Getting rid of Default Protection in GPO?

Hi

I have rolled out EMET 4.1 and configured it from Group Policy. I made the mistake of enabling the "Default Protection for recommended software" setting.

This causes a problem with Outlook and the StackPivot mitigation.

I have disabled the setting in GPO and instead added an Application Configuration for Outlook with the -StackPivot switch.

But now all my computers show both settings when running emet_conf --list - it seems like the "Default protection...." setting is sticky. (I have run gpupdate and emet_conf --refresh)!

So if I have configured outlook.exe -StackPivot and Outlook is also enabled through "Default protection...." (with StackPivot), which one of the settings will be used by EMET?

Or how can I get rid of the sticky settings from "Default protection...."?

Regards

Peder

January 14th, 2014 5:27am

Seems there is a serious bug in this - I have tried modifying directly in the admx file on the DC:

<item key="Software\Policies\Microsoft\EMET\Defaults" valueName="Outlook">
  <value>
    <string>*\OFFICE1*\OUTLOOK.EXE -DEP -StackPivot</string>
  </value>
</item>

The output for emet_conf --list is then this (group policy refreshed + run emet_conf --refresh):

OUTLOOK.EXE            *\OFFICE1*                                       SEHOP NullPage HeapSpray EAF MandatoryASLR BottomUpASLR LoadLib MemProt Caller SimExecFlow

OUTLOOK.EXE            *\Microsoft Office\OFFICE12                      DEP SEHOP NullPage HeapSpray EAF MandatoryASLR BottomUpASLR LoadLib MemProt Caller SimExecFlow StackPivot

OUTLOOK.EXE            *\Microsoft Office\OFFICE11                      DEP SEHOP NullPage HeapSpray EAF MandatoryASLR BottomUpASLR LoadLib MemProt Caller SimExecFlow StackPivot

OUTLOOK.EXE            *\Microsoft Office\OFFICE14                      DEP SEHOP NullPage HeapSpray EAF MandatoryASLR BottomUpASLR LoadLib MemProt Caller SimExecFlow StackPivot

OUTLOOK.EXE            *\Microsoft Office\OFFICE10                      SEHOP NullPage HeapSpray EAF MandatoryASLR BottomUpASLR LoadLib MemProt Caller SimExecFlow StackPivot

So even though I can get Outlook.exe without DEP and StackPivot, the default settings still persist with DEP and StackPivot - and unfortunately they take precedence.

So it seems that once you have enabled the "Default Configuration.." in group policy - you'll never be able to get rid of it again.

  • Edited by PEP4 2 hours 41 minutes ago
January 20th, 2014 3:18am

So just answering my own question here:

I have found a workaround(!) - adding more entries in the EMET.admx file and naming it the same as the default setting overwrites the values:

So doing this:

<item key="Software\Policies\Microsoft\EMET\Defaults" valueName="Outlook">
  <value>
    <string>*\OFFICE1*\OUTLOOK.EXE -DEP -StackPivot</string>
  </value>
</item>
<item key="Software\Policies\Microsoft\EMET\Defaults" valueName="Outlook14">
  <value>
    <string>*\Microsoft Office\OFFICE14\OUTLOOK.EXE -DEP -StackPivot</string>
  </value>
</item>
<item key="Software\Policies\Microsoft\EMET\Defaults" valueName="Outlook12">
  <value>
    <string>*\Microsoft Office\OFFICE12\OUTLOOK.EXE -DEP -StackPivot</string>
  </value>
</item>
<item key="Software\Policies\Microsoft\EMET\Defaults" valueName="Outlook11">
  <value>
    <string>*\Microsoft Office\OFFICE11\OUTLOOK.EXE -DEP -StackPivot</string>
  </value>
</item>
<item key="Software\Policies\Microsoft\EMET\Defaults" valueName="Outlook10">
  <value>
    <string>*\Microsoft Office\OFFICE10\OUTLOOK.EXE -DEP -StackPivot</string>
  </value>
</item>

Finally gave me this:

  • Marked as answer by PEP4 1 hour 54 minutes ago
January 20th, 2014 4:57am
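
An added example, not part of the original thread and not EMET's own tooling: a Python check that parses the emet_conf --list output posted earlier in the thread and reports which path rules for an executable still carry a mitigation that policy was meant to switch off. The column layout (two or more spaces between columns) is an assumption read off the quoted output, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Listing lines copied from the emet_conf --list output quoted in the thread.
LISTING = r"""
OUTLOOK.EXE            *\OFFICE1*                                       SEHOP NullPage HeapSpray EAF MandatoryASLR BottomUpASLR LoadLib MemProt Caller SimExecFlow
OUTLOOK.EXE            *\Microsoft Office\OFFICE12                      DEP SEHOP NullPage HeapSpray EAF MandatoryASLR BottomUpASLR LoadLib MemProt Caller SimExecFlow StackPivot
OUTLOOK.EXE            *\Microsoft Office\OFFICE11                      DEP SEHOP NullPage HeapSpray EAF MandatoryASLR BottomUpASLR LoadLib MemProt Caller SimExecFlow StackPivot
OUTLOOK.EXE            *\Microsoft Office\OFFICE14                      DEP SEHOP NullPage HeapSpray EAF MandatoryASLR BottomUpASLR LoadLib MemProt Caller SimExecFlow StackPivot
OUTLOOK.EXE            *\Microsoft Office\OFFICE10                      SEHOP NullPage HeapSpray EAF MandatoryASLR BottomUpASLR LoadLib MemProt Caller SimExecFlow StackPivot
"""


def parse_listing(text):
    """Return {exe: [(path_pattern, mitigations), ...]} from the listing text.

    Assumption: columns are separated by runs of two or more spaces, so a
    single space inside a path ("Microsoft Office") stays in the path column.
    """
    rules = defaultdict(list)
    for line in text.splitlines():
        cols = re.split(r"\s{2,}", line.strip(), maxsplit=2)
        if len(cols) != 3:
            continue  # blank line or a line that is not a rule row
        exe, path, mitigations = cols
        rules[exe.lower()].append((path, set(mitigations.split())))
    return dict(rules)


def still_enabled(rules, exe, mitigation):
    """Path patterns whose rule for `exe` still lists `mitigation`."""
    return [path for path, mits in rules.get(exe.lower(), []) if mitigation in mits]


def overlapping(rules):
    """Executables covered by several rules whose mitigation sets differ."""
    return sorted(exe for exe, rows in rules.items()
                  if len({frozenset(mits) for _, mits in rows}) > 1)


if __name__ == "__main__":
    parsed = parse_listing(LISTING)
    for exe in overlapping(parsed):
        for mitigation in ("DEP", "StackPivot"):
            print(exe, mitigation, "still enabled for:",
                  still_enabled(parsed, exe, mitigation))
```

Run against the listing collected from a client after a policy refresh, an empty result for a mitigation means no leftover rule still applies it to that executable.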
