IE sudden crash

March 1, 2016

Hello,

You know the feeling: the sun shines, the temperature rises, summer is in the air and life’s good. So you decide to do some work. But hey, what’s that: technology is on strike. IE crashes.

To be more accurate: IE does nothing when starting.

In the Event Viewer you see the following error:

So you start verifying the latest installed patches and uninstall some … but unfortunately this changes nothing.

But wait … we are running the enhanced security solution EMET. Could this have anything to do with the issue?

Bingo … we need to disable the EAF mitigation for iexplore.exe.

And our favorite browser works again.

Enjoy.

Gino D

EMET #rdproud

July 31, 2015

Hello,

Security is gaining importance: always connected, different devices, different cloud services. Security is key in all of these scenarios.

Let’s talk about an older but not well-known security add-on from Microsoft: EMET (Enhanced Mitigation Experience Toolkit)

https://technet.microsoft.com/en-us/security/jj653751

The toolset is designed to detect and block attempts to exploit an existing application vulnerability. Most importantly, it does not depend on updated signature files but focuses on patterns, so it can block new exploits before they are commonly known.

The toolset also has a feature that allows you to link one or more specific root CAs to an SSL website. For more info you can read this blog: http://blogs.technet.com/b/srd/archive/2013/05/08/emet-4-0-s-certificate-trust-feature.aspx

It can be deployed by ESD and configured for the enterprise using standard AD policies. The EMET policies are also part of the MS baseline policies. (ex- EC or SSLF policies: see http://www.microsoft.com/en-us/download/details.aspx?id=16776)

Okay, sounds good. Let’s install the toolset and see what it does.

It’s an easy MSI setup, after setup

Let’s be wild and use the recommended settings.

As stated in the support documentation, you can set rules on apps and executables, and you can select always on, on if the app opts in, or disabled.

The guide contains detailed information about how you can use enterprise tools (such as System Center Configuration Manager) to deploy applications and activate the default configuration.

Looking at the settings, we see that we can activate system-wide settings and decide whether or not we allow specific apps to run the protection.

We get a view of the running processes and can see whether they are using EMET or not.

Looking at the apps page, you can see that the recommended config enables protection for Office apps and IE.

You can add applications through the GUI, or you can use the command line to import an existing predefined list (or you can create your own custom list).

For example, you can use emet_conf --import ".\deployment\protection profiles\popular software.xml"

You can now see that we have activated protection on a larger set of applications.

It is considered good practice to run the tool in “audit only” mode before activating it on the environment.

This will not stop the process but will only report it to:

-> Event Viewer

-> Tray icon

-> Early warning (this will send the info to Microsoft using error reporting)

You can then use SCOM to consolidate the event logs and verify the information. It would be very useful to have the possibility to add a custom action to a detection so we could customise our logging possibilities.
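
One way to review audit-mode detections per application and mitigation before switching to enforcement, as an added example that is not part of the original post or of EMET itself. The function name Get-EmetDetectionSummary, the 'EMET' provider name in the Application log, and the message wording in the constructed samples are assumptions.

```powershell
# Added example. Summarises EMET detections per application and mitigation so
# audit-mode hits can be reviewed (and per-app exceptions decided) before enforcing.
# Assumption: each event message names the mitigation ("EMET detected <X> mitigation")
# and carries an "Application : <path>" line, as in the constructed samples below.

function Get-EmetDetectionSummary {
    param(
        [Parameter(Mandatory)]
        [object[]]$Events   # objects exposing TimeCreated and Message
    )
    $pattern = 'EMET detected (?<mitigation>\S+) mitigation[\s\S]*?Application\s*:\s*(?<app>[^\r\n]+)'
    $Events | ForEach-Object {
        if ($_.Message -match $pattern) {
            [pscustomobject]@{
                Application = (Split-Path -Leaf $Matches['app'].Trim()).ToLower()
                Mitigation  = $Matches['mitigation']
                TimeCreated = $_.TimeCreated
            }
        }   # events that do not match the pattern are skipped
    } | Group-Object Application, Mitigation | ForEach-Object {
        [pscustomobject]@{
            Application = $_.Group[0].Application
            Mitigation  = $_.Group[0].Mitigation
            Count       = $_.Count
            LastSeen    = ($_.Group.TimeCreated | Sort-Object | Select-Object -Last 1)
        }
    } | Sort-Object Count -Descending
}

# Constructed sample events (not real log data).
$sample = @(
    [pscustomobject]@{ TimeCreated = [datetime]'2016-03-01T08:01:00'
        Message = "EMET detected EAF mitigation in iexplore.exe`n  Application : C:\Program Files\Internet Explorer\iexplore.exe" }
    [pscustomobject]@{ TimeCreated = [datetime]'2016-03-01T08:05:00'
        Message = "EMET detected EAF mitigation in iexplore.exe`n  Application : C:\Program Files\Internet Explorer\iexplore.exe" }
    [pscustomobject]@{ TimeCreated = [datetime]'2016-03-01T09:10:00'
        Message = "EMET detected Caller mitigation in winword.exe`n  Application : C:\Program Files\Microsoft Office\winword.exe" }
    [pscustomobject]@{ TimeCreated = [datetime]'2016-03-01T09:15:00'
        Message = "The EMET service started." }
)

Get-EmetDetectionSummary -Events $sample | Format-Table -AutoSize

# On a live machine, pass the real events instead (provider name is an assumption):
# Get-EmetDetectionSummary -Events (Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'EMET' })
```

With the constructed samples, iexplore.exe / EAF comes out on top with a count of 2, which is the kind of repeated hit that points to a per-application exception such as the EAF one for iexplore.exe.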

So let’s give it a go, it’s a free toolset and adds an additional layer of security on your device.

Enjoy.

Gino D