EMET 5.0 Command Line Issues

I'm having problems with the emet_conf tool included in EMET 5.0:

1. emet_conf --eafplus {enabled|disabled}

doesn't work - it just returns the standard help text for eaf_conf. Is this command simply not implemented?

2. I can't work out the emet_conf syntax for the ASR and EAF+ app mitigations. Turning them off is easy enough, as in...

emet_conf --set <app> -eaf+

... for instance, but how do you turn on ASR or EAF+ and specify the modules list (and, for ASR, the IE zones)?
Steve Moss (IT Consultant) asked:

John (Business Consultant, Owner) commented:
The last time I looked (7 days ago), EMET 5 was still a technical preview and not ready for roll out or production. I found it bashed Java.

I am using EMET V4.1 and it works quite well. Only use 4.1 for production.

I use the GUI tool for setting (and excluding where appropriate) EAF mitigations.

The command line will still require admin authority and will pop up UAC. Did you take that into account?
0
John (Business Consultant, Owner) commented:
The format in V4 (not likely to have changed much) is

EMET_Conf --set [--force] < path to executable> [(+|-)Mitigation …] for individual programs.

Try EMET_Conf --list_system to see if it lists what is there.
0
Steve Moss (IT Consultant, Author) commented:
Thanks John, but EMET 5.0 has been released publicly. It's no longer a TP. Also, the 4.1 syntax for setting system mitigations doesn't support EAF+, and setting app mitigations doesn't support the new ASR and EAF+ mitigations. When turning these on in EMET 5.0 you also need to specify the list of modules protected. I can't find the syntax for these.
0

John (Business Consultant, Owner) commented:
So it has. And it was released very recently as I have been looking for it.

I shall have to download and test.

The V5 manual says "Currently the command line tool does not allow to configure all EMET features." so what you want may not be there.

I have to run it before I will know more.
0
John (Business Consultant, Owner) commented:
Are you running the command line in an admin command processor?

I get a different answer normal vs. admin. In normal command, the output screen flashes up and disappears. Nothing displayed.

With admin cmd.exe I get an output on the screen from --list_system.

Try that.
0
John (Business Consultant, Owner) commented:
I can replicate what you have done in EMET V5 (running in a test Windows 7 system) using an admin command processor.

emet_conf --list_system works fine. I changed Deep Hooks and list_system reflected the change. So that works.

But emet_conf --eafplus enabled did NOT enable the EAF+ flags. The command looks like it is not implemented.

You can set individual or from a file.

EMET V5 production is a lot more polished than the tech preview.
0
John (Business Consultant, Owner) commented:
OK, I have EMET V5 running in production on my Windows 8.1 Pro laptop.

Everything so far works as it should.

For the following from the V5 manual:

EMET_CONF --deephooks enabled|disabled works. I turn this off and on at the command line.
EMET_CONF --antidetours enabled|disabled works.
EMET_CONF --bannedfunc enabled|disabled works.

EMET_CONF --eafplus does not change anything. It is also not presented in the GUI with the other 3.

Why? The manual says "by default, unsafe options are not visible either through GUI or command line."

I notice EAF+ is not enabled by application line item. I have turned it on only for Microsoft Office applications to see how it works.

So I think what you saw is at this point what you get. As I say, I have it fully running.
0
John (Business Consultant, Owner) commented:
@cocospm - Is there anything else you need?

1. emet_conf --eafplus {enabled|disabled} doesn't work. Normal. The option does not display in the GUI and so the command line cannot set it. The other main mitigation option settings do work.

2. Turning them off is easy enough, as in... emet_conf --set <app> -eaf+ <-- This is correct. EAF+ is set individually and not globally. It is probably NOT a good idea to set this one globally.

I have EMET V5 running in production on two machines (Windows 7 and 8) and it all seems to work as the manual says it will.
0
Steve Moss (IT Consultant, Author) commented:
Using emet_conf --set <app> +eaf+ for an app doesn't actually work. Setting EAF+ and ASR on apps requires a modules list to be specified too. Just enabling them with no modules does nothing. That's my point - unless there is a way to specify the modules on the command line, it's not useful to do. I'll just assume you can't do this with emet_conf. There are other ways.
0
John (Business Consultant, Owner) commented:
Yes, actually it does.

Using an Administrative Command processor in Windows:

emet_conf --set poppeeper.exe +EAF+ does set EAF+ for PopPeeper.exe where it was not set before.

So from my point of view, EMET V5 does what it says in the manual.

Make sure cmd.exe is Run as Administrator and make sure the application is entered exactly as it exists in EMET.
0
Steve Moss (IT Consultant, Author) commented:
No, it does not. While EAF+ is nominally turned on for an app when you do this, it actually does nothing without a module list. If you go to the app's details you will see an error alert next to the EAF+ settings box (and the same if you turn on ASR without a module list). Without a module list, these mitigation settings do nothing.
0
John (Business Consultant, Owner) commented:
EAF+ is normally disabled, not enabled. Check your manual and run emet_conf --eafplus to verify.

If by module list, you mean a list of Apps in the Apps setup window, then yes, you need a module list. But again, that is what I gleaned from the manual.

So then emet_conf --set can set EAF+ or other flags on or off.

It has taken me over a year to learn what does and does not work in EMET. Lots of EMET settings for some applications cause "application stopped working". So then it is, in reality, just easier to set up individual mitigations in the GUI module.

Once done, I think you can put the setup in an XML file and use it on another computer.
0
Steve Moss (IT Consultant, Author) commented:
No, by module list I do not mean apps. I appreciate your efforts to help, but if you really want to offer something of use to my question, I kindly suggest you read up about EAF+ and ASR - what they do, and what is meant by 'modules', and how they are (or are not) supported by the command line interface.

In my scenario, setting them up via the GUI is not an option, which is why I was hoping someone might just know how to configure EAF+ and ASR for individual apps via emet_conf. As it happens, I believe there is a way for me to achieve what I need to by auto-generating suitable xml files.
0
John (Business Consultant, Owner) commented:
In the language of "Modules and plugins, when loaded into an application, increase its exposure to vulnerabilities and, consequentially, to potential attacks. EMET allows to blacklist modules and plugins that are loaded within an application", I do not use these at all.

I use EMET for its capabilities to handle existing applications without any changes to the applications. That is why EMET works for some apps and not others.
0
John (Business Consultant, Owner) commented:
I have been experimenting with EAF+ and ASR. I am changing just specific applications because a number of my applications will "stop working" with EAF enabled (IE, Skype and others on EMET 4.1)

I set EAF+ for all Office Apps with no ill effects. I set a couple of others and so far, so good.

So then I tried ASR. You cannot set ASR unless you select modules to block like Flash and others. Two things about this:

1. emet_conf --set <app> +asr will not work because you need to specify something like Flash above. I have not figured out how to do this yet.
2. There are many reports of ASR "application stopped working" errors.

So I have not set ASR on for any application yet, but I have set some EAF+ flags.

http://betanews.com/2014/08/01/microsofts-emet-5-0-blocks-vulnerable-plugins/
0
Steve Moss (IT Consultant, Author) commented:
Sorry for the delay in closing this question, having been away on holiday. I have worked around the deficiencies in the emet_conf command line tool by instead auto-generating a suitable xml file and importing that. Works fine.
0

Steve Moss (IT Consultant, Author) commented:
I've requested that this question be closed as follows:

Accepted answer: 0 points for cocospm's comment #a40284082

for the following reason:

No feasible alternatives offered, xml-based solution is workable.
0
John (Business Consultant, Owner) commented:
No you cannot say you have the answer. So two things:

1. (a) "emet_conf --eafplus {enabled|disabled}" <-- I answered this. The other commands work and per the manual, this one does not because there is no GUI flag.
(b) "emet_conf --set <app> -eaf+" <--- works for everything that has a simple flag and per the manual does not work when there is no GUI flag. For ASR you have to fill in a text box and the set command does not work (as per manual).
(c) Finally, because of the complexity of EMET and the vast variability of application problems, you need to work by GUI. There is no other choice. And VASTLY better than a file of set commands (some of which cannot work), we are better to export working configurations (you can do this) to use in other machines.  I suggested that earlier and see you are now doing that.
0
Rich Rumble (Security Samurai) commented:
This command does work for me
c:\Program Files (x86)\EMET 5.0>EMET_Conf.exe --set "c:\Program Files (x86)\Mozilla Firefox\firefox.exe" +EAF+
The changes you have made may require restarting one or more applications
Reload the config and I see it is enabled.
To disable it, use the minus
c:\Program Files (x86)\EMET 5.0>EMET_Conf.exe --set "c:\Program Files (x86)\Mozilla Firefox\firefox.exe" -EAF+
The changes you have made may require restarting one or more applications
-rich
0
Steve Moss (IT Consultant, Author) commented:
Yes Rich, the command does turn EAF+ on or off for a given application, but as I have observed it achieves nothing, because EAF+ only actually does anything when a module list is specified as well. Doing this via emet_conf therefore is not useful. This is something that Mr. Hurst seems unable to comprehend. Suggesting I do this via the gui is also not helpful because, as is obvious from this thread, I am automating the configuration of EMET. As I have posted above, I have now achieved what I need to by auto-generating suitable XML and importing it using emet_conf.
0
Rich Rumble (Security Samurai) commented:
The user's guide doesn't say you can specify the addresses to use in the last two items for EAF+:
Export Address Table Access Filtering Plus (EAF+)
The EAF+ mitigation is an extension of EAF that can be used independently or in combination with EAF itself. Following is the list of actions that this mitigation performs:
Detects if the stack register is out of the allowed boundaries
Detects mismatch of stack and frame pointer registers;
Detects memory read access to export table pointers of KERNEL32, NTDLL and KERNELBASE originated from specific modules (typically used during the exploitation of memory corruption vulnerabilities);
Detects memory read accesses to the MZ/PE header of specific modules (typically used during the exploitation of memory corruption vulnerabilities).
The actions described in the last two bullet points require users to specify a set of modules that will be used for validation; if no modules are specified, these two actions will be ignored.

So it looks like you have to do the XML yourself if you want those last two mitigations, otherwise you have the first two available via the cmdline.
-rich
0
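The workaround the questioner describes (auto-generating an app configuration XML and importing it) and Rich's conclusion that the module-dependent EAF+ actions need the XML route, shown as an added Python example that is not from this thread or from EMET itself. It assumes the element and attribute names of EMET's exported XML (`EMET`, `EMET_Apps`, `AppConfig`, `Mitigation`, `eaf_modules`, `asr_modules`, `asr_zones`), which you should compare against an export from your own install before importing, and it refuses to emit EAF+ or ASR with an empty module list, since the thread shows those mitigations do nothing without one.

```python
import xml.etree.ElementTree as ET
from xml.dom import minidom

# Constructed sample input. Paths, executables and module names are
# illustrative only; element names follow EMET's exported XML as assumed here.
SAMPLE_APPS = [
    {"path": r"*\Mozilla Firefox", "executable": "firefox.exe",
     "flags": ["DEP", "SEHOP", "EAF"],
     "eaf_plus_modules": ["mozjs.dll", "xul.dll"]},
    {"path": r"*\Internet Explorer", "executable": "iexplore.exe",
     "flags": ["DEP", "SEHOP"],
     "eaf_plus_modules": ["mshtml.dll", "jscript9.dll"],
     "asr_modules": ["vgx.dll", "npswf32.dll"],
     "asr_zones": [1, 2]},  # assumed IE zone ids; check against your export
]


def build_emet_app_config(apps, version="5.0"):
    """Return pretty-printed EMET-style XML for the given app list.

    Raises ValueError if EAF+ or ASR is requested with an empty module list,
    because those mitigations are ignored (and the GUI shows an error) without one.
    """
    root = ET.Element("EMET", Version=version)
    apps_el = ET.SubElement(root, "EMET_Apps")
    for app in apps:
        cfg = ET.SubElement(apps_el, "AppConfig",
                            Path=app["path"], Executable=app["executable"])
        # Simple on/off mitigations need no module list
        for name in app.get("flags", []):
            ET.SubElement(cfg, "Mitigation", Name=name, Enabled="true")
        if "eaf_plus_modules" in app:
            if not app["eaf_plus_modules"]:
                raise ValueError(f"{app['executable']}: EAF+ needs a module list")
            m = ET.SubElement(cfg, "Mitigation", Name="EAF+", Enabled="true")
            ET.SubElement(m, "eaf_modules").text = ";".join(app["eaf_plus_modules"])
        if "asr_modules" in app:
            if not app["asr_modules"]:
                raise ValueError(f"{app['executable']}: ASR needs a module list")
            m = ET.SubElement(cfg, "Mitigation", Name="ASR", Enabled="true")
            ET.SubElement(m, "asr_modules").text = ";".join(app["asr_modules"])
            zones = ";".join(str(z) for z in app.get("asr_zones", []))
            ET.SubElement(m, "asr_zones").text = zones
    return minidom.parseString(ET.tostring(root)).toprettyxml(indent="  ")


if __name__ == "__main__":
    # Write the file, then import it with EMET_Conf --import (assumed switch name)
    with open("emet_apps.xml", "w", encoding="utf-8") as fh:
        fh.write(build_emet_app_config(SAMPLE_APPS))
```

Run the import from an elevated command prompt, as the thread notes emet_conf needs admin rights, and confirm the result in the app's details view, where an EAF+ or ASR entry without modules shows the error alert the questioner describes.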