Process Lasso Activation (plActivate.exe) & Microsoft EMET 5.2

Started by mjdl, July 09, 2015, 11:52:05 PM

mjdl

Process Lasso (8.4 x64) on Windows 7 SP1 x64 (all current patches) won't work in the default configuration (with 1 change: SEHOP Opt Out for all processes). The "Ooops" activation failure dialog is displayed after 30-45 seconds. Once the executable plActivate.exe has been added to the EMET exception list with all EMET protections disabled, then activation can proceed.

There is no exploit mitigation pop-up from the EMET tray icon, nor EMET mitigation message in the Event Log.

Sorry, I did not deactivate the EMET protections one by one, so the precise protection blocking plactivate.exe is not certain, but easy to test if you have the time.

BenYeeHua

Thanks for telling us that Process Lasso is not compatible with EMET. ;)

But yeah, as far as I know, EMET has compatibility issues with a lot of software; so far the best-supported software is Microsoft products like IE and Office. :)

It is still strange that EMET doesn't tell why it has blocked the activation, so I guess except the software wants to launch other software, or is using a known vulnerability, or some exploit techniques.
And also it looks like Chromium isn't supported well with EMET either; I guess it is best to use IE with EMET, for best security. :D
https://www.chromium.org/Home/chromium-security/chromium-and-emet

I also tried to Google to find out how to fix compatibility with EMET, but too bad, so far no good results about that. :P

mjdl

Thanks for the reply.

I just use EMET as an extra layer of anti-exploit protection for internet apps, or for apps that process files from internet sources (e.g. PDF readers, web browsers, email apps). True, it's very oriented to Microsoft applications in its default configuration, and malware developers are continually finding ways to defeat it, but nevertheless if applications work correctly with the EMET dll loaded in the process and *all* EMET mitigations enabled, then that's a little more assurance that the app is not behaving too weirdly.

Of course, I don't really expect a licensing app like plActivate.exe to be able to function without doing some pretty weird Windows API manipulations--which is to say I trust Bitsum software on my computer (I think the developer's dedication to software quality speaks for itself).

The one big change I made to the EMET default configuration--enabling SEHOP for all processes--may be the problem for plActivate.exe. Once I configured EMET to load its dll into the plActivate.exe process with all mitigations including SEHOP disabled, activation succeeded. Of course my Process Lasso is now activated, so I don't have a chance to test a narrower set of disabled EMET mitigations.

BenYeeHua

Yup, just hand it to the dev, and thanks for providing info about your EMET config. :)

Jeremy Collake

Yikes... I will have to create an action plan for this.

Thanks for the report!
Software Engineer. Bitsum LLC.