As Microsoft has noted in its guidelines article and elsewhere, compatibility issues may arise because DLP application hooking and EMET mitigations work at a similarly low level within applications. Application hooking is an essential part of our Endpoint Application Monitoring features. Symantec DLP Engineering has found that two EMET Return Oriented Programming (ROP) mitigations, "Caller Check" and "Simulate Execution Flow", need to be disabled on affected applications to resolve the compatibility issues observed between EMET and DLP; the other EMET mitigations can remain enabled.
EMET and application compatibility considerations:
- Are there any risks in using EMET?
  - The security mitigation technologies that EMET uses have an application compatibility risk. Some applications rely on exactly the behavior that the mitigations block. It is important to thoroughly test EMET on all target computers by using test scenarios before you deploy EMET in a production environment. If you encounter a problem that affects a specific mitigation, individually enable and disable that specific mitigation. For more information, refer to the EMET user guide.
  - Quoted from: The Enhanced Mitigation Experience Toolkit
- Generic guidelines
  - EMET mitigations work at a very low level in the operating system. Some kinds of software that perform similar low level operations might have compatibility issues when they are configured to be protected by using EMET. The following is a list of the kinds of software that should not be protected by using EMET:
    - Software that uses anti-debugging, obfuscation, or hooking technologies
  - Quoted from: EMET mitigations guidelines
- ROP mitigations
  - Caller checks: EMET ensures that when a critical function is reached, it is reached by a CALL instruction rather than a RET instruction. This is a very useful mitigation and breaks many ROP gadgets. This mitigation may be incompatible with some applications. This mitigation is available for 32-bit processes.
  - Simulate execution flow: This feature tries to detect ROP gadgets following a call to a critical function. Like the "Caller checks", this feature may not be compatible with some applications. This mitigation is available for 32-bit processes.
  - Quoted from: EMET 5.52 User Guide, pg 12
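An added example, not from this article or from Symantec, of applying the recommendation above with EMET's command-line tool: it turns off only the Caller Check and Simulate Execution Flow mitigations for a list of DLP-monitored applications and leaves every other mitigation enabled. The EMET install path, the `EMET_Conf.exe --set <app> -Caller -SimExecFlow` syntax (as documented in the EMET user guide) and the application paths are assumptions to adjust for your environment.

```powershell
# Added example: disable only the two EMET ROP mitigations named in the article
# (Caller Check = "Caller", Simulate Execution Flow = "SimExecFlow") for the
# applications DLP hooks, keeping DEP, SEHOP, EAF and the rest in place.
# Assumptions: EMET 5.x is installed in its default folder and EMET_Conf.exe
# accepts "--set <app> -Caller -SimExecFlow"; the app paths are placeholders.

$EmetConf = Join-Path ${env:ProgramFiles(x86)} 'EMET 5.5\EMET_Conf.exe'
if (-not (Test-Path $EmetConf)) {
    throw "EMET_Conf.exe not found at $EmetConf; adjust the path for your EMET version."
}

# Placeholder list: replace with the applications DLP Endpoint monitors on this host.
$HookedApps = @(
    'C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE',
    'C:\Program Files (x86)\Internet Explorer\iexplore.exe'
)

foreach ($app in $HookedApps) {
    if (-not (Test-Path $app)) {
        Write-Warning "Skipping $app (not installed on this host)."
        continue
    }
    # Only the two ROP mitigations are turned off; all other mitigations stay at their defaults.
    & $EmetConf --set "$app" -Caller -SimExecFlow
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "EMET_Conf returned exit code $LASTEXITCODE for $app."
    }
}

# Verify: show the per-application entries EMET now holds for the changed executables.
$leafNames = $HookedApps | ForEach-Object { Split-Path -Leaf $_ }
& $EmetConf --list | Select-String -SimpleMatch -Pattern $leafNames
```

Re-test the affected applications with DLP after the change, since the article's guidance is to toggle individual mitigations rather than remove EMET protection entirely.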