Running EMET and MBAE together

I am providing some notes about the rules of thumb I use to enable EMET and MBAE to be used together.  These rules of thumb are not absolutes, merely guidelines as there will always be occasional exceptions which rear their heads unexpectedly.

 

Please read my comments in conjunction with my attached screenshots of my EMET settings for my WinXP 32bit and Win7 64bit systems. I find that with those Windows systems (and also a friend's Win8.1 system), the displayed settings work well with MBAE Premium. The MBAE protected applications are those with the reduced selection of EMET mitigations (i.e. the mitigations provided by EMET3 less the EAF mitigation). Those applications which are not protected by MBAE are the ones with all EMET mitigations set.

 

The EMET5 EAF+ mitigation has been found not to cause the slightest problem with MBAE.

 

As an aside, I have found that some older applications do not like the EMET Stack Pivot mitigation but this is not related to the use of MBAE.  I just mention it in passing.  MS Publisher 2000 is such an application.  I protect Skype in MBAE as 'other'.  Please note that Skype will not run if the EMET SEHOP and EAF mitigations are enabled for Skype, regardless of whether Skype is protected by MBAE. 

For MBAE Free, only the browser applications (plus Java, if used) would have the reduced selection of EMET mitigations. Basically, the screenshots illustrate my rule of thumb when using MBAE and EMET together.

 

I cannot guarantee that my fairly informal rules of thumb will work in absolutely every circumstance but I have not yet encountered a single exception.

[Attached screenshot]

[Attached screenshot]


I have omitted to label the screen shots.

 

The first screen shot is of EMET 4.1 update 1 from my Windows XP 32bit system.

The second screen shot is of EMET 5.1 from my Windows 7 64bit system.


Thanks for your testing.

 

I will confirm that I have found the EAF mitigation to be problematic when using EMET 2.1 on (32-bit) WinXP:   Specifically, I had to disable EAF in IE, FF and PaleMoon in order to get them to load; as well as in Adobe Reader, Plugin-Container, PowerPoint Viewer, WordPad, and Works Spreadsheet to allow them to function correctly (i.e., not hang).

 

However, in my case, I am able to keep EAF enabled using EMET 3.0 and 4.1 on two separate Win7x64 systems.   Just saying.

 

I would also confirm that I've found StackPivot to be problematic when using EMET 4.1 on Win7x64.   But for me, there was much more:   I in fact had to disable LoadLib, MemProt, Caller, and SimExecFlow [in addition to StackPivot] in IE & FF in order to get them to load; as well as in Plugin-Container so as not to hang FF.   Note:  This configuration was tested using the free version of MBAE, so I focused only on the browsers.

 

The most perplexing system for me was one using EMET 3.0 on Win7x64.   There, I sporadically encountered mbae64.dll crashing IE... even when I completely removed IE from EMET :wacko: .   So on this particular system, it seemed I had no choice but to deactivate IE in MBAE [while keeping ALL of EMET's mitigations for IE].

 

---------------------------

 

I would hope/request that this thread remain open, so others can compare notes as well.   I find it quite useful to pinpoint the precise EMET/MBAE conflicts, to be able to "fine-tune" these two programs to work together, rather than making a blanket statement that they're incompatible.

 


I hope that users will share their own experiences and knowledge of using MBAE and EMET.  I know what works for me and the Windows XP, Vista, 7, 8 and 8.1 systems which I support.   The users of all of my supported systems which are physically remote from me have not raised a single concern.  I am now confident enough to send non-tech users away with their laptops without anxiety about their computers continuing to be stable, useful and usable.  The telephone remains silent, on MBAE and EMET at least.

 

Thanks ky331 for the comments about EMET 3, Windows 7 and IE.  It's definitely on my list to update the laptop with that version of EMET to EMET 5.1.


My PC has MBAE and EMET 5.1 running on Windows 7 Professional SP1, 64-bit OS. Initially, installing MBAE broke both IE11 and Firefox 35.0, and I had to make some configuration changes in EMET; this is the current configuration:

 

[Attached screenshot]

 

So far, other programs have not experienced any issues, but time will tell...


EMET 5.2 has the same conflicts with MBAE as version 5.1 did, in regards to IE11 and Firefox 36.0.1. As with the previous version, just disable EMET protection for:

  1. EAF
  2. SimExecFlow
  3. ASR

Other than that, I did not notice any other conflicts.

 

EMET EAF+ protection has no conflict with MBAE, probably because MBAE does not have this buffer protection.


I'd like to confirm dont_touch_my_buffer's finding as far as Firefox is concerned. Disabling these three mitigations was sufficient.

(Windows 7, 32-bit, EMET 5.2, Firefox 37.0)

 

For Word, however, I could not enable every mitigation as the screenshot stated. I had to disable SimExecFlow to prevent Word from being terminated by EMET. ASR I could not properly configure, so that one remains untested.

I'd like to add that everything running sandboxed by Sandboxie is only protected by EMET and not by MBAE. (I thought that was a known issue but I don't see it listed.)


I only have problems with IE11 in combination with EMET and MBAE

Question 1 is: Who to trust?

Question 2 is: Are the programs really side-to-side? Are they not interfering in real protection? (same logarithms, etc)

Question 3 is: Is MBAE not just a consumer product, and is EMET better for 'professionals'?

