Microsoft EMET prevents Endpoint Protection's Application Control rules from properly functioning

Article ID: 169574

Products

Endpoint Protection

Issue/Introduction

An Application and Device Control rule that blocks a process from launching another process (for example, blocking Excel and Word from launching cmd.exe and powershell.exe) does not work on 32-bit Windows 8 or 10 when Microsoft's Enhanced Mitigation Experience Toolkit (EMET) protects the applications.

Cause

When EMET's Deep Hook feature is enabled and configured to monitor cmd.exe and powershell.exe, a conflict occurs with SEP Application Control. 

Resolution

The method by which certain instructions are handled was updated to prevent issues. This issue is fixed in Symantec Endpoint Protection 14.0.0.2 (MP2). For information on how to obtain the latest build of Symantec Endpoint Protection, see Upgrade or migrate to Endpoint Protection 14.