EMET 5.5 DEP problem

Discussion in 'Windows 10' started by amarildo6966, Mar 3, 2016.

  1. amarildo6966 MDL Novice

    #1 amarildo6966, Mar 3, 2016
    Last edited: Mar 3, 2016
    Hello,

    This is my second attempt at using Windows 10. I couldn't get EMET working properly on the first try, but I decided to give it a final shot before going back to Arch Linux.

    So, my main problem: I can't enable DEP system-wide. EMET says that the BitLocker service must be suspended, I click "OK", then it just says "Error".

    Since I can't post links yet: https : // imgur . com / a / 5dplw
    (Sorry to do it this way, I need help, and the link is not malicious.)

    Does anyone have an idea why this happens?

    The not-so-important problem

    I installed Avira Free with the intention to use it as my main scanner (HIPS, Sandbox, and Firewall will be handled by COMODO). However, it disabled Windows Defender and it complained to me. Could there be any problems with it? Microsoft says that they'll turn on WD if it's off for a while, so will Avira just keep it disabled?

    Regards,
    Amarildo

    EDIT: I tried opening EMET_Conf.exe with the option "--system --force dep=ApplicationOptOut", but it just doesn't respond, it does nothing.

    I also edited the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EMET\EnableUnsafeSettings registry key, to no avail.
     
  2. 100 MDL Expert

    #2 100, Mar 3, 2016
    Last edited by a moderator: Apr 20, 2017
    What happens when you try to manually suspend BitLocker?
    Code:
    manage-bde.exe -protectors c: -disable
     
  3. amarildo6966 MDL Novice

    #3 amarildo6966, Mar 3, 2016
    Last edited by a moderator: Apr 20, 2017
    (OP)
    Code:
    C:\Windows\system32>manage-bde.exe -protectors c: -disable
    BitLocker Drive Encryption: Configuration Tool version 10.0.10011
    Copyright (C) 2013 Microsoft Corporation. All rights reserved.
    
    ERROR: An error occurred (code 0x80070057):
    The parameter is incorrect.
    
    C:\Windows\system32
    It's probably because, since I use Windows 10 Home, I don't have BitLocker enabled.

    I use VeraCrypt for encryption ;)
     
  4. dmex MDL Junior Member

    #4 dmex, Mar 3, 2016
    Last edited by a moderator: Apr 20, 2017
    The option to enable DEP system-wide is built into Windows and BitLocker is built with DEP permanently enabled, so I'm not sure why EMET says you must specifically exclude it :confused:

    You can enable system-wide DEP (without EMET) via System properties:
    1. Right-click the start button and select 'System' (4th item from the top).
    2. On the left side of the window, click 'Advanced system settings'.
    3. You should now be on the Advanced tab of System Properties, click the Settings button at the top in the Performance group box.
    4. Select the Data Execution Prevention tab and check the 'Turn on DEP for all processes and services except those I select'.
    5. Reboot.

    If you prefer the command line, you can skip the above and just run this from an elevated command prompt before re-booting (but you will be unable to exclude specific processes using the above window):
    Code:
    bcdedit.exe /set {current} nx AlwaysOn
    If you also want to check if EMET has successfully applied any policies, you will need Process Hacker:
    https:// wj32.org/processhacker/ (remove the space from the URL, I can't post links yet either :p)

    1. Right-click any process and on the General tab, click the Details button:
    https:// i.imgur.com/JjayMjQ.png (remove the space from the URL)

    2. You can see all the options applied by EMET (or by the process itself):
    https:// i.imgur.com/Yo5VoI7.png (remove the space from the URL)
     
  5. 100 MDL Expert

    Changing the BCD options will invalidate BitLocker's stored boot configuration and prompt for the recovery key on reboot, which would be an inconvenience to the user. That's going to be the only reason for EMET wanting to temporarily suspend it.
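
    The procedure from posts #4 and #5 (set the nx boot option with bcdedit, after suspending BitLocker so the TPM does not demand the recovery key on the next boot), as an added PowerShell example that is not part of this thread and not EMET's code. It assumes the OS volume is C:, that it runs from an elevated prompt, and that manage-bde.exe and bcdedit.exe are on the PATH; the function name Get-BitLockerProtectionStatus and the parameters $OsVolume and $NxPolicy are this example's own. It also handles the case from post #3, where the edition has no BitLocker at all (Windows 10 Home), by skipping the suspend step instead of failing on it.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the thread. Switches the system-wide DEP policy
# via bcdedit's nx option, suspending BitLocker for exactly one reboot first
# when (and only when) the OS volume is actually protected.
# Assumptions: OS volume is C:, manage-bde.exe and bcdedit.exe are on PATH.
param(
    [string]$OsVolume = 'C:',
    [ValidateSet('AlwaysOn', 'OptOut', 'OptIn', 'AlwaysOff')]
    [string]$NxPolicy = 'AlwaysOn'
)

function Get-BitLockerProtectionStatus {
    param([string]$Volume)
    # Win32_EncryptableVolume only exists on editions that ship BitLocker.
    # On Windows 10 Home (the OP's case) the namespace is missing, which is
    # why manage-bde reported 0x80070057 there; treat that as "not available".
    try {
        $vol = Get-CimInstance -Namespace 'root\CIMV2\Security\MicrosoftVolumeEncryption' `
                               -ClassName Win32_EncryptableVolume -ErrorAction Stop |
               Where-Object { $_.DriveLetter -eq $Volume }
        if ($null -eq $vol) { return 'NotEncryptable' }
        switch ($vol.ProtectionStatus) {   # 0 = off, 1 = on, 2 = unknown/locked
            0       { 'Off' }
            1       { 'On' }
            default { 'Unknown' }
        }
    } catch {
        return 'NotAvailable'
    }
}

$status = Get-BitLockerProtectionStatus -Volume $OsVolume
Write-Host "BitLocker protection on $OsVolume : $status"

if ($status -eq 'On') {
    # Suspend (do not decrypt) the protectors for one reboot. The TPM then
    # re-seals against the new boot configuration instead of asking for the
    # recovery key, and protection resumes by itself after that reboot.
    & manage-bde.exe -protectors -disable $OsVolume -RebootCount 1
    if ($LASTEXITCODE -ne 0) { throw "manage-bde failed with exit code $LASTEXITCODE" }
} elseif ($status -eq 'Unknown') {
    throw "Cannot determine BitLocker state of $OsVolume; not touching the BCD."
}

# Show the current nx value before changing it (the line is absent when the
# default, OptIn, is in effect).
Write-Host 'Current nx setting:'
& bcdedit.exe /enum '{current}' | Select-String -Pattern '^nx\s'

& bcdedit.exe /set '{current}' nx $NxPolicy
if ($LASTEXITCODE -ne 0) { throw "bcdedit failed with exit code $LASTEXITCODE" }

Write-Host "nx is now $NxPolicy. Reboot to apply it."
```

    Run it as `.\Set-DepPolicy.ps1 -NxPolicy OptOut` if you still want to exclude individual programs from the DEP tab; as post #4 notes, AlwaysOn cannot be overridden per process. After the reboot, `bcdedit /enum {current}` should list the new nx value and, on a BitLocker edition, `manage-bde -status C:` should show protection back on.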
     
  6. dmex MDL Junior Member

    No, EMET doesn't change the boot configuration (BCD) in order to enable DEP. It injects a DLL into every process that calls SetProcessDEPPolicy (plus other things) in order to enable DEP (plus all other protections) for that process.

    EMET only uses DLL injection to enable protections, so I suspect that's the real reason why you have to exclude the BitLocker process, it's unable to inject the DLL into the process.
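
    To see what post #4 inspects with Process Hacker's mitigation dialog, and the per-process DEP state that post #6 says EMET sets through SetProcessDEPPolicy, without a third-party tool: an added PowerShell example that is not part of this thread and not EMET's or Process Hacker's code. It calls kernel32's GetSystemDEPPolicy and GetProcessMitigationPolicy directly, so it assumes Windows 8 or later (GetProcessMitigationPolicy does not exist on Windows 7) and Windows PowerShell 5.1; the type name Win32.Dep and the function names are this example's own.

```powershell
# Added example, not code from the thread, EMET or Process Hacker. Reads the
# system DEP policy (the result of bcdedit's nx option) and each process's DEP
# mitigation policy straight from kernel32.
# Assumptions: Windows 8+ and Windows PowerShell 5.1; Win32.Dep is a name chosen here.
if (-not ('Win32.Dep' -as [type])) {
    Add-Type -Namespace Win32 -Name Dep -MemberDefinition @'
[DllImport("kernel32.dll")]
public static extern uint GetSystemDEPPolicy();

[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint desiredAccess, bool inheritHandle, int processId);

[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr handle);

// mitigationPolicy 0 = ProcessDEPPolicy. The buffer receives
// PROCESS_MITIGATION_DEP_POLICY { DWORD Flags; BOOLEAN Permanent; },
// 8 bytes including padding, which a ulong holds exactly.
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool GetProcessMitigationPolicy(IntPtr process, int mitigationPolicy, ref ulong buffer, IntPtr length);
'@
}

function Get-SystemDepPolicy {
    # DEP_SYSTEM_POLICY_TYPE values from winbase.h
    $names = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
    $names[[int][Win32.Dep]::GetSystemDEPPolicy()]
}

function Get-ProcessDepPolicy {
    param([Parameter(Mandatory)][int]$ProcessId)
    $PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
    $h = [Win32.Dep]::OpenProcess($PROCESS_QUERY_LIMITED_INFORMATION, $false, $ProcessId)
    if ($h -eq [IntPtr]::Zero) { return $null }   # protected process or access denied
    try {
        [ulong]$raw = 0
        if (-not [Win32.Dep]::GetProcessMitigationPolicy($h, 0, [ref]$raw, [IntPtr]8)) {
            return $null
        }
        $bytes = [BitConverter]::GetBytes($raw)
        $flags = [BitConverter]::ToUInt32($bytes, 0)
        [pscustomobject]@{
            Enabled                   = [bool]($flags -band 1)   # PROCESS_DEP_ENABLE
            AtlThunkEmulationDisabled = [bool]($flags -band 2)   # PROCESS_DEP_DISABLE_ATL_THUNK_EMULATION
            Permanent                 = ($bytes[4] -ne 0)        # BOOLEAN Permanent
        }
    } finally {
        [void][Win32.Dep]::CloseHandle($h)
    }
}

"System DEP policy: $(Get-SystemDepPolicy)"

# Per-process view. 64-bit processes always report Enabled and Permanent, so the
# rows worth reading are the 32-bit ones, where EMET, the DEP tab or the program
# itself (via SetProcessDEPPolicy) can change the outcome.
Get-Process | ForEach-Object {
    $p = Get-ProcessDepPolicy -ProcessId $_.Id
    if ($null -ne $p) {
        [pscustomobject]@{
            Name      = $_.ProcessName
            Pid       = $_.Id
            DepOn     = $p.Enabled
            Permanent = $p.Permanent
        }
    }
} | Sort-Object Name | Format-Table -AutoSize
```

    Rows where a 32-bit process shows DepOn True and Permanent True after EMET has been configured for it are the effect post #6 describes; a process that opens as $null is one the current token cannot query, which is where a tool running as SYSTEM (or Process Hacker with its driver) sees more.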
     
  7. 100 MDL Expert

    Ah, I see. I wasn't aware that it's entirely based on DLL injection.
    BitLocker however is implemented in a filter driver (fvevol.sys) that executes in kernel space. It doesn't run as a separate process.
     
  8. amarildo6966 MDL Novice

    Late response, but anyway: Solved. tenforums . com/antivirus-firewalls-system-security/42768-emet-5-5-avira-bitlocker.html#post619339
     
  9. amarildo6966 MDL Novice

    Thank you.

    So I assume setting DEP as "OptOut" via command line is more effective/clean than via EMET?
    And if so, I have a question:

    The bcdedit command works for Windows itself (I see that via system properties), but EMET still shows DEP as OptIn. If a DEP mitigation happens, adding the executable to the exclusions doesn't fully work (on system properties, security, DEP tab); I still need to add it to EMET's exclusions.
    Considering the above, would it be OK to ditch EMET completely for Windows 10? Microsoft said EMET is not necessary on Windows 10 because of how secure the OS is [1];

    [1] theregister. co. uk/2016/02/04/emets_win_10_revival_could_be_its_last_as_os_bakes_into_infosec (remove space)