Microsoft EMET interference with SEP Application Rules

Article ID: 163340

Products

Endpoint Protection

Issue/Introduction

When Microsoft Enhanced Mitigation Experience Toolkit (EMET) and Symantec Endpoint Protection (SEP) 12.1 run together, Application and Device Control (ADC) application rules that prevent processes from launching do not function as expected for applications protected by EMET.

No error messages are displayed.

Cause

Symantec development identified that EMET modifies the protected process's memory in a way that prevents the ADC module from properly detecting when the application makes certain calls.

Resolution

This issue is resolved in SEP 14.0 MP2.

If upgrading is not possible, the known workarounds that allow the ADC rule to function consistently are:

  1. Uninstall EMET from the client.
  2. Remove the application to which the ADC rule applies from EMET.