Steve Moss (United Kingdom) asked:

EMET 5.0 Command Line Issues

I'm having problems with the emet_conf tool included in EMET 5.0:

1. emet_conf --eafplus {enabled|disabled}

doesn't work - it just returns the standard help text for eaf_conf. Is this command simply not implemented?

2. I can't work out the emet_conf syntax for the ASR and EAF+ app mitigations. Turning them off is easy enough, as in...

emet_conf --set <app> -eaf+

... for instance, but how do you turn on ASR or EAF+ and specify the modules list (and, for ASR, the IE zones)?
John (Canada):

The last time I looked (7 days ago), EMET 5 was still a technical preview and not ready for roll out or production. I found it bashed Java.

I am using EMET V4.1 and it works quite well. Only use 4.1 for production.

I use the GUI tool for setting (and excluding where appropriate) EAF mitigations.

The command line will still require admin authority and will pop up UAC. Did you take that into account?
The format in V4 (not likely to have changed much) is

EMET_Conf --set [--force] < path to executable> [(+|-)Mitigation …] for individual programs.

Try EMET_Conf --list_system to see if it lists what is there.
Steve Moss (asker):

Thanks John, but EMET 5.0 has been released publicly. It's no longer a TP. Also, the 4.1 syntax for setting system mitigations doesn't support EAF+, and setting app mitigations doesn't support the new ASR and EAF+ mitigations. When turning these on in EMET 5.0 you also need to specify the list of modules protected. I can't find the syntax for these.
So it has. And it was released very recently as I have been looking for it.

I shall have to download and test.

The V5 manual says "Currently the command line tool does not allow to configure all EMET features." so what you want may not be there.

I have to run it before I will know more.
Are you running the command line in an admin command processor?

I get a different answer normal vs. admin. In normal command, the output screen flashes up and disappears. Nothing displayed.

With admin cmd.exe I get an output on the screen from --list_system.

Try that.
I can replicate what you have done in EMET V5 (running in a test Windows 7 system) using an admin command processor.

emet_conf --list_system works fine. I changed Deep Hooks and list_system reflected the change. So that works.

But emet_conf --eafplus enabled did NOT enable the EAF+ flags. The command looks like it is not implemented.

You can set individual or from a file.

EMET V5 production is a lot more polished than the tech preview.
OK, I have EMET V5 running in production on my Windows 8.1 Pro laptop.

Everything so far works as it should.

For the following from the V5 manual:

EMET_CONF --deephooks enabled|disabled works. I turn this off and on at the command line.
EMET_CONF --antidetours enabled|disabled works.
EMET_CONF --bannedfunc enabled|disabled works.

EMET_CONF --eafplus does not change anything. It is also not presented in the GUI with the other 3.

Why? The manual says "by default, unsafe options are not visible either through GUI or command line."

I notice EAF+ is not enabled by application line item. I have turned it on only for Microsoft Office applications to see how it works.

So I think what you saw is at this point what you get. As I say, I have it fully running.
@cocospm  - Is there anything else you need?

1. emet_conf --eafplus {enabled|disabled} doesn't work. Normal. The option does not display in the GUI and so the command line cannot set it. The other main mitigation option settings do work.

2. Turning them off is easy enough, as in... emet_conf --set <app> -eaf+  <-- This is correct. EAF+ is set individually and not globally. It is probably NOT a good idea to set this one globally.

I have EMET V5 running in production on two machines (Windows 7 and 8) and it all seems to work as the manual says it will.
Using  emet_conf --set <app> +eaf+ for an app doesn't actually work. Setting EAF+ and ASR on apps requires a modules list to be specified too. Just enabling them with no modules does nothing. That's my point - unless there is a way to specify the modules on the command line, it's not useful to do. I'll just assume you can't do this with emet_conf. There are other ways.
Yes, actually it does.

Using an Administrative Command processor in Windows:

emet_conf --set poppeeper.exe +EAF+ does set EAF+ for PopPeeper.exe where it was not set before.

So from my point of view, EMET V5 does what it says in the manual.

Make sure cmd.exe is Run as Administrator and make sure the application is entered exactly as it exists in EMET.
No, it does not. While EAF+ is nominally turned on for an app when you do this, it actually does nothing without a module list. If you go to the app's details you will see an error alert next to the EAF+ settings box (and the same if you turn on ASR without a module list). Without a module list, these mitigation settings do nothing.
EAF+ is normally disabled, not enabled. Check your manual and run emet_conf --eafplus to verify.

If by module list, you mean a list of Apps in the Apps setup window, then yes, you need a module list. But again, that is what I gleaned from the manual.

So then emet_conf --set can set EAF+ or other flags on or off.

It has taken me over a year to learn what does and does not work in EMET. Lots of EMET settings for some applications cause "application stopped working". So then it is, in reality, just easier to set up individual mitigations in the GUI module.

Once done, I think you can put the setup in an XML file and use it on another computer.
No, by module list I do not mean apps. I appreciate your efforts to help, but if you really want to offer something of use to my question, I kindly suggest you read up about EAF+ and ASR - what they do, and what is meant by 'modules', and how they are (or are not) supported by the command line interface.

In my scenario, setting them up via the GUI is not an option, which is why I was hoping someone might just know how to configure EAF+ and ASR for individual apps via emet_conf. As it happens, I believe there is a way for me to achieve what I need to by auto-generating suitable xml files.
In the language of "Modules and plugins, when loaded into an application, increase its exposure to vulnerabilities and, consequentially, to potential attacks. EMET allows to blacklist modules and plugins that are loaded within an application", I do not use these at all.

I use EMET for its capabilities to handle existing applications without any changes to the applications. That is why EMET works for some apps and not others.
I have been experimenting with EAF+ and ASR. I am changing just specific applications because a number of my applications will "stop working" with EAF enabled (IE, Skype and others on EMET 4.1)

I set EAF+ for all Office Apps with no ill effects. I set a couple of others and so far, so good.

So then I tried ASR. You cannot set ASR unless you select modules to block like Flash and others. Two things about this:

1. emet_conf --set <app> +asr will not work because you need to specify something like Flash above. I have not figured out how to do this yet.
2. There are many reports of ASR "application stopped working" errors.

So I have not set ASR on for any application yet, but I have set some EAF+ flags.

http://betanews.com/2014/08/01/microsofts-emet-5-0-blocks-vulnerable-plugins/
ASKER CERTIFIED SOLUTION
Steve Moss (asker):

I've requested that this question be closed as follows:

Accepted answer: 0 points for cocospm's comment #a40284082

for the following reason:

No feasible alternatives offered, xml-based solution is workable.
No you cannot say you have the answer. So two things:

1. (a) "emet_conf --eafplus {enabled|disabled}" <-- I answered this. The other commands work and per the manual, this one does not because there is no GUI flag.
(b) "emet_conf --set <app> -eaf+" <--- works for everything that has a simple flag and per the manual does not work when there is no GUI flag. For ASR you have to fill in a text box and the set command does not work (as per manual).
(c) Finally, because of the complexity of EMET and the vast variability of application problems, you need to work by GUI. There is no other choice. And VASTLY better than a file of set commands (some of which cannot work), we are better to export working configurations (you can do this) to use in other machines.  I suggested that earlier and see you are now doing that.
Rich Rumble:
This command does work for me
c:\Program Files (x86)\EMET 5.0>EMET_Conf.exe --set "c:\Program Files (x86)\Mozilla Firefox\firefox.exe" +EAF+
The changes you have made may require restarting one or more applications
Reload the config and I see it is enabled.
To disable it, use the minus
c:\Program Files (x86)\EMET 5.0>EMET_Conf.exe --set "c:\Program Files (x86)\Mozilla Firefox\firefox.exe" -EAF+
The changes you have made may require restarting one or more applications
-rich
Yes Rich, the command does turn EAF+ on or off for a given application, but as I have observed it achieves nothing, because EAF+ only actually does anything when a module list is specified as well. Doing this via emet_conf therefore is not useful. This is something that Mr. Hurst seems unable to comprehend. Suggesting I do this via the gui is also not helpful because, as is obvious from this thread, I am automating the configuration of EMET. As I have posted above, I have now achieved what I need to by auto-generating suitable XML and importing it using emet_conf.
The user's guide doesn't say you can specify the addresses to use in the last two items for EAF+
Export Address Table Access Filtering Plus (EAF+)
The EAF+ mitigation is an extension of EAF that can be used independently or in combination with EAF itself. Following is the list of actions that this mitigation performs:
Detects if the stack register is out of the allowed boundaries
Detects mismatch of stack and frame pointer registers;
Detects memory read access to export table pointers of KERNEL32, NTDLL and KERNELBASE originated from specific modules (typically used during the exploitation of memory corruption vulnerabilities);
Detects memory read accesses to the MZ/PE header of specific modules (typically used during the exploitation of memory corruption vulnerabilities).
The actions described in the last two bullet points require users to specify a set of modules that will be used for validation; if no modules are specified, these two actions will be ignored.

So it looks like you have to do the XML yourself if you want those last two mitigations, otherwise you have the first two available via the cmdline.
-rich
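Steve's resolution (auto-generating XML and importing it with emet_conf) and Rich's closing point (the two module-dependent EAF+ checks, and ASR, need the XML route) both come down to the same task: emit an application entry that carries a module list, which `--set` cannot express. The script below is an added example written for this thread; it is not Steve's generator, not Microsoft's, and not part of EMET. It uses the real `EMET_Conf --import` and `--list` options, but the XML element and attribute names it writes (`EMET_Apps`, `AppConfig`, `Mitigation Name="EAF+"` / `"ASR"`, `eaf_modules`, `asr_modules`, `asr_zones`) are an assumption about what `EMET_Conf --export` produces on an EMET 5 install, so diff its output against your own export before importing. `$Apps`, `New-EmetProfile`, `Add-Mitigation` and `Add-ModuleList` are names invented here, and the module lists and zone numbers are constructed samples.

```powershell
# Added example (not from this thread, from Microsoft, or from EMET itself): build an
# EMET 5 profile that enables EAF+ and ASR for chosen applications WITH the module
# lists those mitigations require, then import it with EMET_Conf --import.
# ASSUMPTION: element/attribute names match what "EMET_Conf --export" writes on your
# installation; verify against your own export. Module names and zone ids are samples.

param(
    [string]$EmetConf    = 'C:\Program Files (x86)\EMET 5.0\EMET_Conf.exe',
    [string]$OutFile     = (Join-Path $env:TEMP 'emet_generated.xml'),
    [string]$EmetVersion = '5.0',   # copy the Version attribute from your own --export
    [switch]$Import                 # only invokes EMET_Conf when given; needs elevation
)

# Constructed sample input. Real module lists come from the vendor profile or from
# testing which plug-ins the application actually loads.
$Apps = @(
    @{ Path = '*\Microsoft Office\Office15'; Executable = 'WINWORD.EXE'
       EafPlusModules = @('mso.dll', 'oart.dll', 'wwlib.dll')
       AsrModules     = @('flash*.ocx', 'npjpi*.dll')
       AsrZones       = @() },                     # zones only matter for Internet Explorer
    @{ Path = '*\Internet Explorer'; Executable = 'iexplore.exe'
       EafPlusModules = @('mshtml.dll', 'jscript*.dll', 'vbscript.dll')
       AsrModules     = @('npjpi*.dll', 'jp2iexp.dll', 'vgx.dll', 'wshom.ocx')
       AsrZones       = @(1, 2) }                   # assumed IE zone ids: 1 Intranet, 2 Trusted
)

function Add-Mitigation {
    param([System.Xml.XmlElement]$AppConfig, [string]$Name)
    $m = $AppConfig.OwnerDocument.CreateElement('Mitigation')
    $m.SetAttribute('Name', $Name)
    $m.SetAttribute('Enabled', 'true')
    return $AppConfig.AppendChild($m)
}

function Add-ModuleList {
    param([System.Xml.XmlElement]$Mitigation, [string]$ElementName, [string[]]$Items)
    # EMET stores a module (or zone) list as one semicolon-separated string.
    $e = $Mitigation.OwnerDocument.CreateElement($ElementName)
    $e.InnerText = ($Items -join ';')
    [void]$Mitigation.AppendChild($e)
}

function New-EmetProfile {
    param([hashtable[]]$Apps)
    $doc = New-Object System.Xml.XmlDocument
    [void]$doc.AppendChild($doc.CreateXmlDeclaration('1.0', 'utf-8', $null))
    $root = $doc.AppendChild($doc.CreateElement('EMET'))
    $root.SetAttribute('Version', $EmetVersion)
    $appsNode = $root.AppendChild($doc.CreateElement('EMET_Apps'))

    foreach ($app in $Apps) {
        # Guard against the silent no-op the thread is about: an EAF+ or ASR entry
        # without modules is accepted by EMET but protects nothing.
        if (-not $app.EafPlusModules -and -not $app.AsrModules) {
            throw "$($app.Executable): EAF+ and ASR each require a module list"
        }
        $cfg = $appsNode.AppendChild($doc.CreateElement('AppConfig'))
        $cfg.SetAttribute('Path', $app.Path)
        $cfg.SetAttribute('Executable', $app.Executable)

        if ($app.EafPlusModules) {
            $eafPlus = Add-Mitigation $cfg 'EAF+'
            Add-ModuleList $eafPlus 'eaf_modules' $app.EafPlusModules
        }
        if ($app.AsrModules) {
            $asr = Add-Mitigation $cfg 'ASR'
            Add-ModuleList $asr 'asr_modules' $app.AsrModules
            if ($app.AsrZones) { Add-ModuleList $asr 'asr_zones' $app.AsrZones }
        }
    }
    return $doc
}

$emetDoc = New-EmetProfile -Apps $Apps
$emetDoc.Save($OutFile)
Write-Host "Wrote $OutFile"

if ($Import) {
    # Same requirement the thread hit with --set: EMET_Conf must run from an elevated prompt.
    & $EmetConf --import $OutFile
    # --list prints the per-application configuration so the new entries can be checked.
    & $EmetConf --list
}
```

Run it once without `-Import` and compare the file with an `EMET_Conf --export` of a machine where EAF+ or ASR was set through the GUI; if the element names differ, adjust the three string literals and nothing else needs to change. Given the "application stopped working" reports John mentions for ASR, roll the generated profile out to a test machine first and keep the module lists as short as the application allows.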