imsoadude's free configuration

AtlBo

Level 28
Verified
Top Poster
Content Creator
Well-known
Dec 29, 2014
1,716
If they open, that's a start. Try closing and reopening the EMET GUI with cmd.exe open and then PowerShell. See if it shows up green. Just checked and I think I recall now the refresh button doesn't work. Makes testing a little more difficult.

I have set Always On, Opt In, Opt In, Enabled. Can't remember, the default for DEP might be Opt In. Think I turned it on full time, but I don't get any lag.

Now that I think about it, protecting cmd.exe and powershell using EMET is not so high on the list as it might be compared to protecting them with other security apps. The reason is that EMET protects the application itself from being exploited by malware (then causing damage to the system), rather than protecting the system from being directly exploited by the malicious application (like most security apps). So malware could like wait for a cmd line command to run on the system and then maybe there is a way to exploit that by injecting into the run. Not out of the question I would say, but seems not as likely as the browser or office apps being exploited for sure. Anyway, sure doesn't hurt to protect cmd/ps from being exploited. Javascript is protected by default, so I don't see why cmd/ps shouldn't be too.

Almost forgot. If you use Flash, you might want to add the Flash player executables to the list. I had them before, and I will be adding them. Processes are:

C:\Windows\System32\Macromed\Flash
C:\Windows\SysWow\Macromed\Flash
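As an added example (not code from the thread or from EMET itself), here is a PowerShell script that lists the running processes this post talks about, cmd.exe, PowerShell and the Flash player executables, and reports whether each one appears in EMET's application list. It assumes EMET 5.5 is installed under "C:\Program Files (x86)\EMET 5.5" (the path given later in the thread), that "EMET_Conf.exe --list" prints the configured application paths as text, and that the 32-bit Flash folder is spelled SysWOW64 on disk; the regex over the --list output is a best-effort parse, not an official EMET API.

```powershell
# Added example, not from the thread. Compares running processes of interest
# against the applications EMET 5.5 has been configured to protect.
# Assumptions: EMET_Conf.exe location and the text shape of "--list" output.

$EmetConf = 'C:\Program Files (x86)\EMET 5.5\EMET_Conf.exe'

# Executables discussed in the thread, plus the two Flash player folders.
$Watch     = @('cmd.exe', 'powershell.exe', 'MicrosoftEdge.exe', 'notepad.exe', 'dwm.exe')
$FlashDirs = @("$env:SystemRoot\System32\Macromed\Flash",
               "$env:SystemRoot\SysWOW64\Macromed\Flash")

# Collect the Flash executables that actually exist on this machine.
$FlashExes = foreach ($d in $FlashDirs) {
    if (Test-Path $d) {
        Get-ChildItem -Path $d -Filter *.exe -File | Select-Object -ExpandProperty FullName
    }
}

# Ask EMET which application paths it protects (best-effort regex over its text output).
$Configured = @()
if (Test-Path $EmetConf) {
    $Configured = & $EmetConf --list | ForEach-Object {
        if ($_ -match '([A-Za-z]:\\[^\s"]+\.exe|\*\\[^\s"]+\.exe)') { $Matches[1].ToLower() }
    }
}

function Test-EmetCovered([string]$Path) {
    $p    = $Path.ToLower()
    $leaf = Split-Path $p -Leaf
    foreach ($c in $Configured) {
        if ($c -eq $p) { return $true }
        # EMET wildcard entries look like "*\name.exe"; match on the file name only.
        if ($c.StartsWith('*\') -and $c.Substring(2) -eq $leaf) { return $true }
    }
    return $false
}

# Report every running process whose image is on the watch list or in a Flash folder.
Get-Process | Where-Object { $_.Path } | ForEach-Object {
    $leaf = Split-Path $_.Path -Leaf
    if (($Watch -contains $leaf) -or ($FlashExes -contains $_.Path)) {
        [pscustomobject]@{
            PID          = $_.Id
            Path         = $_.Path
            InEmetConfig = Test-EmetCovered $_.Path
        }
    }
} | Sort-Object Path -Unique | Format-Table -AutoSize
```

Run it from an elevated PowerShell so Get-Process can read the image path of processes owned by other users. InEmetConfig only says the path is in EMET's list; the green dot in the GUI means the EMET agent actually loaded into the process, which is a separate question (and, as the rest of the thread finds, can fail for some Windows binaries).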

imsoadude

Level 3
Thread author
Verified
Feb 21, 2011
838
Yeah, I realized the refresh button doesn't like to work, as new processes wouldn't show up. If I can't get it to work I won't worry too much.

AtlBo

Are all the other processes showing green? If you close EMET GUI and reopen it and the cmd/ps don't show up (when the process is running), maybe something about Windows 10 is causing this issue. Hope you like EMET. I like it more and more. Wish there was a good way to test it.

imsoadude

Yeah, Chrome is protected; DWM, Thunderbird, uTorrent and MS Office are all ones I have tried so far that show the green protection dot. I would say I like this better than MBAE for being able to configure programs. If I were to pay I'd probably go for MBAE Premium as it seems simpler. But I'm a free kind of guy so this is perfect.

imsoadude

Almost seems like none of the Windows processes will get the green dot. Any other program I add seems to be protected (MPC-HC, Notepad++, MusicBee, KeePass). Microsoft Edge and Notepad are other ones that don't seem to get protected, all within the Windows folder. The only one from that folder that works is dwm.exe. Odd...

AtlBo

I ran into this with another memory manager program (not security) on Windows 10. I think it might have to do with the fact that Windows 10 has built-in memory mitigation for some things. Looked all over for a way to turn them off, but what I read led me to believe that they are hard-coded into the OS and can't be turned off. Even tried turning off Defender, which is what I was using during my trial of W10 (back in late July). With this program I needed to run, I could set values for RAM memory usage in Windows 7 for processes, but in Windows 10 it wouldn't see all the processes (I could see the monitoring wasn't happening). This was almost all happening with Windows processes in the exact same way you report.

That was the main reason I ended up back on Windows 7. Aside from that, some programs I think can be configured to work in Windows 10 that otherwise might not. You might take a look at looking up the EMET program executables and then, from right click->Properties->Compatibility, check and set to run in compatibility mode for Windows 7 for each .exe. All the files are in Program Files (x86)\EMET 5.5.

I don't want to give the wrong impression or cause a ruckus, but this disappointed me about Windows 10. Your issue might be corrected with a simple change of compatibility (doubt it, considering EMET 5.5 was made for the later versions 8.1 and 10). Microsoft does appear to me to have crossed a threshold here, though, by hard-coding these changes, and it's not just mitigations... it's invalidation of certain practices to do with memory management from programs. I have read information that indicates these changes did happen (or at least some of them). It would be OK, but I really feel like MS made a mistake to do this this way. Whether they meant to or not, they were attempting to cut off the security providers and their ideas and concepts for security, while staying quiet about the issue. There is apparently no way to turn the monitoring off, and there is no warning system, maybe unless you are using Windows Defender, idk. But we see that WD is a low-scale option and getting lower in comparison to the others. Custom options for security are the way to go in my opinion, using software that can be customized. MS' options have too large a surface for study by malware scripters, just like what has always happened with IE.

Anyway, MS does have the ability to improve W10. Hope they can find a way to, and then I guess I will give it a try again. Thumb is what I see in EMET main.

[Attachment: EMET 5.5 Main.png]
 
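The built-in Windows 10 mitigations this post refers to can be inspected directly. As an added example (not from the thread, and not part of EMET), the PowerShell below queries the mitigation state of the Windows binaries that would not show a green dot. It uses Get-ProcessMitigation from the ProcessMitigations module, which Microsoft ships with Windows 10 version 1709 and later as part of Exploit Protection, the OS feature that succeeded EMET; the property names used in the calculated columns (Dep.Enable, SEHOP.Enable, Aslr.ForceRelocateImages) are taken from that cmdlet's output objects and are an assumption for builds other than the ones I have checked.

```powershell
# Added example, not from the thread. Shows the OS-level mitigation state of
# the Windows processes that EMET's GUI was not marking as protected.
# Requires Windows 10 1709+ (Exploit Protection); run elevated for -RunningProcesses.

$Names = @('cmd.exe', 'powershell.exe', 'notepad.exe', 'dwm.exe', 'MicrosoftEdge.exe')

if (-not (Get-Command Get-ProcessMitigation -ErrorAction SilentlyContinue)) {
    Write-Warning 'Get-ProcessMitigation is not available; this build predates Exploit Protection.'
    return
}

# Columns pulled from the AppMitigations objects (assumed property names).
$Columns = @(
    'ProcessName',
    @{ n = 'DEP';       e = { $_.Dep.Enable } },
    @{ n = 'SEHOP';     e = { $_.SEHOP.Enable } },
    @{ n = 'ForceASLR'; e = { $_.Aslr.ForceRelocateImages } }
)

# 1. Per-image settings an administrator has stored in the registry, if any.
Write-Host '== Configured per-image settings =='
foreach ($n in $Names) {
    Get-ProcessMitigation -Name $n -ErrorAction SilentlyContinue |
        Select-Object $Columns | Format-Table -AutoSize
}

# 2. Effective state of the processes that are running right now.
#    This also covers images with no registry entry, i.e. the OS defaults.
Write-Host '== Running processes =='
Get-ProcessMitigation -RunningProcesses |
    Where-Object { $Names -contains $_.ProcessName } |
    Select-Object $Columns | Format-Table -AutoSize

# 3. System-wide defaults that apply when an image has no explicit setting.
Write-Host '== System defaults =='
Get-ProcessMitigation -System | Select-Object Dep, SEHOP, Aslr | Format-List
```

The point of the three views is the distinction the thread is circling: a process can be covered by the OS's own mitigations (visible in view 2 and 3) without any third-party agent such as EMET ever loading into it, so a missing green dot is not on its own evidence that the process runs unprotected.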

imsoadude

Ah, if that is the case I won't worry too much then. I can leave the settings in, in case anything ever changes, but for now at least I can protect other programs :) Generally when you add a new program it marks most fields for you. Is there a good reason to mark the others like EAF+, or would the defaults that it puts in there for me be enough?

AtlBo

Is there a good reason to mark the others like EAF+, or would the defaults that it puts in there for me be enough?

Attempted to look up information about this a few times and the individual protections. Wasn't able to find much. I was left with the impression that it is best to attempt to test, especially if the process has a front (inbound or outbound) to the internet. For me, this could include basically anything that could be configured to be used over the internet (especially Microsoft processes) and then applications that are normally allowed access to the internet (allowed access by the user). I block update and other connections of applications as a rule using Comodo Firewall, so I haven't seen the need to protect many to this point. MS Office programs can be very risky with macro threats and internet access typically being granted for the online help elements of the programs. Google might help you some with this. Kind of surprising how little there is on EMET considering it is supposedly in fairly wide use in businesses.

If you use a browser other than Edge, EMET will cover it. Likely Microsoft has given Edge some special treatment in the OS when it comes to mitigations and memory protections. I suppose that is still a safe option. I prefer to have the alert and report from EMET, so I would use Chrome or Dragon with EMET.

imsoadude

Added Flash in there to protect it like you recommended. I know Adobe AIR is one of the higher-risk programs. I know I had it installed but I'm not sure how AIR works. I can't seem to find an exe file for it except for the installer file; is it just like a requirement for other Adobe products?

Other note: Added MBR Filter (because why not)

AtlBo

Maybe you didn't install Flash? The new thing with browsers is to contain Flash within the browser. Firefox v50 and on will have the container, and I think Google Chrome and others already have it. Not sure if this means Flash doesn't install executables, but I'm not sure where you should look for them, especially in Windows 10. Maybe try a search of the Windows folder for Flash?

I added an extension to Dragon (Chrome-based) that plays Flash on YouTube instead of HTML. I noticed when the video ran that the Flash process doesn't appear in Task Manager. I guess it's now considered part of the browser and gets the advantages of being more securely run there. Since it doesn't run as a standalone process, I don't know if it's important to add to EMET, but like you well said, why not?

Other note: Added MBR Filter (because why not)

Interesting idea. I don't know much about the MBR filter other than Comodo Firewall considers it a Protected File. I hope I get some time to get my head together about EMET and think about putting together a really great configuration. For now, I have the settings exported in case I ever need to start over or maybe for when I finally do find some time for thinking and testing. So many processes in Windows.