Forum Thread: EMET Observations/Questions

You are currently viewing a forum thread in the Secunia Community Forum. Please note that opinions expressed here are not of Secunia but solely reflect those of the user who wrote it.

This thread was submitted in the following forum:
PSI

This thread has been marked as locked.
Tholly EMET Observations/Questions
Member 15th Dec, 2010 03:02
Ranking: 2
Posts: 10
User Since: 7th Nov, 2010
System Score: N/A
Location: US
Microsoft's EMET (Enhanced Mitigation Experience Toolkit) has been discussed in Secunia and other forums. I only recently began using EMET and profess no expertise in its usage and capabilities ... so the following are "beginner" level observations.

EMET remains behind the scenes for the most part. Just to assure it is working is a challenge. One method of observation is to run Process Explorer, which is one of many free tools available in the Sysinternals collection. Upon looking for Secunia PSI within Process Explorer I found psi.exe running under taskeng.exe. Under the headings "Description" and "Company Name" there is no information provided. Possibly the programs that do show this information (i.e. Online Armor Free firewall) have included "metadata" for allowing this identification? I am only guessing here about the metadata being the key. In fact, it is from reading the Secunia FAQ that made me aware of metadata and how Secunia uses metadata for determining the status of the programs it scrutinizes. If this is indeed the case (or if the identification information is included via another mechanism) ... I ask the following of Secunia:

Can you please tag your programs so that they are more easily observed in Process Explorer? Specifically, the two categories mentioned above.

----------------------------
Concerning the executable taskeng.exe:

Does "eng" indicate the "English" version?

Will you please consider naming the executable something more descriptive? Perhaps secunia_eng.exe?

----------------------------
EMET is recommended for applications that "face" the internet. The most important of my questions for this posting is:

Should PSI be included within the list of programs enhanced by EMET?

----------------------------
At this time I have included psi.exe within my EMET list of programs. It shows up in the column labeled "Running EMET". However, I do not see the tell-tale dll named "EMET.dll" that has "EMET shim" as its description. As a comparison, this dll is observable for the Firefox browser, which I have also included among the programs to be monitored by EMET.

Should the EMET.dll be observed when viewing the details of psi.exe in Process Explorer?

================

I greatly appreciate feedback and guidance to the questions above. If the operating system is of importance on whether to include PSI under EMET monitoring ... please indicate which OS are advised for PSI's inclusion.

Thank you kindly.

-- Tholly (A Secunia advocate.)

This user no longer exists RE: EMET Observations/Questions
Member 15th Dec, 2010 10:45
Hi,

Thank you for your feedback. I will ensure that your suggestions and comments reach our developers for consideration.

If you have any further feedback or suggestions, please let us know!
ddmarshall RE: EMET Observations/Questions
Dedicated Contributor 15th Dec, 2010 18:53
Score: 1219
Posts: 971
User Since: 8th Nov 2008
System Score: 98%
Location: UK
taskeng.exe is the Task Scheduler Engine, a part of the operating system, not PSI.
Process Explorer is showing PSI as a child of taskeng.exe because PSI is started as a scheduled task.

--
This answer is provided “as-is.” You bear the risk of using it.
Tholly RE: EMET Observations/Questions
Member 15th Dec, 2010 19:38
Score: 2
Posts: 10
User Since: 7th Nov 2010
System Score: N/A
Location: US
ddmarshall --

Thank you for the explanation about taskeng.exe!

Maybe some lights for me are now starting to come on? I think the source of my confusion stems from Microsoft's too broad guideline for EMET usage and my desire to enhance my computer's security using this new and for me exciting tool. Following I will take a stab at clarifying EMET usage. (Much emphasis >> I am not the right person to do this because my computer skills are simply inadequate.)

My current understanding of EMET:

EMET primarily monitors only dll memory usage behavior and aims to prevent overflow related corrupted behaviors and intentional malware attacks that use this injection method.

The Microsoft guideline that internet facing applications benefit from EMET monitoring is too broad, too simplistic, and leads to confusion.

The operating system itself manages memory issues sufficiently when an entire application is contained within a single exe type file and the dll call related memory overflows simply do not exist in these cases.

Proposed EMET usage guideline >>

1) View internet facing applications with Process Explorer.

2) Only if Process Explorer lists dll components as being called by the application should the application be included as one that is monitored by EMET.

------------------
If the above is correct ... I should remove PSI from the listing of programs for EMET to monitor and I should relax because memory overflow attacks simply cannot occur through PSI because of the way it is structured into a single executable file.

Please let this be true! I need some closure on when to use EMET and when not to. It's driving me crazier!

Much thanks again. This is really important for me and hopefully a clarification can help others.
ddmarshall RE: EMET Observations/Questions
Dedicated Contributor 15th Dec, 2010 19:49
Score: 1219
Posts: 971
User Since: 8th Nov 2008
System Score: 98%
Location: UK
I've just had a look at my test system with PSI 2.0 Beta and it does report Description and Company Name in Process Explorer. The structure of the new version is somewhat different.

I'll come back and comment on your other remarks when I've got some more time.

--
This answer is provided “as-is.” You bear the risk of using it.
Tholly RE: EMET Observations/Questions
Member 15th Dec, 2010 21:19
Score: 2
Posts: 10
User Since: 7th Nov 2010
System Score: N/A
Location: US
ddmarshall -- thank you again.

I should have included that Microsoft advocates introducing an application into EMET on a "trial" basis to assure it remains functioning correctly. I'm not so keen on the leap that if all is well in the GUI that all is well throughout the entire application ... but such is the current state of affairs.

Your comments on the beta version of PSI are encouraging. Secunia having already addressed the tagging issues for Process Explorer heading information is excellent. Any changes in the PSI beta's structure that affect EMET usage will be very interesting.

I doubt I am alone with some of the EMET confusion and resolving when to use it will be very helpful. A practical example of Process Explorer usage is also excellent. Nothing teaches better than a real example.


ddmarshall RE: EMET Observations/Questions
Dedicated Contributor 17th Dec, 2010 18:46
Score: 1219
Posts: 971
User Since: 8th Nov 2008
System Score: 98%
Location: UK
The main target audience for EMET is the enterprise user who has to run old applications which were developed before the features which can be used to prevent exploitation of programming errors were introduced. These include things like ASLR and SEHOP. In this context an 'Internet facing application' would be something that was behind a web page. This could be targeted by specially crafted input which caused the program to run incorrectly.

For the home user, EMET can be used as a way of hardening your system and providing an extra line of defence behind your antivirus program. The main method of attack here is persuading the user to open a specially crafted file which will cause a program malfunction and allow an exploit to be installed. For example, an Adobe Reader exploit some time ago used Javascript in a PDF file which required a 2000 digit number to be processed. Unsurprisingly, this caused a problem. So programs that receive files from untrusted sources are the main ones to consider for protection by EMET. Most exploits around at the moment use PDFs, Office files or media files. As the PSI does not fall into this category, it doesn't have a large attack surface and wouldn't benefit much from inclusion in EMET.

For system wide settings, I would consider mandatory SEHOP. I have been using this through a registry setting for some time and have never found it a problem.

The distinction you make between dll and exe programs isn't correct. Both have stacks, heaps and SEH chains which would be targets for exploitation.

--
This answer is provided “as-is.” You bear the risk of using it.
Tholly RE: EMET Observations/Questions
Member 17th Dec, 2010 22:26
Score: 2
Posts: 10
User Since: 7th Nov 2010
System Score: N/A
Location: US
ddmarshall --

Your detailed and clear explanation is greatly appreciated. My stumbling is obvious in my attempt to simplify when to use EMET based upon Process Explorer listing dll calls. The complexities of the various attack vectors are something I must study to obtain a better understanding of when and when not to consider using EMET to monitor a specific application. I'm glad I've tried to emphasize my lack of skills needed to make good decisions on EMET usage ... because that fact seems to be about all I've been correct on in this thread!!

I agree 100% that PSI has a small attack surface and I am most likely over reacting in an attempt to harden security on my old (almost 10 years) hardware with a new hard drive and operating system (Win 7 - 32 bit). I'm learning a lot in my efforts and owe a great debt to forum contributors that I will try to pay forward to others.

At this time I can say PSI seems to work just the same with all the default EMET protection settings as it did before EMET inclusion. The default protections include the following:

DEP
SEHOP
NullPage
HeapSpray
EAF
MandatoryASLR

The recommendation for system wide usage of SEHOP is awesome and something I had yet to implement. I found the following to be very helpful.

http://www.wilderssecurity.com/showthread.php?t=27...

The Microsoft link in the above wilderssecurity discussion is excellent.

PSI might already be invulnerable to one or more of the attack methods neutralized by the 6 protections EMET provides? The article above mentions a /SAFESEH compilation option that provides SEHOP and may already be in place with PSI?

I'll close with a bright side comment: The efforts expended towards the defense against the evil misfits improves one's computer knowledge ... and the good folks are living life large and in the open vs the pathetic option of those on the unenlightened path.

-- Tholly



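The two checks that come up in this thread, written out as an added PowerShell example that is not part of the original posts: whether EMET.dll (the "EMET shim" module Tholly looks for in Process Explorer) is actually loaded in a process you added to EMET's list, and whether system-wide SEHOP is enabled through the registry value ddmarshall refers to. The process names are illustrative; the registry key and value are the ones Microsoft documents for SEHOP (KB 956607), where 0 enables and 1 disables the check, and the value is absent by default on Windows 7 client editions (SEHOP off) but on by default on the server editions. One caveat on the last post: /SAFESEH is a link-time option that embeds a table of valid exception handlers in the image, while SEHOP is a separate runtime check by the operating system that the handler chain is intact, so a binary linked with /SAFESEH does not by itself get SEHOP.

```powershell
# Added example, not from the thread. Run from a PowerShell of the same
# bitness as the processes you inspect (32-bit on Tholly's Win 7 x86).

function Test-EmetShim {
    param([Parameter(Mandatory=$true)][string]$ProcessName)
    # Process Explorer's lower pane shows EMET.dll ("EMET shim") for a process
    # that EMET has hooked; the same module list is exposed via .Modules.
    $procs = Get-Process -Name $ProcessName -ErrorAction SilentlyContinue
    if (-not $procs) {
        Write-Warning "No process named '$ProcessName' is running"
        return
    }
    foreach ($p in $procs) {
        try {
            # Enumerating modules across a 32/64-bit boundary throws; in that
            # case re-run from a PowerShell matching the target's bitness.
            $shim = @($p.Modules | Where-Object { $_.ModuleName -ieq 'EMET.dll' })
        } catch {
            Write-Warning "Cannot read modules of PID $($p.Id): $_"
            continue
        }
        $shimPath = $null
        if ($shim.Count -gt 0) { $shimPath = $shim[0].FileName }
        New-Object PSObject -Property @{
            Process  = $p.ProcessName
            PID      = $p.Id
            Path     = $p.Path
            EmetShim = ($shim.Count -gt 0)
            ShimPath = $shimPath
        }
    }
}

# SEHOP system-wide switch (KB 956607): 0 = enabled, 1 = disabled.
$SehopKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel'
$SehopName = 'DisableExceptionChainValidation'

function Get-SehopState {
    $item = Get-ItemProperty -Path $SehopKey -Name $SehopName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # Value absent: Windows 7 client defaults to off, Server 2008 R2 to on.
        return 'NotConfigured (client default: disabled)'
    }
    if ($item.$SehopName -eq 0) { 'Enabled' } else { 'Disabled' }
}

function Enable-Sehop {
    # Needs an elevated prompt. Applies to processes started afterwards;
    # reboot to be sure every process (including services) picks it up.
    New-ItemProperty -Path $SehopKey -Name $SehopName -PropertyType DWord `
        -Value 0 -Force | Out-Null
    Get-SehopState
}

# Usage (process names assumed; 'psi' is the PSI agent from the thread):
Test-EmetShim -ProcessName 'firefox' | Format-Table Process, PID, EmetShim, ShimPath -AutoSize
Test-EmetShim -ProcessName 'psi'     | Format-Table Process, PID, EmetShim, ShimPath -AutoSize
"SEHOP (system-wide): $(Get-SehopState)"
# Enable-Sehop   # uncomment and run elevated to turn SEHOP on system-wide
```

If `Test-EmetShim` reports `EmetShim = False` for an application listed under "Running EMET", the usual reasons are a bitness mismatch when enumerating modules, or that the process was started before EMET's configuration was applied; restart the application and check again before concluding that EMET is not hooking it.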
