Removed EAF and EAF+ tried a couple times and no dice. Do I just start unchecking one by one until it shows protected? I still am not super clear about how to configure them to make sure they are working but would like to
The menu that opens will show green dots for the processes that are running protected. You can check the others you have added in the apps button menu by running those. Bottom of the main GUI there is a refresh button. You can use that to update list of running processes if you open something with EMET GUI open. Should be able to see what is being protected.
I know it works for browsers, because I have seen it catch issues before...maybe it was bad programming practices from Firefox or maybe an exploit not sure. Think I had 5 alerts or around that over around a year and a half. Powershell opens (32 and 64 bit versions) on Windows 7 Pro 64 bit for me with EAF and EAF+ checked. Got the green dot.
Some others I will probably add are smss.exe, lsm.exe, services.exe, taskhost.exe, taskeng.exe. Some of these I was protecting before I reinstalled Windows a week ago. I haven't had time to add and test them all. Don't know if it helps with these, but I focused on them because they are always running.
A couple of days ago EMET blocked Explorer.exe. It happened when I deleted Comodo Firewall Trusted Vendors list. Comodo alerts started slowing things down, and when I opened a folder or a program EMET would fire claiming it was Explorer. It was probably actually Explorer running as part of Comodo somehow system-wise like sandboxed due to the alert timeout. I didn't take it as an issue but really just good to see how it monitors and can catch exploits. Guess Comodo was "injecting itself" into Explorer system-wise, thus the alert. Doesn't cause problems with browsers though.
Unless you afk, you will see an alert if it fires. It makes a report in Event Viewer you can check and drops two files in the .tmp folder->users\user folder\app data\Local\Temp. Can't miss them. They're named EMET and in html or debug form.
