I’ve been running the tech preview of EMET 3.5 on my home and work PCs for several months with no problems, and just recently have had three detections when I’ve been doing “legitimate” things. They’re all Caller mitigations, so I’ve now turned that off for iexplore.exe. My PCs are all running 64-bit Windows 7 with all latest service packs and updates.
My EMET settings are as follows:
Data Execution Prevention (DEP): Application Opt Out
Structured Exception Handler Overwrite Protection (SEHOP): Application Opt Out
Address Space Layout Randomization (ASLR): Application Opt In
I’ve added C:\Program Files (x86)\Internet Explorer\iexplore.exe as an application and in the All tab have everything ticked, except now the Caller box.
The actions I was doing that caused EMET to kill IE are as follows, and are 100% reproducible on my PCs – unless I untick the Caller box for iexplore.exe:
- Using the Windows Snipping Tool, take a snip of any part of the IE window contents.
- Click the settings cog, go to Internet Options, click the Advanced tab.
- If a web page causes IE to need to upload a file and it uses the standard Windows file Open dialogue, click on the Pictures library in the navigation pane.
Update 2013-02-07: I’ve just had iexplore killed by EMET due to a DEP detection when I was running a Dell R720 iDRAC console session with Virtual Media connected to an ISO. I’ve also had to turn of the LoadLib mitigation but can’t recall what it was that triggered that…