other than that, I did not notice any other conflicts.

 

EMET EAF+ protection has no conflict with MBAE, probably because MBAE does not have this buffer protection.

Link to post

  • 2 weeks later...

I'd like to confirm dont_touch_my_buffer's finding as far as Firefox is concerned. Disabling these three mitigations was sufficient.

(Windows 7, 32-bit, EMET 5.2, Firefox 37.0)

 

For Word, however, I could not enable every mitigation as the screenshot stated. I had to disable SimExecFlow to prevent Word from being terminated by EMET. ASR I could not properly configure, so that one remains untested.

 

I'd like to add that everything running sandboxed by Sandboxie is only protected by EMET and not by MBAE. (I thought that was a known issue but I don't see it listed.)

Link to post

  • 2 months later...

I only have problems with IE11 in combination with EMET and MBAE.

 

Question 1 is: Who to trust?

Question 2 is: Are the programs really side-to-side? Are they not interfering in real protection? (same logarithms, etc.)

Question 3 is: Is MBAE not just a consumer product, and is EMET better for 'professionals'?

 

Just questions...

 

For the time being I'm using EMET 5.2 with a good AV, and checking systems with other tools.

 

I know very well that 100% safe is not possible anymore...

Link to post

There was a problem with running MBAE and IE11 together on W8.1; not sure about W7-SP1. It is a long story, but if you download EMET 5.2 again from the Microsoft website and install the new download of EMET 5.2, EMET 5.2 and MBAE should work fine together using the settings in EMET for IE as noted in the first post on this thread. I had the problem of the two not working together and it was resolved by doing this.

Link to post

  • 3 weeks later...

Here's my latest information, under Win7x64, MBAE 1.07.1.1011 (Free), EMET 4.1:

 

I had to disable [only] Caller & SimExecFlow in EMET, for IE and FF [& FF's PluginContainer] in order to get these to load.    That's (at least for the moment) a positive change from the earlier, more-restrictive results I reported above in post#3 using an earlier version of MBAE (I believe it was 1.05.1.1014).   We'll see if this is indeed progress, or if any of the other conflicts show up "eventually".

Link to post

Just for the record, it is useless to run EMET 4.1 and MBAE at the same time.

MBAE contains all the functionality present in EMET 4.1 (except for EAF) plus a number of additional protections.

 

Regarding EAF: Quite a number of EAF bypasses have already been published and EAF bypasses have already been used in the wild quite a lot. The only mitigation present in EMET 5.x that has not yet been publicly bypassed is EAF+. imo EAF+ is the only advantage of EMET 5.x over other mitigation tools. 

Link to post

"Just for the record, it is useless to run EMET 4.1 and MBAE at the same time."

 

I'm not qualified to dispute your assertion where both programs are competing to offer protection. However, on the machine where I made my recent test, I noted that I'm just running MBAE Free... so the only programs it's protecting are my browsers (IE & FF --- and I do NOT have Java installed). Meaning EMET is still protecting other programs for me (e.g., Reader, Office, and Media Player).

Link to post

Of course EMET is still useful when dealing with applications that are not protected by MBAE Free  ;)

Link to post

Anyone??

 

Yes, I do use both EMET 5.2 and MBAE with W10 version 10166. Firefox does need EAF, SimExecFlow and ASR disabled in EMET; same as in Windows 7 and 8.x.

 

My W10 does not have IE, instead, it has a new browser named Microsoft Edge. I've added this browser to MBAE and it works just fine. An added bonus, there's no conflict with EMET where all 14 mitigations had been enabled. Edge starts up just fine...

Link to post

  • 8 months later...

I have Windows /x64 - IE11, FireFox, Adobe Reader and Fossamail (variation of Thunderbird) all had problems with MBAE and EMET 5.5.  Disabled EAF and SIMEXECFLOW and no issue.  Someone mentioned that MBAE is supposed to warn you during install that you should disable EMET.  Would be nice for MBAE to educate us - most of us are so paranoid we tend to think more protection is better - even when we know better!

Yes I know - duplicate post - had to fix a few spelling errors. 

I have Windows / x64 - IE11, FireFox, Adobe Reader and Fossamail (variation of Thunderbird) all had problems with MBAE and EMET 5.5.  Disabled EAF and SIMEXECFLOW and no issue.  Someone mentioned that MBAE is supposed to warn you during install that you should disable EMET.  My install did not.  Would be nice for MBAE to educate us - most of us are so paranoid we tend to think more protection is better - even when we know better!

Link to post