In looking for mitigations for the recently announced Microsoft Word 0-day, I decided to install EMET on both my desktop and my laptop. I fully admit, I'm not an EMET guru, nor do I know a lot about it. I have found many directions for EMET (a good one here) so installation was a bit of a breeze. However, tweaking it is another story.
First, Firefox 28 wouldn't start. So, I had to tweak the application settings for Firefox to find out which particular protection was preventing it from starting up. (Turns out, it was ROP.)
Then, upon turning EMET loose, I received two "Quarantine Announcements" from our Sophos Antivirus. The notices were for a buffer overflow in IE and in Acrobat Reader. As best I can tell from my analysis, Sophos saw EMET protecting those applications and didn't know how to report it. I asked our Sophos administrator if he had heard anything about Sophos and EMET, but he didn't know what EMET was. I authorized the activity in Sophos and rebooted a couple of times to see if Sophos would report the activity each time I booted up. So far, so good.
If I find out exactly how the buffer overflow was caught by Sophos, I'll update this post.
Friday, March 28, 2014
Supposedly this was fixed in EMET 4.1 per Sophos, but it still happens. http://www.sophos.com/en-us/support/knowledgebase/120039.aspx