EMET 5.1 and F-Secure IS do not mix

I asked this in another thread, but it is buried in the guts of the replies so I think I will ask again. I proved that F-Secure interferes with EMET by uninstalling it and voila, EMET works (the error is "EAF mitigation" when I try to start IE11 under W-7 64-bit). I then reinstalled F-Secure and added the entire EMET 5.1 directory to Manual Scanning exclusions, though I do not understand at all why that should help, but it made no difference. Does F-Secure IS have a systemic problem with EMET?

Comments

  • Ukko
    Ukko Posts: 3,241 Superuser

    Hello,

     

    Probably there was answers/descriptions about situation: http://community.f-secure.com/t5/Security/EMET-and-Deepguard-compatibility/td-p/62867

     

    About reasons of F-Secure (like repeating from topic) - any hooks work probably always (such as DeepGuard) or should to do that. :)

  • "The best way to solve this problem while we are waiting for the proper fix from MS is to exclude the affected executable file from on-access scanning in our product"

     

    Yes, I saw that link, but it does not answer my question: what executable file is to be excluded for EAF mitigation? Specifically.

  • NikK
    NikK Posts: 935 Rock Star

    The program that "crashes" and EMET reports about an EAF mitigation, that's the executable file you need to exclude. Example: if IE11 can't start you need to exclude iexplore.exe

    For Firefox you should exclude both firefox.exe and plugin-container.exe

     

    It's only the apps listed and protected in EMET under "Apps"(Application Configuration) that might conflict with FS.

  • NikK
    NikK Posts: 935 Rock Star

    I should add that with EMET and EAF/EAF+ browsers run a little slower and might be very slow when you start them, especially Firefox. Some people don't like that so they disable EAF+ in EMET for the browser.

     

    If you feel EMET is too difficult to have and configure properly then MBAE might be a better option. The free version protects browsers & addons, and Java. But no other programs.

    (MBAE = Malwarebytes Anti-Exploit)

  • Thanks for the reply. I added both the 32 and 64 bit iexplore.exe, but that made no difference.

     

    I will return to MBAE. I could not make it work before, but maybe this time.

  • NikK
    NikK Posts: 935 Rock Star

    That should work! Read your post again and it's not for the manual scan you should make the exclusion. It's for the setting "Virus protection". Those two are completely different exclusion lists and the manual scan exclusions has nothing to do with EMET conflicts.

     

    I understand this can be confusing so maybe you're better of with MBAE. With its latest versions I haven't seen any problems with it when I installed it for other people, even those having FS IS.

  • Now maybe you see why I could not understand why excluding manual scans would do anything. The terminology used in the posts on this subject was ambiguous. In the thread Ukko referenced, everyone refered to scans and file exclusions without being specific. Yes, MBAE is much simpler. So far, MBAE is working fine.

     

    And another thing. Doesn't adding iexplore.exe to the exclusions add a pathway for malware to enter via IE?

  • I am also playing with a throw-away Vista PC, one which I only use for experiments. I added EMET 5.1 to the free anti-virus (shhh! don't tell anyone here). Then I tried to look at the website which started all of this, thediplomat.com. IE9 won't even display it! I think I was right about it either being saddled with privacy-stealing code or malware. And yes, EMET does slow everything down, but this PC will display other websites which have lots of scripts and video, so it's not just EMET.

  • NikK
    NikK Posts: 935 Rock Star

    @baroque-quest wrote:

    Now maybe you see why I could not understand why excluding manual scans would do anything. The terminology used in the posts on this subject was ambiguous. In the thread Ukko referenced, everyone refered to scans and file exclusions without being specific. Yes, MBAE is much simpler. So far, MBAE is working fine.

     

    And another thing. Doesn't adding iexplore.exe to the exclusions add a pathway for malware to enter via IE?


    I see that now, but I didn't before. Unfortunately we used different terms which was confusing: real-time, on-access, virus protection. But actually none of them referring to manual scan settings. This is a good reminder that it can be difficult to explain things so clearly that there aren't any room for confusion Smiley Embarassed

     

    "Doesn't adding iexplore.exe to the exclusions add a pathway for malware to enter via IE?"

    Not if you think EMET does a better job preventing it. But as mentioned in that thread we're waiting for the conflicts to be resolved, so the plan is to have both protections.

This discussion has been closed.