Microsoft EMET Compatibility

nikhiltom

Post by nikhiltom » Sun Dec 16, 2012 3:09 am

Hello everybody,

First of all, this is not exactly a Sandboxie question but a question related to a 3rd party tool (where Sandboxie is also involved). Thanks

I'm a registered user of Sandboxie (currently using the latest version, i.e. version 3.74),

I'm currently testing EMET 3.0 (Enhanced Mitigation Experience Toolkit) - http://support.microsoft.com/kb/2458544,

I included all the .exe files from the Sandboxie folder in the EMET Apps configuration with default settings,

But in the EMET running process pane, 3 Sandboxie processes (SandboxieRpcSs.exe, SandboxieDcomLaunch.exe & SandboxieCrypto.exe) are not running DEP,
Other Sandboxie processes (SbieCtrl.exe, SbieSvc.exe) & all other processes are following DEP,

Can somebody explain why that is?

Is Sandboxie compatible with EMET?

Any help will be appreciated,

Thanks :)

DR_LaRRY_PEpPeR
Posts: 291
Joined: Wed Jul 04, 2012 6:40 pm
Location: St. Louis area

Post by DR_LaRRY_PEpPeR » Sun Dec 16, 2012 6:12 am

Yeah, Sandboxie and EMET should generally work fine together. :)

Is the EMET compatibility template enabled under Configure > Software Compatibility in Sandboxie Control? That's the global setting. Can also be set per sandbox in Sandbox Settings > Applications...

Sandboxie should auto-detect EMET and prompt to enable compatibility, unless you've disabled that. EMET will work without that (e.g. check loaded DLLs for a process and EMET.dll will be there), it's just that the EMET GUI can't "see" it to show you for the sandboxed processes by default (anything you run in addition to the standard Crypto, DcomLaunch, RpcSs).


BTW, I haven't had the desire to add any of Sandboxie's processes to EMET, since they aren't really being fed data from files or online, etc., which is generally my criteria for judging what could be exploited...
XP Home-as-Pro SP3 (Admin) w/ continued updates (Embedded/POSReady 2009)
> Permissions + "2-level" SRP, latest Sandboxie (Pro/registered), EMET 4, no anti-anything (ever)
Did I make tzuk crazed... in his last days? :o

nikhiltom

Post by nikhiltom » Sun Dec 16, 2012 9:28 am

Thanks for the reply DR_LaRRY_PEpPeR, :)

Yes, Sandboxie detected EMET & it is in the global software compatibility list,

Is that why EMET GUI is not showing it?

Also please note that all the programs running inside the sandbox are showing that they are running DEP,

So EMET DEP is showing sandboxed programs but not the sandboxing program itself (i.e. Sandboxie), why is that?

DR_LaRRY_PEpPeR

Post by DR_LaRRY_PEpPeR » Thu Dec 27, 2012 8:22 pm

Don't know if it's too late for you to see this, OP. :) I forgot to check this more and report back...

OK, it wasn't clear that other sandboxed programs were running as expected.

So I also tried adding those Sandboxie processes (Crypto, DcomLaunch, RpcSs) on XP, and I got the same result. I checked with Process Explorer and saw that the EMET DLL isn't even being loaded into those processes, for some reason. :?

I'm not sure why that is... Maybe SBIE is doing something special with those processes to block loading? tzuk? I don't see the point in adding those processes anyway, but it's interesting.

As far as no DEP: I'm using EMET 3.5 Tech Preview, which doesn't have the DEP column, but Process Explorer shows DEP. Of course I have Windows DEP configured as Opt Out. :) I guess it's possible those Sandboxie processes don't Opt In to DEP, although I doubt that...
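
Added example (not part of any post in this thread): a PowerShell script that makes the same two checks the thread does by hand in Process Explorer, namely whether EMET.dll is loaded into each Sandboxie process and what DEP policy the process reports. The function name `Get-MitigationState` is hypothetical; it assumes PowerShell 3 or later, an elevated shell, and a shell of the same bitness as the target processes.

```powershell
# Added example. Process names and EMET.dll come from the thread;
# Get-MitigationState is a hypothetical helper name.
Add-Type -Namespace Win32 -Name Dep -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool GetProcessDEPPolicy(IntPtr hProcess, out uint lpFlags, out bool lpPermanent);
'@

$names = 'SandboxieRpcSs','SandboxieDcomLaunch','SandboxieCrypto','SbieCtrl','SbieSvc'

function Get-MitigationState {
    param([string[]]$Name)
    foreach ($p in Get-Process -Name $Name -ErrorAction SilentlyContinue) {
        $emet = $null      # stays $null if the module list cannot be read
        $dep  = 'unknown'  # stays 'unknown' if the process handle cannot be opened
        try {
            # Modules lists the DLLs mapped into the process (what Process Explorer shows).
            $emet = [bool]($p.Modules | Where-Object { $_.ModuleName -ieq 'EMET.dll' })
        } catch { }
        try {
            $flags = [uint32]0
            $perm  = $false
            if ([Win32.Dep]::GetProcessDEPPolicy($p.Handle, [ref]$flags, [ref]$perm)) {
                # Bit 0x1 is PROCESS_DEP_ENABLE.
                $dep = if ($flags -band 1) { 'enabled' } else { 'disabled' }
                if ($perm) { $dep += ' (permanent)' }
            } else {
                # The API only supports 32-bit targets; 64-bit processes always run with DEP.
                $dep = 'query failed (64-bit process or access denied)'
            }
        } catch { }
        [pscustomobject]@{
            Name          = $p.ProcessName
            Id            = $p.Id
            EmetDllLoaded = $emet
            Dep           = $dep
        }
    }
}

Get-MitigationState -Name $names | Format-Table -AutoSize
```

A row with `EmetDllLoaded` false and `Dep` enabled would match what the last post describes: the process has DEP from the Windows policy, but EMET's DLL was never loaded into it.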
