
[EMET] 0.10.0100 Preventing IE 11 From Opening on W8.1 Pro


Nesivos


Well, explains why I hadn't seen the issues Nesivos has been very thoroughly explaining. (Not running EMET)

I also agree with the EMET assessment however I've always found the app very 'high maintenance' in the possible configurations  :D

I have used it over the years but not presently.

 

edit

I agree advanced configuration can be very complicated.   Having said that I just use the Recommended default setup and add maybe a half a dozen programs with all the boxes checked.  If there are any problems with the default or my added programs I just remove them or do some research and try and find out which boxes to uncheck for each program.

 

For most users the Recommended settings will work just fine. Once you have it configured or decide to use the Recommended settings it rarely requires any maintenance unless you want to add a new program. However, since 5.x is still in Technical Preview I haven't added programs except Firefox which I wouldn't have added at this time if it weren't to try and identify the problem with IE 11.

 

Bottom line is if a user sticks with their Recommended settings with a final version release it requires no configuration effort and is very little if any trouble at all once installed. It does add another level of security even if you use their Recommended settings with their default program list and don't add your own programs because it will still offer additional OS protection without adding your own programs. I have never seen it conflict with any of my AV programs.


Hello,

 

I do not have Windows 8, so I am not able to reproduce this issue.

Anyway, with Nesivos's information, I may have an idea about what's going wrong.

 

If you enable one of the five ROP mitigations (LoadLib, MemProt, Caller, SimExecFlow or StackPivot), EMET will start hooking critical functions in Kernel32, KernelBase and Ntdll.

Disabling all the ROP mitigations will leave the code untouched, so we can deduce it's probably a hooking conflict between EMET and MBAE.

 

We know that the crash occurs in KernelBase.dll, so I've listed all the KernelBase functions hooked by both EMET and MBAE:

 

VirtualAllocEx
VirtualProtectEx
WriteProcessMemory
CreateFileW 

 

One of these hooks makes IE 11 crash with EMET+MBAE and given the issues I've had previously with CreateFileW when running IE, I would bet on this one.

 

I hope it will help.

 

Kaine
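As a troubleshooting aid for the kind of conflict described in the post above (an added example, not part of the original post and not EMET or MBAE code): a C helper that compares the first bytes of an export in memory with the same bytes from the DLL file and reports whether a detour was written over them. The function names, the 12-byte window and all byte values and addresses are assumptions constructed for illustration; the caller is assumed to supply both byte ranges.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define WINDOW 12 /* bytes inspected; enough for mov rax, imm64 + jmp rax */

typedef enum { PRO_CLEAN, PRO_JMP_REL32, PRO_JMP_INDIRECT,
               PRO_MOV_JMP_RAX, PRO_PATCHED_OTHER } prologue_state;

/* Compare the in-memory prologue with the bytes from the file on disk.
   Identical bytes are reported clean even when they begin with a jmp,
   because import thunks and forwarders legitimately start that way. */
prologue_state classify_prologue(const uint8_t mem[WINDOW],
                                 const uint8_t disk[WINDOW]) {
    if (memcmp(mem, disk, WINDOW) == 0) return PRO_CLEAN;
    if (mem[0] == 0xE9) return PRO_JMP_REL32;                 /* jmp rel32 */
    if (mem[0] == 0xFF && mem[1] == 0x25) return PRO_JMP_INDIRECT; /* jmp [rip+d] */
    if (mem[0] == 0x48 && mem[1] == 0xB8 &&
        mem[10] == 0xFF && mem[11] == 0xE0) return PRO_MOV_JMP_RAX;
    return PRO_PATCHED_OTHER; /* modified, but not a recognised jump form */
}

/* Destination of a 5-byte "jmp rel32" located at virtual address va.
   rel32 is little-endian, signed, and relative to the next instruction. */
uint64_t jmp_rel32_target(const uint8_t *mem, uint64_t va) {
    uint32_t raw = (uint32_t)mem[1] | (uint32_t)mem[2] << 8 |
                   (uint32_t)mem[3] << 16 | (uint32_t)mem[4] << 24;
    return va + 5 + (uint64_t)(int64_t)(int32_t)raw;
}

/* Constructed sample bytes, not taken from a real KernelBase.dll. */
static const uint8_t disk_bytes[WINDOW] =
    {0x48,0x89,0x5C,0x24,0x08,0x48,0x89,0x6C,0x24,0x10,0x57,0x48};
/* Same function after a 5-byte detour replaced the first instruction. */
static const uint8_t hooked_bytes[WINDOW] =
    {0xE9,0xFB,0x0F,0x00,0x00,0x48,0x89,0x6C,0x24,0x10,0x57,0x48};

int main(void) {
    const uint64_t va = 0x180001000ULL; /* constructed address */
    if (classify_prologue(hooked_bytes, disk_bytes) == PRO_JMP_REL32)
        printf("sample export detoured to 0x%llx\n",
               (unsigned long long)jmp_rel32_target(hooked_bytes, va));
    return 0;
}
```

Resolving the jump target to the module that owns that address shows which product placed the hook on a given export.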


  • Staff

You're most likely correct about CreateFileW Kaine, although there are other kernelbase functions that are hooked but maybe EMET isn't hooking them. We are still reviewing the detailed and in-depth analysis you sent us via PM about the hooking conflicts with EMET. Your analysis is the main reason we're starting to change our point of view about EMET compatibility going forward. We've been busy finishing the next build which we delivered last week to QA, so now we'll have more time to look at the issues you raised and think about possible solutions to this problem.


Hello Pedro,

 

Yes I know there are other kernelbase hooked functions like the CreateProcess family but EMET hooks them at kernel32 and ntdll level.

 

As far as I know MBAE is much more stable than EMET (especially the very buggy 5.0 TP) and it does the job. I enjoy both products and it would be great to find a way to make them work together.

 

Regards,

Kaine


FYI...having this issue with EMET 4.1 as well...

 

Setup:

Windows 8.1 Pro 64bit w/ Update 1

EMET 4.1 default settings

IE11

Anti-Malware Premium

No anti-virus installed

 

Download, install MBAE, restart...now from local user or Admin account IE will not launch.  Disable MBAE service and IE launches with no problem. 