Just questions...

For the time being I'm using EMET 5.2 with a good AV. And checking systems with other tools.

I know very well that 100% safe is not possible anymore...


> I only have problems with IE11 in combination with EMET and MBAE
>
> Question 1 is: Who to trust?
>
> Question 2 is: Are the programs really side-to-side? Are they not interfering in real protection? (same logarithms, etc)
>
> Question 3 is: Is MBAE not just a consumer product, and is EMET better for 'professionals'?
>
> Just questions...
>
> For the time being I'm using EMET 5.2 with a good AV. And checking systems with other tools.
>
> I know very well that 100% safe is not possible anymore...

There was a problem with running MBAE and IE11 together on W8.1 not sure about W7-SP1.   It is a long story but if you download EMET 5.2 again from the Microsoft website and install the new download of EMET 5.2, EMET 5.2 and MBAE should work fine together using the settings in EMET for IE as noted in the first post on this thread.    I had the problem of the two not working together and it was resolved by doing this.


Here's my latest information, under Win7x64, MBAE 1.07.1.1011 (Free), EMET 4.1:

 

I had to disable [only] Caller & SimExecFlow in EMET, for IE and FF [& FF's PluginContainer] in order to get these to load.    That's (at least for the moment) a positive change from the earlier, more-restrictive results I reported above in post#3 using an earlier version of MBAE (I believe it was 1.05.1.1014).   We'll see if this is indeed progress, or if any of the other conflicts show up "eventually".


> Here's my latest information, under Win7x64, MBAE 1.07.1.1011 (Free), EMET 4.1:
>
> I had to disable [only] Caller & SimExecFlow in EMET, for IE and FF [& FF's PluginContainer] in order to get these to load.    That's (at least for the moment) a positive change from the earlier, more-restrictive results I reported above in post#3 using an earlier version of MBAE (I believe it was 1.05.1.1014).   We'll see if this is indeed progress, or if any of the other conflicts show up "eventually".

Just for the record, it is useless to run EMET 4.1 and MBAE at the same time.

MBAE contains all the functionality present in EMET 4.1 (except for EAF) plus a number of additional protections.

 

Regarding EAF: Quite a number of EAF bypasses have already been published and EAF bypasses have already been used in the wild quite a lot. The only mitigation present in EMET 5.x that has not yet been publicly bypassed is EAF+. imo EAF+ is the only advantage of EMET 5.x over other mitigation tools. 


"Just for the record, it is useless to run EMET 4.1 and MBAE at the same time."

 

I'm not qualified to dispute your assertion where both programs are competing to offer protection.   However, on the machine where I made my recent test, I noted that I'm just running MBAE Free... so the only programs it's protecting are my browsers (IE & FF --- and I do NOT have Java installed).   Meaning EMET is still protecting other programs for me (e.g., Reader, Office, and Media Player).


Anyone testing these Scenarios on W10 Preview??


> "Just for the record, it is useless to run EMET 4.1 and MBAE at the same time."
>
> I'm not qualified to dispute your assertion where both programs are competing to offer protection.   However, on the machine where I made my recent test, I noted that I'm just running MBAE Free... so the only programs it's protecting are my browsers (IE & FF --- and I do NOT have Java installed).   Meaning EMET is still protecting other programs for me (e.g., Reader, Office, and Media Player).

Of course EMET is still useful when dealing with applications that are not protected by MBAE Free  ;)


> Anyone testing these Scenarios on W10 Preview??

 

Anyone??


> Anyone??

 

Yes, I do use both EMET 5.2 and MBAE with W10 version 10166. Firefox does need EAF, SimExecFlow and ASR disabled in EMET; same as in Windows 7 and 8.x.

 

My W10 does not have IE, instead, it has a new browser named Microsoft Edge. I've added this browser to MBAE and it works just fine. An added bonus, there's no conflict with EMET where all 14 mitigations had been enabled. Edge starts up just fine...


In addition...

 

W10 TP also has MS Office 2016 installed. With the exception of Outlook 2016, the EAF and SimExecFlow, but not ASR, had to be disabled with MBAE protection enabled for MS Office. Please keep in mind that I am using the latest trial version of MBAE that will expire in a week or so...


Thanks for your time and input.


I jave Windows /x64 - IE11, FireFox, Adobe Reader and Fossamail (variation of Thunderbird) all had problems MBAE and EMET 5.5.  Disabled EAF and SIMEXECFLOW and no issue.  Someone mentioned that MBAE is supposed to warn you during install that you dhould disable EMET.  Would be nice for MBAE to educate us - most of us are so paranoid we ten to think more protection is better - even when we know better! 

Yes I know - duplicate post - had to fix a few spelling errors. 

I have Windows / x64 - IE11, FireFox, Adobe Reader and Fossamail (variation of Thunderbird) all had problems with MBAE and EMET 5.5.  Disabled EAF and SIMEXECFLOW and no issue.  Someone mentioned that MBAE is supposed to warn you during install that you should disable EMET.  My install did not.  Would be nice for MBAE to educate us - most of us are so paranoid we tend to think more protection is better - even when we know better!


> Someone mentioned that MBAE is supposed to warn you during install that you should disable EMET

See screenshot:

[Attached screenshot: MBAE.png]
