Solved

EMET 5.0 Command Line Issues

Posted on 2014-08-08
Last Modified: 2014-09-01
I'm having problems with the emet_conf tool included in EMET 5.0:

1. emet_conf --eafplus {enabled|disabled}

doesn't work - it just returns the standard help text for emet_conf. Is this command simply not implemented?

2. I can't work out the emet_conf syntax for the ASR and EAF+ app mitigations. Turning them off is easy enough, as in...

emet_conf --set <app> -eaf+

... for instance, but how do you turn on ASR or EAF+ and specify the modules list (and, for ASR, the IE zones)?
Question by:Steve Moss
21 Comments
 
LVL 99

Expert Comment

by:John Hurst
ID: 40250091
The last time I looked (7 days ago), EMET 5 was still a technical preview and not ready for roll out or production. I found it bashed Java.

I am using EMET V4.1 and it works quite well. Only use 4.1 for production.

I use the GUI tool for setting (and excluding where appropriate) EAF mitigations.

The command line will still require admin authority and will pop up UAC. Did you take that into account?
0
 
LVL 99

Expert Comment

by:John Hurst
ID: 40250098
The format in V4 (not likely to have changed much) is

EMET_Conf --set [--force] < path to executable> [(+|-)Mitigation …] for individual programs.

Try EMET_Conf --list_system to see if it lists what is there.
0
 
LVL 2

Author Comment

by:Steve Moss
ID: 40250120
Thanks John, but EMET 5.0 has been released publicly. It's no longer a TP. Also, the 4.1 syntax for setting system mitigations doesn't support EAF+, and setting app mitigations doesn't support the new ASR and EAF+ mitigations. When turning these on in EMET 5.0 you also need to specify the list of modules protected. I can't find the syntax for these.
0
 
LVL 99

Expert Comment

by:John Hurst
ID: 40250125
So it has. And it was released very recently as I have been looking for it.

I shall have to download and test.

The V5 manual says "Currently the command line tool does not allow to configure all EMET features." So what you want may not be there.

I have to run it before I will know more.
0
 
LVL 99

Expert Comment

by:John Hurst
ID: 40250133
Are you running the command line in an admin command processor?

I get a different answer normal vs. admin. In normal command, the output screen flashes up and disappears. Nothing displayed.

With admin cmd.exe I get an output on the screen from --list_system.

Try that.
0
 
LVL 99

Expert Comment

by:John Hurst
ID: 40250150
I can replicate what you have done in EMET V5 (running in a test Windows 7 system) using an admin command processor.

emet_conf --list_system works fine. I changed Deep Hooks and list_system reflected the change. So that works.

But emet_conf --eafplus enabled did NOT enable the EAF+ flags. The command looks like it is not implemented.

You can set individual or from a file.

EMET V5 production is a lot more polished than the tech preview.
0
 
LVL 99

Expert Comment

by:John Hurst
ID: 40250199
OK, I have EMET V5 running in production on my Windows 8.1 Pro laptop.

Everything so far works as it should.

For the following from the V5 manual:

EMET_CONF --deephooks enabled|disabled works. I turn this off and on at the command line.
EMET_CONF --antidetours enabled|disabled works.
EMET_CONF --bannedfunc enabled|disabled works.

EMET_CONF --eafplus does not change anything. It is also not presented in the GUI with the other 3.

Why? The manual says "by default, unsafe options are not visible either through GUI or command line."

I notice EAF+ is not enabled by application line item. I have turned it on only for Microsoft Office applications to see how it works.

So I think what you saw is at this point what you get. As I say, I have it fully running.
0
 
LVL 99

Expert Comment

by:John Hurst
ID: 40250606
@cocospm  - Is there anything else you need?

1. emet_conf --eafplus {enabled|disabled} doesn't work. Normal. The option does not display in the GUI and so the command line cannot set it. The other main mitigation option settings do work.

2. Turning them off is easy enough, as in... emet_conf --set <app> -eaf+  <-- This is correct. EAF+ is set individually and not globally. It is probably NOT a good idea to set this one globally.

I have EMET V5 running in production on two machines (Windows 7 and 8) and it all seems to work as the manual says it will.
0
 
LVL 2

Author Comment

by:Steve Moss
ID: 40250669
Using  emet_conf --set <app> +eaf+ for an app doesn't actually work. Setting EAF+ and ASR on apps requires a modules list to be specified too. Just enabling them with no modules does nothing. That's my point - unless there is a way to specify the modules on the command line, it's not useful to do. I'll just assume you can't do this with emet_conf. There are other ways.
0
 
LVL 99

Expert Comment

by:John Hurst
ID: 40250692
Yes, actually it does.

Using an Administrative Command processor in Windows:

emet_conf --set poppeeper.exe +EAF+ does set EAF+ for PopPeeper.exe where it was not set before.

So from my point of view, EMET V5 does what it says in the manual.

Make sure cmd.exe is Run as Administrator and make sure the application is entered exactly as it exists in EMET.
0
 
LVL 2

Author Comment

by:Steve Moss
ID: 40250725
No, it does not. While EAF+ is nominally turned on for an app when you do this, it actually does nothing without a module list. If you go to the app's details you will see an error alert next to the EAF+ settings box (and the same if you turn on ASR without a module list). Without a module list, these mitigation settings do nothing.
0
 
LVL 99

Expert Comment

by:John Hurst
ID: 40250734
EAF+ is normally disabled, not enabled. Check your manual and run emet_conf --eafplus to verify.

If by module list, you mean a list of Apps in the Apps setup window, then yes, you need a module list. But again, that is what I gleaned from the manual.

So then emet_conf --set can set EAF+ or other flags on or off.

It has taken me over a year to learn what does and does not work in EMET. Lots of EMET settings for some applications cause "application stopped working". So then it is, in reality, just easier to set up individual mitigations in the GUI module.

Once done, I think you can put the setup in an XML file and use it on another computer.
0
 
LVL 2

Author Comment

by:Steve Moss
ID: 40250812
No, by module list I do not mean apps. I appreciate your efforts to help, but if you really want to offer something of use to my question, I kindly suggest you read up about EAF+ and ASR - what they do, and what is meant by 'modules', and how they are (or are not) supported by the command line interface.

In my scenario, setting them up via the GUI is not an option, which is why I was hoping someone might just know how to configure EAF+ and ASR for individual apps via emet_conf. As it happens, I believe there is a way for me to achieve what I need to by auto-generating suitable xml files.
0
 
LVL 99

Expert Comment

by:John Hurst
ID: 40250826
In the language of "Modules and plugins, when loaded into an application, increase its exposure to vulnerabilities and, consequentially, to potential attacks. EMET allows to blacklist modules and plugins that are loaded within an application", I do not use these at all.

I use EMET for its capabilities to handle existing applications without any changes to the applications. That is why EMET works for some apps and not others.
0
 
LVL 99

Expert Comment

by:John Hurst
ID: 40252269
I have been experimenting with EAF+ and ASR. I am changing just specific applications because a number of my applications will "stop working" with EAF enabled (IE, Skype and others on EMET 4.1)

I set EAF+ for all Office Apps with no ill effects. I set a couple of others and so far, so good.

So then I tried ASR. You cannot set ASR unless you select modules to block like Flash and others. Two things about this:

1. emet_conf --set <app> +asr will not work because you need to specify something like Flash above. I have not figured out how to do this yet.
2. There are many reports of ASR "application stopped working" errors.

So I have not set ASR on for any application yet, but I have set some EAF+ flags.

http://betanews.com/2014/08/01/microsofts-emet-5-0-blocks-vulnerable-plugins/
0
 
LVL 2

Accepted Solution

by:
Steve Moss earned 0 total points
ID: 40284082
Sorry for the delay in closing this question, having been away on holiday. I have worked around the deficiencies in the emet_conf command line tool by instead auto-generating a suitable xml file and importing that. Works fine.
0
 
LVL 2

Author Comment

by:Steve Moss
ID: 40284141
I've requested that this question be closed as follows:

Accepted answer: 0 points for cocospm's comment #a40284082

for the following reason:

No feasible alternatives offered, xml-based solution is workable.
0
 
LVL 99

Expert Comment

by:John Hurst
ID: 40284142
No you cannot say you have the answer. So two things:

1. (a) "emet_conf --eafplus {enabled|disabled}" <-- I answered this. The other commands work and per the manual, this one does not because there is no GUI flag.
(b) "emet_conf --set <app> -eaf+" <--- works for everything that has a simple flag and per the manual does not work when there is no GUI flag. For ASR you have to fill in a text box and the set command does not work (as per manual).
(c) Finally, because of the complexity of EMET and the vast variability of application problems, you need to work by GUI. There is no other choice. And VASTLY better than a file of set commands (some of which cannot work), we are better to export working configurations (you can do this) to use in other machines. I suggested that earlier and see you are now doing that.
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 40285960
This command does work for me
c:\Program Files (x86)\EMET 5.0>EMET_Conf.exe --set "c:\Program Files (x86)\Mozilla Firefox\firefox.exe" +EAF+
The changes you have made may require restarting one or more applications
Reload the config and I see it is enabled.
To disable it, use the minus
c:\Program Files (x86)\EMET 5.0>EMET_Conf.exe --set "c:\Program Files (x86)\Mozilla Firefox\firefox.exe" -EAF+
The changes you have made may require restarting one or more applications
-rich
0
 
LVL 2

Author Comment

by:Steve Moss
ID: 40286043
Yes Rich, the command does turn EAF+ on or off for a given application, but as I have observed it achieves nothing, because EAF+ only actually does anything when a module list is specified as well. Doing this via emet_conf therefore is not useful. This is something that Mr. Hurst seems unable to comprehend. Suggesting I do this via the gui is also not helpful because, as is obvious from this thread, I am automating the configuration of EMET. As I have posted above, I have now achieved what I need to by auto-generating suitable XML and importing it using emet_conf.
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 40286555
The users guide doesn't say you can specify the addresses to use in the last two items for EAF+
Export Address Table Access Filtering Plus (EAF+)
The EAF+ mitigation is an extension of EAF that can be used independently or in combination with EAF itself. Following is the list of actions that this mitigation performs:
Detects if the stack register is out of the allowed boundaries
Detects mismatch of stack and frame pointer registers;
Detects memory read access to export table pointers of KERNEL32, NTDLL and KERNELBASE originated from specific modules (typically used during the exploitation of memory corruption vulnerabilities);
Detects memory read accesses to the MZ/PE header of specific modules (typically used during the exploitation of memory corruption vulnerabilities).
The actions described in the last two bullet points require users to specify a set of modules that will be used for validation; if no modules are specified, these two actions will be ignored.

So it looks like you have to do the XML yourself if you want those last two mitigations, otherwise you have the first two available via the cmdline.
-rich
0
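Worked example, added here and not taken from the thread, from Microsoft, or from EMET itself: a small Python script that generates the kind of per-application XML the accepted answer describes (EAF+ and ASR enabled together with the module lists that emet_conf --set has no way to express) and that flags the silent failure mode discussed above, an EAF+ or ASR entry that is enabled but carries no module list. The element and attribute names (EMET, EMET_Apps, AppConfig, Mitigation, eaf_modules, asr_modules, asr_zones) are an assumption based on the layout of the profile files that ship with EMET 5; check them against a file produced by EMET_Conf's export switch before relying on them. The executable path, module names and zone numbers are constructed sample values.

```python
"""Generate and sanity-check an EMET 5 per-application configuration XML.

Added example, not from the thread. ASSUMPTION: the element and attribute
names below follow the layout of the profile XML files that ship with
EMET 5 (EMET / EMET_Apps / AppConfig / Mitigation / eaf_modules /
asr_modules / asr_zones). Verify against an exported config before use.
"""
import xml.etree.ElementTree as ET

# Mitigations that EMET silently ignores unless a module list is given
# (the point made in the thread and in the user-guide text quoted above),
# mapped to the child element that carries that list.
MODULE_LIST_MITIGATIONS = {"EAF+": "eaf_modules", "ASR": "asr_modules"}

# Constructed sample input: one application and the mitigations to enable.
SAMPLE_APPS = [
    {
        "path": r"c:\Program Files (x86)\Mozilla Firefox",  # constructed
        "exe": "firefox.exe",
        "mitigations": ["DEP", "SEHOP", "EAF", "EAF+", "ASR"],
        "eaf_modules": ["xul.dll", "mozjs.dll"],  # constructed module list
        "asr_modules": ["flash*.ocx"],            # constructed module list
        "asr_zones": [],                          # zones only apply to IE
    }
]

# Constructed sample of what "emet_conf --set <app> +EAF+" leaves behind:
# the flag is on, but no eaf_modules element exists, so EAF+ does nothing.
BAD_SAMPLE = """<EMET Version="5.0">
  <EMET_Apps>
    <AppConfig Path="c:\\Program Files (x86)\\Mozilla Firefox" Executable="firefox.exe">
      <Mitigation Name="DEP" Enabled="true" />
      <Mitigation Name="EAF+" Enabled="true" />
    </AppConfig>
  </EMET_Apps>
</EMET>"""


def build_config(apps, emet_version="5.0"):
    """Build the XML text for a list of app dicts like SAMPLE_APPS.

    Refuses to emit an EAF+ or ASR entry without a module list, because
    EMET would accept such an entry and then ignore the mitigation.
    """
    root = ET.Element("EMET", Version=emet_version)
    apps_el = ET.SubElement(root, "EMET_Apps")
    for app in apps:
        cfg = ET.SubElement(apps_el, "AppConfig",
                            Path=app["path"], Executable=app["exe"])
        for name in app["mitigations"]:
            mit = ET.SubElement(cfg, "Mitigation", Name=name, Enabled="true")
            list_tag = MODULE_LIST_MITIGATIONS.get(name)
            if list_tag:
                modules = app.get(list_tag, [])
                if not modules:
                    raise ValueError(
                        f"{name} for {app['exe']} has no module list; "
                        "EMET would enable the flag but ignore the mitigation")
                # EMET separates module names with semicolons.
                ET.SubElement(mit, list_tag).text = ";".join(modules)
            if name == "ASR" and app.get("asr_zones"):
                ET.SubElement(mit, "asr_zones").text = ";".join(
                    str(z) for z in app["asr_zones"])
    return ET.tostring(root, encoding="unicode")


def check_config(xml_text):
    """Return (executable, mitigation) pairs that are enabled but lack the
    module list they need; an empty list means nothing is silently inert."""
    root = ET.fromstring(xml_text)
    problems = []
    for cfg in root.iter("AppConfig"):
        for mit in cfg.iter("Mitigation"):
            list_tag = MODULE_LIST_MITIGATIONS.get(mit.get("Name"))
            if list_tag and mit.get("Enabled") == "true":
                el = mit.find(list_tag)
                if el is None or not (el.text or "").strip():
                    problems.append((cfg.get("Executable"), mit.get("Name")))
    return problems


if __name__ == "__main__":
    xml_text = build_config(SAMPLE_APPS)
    with open("emet_apps.xml", "w", encoding="utf-8") as fh:
        fh.write(xml_text)
    print("generated emet_apps.xml, problems:", check_config(xml_text))
    print("flag-only sample, problems:", check_config(BAD_SAMPLE))
```

The generated file is then imported from an elevated cmd.exe (as John Hurst notes, EMET_Conf needs administrator rights); the EMET 5 user guide documents an --import switch on EMET_Conf for this, which is what the accepted answer's "importing it using emet_conf" refers to as far as I can tell. Running check_config over an exported config is also a quick way to audit a machine for EAF+/ASR entries that were set with +EAF+ or +ASR alone and therefore protect nothing.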
